Debian 12.5: The Latest Update

The Debian project has announced the release of the fifth update for its stable distribution, Debian 12 (codename bookworm). This point release includes important security corrections and fixes for various issues. Security advisories have already been published separately and are available for reference.

This stable update includes important bug fixes for various packages. Here are some notable corrections:

  • apktool: Prevents arbitrary file writes with malicious resource names [CVE-2024-21633]
  • atril: Fixes crash when opening some epub files, index loading for certain epub documents, and adds fallback for malformed epub files in check_mime_type; uses libarchive for extracting documents instead of an external command [CVE-2023-51698]
  • base-files: Updated for the 12.5 point release
  • caja: Fixes desktop rendering artifacts after resolution changes and use of informal date format
  • calibre: Fixes HTML Input to not add resources that exist outside the folder hierarchy rooted at the parent folder of the input HTML file by default [CVE-2023-46303]
  • compton: Removes recommendation of picom
  • cryptsetup: Adds support for compressed kernel modules, handles missing /lib/systemd/system-sleep directory, and changes suffix drop logic to match initramfs-tools
  • debian-edu-artwork: Provides an Emerald theme based artwork for Debian Edu 12
  • debian-edu-config: New upstream release
  • debian-edu-doc: Updates included documentation and translations
  • debian-edu-fai: New upstream release
  • debian-edu-install: New upstream release; fixes security sources.list
  • debian-installer: Increases Linux kernel ABI to 6.1.0-18; rebuilds against proposed-updates
  • debian-installer-netboot-images: Rebuilds against proposed-updates
  • debian-ports-archive-keyring: Adds Debian Ports Archive Automatic Signing Key (2025)
  • dpdk: New upstream stable release
  • dropbear: Fixes terrapin attack [CVE-2023-48795]
  • engrampa: Fixes several memory leaks and archive save as functionality
  • espeak-ng: Fixes buffer overflow and underflow issues, as well as a floating point exception issue [CVE-2023-49990 CVE-2023-49992 CVE-2023-49993 CVE-2023-49991 CVE-2023-49994]
  • filezilla: Prevents Terrapin exploit [CVE-2023-48795]
  • fish: Safely handles Unicode non-printing characters when given as command substitution [CVE-2023-49284]
  • fssync: Disables flaky tests
  • gnutls28: Fixes assertion failure when verifying a certificate chain with a cycle of cross signatures [CVE-2024-0567] and timing side-channel issue [CVE-2024-0553]
  • indent: Fixes buffer under read issue [CVE-2024-0911]
  • isl: Fixes use on older CPUs
  • jtreg7: New source package to support builds of openjdk-17
  • libdatetime-timezone-perl: Updates included timezone data
  • libde265: Fixes buffer overflow issues [CVE-2023-49465 CVE-2023-49467 CVE-2023-49468]
  • libfirefox-marionette-perl: Fixes compatibility with newer firefox-esr versions
  • libmateweather: Fixes URL for aviationweather.gov
  • libspreadsheet-parsexlsx-perl: Fixes possible memory bomb [CVE-2024-22368] and XML External Entity issue [CVE-2024-23525]
  • linux: New upstream stable release; bumps ABI to 18
  • linux-signed-amd64: New upstream stable release; bumps ABI to 18
  • linux-signed-arm64: New upstream stable release; bumps ABI to 18
  • linux-signed-i386: New upstream stable release; bumps ABI to 18
  • localslackirc: Sends authorization and cookie headers to the websocket
  • mariadb: New upstream stable release; fixes denial of service issue [CVE-2023-22084]
  • mate-screensaver: Fixes memory leaks
  • mate-settings-daemon: Fixes memory leaks, relaxes High DPI limits, and fixes handling of multiple rfkill events
  • mate-utils: Fixes various memory leaks
  • monitoring-plugins: Fixes check_http plugin when --no-body is used and the upstream response is chunked
  • needrestart: Fixes microcode check regression on AMD CPUs
  • netplan.io: Fixes autopkgtests with newer systemd versions
  • nextcloud-desktop: Fixes syncing files with special characters like ‘:’ and two-factor authentication notifications
  • node-yarnpkg: Fixes use with Commander 8
  • onionprobe: Fixes initialization of Tor if using hashed passwords
  • pipewire: Uses malloc_trim() to release memory when available
  • pluma: Fixes memory leak issues and double activation of extensions
  • postfix: New upstream stable release; addresses SMTP smuggling issue [CVE-2023-51764]
  • proftpd-dfsg: Implements fix for the Terrapin attack [CVE-2023-48795] and fixes out-of-bounds read issue [CVE-2023-51713]
  • proftpd-mod-proxy: Implements fix for the Terrapin attack [CVE-2023-48795]
  • pypdf: Fixes infinite loop issue [CVE-2023-36464]
  • pypdf2: Fixes infinite loop issue [CVE-2023-36464]
  • pypy3: Avoids an rpython assertion error in the JIT if integer ranges don’t overlap in a loop
  • qemu: New upstream stable release; fixes virtio-net, null pointer dereference, and suspend/resume functionality issues [CVE-2023-6693 CVE-2023-6683]
  • rpm: Enables the read-only BerkeleyDB backend
  • rss-glx: Installs screensavers into /usr/libexec/xscreensaver and calls GLFinish() prior to glXSwapBuffers()
  • spip: Fixes two cross-site scripting issues
  • swupdate: Prevents acquiring root privileges through inappropriate socket mode
  • systemd: New upstream stable release; fixes missing verification issue in systemd-resolved [CVE-2023-7008]
  • tar: Fixes boundary checking in base-256 decoder [CVE-2022-48303] and handling of extended header prefixes [CVE-2023-39804]
  • tinyxml: Fixes assertion issue [CVE-2023-34194]
  • tzdata: New upstream stable release
  • usb.ids: Updates included data list
  • usbutils: Fixes usb-devices not printing all devices
  • usrmerge: Cleans up biarch directories when not needed, avoids running convert-etc-shells again on converted systems, handles mounted /lib/modules on Xen systems, improves error reporting, and adds versioned conflicts with libc-bin, dhcpcd, libparted1.8-10, and lustre-utils
  • wolfssl: Fixes security issue when client sends neither PSK nor KSE extensions [CVE-2023-3724]
  • xen: New upstream stable release; includes security fixes [CVE-2023-46837 CVE-2023-46839 CVE-2023-46840]

For a complete list of package changes in this revision, you can visit https://deb.debian.org/debian/dists/bookworm/ChangeLog.