------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 12: 12.11 released                       press@debian.org
May 17th, 2025                 https://www.debian.org/News/2025/20250517
------------------------------------------------------------------------
The Debian project is pleased to announce the eleventh update of its
stable distribution Debian 12 (codename "bookworm"). This point release
mainly adds corrections for security issues, along with a few
adjustments for serious problems. Security advisories have already been
published separately and are referenced where available.
Please note that the point release does not constitute a new version of
Debian 12 but only updates some of the packages included. There is no
need to throw away old "bookworm" media. After installation, packages
can be upgraded to the current versions using an up-to-date Debian
mirror.
Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:
https://www.debian.org/mirror/list
Known issues
------------
Linux 6.1.137-1, included with Debian 12.11, is unable to load the
"watchdog" and "w83977f_wdt" modules on the "amd64" architecture. This
is a regression.
This issue will be fixed in a forthcoming update.
Users who rely on the watchdog functionality should disable their
watchdog or avoid upgrading to this version of the kernel until a fix is
available.
Miscellaneous Bugfixes
----------------------
This stable update adds a few important corrections to the following
packages:
+----------------------------+----------------------------------------+
| Package | Reason |
+----------------------------+----------------------------------------+
| abseil [1] | Fix heap buffer overflow issue |
| | [CVE-2025-0838]; fix build failure on |
| | ppc64el |
| | |
| adonthell [2] | Fix compatibility with SWIG 4.1 |
| | |
| base-files [3] | Update for the point release |
| | |
| bash [4] | Rebuild for outdated Built-Using |
| | (glibc/2.36-9+deb12u5) |
| | |
| busybox [5] | Rebuild for outdated Built-Using |
| | (glibc/2.36-9) |
| | |
| cdebootstrap [6] | Rebuild for outdated Built-Using |
| | (glibc/2.36-9) |
| | |
| chkrootkit [7] | Rebuild for outdated Built-Using |
| | (glibc/2.36-9+deb12u5) |
| | |
| crowdsec [8] | Rebuild for outdated Built-Using |
| | (docker.io/20.10.24+dfsg1-1) |
| | |
| dar [9] | Rebuild for outdated Built-Using |
| | (glibc/2.36-9+deb12u5) |
| | |
| debian-archive- | Add archive signing and SRM keys for |
| keyring [10] | trixie (Debian 13); move buster |
| | (Debian 10) keys to removed keyring |
| | |
| debian-installer [11] | Increase Linux kernel ABI to 6.1.0-35; |
| | rebuild against proposed-updates |
| | |
| debian-installer-netboot- | Rebuild against proposed-updates |
| images [12] | |
| | |
| debian-security- | Update list of packages receiving |
| support [13] | limited support, or unsupported, in |
| | bookworm |
| | |
| distro-info-data [14] | Add Debian 15 and Ubuntu 25.10 |
| | |
| docker.io [15] | Rebuild for outdated Built-Using |
| | (containerd/1.6.20~ds1-1, glibc/2.36- |
| | 9+deb12u8) |
| | |
| dpdk [16] | New upstream stable release |
| | |
| fig2dev [17] | Reject huge pattern lengths [CVE-2025- |
| | 31162]; reject arcs with co-incident |
| | points [CVE-2025-31163]; allow an arc- |
| | box with zero radius [CVE-2025-31164] |
| | |
| fossil [18] | Fix interaction with an Apache HTTP |
| | server including the fix for CVE-2024- |
| | 24795 |
| | |
| gcc-12 [19] | Fix -fstack-protector handling of |
| | overflows on AArch64 [CVE-2023-4039] |
| | |
| gcc-mingw-w64 [20] | Rebuild for outdated Built-Using |
| | (gcc-12/12.2.0-13) |
| | |
| glib2.0 [21] | Fix integer overflow in |
| | g_date_time_new_from_iso8601() |
| | [CVE-2025-3360] |
| | |
| golang-github-containerd- | Rebuild for outdated Built-Using |
| stargz-snapshotter [22] | (containerd/1.6.20~ds1-1, runc/ |
| | 1.1.5+ds1-1) |
| | |
| golang-github-containers- | Rebuild for outdated Built-Using |
| buildah [23] | (containerd/1.6.20~ds1-1) |
| | |
| golang-github-openshift- | Rebuild for outdated Built-Using |
| imagebuilder [24] | (containerd/1.6.20~ds1-1, docker.io/ |
| | 20.10.24+dfsg1-1) |
| | |
| haproxy [25] | Fix heap buffer overflow issue |
| | [CVE-2025-32464] |
| | |
| igtf-policy-bundle [26] | Backport current policy bundle |
| | |
| imagemagick [27] | Fix "MIFF image depth mishandled |
| | after SetQuantumFormat" [CVE-2025- |
| | 43965] |
| | |
| initramfs-tools [28] | Restore copy_file's handling of target |
| | ending in slash; exclude usr-merge |
| | symlinks in copy_file; add reset |
| | drivers when MODULES=dep |
| | |
| krb5 [29] | Fix memory leak in ndr.c [CVE-2024- |
| | 26462]; prevent buffer overflow when |
| | calculating ulog buffer size |
| | [CVE-2025-24528] |
| | |
| libbson-xs-perl [30] | Fix security issues in embedded copy |
| | of libbson: denial of service |
| | [CVE-2017-14227]; buffer over-read |
| | [CVE-2018-16790]; infinite loop |
| | [CVE-2023-0437]; memory corruption |
| | [CVE-2024-6381]; buffer overflows |
| | [CVE-2024-6383 CVE-2025-0755] |
| | |
| libcap2 [31] | Fix incorrect recognition of group |
| | names [CVE-2025-1390] |
| | |
| libdata-entropy-perl [32] | Seed entropy pool with urandom by |
| | default [CVE-2025-1860] |
| | |
| libpod [33] | Rebuild for outdated Built-Using |
| | (containerd/1.6.20~ds1-1, docker.io/ |
| | 20.10.24+dfsg1-1, golang-github- |
| | containers-buildah/1.28.2+ds1-3) |
| | |
| libsub-handlesvia- | Fix arbitrary code execution issue |
| perl [34] | [CVE-2025-30673] |
| | |
| linux [35] | New upstream release; bump ABI to 35 |
| | |
| linux-signed-amd64 [36] | New upstream release; bump ABI to 35 |
| | |
| linux-signed-arm64 [37] | New upstream release; bump ABI to 35 |
| | |
| linux-signed-i386 [38] | New upstream release; bump ABI to 35 |
| | |
| logcheck [39] | Respect removal of /etc/logcheck/ |
| | header.txt |
| | |
| mongo-c-driver [40] | Fix infinite loop issue [CVE-2023- |
| | 0437]; fix integer overflow issue |
| | [CVE-2024-6381]; fix buffer overflow |
| | issues [CVE-2024-6383 CVE-2025-0755] |
| | |
| network-manager [41] | Fix crash dereferencing NULL pointer |
| | during debug logging [CVE-2024-6501] |
| | |
| nginx [42] | Fix buffer underread and unordered |
| | chunk vulnerabilities in mp4 |
| | [CVE-2024-7347] |
| | |
| node-fstream-ignore [43] | Fix build failure by not running tests |
| | in parallel |
| | |
| node-send [44] | Fix cross-site scripting issue |
| | [CVE-2024-43799] |
| | |
| node-serialize- | Fix cross-site scripting issue |
| javascript [45] | [CVE-2024-11831] |
| | |
| nvidia-graphics- | New upstream stable release; remove |
| drivers [46] | ppc64el support (migrated to |
| | src:nvidia-graphics-drivers- |
| | tesla-535); fix build issues with |
| | newer kernel versions; security fixes |
| | [CVE-2024-0131 CVE-2024-0147 CVE-2024- |
| | 0149 CVE-2024-0150 CVE-2024-53869 |
| | CVE-2025-23244] |
| | |
| nvidia-graphics-drivers- | New upstream stable release; |
| tesla [47] | transition to packages from |
| | src:nvidia-graphics-drivers-tesla-535 |
| | on ppc64el; fix build issues with |
| | newer kernel versions |
| | |
| nvidia-graphics-drivers- | New package for the now EOL ppc64el |
| tesla-535 [48] | support |
| | |
| nvidia-open-gpu-kernel- | New upstream stable release; security |
| modules [49] | fixes [CVE-2024-0131 CVE-2024-0147 |
| | CVE-2024-0149 CVE-2024-0150 CVE-2024- |
| | 53869 CVE-2025-23244] |
| | |
| nvidia-settings [50] | New upstream stable release; drop |
| | support for some obsolete packages; |
| | relax the nvidia-alternative |
| | dependency to a suggestion on ppc64el |
| | |
| openrazer [51] | Fix out of bounds read issue |
| | [CVE-2025-32776] |
| | |
| opensnitch [52] | Rebuild for outdated Built-Using |
| | (golang-github-google-nftables/0.1.0- |
| | 3) |
| | |
| openssh [53] | Fix the DisableForwarding directive |
| | [CVE-2025-32728] |
| | |
| openssl [54] | New upstream stable release; fix |
| | timing side channel issue [CVE-2024- |
| | 13176] |
| | |
| openvpn [55] | Avoid possible ASSERT() on OpenVPN |
| | servers using --tls-crypt-v2 |
| | [CVE-2025-2704]; prevent malicious |
| | peer DoS or log-flooding [CVE-2024- |
| | 5594]; refuse multiple exit |
| | notifications from authenticated |
| | clients [CVE-2024-28882]; update |
| | expired certificates in build tests |
| | |
| phpmyadmin [56] | Fix XSS vulnerabilities [CVE-2025- |
| | 24529 CVE-2025-24530] |
| | |
| policyd-rate-limit [57] | Fix startup with newer python3-yaml |
| | |
| poppler [58] | Fix crash on malformed files |
| | [CVE-2023-34872]; fix out-of-bounds |
| | read issues [CVE-2024-56378 CVE-2025- |
| | 32365]; fix floating point exception |
| | issue [CVE-2025-32364] |
| | |
| postgresql-15 [59] | New upstream stable release; fix |
| | buffer over-read issue [CVE-2025-4207] |
| | |
| prometheus [60] | Rebuild for outdated Built-Using |
| | (docker.io/20.10.24+dfsg1-1) |
| | |
| prometheus-postfix- | Rebuild for outdated Built-Using |
| exporter [61] | (docker.io/20.10.24+dfsg1-1) |
| | |
| python-h11 [62] | Fix request smuggling issue [CVE-2025- |
| | 43859] |
| | |
| python3.11 [63] | Fix misparsing issues [CVE-2025-0938 |
| | CVE-2025-1795] |
| | |
| qemu [64] | Rebuild for outdated Built-Using |
| | (glibc/2.36-9+deb12u9, gnutls28/3.7.9- |
| | 2+deb12u3); new upstream bugfix |
| | release |
| | |
| qtbase-opensource-src [65] | Delay HTTP2 communication until |
| | encrypted() can be responded to |
| | [CVE-2024-39936]; fix crash with null |
| | checks in table iface methods |
| | |
| redis [66] | Fix denial of service issue [CVE-2025- |
| | 21605] |
| | |
| renaissance [67] | Avoid exception on startup |
| | |
| sash [68] | Rebuild for outdated Built-Using |
| | (glibc/2.36-9) |
| | |
| shadow [69] | Fix password leak issue [CVE-2023- |
| | 4641]; fix chfn control character |
| | injection issue [CVE-2023-29383] |
| | |
| skeema [70] | Rebuild for outdated Built-Using |
| | (containerd/1.6.20~ds1-1, docker.io/ |
| | 20.10.24+dfsg1-1) |
| | |
| skopeo [71] | Rebuild for outdated Built-Using |
| | (docker.io/20.10.24+dfsg1-1) |
| | |
| telegram-desktop [72] | Rebuild for outdated Built-Using (ms- |
| | gsl/4.0.0-2) |
| | |
| tripwire [73] | Rebuild for outdated Built-Using |
| | (glibc/2.36-9+deb12u5) |
| | |
| twitter-bootstrap3 [74] | Fix cross-site scripting issues |
| | [CVE-2024-6485 CVE-2024-6484] |
| | |
| twitter-bootstrap4 [75] | Fix cross-site scripting issue |
| | [CVE-2024-6531] |
| | |
| tzdata [76] | New America/Coyhaique zone for Aysén |
| | Region in Chile |
| | |
| user-mode-linux [77] | Rebuild for outdated Built-Using |
| | (linux/6.1.82-1) |
| | |
| varnish [78] | Prevent HTTP/1 client-side desync |
| | [CVE-2025-30346] |
| | |
| wireless-regdb [79] | New upstream release |
| | |
| xmedcon [80] | Fix buffer overflow [CVE-2025-2581] |
| | |
| zsh [81] | Rebuild for outdated Built-Using |
| | (glibc/2.36-9+deb12u5, libcap2/1:2.66- |
| | 4) |
| | |
+----------------------------+----------------------------------------+
1: https://packages.debian.org/src:abseil
2: https://packages.debian.org/src:adonthell
3: https://packages.debian.org/src:base-files
4: https://packages.debian.org/src:bash
5: https://packages.debian.org/src:busybox
6: https://packages.debian.org/src:cdebootstrap
7: https://packages.debian.org/src:chkrootkit
8: https://packages.debian.org/src:crowdsec
9: https://packages.debian.org/src:dar
10: https://packages.debian.org/src:debian-archive-keyring
11: https://packages.debian.org/src:debian-installer
12: https://packages.debian.org/src:debian-installer-netboot-images
13: https://packages.debian.org/src:debian-security-support
14: https://packages.debian.org/src:distro-info-data
15: https://packages.debian.org/src:docker.io
16: https://packages.debian.org/src:dpdk
17: https://packages.debian.org/src:fig2dev
18: https://packages.debian.org/src:fossil
19: https://packages.debian.org/src:gcc-12
20: https://packages.debian.org/src:gcc-mingw-w64
21: https://packages.debian.org/src:glib2.0
22: https://packages.debian.org/src:golang-github-containerd-stargz-snapshotter
23: https://packages.debian.org/src:golang-github-containers-buildah
24: https://packages.debian.org/src:golang-github-openshift-imagebuilder
25: https://packages.debian.org/src:haproxy
26: https://packages.debian.org/src:igtf-policy-bundle
27: https://packages.debian.org/src:imagemagick
28: https://packages.debian.org/src:initramfs-tools
29: https://packages.debian.org/src:krb5
30: https://packages.debian.org/src:libbson-xs-perl
31: https://packages.debian.org/src:libcap2
32: https://packages.debian.org/src:libdata-entropy-perl
33: https://packages.debian.org/src:libpod
34: https://packages.debian.org/src:libsub-handlesvia-perl
35: https://packages.debian.org/src:linux
36: https://packages.debian.org/src:linux-signed-amd64
37: https://packages.debian.org/src:linux-signed-arm64
38: https://packages.debian.org/src:linux-signed-i386
39: https://packages.debian.org/src:logcheck
40: https://packages.debian.org/src:mongo-c-driver
41: https://packages.debian.org/src:network-manager
42: https://packages.debian.org/src:nginx
43: https://packages.debian.org/src:node-fstream-ignore
44: https://packages.debian.org/src:node-send
45: https://packages.debian.org/src:node-serialize-javascript
46: https://packages.debian.org/src:nvidia-graphics-drivers
47: https://packages.debian.org/src:nvidia-graphics-drivers-tesla
48: https://packages.debian.org/src:nvidia-graphics-drivers-tesla-535
49: https://packages.debian.org/src:nvidia-open-gpu-kernel-modules
50: https://packages.debian.org/src:nvidia-settings
51: https://packages.debian.org/src:openrazer
52: https://packages.debian.org/src:opensnitch
53: https://packages.debian.org/src:openssh
54: https://packages.debian.org/src:openssl
55: https://packages.debian.org/src:openvpn
56: https://packages.debian.org/src:phpmyadmin
57: https://packages.debian.org/src:policyd-rate-limit
58: https://packages.debian.org/src:poppler
59: https://packages.debian.org/src:postgresql-15
60: https://packages.debian.org/src:prometheus
61: https://packages.debian.org/src:prometheus-postfix-exporter
62: https://packages.debian.org/src:python-h11
63: https://packages.debian.org/src:python3.11
64: https://packages.debian.org/src:qemu
65: https://packages.debian.org/src:qtbase-opensource-src
66: https://packages.debian.org/src:redis
67: https://packages.debian.org/src:renaissance
68: https://packages.debian.org/src:sash
69: https://packages.debian.org/src:shadow
70: https://packages.debian.org/src:skeema
71: https://packages.debian.org/src:skopeo
72: https://packages.debian.org/src:telegram-desktop
73: https://packages.debian.org/src:tripwire
74: https://packages.debian.org/src:twitter-bootstrap3
75: https://packages.debian.org/src:twitter-bootstrap4
76: https://packages.debian.org/src:tzdata
77: https://packages.debian.org/src:user-mode-linux
78: https://packages.debian.org/src:varnish
79: https://packages.debian.org/src:wireless-regdb
80: https://packages.debian.org/src:xmedcon
81: https://packages.debian.org/src:zsh
Security Updates
----------------
This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:
+----------------+-----------------------------------+
| Advisory ID | Package |
+----------------+-----------------------------------+
| DSA-5877 [82] | chromium [83] |
| | |
| DSA-5878 [84] | php8.2 [85] |
| | |
| DSA-5879 [86] | opensaml [87] |
| | |
| DSA-5880 [88] | freetype [89] |
| | |
| DSA-5881 [90] | rails [91] |
| | |
| DSA-5882 [92] | chromium [93] |
| | |
| DSA-5883 [94] | mercurial [95] |
| | |
| DSA-5884 [96] | libxslt [97] |
| | |
| DSA-5885 [98] | webkit2gtk [99] |
| | |
| DSA-5886 [100] | ruby-rack [101] |
| | |
| DSA-5887 [102] | exim4 [103] |
| | |
| DSA-5888 [104] | ghostscript [105] |
| | |
| DSA-5889 [106] | firefox-esr [107] |
| | |
| DSA-5890 [108] | chromium [109] |
| | |
| DSA-5891 [110] | thunderbird [111] |
| | |
| DSA-5892 [112] | atop [113] |
| | |
| DSA-5893 [114] | tomcat10 [115] |
| | |
| DSA-5894 [116] | jetty9 [117] |
| | |
| DSA-5895 [118] | xz-utils [119] |
| | |
| DSA-5896 [120] | trafficserver [121] |
| | |
| DSA-5897 [122] | lemonldap-ng [123] |
| | |
| DSA-5898 [124] | chromium [125] |
| | |
| DSA-5899 [126] | webkit2gtk [127] |
| | |
| DSA-5900 [128] | linux-signed-amd64 [129] |
| | |
| DSA-5900 [130] | linux-signed-arm64 [131] |
| | |
| DSA-5900 [132] | linux-signed-i386 [133] |
| | |
| DSA-5900 [134] | linux [135] |
| | |
| DSA-5901 [136] | mediawiki [137] |
| | |
| DSA-5902 [138] | perl [139] |
| | |
| DSA-5903 [140] | chromium [141] |
| | |
| DSA-5904 [142] | libapache2-mod-auth-openidc [143] |
| | |
| DSA-5905 [144] | graphicsmagick [145] |
| | |
| DSA-5906 [146] | erlang [147] |
| | |
| DSA-5907 [148] | linux-signed-amd64 [149] |
| | |
| DSA-5907 [150] | linux-signed-arm64 [151] |
| | |
| DSA-5907 [152] | linux-signed-i386 [153] |
| | |
| DSA-5907 [154] | linux [155] |
| | |
| DSA-5908 [156] | libreoffice [157] |
| | |
| DSA-5909 [158] | request-tracker5 [159] |
| | |