The Debian project is pleased to announce the second update of its stable distribution Debian 13 (codename trixie). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 13 but only updates some of the packages included. There is no need to throw away old trixie media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won’t have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian’s many HTTP mirrors. A comprehensive list of mirrors is available at:

| Package | Reason |
| --- | --- |
| 7zip | New upstream release; security fixes [CVE-2025-55188 CVE-2025-11002 CVE-2025-11001] |
| 7zip-rar | Add missing CRC table constructor |
| aide | Fix bin/buildcache use by running it from a root timer; various updates and fixes to included rules |
| allow-html-temp | New upstream version to support newer Thunderbird releases |
| alsa-ucm-conf-asahi | Install missing aop_audio UCM configs |
| ansible | Update collections to maintain compatibility with ansible-core 2.19 |
| ansible-core | New upstream stable release; fix regression from 2.18 regarding handlers and play tags |
| asahi-scripts | Fix the macaudio default profile check; add the apple_nvmem_spmi module to the initramfs explicitly; make update-m1n1 idempotent |
| base-files | Update for the point release |
| brltty | atSpi2: do not manage widgets without text interface; avoid excessive verbose bluetooth/usbfs messages |
| console-setup | Update keyboard layouts dz(la) into dz(azerty-oss) and Use ca/multix variant instead of ca/multi; fix dz(azerty-oss/deadkeys) into dz, which is what xkb really provides; fix dz default layout |
| cups | Fix operation of checkboxes in admin interface |
| curl | Fix buffer over-read issue [CVE-2025-9086]; fix cache poisoning issue [CVE-2025-10148]; fix path traversal issue [CVE-2025-11563]; allow --output to be overridden by --curl-options; fix manpage example for continue-at; fix path traversal issue [CVE-2025-11563] |
| debian-edu-config | Use SERVER_ADDRESS in RewriteRule instead of hard-coded ‘www’; drop desktop bundle from bundlesequence |
| debian-installer | Increase Linux kernel ABI to 6.12.57+deb13; rebuild against proposed-updates |
| debian-installer-netboot-images | Increase Linux kernel ABI to 6.12.57+deb13; rebuild against proposed-updates |
| dhcpcd | Fix crash when an address is deleted; prevent failure to start if wpasupplicant is not installed |
| distro-info-data | Update EoL date for bookworm; add Ubuntu 26.04 LTS Resolute Raccoon |
| dkms | New upstream release; stop shipping dkms.service, fixing dependency cycle with cloud-init-network.service; emit a warning if no kernel headers were found |
| dns-root-data | Update root-anchors.p7s (the signature of root-anchors.xml) with a new expiration date |
| dnsdist | Fix denial of service issues [CVE-2025-8671 CVE-2025-30187] |
| dolphin-emu | Fix interaction with RetroAchievements; fix translations |
| dovecot | Ensure default lmtpd auth_username_format matches the global value; fix oauth configuration parsing; lib-sieve: correctly handle errors; clean up a few typos in default/example configuration |
| eas4tbsync | New upstream version to support newer Thunderbird releases |
| eperl | Avoid passing a truncated environment on Perl 5.40 |
| epiphany-browser | New upstream stable release; fix various crashes; fix PKCS#11 login for invalid cert/priv pairs |
| evolution | New upstream stable release |
| evolution-data-server | New upstream stable release; fix busy loop when using the MH format mail archive |
| fangfrisch | Update sanesecurity mirror as the old one will stop working soon |
| fluidsynth | Set the default samplerate to 48000 and buffer size to 512 in the service configuration, fixing high CPU usage and distorted sound |
| folder-account | New upstream version to support newer Thunderbird releases |
| fonts-noto-color-emoji | New upstream release; add support for the Unicode 17.0 standard |
| freeradius | Fix compatibility with OpenSSL 3.5.2 |
