Updated Debian 13: 13.2 released

November 15th, 2025

The Debian project is pleased to announce the second update of its stable distribution Debian 13 (codename trixie). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 13 but only updates some of the packages included. There is no need to throw away old trixie media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package Reason
7zip New upstream release; security fixes [CVE-2025-55188 CVE-2025-11002 CVE-2025-11001]
7zip-rar Add missing CRC table constructor
aide Fix bin/buildcache use by running it from a root timer; various updates and fixes to included rules
allow-html-temp New upstream version to support newer Thunderbird releases
alsa-ucm-conf-asahi Install missing aop_audio UCM configs
ansible Update collections to maintain compatibility with ansible-core 2.19
ansible-core New upstream stable release; fix regression from 2.18 regarding handlers and play tags
asahi-scripts Fix the macaudio default profile check; add the apple_nvmem_spmi module to the initramfs explicitly; make update-m1n1 idempotent
base-files Update for the point release
brltty atSpi2: do not manage widgets without text interface; avoid excessive verbose bluetooth/usbfs messages
console-setup Update keyboard layouts dz(la) into dz(azerty-oss) and use ca/multix variant instead of ca/multi; fix dz(azerty-oss/deadkeys) into dz, which is what xkb really provides; fix dz default layout
cups Fix operation of checkboxes in admin interface
curl Fix buffer over-read issue [CVE-2025-9086]; fix cache poisoning issue [CVE-2025-10148]; fix path traversal issue [CVE-2025-11563]; allow --output to be overridden by --curl-options; fix manpage example for continue-at
debian-edu-config Use SERVER_ADDRESS in RewriteRule instead of hard-coded 'www'; drop desktop bundle from bundlesequence
debian-installer Increase Linux kernel ABI to 6.12.57+deb13; rebuild against proposed-updates
debian-installer-netboot-images Increase Linux kernel ABI to 6.12.57+deb13; rebuild against proposed-updates
dhcpcd Fix crash when an address is deleted; prevent failure to start if wpasupplicant is not installed
distro-info-data Update EoL date for bookworm; add Ubuntu 26.04 LTS Resolute Raccoon
dkms New upstream release; stop shipping dkms.service, fixing dependency cycle with cloud-init-network.service; emit a warning if no kernel headers were found
dns-root-data Update root-anchors.p7s (the signature of root-anchors.xml) with a new expiration date
dnsdist Fix denial of service issues [CVE-2025-8671 CVE-2025-30187]
dolphin-emu Fix interaction with RetroAchievements; fix translations
dovecot Ensure default lmtpd auth_username_format matches the global value; fix oauth configuration parsing; lib-sieve: correctly handle errors; clean up a few typos in default/example configuration
eas4tbsync New upstream version to support newer Thunderbird releases
eperl Avoid passing a truncated environment on Perl 5.40
epiphany-browser New upstream stable release; fix various crashes; fix PKCS#11 login for invalid cert/priv pairs
evolution New upstream stable release
evolution-data-server New upstream stable release; fix busy loop when using the MH format mail archive
fangfrisch Update sanesecurity mirror as the old one will stop working soon
fluidsynth Set the default samplerate to 48000 and buffer size to 512 in the service configuration, fixing high CPU usage and distorted sound
folder-account New upstream version to support newer Thunderbird releases
fonts-noto-color-emoji New upstream release; add support for the Unicode 17.0 standard
freeradius Fix compatibility with OpenSSL 3.5.2
gnome-maps New upstream stable release; fix a regression when requesting route planning from transitous.org; add address format for Austria and Paraguay
gnome-session Fix default app priority for early adopters of Papers and Showtime
google-recaptcha Fix PHP 8.4 deprecation warnings
ikvswitch Use Trixie as default distro for the setup; don't fail on errors when taking down an IPMI bridge; use a sysctl.d fragment file rather than sysctl.conf
imagemagick Fix integer overflow issue [CVE-2025-62171]
input-remapper Add missing python3-psutil runtime dependency
irqbalance Enable write access to /proc/irq in service definition
jdupes Fix detection of unique files
jing-trang Re-import upstream release, to remove incorrectly included files
keepassxc-browser Fix compatibility with Chromium
kmail-account-wizard Enable automatic QML dependency detection
lemonldap-ng Fix command injection issue [CVE-2025-59518]; don't expose session-id into Ajax responses; fix Google authentication
libcommons-lang-java Fix an uncontrolled recursion issue [CVE-2025-48924]
libcommons-lang3-java Fix an uncontrolled recursion issue [CVE-2025-48924]
libgpiod Remove unnecessary Breaks/Replaces on libgpiod2 and libgpiod2t64
libhtp Prevent memory leak with lzma [CVE-2025-53537]
libsmb2 Fix buffer overflow issue [CVE-2025-57632]
libssh Fix NULL pointer dereference issue [CVE-2025-8114]; fix denial of service issue [CVE-2025-8277]
libvirt Don't require TLS certificates to support keyEncipherment; lower log level of a message, avoiding journal spam when using the LXC driver; fix a daemon crash that occurs when probing capabilities for a QEMU binary that doesn't report information about CPU models
libwebsockets Fix denial of service issue [CVE-2025-11677]; fix buffer overflow issue [CVE-2025-11678]
libxml2 Fix XPath recursion depth DoS [CVE-2025-9714]
libyaml-syck-perl Prevent memory corruption leading to str value being set on empty keys [CVE-2025-11683]
linux New upstream stable release
linux-signed-amd64 New upstream stable release
linux-signed-arm64 New upstream stable release
lnav Handle failure to set cregs from tmux
log4cxx Fix improper escaping issues [CVE-2025-54812 CVE-2025-54813]
logcheck Update ignore.d.paranoid/ssh and ignore.d.server/ssh
lttng-modules Fix potential kernel crash with syscall tracing
luksmeta Fix data corruption issue with LUKS1 [CVE-2025-11568]
lxcfs Add missing dependency on fuse3
magit Ship missing magit-dired.el in elpa-magit
mailfromd Rebuild to fix symbol lookup error
mailmindr New upstream version to support newer Thunderbird releases
malcontent Fix filtering snaps after snapd 2.72; fix listing flatpaks in parental control UI; fix memory leak when checking snaps
mapserver Fix SQL injection issue [CVE-2025-59431]
mc Fix accidental use of >&10 for subshells, avoiding delays at startup
modsecurity-apache Fix security issues relating to response Content-Type handling [CVE-2025-54571]
monitoring-plugins Fix check_users in combination with systemd; fix check_mysql plugin with newer MySQL versions
mpv Create missing folders for watch history
mrtg Fix duplicate WorkDir lines in cfgmaker output
nextcloud-desktop New upstream stable release
nfdump Honour subdir (-S) when using dynamic FlowSource (-M)
nova Fix information disclosure issue
nvidia-graphics-drivers-tesla-535 Fix use after free issue [CVE-2025-23280]; fix privilege escalation issue [CVE-2025-23282]; fix denial of service issues [CVE-2025-23300 CVE-2025-23330 CVE-2025-23332 CVE-2025-23345]
onetbb Fix test failures on single-CPU test machines; skip flaky mutex tests
open-vm-tools Disable (default) the execution of the SDMP get-versions.sh script [CVE-2025-41244]
openssl New upstream stable release
openvpn-auth-radius Fix packet authentication
orphan-sysvinit-scripts Add haveged init script
patroni New upstream stable release
pdns-recursor Switch to dpkg/default.mk; drop CARGO_REGISTRY override
phpmyadmin Address XSS vulnerability in bundled jquery.validate.js [CVE-2025-3573]
poppler Fix infinite recursion [CVE-2025-50420]
postfix New upstream stable release; fix typo which caused recreation of cadir in chroot and excessive logging
presage Prevent crash with apostrophes in completion suggestions
privatebin-cli Fix connections to pastebins using GCM ciphers
proftpd-dfsg Don't remove /srv/ftp on package purge
puppet-module-puppetlabs-rabbitmq Fix list_users provider; setup all nodes as disk nodes
puppet-module-tempest Fix autoloading of openstack provider
python-eventlet Fix HTTP request smuggling by discarding HTTP chunk trailers [CVE-2025-58068]
qemu New upstream stable release; fix denial of service issue [CVE-2024-8354]; fix wrong emulation of FIBMAP and FIGETBSZ ioctls
qt6-base Fix high CPU usage of kwin_x11 on screen lock (X11)
quicktext New upstream version to support newer Thunderbird releases
rabbitmq-server Fix logging of sensitive data [CVE-2025-50200]
riseup-vpn Add dependency on qml6-module-qtcore
rocm-hipamd Fix linking for programs that include <hip/hip_bf16.h> in more than one translation unit; fix spelling error in roc-obj-ls manpage
rsyslog-doc Switch documentation theme to sphinx_rtd_theme
ruby-sys-filesystem Fix detection of 64-bit OS on s390x and alpha
rust-virtiofsd Add missing dependency on uidmap
sail Fix memory corruption issues [CVE-2025-32468 CVE-2025-35984 CVE-2025-46407 CVE-2025-50129 CVE-2025-52456 CVE-2025-52930 CVE-2025-53085 CVE-2025-53510]
samba New upstream stable release; fix uninitialized memory disclosure issue [CVE-2025-9640], command injection issue [CVE-2025-10230]
samhain Disable dnmalloc, preventing possible segfaults
spip Fix open redirect issue on AJAX login form
stardict Split plugin into a new stardict-plugin-network-dictionary package; disable stardict_dictdotcn.so plugin
suricata Fix uncontrolled memory use issue [CVE-2025-53538]; fix detection bypass issue [CVE-2025-59147]
syslog-ng Disable writing of log statistics by default
systemd New upstream stable release; fix DNS-over-TLS handling in systemd-resolved; improve service and unit lifecycle stability; handle TPM2 and pcrlock corner cases; update documentation; refresh hwdb data; sync with Linux UAPI headers
systemd-boot-efi-amd64-signed New upstream stable release; fix DNS-over-TLS handling in systemd-resolved; improve service and unit lifecycle stability; handle TPM2 and pcrlock corner cases; update documentation; refresh hwdb data; sync with Linux UAPI headers
systemd-boot-efi-arm64-signed New upstream stable release; fix DNS-over-TLS handling in systemd-resolved; improve service and unit lifecycle stability; handle TPM2 and pcrlock corner cases; update documentation; refresh hwdb data; sync with Linux UAPI headers
tango Fix broken communication between versions 9 and 10
tbsync New upstream version to support newer Thunderbird releases
ublock-origin New upstream release; improve user experience and add new filter capabilities
virt-manager Fix Browse local function
watcher Fix information disclosure issue
wike Set a User Agent, to ensure that the mobile version of Wikipedia is used
wtmpdb Rotate and prune logs using logrotate; store logs in system log directory
xnote New upstream version to support newer Thunderbird releases
xorg Fix login failure with sessions using multiple words in invocation
xssproxy Fix compatibility with Chromium and xdg-desktop-portal-gtk

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-5979 libxslt
DSA-5993 chromium
DSA-5994 shibboleth-sp
DSA-5995 hsqldb1.8.0
DSA-5996 chromium
DSA-5997 imagemagick
DSA-5998 cups
DSA-5999 libjson-xs-perl
DSA-6000 libcpanel-json-xs-perl
DSA-6001 cjson
DSA-6002 node-sha.js
DSA-6003 firefox-esr
DSA-6004 chromium
DSA-6005 jetty9
DSA-6006 jetty12
DSA-6007 ffmpeg
DSA-6008 linux-signed-amd64
DSA-6008 linux-signed-arm64
DSA-6008 linux
DSA-6010 chromium
DSA-6012 nncp
DSA-6013 node-tar-fs
DSA-6014 gimp
DSA-6015 openssl
DSA-6016 chromium
DSA-6017 haproxy
DSA-6018 gegl
DSA-6019 dovecot
DSA-6020 redis
DSA-6021 chromium
DSA-6022 valkey
DSA-6023 tiff
DSA-6024 ghostscript
DSA-6025 firefox-esr
DSA-6026 chromium
DSA-6027 incus
DSA-6028 lxd
DSA-6030 intel-microcode
DSA-6031 request-tracker5
DSA-6033 bind9
DSA-6034 tryton-sao
DSA-6035 python-internetarchive
DSA-6036 chromium
DSA-6037 openjdk-21
DSA-6039 openjdk-25
DSA-6040 thunderbird
DSA-6042 evolution
DSA-6042 webkit2gtk
DSA-6044 xorg-server
DSA-6045 pdns-recursor
DSA-6046 chromium
DSA-6047 squid
DSA-6048 ruby-rack
DSA-6049 gimp
DSA-6050 chromium

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
rust-profiling-procmacros Unused

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

https://deb.debian.org/debian/dists/trixie/ChangeLog

The current stable distribution:

https://deb.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

https://deb.debian.org/debian/dists/proposed-updates

Stable distribution information (release notes, errata, etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.