January 10th, 2026
The Debian project is pleased to announce the thirteenth update of its oldstable distribution Debian 12 (codename bookworm). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 12 but only updates some of the packages included. There is no need to throw away old bookworm media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won’t have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian’s many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This oldstable update adds a few important corrections to the following packages:
| Package | Reason |
|---|---|
| allow-html-temp | New upstream version to support newer Thunderbird releases |
| angular.js | Fix regular expression-based denial of service issues [CVE-2022-25844 CVE-2023-26116 CVE-2023-26117 CVE-2023-26118]; fix restriction bypass issues [CVE-2024-8372 CVE-2024-8373]; fix denial of service issue [CVE-2024-21490]; fix improper sanitization issues [CVE-2025-0716 CVE-2025-2336] |
| apache2 | New upstream stable release; fix integer overflow issue [CVE-2025-55753]; don’t pass querystring to #exec directives [CVE-2025-58098]; fix improper parsing of environment variables [CVE-2025-65082]; fix mod_userdir+suexec bypass issue [CVE-2025-66200] |
| base-files | Update for the point release |
| bash | Rebuild with updated glibc |
| btrfs-progs | Device stats: fix printing wrong values in tabular output |
| busybox | Rebuild with updated glibc |
| c-icap-modules | Rebuild against libclamav12; disable clamav support on armel, mipsel and mips64el |
| calibre | Fix code execution issue [CVE-2025-64486] |
| cdebootstrap | Rebuild with updated glibc |
| chkrootkit | Rebuild with updated glibc |
| clamav | New upstream long term support release |
| composer | Fix ANSI sequence injection [CVE-2025-67746] |
| cups-filters | Fix TIFF parser bounds/validation issues [CVE-2025-57812]; clamp oversized PDF MediaBox-derived page size in pdftoraster [CVE-2025-64503]; avoid rastertopclx infinite loop and heap overflow on crafted raster input [CVE-2025-64524] |
| cyrus-imapd | Rebuild against libclamav12; disable clamav support on armel, mipsel and mips64el |
| dar | Rebuild with updated glibc |
| debian-installer | Increase Linux kernel ABI to 6.1.0-42; rebuild against oldstable-proposed-updates |
| debian-installer-netboot-images | Rebuild against oldstable-proposed-updates |
| debian-security-support | Mark hdf5, libsoup2.4, libsoup3 and zabbix as receiving limited support; mark dnsdist, pdns, pdns-recursor as unsupported |
| distro-info-data | Update bookworm EoL date; add Ubuntu 26.04 LTS Resolute Raccoon |
| docker.io | Rebuild with updated containerd, glibc |
| dpdk | New upstream stable release |
| e2guardian | Disable clamav support on armel, mipsel and mips64el |
| freerdp2 | New upstream release; fix multiple memory-safety vulnerabilities: integer overflow/underflow and out-of-bounds write in NSC, Clear, and GDI bitmap codecs [CVE-2024-22211 CVE-2024-32037 CVE-2024-32038 CVE-2024-32039 CVE-2024-32040]; out-of-bounds reads in ZGFX, Planar, NCRUSH, Interleaved, and RFX codecs [CVE-2024-32041 CVE-2024-32457 CVE-2024-32458 CVE-2024-32459 CVE-2024-32460]; invalid memory access in freerdp_peer_get_logon_info [CVE-2024-32661]; bounds-check and overflow fixes; update for GCC 14 / FFmpeg 7 build compatibility |
| gcc-bpf | Rebuild with updated glibc |
| gcc-or1k-elf | Rebuild with updated glibc |
| gcc-riscv64-unknown-elf | Rebuild with updated glibc |
| gcc-xtensa-lx106 | Rebuild with updated glibc |
| gdk-pixbuf | Fix buffer overflow issue [CVE-2025-7345] |
| ghdl | Rebuild with updated glibc |
| git | Fix arbitrary file creation/truncation in gitk [CVE-2025-27613]; prevent arbitrary file overwrite in git-gui with crafted directory names [CVE-2025-46835]; correct submodule path parsing with trailing CR [CVE-2025-48384]; validate bundle-uri to prevent protocol injection during clone [CVE-2025-48385] |
| glib2.0 | Fix various integer overflow issues [CVE-2025-13601 CVE-2025-14087 CVE-2025-14512] |
| gnupg2 | Avoid potential downgrade to SHA1 in 3rd party key signatures; error out on unverified output for non-detached signatures; fix possible memory corruption in the armor parser [CVE-2025-68973]; do not use a default when asking for another output filename |
| golang-github-containerd-stargz-snapshotter | Rebuild with updated containerd |
| golang-github-containers-buildah | Rebuild with updated containerd |
| golang-github-openshift-imagebuilder | Rebuild with updated containerd |
| imagemagick | Fix denial of service issues [CVE-2025-62594 CVE-2025-68618]; fix use-after-free issue [CVE-2025-65955]; fix integer overflow issues [CVE-2025-62171 CVE-2025-66628 CVE-2025-69204]; fix infinite loop issue [CVE-2025-68950] |
| intel-microcode | Update Intel processor microcode to 20251111 |
| lemonldap-ng | Fix sessions tablename when not default; fix oidc flow when user encountered an error on server side; fix Kerberos JavaScript when used with Choice; improve CORS checking; fix path_info handling; fix shell injection issue [CVE-2025-59518]; hide session id from Ajax responses |
| libcap2 | Rebuild with updated glibc |
| libclamunrar | New upstream release, aligning with clamav 1.4.3 |
| libcommons-lang-java | Fix uncontrolled recursion issue [CVE-2025-48924] |
| libcommons-lang3-java | Fix uncontrolled recursion issue [CVE-2025-48924] |
| libhtp | Fix denial of service issue via unbounded HTTP header processing [CVE-2024-23837 CVE-2024-45797] |
| libnginx-mod-http-lua | Fix HTTP HEAD request smuggling [CVE-2024-33452] |
| libphp-adodb | Fix SQL injection in sqlite and sqlite3 metadata lookups [CVE-2025-54119] |
| libpod | Rebuild with updated containerd |
| libreoffice | Set Bulgaria locale default currency to EUR |
| libssh | Fix integer overflow issue [CVE-2025-4877]; fix use of uninitialized variable [CVE-2025-4878]; fix out of bounds memory access issue [CVE-2025-5318]; fix double free issue [CVE-2025-5351]; fix use of uninitialized memory [CVE-2025-5372 CVE-2025-5987]; fix null pointer dereference issue [CVE-2025-8114]; fix memory leak [CVE-2025-8277] |
| libxml2 | Fix denial of service issue [CVE-2025-9714] |
| libyaml-syck-perl | Fix memory corruption leading to str value being set on empty keys |
| linux | New upstream stable release |
| linux-signed-amd64 | New upstream stable release |
| linux-signed-arm64 | New upstream stable release |
| linux-signed-i386 | New upstream stable release |
| log4cxx | Fix improper escaping issues [CVE-2025-54812 CVE-2025-54813] |
| luksmeta | Fix data corruption issue with LUKS1 [CVE-2025-11568] |
| modsecurity-apache | Fix request body error handling to propagate Apache filter/read failures correctly [CVE-2025-54571]; map request body read failures to appropriate HTTP status codes; simplify request body error propagation in mod_security2 |
| mongo-c-driver | Avoid invalid memory reads [CVE-2025-12119] |
| mydumper | Fix arbitrary file read issue [CVE-2025-30224] |
| nvidia-graphics-drivers | New upstream bugfix release [CVE-2025-23279 CVE-2025-23286] |
| nvidia-open-gpu-kernel-modules | New upstream bugfix release [CVE-2025-23279 CVE-2025-23286] |
| onetbb | Fix build failure on single-CPU and CI environments by skipping problematic tests |
| open-vm-tools | Disable SDMP service version collection by default to mitigate local privilege escalation [CVE-2025-41244] |
| openrefine | Fix MySQL host parameter injection in JDBC URL parsing [CVE-2024-23833]; fix reflected XSS in gdata OAuth callback handler [CVE-2024-47878]; fix content-type confusion XSS in ExportRows endpoint [CVE-2024-47880]; prevent remote or extension loading via SQLite connection URL [CVE-2024-47881]; escape HTML in error stack traces [CVE-2024-47882]; prevent path traversal in language file loading [CVE-2024-49760] |
| openssl | New upstream stable release |
| pam | Fix local privilege escalation in pam_namespace [CVE-2025-6020] |
| pg-snakeoil | Rebuild against libclamav12 |
| pgbouncer | Fix arbitrary SQL execution issue [CVE-2025-12819]; fix expired password use issue [CVE-2025-2291] |
| postgresql-15 | New upstream stable release; check for CREATE privileges on the schema in CREATE STATISTICS [CVE-2025-12817]; avoid integer overflow in allocation-size calculations within libpq [CVE-2025-12818] |
| qemu | New upstream stable release; fix qemu-img info https://example.com; fix migration of guests using virtio-net; fix use after free issue [CVE-2025-11234] |
| qpwgraph | Add missing dependency on libqt6svg6 |
| r-cran-gh | Fix sensitive data leak issue [CVE-2025-54956] |
| rear | Prevent created initrd from being world-readable when GRUB_RESCUE=y [CVE-2024-23301] |
| rescue | Improve btrfs support |
| rlottie | Fix outlying coordinate rejection in FreeType rasteriser [CVE-2025-0634 CVE-2025-53074 CVE-2025-53075] |
| rsync | Improve test coverage for future updates; fix out-of-bounds read via negative array index in sender file list handling [CVE-2025-10158] |
| ruby-sinatra | Fix regular expression-based denial of service issue [CVE-2025-61921] |
| samba | Fix information leak issue [CVE-2018-14628]; fix command injection issue [CVE-2025-10230]; fix uninitialized memory disclosure issue [CVE-2025-9640] |
| sash | Rebuild with updated glibc |
| shadow | Fix segmentation fault in groupmod |
| skeema | Rebuild with updated containerd |
| snapd | Rebuild with updated containerd |
| sogo | Fix HTML injection issue [CVE-2023-48104]; fix CSS injection issue [CVE-2024-24510]; fix cross-site scripting issues [CVE-2025-63498 CVE-2025-63499]; fix crash on invalid mailIdentities |
| squid | Fix denial of service issue [CVE-2023-46728]; fix mishandling of long SNMP OIDs in ASN.1 [CVE-2025-59362]; disable ESI feature support, fixing several issues [CVE-2024-45802]; remove Gopher support |
| sudo | Enable Intel CET on amd64 only |
| supermin | Rebuild with updated glibc |
| symfony | Fix PATH_INFO parsing [CVE-2025-64500]; drop failing Finder testsuite data entries |
| syslog-ng | Fix incorrect wildcard matching in certificate names [CVE-2024-47619] |
| tripwire | Rebuild with updated glibc |
| u-boot | Fix integer overflow issues [CVE-2024-57254 CVE-2024-57255 CVE-2024-57256 CVE-2024-57258]; fix stack consumption issue [CVE-2024-57257]; fix heap corruption issue [CVE-2024-57259] |
| ublock-origin | New upstream release; improve user experience and add new filter capabilities; fix denial of service issue [CVE-2025-4215] |
| unbound | Fix denial of service issue [CVE-2024-33655]; fix possible domain hijack issue [CVE-2025-11411]; fix unbound-anchor cannot deal with full disk; fix potential amplification DDoS attacks; fix incorrect return of NODATA for some ANY queries |
| user-mode-linux | Rebuild with updated linux |
| vtk9 | Fix inability to read VTK XML files with appended data on newer expat |
| zsh | Rebuild with updated glibc, libcap2 |
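The table above is the natural input for reconciling a vulnerability scanner's open findings against what 12.13 actually fixes. The following Python is an added example, not part of the Debian announcement: it parses rows in the table's markdown format into a package-to-CVE map, inverts it for lookups, and reports which tracked CVE ids the point release does not cover. The embedded rows are copied from the table above (a constructed subset), and the function names are my own.

```python
import re
from collections import OrderedDict

# Constructed subset of the announcement table, copied verbatim from the rows above.
TABLE = """\
| Package | Reason |
|---|---|
| angular.js | Fix regular expression-based denial of service issues [CVE-2022-25844 CVE-2023-26116 CVE-2023-26117 CVE-2023-26118]; fix restriction bypass issues [CVE-2024-8372 CVE-2024-8373]; fix denial of service issue [CVE-2024-21490]; fix improper sanitization issues [CVE-2025-0716 CVE-2025-2336] |
| bash | Rebuild with updated glibc |
| pam | Fix local privilege escalation in pam_namespace [CVE-2025-6020] |
| samba | Fix information leak issue [CVE-2018-14628]; fix command injection issue [CVE-2025-10230]; fix uninitialized memory disclosure issue [CVE-2025-9640] |
"""

# CVE ids have a 4-digit year and a sequence number of at least 4 digits.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_table(text):
    """Return {package: [CVE ids]} for every data row of the markdown table.
    Packages with no CVE in their reason (plain rebuilds) map to an empty list."""
    fixes = OrderedDict()
    for line in text.splitlines():
        # Skip blank lines, the separator row and anything that is not a table row.
        if not line.startswith("|") or line.startswith("|---"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 2 or cells[0] == "Package":
            continue  # malformed row or header row
        package, reason = cells
        fixes[package] = CVE_RE.findall(reason)
    return fixes


def cve_index(fixes):
    """Invert the package map to {CVE id: [packages that fix it]}."""
    index = {}
    for package, cves in fixes.items():
        for cve in cves:
            index.setdefault(cve, []).append(package)
    return index


def still_open(tracked, fixes):
    """Given CVE ids reported for a bookworm host, return (sorted) the ones
    this table does not address, so they remain open after upgrading."""
    return sorted(set(tracked) - set(cve_index(fixes)))


if __name__ == "__main__":
    fixes = parse_table(TABLE)
    for package, cves in fixes.items():
        print(f"{package}: {len(cves)} CVE(s) {' '.join(cves)}")
```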
Security Updates
This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
| Package | Reason |
|---|---|
| clamav | [armel mipsel mips64el] No longer supportable on architectures without newer Rust support |
| clamsmtp | [armel mipsel mips64el] Depends on to-be-removed clamav |
| libc-icap-mod-virus-scan | [armel mipsel mips64el] Depends on to-be-removed clamav |
| libclamunrar | [armel mipsel mips64el] Depends on to-be-removed clamav |
| pagure | Broken, security issues |
| pg-snakeoil | [armel mipsel mips64el] Depends on to-be-removed clamav |
Debian Installer
The installer has been updated to include the fixes incorporated into oldstable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current oldstable distribution:
Proposed updates to the oldstable distribution:
oldstable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.