Miscellaneous Bugfixes
DebianDebian Project
Update from:Updated Debian 12: 12.11 released
May 17th, 2025
The Debian project is pleased to announce the eleventh update of its stable distribution Debian 12 (codename bookworm). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 12 but only updates some of the packages included. There is no need to throw away old bookworm media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Known issues
Linux 6.1.137-1, included with Debian 12.11 is unable to load the watchdog and w83977f_wdt modules on the amd64 architecture. This is a regression.
This issue will be fixed in a forthcoming update.
Users who rely on the watchdog functionality should disable their watchdog or avoid upgrading to this version of the kernel until a fix is available.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors.
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following
packages:
Package: abseil
Reason: Fix heap buffer overflow issue [CVE-2025-0838]; fix build failure on ppc64el
Package: donthell
Reason: Fix compatibility with SWIG 4.1
Package: base-files
Reason: Update for the point release
Package: bash
Reason: Rebuild for outdated Built-Using (glibc/2.36-9+deb12u5)
Package: busybox
Reason: Rebuild for outdated Built-Using (glibc/2.36-9)
Package: cdebootstrap
Reason: Rebuild for outdated Built-Using (glibc/2.36-9)
Package: chkrootkit
Reason: Rebuild for outdated Built-Using (glibc/2.36-9+deb12u5)
Package: crowdsec
Reason: Rebuild for outdated Built-Using (docker.io/20.10.24+dfsg1-1)
Package: dar
Reason: Rebuild for outdated Built-Using (glibc/2.36-9+deb12u5)
Package: debian-archive-keyring
Reason: Add archive signing and SRM keys for trixie (Debian 13); move buster (Debian 10) keys to removed keyring
Package: debian-installer
Reason: Increase Linux kernel ABI to 6.1.0-35; rebuild against proposed-updates
Package: debian-installer-netboot-images
Reason: Rebuild against proposed-updates
Package: debian-security-support
Reason: Update list of packages receiving limited support, or unsupported, in bookworm
Package: distro-info-data
Reason: Add Debian 15 and Ubuntu 25.10
Package: docker.io
Reason: Rebuild for outdated Built-Using (containerd/1.6.20~ds1-1, glibc/2.36-9+deb12u8)
Package: dpdk
Reason: New upstream stable release
Package: fig2dev
Reason: Reject huge pattern lengths [CVE-2025-31162]; reject arcs with co-incident points [CVE-2025-31163]; allow an arc-box with zero radius [CVE-2025-31164]
Package: fossil
Reason: Fix interaction with an Apache HTTP server including the fix for CVE-2024-24795
Package: gcc-12
Reason: Fix -fstack-protector handling of overflows on AArch64 [CVE-2023-4039]
Package: gcc-mingw-w64
Reason: Rebuild for outdated Built-Using (gcc-12/12.2.0-13)
Package: glib2.0
Reason: Fix integer overflow in g_date_time_new_from_iso8601() [CVE-2025-3360]
Package: golang-github-containerd-stargz-snapshotter
Reason: Rebuild for outdated Built-Using (containerd/1.6.20~ds1-1, runc/1.1.5+ds1-1)
Package: golang-github-containers-buildah
Reason: Rebuild for outdated Built-Using (containerd/1.6.20~ds1-1)
Package: golang-github-openshift-imagebuilder
Reason: Rebuild for outdated Built-Using (containerd/1.6.20~ds1-1, docker.io/20.10.24+dfsg1-1)
Package: haproxy
Reason: Fix heap buffer overflow issue [CVE-2025-32464]
Package: igtf-policy-bundle
Reason: Backport current policy bundle
Package: imagemagick
Reason: Fix MIFF image depth mishandled after SetQuantumFormat [CVE-2025-43965]
Package: initramfs-tools
Reason: Restore copy_file's handling of target ending in slash; exclude usr-merge symlinks in copy_file; add reset drivers when MODULES=dep
Package: krb5
Reason: Fix memory leak in ndr.c [CVE-2024-26462]; prevent buffer overflow when calculating ulog buffer size [CVE-2025-24528]
Package: libbson-xs-perl
Reason: Fix security issues in embedded copy of libbson: denial of service [CVE-2017-14227]; buffer over-read [CVE-2018-16790]; infinite loop [CVE-2023-0437]; memory corruption [CVE-2024-6381]; buffer overflows [CVE-2024-6383 CVE-2025-0755]
Package: libcap2
Reason: Fix incorrect recognition of group names [CVE-2025-1390]
Package: libdata-entropy-perl
Reason: Seed entropy pool with urandom by default [CVE-2025-1860]
Package: libpod
Reason: Rebuild for outdated Built-Using (containerd/1.6.20~ds1-1, docker.io/20.10.24+dfsg1-1, golang-github-containers-buildah/1.28.2+ds1-3)
Package: libsub-handlesvia-perl
Reason: Fix arbitrary code execution issue [CVE-2025-30673]
Package: linux
Reason: New upstream release; bump ABI to 35
Package: linux-signed-amd64
Reason: New upstream release; bump ABI to 35
Package: linux-signed-arm64
Reason: New upstream release; bump ABI to 35
Package: linux-signed-i386
Reason: New upstream release; bump ABI to 35
Package: logcheck
Reason: Respect removal of /etc/logcheck/header.txt
Package: mongo-c-driver
Reason: Fix infinite loop issue [CVE-2023-0437]; fix integer overflow issue [CVE-2024-6381]; fix buffer overflow issues [CVE-2024-6383 CVE-2025-0755]
Package: network-manager
Reason: Fix crash dereferencing NULL pointer during debug logging [CVE-2024-6501]
Package: nginx
Reason: Fix buffer underread and unordered chunk vulnerabilities in mp4 [CVE-2024-7347]
Package: node-fstream-ignore
Reason: Fix build failure by not running tests in parallel
Package: node-send
Reason: Fix cross-site scripting issue [CVE-2024-43799]
Package: node-serialize-javascript
Reason: Fix cross-site scripting issue [CVE-2024-11831]
Package: nvidia-graphics-drivers
Reason: New upstream stable release; remove ppc64el support (migrated to src:nvidia-graphics-drivers-tesla-535); fix build issues with newer kernel versions; security fixes [CVE-2024-0131 CVE-2024-0147 CVE-2024-0149 CVE-2024-0150 CVE-2024-53869 CVE-2025-23244]
Package: nvidia-graphics-drivers-tesla
Reason: New upstream stable release; transition to packages from src:nvidia-graphics-drivers-tesla-535 on ppc64el; fix build issues with newer kernel versions
Package: nvidia-graphics-drivers-tesla-535
Reason: New package for the now EOL ppc64el support
Package: nvidia-open-gpu-kernel-modules
Reason: New upstream stable release; security fixes [CVE-2024-0131 CVE-2024-0147 CVE-2024-0149 CVE-2024-0150 CVE-2024-53869 CVE-2025-23244]
Package: nvidia-settings
Reason: New upstream stable release; drop support for some obsolete packages; relax the nvidia-alternative dependency to a suggestion on ppc64el
Package: openrazer
Reason: Fix out of bounds read issue [CVE-2025-32776]
Package: opensnitch
Reason: Rebuild for outdated Built-Using (golang-github-google-nftables/0.1.0-3)
Package: openssh
Reason: Fix the DisableForwarding directive [CVE-2025-32728]
Package: openssl
Reason: New upstream stable release; fix timing side channel issue [CVE-2024-13176]
Package: openvpn
Reason: Avoid possible ASSERT() on OpenVPN servers using --tls-crypt-v2 [CVE-2025-2704]; prevent malicious peer DoS or log-flooding [CVE-2024-5594]; refuse multiple exit notifications from authenticated clients [CVE-2024-28882]; update expired certificates in build tests
Package: phpmyadmin
Reason: Fix XSS vulnerabilities [CVE-2025-24529 CVE-2025-24530]
Package: policyd-rate-limit
Reason: Fix startup with newer python3-yaml
Package: poppler
Reason: Fix crash on malformed files [CVE-2023-34872]; fix out-of-bounds read issues [CVE-2024-56378 CVE-2025-32365]; fix floating point exception issue [CVE-2025-32364]
Package: postgresql-15
Reason: New upstream stable release; fix buffer over-read issue [CVE-2025-4207]
Package: prometheus
Reason: Rebuild for outdated Built-Using (docker.io/20.10.24+dfsg1-1)
Package: prometheus-postfix-exporter
Reason: Rebuild for outdated Built-Using (docker.io/20.10.24+dfsg1-1)
Package: python-h11
Reason: Fix request smuggling issue [CVE-2025-43859]
Package: python3.11
Reason: Fix misparsing issues [CVE-2025-0938 CVE-2025-1795]
Package: qemu
Reason: Rebuild for outdated Built-Using (glibc/2.36-9+deb12u9, gnutls28/3.7.9-2+deb12u3); new upstream bugfix release
Package: qtbase-opensource-src
Reason: Delay HTTP2 communication until encrypted() can be responded to [CVE-2024-39936]; fix crash with null checks in table iface methods
Package: redis
Reason: Fix denial of service issue [CVE-2025-21605]
Package: renaissance
Reason: Avoid exception on startup
Package: sash
Reason: Rebuild for outdated Built-Using (glibc/2.36-9)
Package: shadow
Reason: Fix password leak issue [CVE-2023-4641]; fix chfn control character injection issue [CVE-2023-29383]
Package: skeema
Reason: Rebuild for outdated Built-Using (containerd/1.6.20~ds1-1, docker.io/20.10.24+dfsg1-1)
Package: skopeo
Reason: Rebuild for outdated Built-Using (docker.io/20.10.24+dfsg1-1)
Package: telegram-desktop
Reason: Rebuild for outdated Built-Using (ms-gsl/4.0.0-2)
Package: tripwire
Reason: Rebuild for outdated Built-Using (glibc/2.36-9+deb12u5)
Package: twitter-bootstrap3
Reason: Fix cross-site scripting issues [CVE-2024-6485 CVE-2024-6484]
Package: twitter-bootstrap4
Reason: Fix cross-site scripting issue [CVE-2024-6531]
Package: tzdata
Reason: New America/Coyhaique zone for Aysén Region in Chile
Package: user-mode-linux
Reason: Rebuild for outdated Built-Using (linux/6.1.82-1)
Package: varnish
Reason: Prevent HTTP/1 client-side desync [CVE-2025-30346]
Package: wireless-regdb
Reason: New upstream release
Package: xmedcon
Reason: Fix buffer overflow [CVE-2025-2581]
Package: zsh
Reason: Rebuild for outdated Built-Using (glibc/2.36-9+deb12u5, libcap2/1:2.66-4)
