The Debian project has released the sixth version of its stable distribution, Debian 12, which includes security fixes and changes to major vulnerabilities. The stable update also fixes several problems, including a possible heap overflow, a possible command injection, cloud-init declarations, and djangorestframework. It also includes security fixes, such as one for a missing static file, another for a construction issue in the 6.9 kernel and backports, and one for a memory leak.
The update also fixes security mitigations, such as INTEL-SA-01051, INTEL-SA-01052, and INTEL-SA-01036, as well as unnamed functional concerns with other Intel processors. It also covers post-issuance validation logic, libapache2-mod-auth-openidc, json-smart, kio, file loss, and probable CIFS locking concerns, among other topics.
The update also fixes security mitigations, such as INTEL-SA-01051, INTEL-SA-01052, and INTEL-SA-01036, as well as unnamed functional concerns with other Intel processors. It also covers post-issuance validation logic, libapache2-mod-auth-openidc, json-smart, kio, file loss, and probable CIFS locking concerns, among other topics.
Updated Debian 12: 12.6 released
The Debian project is pleased to announce the sixth update of its stable distribution Debian 12 (codename bookworm). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 12 but only updates some of the packages included. There is no need to throw away old bookworm media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
Package Reason aide Fix concurrent reading of extended attributes amavisd-new Handle multiple boundary parameters that contain conflicting values [CVE-2024-28054]; fix race condition in postinst archlinux-keyring Switch to pre-built keyrings; sync with upstream base-files Update for the 12.6 point release bash Rebuild to fix outdated Built-Using bioawk Disable parallel builds to fix random failures bluez Fix remote code execution issues [CVE-2023-27349 CVE-2023-50229 CVE-2023-50230] cdo Disable hirlam-extensions to avoid causing issues with ICON data files chkrootkit Rebuild to fix outdated Built-Using cjson Fix missing NULL checks [CVE-2023-50471 CVE-2023-50472] clamav New upstream stable release; fix possible heap overflow issue [CVE-2024-20290], possible command injection issue [CVE-2024-20328] cloud-init Declare conflicts/replaces on versioned package introduced for bullseye comitup Ensure service is unmasked in post install cpu Provide exactly one definition of globalLdap in LDAP plugin crmsh Create log directory and file on installation crowdsec-custom-bouncer Rebuild to fix outdated Built-Using crowdsec-firewall-bouncer Rebuild against golang-github-google-nftables version with fixed little-endian architecture support curl Do not keep default protocols when deselected [CVE-2024-2004]; fix memory leak [CVE-2024-2398] dar Rebuild to fix outdated Built-Using dcmtk Clean up properly on purge debian-installer Increase Linux kernel ABI to 6.1.0-22; rebuild against proposed-updates debian-installer-netboot-images Rebuild against proposed-updates debvm debvm-create: do install login; bin/debvm-waitssh: make --timeout=N work; bin/debvm-run: allow being run in environments without TERM set; fix resolv.conf in stretch dhcpcd5 privsep: Allow zero length messages through; fix server not being restarted correctly during upgrades distro-info-data Declare intentions for bullseye/bookworm; fix past data; add Ubuntu 24.10 djangorestframework Reinstate missing static files dm-writeboost Fix build error with 6.9 kernel and backports dns-root-data Update root hints; update expired security information dpdk New upstream stable release ebook-speaker Support username over 8 characters when enumerating groups emacs Security fixes [CVE-2024-30202 CVE-2024-30203 CVE-2024-30204 CVE-2024-30205]; replace expired package-keyring.gpg with a current version extrepo-data Update repository information flatpak New upstream stable release fpga-icestorm Restore compatibility with yosys freetype Disable COLRv1 support, which was unintentionally enabled by upstream; fix function existence check when calling get_colr_glyph_paint() galera-4 New upstream bugfix release; update upstream release signing key; prevent date-related test failures gdk-pixbuf ANI: Reject files with multiple anih chunks [CVE-2022-48622]; ANI: Reject files with multiple INAM or IART chunks; ANI: Validate anih chunk size glewlwyd Fix potential buffer overflow during FIDO2 credential validation [CVE-2023-49208]; fix open redirection via redirect_uri [CVE-2024-25715] glib2.0 Fix a (rare) memory leak glibc Revert fix to always call destructors in reverse constructor order due to unforeseen application compatibility issues; fix a DTV corruption due to a reuse of a TLS module ID following dlclose with unused TLS gnutls28 Fix certtool crash when verifying a certificate chain with more than 16 certificates [CVE-2024-28835]; fix side-channel in the deterministic ECDSA [CVE-2024-28834]; fix a memory leak; fix two segfault issues golang-github-containers-storage Rebuild for outdated Built-Using golang-github-google-nftables Fix AddSet() function on little-endian architectures golang-github-openshift-imagebuilder Rebuild for outdated Built-Using gosu Rebuild for outdated Built-Using gpaste Fix conflict with older libpgpaste6 gross Fix stack-based buffer overflow [CVE-2023-52159] hovercraft Depend on python3-setuptools icinga2 Fix segmentation fault on ppc64el igtf-policy-bundle Address CAB Forum S/MIME policy change; apply accumulated updates to trust anchors intel-microcode Security mitigations [CVE-2023-22655 CVE-2023-28746 CVE-2023-38575 CVE-2023-39368 CVE-2023-43490]; mitigate for INTEL-SA-01051 [CVE-2023-45733], INTEL-SA-01052 [CVE-2023-46103], INTEL-SA-01036 [CVE-2023-45745, CVE-2023-47855] and unspecified functional issues on various Intel processors jose Fix potential denial-of-service issue [CVE-2023-50967] json-smart Fix excessive recursion leading to stack overflow [CVE-2023-1370]; fix denial of service via crafted request [CVE-2021-31684] kio Fix file loss and potential locking issues on CIFS lacme Fix post-issuance validation logic libapache2-mod-auth-openidc Fix mising input validation leading to DoS [CVE-2024-24814] libesmtp Break and replace older library versions libimage-imlib2-perl Fix package build libjwt Fix timing side channel attack [CVE-2024-25189] libkf5ksieve Prevent leaking passwords into server-side logs libmail-dkim-perl Add dependency on libgetopt-long-descriptive-perl libpod Handle removed containers properly libreoffice Fix backup copy creation for files on mounted samba shares; don't remove libforuilo.so in -core-nogui libseccomp Add support for syscalls up to Linux 6.7 libtommath Fix integer overflow [CVE-2023-36328] libtool Conflict with libltdl3-dev; fix check for += operator in func_append libxml-stream-perl Fix compatibility with IO::Socket::SSL >= 2.078 linux New upstream stable release; increase ABI to 22 linux-signed-amd64 New upstream stable release; increase ABI to 22 linux-signed-arm64 New upstream stable release; increase ABI to 22 linux-signed-i386 New upstream stable release; increase ABI to 22 lua5.4 debian/version-script: Export additional missing symbols for lua 5.4.4 lxc-templates Fix the mirror option of lxc-debian mailman3 Depend alternatively on cron-daemon; fix postgresql:// url in post-installation script mksh Handle merged /usr in /etc/shells; fix crash with nested bashism; fix arguments to the dot command; distinguish unset and empty in `typeset -p` mobian-keyring Update Mobian archive key ms-gsl Mark not_null constructors as noexcept nano Fix format string issues; fix with --cutfromcursor, undoing a justification can eat a line; fix malicious symlink issue; fix example bindings in nanorc netcfg Handle routing for single-address netmasks ngircd Respect SSLConnect option for incoming connections; server certificate validation on server links (S2S-TLS); METADATA: Fix unsetting cloakhost node-babel7 Fix building against nodejs 18.19.0+dfsg-6~deb12u1; add Breaks/Replaces against obsolete node-babel-* packages node-undici Properly export typescript types node-v8-compile-cache Fix tests when a newer nodejs version is used node-zx Fix flaky test nodejs Skip flaky tests for mipsel/mips64el nsis Don't allow unprivileged users to delete the uninstaller directory [CVE-2023-37378]; fix regression in disabling stub relocations; build reproducibly for arm64 nvidia-graphics-drivers Restore compatibility with newer Linux kernel builds; take over packages from nvidia-graphics-drivers-tesla; add new nvidia-suspend-common package; relax dh-dkms build-dependency for compatibility with bookworm; new upstream stable release [CVE-2023-0180 CVE-2023-0183 CVE-2023-0184 CVE-2023-0185 CVE-2023-0187 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199 CVE-2023-25515 CVE-2023-25516 CVE-2023-31022 CVE-2024-0074 CVE-2024-0075 CVE-2024-0078 CVE-2024-0090 CVE-2024-0092] nvidia-graphics-drivers-tesla Restore compatibility with newer Linux kernel builds nvidia-graphics-drivers-tesla-470 Restore compatibility with newer Linux kernel builds; stop building nvidia-cuda-mps; new upstream stable release; security fixes [CVE-2022-42265 CVE-2024-0074 CVE-2024-0078 CVE-2024-0090 CVE-2024-0092] nvidia-modprobe Prepare to switch to 535 series LTS drivers nvidia-open-gpu-kernel-modules Update to 535 series LTS drivers [CVE-2023-0180 CVE-2023-0183 CVE-2023-0184 CVE-2023-0185 CVE-2023-0187 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199 CVE-2023-25515 CVE-2023-25516 CVE-2023-31022 CVE-2024-0074 CVE-2024-0075 CVE-2024-0078 CVE-2024-0090 CVE-2024-0092] nvidia-persistenced Switch to 535 series LTS drivers; update list of supported drivers nvidia-settings Also build for ppc64el; new upstream LTS release nvidia-xconfig New upstream LTS release openrc Ignore non-executable scripts in /etc/init.d openssl New upstream stable release; fix excessive time taken issues [CVE-2023-5678 CVE-2023-6237], vector register corruption issue on PowerPC [CVE-2023-6129], PKCS12 Decoding crashes [CVE-2024-0727] openvpn-dco-dkms Build for Linux >= 6.5; install compat-include directory; fix refcount imbalance orthanc-dicomweb Rebuild to fix outdated Built-Using orthanc-gdcm Rebuild to fix outdated Built-Using orthanc-mysql Rebuild to fix outdated Built-Using orthanc-neuro Rebuild to fix outdated Built-Using orthanc-postgresql Rebuild to fix outdated Built-Using orthanc-python Rebuild to fix outdated Built-Using orthanc-webviewer Rebuild to fix outdated Built-Using orthanc-wsi Rebuild to fix outdated Built-Using ovn New upstream stable version; fix insufficient validation of incoming BFD packets [CVE-2024-2182] pdudaemon Depend on python3-aiohttp php-composer-class-map-generator Force system dependency loading php-composer-pcre Add missing Breaks+Replaces: on composer (<< 2.2) php-composer-xdebug-handler Force system dependency loading php-doctrine-annotations Force system dependency loading php-doctrine-deprecations Force system dependency loading php-doctrine-lexer Force system dependency loading php-phpseclib Guard isPrime() and randomPrime() for BigInteger [CVE-2024-27354]; limit OID length in ASN1 [CVE-2024-27355]; fix BigInteger getLength(); remove visibitility modifiers from static variables php-phpseclib3 Force system dependency loading; guard isPrime() and randomPrime() for BigInteger [CVE-2024-27354]; limit OID length in ASN1 [CVE-2024-27355]; fix BigInteger getLength() php-proxy-manager Force system dependency loading php-symfony-contracts Force system dependency loading php-zend-code Force system dependency loading phpldapadmin Fix compatbility with PHP 8.1+ phpseclib Force system dependency loading; guard isPrime() and randomPrime() for BigInteger [CVE-2024-27354]; limit OID length in ASN1 [CVE-2024-27355]; fix BigInteger getLength() postfix New upstream stable release postgresql-15 New upstream stable release; restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to the table owner [CVE-2024-4317] prometheus-node-exporter-collectors Do not adversely affect mirror network; fix deadlock with other apt update runs pymongo Fix out-of-bounds read issue [CVE-2024-5629] pypy3 Strip C0 control and space characters in urlsplit [CVE-2023-24329]; avoid bypass of TLS handshake protections on closed sockets [CVE-2023-40217]; tempfile.TemporaryDirectory: fix symlink bug in cleanup [CVE-2023-6597]; protect zipfile from quoted-overlap zipbomb [CVE-2024-0450] python-aiosmtpd Fix SMTP smuggling issue [CVE-2024-27305]; fix STARTTLS unencrypted command injection issue [CVE-2024-34083] python-asdf Remove unnecessary dependency on asdf-unit-schemas python-channels-redis Ensure pools are closed on loop close in core python-idna Fix denial of service issue [CVE-2024-3651] python-jwcrypto Fix denial of service issue [CVE-2024-28102] python-xapian-haystack Drop dependency on django.utils.six python3.11 Fix use-after-free crash when deallocating a frame object; protect zipfile from quoted-overlap zipbomb [CVE-2024-0450]; tempfile.TemporaryDirectory: fix symlink bug in cleanup [CVE-2023-6597]; fix os.path.normpath(): Path truncation at null bytes [CVE-2023-41105]; avoid bypass of TLS handshake protections on closed sockets [CVE-2023-40217]; strip C0 control and space characters in urlsplit [CVE-2023-24329]; avoid a potential null pointer dereference in filleutils qemu New upstream stable release; security fixes [CVE-2024-26327 CVE-2024-26328 CVE-2024-3446 CVE-2024-3447] qtbase-opensource-src Fix regression in patch for CVE-2023-24607; avoid using system CA certificates when not wanted [CVE-2023-34410]; fix buffer overflow [CVE-2023-37369]; fix infinite loop in XML recursive entity expansion [CVE-2023-38197]; fix buffer overflow with crafted KTX image file [CVE-2024-25580]; fix HPack integer overflow check [CVE-2023-51714] rails Declare breaks and replaces on obsolete ruby-arel package riseup-vpn Use system certificate bundle by default, restoring ability to connect to an endpoint using LetsEncrypt certificate ruby-aws-partitions Ensure binary package includes partitions.json and partitions-metadata.json files ruby-premailer-rails Remove build-dependency on obsolete ruby-arel rust-cbindgen-web New source package to support builds of newer Firefox ESR versions rustc-web New source package to support builds of web browsers schleuder Fix argument parsing insufficient validation; fix importing keys from attachments sent by Thunderbird and handle mails without further content; look for keywords only at the start of mail; validate downcased email addresses when checking subscribers; consider From header for finding reply addresses sendmail Fix SMTP smuggling issue [CVE-2023-51765] skeema Rebuild for outdated Built-Using skopeo Rebuild for outdated Built-Using software-properties software-properties-qt: Add Conflicts+Replaces: on software-properties-kde for smoother upgrades from bullseye supermin Rebuild to fix outdated Built-Using symfony Force system dependency loading; DateTypTest: ensure submitted year is accepted choice systemd New upstream stable release; fix denial of service issues [CVE-2023-50387 CVE-2023-50868]; libnss-myhostname.nss: Install after files; libnss-mymachines.nss: Install before resolve and dns termshark Rebuild to fix outdated Built-Using tripwire Rebuild to fix outdated Built-Using tryton-client Only send compressed content in authenticated sessions tryton-server Prevent zip-bomb attacks from unauthenticated sources u-boot Fix orion-timer for booting sheevaplug and related platforms uif Support VLAN interface names umoci Rebuild for outdated Built-Using user-mode-linux Rebuilt to fix outdated Built-Using wayfire Add missing dependencies what-is-python Declare breaks and replaces on python-dev-is-python2; fix version mangling in build rules wpa Fix authentication bypass issue [CVE-2023-52160] xscreensaver Disable warning about old versions yapet Do not call EVP_CIPHER_CTX_set_key_length() in crypt/blowfish and crypt/aes zsh Rebuild to fix outdated Built-Using Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package Reason phppgadmin Security issues; incompatible with bookworm's PostgreSQL version pytest-salt-factories Only needed for salt, which is not part of bookworm ruby-arel Obsolete, integrated into ruby-activerecord, incompatible with ruby-activerecord 6.1.x spip Incompatible with bookworm's PHP version vasttrafik-cli API withdrawn Debian Installer
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
stable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
