Updated Debian 13: 13.5 released

May 16th, 2026

The Debian project is pleased to announce the fifth update of its stable distribution Debian 13 (codename trixie). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 13 but only updates some of the packages included. There is no need to throw away old trixie media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package Reason
389-ds-base Fix heap overflow issue [CVE-2025-14905]
7zip Relax Breaks / Replaces versions to ease upgrades from bookworm
apache2 New upstream stable release; fix use-after-free issue [CVE-2026-23918]; fix privilege escalation issue [CVE-2026-24072]; fix NULL pointer dereference issues [CVE-2026-29169 CVE-2026-33007]; fix authentication bypass issue [CVE-2026-33006]; fix HTTP response splitting issue [CVE-2026-33523]; fix out-of-bounds read issues [CVE-2026-33857 CVE-2026-34032]; fix buffer over-read issue [CVE-2026-34059]
awstats Prevent command injection [CVE-2025-63261]
base-files Update for the point release
bash Rebuild with updated glibc
beads Rebuild with updated cimg
bepasty Fix loading pygments CSS
bglibs Rebuild with updated glibc
bird2 ASPA: Fix downstream validation; BGP: Fix restart behavior on reconfiguration; filters: Fix string attributes; logging: Fix error handling
black Fix arbitrary file write issue [CVE-2026-32274]
bubblewrap Fix privilege escalation issue [CVE-2026-41163]
busybox Rebuild with updated glibc
calibre Fix path traversal issues [CVE-2026-25635 CVE-2026-25636 CVE-2026-26064 CVE-2026-26065]; fix code execution issue [CVE-2026-25731]; fix HTTP response header injection issue [CVE-2026-27810]; fix IP ban bypass issue [CVE-2026-27824]
catatonit Rebuild with updated glibc
cdebootstrap Rebuild with updated glibc
chkrootkit Rebuild with updated glibc
cimg Fix overflow issue [CVE-2026-42144]; fix out of memory issue with crafted files [CVE-2026-42146]
cockpit Fix code execution issue [CVE-2026-4631]
composer Fix command injection issues [CVE-2026-40261 CVE-2026-40176]
condor Rebuild with updated glibc
curl Fix server certificate verification issue [CVE-2025-13034]
dar Rebuild with updated glibc, libcap2, openssl
debian-installer Bump linux ABI to 6.12.86+deb13
debian-installer-netboot-images Rebuild against proposed-updates
debmirror Add debmirror-specific User-Agent header
distribution-gpg-keys Update included keys
distro-info-data Add Ubuntu 26.10 Stonking Stingray
distrobuilder Rebuild with updated incus
docker.io Rebuild with updated glibc
dovecot Fix memory leak in CVE-2026-27857 fix
e2fsprogs Rebuild with updated glibc
efibootguard Rebuild against gnu-efi with #1086705 fixed
ejabberd Ignore certificate purpose for incoming s2s connections
ejabberd-contrib Rebuild with updated ejabberd
epics-base Skip failing build-time test
erlang Fix path traversal issues [CVE-2026-21620 CVE-2026-23942]; fix HTTP request smuggling issue [CVE-2026-23941]; fix denial of service issue [CVE-2026-23943]
erlang-p1-tls Accept client certificates without sslpurpose flag
exim4 Fix GnuTLS hostname verify of a server certificate with a zero-length Subject; fix denial of service issue [CVE-2026-40684]; fix out-of-bounds read/write issues [CVE-2026-40685 CVE-2026-40686 CVE-2026-40687]
feed2toot Ensure compatibility with Python 3.13
firewalld Prevent local users from being able to modify runtime firewall state without prior authentication if the desktop policy is active [CVE-2026-4948]
freerdp3 Fix issues with large certificates; fix clipboard paste issue; fix segmentation fault issue [CVE-2025-4478]; fix use-after-free issues [CVE-2026-22851 CVE-2026-22856 CVE-2026-22857 CVE-2026-23883 CVE-2026-23884 CVE-2026-24491 CVE-2026-24675 CVE-2026-24676 CVE-2026-24678 CVE-2026-24680 CVE-2026-24681 CVE-2026-24683 CVE-2026-24684 CVE-2026-25952 CVE-2026-25953 CVE-2026-25954 CVE-2026-25955 CVE-2026-25959 CVE-2026-25997 CVE-2026-26986]; fix buffer overflow issues [CVE-2026-22852 CVE-2026-22853 CVE-2026-22854 CVE-2026-23530 CVE-2026-23531 CVE-2026-23532 CVE-2026-23533 CVE-2026-23534 CVE-2026-23732]; fix out-of-bounds read issues [CVE-2026-22855 CVE-2026-22859 CVE-2026-24677 CVE-2026-24679 CVE-2026-24682 CVE-2026-25941 CVE-2026-25942]; fix buffer underflow issues [CVE-2026-22858 CVE-2026-26955]; fix NULL pointer dereference issue [CVE-2026-23948]; fix buffer over-read issue [CVE-2026-26271]; fix out-of-bounds write issue [CVE-2026-26965]; fix denial of service issue [CVE-2026-27015]; fix buffer overflow issues [CVE-2026-29774 CVE-2026-31806 CVE-2026-31883 CVE-2026-33982 CVE-2026-33984]; fix out-of-bounds read/write issues [CVE-2026-29775 CVE-2026-31885 CVE-2026-31897 CVE-2026-33986 CVE-2026-33987]; fix integer underflow issue [CVE-2026-29776]; fix denial of service issues [CVE-2026-31884 CVE-2026-33952 CVE-2026-33977 CVE-2026-33983]; fix data leak issue [CVE-2026-33985]; fix double free issue [CVE-2026-33995]; fix path traversal issue [CVE-2026-40254]
fwupd Thunderbolt: Fix deploying the thunderbolt controller on the X280
git-lfs Fix arbitrary file write issue [CVE-2025-26625]
glance Fix server-side request forgery issue [CVE-2026-34881]; fix build failure
glib2.0 Fix timezone handling with Debian & Ubuntu's symlinks; fix missing input validation in g_buffered_input_stream_peek [CVE-2026-0988]; fix integer overflow in base64 encoding [CVE-2026-1484]; fix buffer underflow issue in content type parsing [CVE-2026-1485]; fix integer overflow in unicode conversion [CVE-2026-1489]
glibc Fix incorrect handling of DNS responses [CVE-2026-4437]; fix return of invalid DNS hostnames [CVE-2026-4438]; fix assertion failure [CVE-2026-4046]; fix a null pointer dereference in the nss_database_check_reload_and_get function; fix invalid pointer arithmetic in ANSI_X3.110 iconv module; various test suite fixes
gnupg2 Rebuild with updated glibc
gnutls28 Preserve extension order across client Hello retry
grub-efi-amd64-signed Fix an illegal instruction on riscv64
grub-efi-arm64-signed Fix an illegal instruction on riscv64
grub-efi-ia32-signed Fix an illegal instruction on riscv64
grub2 Fix an illegal instruction on riscv64
gvfs Use control connection address for PASV data [CVE-2026-28295]; reject paths containing CR/LF characters [CVE-2026-28296]
harfbuzz Fix NULL pointer dereference issue [CVE-2026-22693]
heimdal Fix memory leak in heimdal-clients; add build dependency on libcrypt-dev
initramfs-tools Include Cadence driver, fixing failure to boot from USB storage on boards using Starfive SoC; unmkinitramfs: Accept lower-case hex digits in cpio headers, fixing compatibility with some other tools
integrit Rebuild with updated glibc
jpeg-xl Fix uninitialised memory read issues [CVE-2025-12474 CVE-2026-1837]; fix cross build failure; fix nojava build profile; fix build on big-endian architectures
jq Fix buffer overflow issue [CVE-2026-32316]; fix denial of service issues [CVE-2026-33947 CVE-2026-39956]; fix validation bypass issue [CVE-2026-33948]; fix out-of-bounds read issue [CVE-2026-39979]; fix use of hardcoded seed [CVE-2026-40164]
kissfft Fix integer overflow issues [CVE-2025-34297 CVE-2026-41445]
kpackage Skip unreliable build-time test
lemonldap-ng OIDC: don't ignore non-default signature algorithm; OIDC: register Front-Channel-Logout URL; really hide passwords in session-explorer when stored in session; update documentation to avoid using unsecured Nginx variable
libarchive Fix out-of-bounds read issues [CVE-2025-5918 CVE-2026-4424]; fix denial of service issues [CVE-2026-4111 CVE-2026-4426]; fix possible code execution issue [CVE-2026-5121]
libcap2 Fix time of check / time of use issue [CVE-2026-4878]
libcdio Fix buffer overflow issue [CVE-2024-36600]
libcoap3 Fix out-of-bounds read issue [CVE-2026-29013]; fix buffer overflow issue [CVE-2025-34468]
libcryptx-perl Fix Crypt::PK key generation not being fork-safe, which could generate identical keys in forked processes [CVE-2026-41564]
libdatetime-timezone-perl Update to database 2026a; update included timezone data
libexif Fix integer underflow issues [CVE-2026-40386 CVE-2026-32775]; fix integer overflow issue [CVE-2026-40385]
libfinance-quote-perl Fix date in quotes retrieved from XETRA source
libnet-cidr-lite-perl Fix ACL bypass issues [CVE-2026-40198 CVE-2026-40199]
libreoffice-texmaths Add dependency on dvipng/dvisvgm
libtext-csv-xs-perl Fix stack corruption issue [CVE-2026-7111]
libvncserver Fix out of bounds read issue [CVE-2026-32853]; fix NULL pointer dereference issue [CVE-2026-32854]
libxml-security-java Fix private key disclosure issue [CVE-2023-44483]
libxslt Fix deterministic generate-id() regression causing build failures in other packages
lxc Fix authorisation bypass issue [CVE-2026-39402]
mailman-suite Add django.contrib.humanize to recommended apps in sample config
mapserver Fix buffer overflow issue [CVE-2026-33721]
mksh Rebuild with updated musl
modsecurity-crs Fix file extension blocking bypass issue [CVE-2026-33691]
mongo-c-driver Fix insufficient validation issues [CVE-2025-14911 CVE-2026-6231]; fix denial of service issue [CVE-2026-4359]; fix buffer overflow issue [CVE-2026-6691]; improve handling of corrupt GridFS files
mumble Fix Opus buffer overrun leading to crash
musl Fix denial of service issue [CVE-2026-6042]; fix stack corruption issue [CVE-2026-40200]
nano Fix overly broad permissions issue [CVE-2026-6842]; fix format string issue [CVE-2026-6843]
nautilus-wipe Remove Multi-Arch: same
netatalk Fix authentication in complex AD environments
nginx Fix buffer overflow issues [CVE-2026-27654 CVE-2026-27784 CVE-2026-32647]; fix session authentication issues [CVE-2026-27651 CVE-2026-28753]; fix OCSP result bypass issue [CVE-2026-28755]; use $host instead of $http_host
node-flatted Fix prototype pollution issue [CVE-2026-33228]
node-node-rsa Fix builds with OpenSSL 3
node-tar Properly sanitize absolute linkpaths [CVE-2026-23745]; normalize out unicode ligatures [CVE-2026-23950]; properly sanitize hard links containing '..' [CVE-2026-24842]; prevent hardlinking to files outside the extraction root [CVE-2026-26960]; strip leading '/' before sanitizing '..' [CVE-2026-29786]; prevent escaping symlinks with drive-relative paths [CVE-2026-31802]
numba Conditionally skip tests requiring more CPUs than available
openssh Ensure scp does not unexpectedly make transferred files setuid or setgid [CVE-2026-35385]; fix command execution issue [CVE-2026-35386]; fix incomplete application of PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard to ECDSA keys [CVE-2026-35387]; use connection multiplexing confirmation for proxy-mode multiplexing sessions [CVE-2026-35388]; fix handling of the authorized_keys principals option [CVE-2026-35414]; validate user and host names for ProxyJump/-J options passed via the command line; IPQoS handling improvements; don't reuse c->isatty for signalling that the remote channel has a tty attached
openssl New upstream stable release
orca Remove lightdm wrapper on package removal
osdlyrics Add missing runtime dependency python3-pycurl; rebuild in a clean environment
pgbouncer Fix integer overflow issue [CVE-2026-6664]; fix stack overflow issues [CVE-2026-6665]; fix NULL pointer dereference issue [CVE-2026-6666]; fix missing authorization check [CVE-2026-6667]
phosh Cell-broadcast-prompt: close dialog on swipe; strip whitespace; wifi-network: don't unconditionally overwrite active access point; don't set active indicator visible
php-league-commonmark Fix DisallowedRawHtml bypass via newline/tab in tag names [CVE-2026-30838]; fix DomainFilteringAdapter hostname boundary bypass [CVE-2026-33347]
php-phpseclib Fix denial of service issue [CVE-2024-27355]; fix variable time comparison issue [CVE-2026-40194]
php-phpseclib3 Fix denial of service issue [CVE-2024-27355]; fix variable time comparison issue [CVE-2026-40194]
phpseclib Fix denial of service issue [CVE-2024-27355]; fix variable time comparison issue [CVE-2026-40194]
