Debian GNU/Linux 12.12 Released
The Debian project has announced the twelfth update to its oldstable distribution, Debian 12 (Bookworm). This point release brings security updates and fixes for a number of serious issues.
Key Highlights
- The update mainly focuses on addressing security vulnerabilities, with many packages receiving important corrections.
- No need to discard existing installation media; simply upgrade using an up-to-date Debian mirror.
- New installation images will be available at the regular locations soon.
Packages Affected by Security Updates
This release includes numerous security updates for various packages. Some of the notable ones are:
- Apache2: Multiple CVEs addressed, including HTTP response splitting and server-side request forgery issues.
- Botan: Fixes for denial-of-service issues and improper parsing of name constraints.
- Clamav: New upstream stable release with buffer overflow fixes.
- Docker.io: Rebuilt against glibc 2.36-9+deb12u12.
- Expat: Denial-of-service issue fixes and a parser crash fix.
- Firebird3.0: NULL pointer dereference issue fixed.
- Glibc: Fixes for an incorrect LD_LIBRARY_PATH search in dlopen for static setuid binaries and for a double free issue, plus improved memory layout in the exp/exp10/expf functions and a new SVE implementation of memset on aarch64.
- Jinja2: Arbitrary code execution issue fixed.
- Libxml2: Integer overflow in xmlBuildQName, potential buffer overflows, use-after-free, and type confusion issues addressed.
- OpenSSL: New upstream stable release, with some upstream changes reverted to avoid crashes in downstream software.
- PostgreSQL-15: Security checks tightened in planner estimation functions; pg_dump scripts prevented from being used to attack the user running the restore.
- Python-django: Various CVEs fixed, including regular expression-based denial-of-service issues and SQL injection vulnerabilities.
- Webpy: Fixed SQL injection issue.
Other Notable Updates
The update also includes a number of other fixes, most of them not related to security:
- Debian-installer: Increased Linux kernel ABI to 6.1.0-39 and rebuilt against oldstable-proposed-updates.
- Debian-installer-netboot-images: Rebuilt against oldstable-proposed-updates.
- Distro-info-data: Added Ubuntu end-of-legacy-support dates, and the release and estimated end-of-life dates for trixie.
- Djvulibre: Denial-of-service issue fixes.
Installation and Upgrade Instructions
For existing installations:
- Update the package list by running apt update.
- Upgrade packages using apt full-upgrade.
For new installations, wait for the updated installation images to become available at the regular locations.
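The two-step upgrade above, wrapped in an added example script that is not part of the Debian announcement: it gates on the version recorded in /etc/debian_version, runs the announcement's two apt commands, and reports whether a reboot is still needed to pick up the 6.1.0-39 kernel. The function and option names are this example's own; it assumes a stock Debian 12 host with apt, dpkg and /etc/debian_version, run as root.

```shell
#!/bin/sh
# Added example, not part of the Debian announcement: apply the 12.12 point
# release to a Bookworm host, gating on the currently installed version and
# confirming the result afterwards. Assumes a stock Debian 12 system with
# apt, dpkg and /etc/debian_version; run as root.
set -eu

# Return 0 when VERSION (the content of /etc/debian_version) is a Debian 12
# point release older than 12.12, 1 otherwise. Pure string handling, so it can
# be exercised without touching the package system. Values such as
# "bookworm/sid" (testing/unstable) or "11.9" (Bullseye) are rejected.
bookworm_needs_point_update() {
    version="$1"
    case "$version" in
        12.*) ;;
        *) return 1 ;;
    esac
    minor="${version#12.}"
    case "$minor" in
        ''|*[!0-9]*) return 1 ;;    # not a plain point-release number
    esac
    [ "$minor" -lt 12 ]
}

# The announcement's two-step procedure, with a version gate in front of it
# and a verification step behind it.
upgrade_to_point_release() {
    current=$(cat /etc/debian_version)
    if ! bookworm_needs_point_update "$current"; then
        echo "Debian $current: no 12.12 point update to apply"
        return 0
    fi
    apt update           # refresh package lists from the configured mirror
    apt full-upgrade     # apply all updates, including ones needing new dependencies
    # base-files carries /etc/debian_version, so it now reports the new release.
    echo "Debian $(cat /etc/debian_version) installed"
    # The point release ships a kernel with ABI 6.1.0-39; the running kernel
    # does not change until the host is rebooted.
    case "$(uname -r)" in
        6.1.0-39-*) echo "running kernel already at ABI 6.1.0-39" ;;
        *) echo "running kernel is $(uname -r); reboot to load the 6.1.0-39 kernel" ;;
    esac
}

# Only perform the upgrade when explicitly requested, so that sourcing this
# file for its helper function has no side effects.
if [ "${1:-}" = "--apply" ]; then
    upgrade_to_point_release
fi
```

Run it as `sh upgrade.sh --apply` on the host; without the flag it only defines the functions. The version gate keeps the script from running apt on a Bullseye or testing machine by mistake, and the kernel check is worth keeping in any patch runbook: until the reboot, the host is still on the old kernel even though dpkg reports the new one.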
Updated packages in detail
This oldstable update adds important corrections to the following packages:
| Package | Reason |
|---|---|
| amd64-microcode | Update AMD-SEV firmware [CVE-2024-56161]; update included microcode |
| aom | Fix libaom encoder output validity |
| apache2 | New upstream stable release; fix HTTP response splitting issue [CVE-2024-42516]; fix server-side request forgery issue [CVE-2024-43204 CVE-2024-43394]; fix log injection issue [CVE-2024-47252]; fix access control bypass issue [CVE-2025-23048]; fix denial of service issue [CVE-2025-49630]; fix potential man-in-the-middle issue [CVE-2025-49812]; fix memory lifetime management issue [CVE-2025-53020] |
| b43-fwcutter | Update firmware URL |
| balboa | Rebuild against glibc 2.36-9+deb12u12 |
| base-files | Update for the point release |
| bash | Rebuild against glibc 2.36-9+deb12u12 |
| botan | Fix denial of service issues [CVE-2024-34702 CVE-2024-34703]; fix improper parsing of name constraints [CVE-2024-39312]; fix compiler-induced secret-dependent operation issue [CVE-2024-50383] |
| busybox | Rebuild against glibc 2.36-9+deb12u12 |
| ca-certificates | Add Sectigo Public Server Authentication Root E46 and Sectigo Public Server Authentication Root R46 |
| catatonit | Rebuild against glibc 2.36-9+deb12u12 |
| cdebootstrap | Rebuild against glibc 2.36-9+deb12u12 |
| chkrootkit | Rebuild against glibc 2.36-9+deb12u12 |
| cjson | Fix denial of service issue [CVE-2023-26819]; fix buffer overflow issue [CVE-2023-53154] |
| clamav | New upstream stable release; fix buffer overflow issues [CVE-2025-20128 CVE-2025-20260] |
| cloud-init | Make hotplug socket writable only by root [CVE-2024-11584]; don't attempt to identify non-x86 OpenStack instances [CVE-2024-6174] |
| commons-beanutils | Fix improper access control issue [CVE-2025-48734] |
| commons-vfs | Fix path traversal issue [CVE-2025-27553] |
| corosync | Fix buffer overflow vulnerability on large UDP packets [CVE-2025-30472] |
| criu | Fix restore functionality of mount namespaces with newer kernel versions |
| curl | Fix regression handling sftp://host/~ URIs; fix a memory leak |
| dar | Rebuild against glibc 2.36-9+deb12u12 |
| debian-edu-config | Fix quoting in Exim configuration; gosa-sync: fix password verification; fix quoting in gosa.conf |
| debian-installer | Increase Linux kernel ABI to 6.1.0-39; rebuild against oldstable-proposed-updates; add console-setup-pc-ekmap for arm64 and armhf CD images; use nomodeset rather than fb=false to disable framebuffer |
| debian-installer-netboot-images | Rebuild against oldstable-proposed-updates |
| debian-security-support | Query source:Package instead of Source to get the correct list of packages; fix typo related to gobgp |
| distro-info-data | Add Ubuntu end of Legacy Support dates; add release and estimated EoL for trixie |
| djvulibre | Fix denial of service issues [CVE-2021-46310 CVE-2021-46312] |
| docker.io | Rebuild against glibc 2.36-9+deb12u12 |
| dpdk | New upstream stable release |
| dropbear | Fix shell injection vulnerability in multihop handling [CVE-2025-47203] |
| e2fsprogs | Rebuild against glibc 2.36-9+deb12u12 |
| erlang | ssh: fix strict KEX hardening [CVE-2025-46712]; zip: sanitize pathnames when extracting files with absolute pathnames [CVE-2025-4748]; fix documentation build failure with newer xsltproc versions |
| expat | Fix denial of service issues [CVE-2023-52425 CVE-2024-8176]; fix parser crash [CVE-2024-50602] |
| fig2dev | Detect nan in spline control values [CVE-2025-46397]; permit \0 in 2nd line in fig file [CVE-2025-46398]; ge output: correct spline computation [CVE-2025-46399]; reject arcs with a radius smaller than 3 [CVE-2025-46400] |
| firebird3.0 | Fix NULL pointer dereference issue [CVE-2025-54989] |
| fort-validator | Fix denial of service issues [CVE-2024-45234 CVE-2024-45235 CVE-2024-45236 CVE-2024-45238 CVE-2024-45239 CVE-2024-48943]; fix buffer overflow issue [CVE-2024-45237] |
| galera-4 | New upstream stable release |
| glib2.0 | Fix buffer underflow issue [CVE-2025-4373 CVE-2025-7039]; improve upgrade safety |
| glibc | Fix incorrect LD_LIBRARY_PATH search in dlopen for static setuid binaries [CVE-2025-4802]; improve memory layout of structures in exp/exp10/expf functions; add an SVE implementation of memset on aarch64; improve generic implementation of memset on aarch64; fix double free issue [CVE-2025-8058] |
| gnupg2 | Rebuild against glibc 2.36-9+deb12u12; fix recommends of architecture-any packages on architecture-all package to support binNMUs |
| golang-github-gin-contrib-cors | Fix mishandling of wildcards [CVE-2019-25211] |
| gst-plugins-base1.0 | Fix buffer overrun issue [CVE-2025-47806]; fix NULL pointer dereference issues [CVE-2025-47807 CVE-2025-47808] |
| gst-plugins-good1.0 | Fix possible information disclosure issue [CVE-2025-47219] |
| init-system-helpers | Fix handling of os-release diversions from live-build, ensuring they don't exist in non-live systems |
| insighttoolkit4 | Fix build on systems with a single CPU |
| insighttoolkit5 | Fix build on systems with a single CPU |
| integrit | Rebuild against glibc 2.36-9+deb12u12 |
| iperf3 | Fix buffer overflow issue [CVE-2025-54349]; fix assertion failure [CVE-2025-54350] |
| jinja2 | Fix arbitrary code execution issue [CVE-2025-27516] |
| jq | Zero-terminate string in jv.c [CVE-2025-48060] |
| kexec-tools | Remove no longer required dependencies |
| kmail-account-wizard | Fix man in the middle attack issue [CVE-2024-50624] |
| krb5 | Fix message tampering issue [CVE-2025-3576]; disable issuance of tickets using RC4 or triple-DES session keys by default |
| kubernetes | Sanitise raw data output to terminal [CVE-2021-25743]; hide long and multi-line strings when printing |
| libarchive | Fix integer overflow issues [CVE-2025-5914 CVE-2025-5916], buffer over-read issue [CVE-2025-5915], buffer overflow issue [CVE-2025-5917] |
| libbpf | Fix operation with newer systemd versions |
| libcap2 | Rebuild against glibc 2.36-9+deb12u12; add missing Built-Using: glibc |
| libcgi-simple-perl | Fix HTTP response splitting issue [CVE-2025-40927] |
| libfcgi | Fix integer overflow issue [CVE-2025-23016] |
| libfile-tail-perl | Fix uninitialized variable issue |
| libphp-adodb | Fix SQL injection vulnerability in pg_insert_id() [CVE-2025-46337] |
| libraw | Fix out-of-bounds read issues [CVE-2025-43961 CVE-2025-43962 CVE-2025-43963]; enforce minimum w0 and w1 values [CVE-2025-43964] |
| libreoffice | Add EUR support for Bulgaria |
| libsndfile | Fix integer overflow issues [CVE-2022-33065]; fix out of bounds read issue [CVE-2024-50612] |
| libsoup3 | New upstream bug-fix release; fix buffer overrun issue [CVE-2024-52531]; fix denial of service issues [CVE-2024-52532 CVE-2025-32051]; fix heap overflow issues [CVE-2025-32052 CVE-2025-32053]; fix integer overflow issue [CVE-2025-32050]; fix heap buffer overflow issues [CVE-2025-2784]; reject HTTP headers if they contain null bytes [CVE-2024-52530]; fix denial of service issues [CVE-2025-32909 CVE-2025-32910 CVE-2025-46420 CVE-2025-32912 CVE-2025-32906]; fix memory management issues [CVE-2025-32911 CVE-2025-32913]; fix credential disclosure issue [CVE-2025-46421]; fix use-after-free during disconnection, which can cause GNOME Calculator to hang at startup; fix a test failure on some 32-bit systems |
| libtheora | Fix segfault during decoder initialisation; avoid possible bit-shifting in decoder |
| libtpms | Fix out of bounds read issue [CVE-2025-49133] |
| libxml2 | Fix integer overflow issue in xmlBuildQName [CVE-2025-6021]; fix potential buffer overflows in the interactive shell [CVE-2025-6170]; fix use-after-free issue in xmlSchematronReportOutput [CVE-2025-49794]; fix type confusion issue in xmlSchematronReportOutput [CVE-2025-49796] |
| libyaml-libyaml-perl | Fix arbitrary file edit issue [CVE-2025-40908] |
| lintian | Add bookworm to duke to the list of known Debian release names; don't emit source-nmu-has-incorrect-version-number for stable updates |
| linux | New upstream stable release; increase ABI to 39 |
| linux-signed-amd64 | New upstream stable release; increase ABI to 39 |
| linux-signed-arm64 | New upstream stable release; increase ABI to 39 |
| linux-signed-i386 | New upstream stable release; increase ABI to 39 |
| llvm-toolchain-19 | New upstream stable release |
| luajit | Fix buffer overflow issue [CVE-2024-25176]; fix denial of service issue [CVE-2024-25177]; fix out-of-bounds read issue [CVE-2024-25178] |
| lxc | Rebuild against glibc 2.36-9+deb12u12 |
| mailgraph | Update embedded copy of Parse::Syslog, enabling support for RFC3339 dates |
| mariadb | New upstream stable release; security fixes [CVE-2023-52969 CVE-2023-52970 CVE-2023-52971 CVE-2025-30693 CVE-2025-30722]; fix restart after out of memory; new upstream stable release; fix variable name in debian-start.sh |
| mkchromecast | Replace youtube-dl with yt-dlp |
| mlt | Fix Python scripts |
| mono | Remove unneeded (and broken) mono-source package |
| mosquitto | Fix memory leak issue [CVE-2023-28366]; fix out of bounds memory access issue [CVE-2024-10525]; fix double free issue [CVE-2024-3935]; fix possible segmentation fault issue [CVE-2024-8376] |
| multipath-tools | Reinstate ANA prioritizer in build process |
| nextcloud-desktop | Fix share options in graphical interface |
| nginx | Fix potential information leak in ngx_mail_smtp_module [CVE-2025-53859] |
| node-addon-api | Add support for nodejs >= 18.20 |
| node-csstype | Fix build failure |
| node-form-data | Fix insufficient randomness issue [CVE-2025-7783] |
| node-minipass | Fix tap reporter in auto test and autopkgtest |
| node-nodeunit | Fix test flakiness |
| node-tar-fs | Fix path traversal issues [CVE-2024-12905 CVE-2025-48387] |
| node-tmp | Fix arbitrary file write issue [CVE-2025-54798] |
| nvda2speechd | Fix required rmp-serde version |
| openjpeg2 | Fix NULL pointer dereference issue [CVE-2025-50952] |
| openssh | Handle OpenSSL >=3 ABI compatibility to avoid new SSH connections failing during upgrades to trixie |
| openssl | New upstream stable release; revert some upstream changes to avoid crashes in downstream software |
| perl | Fix TLS certificate verification issue [CVE-2023-31484]; fix non thread safe file access [CVE-2025-40909] |
| postgresql-15 | New upstream stable release; tighten security checks in planner estimation functions [CVE-2025-8713]; prevent pg_dump scripts from being used to attack the user running the restore [CVE-2025-8714]; convert newlines to spaces in names included in comments in pg_dump output [CVE-2025-8715] |
| postgresql-common | PgCommon.pm: Set defined path in prepare_exec. Fixes compatibility with trixie's perl version |
| prody | Fix build failure; add tolerance to some tests which now fail on i386 |
| python-django | Fix regular expression-based denial of service issue [CVE-2023-36053], denial of service issues [CVE-2024-38875 CVE-2024-39614 CVE-2024-41990 CVE-2024-41991], user enumeration issue [CVE-2024-39329], directory traversal issue [CVE-2024-39330], excessive memory consumption issue [CVE-2024-41989], SQL injection issue [CVE-2024-42005] |
| python-flask-cors | Fix log data injection issue [CVE-2024-1681]; fix improper path processing issues [CVE-2024-6866 CVE-2024-6839 CVE-2024-6844] |
| python-mitogen | Support targets with Python >= 3.12 |
| python-zipp | Fix denial of service issue [CVE-2024-5569] |
| qemu | Rebuild against glibc 2.36-9+deb12u12; new upstream bugfix release |
| raptor2 | Fix integer underflow issue [CVE-2024-57823]; fix heap read buffer overflow issue [CVE-2024-57822] |
| rar | New upstream release; fix ANSI escape injection issue [CVE-2024-33899] |
| rubygems | Fix credential leak issue [CVE-2025-27221]; fix regular expression related denial of service issue [CVE-2023-28755] |
| rust-cbindgen-web | Rebuild against current rustc-web |
| rustc-web | New upstream stable release, to support building of newer Chromium versions |
| samba | Fix various bugs following a change to Microsoft Active Directory |
| sash | Rebuild against glibc 2.36-9+deb12u12 |
| setuptools | Fix arbitrary file write issue [CVE-2025-47273] |
| shaarli | Fix cross site scripting issue [CVE-2025-55291] |
| simplesamlphp | Fix signature verification issue [CVE-2025-27773] |
| snapd | Rebuild against glibc 2.36-9+deb12u12 |
| sqlite3 | Fix memory corruption issue [CVE-2025-6965]; fix bug in NOT NULL/IS NULL optimization that can cause invalid data |
| supermin | Rebuild against glibc 2.36-9+deb12u12 |
| systemd | New upstream stable release |
| tini | Rebuild against glibc 2.36-9+deb12u12 |
| tripwire | Rebuild against glibc 2.36-9+deb12u12 |
| tsocks | Rebuild against glibc 2.36-9+deb12u12 |
| tzdata | Confirm leap second status for 2025 |
| usb.ids | New upstream update |
| waitress | Fix race condition in HTTP pipelining [CVE-2024-49768]; fix denial of service issue [CVE-2024-49769] |
| webpy | Fix SQL injection issue [CVE-2025-3818] |
| wireless-regdb | New upstream release, updating included regulatory data; permit 320 MHz bandwidth in 6 GHz band for GB |
| wolfssl | Fix insufficient randomisation issue [CVE-2025-7394] |
| wpa | Fix inappropriate reuse of PKEX elements [CVE-2022-37660] |
| xfce4-weather-plugin | Migrate to new APIs; update translations |
| xrdp | Fix session restrictions bypass issue [CVE-2023-40184]; fix out-of-bounds read issue [CVE-2023-42822]; fix login restrictions bypass issue [CVE-2024-39917] |
| ydotool | Rebuild against glibc 2.36-9+deb12u12 |
| zsh | Rebuild against glibc 2.36-9+deb12u12 |
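As an added example, not taken from the Debian announcement: a small POSIX shell script that parses rows in the table's `| package | reason |` layout and emits one `package CVE-ID` line per identifier, which is the form a vulnerability tracker or patch report needs. The sample TABLE is constructed from four of the rows above; the function names are this example's own, and installed_cves assumes dpkg-query is available on the host.

```shell
#!/bin/sh
# Added example, not part of the Debian announcement: extract the CVE
# identifiers from the "Updated packages in detail" table so they can be
# handed to a vulnerability tracker, and optionally keep only the ones for
# packages installed on this host. Assumes POSIX sh, grep -E and sed;
# dpkg-query is used only by installed_cves.
set -eu

# Sample input, constructed from four rows of the announcement's table
# (header and separator included to show they are skipped).
TABLE='| Package | Reason |
|---|---|
| libxml2 | Fix integer overflow issue in xmlBuildQName [CVE-2025-6021]; fix potential buffer overflows in the interactive shell [CVE-2025-6170]; fix use-after-free issue in xmlSchematronReportOutput [CVE-2025-49794]; fix type confusion issue in xmlSchematronReportOutput [CVE-2025-49796] |
| openssl | New upstream stable release; revert some upstream changes to avoid crashes in downstream software |
| webpy | Fix SQL injection issue [CVE-2025-3818] |
| fort-validator | Fix denial of service issues [CVE-2024-45234 CVE-2024-45235 CVE-2024-45236 CVE-2024-45238 CVE-2024-45239 CVE-2024-48943]; fix buffer overflow issue [CVE-2024-45237] |'

# Print one "package CVE-ID" line per identifier found in a row, in the order
# the row lists them. Rows with no CVE (rebuilds, plain upstream bumps, the
# header) produce nothing, so the output is a clean feed for a tracker.
table_cves() {
    printf '%s\n' "$1" | while IFS= read -r row; do
        pkg=$(printf '%s' "$row" | sed -n 's/^| *\([^ |]*\) *|.*/\1/p')
        [ -n "$pkg" ] || continue
        printf '%s' "$row" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | while IFS= read -r cve; do
            printf '%s %s\n' "$pkg" "$cve"
        done
    done
}

# Number of CVEs the table closes; a quick sanity figure for a patch report.
cve_count() {
    table_cves "$1" | wc -l | tr -d ' '
}

# Keep only rows whose package is installed. The table uses source package
# names; most match the binary package (libxml2, openssl, ...), but some do
# not (the kernel is "linux" in the table and linux-image-* on the host), so
# treat a miss as "check manually", not as "not affected".
installed_cves() {
    table_cves "$1" | while read -r pkg cve; do
        if dpkg-query -W -f='${Status}\n' "$pkg" 2>/dev/null | grep -q 'install ok installed'; then
            printf '%s %s\n' "$pkg" "$cve"
        fi
    done
}

if [ "${1:-}" = "--installed" ]; then
    installed_cves "$TABLE"
else
    table_cves "$TABLE"
fi
```

Run without arguments to list every CVE in the sample table, or with `--installed` on a Debian host to keep only those for packages dpkg reports as installed. The caveat in the comments matters in practice: the table lists source package names, so a package that dpkg-query does not find may still be present under a different binary name (linux-image-*, linux-signed-*), and a miss should prompt a manual check rather than be read as "not affected".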
This update also incorporates the latest security updates issued for the oldstable release.
The following package has been removed:
| Package | Reason |
|---|---|
| guix | Unsupportable; security issues |
Debian Installer Updates
The Debian Installer has been updated to include the fixes from this specific point release. This ensures that new installations of Debian 12.12 will include the latest security updates and bug fixes.
Download
A comprehensive list of mirrors is available at: https://www.debian.org/mirror/list.
Conclusion
The Debian 12.12 update addresses numerous security issues and bugs, improving the stability and security of the system. The removal of an unsupportable package and the incorporation of the fixes into the Debian Installer further contribute to a more secure and reliable experience for users.
