Uppdaterad Debian 12; 12.12 utgiven
6 september 2025
Debianprojektet presenterar stolt sin tolfte uppdatering till dess
gamla stabila utgåva Debian 12 (med kodnamnet bookworm
).
Denna punktutgåva lägger huvudsakligen till rättningar för säkerhetsproblem,
tillsammans med ytterligare rättningar för allvarliga problem. Säkerhetsbulletiner
har redan publicerats separat och refereras när de finns tillgängliga.
Vänligen notera att punktutgåvan inte innebär en ny version av Debian
12 utan endast uppdaterar några av de inkluderade paketen. Det behövs
inte kastas bort gamla media av bookworm
. Efter installationen
kan paket uppgraderas till de aktuella versionerna genom att använda en uppdaterad
Debianspegling..
De som frekvent installerar uppdateringar från security.debian.org kommer inte att behöva uppdatera många paket, och de flesta av sådana uppdateringar finns inkluderade i punktutgåvan.
Nya installationsavbildningar kommer snart att finnas tillgängliga på de vanliga platserna.
En uppgradering av en existerande installation till denna revision kan utföras genom att peka pakethanteringssystemet på en av Debians många HTTP-speglingar. En utförlig lista på speglingar finns på:
Blandade felrättningar
Denna uppdatering av den gamla stabila utgåvan lägger till några viktiga felrättningar till följande paket:
| Paket | Orsak |
|---|---|
| amd64-microcode | Update AMD-SEV firmware [CVE-2024-56161]; update included microcode |
| aom | Fix libaom encoder output validity |
| apache2 | New upstream stable release; fix HTTP response splitting issue [CVE-2024-42516]; fix server-side request forgery issue [CVE-2024-43204 CVE-2024-43394]; fix log injection issue [CVE-2024-47252]; fix access control bypass issue [CVE-2025-23048]; fix denial of service issue [CVE-2025-49630]; fix potential man-in-the-middle issue [CVE-2025-49812]; fix memory lifetime management issue [CVE-2025-53020] |
| b43-fwcutter | Update firmware URL |
| balboa | Rebuild against glibc 2.36-9+deb12u12 |
| base-files | Update for the point release |
| bash | Rebuild against glibc 2.36-9+deb12u12 |
| botan | Fix denial of service issues [CVE-2024-34702 CVE-2024-34703]; fix improper parsing of name constraints [CVE-2024-39312]; fix compiler-induced secret-dependent operation issue [CVE-2024-50383] |
| busybox | Rebuild against glibc 2.36-9+deb12u12 |
| ca-certificates | Add Sectigo Public Server Authentication Root E46 and Sectigo Public Server Authentication Root R46 |
| catatonit | Rebuild against glibc 2.36-9+deb12u12 |
| cdebootstrap | Rebuild against glibc 2.36-9+deb12u12 |
| chkrootkit | Rebuild against glibc 2.36-9+deb12u12 |
| cjson | Fix denial of service issue [CVE-2023-26819]; fix buffer overflow issue [CVE-2023-53154] |
| clamav | New upstream stable release; fix buffer overflow issues [CVE-2025-20128 CVE-2025-20260] |
| cloud-init | Make hotplug socket writable only by root [CVE-2024-11584]; don't attempt to identify non-x86 OpenStack instances [CVE-2024-6174] |
| commons-beanutils | Fix improper access control issue [CVE-2025-48734] |
| commons-vfs | Fix path traversal issue [CVE-2025-27553] |
| corosync | Fix buffer overflow vulnerability on large UDP packets [CVE-2025-30472] |
| criu | Fix restore functionality of mount namespaces with newer kernel versions |
| curl | Fix regression handling sftp://host/~ URIs; fix a memory leak |
| dar | Rebuild against glibc 2.36-9+deb12u12 |
| debian-edu-config | Fix quoting in Exim configuration; gosa-sync: fix password verification; fix quoting in gosa.conf |
| debian-installer | Increase Linux kernel ABI to 6.1.0-39; rebuild against oldstable-proposed-updates; add console-setup-pc-ekmap for arm64 and armhf CD images; use nomodesetrather than fb=falseto disable framebuffer |
| debian-installer-netbook-images | Rebuild against oldstable-proposed-updates |
| debian-security-support | Query source:Package instead of Source to get the correct list of packages; fix typo related to gobgp |
| distro-info-data | Add Ubuntu end of Legacy Support dates; add release and estimated EoL for trixie |
| djvulibre | Fix denial of service issues [CVE-2021-46310 CVE-2021-46312] |
| docker.io | Rebuild against glibc 2.36-9+deb12u12 |
| dpdk | New upstream stable release |
| dropbear | Fix shell injection vulnerability in multihop handling [CVE-2025-47203] |
| e2fsprogs | Rebuild against glibc 2.36-9+deb12u12 |
| erlang | ssh: fix strict KEX hardening [CVE-2025-46712]; zip: sanitize pathnames when extracting files with absolute pathnames [CVE-2025-4748]; fix documentation build failure with newer xsltproc versions |
| expat | Fix denial of service issues [CVE-2023-52425 CVE-2024-8176]; fix parser crash [CVE-2024-50602] |
| fig2dev | Detect nan in spline control values [CVE-2025-46397]; permit \0 in 2nd line in fig file [CVE-2025-46398]; ge output: correct spline computation [CVE-2025-46399]; reject arcs with a radius smaller than 3 [CVE-2025-46400] |
| firebird3.0 | Fix NULL pointer dereference issue [CVE-2025-54989] |
| fort-validator | Fix denial of service issues [CVE-2024-45234 CVE-2024-45235 CVE-2024-45236 CVE-2024-45238 CVE-2024-45239 CVE-2024-48943]; fix buffer overflow issue [CVE-2024-45237] |
| galera-4 | New upstream stable release |
| glib2.0 | Fix buffer underflow issue [CVE-2025-4373 CVE-2025-7039]; improve upgrade safety |
| glibc | Fix incorrect LD_LIBRARY_PATH search in dlopen for static setuid binaries [CVE-2025-4802]; improve memory layout of structures in exp/exp10/expf functions; add an SVE implementation of memset on aarch64; improve generic implementation of memset on aarch64; fix double free issue [CVE-2025-8058] |
| gnupg2 | Rebuild against glibc 2.36-9+deb12u12; fix recommends of architecture-any packages on architecture-all package to support binNMUs |
| golang-github-gin-contrib-cors | Fix mishandling of wildcards [CVE-2019-25211] |
| gst-plugins-base1.0 | Fix buffer overrun issue [CVE-2025-47806]; fix NULL pointer dereference issues [CVE-2025-47807 CVE-2025-47808] |
| gst-plugins-good1.0 | Fix possible information disclosure issue [CVE-2025-47219] |
| init-system-helpers | Fix handling of os-release diversions from live-build, ensuring they don't exist in non-live systems |
| insighttoolkit4 | Fix build on systems with a single CPU |
| insighttoolkit5 | Fix build on systems with a single CPU |
| integrit | Rebuild against glibc 2.36-9+deb12u12 |
| iperf3 | Fix buffer overflow issue [CVE-2025-54349]; fix assertion failure [CVE-2025-54350] |
| jinja2 | Fix arbitrary code execution issue [CVE-2025-27516] |
| jq | Zero-terminate string in jv.c [CVE-2025-48060] |
| kexec-tools | Remove no longer required dependencies |
| kmail-account-wizard | Fix man in the middle attack issue [CVE-2024-50624] |
| krb5 | Fix message tampering issue [CVE-2025-3576]; disable issuance of tickets using RC4 or triple-DES session keys by default |
| kubernetes | Sanitise raw data output to terminal [CVE-2021-25743]; hide long and multi-line strings when printing |
| libarchive | Fix integer overflow issues [CVE-2025-5914 CVE-2025-5916], buffer over read issue [CVE-2025-5915], buffer overlow issue [CVE-2025-5917] |
| libbpf | Fix operation with newer systemd versions |
| libcap2 | Rebuild against glibc 2.36-9+deb12u12; add missing Built-Using: glibc |
| libcgi-simple-perl | Fix HTTP response splitting issue [CVE-2025-40927] |
| libfcgi | Fix integer overflow issue [CVE-2025-23016] |
| libfile-tail-perl | Fix uninitialized variable issue |
| libphp-adodb | Fix SQL injection vulnerability in pg_insert_id() [CVE-2025-46337] |
| libraw | Fix out-of-bounds read issues [CVE-2025-43961 CVE-2025-43962 CVE-2025-43963]; enforce minimum w0 and w1 values [CVE-2025-43964] |
| libreoffice | Add EUR support for Bulgaria |
| libsndfile | Fix integer overflow issues [CVE-2022-33065]; fix out of bounds read issue [CVE-2024-50612] |
| libsoup3 | New upstream bug-fix release; fix buffer overrun issue [CVE-2024-52531]; fix denial of service issues [CVE-2024-52532 CVE-2025-32051]; fix heap overflow issues [CVE-2025-32052 CVE-2025-32053]; fix integer overflow issue [CVE-2025-32050]; fix heap buffer overflow issues [CVE-2025-2784]; reject HTTP headers if they contain null bytes [CVE-2024-52530]; fix denial of service issues [CVE-2025-32909 CVE-2025-32910 CVE-2025-46420 CVE-2025-32912 CVE-2025-32906]; fix memory management issues [CVE-2025-32911 CVE-2025-32913]; fix credential disclosure issue [CVE-2025-46421]; fix use-after-free during disconnection, which can cause GNOME Calculator to hang at startup; fix a test failure on some 32-bit systems |
| libtheora | Fix segfault during decoder initialisation; avoid possible bit-shifting in decoder |
| libtpms | Fix out of bounds read issue [CVE-2025-49133] |
| libxml2 | Fix integer overflow issue in xmlBuildQName [CVE-2025-6021]; fix potential buffer overflows in the interactive shell [CVE-2025-6170]; fix use-after-free issue in xmlSchematronReportOutput [CVE-2025-49794]; fix type confusion issue in xmlSchematronReportOutput [CVE-2025-49796] |
| libyaml-libyaml-perl | Fix arbitrary file edit issue [CVE-2025-40908] |
| lintian | Add bookworm to duke to the list of known Debian release names; don't emit source-nmu-has-incorrect-version-number for stable updates |
| linux | New upstream stable release; increase ABI to 39 |
| linux-signed-amd64 | New upstream stable release; increase ABI to 39 |
| linux-signed-arm64 | New upstream stable release; increase ABI to 39 |
| linux-signed-i386 | New upstream stable release; increase ABI to 39 |
| llvm-toolchain-19 | New upstream stable release |
| luajit | Fix buffer overflow issue [CVE-2024-25176]; fix denial of service issue [CVE-2024-25177]; fix out-of-bounds read issue [CVE-2024-25178] |
| lxc | Rebuild against glibc 2.36-9+deb12u12 |
| mailgraph | Update embedded copy of Parse::Syslog, enabling support for RFC3339 dates |
| mariadb | New upstream stable release; security fixes [CVE-2023-52969 CVE-2023-52970 CVE-2023-52971 CVE-2025-30693 CVE-2025-30722]; fix restart after out of memory; new upstream stable release; fix variable name in debian-start.sh |
| mkchromecast | Replace youtube-dl with yt-dlp |
| mlt | Fix Python scripts |
| mono | Remove unneeded (and broken) mono-source package |
| mosquitto | Fix memory leak issue [CVE-2023-28366]; fix out of bounds memory access issue [CVE-2024-10525]; fix double free issue [CVE-2024-3935]; fix possible segmentation fault issue [CVE-2024-8376] |
| multipath-tools | Reinstate ANA prioritizer in build process |
| nextcloud-desktop | Fix share options in graphical interface |
| nginx | Fix potential information leak in ngx_mail_smtp_module [CVE-2025-53859] |
| node-addon-api | Add support for nodejs >= 18.20 |
| node-csstype | Fix build failure |
| node-form-data | Fix insufficient randomness issue [CVE-2025-7783] |
| node-minipass | Fix tap reporter in auto test and autopkgtest |
| node-nodeunit | Fix test flakiness |
| node-tar-fs | Fix path traversal issues [CVE-2024-12905 CVE-2025-48387] |
| node-tmp | Fix arbitrary file write issue [CVE-2025-54798] |
| nvda2speechd | Fix required rmp-serde version |
| openjpeg2 | Fix NULL pointer dereference issue [CVE-2025-50952] |
| openssh | Handle OpenSSL >=3 ABI compatibility to avoid new SSH connections failing during upgrades to trixie |
| openssl | New upstream stable release; revert some upstream changes to avoid crashes in downstream software |
| perl | Fix TLS certificate verification issue [CVE-2023-31484]; fix non thread safe file access [CVE-2025-40909] |
| postgresql-15 | New upstream stable release; tighten security checks in planner estimation functions [CVE-2025-8713]; prevent pg_dump scripts from being used to attack the user running the restore [CVE-2025-8714]; convert newlines to spaces in names included in comments in pg_dump output [CVE-2025-8715] |
| postgresql-common | PgCommon.pm: Set defined path in prepare_exec. Fixes compatibility with trixie's perl version |
| prody | Fix build failure; add tolerance to some tests which now fail on i386 |
| python-django | Fix regular expression-based denial of service issue [CVE-2023-36053], denial of service issues [CVE-2024-38875 CVE-2024-39614 CVE-2024-41990 CVE-2024-41991], user enumeration issue [CVE-2024-39329], directory traversal issue [CVE-2024-39330], excessive memory consumption issue [CVE-2024-41989], SQL injection issue [CVE-2024-42005] |
| python-flask-cors | Fix log data injection issue [CVE-2024-1681]; fix improper path processing issues [CVE-2024-6866 CVE-2024-6839 CVE-2024-6844] |
| python-mitogen | Support targets with Python >= 3.12 |
| python-zipp | Fix denial of service issue [CVE-2024-5569] |
| qemu | Rebuild against glibc 2.36-9+deb12u12; new upstream bugfix release |
| raptor2 | Fix integer underflow issue [CVE-2024-57823]; fix heap read buffer overflow issue [CVE-2024-57822] |
| rar | New upstream release; fix ANSI escape injection issue [CVE-2024-33899] |
| rubygems | Fix credential leak issue [CVE-2025-27221]; fix regular expression related denial of service issue [CVE-2023-28755] |
| rust-cbindgen-web | Rebuild against current rustc-web |
| rustc-web | New upstream stable release, to support building of newer Chromium versions |
| samba | Fix various bugs following a change to Microsoft Active Directory |
| sash | Rebuild against glibc 2.36-9+deb12u12 |
| setuptools | Fix arbitrary file write issue [CVE-2025-47273] |
| shaarli | Fix cross site scripting issue [CVE-2025-55291] |
| simplesamlphp | Fix signature verification issue [CVE-2025-27773] |
| snapd | Rebuild against glibc 2.36-9+deb12u12 |
| sqlite3 | Fix memory corruption issue [CVE-2025-6965]; fix bug in NOT NULL/IS NULL optimization that can cause invalid data |
| supermin | Rebuild against glibc 2.36-9+deb12u12 |
| systemd | New upstream stable release |
| tini | Rebuild against glibc 2.36-9+deb12u12 |
| tripwire | Rebuild against glibc 2.36-9+deb12u12 |
| tsocks | Rebuild against glibc 2.36-9+deb12u12 |
| tzdata | Confirm leap andra status for 2025 |
| usb.ids | New upstream update |
| waitress | Fix race condition in HTTP pipelining [CVE-2024-49768]; fix denial of service issue [CVE-2024-49769] |
| webpy | Fix SQL injection issue [CVE-2025-3818] |
| wireless-regdb | New upstream release, updating included regulatory data; permit 320 MHz bandwidth in 6 GHz band for GB |
| wolfssl | Fix insufficient randomisation issue [CVE-2025-7394] |
| wpa | Fix inappropriate reuse of PKEX elements [CVE-2022-37660] |
| xfce4-weather-plugin | Migrate to new APIs; update translations |
| xrdp | Fix session restrictions bypass issue [CVE-2023-40184]; fix out-of-bounds read issue [CVE-2023-42822]; fix login restrictions bypass issue [CVE-2024-39917] |
| ydotool | Rebuild against glibc 2.36-9+deb12u12 |
| zsh | Rebuild against glibc 2.36-9+deb12u12 |
Säkerhetsuppdateringar
Denna revision lägger till följande säkerhetsuppdateringar till den gamla stabila utgåvan. Säkerhetsgruppen har redan släppt bulletiner för alla dessa uppdateringar:
Borttagna paket
Följande paket har tagits bort på grund av omständigheter utom vår kontroll:
| Paket | Orsak |
|---|---|
| guix | Unsupportable; security issues |
Debianinstalleraren
Installeraren har uppdaterats för att inkludera rättningarna som har inkluderats i den gamla stabila utgåvan med denna punktutgåva.
URLer
Den fullständiga listan på paket som har förändrats i denna revision:
Den aktuella gamla stabila utgåvan:
Föreslagna uppdateringar till den gamla stabila utgåvan:
Information om den gamla stabila utgåvan (versionsfakta, kända problem osv.):
Säkerhetsbulletiner och information:
Om Debian
Debianprojektet är en grupp utvecklare av Fri mjukvara som donerar sin tid och kraft för att producera det helt fria operativsystemet Debian.
Kontaktinformation
För ytterligare information, vänligen besök Debians webbplats på https://www.debian.org/, skicka e-post till <press@debian.org>, eller kontakta gruppen för stabila utgåvor på <debian-release@lists.debian.org>.