Debian 10225 Published by

The fifth point release for Debian GNU/Linux 12 is now available. The majority of the changes that are included in this point release are corrections for security issues, along with a few adjustments for more serious issues.





Updated Debian 12: 12.5 released

The Debian project is pleased to announce the fifth update of its stable distribution Debian 12 (codename bookworm). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Debian_12

Please note that the point release does not constitute a new version of Debian 12 but only updates some of the packages included. There is no need to throw away old bookworm media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

PackageReason
apktoolPrevent arbitrary file writes with malicious resource names [CVE-2024-21633]
atrilFix crash when opening some epub files; fix index loading for certain epub documents; add fallback for malformed epub files in check_mime_type; use libarchive instead of external command for extracting documents [CVE-2023-51698]
base-filesUpdate for the 12.5 point release
cajaFix desktop rendering artifacts after resolution changes; fix use of informal date format
calibreFix HTML Input: Don't add resources that exist outside the folder hierarchy rooted at the parent folder of the input HTML file by default [CVE-2023-46303]
comptonRemove recommendation of picom
cryptsetupcryptsetup-initramfs: Add support for compressed kernel modules; cryptsetup-suspend-wrapper: Don't error out on missing /lib/systemd/system-sleep directory; add_modules(): Change suffix drop logic to match initramfs-tools
debian-edu-artworkProvide an Emerald theme based artwork for Debian Edu 12
debian-edu-configNew upstream release
debian-edu-docUpdate included documentation and translations
debian-edu-faiNew upstream release
debian-edu-installNew upstream release; fix security sources.list
debian-installerIncrease Linux kernel ABI to 6.1.0-18; rebuild against proposed-updates
debian-installer-netboot-imagesRebuild against proposed-updates
debian-ports-archive-keyringAdd Debian Ports Archive Automatic Signing Key (2025)
dpdkNew upstream stable release
dropbearFix terrapin attack [CVE-2023-48795]
engrampaFix several memory leaks; fix archive save as functionality
espeak-ngFix buffer overflow issues [CVE-2023-49990 CVE-2023-49992 CVE-2023-49993], buffer underflow issue [CVE-2023-49991], floating point exception issue [CVE-2023-49994]
filezillaPrevent Terrapin exploit [CVE-2023-48795]
fishHandle Unicode non-printing characters safely when given as command substitution [CVE-2023-49284]
fssyncDisable flaky tests
gnutls28Fix assertion failure when verifying a certificate chain with a cycle of cross signatures [CVE-2024-0567]; fix timing side-channel issue [CVE-2024-0553]
indentFix buffer under read issue [CVE-2024-0911]
islFix use on older CPUs
jtreg7New source package to support builds of openjdk-17
libdatetime-timezone-perlUpdate included timezone data
libde265Fix buffer overflow issues [CVE-2023-49465 CVE-2023-49467 CVE-2023-49468]
libfirefox-marionette-perlFix compatibility with newer firefox-esr versions
libmateweatherFix URL for aviationweather.gov
libspreadsheet-parsexlsx-perlFix possible memory bomb [CVE-2024-22368]; fix XML External Entity issue [CVE-2024-23525]
linuxNew upstream stable release; bump ABI to 18
linux-signed-amd64New upstream stable release; bump ABI to 18
linux-signed-arm64New upstream stable release; bump ABI to 18
linux-signed-i386New upstream stable release; bump ABI to 18
localslackircSend authorization and cookie headers to the websocket
mariadbNew upstream stable release; fix denial of service issue [CVE-2023-22084]
mate-screensaverFix memory leaks
mate-settings-daemonFix memory leaks; relax High DPI limits; fix handling of multiple rfkill events
mate-utilsFix various memory leaks
monitoring-pluginsFix check_http plugin when --no-body is used and the upstream response is chunked
needrestartFix microcode check regression on AMD CPUs
netplan.ioFix autopkgtests with newer systemd versions
nextcloud-desktopFix fails to sync files with special chars like ':'; fix two-factor authentication notifications
node-yarnpkgFix use with Commander 8
onionprobeFix initialisation of Tor if using hashed passwords
pipewireUse malloc_trim() when available to release memory
plumaFix memory leak issues; fix double activation of extensions
postfixNew upstream stable release; address SMTP smuggling issue [CVE-2023-51764]
proftpd-dfsgImplement fix for the Terrapin attack [CVE-2023-48795]; fix out-of-bounds read issue [CVE-2023-51713]
proftpd-mod-proxyImplement fix for the Terrapin attack [CVE-2023-48795]
pypdfFix infinite loop issue [CVE-2023-36464]
pypdf2Fix infinite loop issue [CVE-2023-36464]
pypy3Avoid an rpython assertion error in the JIT if integer ranges don't overlap in a loop
qemuNew upstream stable release; virtio-net: correctly copy vnet header when flushing TX [CVE-2023-6693]; fix null pointer dereference issue [CVE-2023-6683]; revert patch causing regressions in suspend / resume functionality
rpmEnable the read-only BerkeleyDB backend
rss-glxInstall screensavers into /usr/libexec/xscreensaver; call GLFinish() prior to glXSwapBuffers()
spipFix two cross-site scripting issues
swupdatePrevent acquiring root privileges through inappropriate socket mode
systemdNew upstream stable release; fix missing verification issue in systemd-resolved [CVE-2023-7008]
tarFix boundary checking in base-256 decoder [CVE-2022-48303], handling of extended header prefixes [CVE-2023-39804]
tinyxmlFix assertion issue [CVE-2023-34194]
tzdataNew upstream stable release
usb.idsUpdate included data list
usbutilsFix usb-devices not printing all devices
usrmergeClean up biarch directories when not needed; don't run convert-etc-shells again on converted systems; handle mounted /lib/modules on Xen systems; improve error reporting; add versioned conflicts with libc-bin, dhcpcd, libparted1.8-10 and lustre-utils
wolfsslFix security issue when client sent neither PSK nor KSE extensions [CVE-2023-3724]
xenNew upstream stable release; security fixes [CVE-2023-46837 CVE-2023-46839 CVE-2023-46840]

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory IDPackage
DSA-5572 roundcube
DSA-5573 chromium
DSA-5574 libreoffice
DSA-5576 xorg-server
DSA-5577 chromium
DSA-5578 ghostscript
DSA-5579 freeimage
DSA-5581 firefox-esr
DSA-5582 thunderbird
DSA-5583 gst-plugins-bad1.0
DSA-5584 bluez
DSA-5585 chromium
DSA-5586 openssh
DSA-5587 curl
DSA-5588 putty
DSA-5589 node-undici
DSA-5590 haproxy
DSA-5591 libssh
DSA-5592 libspreadsheet-parseexcel-perl
DSA-5593 linux-signed-amd64
DSA-5593 linux-signed-arm64
DSA-5593 linux-signed-i386
DSA-5593 linux
DSA-5595 chromium
DSA-5597 exim4
DSA-5598 chromium
DSA-5599 phpseclib
DSA-5600 php-phpseclib
DSA-5601 php-phpseclib3
DSA-5602 chromium
DSA-5603 xorg-server
DSA-5605 thunderbird
DSA-5606 firefox-esr
DSA-5607 chromium
DSA-5608 gst-plugins-bad1.0
DSA-5609 slurm-wlm
DSA-5610 redis
DSA-5611 glibc
DSA-5612 chromium
DSA-5613 openjdk-17
DSA-5614 zbar
DSA-5615 runc

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

The current stable distribution:

Proposed updates to the stable distribution:

stable distribution information (release notes, errata etc.):

Security announcements and information:

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.