The Debian project has announced the tenth update of its stable distribution, Debian 12 (codename bookworm). The point release mainly collects fixes for security issues whose advisories were already published separately, plus a few corrections for serious bugs. It is not a new version of Debian 12: an existing installation is brought up to date by running a normal package upgrade against a current Debian mirror, and new installation images will be available shortly. The full announcement follows.

Updated Debian 12: 12.10 released

The Debian project is pleased to announce the tenth update of its stable distribution Debian 12 (codename bookworm). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 12 but only updates some of the packages included. There is no need to throw away old bookworm media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

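The upgrade step above is a plain `apt-get update` followed by a full upgrade, but two things are easy to get wrong afterwards: point-release numbers do not sort as strings (12.9 versus 12.10), and the kernel ABI bump in this release (6.1.0-32) means the new kernel is installed but not running until a reboot. The following script is an added example, not part of the Debian announcement; the file name and the `--check`/`--apply` switches are the example's own, and it assumes a default bookworm sources.list pointing at a Debian mirror plus bookworm-security.

```shell
#!/bin/sh
# Added example, not part of the Debian announcement: check whether a bookworm
# system has reached the 12.10 point release and whether the running kernel
# already matches the ABI this point release ships (6.1.0-32, per the
# "bump ABI to 32" rows in the table below). Only --apply touches the network;
# the checks read local state and can run as an unprivileged user.
set -eu

EXPECTED_RELEASE="12.10"         # the point release announced here
EXPECTED_KERNEL_ABI="6.1.0-32"   # bookworm kernel ABI after this point release

# Succeed when $1 (the contents of /etc/debian_version) is at least point
# release $2. Major and minor are compared as integers so that 12.9 < 12.10;
# a plain string comparison would get that wrong.
at_least_release() {
    have=$1; want=$2
    case "$have" in *.*) have_minor=${have#*.} ;; *) have_minor=0 ;; esac
    have_major=${have%%.*}; have_minor=${have_minor%%.*}
    want_major=${want%%.*}; want_minor=${want#*.}
    # On testing/unstable the file holds a codename ("trixie/sid"), which must
    # not be mistaken for "new enough".
    case "$have_major$have_minor" in *[!0-9]*) return 1 ;; esac
    if [ "$have_major" -gt "$want_major" ]; then return 0; fi
    [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]
}

# Reduce a kernel release string from `uname -r` to its Debian ABI, e.g.
# "6.1.0-31-amd64" -> "6.1.0-31", dropping the flavour (-amd64, -rt-arm64, ...).
kernel_abi_of() {
    rel=$1
    case "$rel" in
        *-*) rest=${rel#*-}; printf '%s-%s\n' "${rel%%-*}" "${rest%%-*}" ;;
        *)   printf '%s\n' "$rel" ;;   # self-built kernel without a Debian ABI
    esac
}

# Succeed when the kernel named by $1 is not the one this point release ships,
# i.e. the new linux-image is installed (or pending) but not yet running.
reboot_needed() {
    [ "$(kernel_abi_of "$1")" != "$EXPECTED_KERNEL_ABI" ]
}

report() {
    version=$(cat /etc/debian_version 2>/dev/null || echo unknown)
    running=$(uname -r)
    if at_least_release "$version" "$EXPECTED_RELEASE"; then
        echo "release: $version (>= $EXPECTED_RELEASE)"
    else
        echo "release: $version (older than $EXPECTED_RELEASE; run with --apply)"
    fi
    if reboot_needed "$running"; then
        echo "kernel: running $running, point release ships $EXPECTED_KERNEL_ABI: reboot after upgrading"
    else
        echo "kernel: running $running (ABI $EXPECTED_KERNEL_ABI)"
    fi
}

# The upgrade step from the announcement. Assumes /etc/apt/sources.list already
# names bookworm, bookworm-updates and bookworm-security on a Debian mirror,
# as a default bookworm installation does. Must run as root; dist-upgrade is
# left interactive on purpose so the package changes can be reviewed.
apply() {
    apt-get update
    apt-get dist-upgrade
    report
}

case "${1:-}" in
    --check) report ;;
    --apply) apply ;;
esac
```

Run `sh check-bookworm.sh --check` before and after the upgrade; the kernel line stays at "reboot after upgrading" until the system has actually been rebooted onto 6.1.0-32, which is the check most often skipped on long-running hosts.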

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package                           Reason
389-ds-base                       Fix crash when modifying userPassword using malformed input [CVE-2024-2199 CVE-2024-8445]; prevent denial of service while attempting to log in with a user with a malformed hash in their password [CVE-2024-5953]; prevent denial of service on the directory server with specially-crafted LDAP query [CVE-2024-3657]
base-files                        Update for the point release
bup                               New upstream bugfix release
containerd                        Fix tests causing FTBFS on the auto-builder network
curl                              Fix unintended HTTPS upgrades or premature reversion to HTTP when both subdomains and parent domains are used [CVE-2024-9681]; prevent stopping of stunnel before retries in the build-time tests; fix possible credentials leakage issues [CVE-2024-11053 CVE-2025-0167]; fix test failures due to port clashes
dacite                            Do not cache result of get_default_value_for_field
dcmtk                             Fix issue when rendering an invalid monochrome DICOM image [CVE-2024-47796]; ensure HighBit < BitsAllocated [CVE-2024-52333]; fix possible overflows when allocating memory [CVE-2024-27628]; fix two segmentation faults [CVE-2024-34508 CVE-2024-34509]; fix arbitrary code execution issue [CVE-2024-28130]; fix buffer overflow issues [CVE-2025-25472 CVE-2025-25474]; fix NULL pointer dereference issue [CVE-2025-25475]
debian-installer                  Increase Linux kernel ABI to 6.1.0-32; rebuild against proposed-updates
debian-ports-archive-keyring      Add 2026 key; move 2023 and 2024 keys to the removed keyring
dgit                              Add missing parameters for source upload target
djoser                            Fix authentication bypass [CVE-2024-21543]
dns-root-data                     Add the DNSKEY record for KSK-2024
edk2                              Fix overflow condition in PeCoffLoaderRelocateImage() [CVE-2024-38796]; fix potential UINT32 overflow in S3 ResumeCount [CVE-2024-1298]
elpa                              Fix tests on machines with 2 vCPU or fewer
flightgear                        Fix sandbox bypass vulnerability in Nasal scripts [CVE-2025-0781]
gensim                            Fix build failure on single-CPU machines
glibc                             Fix buffer overflow when printing assertion failure message [CVE-2025-0395]; fix memset performance for unaligned destinations; fix TLS performance degradation after dlopen() usage; avoid integer truncation when parsing CPUID data with large cache sizes; ensure data passed to the rseq syscall are properly initialized
golang-github-containers-buildah  Disable a test known to fail on the auto-builder network, fixing build failure
intel-microcode                   New upstream security release [CVE-2023-34440 CVE-2023-43758 CVE-2024-24582 CVE-2024-28047 CVE-2024-28127 CVE-2024-29214 CVE-2024-31068 CVE-2024-31157 CVE-2024-36293 CVE-2024-37020 CVE-2024-39279 CVE-2024-39355]
iptables-netflow                  Fix build with newer bullseye kernels
jinja2                            Fix arbitrary code execution issues [CVE-2024-56201 CVE-2024-56326]
joblib                            Fix build failure on single-CPU systems
lemonldap-ng                      Fix CSRF vulnerability on 2FA registration interface [CVE-2024-52948]
libapache-mod-jk                  Set correct default permissions for shared memory [CVE-2024-46544]
libeconf                          Fix buffer overflow vulnerability [CVE-2023-32181 CVE-2023-22652]
librabbitmq                       Add option to read username/password from file [CVE-2023-35789]
libtar                            Fix out-of-bounds read in gnu_longlink() [CVE-2021-33643]; fix out-of-bounds read in gnu_longname() [CVE-2021-33644]; fix memory leak in th_read() [CVE-2021-33645]; fix memory leak in th_read() [CVE-2021-33646]
linux                             New upstream release; bump ABI to 32
linux-signed-amd64                New upstream release; bump ABI to 32
linux-signed-arm64                New upstream release; bump ABI to 32
linux-signed-i386                 New upstream release; bump ABI to 32
linuxcnc                          Fix multi axes movement on single axis G0 MDI call
ltt-control                       Fix consumer crash on shutdown
lttng-modules                     Fix build with newer bullseye kernels
mariadb                           New upstream stable release; fix security issue [CVE-2024-21096]; fix denial of service issue [CVE-2025-21490]
monero                            Impose response limits on HTTP server connections [CVE-2025-26819]
mozc                              Install fcitx icons to the correct locations
ndcube                            Ignore test warnings from astropy
nginx                             Fix possible bypass of client certificate authentication [CVE-2025-23419]
node-axios                        Fix CSRF vulnerability [CVE-2023-45857]; fix potential vulnerability in URL when determining an origin [CVE-2024-57965]
node-js-sdsl                      Fix build failure
node-postcss                      Fix mishandling of non-integer values leading to denial of service in nanoid [CVE-2024-55565]; fix parsing of external untrusted CSS [CVE-2023-44270]
node-recast                       Fix build failure
node-redis                        Fix build failure
node-rollup                       Fix build failure arising from changed timeout API
openh264                          Fix Cisco download URL
php-nesbot-carbon                 Fix arbitrary file include issue [CVE-2025-22145]
postgresql-15                     New upstream stable release; harden PQescapeString and allied functions against invalidly-encoded strings; improve behavior of libpq's quoting functions [CVE-2025-1094]
puma                              Fix behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers [CVE-2023-40175]; limit size of chunk extensions [CVE-2024-21647]; prevent manipulation of headers set by intermediate proxies [CVE-2024-45614]
python-django                     Fix regular expression-based denial of service issue [CVE-2023-36053]; denial of service issues [CVE-2024-38875 CVE-2024-39614 CVE-2024-41990 CVE-2024-41991]; user enumeration issue [CVE-2024-39329]; directory traversal issue [CVE-2024-39330]; excessive memory consumption issue [CVE-2024-41989]; SQL injection issue [CVE-2024-42005]
python-pycdlib                    Run tests only if /tmp is tmpfs, otherwise they are known to fail
rapiddisk                         Support Linux versions up to 6.10
rsyslog                           Avoid segmentation fault if a SIGTERM is received during startup
runit-services                    Do not enable dhclient service by default
seqan3                            Fix parallel running of tests
simgear                           Fix sandbox bypass vulnerability in Nasal scripts [CVE-2025-0781]
spamassassin                      New upstream stable release
sssd                              Apply GPO policy consistently [CVE-2023-3758]
subversion                        Fix vulnerable parsing of control characters in paths served by mod_dav_svn [CVE-2024-46901]
sunpy                             Ignore test warnings from astropy
systemd                           New upstream stable release
tzdata                            New upstream release; update data for Paraguay; update leap second information
vagrant                           Fix URL of public Vagrant registry
vim                               Fix crash when expanding ~ in substitute [CVE-2023-2610]; fix buffer-overflow in vim_regsub_both() [CVE-2023-4738]; fix heap use after free in ins_compl_get_exp() [CVE-2023-4752]; fix heap-buffer-overflow in vim_regsub_both [CVE-2023-4781]; fix buffer-overflow in trunc_string() [CVE-2023-5344]; fix stack-buffer-overflow in option callback functions [CVE-2024-22667]; fix heap-buffer-overflow in ins_typebuf [CVE-2024-43802]; fix use-after-free when closing a buffer [CVE-2024-47814]; fix build failure on 32-bit architectures
wget                              Fix mishandling of semicolons in userinfo in URLs [CVE-2024-38428]
xen                               Allow direct kernel boot with kernels >= 6.12

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID   Package
DSA-5834      chromium
DSA-5836      xen
DSA-5839      firefox-esr
DSA-5840      chromium
DSA-5841      thunderbird
DSA-5842      openafs
DSA-5843      rsync
DSA-5844      chromium
DSA-5845      tomcat10
DSA-5846      libreoffice
DSA-5847      snapcast
DSA-5848      chromium
DSA-5849      git-lfs
DSA-5850      git
DSA-5851      openjpeg2
DSA-5852      pdns-recursor
DSA-5853      pam-u2f
DSA-5854      bind9
DSA-5855      chromium
DSA-5856      redis
DSA-5857      openjdk-17
DSA-5858      firefox-esr
DSA-5859      chromium
DSA-5860      linux-signed-amd64
DSA-5860      linux-signed-arm64
DSA-5860      linux-signed-i386
DSA-5860      linux
DSA-5861      thunderbird
DSA-5862      cacti
DSA-5863      libtasn1-6
DSA-5864      pam-pkcs11
DSA-5865      webkit2gtk
DSA-5866      chromium
DSA-5867      gnutls28
DSA-5868      openssh
DSA-5869      chromium
DSA-5870      openh264
DSA-5871      emacs
DSA-5872      xorg-server
DSA-5873      libreoffice
DSA-5874      firefox-esr
DSA-5875      chromium
DSA-5876      thunderbird

Removed packages

The following packages were removed due to circumstances beyond our control:

Package                Reason
kanboard               Unmaintained; security issues
libnet-easytcp-perl    Unmaintained upstream; security issues
looking-glass          Not suitable for a stable release
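Removal from the archive does not uninstall anything: a system that already has one of these packages keeps it, now with no further updates from the bookworm suite, and `apt-get dist-upgrade` will not flag it. The script below is an added example, not part of the announcement; it consults dpkg's own status database for the three packages listed above and prints those that are still installed. The `--check` switch and the constructed sample lines in the comment are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Debian announcement. Lists which packages
# removed from bookworm in this point release are still installed locally,
# so they can be replaced or purged deliberately rather than lingering
# without security support.
set -eu

# The three packages from the "Removed packages" table above.
REMOVED_PACKAGES="kanboard libnet-easytcp-perl looking-glass"

# Filter dpkg-query output of the form "<package> <want> <flag> <status>"
# (for example "kanboard install ok installed") down to the names that are
# actually installed. Entries such as "deinstall ok config-files" (purged
# binaries, leftover config) are deliberately not reported.
still_installed() {
    awk '$2 == "install" && $4 == "installed" { print $1 }'
}

# Ask dpkg about the removed packages. dpkg-query exits non-zero and writes
# "no packages found matching ..." to stderr for names it has never seen;
# that is the normal case here and is silenced.
check_removed_packages() {
    # shellcheck disable=SC2086  # splitting the list into arguments is intended
    dpkg-query -W -f='${Package} ${Status}\n' $REMOVED_PACKAGES 2>/dev/null \
        | still_installed
}

case "${1:-}" in
    --check)
        found=$(check_removed_packages)
        if [ -n "$found" ]; then
            echo "installed but removed from bookworm (no further security updates):"
            echo "$found"
        else
            echo "none of the removed packages are installed"
        fi ;;
esac
```

`sh removed-packages.sh --check` is cheap enough to run after every point release; the same filter works for any list of package names, so the list can be extended with the removals announced in later bookworm point releases.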

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

The current stable distribution:

Proposed updates to the stable distribution:

Stable distribution information (release notes, errata etc.):

Security announcements and information: