Debian 9891 Published by

After the third update was skipped due to a corruption issue with the included Linux kernel, the Debian project has released the fourth update for Debian GNU/Linux 12 Bookworm.

Updated Debian 12: 12.4 released

Please be advised that this document has been updated as best to reflect Debian 12.3 being superseded by Debian 12.4. These changes came about from a last minute bug advisory of  #1057843 concerning issues with kernel-image-6.1.0-14 (6.1.64-1).

Debian 12.4 is released with kernel-image-6.1.0-15 (6.1.66), along with a few other bug fixes

The Debian project is pleased to announce the forth update of its stable distribution Debian 12 (codename bookworm). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 12 but only updates some of the packages included. There is no need to throw away old bookworm media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

adequateSkip symbol-size-mismatch test on architectures where array symbols don't include a specific length; disable deprecation warnings about smartmatch, given, when in Perl 5.38; fix warnings from version comparison about smartmatch being experimental
amandaFix local privilege escalation [CVE-2023-30577]
arctica-greeterMove logo away from border when greeting
awstatsAvoid prompts on upgrade due to logrotate configuration cleanup
axisFilter out unsupported protocols in the client class ServiceFactory [CVE-2023-40743]
base-filesUpdate for the 12.4 point release
ca-certificates-javaRemove circular dependencies
calibreFix crash in Get Books when regenerating UIC files
crunFix containers with systemd as their init system, when using newer kernel versions
cupsTake into account that on some printers the ColorModel option's choice for color printing is CMYK and not RGB
dav4tbsyncNew upstream version, restoring compatibility with newer Thunderbird versions
debian-edu-artworkProvide an Emerald theme based artwork for Debian Edu 12
debian-edu-configNew upstream stable version; fix setting and changing of LDAP passwords
debian-edu-docUpdate included documentation and translations
debian-edu-faiNew upstream stable version
debian-edu-routerFix dnsmasq conf generation for networks over VLAN; only generate UIF filter rules for SSH if 'Uplink' interface is defined; update translations
debian-installerIncrease Linux kernel ABI to 6.1.0-15; rebuild against proposed-updates
debian-installer-netboot-imagesRebuild against proposed-updates
debootstrapBackport merged-/usr support changes from trixie: implement merged-/usr by post-merging, default to merged-/usr for suites newer than bookworm in all profiles
devscriptsDebchange: Update to current Debian distributions
dhcpcd5Change Breaks/Replaces dhcpcd5 to Conflicts
di-netboot-assistantFix support for bookworm live ISO image
distro-infoUpdate tests for distro-info-data 0.58+deb12u1, which adjusted Debian 7's EoL date
distro-info-dataAdd Ubuntu 24.04 LTS Noble Numbat; fix several End Of Life dates
eas4tbsyncNew upstream version, restoring compatibility with newer Thunderbird versions
exfatprogsFix out-of-bounds memory access issues [CVE-2023-45897]
exim4Fix security issues relating to the proxy protocol [CVE-2023-42117] and DNSDB lookups [CVE-2023-42119]; add hardening for SPF lookups; disallow UTF-16 surrogates from ${utf8clean:...}; fix crash with tls_dhparam = none; fix $recipients expansion when used within ${run...}; fix expiry date of auto-generated SSL certificates; fix crash induced by some combinations of zero-length strings and ${tr...}
fonts-noto-color-emojiAdd support for Unicode 15.1
gimpAdd Conflicts and Replaces: gimp-dds to remove old versions of this plugin shipped by gimp itself since 2.10.10
gnome-charactersAdd support for Unicode 15.1
gnome-sessionOpen text files in gnome-text-editor if gedit is not installed
gnome-shellNew upstream stable release; allow notifications to be dismissed with backspace key in addition to the delete key; fix duplicate devices shown when reconnecting to PulseAudio; fix possible use-after-free crashes on PulseAudio/Pipewire restart; avoid sliders in quick settings (volume, etc.) being reported to accessibility tools as their own parent object; align scrolled viewports to the pixel grid to avoid jitter visible during scrolling
gnutls28Fix timing sidechannel issue [CVE-2023-5981]
gosaNew upstream stable release
gosa-plugins-sudoFix uninitialised variable
hash-slingerFix generation of TLSA records
intel-graphics-compilerFix compatibility with stable's intel-vc-intrinsics version
iotop-cFix the logic in only option; fix busy loop when ESC is pressed; fix ASCII graph rendering
jdupesUpdate prompts to help avoid choices that could lead to unexpected data loss
lastpass-cliNew upstream stable release; update certificate hashes; add support for reading encrypted URLs
libapache2-mod-pythonEnsure binNMU versions are PEP-440-compliant
libde265Fix segmentation violation issue [CVE-2023-27102], buffer overflow issues [CVE-2023-27103 CVE-2023-47471], buffer over-read issue [CVE-2023-43887]
libervia-backendFix start failure without pre-existing configuration; make exec path absolute in dbus service file; fix dependencies on python3-txdbus/python3-dbus
libmateweatherLocations: add San Miguel de Tucuman (Argentina); update forecast zones for Chicago; update data server URL; fix some location names
libsolvEnable support for zstd compression
linuxUpdate to upstream stable release 6.1.64; update ABI to 14; [rt] Update to 6.1.59-rt16; enable X86_PLATFORM_DRIVERS_HP; nvmet: nul-terminate the NQNs passed in the connect command [CVE-2023-6121]
linux-signed-amd64Update to upstream stable release 6.1.64; update ABI to 14; [rt] Update to 6.1.59-rt16; enable X86_PLATFORM_DRIVERS_HP; nvmet: nul-terminate the NQNs passed in the connect command [CVE-2023-6121]
linux-signed-arm64Update to upstream stable release 6.1.64; update ABI to 14; [rt] Update to 6.1.59-rt16; enable X86_PLATFORM_DRIVERS_HP; nvmet: nul-terminate the NQNs passed in the connect command [CVE-2023-6121]
linux-signed-i386Update to upstream stable release 6.1.64; update ABI to 14; [rt] Update to 6.1.59-rt16; enable X86_PLATFORM_DRIVERS_HP; nvmet: nul-terminate the NQNs passed in the connect command [CVE-2023-6121]
llvm-toolchain-16New backported package to support builds of newer chromium versions
lxcFix creating of ephemeral copies
mda-lv2Fix LV2 plugin installation location
midgeRemove non-free example files
minizipFix integer and heap overflow issues [CVE-2023-45853]
mrtgHandle relocated configuration file; translation updates
mutterNew upstream stable release; fix the ability to drag libdecor windows by their title bar on touchscreens; fix flickering and rendering artifacts when using software rendering; improve GNOME Shell app grid performance by avoiding repainting monitors other than the one it is displayed on
nagios-plugins-contribFix on-disk kernel version detection
network-manager-openconnectAdd User Agent to Openconnect VPN for NetworkManager
node-undiciDelete cookie and host headers on cross-origin redirect [CVE-2023-45143]
nvidia-graphics-driversNew upstream release; fix null pointer dereference issue [CVE-2023-31022]
nvidia-graphics-drivers-teslaNew upstream release; fix null pointer dereference issue [CVE-2023-31022]
nvidia-graphics-drivers-tesla-470New upstream release; fix null pointer dereference issue [CVE-2023-31022]
nvidia-open-gpu-kernel-modulesNew upstream release; fix null pointer dereference issue [CVE-2023-31022]
opendkimFix removal of incoming Authentication-Results: headers [CVE-2022-48521]
openrefineFix remote code execution vulnerability [CVE-2023-41887 CVE-2023-41886]
openscFix out-of-bounds read issue [CVE-2023-4535], potential PIN bypass [CVE-2023-40660], memory-handling issues [CVE-2023-40661]
oscryptoFix OpenSSL version parsing; fix autopkgtest
pcsFix resource move
perlFix buffer overrun issue [CVE-2023-47038]
php-phpseclib3Fix denial of service issue [CVE-2023-49316]
postgresql-15New upstream stable release; fix SQL injection issue [CVE-2023-39417]; fix MERGE to enforce row security policies properly [CVE-2023-39418]
proftpd-dfsgFix size of SSH key exchange buffers
python-cogentOnly skip tests that require multiple CPUs when running on a single CPU system
python3-onelogin-saml2Fix expired test payloads
pyzoltanSupport building on single core systems
qbittorrentDisable UPnP for web UI by default in qbittorrent-nox
qemuUpdate to upstream stable release 7.2.7; hw/scsi/scsi-disk: Disallow block sizes smaller than 512 [CVE-2023-42467]
qpdfFix data loss issue with some quoted octal strings
redisDrop ProcSubset=pid hardening flag from the systemd unit due to it causing crashes
rust-sdEnsure binary package versions sorts correctly relative to older releases (where it was built from a different source package)
sitesummaryUse systemd timer for running sitesummary-client if available
speech-dispatcher-contribEnable voxin on armhf and arm64
spyderFix interface language auto-configuration
symfonyFix session fixation issue [CVE-2023-46733]; add missing escaping [CVE-2023-46734]
systemdNew upstream stable release
tbsyncNew upstream version, restoring compatibility with newer Thunderbird versions
toilOnly request a single core for tests
tzdataUpdate leap second list
unadfFix buffer overflow issue [CVE-2016-1243]; fix code execution issue [CVE-2016-1244]
vipsFix null pointer dereference issue [CVE-2023-40032]
weborfFix denial of service issue
wormhole-williamDisable flaky tests, fixing build failures
xenNew upstream stable update; fix several security issues [CVE-2022-40982 CVE-2023-20569 CVE-2023-20588 CVE-2023-20593 CVE-2023-34320 CVE-2023-34321 CVE-2023-34322 CVE-2023-34323 CVE-2023-34325 CVE-2023-34326 CVE-2023-34327 CVE-2023-34328 CVE-2023-46835 CVE-2023-46836]
yuzuStrip :native from glslang-tools build dependency, fixing build failure

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory IDPackage
DSA-5499 chromium
DSA-5506 firefox-esr
DSA-5508 chromium
DSA-5511 mosquitto
DSA-5512 exim4
DSA-5513 thunderbird
DSA-5514 glibc
DSA-5515 chromium
DSA-5516 libxpm
DSA-5517 libx11
DSA-5518 libvpx
DSA-5519 grub-efi-amd64-signed
DSA-5519 grub-efi-arm64-signed
DSA-5519 grub-efi-ia32-signed
DSA-5519 grub2
DSA-5520 mediawiki
DSA-5521 tomcat10
DSA-5523 curl
DSA-5524 libcue
DSA-5525 samba
DSA-5526 chromium
DSA-5527 webkit2gtk
DSA-5528 node-babel7
DSA-5529 slurm-wlm-contrib
DSA-5529 slurm-wlm
DSA-5531 roundcube
DSA-5532 openssl
DSA-5533 gst-plugins-bad1.0
DSA-5534 xorg-server
DSA-5535 firefox-esr
DSA-5536 chromium
DSA-5538 thunderbird
DSA-5539 node-browserify-sign
DSA-5540 jetty9
DSA-5541 request-tracker5
DSA-5542 request-tracker4
DSA-5543 open-vm-tools
DSA-5544 zookeeper
DSA-5545 vlc
DSA-5546 chromium
DSA-5547 pmix
DSA-5548 jtreg6
DSA-5548 openjdk-17
DSA-5549 trafficserver
DSA-5550 cacti
DSA-5551 chromium
DSA-5552 ffmpeg
DSA-5553 postgresql-15
DSA-5555 openvpn
DSA-5556 chromium
DSA-5557 webkit2gtk
DSA-5558 netty
DSA-5559 wireshark
DSA-5560 strongswan
DSA-5561 firefox-esr
DSA-5562 tor
DSA-5563 intel-microcode
DSA-5564 gimp
DSA-5565 gst-plugins-bad1.0
DSA-5566 thunderbird
DSA-5567 tiff
DSA-5568 fastdds
DSA-5569 chromium
DSA-5570 nghttp2
DSA-5571 rabbitmq-server

Removed packages

The following packages were removed due to circumstances beyond our control:

gimp-ddsNo longer required; integrated into GIMP

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.


The complete lists of packages that have changed with this revision:

The current stable distribution:

Proposed updates to the stable distribution:

stable distribution information (release notes, errata etc.):

Security announcements and information: