The Debian Project has rolled out the fifth point release of its stable branch, Debian 13.5 (codename "trixie"), bundling months of accumulated security patches and bug fixes into fresh installation media. Announced on 2026-05-16, the update doesn't change the underlying release, but it pulls in roughly a hundred package updates that anyone running security.debian.org will already have applied piecemeal.
The security backlog is substantial. Apache 2 alone collects nine CVE fixes including an authentication bypass and HTTP response splitting, while FreeRDP absorbs more than 50 separate CVEs spanning use-after-free, buffer overflow, and path traversal issues. OpenSSH addresses five tracked vulnerabilities including improper handling of the authorized_keys principals option, sudo patches a privilege escalation, and systemd lands a new upstream stable release that fixes a nspawn escape-to-host bug along with two code execution flaws. Other notable updates touch OpenSSL, Nginx, glibc, bubblewrap, rsync, and the Linux kernel through multiple DSA advisories.
Beyond the security work, there are some quietly useful changes for hardware tinkerers. The debian-installer bumps the kernel ABI to 6.12.86+deb13, and initramfs-tools now includes the Cadence driver to fix USB boot failures on boards using StarFive SoCs, a meaningful win for the RISC-V crowd running VisionFive and similar single-board computers. GRUB also gets a fix for an illegal instruction on riscv64. Elsewhere, Remmina loses its "phone home" functionality, and distro-info-data adds Ubuntu 26.10 "Stonking Stingray" to its known releases.
One package, dav4tbsync, was dropped entirely after being superseded by Thunderbird 140. Existing trixie users don't need new installation media to upgrade, just an apt update against any current Debian mirror. Fresh ISOs for new installations will appear at the usual download locations shortly.
