Updated Debian 12: 12.13 released
10 January 2026
The Debian project is pleased to announce the thirteenth update of its
oldstable distribution Debian 12 (codename bookworm).
This point release mainly adds corrections for security issues,
along with further corrections for serious problems. Security advisories
have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian
12 but only updates some of the packages included. There is no need
to throw away old bookworm media. After installation,
packages can be upgraded to the current versions using an up-to-date
Debian mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous bugfixes
This oldstable update adds a few important corrections to the following packages:
| Package | Reason |
|---|---|
| allow-html-temp | New upstream version to support newer Thunderbird releases |
| angular.js | Fix regular expression-based denial of service issues [CVE-2022-25844 CVE-2023-26116 CVE-2023-26117 CVE-2023-26118]; fix restriction bypass issues [CVE-2024-8372 CVE-2024-8373]; fix denial of service issue [CVE-2024-21490]; fix improper sanitization issues [CVE-2025-0716 CVE-2025-2336] |
| apache2 | New upstream stable release; fix integer overflow issue [CVE-2025-55753]; don't pass querystring to #exec directives [CVE-2025-58098]; fix improper parsing of environment variables [CVE-2025-65082]; fix mod_userdir+suexec bypass issue [CVE-2025-66200] |
| base-files | Update for the point release |
| bash | Rebuild with updated glibc |
| btrfs-progs | Device stats: fix printing wrong values in tabular output |
| busybox | Rebuild with updated glibc |
| c-icap-modules | Rebuild against libclamav12; disable clamav support on armel, mipsel and mips64el |
| calibre | Fix code execution issue [CVE-2025-64486] |
| cdebootstrap | Rebuild with updated glibc |
| chkrootkit | Rebuild with updated glibc |
| clamav | New upstream long term support release |
| composer | Fix ANSI sequence injection [CVE-2025-67746] |
| cups-filters | Fix TIFF parser bounds/validation issues [CVE-2025-57812]; clamp oversized PDF MediaBox-derived page size in pdftoraster [CVE-2025-64503]; avoid rastertopclx infinite loop and heap overflow on crafted raster input [CVE-2025-64524] |
| cyrus-imapd | Rebuild against libclamav12; disable clamav support on armel, mipsel and mips64el |
| dar | Rebuild with updated glibc |
| debian-installer | Increase Linux kernel ABI to 6.1.0-42; rebuild against oldstable-proposed-updates |
| debian-installer-netboot-images | Rebuild against oldstable-proposed-updates |
| debian-security-support | Mark hdf5, libsoup2.4, libsoup3 and zabbix as receiving limited support; mark dnsdist, pdns, pdns-recursor as unsupported |
| distro-info-data | Update bookworm EoL date; add Ubuntu 26.04 LTS Resolute Raccoon |
| docker.io | Rebuild with updated containerd, glibc |
| dpdk | New upstream stable release |
| e2guardian | Disable clamav support on armel, mipsel and mips64el |
| freerdp2 | New upstream release; fix multiple memory-safety vulnerabilities: integer overflow/underflow and out-of-bounds write in NSC, Clear, and GDI bitmap codecs [CVE-2024-22211 CVE-2024-32037 CVE-2024-32038 CVE-2024-32039 CVE-2024-32040]; out-of-bounds reads in ZGFX, Planar, NCRUSH, Interleaved, and RFX codecs [CVE-2024-32041 CVE-2024-32457 CVE-2024-32458 CVE-2024-32459 CVE-2024-32460]; invalid memory access in freerdp_peer_get_logon_info [CVE-2024-32661]; bounds-check and overflow fixes; update for GCC 14 / FFmpeg 7 build compatibility |
| gcc-bpf | Rebuild with updated glibc |
| gcc-or1k-elf | Rebuild with updated glibc |
| gcc-riscv64-unknown-elf | Rebuild with updated glibc |
| gcc-xtensa-lx106 | Rebuild with updated glibc |
| gdk-pixbuf | Fix buffer overflow issue [CVE-2025-7345] |
| ghdl | Rebuild with updated glibc |
| git | Fix arbitrary file creation/truncation in gitk [CVE-2025-27613]; prevent arbitrary file overwrite in git-gui with crafted directory names [CVE-2025-46835]; correct submodule path parsing with trailing CR [CVE-2025-48384]; validate bundle-uri to prevent protocol injection during clone [CVE-2025-48385] |
| glib2.0 | Fix various integer overflow issues [CVE-2025-13601 CVE-2025-14087 CVE-2025-14512] |
| gnupg2 | Avoid potential downgrade to SHA1 in 3rd party key signatures; error out on unverified output for non-detached signatures; fix possible memory corruption in the armor parser [CVE-2025-68973]; do not use a default when asking for another output filename |
| golang-github-containerd-stargz-snapshotter | Rebuild with updated containerd |
| golang-github-containers-buildah | Rebuild with updated containerd |
| golang-github-openshift-imagebuilder | Rebuild with updated containerd |
| imagemagick | Fix denial of service issues [CVE-2025-62594 CVE-2025-68618]; fix use-after-free issue [CVE-2025-65955]; fix integer overflow issues [CVE-2025-62171 CVE-2025-66628 CVE-2025-69204]; fix infinite loop issue [CVE-2025-68950] |
| intel-microcode | Update Intel processor microcode to 20251111 |
| lemonldap-ng | Fix sessions tablename when not default; fix oidc flow when user encountered an error on server side; fix Kerberos JavaScript when used with Choice; improve CORS checking; fix path_info handling; fix shell injection issue [CVE-2025-59518]; hide session id from Ajax responses |
| libcap2 | Rebuild with updated glibc |
| libclamunrar | New upstream release, aligning with clamav 1.4.3 |
| libcommons-lang-java | Fix uncontrolled recursion issue [CVE-2025-48924] |
| libcommons-lang3-java | Fix uncontrolled recursion issue [CVE-2025-48924] |
| libhtp | Fix denial of service issue via unbounded HTTP header processing [CVE-2024-23837 CVE-2024-45797] |
| libnginx-mod-http-lua | Fix HTTP HEAD request smuggling [CVE-2024-33452] |
| libphp-adodb | Fix SQL injection in sqlite and sqlite3 metadata lookups [CVE-2025-54119] |
| libpod | Rebuild with updated containerd |
| libreoffice | Set Bulgaria locale default currency to EUR |
| libssh | Fix integer overflow issue [CVE-2025-4877]; fix use of uninitialized variable [CVE-2025-4878]; fix out of bounds memory access issue [CVE-2025-5318]; fix double free issue [CVE-2025-5351]; fix use of uninitialized memory [CVE-2025-5372 CVE-2025-5987]; fix null pointer dereference issue [CVE-2025-8114]; fix memory leak [CVE-2025-8277] |
| libxml2 | Fix denial of service issue [CVE-2025-9714] |
| libyaml-syck-perl | Fix memory corruption leading to strvalue being set on empty keys |
| linux | New upstream stable release |
| linux-signed-amd64 | New upstream stable release |
| linux-signed-arm64 | New upstream stable release |
| linux-signed-i386 | New upstream stable release |
| log4cxx | Fix improper escaping issues [CVE-2025-54812 CVE-2025-54813] |
| luksmeta | Fix data corruption issue with LUKS1 [CVE-2025-11568] |
| modsecurity-apache | Fix request body error handling to propagate Apache filter/read failures correctly [CVE-2025-54571]; map request body read failures to appropriate HTTP status codes; simplify request body error propagation in mod_security2 |
| mongo-c-driver | Avoid invalid memory reads [CVE-2025-12119] |
| mydumper | Fix arbitrary file read issue [CVE-2025-30224] |
| nvidia-graphics-drivers | New upstream bugfix release [CVE-2025-23279 CVE-2025-23286] |
| nvidia-open-gpu-kernel-modules | New upstream bugfix release [CVE-2025-23279 CVE-2025-23286] |
| onetbb | Fix build failure on single-CPU and CI environments by skipping problematic tests |
| open-vm-tools | Disable SDMP service version collection by default to mitigate local privilege escalation [CVE-2025-41244] |
| openrefine | Fix MySQL host parameter injection in JDBC URL parsing [CVE-2024-23833]; fix reflected XSS in gdata OAuth callback handler [CVE-2024-47878]; fix content-type confusion XSS in ExportRows endpoint [CVE-2024-47880]; prevent remote or extension loading via SQLite connection URL [CVE-2024-47881]; escape HTML in error stack traces [CVE-2024-47882]; prevent path traversal in language file loading [CVE-2024-49760] |
| openssl | New upstream stable release |
| pam | Fix local privilege escalation in pam_namespace [CVE-2025-6020] |
| pg-snakeoil | Rebuild against libclamav12 |
| pgbouncer | Fix arbitrary SQL execution issue [CVE-2025-12819]; fix expired password use issue [CVE-2025-2291] |
| postgresql-15 | New upstream stable release; check for CREATE privileges on the schema in CREATE STATISTICS [CVE-2025-12817]; avoid integer overflow in allocation-size calculations within libpq [CVE-2025-12818] |
| qemu | New upstream stable release; fix qemu-img info https://example.com; fix migration of guests using virtio-net; fix use after free issue [CVE-2025-11234] |
| qpwgraph | Add missing dependency on libqt6svg6 |
| r-cran-gh | Fix sensitive data leak issue [CVE-2025-54956] |
| rear | Prevent created initrd from being world-readable when GRUB_RESCUE=y [CVE-2024-23301] |
| rescue | Improve btrfs support |
| rlottie | Fix outlying coordinate rejection in FreeType rasteriser [CVE-2025-0634 CVE-2025-53074 CVE-2025-53075] |
| rsync | Improve test coverage for future updates; fix out-of-bounds read via negative array index in sender file list handling [CVE-2025-10158] |
| ruby-sinatra | Fix regular expression-based denial of service issue [CVE-2025-61921] |
| samba | Fix information leak issue [CVE-2018-14628]; fix command injection issue [CVE-2025-10230]; fix uninitialized memory disclosure issue [CVE-2025-9640] |
| sash | Rebuild with updated glibc |
| shadow | Fix segmentation fault in groupmod |
| skeema | Rebuild with updated containerd |
| snapd | Rebuild with updated containerd |
| sogo | Fix HTML injection issue [CVE-2023-48104]; fix CSS injection issue [CVE-2024-24510]; fix cross-site scripting issues [CVE-2025-63498 CVE-2025-63499]; fix crash on invalid mailIdentities |
| squid | Fix denial of service issue [CVE-2023-46728]; fix mishandling of long SNMP OIDs in ASN.1 [CVE-2025-59362]; disable ESI feature support, fixing several issues [CVE-2024-45802]; remove Gopher support |
| sudo | Enable Intel CET on amd64 only |
| supermin | Rebuild with updated glibc |
| symfony | Fix PATH_INFO parsing [CVE-2025-64500]; drop failing Finder testsuite data entries |
| syslog-ng | Fix incorrect wildcard matching in certificate names [CVE-2024-47619] |
| tripwire | Rebuild with updated glibc |
| u-boot | Fix integer overflow issues [CVE-2024-57254 CVE-2024-57255 CVE-2024-57256 CVE-2024-57258]; fix stack consumption issue [CVE-2024-57257]; fix heap corruption issue [CVE-2024-57259] |
| ublock-origin | New upstream release; improve user experience and add new filter capabilities; fix denial of service issue [CVE-2025-4215] |
| unbound | Fix denial of service issue [CVE-2024-33655]; fix possible domain hijack issue [CVE-2025-11411]; fix unbound-anchor cannot deal with full disk; fix potential amplification DDoS attacks; fix incorrect return of NODATA for some ANY queries |
| user-mode-linux | Rebuild with updated linux |
| vtk9 | Fix inability to read VTK XML files with appended data on newer expat |
| zsh | Rebuild with updated glibc, libcap2 |
Security updates
This revision adds the following security updates to the oldstable release. The Security Team has already released advisories for all of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
| Package | Reason |
|---|---|
| clamav | [armel mipsel mips64el] No longer supportable on architectures without newer Rust support |
| clamsmtp | [armel mipsel mips64el] Depends on to-be-removed clamav |
| libc-icap-mod-virus-scan | [armel mipsel mips64el] Depends on to-be-removed clamav |
| libclamunrar | [armel mipsel mips64el] Depends on to-be-removed clamav |
| pagure | Broken, security issues |
| pg-snakeoil | [armel mipsel mips64el] Depends on to-be-removed clamav |
Debian Installer
The installer has been updated to include the fixes incorporated into oldstable by this point release.
URLs
The complete list of packages that have changed with this revision:
The current oldstable distribution:
Proposed updates to the oldstable distribution:
Oldstable distribution information (release notes, known issues, etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.
