The Debian project has announced the release of the eleventh update to its stable distribution, Debian 12 (codename Bookworm). This point release primarily focuses on correcting security issues and making adjustments for critical problems. The update does not represent a new version of Debian 12; it merely updates certain packages included within it. Individuals who regularly install updates from security.debian.org will find that they do not need to update a significant number of packages, as the majority are incorporated in the point release. New installation images will be accessible shortly at the usual locations. To upgrade an existing installation to this revision, direct the package management system to one of Debian's HTTP mirrors.
Linux 6.1.137-1 has a known issue: it cannot load the watchdog and w83977f_wdt modules on the amd64 architecture. Users who rely on the watchdog functionality are advised to disable it or refrain from upgrading until a fix is provided. Other significant bug fixes include addressing heap overflows, ensuring compatibility with SWIG 4.1, and resolving memory leaks in libbson-xs-perl.
The release resolved a range of security vulnerabilities and bugs, encompassing cross-site scripting and build failures, across various packages including nvidia-graphics-drivers, nvidia-open-gpu-kernel-modules, nvidia-settings, openrazer, opensnitch, openssh, openssl, openvpn, phpmyadmin, policyd-rate-limit, poppler, postgresql-15, prometheus, python-h11, python3.11, qemu, qtbase-opensource-src, redis, renaissance, skeema, telegram-desktop, tripwire, twitter-bootstrap3, tzdata, user-mode-linux, varnish, wireless-regdb, xmedcon, and zsh.
Updated Debian 12: 12.11 released
The Debian project is pleased to announce the eleventh update of its stable distribution Debian 12 (codename bookworm). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 12 but only updates some of the packages included. There is no need to throw away old bookworm media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Known issues
Linux 6.1.137-1, included with Debian 12.11, is unable to load the watchdog and w83977f_wdt modules on the amd64 architecture. This is a regression.
This issue will be fixed in a forthcoming update.
Users who rely on the watchdog functionality should disable their watchdog or avoid upgrading to this version of the kernel until a fix is available.
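A pre-upgrade check for the known issue above, added here as an example and not part of the Debian announcement: it reports whether a host currently has one of the two named modules loaded and would receive the affected kernel version. The function names, the verdict strings and the use of the linux-image-amd64 metapackage to find the candidate version are assumptions of this example; the sample module list is constructed.

```shell
#!/bin/sh
# Added example (not from the Debian announcement): pre-upgrade check for the
# watchdog regression in Linux 6.1.137-1 on amd64.

AFFECTED_VERSION="6.1.137-1"              # version named in the known issue
AFFECTED_MODULES="watchdog w83977f_wdt"   # modules named in the known issue

# loaded_affected_modules MODULES_TEXT
# MODULES_TEXT uses the /proc/modules layout (module name is the first field).
# Prints the affected modules that are loaded right now, space separated.
loaded_affected_modules() {
    printf '%s\n' "$1" | awk -v want="$AFFECTED_MODULES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) hit[w[i]] = 1 }
        ($1 in hit) { out = out (out ? " " : "") $1 }
        END { print out }'
}

# upgrade_verdict CANDIDATE_VERSION ARCH MODULES_TEXT
# Prints one of (hypothetical verdict strings):
#   not-applicable   architecture is not amd64
#   version-ok       the candidate kernel is not the affected version
#   unaffected       neither named module is in use on this host
#   defer: <mods>    the host uses these modules and would lose them
upgrade_verdict() {
    [ "$2" = "amd64" ] || { echo "not-applicable"; return 0; }
    [ "$1" = "$AFFECTED_VERSION" ] || { echo "version-ok"; return 0; }
    in_use=$(loaded_affected_modules "$3")
    [ -n "$in_use" ] || { echo "unaffected"; return 0; }
    echo "defer: $in_use"
}

# check_this_host: collect the three inputs from a live Debian system.
# Assumption: the kernel is tracked through the linux-image-amd64 metapackage.
check_this_host() {
    candidate=$(apt-cache policy linux-image-amd64 | awk '/Candidate:/ { print $2 }')
    upgrade_verdict "$candidate" "$(dpkg --print-architecture)" "$(cat /proc/modules)"
}

# Constructed sample in /proc/modules layout, used when run without --live.
SAMPLE_MODULES='w83977f_wdt 16384 0 - Live 0x0000000000000000
watchdog 45056 0 - Live 0x0000000000000000
ext4 983040 2 - Live 0x0000000000000000'

if [ "${1:-}" = "--live" ]; then
    check_this_host
else
    upgrade_verdict "$AFFECTED_VERSION" amd64 "$SAMPLE_MODULES"
fi
```

Run it with `--live` on the host itself before upgrading. On a `defer` verdict, `apt-mark hold linux-image-amd64` is one way to stay on the current kernel until the fix is released, assuming the kernel is installed through that metapackage.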
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
| Package | Reason |
|---|---|
| abseil | Fix heap buffer overflow issue [CVE-2025-0838]; fix build failure on ppc64el |
| adonthell | Fix compatibility with SWIG 4.1 |
| base-files | Update for the point release |
| bash | Rebuild for outdated Built-Using (glibc/2.36-9+deb12u5) |
| busybox | Rebuild for outdated Built-Using (glibc/2.36-9) |
| cdebootstrap | Rebuild for outdated Built-Using (glibc/2.36-9) |
| chkrootkit | Rebuild for outdated Built-Using (glibc/2.36-9+deb12u5) |
| crowdsec | Rebuild for outdated Built-Using (docker.io/20.10.24+dfsg1-1) |
| dar | Rebuild for outdated Built-Using (glibc/2.36-9+deb12u5) |
| debian-archive-keyring | Add archive signing and SRM keys for trixie (Debian 13); move buster (Debian 10) keys to removed keyring |
| debian-installer | Increase Linux kernel ABI to 6.1.0-35; rebuild against proposed-updates |
| debian-installer-netboot-images | Rebuild against proposed-updates |
| debian-security-support | Update list of packages receiving limited support, or unsupported, in bookworm |
| distro-info-data | Add Debian 15 and Ubuntu 25.10 |
| docker.io | Rebuild for outdated Built-Using (containerd/1.6.20~ds1-1, glibc/2.36-9+deb12u8) |
| dpdk | New upstream stable release |
| fig2dev | Reject huge pattern lengths [CVE-2025-31162]; reject arcs with co-incident points [CVE-2025-31163]; allow an arc-box with zero radius [CVE-2025-31164] |
| fossil | Fix interaction with an Apache HTTP server including the fix for CVE-2024-24795 |
| gcc-12 | Fix -fstack-protector handling of overflows on AArch64 [CVE-2023-4039] |
| gcc-mingw-w64 | Rebuild for outdated Built-Using (gcc-12/12.2.0-13) |
| glib2.0 | Fix integer overflow in g_date_time_new_from_iso8601() [CVE-2025-3360] |
| golang-github-containerd-stargz-snapshotter | Rebuild for outdated Built-Using (containerd/1.6.20~ds1-1, runc/1.1.5+ds1-1) |
| golang-github-containers-buildah | Rebuild for outdated Built-Using (containerd/1.6.20~ds1-1) |
| golang-github-openshift-imagebuilder | Rebuild for outdated Built-Using (containerd/1.6.20~ds1-1, docker.io/20.10.24+dfsg1-1) |
| haproxy | Fix heap buffer overflow issue [CVE-2025-32464] |
| igtf-policy-bundle | Backport current policy bundle |
| imagemagick | Fix MIFF image depth mishandled after SetQuantumFormat [CVE-2025-43965] |
| initramfs-tools | Restore copy_file's handling of target ending in slash; exclude usr-merge symlinks in copy_file; add reset drivers when MODULES=dep |
| krb5 | Fix memory leak in ndr.c [CVE-2024-26462]; prevent buffer overflow when calculating ulog buffer size [CVE-2025-24528] |
| libbson-xs-perl | Fix security issues in embedded copy of libbson: denial of service [CVE-2017-14227]; buffer over-read [CVE-2018-16790]; infinite loop [CVE-2023-0437]; memory corruption [CVE-2024-6381]; buffer overflows [CVE-2024-6383 CVE-2025-0755] |
| libcap2 | Fix incorrect recognition of group names [CVE-2025-1390] |
| libdata-entropy-perl | Seed entropy pool with urandom by default [CVE-2025-1860] |
| libpod | Rebuild for outdated Built-Using (containerd/1.6.20~ds1-1, docker.io/20.10.24+dfsg1-1, golang-github-containers-buildah/1.28.2+ds1-3) |
| libsub-handlesvia-perl | Fix arbitrary code execution issue [CVE-2025-30673] |
| linux | New upstream release; bump ABI to 35 |
| linux-signed-amd64 | New upstream release; bump ABI to 35 |
| linux-signed-arm64 | New upstream release; bump ABI to 35 |
| linux-signed-i386 | New upstream release; bump ABI to 35 |
| logcheck | Respect removal of /etc/logcheck/header.txt |
| mongo-c-driver | Fix infinite loop issue [CVE-2023-0437]; fix integer overflow issue [CVE-2024-6381]; fix buffer overflow issues [CVE-2024-6383 CVE-2025-0755] |
| network-manager | Fix crash dereferencing NULL pointer during debug logging [CVE-2024-6501] |
| nginx | Fix buffer underread and unordered chunk vulnerabilities in mp4 [CVE-2024-7347] |
| node-fstream-ignore | Fix build failure by not running tests in parallel |
| node-send | Fix cross-site scripting issue [CVE-2024-43799] |
| node-serialize-javascript | Fix cross-site scripting issue [CVE-2024-11831] |
| nvidia-graphics-drivers | New upstream stable release; remove ppc64el support (migrated to src:nvidia-graphics-drivers-tesla-535); fix build issues with newer kernel versions; security fixes [CVE-2024-0131 CVE-2024-0147 CVE-2024-0149 CVE-2024-0150 CVE-2024-53869 CVE-2025-23244] |
| nvidia-graphics-drivers-tesla | New upstream stable release; transition to packages from src:nvidia-graphics-drivers-tesla-535 on ppc64el; fix build issues with newer kernel versions |
| nvidia-graphics-drivers-tesla-535 | New package for the now EOL ppc64el support |
| nvidia-open-gpu-kernel-modules | New upstream stable release; security fixes [CVE-2024-0131 CVE-2024-0147 CVE-2024-0149 CVE-2024-0150 CVE-2024-53869 CVE-2025-23244] |
| nvidia-settings | New upstream stable release; drop support for some obsolete packages; relax the nvidia-alternative dependency to a suggestion on ppc64el |
| openrazer | Fix out of bounds read issue [CVE-2025-32776] |
| opensnitch | Rebuild for outdated Built-Using (golang-github-google-nftables/0.1.0-3) |
| openssh | Fix the DisableForwarding directive [CVE-2025-32728] |
| openssl | New upstream stable release; fix timing side channel issue [CVE-2024-13176] |
| openvpn | Avoid possible ASSERT() on OpenVPN servers using --tls-crypt-v2 [CVE-2025-2704]; prevent malicious peer DoS or log-flooding [CVE-2024-5594]; refuse multiple exit notifications from authenticated clients [CVE-2024-28882]; update expired certificates in build tests |
| phpmyadmin | Fix XSS vulnerabilities [CVE-2025-24529 CVE-2025-24530] |
| policyd-rate-limit | Fix startup with newer python3-yaml |
| poppler | Fix crash on malformed files [CVE-2023-34872]; fix out-of-bounds read issues [CVE-2024-56378 CVE-2025-32365]; fix floating point exception issue [CVE-2025-32364] |
| postgresql-15 | New upstream stable release; fix buffer over-read issue [CVE-2025-4207] |
| prometheus | Rebuild for outdated Built-Using (docker.io/20.10.24+dfsg1-1) |
| prometheus-postfix-exporter | Rebuild for outdated Built-Using (docker.io/20.10.24+dfsg1-1) |
| python-h11 | Fix request smuggling issue [CVE-2025-43859] |
| python3.11 | Fix misparsing issues [CVE-2025-0938 CVE-2025-1795] |
| qemu | Rebuild for outdated Built-Using (glibc/2.36-9+deb12u9, gnutls28/3.7.9-2+deb12u3); new upstream bugfix release |
| qtbase-opensource-src | Delay HTTP2 communication until encrypted() can be responded to [CVE-2024-39936]; fix crash with null checks in table iface methods |
| redis | Fix denial of service issue [CVE-2025-21605] |
| renaissance | Avoid exception on startup |
| sash | Rebuild for outdated Built-Using (glibc/2.36-9) |
| shadow | Fix password leak issue [CVE-2023-4641]; fix chfn control character injection issue [CVE-2023-29383] |
| skeema | Rebuild for outdated Built-Using (containerd/1.6.20~ds1-1, docker.io/20.10.24+dfsg1-1) |
| skopeo | Rebuild for outdated Built-Using (docker.io/20.10.24+dfsg1-1) |
| telegram-desktop | Rebuild for outdated Built-Using (ms-gsl/4.0.0-2) |
| tripwire | Rebuild for outdated Built-Using (glibc/2.36-9+deb12u5) |
| twitter-bootstrap3 | Fix cross-site scripting issues [CVE-2024-6485 CVE-2024-6484] |
| twitter-bootstrap4 | Fix cross-site scripting issue [CVE-2024-6531] |
| tzdata | New America/Coyhaique zone for Aysén Region in Chile |
| user-mode-linux | Rebuild for outdated Built-Using (linux/6.1.82-1) |
| varnish | Prevent HTTP/1 client-side desync [CVE-2025-30346] |
| wireless-regdb | New upstream release |
| xmedcon | Fix buffer overflow [CVE-2025-2581] |
| zsh | Rebuild for outdated Built-Using (glibc/2.36-9+deb12u5, libcap2/1:2.66-4) |

Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
| Package | Reason |
|---|---|
| pidgin-skype | Useless as service discontinued |
| viagee | No longer able to connect to gmail |

Debian Installer
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
stable distribution information (release notes, errata etc.):
Security announcements and information: