Atualização Debian 13: 13.2 lançado
15 de Novembro de 2025
O projeto Debian está feliz em anunciar a segunda atualização de sua
versão estável (stable) do Debian 13 (codinome trixie
).
Esta versão pontual adiciona principalmente correções para problemas de
segurança, além de pequenos ajustes para problemas mais sérios. Avisos de
segurança já foram publicados em separado e são referenciados quando
necessário.
Por favor, note que a versão pontual não constitui uma nova versão do Debian
13, mas apenas atualiza alguns dos pacotes já incluídos. Não há
necessidade de jogar fora as antigas mídias da trixie
. Após a
instalação, os pacotes podem ser atualizados para as versões atuais usando um
espelho atualizado do Debian.
Aquelas pessoas que frequentemente instalam atualizações a partir de security.debian.org não terão que atualizar muitos pacotes, e a maioria de tais atualizações estão incluídas na versão pontual.
Novas imagens de instalação logo estarão disponíveis nos locais habituais.
A atualização de uma instalação existente para esta revisão pode ser feita apontando o sistema de gerenciamento de pacotes para um dos muitos espelhos HTTP do Debian. Uma lista abrangente de espelhos está disponível em:
Correções gerais de bugs
Esta atualização da versão estável (stable) adiciona algumas correções importantes para os seguintes pacotes:
| Pacote | Justificativa |
|---|---|
| 7zip | New upstream release; security fixes [CVE-2025-55188 CVE-2025-11002 CVE-2025-11001] |
| 7zip-rar | Add missing CRC table constructor |
| aide | Fix bin/buildcache use by running it from a root timer; various updates and fixes to included rules |
| allow-html-temp | New upstream version to support newer Thunderbird releases |
| alsa-ucm-conf-asahi | Install missing aop_audio UCM configs |
| ansible | Update collections to maintain compatibility with ansible-core 2.19 |
| ansible-core | New upstream stable release; fix regression from 2.18 regarding handlers and play tags |
| asahi-scripts | Fix the macaudio default profile check; add the apple_nvmem_spmi module to the initramfs explicitly; make update-m1n1 idempotent |
| base-files | Update for the point release |
| brltty | atSpi2: do not manage widgets without text interface; avoid excessive verbose bluetooth/usbfs messages |
| console-setup | Update keyboard layouts dz(la) into dz(azerty-oss) and Use ca/multix variant instead of ca/multi; fix dz(azerty-oss/deadkeys) into dz, which is what xkb really provides; fix dz default layout |
| cups | Fix operation of checkboxes in admin interface |
| curl | Fix buffer over-read issue [CVE-2025-9086]; fix cache poisoning issue [CVE-2025-10148]; fix path traversal issue [CVE-2025-11563]; allow --output to be overridden by --curl-options; fix manpage example for continue-at; fix path traversal issue [CVE-2025-11563] |
| debian-edu-config | Use SERVER_ADDRESS in RewriteRule instead of hard-coded 'www'; drop desktop bundle from bundlesequence |
| debian-installer | Increase Linux kernel ABI to 6.12.57+deb13; rebuild against proposed-updates |
| debian-installer-netboot-images | Increase Linux kernel ABI to 6.12.57+deb13; rebuild against proposed-updates |
| dhcpcd | Fix crash when an address is deleted; prevent failure to start if wpasupplicant is not installed |
| distro-info-data | Update EoL date for bookworm; add Ubuntu 26.04 LTS Resolute Raccoon |
| dkms | New upstream release; stop shipping dkms.service, fixing dependency cycle with cloud-init-network.service; emit a warning if no kernel headers were found |
| dns-root-data | Update root-anchors.p7s (the signature of root-anchors.xml) with a new expiration date |
| dnsdist | Fix denial of service issues [CVE-2025-8671 CVE-2025-30187] |
| dolphin-emu | Fix interaction with RetroAchievements; fix translations |
| dovecot | Ensure default lmtpd auth_username_format matches the global value; fix oauth configuration parsing; lib-sieve: correctly handle errors; clean up a few typos in default/example configuration |
| eas4tbsync | New upstream version to support newer Thunderbird releases |
| eperl | Avoid passing a truncated environment on Perl 5.40 |
| epiphany-browser | New upstream stable release; fix various crashes; fix PKCS#11 login for invalid cert/priv pairs |
| evolution | New upstream stable release |
| evolution-data-server | New upstream stable release; fix busy loop when using the MH format mail archive |
| fangfrisch | Update sanesecurity mirror as the old one will stop working soon |
| fluidsynth | Set the default samplerate to 48000 and buffer size to 512 in the service configuration, fixing high CPU usage and distorted sound |
| folder-account | New upstream version to support newer Thunderbird releases |
| fonts-noto-color-emoji | New upstream release; add support for the Unicode 17.0 standard |
| freeradius | Fix compatibility with OpenSSL 3.5.2 |
| gnome-maps | New upstream stable release; fix a regression when requesting route planning from transitous.org; add address format for Austria and Paraguay |
| gnome-session | Fix default app priority for early adopters of Papers and Showtime |
| google-recaptcha | Fix PHP 8.4 deprecation warnings |
| ikvswitch | Use Trixie as default distro for the setup; don't fail on errors when taking down an IPMI bridge; use a sysctl.d fragment file rather than sysctl.conf |
| imagemagick | Fix integer overflow issue [CVE-2025-62171] |
| input-remapper | Add missing python3-psutil runtime dependency |
| irqbalance | Enable write access to /proc/irq in service definition |
| jdupes | Fix detection of unique files |
| jing-trang | Re-import upstream release, to remove incorrectly included files |
| keepassxc-browser | Fix compatibility with Chromium |
| kmail-account-wizard | Enable automatic QML dependency detection |
| lemonldap-ng | Fix command injection issue [CVE-2025-59518]; don't expose session-id into Ajax responses; fix Google authentication |
| libcommons-lang-java | Fix an uncontrolled recursion issue [CVE-2025-48924] |
| libcommons-lang3-java | Fix an uncontrolled recursion issue [CVE-2025-48924] |
| libgpiod | Remove unnecessary Breaks/Replaces on libgpiod2 and libgpiod2t64 |
| libhtp | Prevent memory leak with lzma [CVE-2025-53537] |
| libsmb2 | Fix buffer overflow issue [CVE-2025-57632] |
| libssh | Fix NULL pointer dereference issue [CVE-2025-8114]; fix denial of service issue [CVE-2025-8277] |
| libvirt | Don't require TLS certificates to support keyEncipherment; lower log level of a message, avoiding journal spam when using the LXC driver; fix a daemon crash that occurs when probing capabilities for a QEMU binary that doesn't report information about CPU models |
| libwebsockets | Fix denial of service issue [CVE-2025-11677]; fix buffer overflow issue [CVE-2025-11678] |
| libxml2 | Fix XPath recursion depth DoS [CVE-2025-9714] |
| libyaml-syck-perl | Prevent memory corruption leading to strvalue being set on empty keys [CVE-2025-11683] |
| linux | New upstream stable release |
| linux-signed-amd64 | New upstream stable release |
| linux-signed-arm64 | New upstream stable release |
| lnav | Handle failure to set cregs from tmux |
| log4cxx | Fix improper escaping issues [CVE-2025-54812 CVE-2025-54813] |
| logcheck | Update ignore.d.paranoid/ssh and ignore.d.server/ssh |
| lttng-modules | Fix potential kernel crash with syscall tracing |
| luksmeta | Fix data corruption issue with LUKS1 [CVE-2025-11568] |
| lxcfs | Add missing dependency on fuse3 |
| magit | Ship missing magit-dired.el in elpa-magit |
| mailfromd | Rebuild to fix symbol lookup error |
| mailmindr | New upstream version to support newer Thunderbird releases |
| malcontent | Fix filtering snaps after snapd 2.72; fix listing flatpaks in parental control UI; fix memory leak when checking snaps |
| mapserver | Fix SQL injection issue [CVE-2025-59431] |
| mc | Fix accidental use of >&10 for subshells, avoiding delays at startup |
| modsecurity-apache | Fix security issues relating to response Content-Type handling [CVE-2025-54571] |
| monitoring-plugins | Fix check_users in combination with systemd; fix check_mysql plugin with newer MySQL versions |
| mpv | Create missing folders for watch history |
| mrtg | Fix duplicate WorkDir lines in cfgmaker output |
| nextcloud-desktop | New upstream stable release |
| nfdump | Honour subdir (-S) when using dynamic FlowSource (-M) |
| nova | Fix information disclosure issue |
| nvidia-graphics-drivers-tesla-535 | Fix use after free issue [CVE-2025-23280]; fix privilege escalation issue [CVE-2025-23282]; fix denial of service issues [CVE-2025-23300 CVE-2025-23330 CVE-2025-23332 CVE-2025-23345] |
| onetbb | Fix test failures on single-CPU test machines; skip flaky mutex tests |
| open-vm-tools | Disable (default) the execution of the SDMP get-versions.sh script [CVE-2025-41244] |
| openssl | New upstream stable release |
| openvpn-auth-radius | Fix packet authentication |
| orphan-sysvinit-scripts | Add haveged init script |
| patroni | New upstream stable release |
| pdns-recursor | Switch to dpkg/default.mk; drop CARGO_REGISTRY override |
| phpmyadmin | Address XSS vulnerability in bundled jquery.validate.js [CVE-2025-3573] |
| poppler | Fix infinite recursion [CVE-2025-50420] |
| postfix | New upstream stable release; fix typo which caused recreation of cadir in chroot and excessive logging |