| gnome-maps | New upstream stable release; fix a regression when requesting route planning from transitous.org; add address format for Austria and Paraguay |
| gnome-session | Fix default app priority for early adopters of Papers and Showtime |
| google-recaptcha | Fix PHP 8.4 deprecation warnings |
| ikvswitch | Use Trixie as default distro for the setup; don’t fail on errors when taking down an IPMI bridge; use a sysctl.d fragment file rather than sysctl.conf |
| imagemagick | Fix integer overflow issue [CVE-2025-62171] |
| input-remapper | Add missing python3-psutil runtime dependency |
| irqbalance | Enable write access to /proc/irq in service definition |
| jdupes | Fix detection of unique files |
| jing-trang | Re-import upstream release, to remove incorrectly included files |
| keepassxc-browser | Fix compatibility with Chromium |
| kmail-account-wizard | Enable automatic QML dependency detection |
| lemonldap-ng | Fix command injection issue [CVE-2025-59518]; don’t expose session-id into Ajax responses; fix Google authentication |
| libcommons-lang-java | Fix an uncontrolled recursion issue [CVE-2025-48924] |
| libcommons-lang3-java | Fix an uncontrolled recursion issue [CVE-2025-48924] |
| libgpiod | Remove unnecessary Breaks/Replaces on libgpiod2 and libgpiod2t64 |
| libhtp | Prevent memory leak with lzma [CVE-2025-53537] |
| libsmb2 | Fix buffer overflow issue [CVE-2025-57632] |
| libssh | Fix NULL pointer dereference issue [CVE-2025-8114]; fix denial of service issue [CVE-2025-8277] |
| libvirt | Don’t require TLS certificates to support keyEncipherment; lower log level of a message, avoiding journal spam when using the LXC driver; fix a daemon crash that occurs when probing capabilities for a QEMU binary that doesn’t report information about CPU models |
| libwebsockets | Fix denial of service issue [CVE-2025-11677]; fix buffer overflow issue [CVE-2025-11678] |
| libxml2 | Fix XPath recursion depth DoS [CVE-2025-9714] |
| libyaml-syck-perl | Prevent memory corruption leading to str value being set on empty keys [CVE-2025-11683] |
| linux | New upstream stable release |
| linux-signed-amd64 | New upstream stable release |
| linux-signed-arm64 | New upstream stable release |
| lnav | Handle failure to set cregs from tmux |
| log4cxx | Fix improper escaping issues [CVE-2025-54812 CVE-2025-54813] |
| logcheck | Update ignore.d.paranoid/ssh and ignore.d.server/ssh |
| lttng-modules | Fix potential kernel crash with syscall tracing |
| luksmeta | Fix data corruption issue with LUKS1 [CVE-2025-11568] |
| lxcfs | Add missing dependency on fuse3 |
| magit | Ship missing magit-dired.el in elpa-magit |
| mailfromd | Rebuild to fix symbol lookup error |
| mailmindr | New upstream version to support newer Thunderbird releases |
| malcontent | Fix filtering snaps after snapd 2.72; fix listing flatpaks in parental control UI; fix memory leak when checking snaps |
| mapserver | Fix SQL injection issue [CVE-2025-59431] |
| mc | Fix accidental use of >&10 for subshells, avoiding delays at startup |
| modsecurity-apache | Fix security issues relating to response Content-Type handling [CVE-2025-54571] |
| monitoring-plugins | Fix check_users in combination with systemd; fix check_mysql plugin with newer MySQL versions |
| mpv | Create missing folders for watch history |
| mrtg | Fix duplicate WorkDir lines in cfgmaker output |
| nextcloud-desktop | New upstream stable release |
| nfdump | Honour subdir (-S) when using dynamic FlowSource (-M) |
| nova | Fix information disclosure issue |
| nvidia-graphics-drivers-tesla-535 | Fix use after free issue [CVE-2025-23280]; fix privilege escalation issue [CVE-2025-23282]; fix denial of service issues [CVE-2025-23300 CVE-2025-23330 CVE-2025-23332 CVE-2025-23345] |
| onetbb | Fix test failures on single-CPU test machines; skip flaky mutex tests |
| open-vm-tools | Disable (default) the execution of the SDMP get-versions.sh script [CVE-2025-41244] |
| openssl | New upstream stable release |
| openvpn-auth-radius | Fix packet authentication |
| orphan-sysvinit-scripts | Add haveged init script |
| patroni | New upstream stable release |
| pdns-recursor | Switch to dpkg/default.mk; drop CARGO_REGISTRY override |
| phpmyadmin | Address XSS vulnerability in bundled jquery.validate.js [CVE-2025-3573] |
| poppler | Fix infinite recursion [CVE-2025-50420] |
| postfix | New upstream stable release; fix typo which caused recreation of cadir in chroot and excessive logging |
| presage | Prevent crash with apostrophes in completion suggestions |
| privatebin-cli | Fix connections to pastebins using GCM ciphers |
| proftpd-dfsg | Don’t remove /srv/ftp on package purge |
| puppet-module-puppetlabs-rabbitmq | Fix list_users provider; setup all nodes as disk nodes |
| puppet-module-tempest | Fix autoloading of openstack provider |
| python-eventlet | Fix HTTP request smuggling by discarding HTTP chunk trailers [CVE-2025-58068] |
| qemu | New upstream stable release; fix denial of service issue [CVE-2024-8354]; fix wrong emulation of FIBMAP and FIGETBSZ ioctls |
| qt6-base | Fix high CPU usage of kwin_x11 on screen lock (X11) |
| quicktext | New upstream version to support newer Thunderbird releases |
| rabbitmq-server | Fix logging on sensitive data [CVE-2025-50200] |
| riseup-vpn | Add dependency on qml6-module-qtcore |
| rocm-hipamd | Fix linking for programs that include <hip/hip_bf16.h> in more than one translation unit; fix spelling error in roc-obj-ls manpage |
| rsyslog-doc | Switch documentation theme to sphinx_rtd_theme |
| ruby-sys-filesystem | Fix detection of 64-bit OS on s390x and alpha |
| rust-virtiofsd | Add missing dependency on uidmap |
| sail | Fix memory corruption issues [CVE-2025-32468 CVE-2025-35984 CVE-2025-46407 CVE-2025-50129 CVE-2025-52456 CVE-2025-52930 CVE-2025-53085 CVE-2025-53510] |
| samba | New upstream stable release; fix uninitialized memory disclosure issue [CVE-2025-9640], command injection issue [CVE-2025-10230] |
| samhain | Disable dnmalloc, preventing possible segfaults |
| spip | Fix open redirect issue on AJAX login form |
| stardict | Split plugin in to a new stardict-plugin-network-dictionary package; disable stardict_dictdotcn.so plugin |
| suricata | Fix uncontrolled memory use issue [CVE-2025-53538]; fix detection bypass issue [CVE-2025-59147] |
| syslog-ng | Disable writing of log statistics by default |
| systemd | New upstream stable release; fix DNS-over-TLS handling in systemd-resolved; improve service and unit lifecycle stability; handle TPM2 and pcrlock corner cases; update documentation; refresh hwdb data; sync with Linux UAPI headers |
| systemd-boot-efi-amd64-signed | New upstream stable release; fix DNS-over-TLS handling in systemd-resolved; improve service and unit lifecycle stability; handle TPM2 and pcrlock corner cases; update documentation; refresh hwdb data; sync with Linux UAPI headers |
| systemd-boot-efi-arm64-signed | New upstream stable release; fix DNS-over-TLS handling in systemd-resolved; improve service and unit lifecycle stability; handle TPM2 and pcrlock corner cases; update documentation; refresh hwdb data; sync with Linux UAPI headers |
| tango | Fix broken communication between versions 9 and 10 |
| tbsync | New upstream version to support newer Thunderbird releases |
| ublock-origin | New upstream release; improve user experience and add new filter capabilities |
| virt-manager | Fix Browse local function |
| watcher | Fix information disclosure issue |
| wike | Set a User Agent, to ensure that the mobile version of Wikipedia is used |
| wtmpdb | Rotate and prune logs using logrotate; store logs in system log directory |
| xnote | New upstream version to support newer Thunderbird releases |
| xorg | Fix login failure with sessions using multiple words in invocation |
| xssproxy | Fix compatibility with Chromium and xdg-desktop-portal-gtk |

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
The installer has been updated to include the fixes incorporated into stable by the point release.
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.