Debian 12.14 Update Fixes Critical CVEs in glibc and OpenSSH
Debian 12.14 has arrived as the fourteenth point release for the oldstable Bookworm distribution, bringing a heavy load of security patches and bugfixes to core system components. The update addresses vulnerabilities in glibc, OpenSSH, apache2, and numerous other packages, several of which could allow remote code execution or privilege escalation. Skipping this release leaves systems exposed to publicly known vulnerabilities, so applying it should be the top priority for anyone running Debian 12. Administrators who ignore point releases for months often end up with broken package states and difficult upgrade paths later; Debian 12.14 prevents that drift by bundling dozens of fixes into a single update cycle that keeps the oldstable branch secure and stable.
What Debian 12.14 Actually Fixes
The release notes highlight serious issues in foundational libraries and services that demand attention. glibc receives patches for an integer overflow and for uninitialised memory use that could crash applications or leak sensitive data to unauthorised processes. OpenSSH is patched against possible code execution issues, which matters because ssh is the primary remote-management entry point on almost every server. apache2 also sees multiple corrections, including a privilege escalation and an authentication bypass, that could compromise web servers handling user traffic. The 7zip package gets a new upstream release that fixes an integer underflow and several code execution issues triggered by processing malicious archives. These are not minor tweaks; they are essential hardening measures that close doors attackers love to use.
How to Apply the Debian 12.14 Update
Applying the update needs nothing more than the package manager and an already configured Debian mirror. Open a terminal and run `sudo apt update` followed by `sudo apt full-upgrade`. `full-upgrade` rather than plain `upgrade` is necessary here because it is allowed to remove obsolete packages and install new dependencies, which avoids the held-back or broken states that a standard `upgrade` leaves behind when package relationships shift. After the installation completes, reboot so that the new kernel is booted and every process is running against the updated glibc. New installation images will be available soon for fresh installs, but existing systems do not need to be reinstalled to get these fixes. Running the update now is far cheaper than dealing with a compromised system later.
Removed Packages and Backports
Two packages have been dropped from the main repository because maintenance problems or security concerns make them unsupportable in this release. Suricata is no longer maintained in the main archive, so users who need intrusion detection should switch to the backports version now rather than wait for a fix that will never arrive. zuluCrypt was removed because it is unmaintained and has known security problems that cannot be addressed within the current framework. Relying on these tools after this update means running unpatched vulnerabilities, so migration plans should be put in place right away. The Debian project has made it clear that unsupported software does not belong in the stable distribution, and removing these packages protects users from false confidence in their security posture.
Security Advisories and Kernel Updates
The Debian security team has published dozens of advisories, ranging from DSA-6003 to DSA-6265, covering Firefox ESR, Chromium, GIMP, VLC, and the Linux kernel itself. Kernel updates are included for amd64, arm64, and i386 to address vulnerabilities that could allow local privilege escalation or denial of service. After rebooting, administrators should verify the running kernel version to confirm that the update actually took effect. The complete list of changes is available in the Debian changelog for those who need to audit specific package versions before deploying to production servers. Tracking these advisories ensures that no critical patch slips through the cracks during routine maintenance windows.
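As an added example (not a script from the Debian release notes or the Debian project), the shell script below wraps the two `apt` commands from the update section above together with the post-reboot kernel check just described. It assumes Debian's `linux-image-<ABI>-<flavour>` package naming (for example `6.1.0-47-amd64`) and a working `dpkg-query`.

```shell
#!/bin/sh
# Added example, not part of the Debian 12.14 release notes: apply the point
# release with the commands the notes recommend, then confirm after the reboot
# that the kernel actually running is the newest linux-image package installed.
# Assumes Debian's linux-image-<ABI>-<flavour> package naming, e.g. 6.1.0-47-amd64.
set -eu

# Print the ABI string of the newest versioned linux-image package in a
# newline-separated list of installed package names; metapackages such as
# linux-image-amd64 carry no version and are ignored.
newest_installed_abi() {
    printf '%s\n' "$1" \
        | sed -n 's/^linux-image-\([0-9][0-9A-Za-z.+~-]*\)$/\1/p' \
        | sort -V | tail -n 1
}

# Succeed when the running kernel release ($1) equals the newest installed ABI
# taken from the package list ($2); a mismatch means the reboot has not yet
# picked up the updated kernel (or the upgrade did not install one).
kernel_matches() {
    [ "$(newest_installed_abi "$2")" = "$1" ]
}

# Read installed linux-image packages from dpkg's database, keeping only those
# in state "install ok installed" so removed-but-unpurged kernels are skipped.
installed_kernel_packages() {
    dpkg-query -W -f='${Status} ${Package}\n' 'linux-image-*' 2>/dev/null \
        | sed -n 's/^install ok installed //p'
}

case "${1-}" in
    apply)
        # The two commands the release notes call for; full-upgrade lets apt
        # install new dependencies or remove obsolete packages as needed.
        sudo apt update
        sudo apt full-upgrade
        echo "Upgrade finished; reboot, then run: $0 check"
        ;;
    check)
        running="$(uname -r)"
        installed="$(installed_kernel_packages)"
        newest="$(newest_installed_abi "$installed")"
        if kernel_matches "$running" "$installed"; then
            echo "OK: running kernel $running is the newest installed ($newest)"
        else
            echo "WARNING: running $running, newest installed is $newest; reboot needed" >&2
            exit 1
        fi
        ;;
    *)
        echo "usage: $0 apply|check" >&2
        ;;
esac
```

Saved as, say, `point-release.sh`, run `sh point-release.sh apply`, reboot, then `sh point-release.sh check`; the check exits non-zero when the running kernel is older than the newest one installed.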
Miscellaneous Bugfixes
This oldstable update adds a few important corrections to the following packages:
| Package | Reason |
|---|---|
| 7zip | New upstream stable release; fix integer underflow issue [CVE-2023-31102]; fix code execution issues [CVE-2023-40481 CVE-2025-11001 CVE-2025-11002]; fix denial of service issue [CVE-2024-11612]; fix null pointer dereference issue [CVE-2025-53817]; fix handling of symbolic links [CVE-2025-55188] |
| apache2 | New upstream release: fix http2 regression; fix use-after-free issue [CVE-2026-23918]; fix privilege escalation issue [CVE-2026-24072]; fix NULL pointer dereference issues [CVE-2026-29169 CVE-2026-33007]; fix authentication bypass issue [CVE-2026-33006]; fix HTTP response splitting issue [CVE-2026-33523]; fix out-of-bounds read issues [CVE-2026-33857 CVE-2026-34032]; fix buffer over-read issue [CVE-2026-34059] |
| arduino-core-avr | New upstream stable release; fix buffer overflow issue [CVE-2025-69209] |
| augeas | Fix NULL pointer dereference issue [CVE-2025-2588] |
| awstats | Prevent command injection [CVE-2025-63261] |
| base-files | Update for the point release |
| bash | Rebuild with updated glibc |
| busybox | Fix stack overflow [CVE-2022-48174] and use-after-free [CVE-2023-42363 CVE-2023-42364 CVE-2023-42365] errors |
| c3p0 | Fix recursive entity expansion issue [CVE-2019-5427] |
| calibre | Fix path traversal issues [CVE-2026-25635 CVE-2026-25636 CVE-2026-26064 CVE-2026-26065]; fix code execution issue [CVE-2026-25731]; fix HTTP response header injection issue [CVE-2026-27810]; fix IP ban bypass issue [CVE-2026-27824] |
| cdebootstrap | Rebuild with updated glibc |
| chkrootkit | Rebuild with updated glibc |
| chrony | Open the PHC reference clock with the O_RDWR flag when enabling the extpps option |
| composer | Fix code execution issue [CVE-2023-43655]; fix command injection issues [CVE-2026-40261 CVE-2026-40176] |
| containerd | Fix CRI Attach implementation [CVE-2025-64329]; fix overly broad directory permissions [CVE-2024-25621]; fix large UID:GID (> 32bit) overflow [CVE-2024-40635] |
| dar | Rebuild with updated glibc |
| debian-installer | Bump linux ABI to 6.1.0-47 |
| debian-installer-netboot-images | Rebuild against oldstable-proposed-updates |
| debsig-verify | Rebuild with updated dpkg |
| deets | Rebuild with updated dpkg |
| distro-info-data | Add Ubuntu 26.10 Stonking Stingray |
| docker.io | Rebuild with updated containerd, glibc |
| dovecot | Correct incomplete backport of CVE-2026-27855 fix; fix memory leak in CVE-2026-27857 fix |
| dpkg | New upstream stable release; fix insufficient permissions check leading to possible denial of service issue [CVE-2025-6297]; fix denial of service issue [CVE-2026-2219]; fix buffer over-read issue; fix uninitialized variable warning with Rules-Requires-Root; fix segmentation fault in dpkg-trigger; translation fixes |
| erlang | Fix denial of service issues [CVE-2025-48038 CVE-2025-48039 CVE-2025-48040 CVE-2025-48041]; fix HTTP request smuggling issue [CVE-2026-23941]; fix path traversal issues [CVE-2026-23942 CVE-2026-21620]; fix compression bomb issue [CVE-2026-23943] |
| exim4 | Fix GnuTLS hostname verify of a server certificate with a zero-length Subject; fix denial of service issue [CVE-2026-40684]; fix out-of-bounds read/write issues [CVE-2026-40685 CVE-2026-40686 CVE-2026-40687] |
| fonttools | Fix XML External Entity injection issue [CVE-2023-45139]; fix code execution issue [CVE-2025-66034] |
| glance | Fix server-side request forgery issue [CVE-2026-34881]; fix build failure |
| glib2.0 | Fix timezone handling with Debian & Ubuntu's symlinks; fix missing input validation in g_buffered_input_stream_peek [CVE-2026-0988]; fix integer overflow in base64 encoding [CVE-2026-1484]; fix buffer underflow issue in content type parsing [CVE-2026-1485]; fix integer overflow in unicode conversion [CVE-2026-1489] |
| glibc | Fix integer overflow issue [CVE-2026-0861]; fix uninitialised memory use issue [CVE-2025-15281]; fix incorrect handling of DNS responses [CVE-2026-4437]; fix return of invalid DNS hostnames [CVE-2026-4438]; fix assertion failure [CVE-2026-4046]; fix performance bottleneck with ASAN on 32-bit arm; fix incorrect backtrace unwinding; fix typo in wmemset ifunc selector that caused AVX2/AVX512 paths to be skipped; fix POWER optimized rawmemchr function; fix stack content leak issue [CVE-2026-0915] |
| gnuais | Fix displaying map in gnuaisgui |
| golang-github-containerd-stargz-snapshotter | Rebuild with updated containerd |
| golang-github-containers-buildah | Rebuild with updated containerd |
| golang-github-openshift-imagebuilder | Rebuild with updated containerd |
| gpsd | Fix out-of-bounds write issue [CVE-2025-67268]; fix integer underflow issue [CVE-2025-67269] |
| grub-efi-amd64-signed | Remove NTFS and jfs from monolithic EFI image; update SBAT levels; set Protected: yes for -signed packages so they cannot easily be removed; backport upstream regression fixes; fix video/readers/jpeg: Do not permit duplicate SOF0 markers in JPEG [CVE-2024-45774]; fix commands/extcmd: Missing check for failed allocation [CVE-2024-45775]; fix commands/dump: The dump command is not in lockdown when secure boot is enabled [CVE-2025-1118]; fix integer overflow issues [CVE-2024-45776 CVE-2024-45777 CVE-2024-45778 CVE-2024-45779 CVE-2024-45780 CVE-2025-0677 CVE-2025-0678 CVE-2025-0684 CVE-2025-0685 CVE-2025-0690 CVE-2025-1125]; fix out-of-bounds write issues [CVE-2024-45781 CVE-2024-45782 CVE-2025-0624]; fix use-after-free issues [CVE-2024-45783 CVE-2025-0622]; fix buffer overflow issue [CVE-2025-0689] |
| grub-efi-arm64-signed | Remove NTFS and jfs from monolithic EFI image; update SBAT levels; set Protected: yes for -signed packages so they cannot easily be removed; backport upstream regression fixes; fix video/readers/jpeg: Do not permit duplicate SOF0 markers in JPEG [CVE-2024-45774]; fix commands/extcmd: Missing check for failed allocation [CVE-2024-45775]; fix commands/dump: The dump command is not in lockdown when secure boot is enabled [CVE-2025-1118]; fix integer overflow issues [CVE-2024-45776 CVE-2024-45777 CVE-2024-45778 CVE-2024-45779 CVE-2024-45780 CVE-2025-0677 CVE-2025-0678 CVE-2025-0684 CVE-2025-0685 CVE-2025-0690 CVE-2025-1125]; fix out-of-bounds write issues [CVE-2024-45781 CVE-2024-45782 CVE-2025-0624]; fix use-after-free issues [CVE-2024-45783 CVE-2025-0622]; fix buffer overflow issue [CVE-2025-0689] |
| grub-efi-ia32-signed | Remove NTFS and jfs from monolithic EFI image; update SBAT levels; set Protected: yes for -signed packages so they cannot easily be removed; backport upstream regression fixes; fix video/readers/jpeg: Do not permit duplicate SOF0 markers in JPEG [CVE-2024-45774]; fix commands/extcmd: Missing check for failed allocation [CVE-2024-45775]; fix commands/dump: The dump command is not in lockdown when secure boot is enabled [CVE-2025-1118]; fix integer overflow issues [CVE-2024-45776 CVE-2024-45777 CVE-2024-45778 CVE-2024-45779 CVE-2024-45780 CVE-2025-0677 CVE-2025-0678 CVE-2025-0684 CVE-2025-0685 CVE-2025-0690 CVE-2025-1125]; fix out-of-bounds write issues [CVE-2024-45781 CVE-2024-45782 CVE-2025-0624]; fix use-after-free issues [CVE-2024-45783 CVE-2025-0622]; fix buffer overflow issue [CVE-2025-0689] |
| grub2 | Remove NTFS and jfs from monolithic EFI image; update SBAT levels; set Protected: yes for -signed packages so they cannot easily be removed; backport upstream regression fixes; fix video/readers/jpeg: Do not permit duplicate SOF0 markers in JPEG [CVE-2024-45774]; fix commands/extcmd: Missing check for failed allocation [CVE-2024-45775]; fix commands/dump: The dump command is not in lockdown when secure boot is enabled [CVE-2025-1118]; fix integer overflow issues [CVE-2024-45776 CVE-2024-45777 CVE-2024-45778 CVE-2024-45779 CVE-2024-45780 CVE-2025-0677 CVE-2025-0678 CVE-2025-0684 CVE-2025-0685 CVE-2025-0690 CVE-2025-1125]; fix out-of-bounds write issues [CVE-2024-45781 CVE-2024-45782 CVE-2025-0624]; fix use-after-free issues [CVE-2024-45783 CVE-2025-0622]; fix buffer overflow issue [CVE-2025-0689] |
| gvfs | Use control connection address for PASV data [CVE-2026-28295]; reject paths containing CR/LF characters [CVE-2026-28296] |
| kissfft | Fix integer overflow issues [CVE-2025-34297 CVE-2026-41445] |
| kpackage | Skip unreliable build-time test |
| lemonldap-ng | Update documentation to avoid using unsecured Nginx variable |
| libarchive | Fix out-of-bounds read issues [CVE-2025-5918 CVE-2026-4424]; fix denial of service issues [CVE-2026-4111 CVE-2026-4426]; fix possible code execution issue [CVE-2026-5121] |
| libcap2 | Fix time of check / time of use issue [CVE-2026-4878]; rebuild with updated glibc |
| libexif | Fix integer underflow issues [CVE-2026-40386 CVE-2026-32775]; fix integer overflow issue [CVE-2026-40385] |
| libnet-cidr-lite-perl | Fix ACL bypass issues [CVE-2026-40198 CVE-2026-40199] |
| libpng1.6 | Fix heap buffer overflow issues [CVE-2026-22801 CVE-2026-22695] |
| libpod | Rebuild with updated containerd |
| libreoffice | Fix incomplete fix for CVE-2024-12426 |
| libreoffice-texmaths | Add dependency on dvipng/dvisvgm |
| libuev | Fix buffer overrun issue [CVE-2022-48620] |
| libvncserver | Fix out-of-bounds read issue [CVE-2026-32853]; fix null pointer dereference issue [CVE-2026-32854] |
| libxml-security-java | Fix private key disclosure issue [CVE-2023-44483] |
| libxslt | Fix deterministic generate-id() regression causing build failures in other packages |
| lxc | Fix authorisation bypass issue [CVE-2026-39402] |
| mapserver | Fix SQL injection issue [CVE-2025-59431]; fix buffer overflow issue [CVE-2026-33721]; fix heap-buffer-overflow and double-free issues in maplexer |
| modsecurity-crs | Fix rule bypass issue [CVE-2023-38199]; fix file extension blocking bypass issue [CVE-2026-33691] |
| mongo-c-driver | Fix insufficient validation issues [CVE-2025-14911 CVE-2026-6231]; fix denial of service issue [CVE-2026-4359]; fix buffer overflow issue [CVE-2026-6691]; improve handling of corrupt GridFS files |
| nginx | Fix buffer overflow issues [CVE-2026-27654 CVE-2026-27784 CVE-2026-32647]; fix session authentication issues [CVE-2026-27651 CVE-2026-28753]; fix OCSP result bypass issue [CVE-2026-28755]; use $host instead of $http_host |
| openssh | Fix possible code execution issues [CVE-2025-61984 CVE-2025-61985]; ensure scp does not unexpectedly make transferred files setuid or setgid [CVE-2026-35385]; fix command execution issue [CVE-2026-35386]; fix incomplete application of PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard to ECDSA keys [CVE-2026-35387]; use connection multiplexing confirmation for proxy-mode multiplexing sessions [CVE-2026-35388]; fix handling of the authorized_keys principals option [CVE-2026-35414]; validate user and host names for ProxyJump/-J options passed via the command line |
| openssl | New upstream stable release |
| p7zip | Rebase onto newer 7zip version; fix integer underflow issue [CVE-2023-31102]; fix code execution issues [CVE-2023-40481 CVE-2025-11001 CVE-2025-11002]; fix denial of service issue [CVE-2024-11612]; fix null pointer dereference issue [CVE-2025-53817]; fix handling of symbolic links [CVE-2025-55188]; fix buffer overflow issue [CVE-2023-52168]; fix out-of-bounds read issues [CVE-2023-52169 CVE-2022-47069] |
| p7zip-rar | Rebase onto newer 7zip version; fix denial of service issue [CVE-2025-53816] |
| php-dompdf | Fix denial of service issue [CVE-2023-50262] |
| php-league-commonmark | Fix cross site scripting issue [CVE-2025-46734]; fix validation bypass issues [CVE-2026-30838 CVE-2026-33347] |
| php-phpseclib | Fix denial of service issue [CVE-2024-27355]; fix variable time comparison issue [CVE-2026-40194] |
| php-phpseclib3 | Fix denial of service issue [CVE-2024-27355]; fix variable time comparison issue [CVE-2026-40194] |
| phpseclib | Fix denial of service issue [CVE-2024-27355]; fix variable time comparison issue [CVE-2026-40194] |
| plastimatch | Remove non-free files |
| postgresql-15 | New upstream stable release; fix buffer overrun issue [CVE-2026-2006] |
| proftpd-dfsg | Fix denial of service issue [CVE-2024-57392]; fix SQL injection issue [CVE-2026-42167]; fix mod_radius: Message-Authenticator check always fails |
| pymupdf | Rebuild with updated mupdf |
| python-authlib | Fix algorithm confusion issue [CVE-2024-37568]; fix cross-site request forgery issue [CVE-2025-68158]; fix denial of service issues [CVE-2025-62706 CVE-2025-61920]; fix policy bypass issue [CVE-2025-59420] |
| python-django | Fix regular expression-based denial of service issue [CVE-2023-36053], denial of service issues [CVE-2024-38875 CVE-2024-39614 CVE-2024-41990 CVE-2024-41991], user enumeration issue [CVE-2024-39329], directory traversal issue [CVE-2024-39330], excessive memory consumption issue [CVE-2024-41989], SQL injection issue [CVE-2024-42005] |
| python-ldap | Fix insufficient escaping issue [CVE-2025-61911]; fix denial of service issue [CVE-2025-61912] |
| python3.11 | Fix header injection issues [CVE-2025-11468 CVE-2025-15282 CVE-2026-0672 CVE-2026-0865 CVE-2026-1299]; fix denial of service issues [CVE-2025-12084 CVE-2025-13836 CVE-2025-13837 CVE-2025-6069 CVE-2025-6075 CVE-2025-8194]; fix insufficient validation in zipFile [CVE-2025-8291]; fix use-after-free issue [CVE-2025-4516] |
| qemu | Rebuild with updated glibc, glib2.0, gnutls28 |
| request-tracker5 | Fix builds of CKEditor when firefox is >= 148 |
| sash | Rebuild with updated glibc |
| sed | Fix time of check / time of use issue [CVE-2026-5958] |
| sioyek | Rebuild with updated mupdf |
| skeema | Rebuild with updated containerd |
| snapd | Rebuild with updated libcap2 |
| sudo | Fix exec_mailer permissions checks [CVE-2026-35535] |
| supermin | Rebuild with updated glibc |
| swupdate | Fix denial of service issue [CVE-2026-28525] |
| systemd | Fix assert and freeze [CVE-2026-29111]; fix code execution issues [CVE-2026-40225 CVE-2026-4105]; fix nspawn escape-to-host issue [CVE-2026-40226] |
| taglib | Fix segmentation violation issue [CVE-2023-47466] |
| tpm2-pkcs11 | Fix NULL pointer dereference during database migration |
| tripwire | Rebuild with updated glibc |
| tzdata | New upstream release; update data for British Columbia |
| user-mode-linux | Rebuild with updated linux |
| vips | Fix buffer overflow issues [CVE-2026-2913 CVE-2026-3147 CVE-2026-3281]; fix memory corruption issue [CVE-2026-3145]; fix null pointer dereference issue [CVE-2026-3146]; fix out of bound read issues [CVE-2026-3282 CVE-2026-3283]; fix integer overflow issue [CVE-2026-3284] |
| wireless-regdb | New upstream stable release; update regulatory information for several countries |
| wireshark | Fix denial of service issues [CVE-2024-11596 CVE-2024-9781 CVE-2025-11626 CVE-2025-13499 CVE-2025-13945 CVE-2025-13946 CVE-2025-1492 CVE-2025-5601 CVE-2025-9817 CVE-2026-0960] |
| xorg-server | Fix buffer re-use issue [CVE-2026-33999]; fix / improve bounds checking [CVE-2026-34000 CVE-2026-34003]; fix use after free issue [CVE-2026-34001]; fix out-of-bounds read issue [CVE-2026-34002] |
| zsh | Rebuild with updated libcap2, glibc |
| zvbi | Fix uninitialised pointer issue [CVE-2025-2173]; fix integer overflow issues [CVE-2025-2174 CVE-2025-2175 CVE-2025-2176 CVE-2025-2177] |
Security Updates
This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
| Package | Reason |
|---|---|
| suricata | Unsupportable; possible security issues; maintained via backports |
| zulucrypt | Security issues; unmaintained |
Keep systems patched and happy.