proftpd-dfsg Fix SQL injection issue [CVE-2026-42167]
pymupdf Improve safety of 'pymupdf embed-extract' when dealing with existing files [CVE-2026-3029]
python-authlib Fix cross-site request forgery issue [CVE-2025-68158]; fix denial of service issues [CVE-2025-62706 CVE-2025-61920]; fix policy bypass issue [CVE-2025-59420]
python-bottle-sqlite Fix compatibility with Python 3.11+
python-certbot Re-use selected profile for renewals
python-ldap Fix insufficient escaping issue [CVE-2025-61911]; fix denial of service issue [CVE-2025-61912]
python-mapbox-earcut Remove Multi-Arch: same annotation
python-oslo.db Fix compatibility with newer mariadb versions
python3-lxc Fix compatibility with Python 3.13
python3.13 Fix header injection issues [CVE-2025-11468 CVE-2025-15282 CVE-2026-0672 CVE-2026-0865 CVE-2026-1299]; fix denial of service issues [CVE-2025-12084 CVE-2025-13836 CVE-2025-13837 CVE-2025-6069 CVE-2025-6075 CVE-2025-8194]; fix incorrect parsing of TarInfo header [CVE-2025-13462]; fix insufficient validation in zipFile [CVE-2025-8291]; fix missing sys.audit invocation [CVE-2026-2297]; fix early halt of base64 processing [CVE-2026-3446]; fix validation bypass issue [CVE-2026-3644]; fix stack overflow issue [CVE-2026-4224]; fix insufficient validation issue [CVE-2026-4519]; fix insufficient escaping issue [CVE-2026-6019]; fix use-after-free issue
qcoro Skip unreliable build-time tests
qemu Rebuild with updated glib2.0, glibc
qt6-base Fix data race issues
remmina Disable phone home functionality
request-tracker5 Fix builds of CKEditor when firefox is >= 148
rsync Fix symlink handling on the receiver; fix use-after-free issue [CVE-2026-41035]
sash Rebuild with updated glibc
sed Fix time of check / time of use issue [CVE-2026-5958]
snapd Rebuild with updated libcap2, glibc
starlet Fix HTTP request smuggling issue [CVE-2026-40561]
stayrtr Stop serving stale VRPs when the validator is stuck; use Restart=on-abnormal instead of on-abort
sudo Fix privilege escalation issue [CVE-2026-35535]
supermin Rebuild with updated musl
superqt Skip unreliable font metrics test
suricata Fix denial of service issues [CVE-2026-31932 CVE-2026-31933 CVE-2026-31935 CVE-2026-31937]
swupdate Fix denial of service issue [CVE-2026-28525]
sylpheed Add link check to address [CVE-2021-37746]
systemd New upstream stable release; ensure /tmp workaround does not override local unit/fstab; fix assert and freeze [CVE-2026-29111]; fix code execution issues [CVE-2026-40225 CVE-2026-4105]; fix nspawn escape-to-host issue [CVE-2026-40226]
systemd-boot-efi-amd64-signed New upstream stable release; ensure /tmp workaround does not override local unit/fstab; fix assert and freeze [CVE-2026-29111]; fix code execution issues [CVE-2026-40225 CVE-2026-4105]; fix nspawn escape-to-host issue [CVE-2026-40226]
systemd-boot-efi-arm64-signed New upstream stable release; ensure /tmp workaround does not override local unit/fstab; fix assert and freeze [CVE-2026-29111]; fix code execution issues [CVE-2026-40225 CVE-2026-4105]; fix nspawn escape-to-host issue [CVE-2026-40226]
tini Rebuild with updated glibc
tiv Rebuild with updated cimg
toil Conditionally skip build-time tests requiring more CPUs than available
tripwire Rebuild with updated glibc
tsocks Rebuild with updated glibc
tzdata New upstream release; update data for British Columbia
unbound Never try TLS to reach root nameservers
user-mode-linux Rebuild with updated linux
vips Fix buffer overflow issues [CVE-2026-2913 CVE-2026-3147 CVE-2026-3281]; fix memory corruption issue [CVE-2026-3145]; fix NULL pointer dereference issue [CVE-2026-3146]; fix out-of-bounds read issues [CVE-2026-3282 CVE-2026-3283]; fix integer overflow issue [CVE-2026-3284]
xorg-server Fix buffer re-use issue [CVE-2026-33999]; fix / improve bounds checking [CVE-2026-34000 CVE-2026-34003]; fix use-after-free issue [CVE-2026-34001]; fix out-of-bounds read issue [CVE-2026-34002]
zsh Rebuild with updated libcap2, glibc

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-6088 php8.4
DSA-6158 imagemagick
DSA-6160 netty
DSA-6161 multipart
DSA-6162 linux-signed-amd64
DSA-6162 linux-signed-arm64
DSA-6162 linux
DSA-6164 chromium
DSA-6165 chromium
DSA-6166 nodejs
DSA-6167 gst-plugins-base1.0
DSA-6168 freetype
DSA-6169 imagemagick
DSA-6170 snapd
DSA-6171 chromium
DSA-6172 webkit2gtk
DSA-6173 freeciv
DSA-6174 spip
DSA-6175 libyaml-syck-perl
DSA-6176 strongswan
DSA-6177 chromium
DSA-6178 firefox-esr
DSA-6179 thunderbird
DSA-6180 ruby-rack
DSA-6181 bind9
DSA-6182 libxml-parser-perl
DSA-6183 nodejs
DSA-6184 incus
DSA-6185 phpseclib
DSA-6186 php-phpseclib
DSA-6187 php-phpseclib3
DSA-6188 lxd
DSA-6189 libpng1.6
DSA-6190 gst-plugins-bad1.0
DSA-6191 gst-plugins-ugly1.0
DSA-6192 chromium
DSA-6193 inetutils
DSA-6194 pyasn1
DSA-6195 python-tornado
DSA-6196 roundcube
DSA-6197 dovecot
DSA-6198 valkey
DSA-6200 tor
DSA-6201 openssl
DSA-6202 firefox-esr
DSA-6203 tiff
DSA-6204 openssh
DSA-6205 chromium
DSA-6206 gdk-pixbuf
DSA-6207 flatpak
DSA-6208 mediawiki
DSA-6209 xdg-dbus-proxy
DSA-6211 thunderbird
DSA-6212 incus
DSA-6213 lxd
DSA-6214 chromium
DSA-6215 gimp
DSA-6216 opam
DSA-6217 luanti
DSA-6218 mupdf
DSA-6219 pillow
DSA-6220 simpleeval
DSA-6221 ntfs-3g
DSA-6222 ngtcp2
DSA-6225 firefox-esr
DSA-6226 packagekit
DSA-6227 strongswan
DSA-6228 cpp-httplib
DSA-6229 thunderbird
DSA-6230 chromium
DSA-6231 jtreg7
DSA-6231 openjdk-21
DSA-6232 webkit2gtk
DSA-6233 pdns
DSA-6234 pdns-recursor
DSA-6235 dnsdist
DSA-6236 firefox-esr
DSA-6238 linux-signed-amd64
DSA-6238 linux-signed-arm64
DSA-6238 linux
DSA-6239 chromium
DSA-6240 imagemagick
DSA-6241 python-aiohttp
DSA-6242 thunderbird
DSA-6244 incus
DSA-6246 openjdk-25
DSA-6247 lxd
DSA-6248 apache2
DSA-6249 wireshark
DSA-6251 libreoffice
DSA-6252 prosody
DSA-6253 linux-signed-amd64
DSA-6253 linux-signed-arm64
DSA-6253 linux
DSA-6254 firefox-esr
DSA-6257 postorius
DSA-6259 pyjwt
DSA-6260 tor
DSA-6261 corosync
DSA-6262 lcms2
DSA-6263 libpng1.6
DSA-6264 dnsmasq
DSA-6265 exim4

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
dav4tbsync Superseded by Thunderbird 140

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

https://deb.debian.org/debian/dists/trixie/ChangeLog

The current stable distribution:

https://deb.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

https://deb.debian.org/debian/dists/proposed-updates

Stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.