Debian 13 Trixie has released its first point update, focusing on addressing security issues and resolving critical problems. The update includes various bug fixes and security updates for packages such as imagemagick, libcoap3, and postgresql-17, among others. Existing installations can be upgraded by pointing the package management system at one of Debian's many HTTP mirrors, while new installation images will soon be available at regular locations.
Debian GNU/Linux 13.1 released: The first Point Release of Trixie
The Debian project released the first update to its stable distribution, Debian 13 (codename Trixie). This point release primarily focuses on addressing security issues and resolving critical problems. It is essential to note that this point release does not represent a new version of Debian 13 but rather an update to some of the included packages.
Update Procedure
Existing installations can be upgraded by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available on the official Debian website: https://www.debian.org/mirror/list
New installation images will soon be available at the regular locations.
Important Bug Fixes and Security Updates
The stable update includes several crucial corrections to various packages, including:
- auto-apt-proxy: Checks explicitly configured proxies before network gateway.
- firebird3.0: Fixes null pointer dereference in XDR message parsing (CVE-2025-54989).
- imagemagick: Security fixes for heap buffer overflow, infinite loop, memory leak, and stack overflow issues (CVE-2025-53014, CVE-2025-53015, CVE-2025-53019, CVE-2025-53101, CVE-2025-43965, and CVE-2025-46393).
- libcoap3: Fixes buffer overflow and integer overflow issues (CVE-2024-0962 and CVE-2024-31031).
- postgresql-17: Tightens security checks in planner estimation functions and prevents pg_dump scripts from being used to attack the user running the restore (CVE-2025-8713, CVE-2025-8714, and CVE-2025-8715).
Updated packages in detail
This stable update introduces several significant corrections to the following packages:
| Package | Reason |
|---|---|
| auto-apt-proxy | Check explicitly configured proxies before network gateway |
| base-files | Update for the point release |
| courier | Fix courier-webmin |
| debian-installer | Increase Linux kernel ABI to 6.12.43+deb13; rebuild against proposed-updates; add a workaround for a GRUB graphics initialisation bug |
| debian-installer-netboot-images | Rebuild against proposed-updates |
| desktop-base | Fix placement of plymouth prompts in multi-monitor setups |
| devscripts | Update suite and codename mappings |
| dpdk | New upstream point release |
| ethtool | netlink: fix print_string when the value is NULL |
| firebird3.0 | Fix null pointer dereference in XDR message parsing [CVE-2025-54989] |
| flvstreamer | Stop installing rtmpsrv and rtmpsuck, avoiding file conflict with the rtmpdump package |
| galera-4 | New upstream stable release |
| git | New upstream bug-fix release; fix arbitrary file write issues [CVE-2025-27613 CVE-2025-46835]; fix code execution issues [CVE-2025-27614 CVE-2025-48384]; fix protocol injection issue, possibly leading to arbitrary code execution [CVE-2025-48385] |
| glib2.0 | New upstream bugfix release; fix a corner case when upgrading from bookworm |
| gnome-control-center | Fix a UI issue and an error display issue; translation updates |
| gnome-online-accounts | New upstream bug-fix release; update translations |
| gnome-shell | New upstream bugfix release |
| golang-github-gin-contrib-cors | Fix mishandling of wildcards [CVE-2019-25211] |
| gssdp | New upstream bug-fix release; fix issues with Since: and Deprecated: declarations in documentation |
| imagemagick | Security fixes: heap buffer overflow in the InterpretImageFilename function [CVE-2025-53014]; infinite loop when writing during a specific XMP file conversion command [CVE-2025-53015]; memory leak in the magick stream command [CVE-2025-53019]; stack overflow through vsnprintf() [CVE-2025-53101]; use-after-free when SetQuantumFormat is used [CVE-2025-43965]; in multispectral MIFF image processing, packet_size mishandling [CVE-2025-46393] |
| init-system-helpers | Fix handling of os-release diversions from live-build, ensuring they don't exist in non-live systems |
| installation-guide | Enable Hungarian and Ukrainian translations; fix boot-dev-select-arm64 and armhf-armmp-supported-platforms hyperlinks |
| iperf3 | Fix buffer overflow issue [CVE-2025-54349]; fix assertion failure [CVE-2025-54350] |
| kamailio | Relax OpenSSL version check to only match against major version |
| libadwaita-1 | New upstream bugfix release |
| libcgi-simple-perl | Fix HTTP response splitting issue [CVE-2025-40927] |
| libcoap3 | Fix buffer overflow issue [CVE-2024-0962]; fix integer overflow issue [CVE-2024-31031] |
| libreoffice | Add EUR support for Bulgaria; fix installation of Impress sound effects; fix playing of videos in Impress under Qt6 |
| librepo | New upstream bug-fix release, fixing support for DNF5; improve handling of SELinux in the Debian packaging |
| linux | New upstream stable release |
| linux-signed-amd64 | New upstream stable release |
| linux-signed-arm64 | New upstream stable release |
| live-boot | Fix handling of os-release diversions from live-build, ensuring they don't exist in non-live systems |
| live-build | Fix handling of os-release diversions, ensuring they don't exist in non-live systems |
| mame | Fix translation building |
| mariadb | New upstream stable release |
| mate-sensors-applet | Fix crash at startup |
| mmdebstrap | Support numeric UID in /etc/subgid and /etc/subuid |
| modemmanager | Fix support for Fibocom FM350-GL |
| mozjs128 | New upstream stable release; fix uninitialised memory issue [CVE-2025-9181], memory safety issues [CVE-2025-9185] |
| network-manager-openvpn | New upstream stable release; fix multi-factor authentication in combination with non-ASCII characters |
| nginx | Fix potential information leak in ngx_mail_smtp_module [CVE-2025-53859] |
| node-tmp | Fix arbitrary file write issue [CVE-2025-54798] |
| open-iscsi | Ensure /var/lib exists in initramfs |
| openjpeg2 | Fix out-of-bounds write issue [CVE-2025-54874] |
| orca | Add dependencies on python3-setproctitle and python3-psutil |
| orphan-sysvinit-scripts | Fix installation of mdadm scripts |
| pcre2 | New upstream stable release; fix potential information disclosure issue [CVE-2025-58050] |
| postfix | New upstream stable release; fix copying of files to chroot |
| postgresql-17 | New upstream stable release; tighten security checks in planner estimation functions [CVE-2025-8713]; prevent pg_dump scripts from being used to attack the user running the restore [CVE-2025-8714]; convert newlines to spaces in names included in comments in pg_dump output [CVE-2025-8715] |
| ptyxis | New upstream bugfix release |
| pyraf | Ensure compatibility with Python 3.13 |
| qemu | New upstream bugfix release |
| rabbitmq-server | Show proper plugin version numbers |
| remind | Fix buffer overflow in DUMPVARS |
| renpy | Fix font symlinks |
| resource-agents | Handle cases where more than one route for an IP address exists |
| rkward | Restore compatibility with R 4.5 |
| samba | New upstream bugfix release |
| sbuild | Support UID in /etc/sub(u|g)id; fix build path permissions when building as root; always append newline in binNMU changelog; allow empty BUILD_PATH in command line options |
| shaarli | Fix cross site scripting issue [CVE-2025-55291] |
| sound-theme-freedesktop | Link front-center sample to audio-channel-mono |
| strongswan | Fix OpenSSL 3.5.1 support |
| systemd | New upstream stable release |
| systemd-boot-efi-amd64-signed | New upstream stable release |
| systemd-boot-efi-arm64-signed | New upstream stable release |
| thunar | Fix prompt before permanently deleting files |
| timescaledb | Disable test that fails with Postgresql 17.6 |
| transmission | Fix GTK app crash when LANG=fr |
| tzdata | Confirm leap second status for 2025 |
| wolfssl | Avoid weak and predictable random numbers [CVE-2025-7394] |
This update incorporates essential security enhancements to the stable release:
The following packages were removed:
| Package | Reason |
|---|---|
| guix | Unsupportable; security issues |
Debian Installer Update
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
For further information, please refer to the following links:
- Complete list of changed packages: https://deb.debian.org/debian/dists/trixie/ChangeLog
- Current stable distribution: https://deb.debian.org/debian/dists/stable/
- Proposed updates to the stable distribution: https://deb.debian.org/debian/dists/proposed-updates
- Stable distribution information (release notes, errata etc.): https://www.debian.org/releases/stable/
- Security announcements and information: https://www.debian.org/security/
