Debian 10225 Published by

Debian GNU/Linux 12.8 represents the eighth update to the stable distribution of Debian 12, focusing on resolving security vulnerabilities and significant issues. This point release does not represent a new version of Debian 12; rather, it updates certain packages, enabling users to upgrade to the latest versions through an updated Debian mirror.





Updated Debian 12: 12.8 released

The Debian project is pleased to announce the eighth update of its stable distribution Debian 12 (codename bookworm). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 12 but only updates some of the packages included. There is no need to throw away old bookworm media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

Debian_12

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

PackageReason
7zipFix heap buffer overflow in NTFS handler [CVE-2023-52168]; fix out-of-bounds read in NTFS handler [CVE-2023-52169]
amandaUpdate incomplete fix for CVE-2022-37704, restoring operation with xfsdump
aprUse 0600 perms for named shared mem consistently [CVE-2023-49582]
base-filesUpdate for the point release
btrfs-progsFix checksum calculation errors during volume conversion in btrfs-convert
calamares-settings-debianFix missing launcher on KDE desktops; fix btrfs mounts
cjsonFix segmentation violation issue [CVE-2024-31755]
clamavNew upstream stable release; fix denial of service issue [CVE-2024-20505], file corruption issue [CVE-2024-20506]
cloud-initAdd support for multiple networkd Route sections
cloud-initramfs-toolsAdd missing dependencies in the initramfs
curlFix incorrect handling of some OCSP responses [CVE-2024-8096]
debian-installerReinstate some armel netboot targets (openrd); increase Linux kernel ABI to 6.1.0-27; rebuild against proposed-updates
debian-installer-netboot-imagesRebuild against proposed-updates
devscriptsbts: always upgrade to STARTTLS on 587/tcp; build-rdeps: add support for non-free-firmware; chdist: update sources.list examples with non-free-firmware; build-rdeps: use all available distros by default
diffoscopeFix build failure when processing a deliberately overlapping zip file in tests
distro-info-dataAdd Ubuntu 25.04
docker.ioFix bypassing of AuthZ plugins in some circumstances [CVE-2024-41110]
dpdkNew upstream stable release
exim4Fix crash in dbmnz when looking up keys with no content
fcgiwrapSet proper ownership on repositories in git backend
galera-4New upstream stable release
glib2.0Provide libgio-2.0-dev from libglib2.0-dev, and libgio-2.0-dev-bin from libglib2.0-dev-bin
glibcChange Croatian locale to use Euro as currency; revert upstream commit that modified the GLIBC_PRIVATE ABI, causing crashes with some static binaries on arm64; vfscanf(): fix matches longer than INT_MAX; ungetc(): fix uninitialized read when putting into unused streams, backup buffer leak on program exit; mremap(): fix support for the MREMAP_DONTUNMAP option; resolv: fix timeouts caused by short error responses or when single-request mode is enabled in resolv.conf
gtk+3.0Fix letting Orca announce initial focus
ikiwiki-hostingAllow reading of all user repositories
intel-microcodeNew upstream release; security fixes [CVE-2024-23984 CVE-2024-24968]
ipmitoolFix a buffer overrun in open interface; fix lan print fails on unsupported parameters; fix reading of temperature sensors; fix using hex values when sending raw data
iputilsFix incorrect handling of ICMP responses intended for other processes
kexec-toolsMask kexec.service to prevent the init.d script handling kexec process on a systemd enabled system
lemonldap-ngFix cross-site scripting vulnerability on login page [CVE-2024-48933]
lgogdownloaderFix parsing of Galaxy URLs
libskkPrevent crash on invalid JSON escape
libvirtFix running i686 VMs with AppArmor on the host; prevent certain guests from becoming unbootable or disappearing during upgrade
linuxNew upstream release; bump ABI to 27
linux-signed-amd64New upstream release; bump ABI to 27
linux-signed-arm64New upstream release; bump ABI to 27
linux-signed-i386New upstream release; bump ABI to 27
llvm-toolchain-15Architecture-specific rebuild on mips64el to sync version with other architectures
nghttp2Fix denial of service issue [CVE-2024-28182]
ninja-buildSupport large inode numbers on 32-bit systems
node-dompurifyFix prototype pollution issues [CVE-2024-45801 CVE-2024-48910]
node-es-module-lexerFix build failure
node-globbyFix build failure
node-mdn-browser-compat-dataFix build failure
node-rollup-plugin-node-polyfillsFix build failure
node-tapFix build failure
node-xtermFix TypeScript declarations
node-y-protocolsFix build failure
node-y-websocketFix build failure
node-ytdl-coreFix build failure
notify-osdCorrect executable path in desktop launcher file
ntfs-3gFix use-after-free in ntfs-uppercase-mbs; re-classify fuse as Depends, not Pre-Depends
opensslNew upstream stable release; fix buffer overread issue [CVE-2024-5535], out of bounds memory access [CVE-2024-9143]
ostreePrevent crashing libflatpak when using curl 8.10
puppetserverReinstate scheduled job to clean reports after 30 days, avoiding disk space exhaustion
puredataFix privilege escalation issue [CVE-2023-47480]
python-cryptographyFix NULL dereference when loading PKCS7 certificates [CVE-2023-49083]; fix NULL dereference when PKCS#12 key and cert don't match [CVE-2024-26130]
python3.11Fix regression in zipfile.Path; prevent ReDoS vulnerability with crafted tar archives
repreproPrevent hangs when running unzstd
sqlite3Fix a buffer overread issue [CVE-2023-7104], a stack overflow issue and an integer overflow issue
sumoFix a race condition when building documentation
systemdNew upstream stable release
tgtchap: Use proper entropy source [CVE-2024-45751]
timeshiftAdd missing dependency on pkexec
util-linuxAllow lscpu to identify new Arm cores
vmdb2Set locale to UTF-8
wiresharkNew upstream security release [CVE-2024-0208, CVE-2024-0209, CVE-2024-2955, CVE-2024-4853, CVE-2024-4854, CVE-2024-4855, CVE-2024-8250, CVE-2024-8645]
xfptFix buffer overflow issue [CVE-2024-43700]