| presage | Prevent crash with apostrophes in completion suggestions |
| privatebin-cli | Fix connections to pastebins using GCM ciphers |
| proftpd-dfsg | Don't remove /srv/ftp on package purge |
| puppet-module-puppetlabs-rabbitmq | Fix list_users provider; setup all nodes as disk nodes |
| puppet-module-tempest | Fix autoloading of openstack provider |
| python-eventlet | Fix HTTP request smuggling by discarding HTTP chunk trailers [CVE-2025-58068] |
| qemu | New upstream stable release; fix denial of service issue [CVE-2024-8354]; fix wrong emulation of FIBMAP and FIGETBSZ ioctls |
| qt6-base | Fix high CPU usage of kwin_x11 on screen lock (X11) |
| quicktext | New upstream version to support newer Thunderbird releases |
| rabbitmq-server | Fix logging on sensitive data [CVE-2025-50200] |
| riseup-vpn | Add dependency on qml6-module-qtcore |
| rocm-hipamd | Fix linking for programs that include <hip/hip_bf16.h> in more than one translation unit; fix spelling error in roc-obj-ls manpage |
| rsyslog-doc | Switch documentation theme to sphinx_rtd_theme |
| ruby-sys-filesystem | Fix detection of 64-bit OS on s390x and alpha |
| rust-virtiofsd | Add missing dependency on uidmap |
| sail | Fix memory corruption issues [CVE-2025-32468 CVE-2025-35984 CVE-2025-46407 CVE-2025-50129 CVE-2025-52456 CVE-2025-52930 CVE-2025-53085 CVE-2025-53510] |
| samba | New upstream stable release; fix uninitialized memory disclosure issue [CVE-2025-9640], command injection issue [CVE-2025-10230] |
| samhain | Disable dnmalloc, preventing possible segfaults |
| spip | Fix open redirect issue on AJAX login form |
| stardict | Split plugin in to a new stardict-plugin-network-dictionary package; disable stardict_dictdotcn.so plugin |
| suricata | Fix uncontrolled memory use issue [CVE-2025-53538]; fix detection bypass issue [CVE-2025-59147] |
| syslog-ng | Disable writing of log statistics by default |
| systemd | New upstream stable release; fix DNS-over-TLS handling in systemd-resolved; improve service and unit lifecycle stability; handle TPM2 and pcrlock corner cases; update documentation; refresh hwdb data; sync with Linux UAPI headers |
| systemd-boot-efi-amd64-signed | New upstream stable release; fix DNS-over-TLS handling in systemd-resolved; improve service and unit lifecycle stability; handle TPM2 and pcrlock corner cases; update documentation; refresh hwdb data; sync with Linux UAPI headers |
| systemd-boot-efi-arm64-signed | New upstream stable release; fix DNS-over-TLS handling in systemd-resolved; improve service and unit lifecycle stability; handle TPM2 and pcrlock corner cases; update documentation; refresh hwdb data; sync with Linux UAPI headers |
| tango | Fix broken communication between versions 9 and 10 |
| tbsync | New upstream version to support newer Thunderbird releases |
| ublock-origin | New upstream release; improve user experience and add new filter capabilities |
| virt-manager | Fix Browse localfunction |
| watcher | Fix information disclosure issue |
| wike | Set a User Agent, to ensure that the mobile version of Wikipedia is used |
| wtmpdb | Rotate and prune logs using logrotate; store logs in system log directory |
| xnote | New upstream version to support newer Thunderbird releases |
| xorg | Fix login failure with sessions using multiple words in invocation |
| xssproxy | Fix compatibility with Chromium and xdg-desktop-portal-gtk |
Atualizações de segurança
Esta revisão adiciona as seguintes atualizações de segurança para a versão estável (stable). A equipe de segurança já lançou um aviso para cada uma dessas atualizações:
Pacotes removidos
Os seguintes pacotes foram removidos por circunstâncias fora de nosso controle:
| Pacote | Justificativa |
|---|---|
| rust-profiling-procmacros | Unused |
Instalador do Debian
O instalador foi atualizado para incluir as correções incorporadas na versão estável (stable) pela versão pontual.
URLs
As listas completas dos pacotes que foram alterados por esta revisão:
A atual versão estável (stable):
Atualizações propostas (proposed updates) para a versão estável (stable):
Informações da versão estável (stable) (notas de lançamento, errata, etc):
Anúncios de segurança e informações:
Sobre o Debian
O projeto Debian é uma associação de desenvolvedores(as) de Software Livre que dedicam seu tempo e esforço como voluntários(as) para produzir o sistema operacional completamente livre Debian.
Informações de contato
Para mais informações, por favor visite as páginas web do Debian em https://www.debian.org/, envie um e-mail (em inglês) para <press@debian.org>, ou entre em contato (em inglês) com a equipe de lançamento da versão estável (stable) em <debian-release@lists.debian.org>.