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory IDPackage
DSA-5729 apache2
DSA-5733 thunderbird
DSA-5744 thunderbird
DSA-5758 trafficserver
DSA-5759 python3.11
DSA-5760 ghostscript
DSA-5761 chromium
DSA-5762 webkit2gtk
DSA-5763 pymatgen
DSA-5764 openssl
DSA-5765 firefox-esr
DSA-5766 chromium
DSA-5767 thunderbird
DSA-5768 chromium
DSA-5769 git
DSA-5770 expat
DSA-5771 php-twig
DSA-5772 libreoffice
DSA-5773 chromium
DSA-5774 ruby-saml
DSA-5775 chromium
DSA-5776 tryton-server
DSA-5777 booth
DSA-5778 cups-filters
DSA-5779 cups
DSA-5780 php8.2
DSA-5781 chromium
DSA-5782 linux-signed-amd64
DSA-5782 linux-signed-arm64
DSA-5782 linux-signed-i386
DSA-5782 linux
DSA-5783 firefox-esr
DSA-5784 oath-toolkit
DSA-5785 mediawiki
DSA-5786 libgsf
DSA-5787 chromium
DSA-5788 firefox-esr
DSA-5789 thunderbird
DSA-5790 node-dompurify
DSA-5791 python-reportlab
DSA-5792 webkit2gtk
DSA-5793 chromium
DSA-5794 openjdk-17
DSA-5795 python-sql
DSA-5796 libheif
DSA-5797 twisted
DSA-5798 activemq
DSA-5799 chromium
DSA-5800 xorg-server
DSA-5802 chromium

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

The current stable distribution:

Proposed updates to the stable distribution:

stable distribution information (release notes, errata etc.):

Security announcements and information: