Debian 12.5: The Latest Update

The Debian project has announced the release of the fifth update for its stable distribution, Debian 12 (codename bookworm). This point release includes important security corrections and fixes for various issues. Security advisories have already been published separately and are available for reference.

This stable update includes important bug fixes for various packages. Here are some notable corrections:

apktool: Prevents arbitrary file writes with malicious resource names [CVE-2024-21633]
atril: Fixes crash when opening some epub files, index loading for certain epub documents, and adds fallback for malformed epub files in check_mime_type; uses libarchive for extracting documents instead of an external command [CVE-2023-51698]
base-files: Updated for the 12.5 point release
caja: Fixes desktop rendering artifacts after resolution changes and use of informal date format
calibre: Fixes HTML Input to not add resources that exist outside the folder hierarchy rooted at the parent folder of the input HTML file by default [CVE-2023-46303]
compton: Removes recommendation of picom
cryptsetup: Adds support for compressed kernel modules, handles missing /lib/systemd/system-sleep directory, and changes suffix drop logic to match initramfs-tools
debian-edu-artwork: Provides an Emerald theme based artwork for Debian Edu 12
debian-edu-config: New upstream release
debian-edu-doc: Updates included documentation and translations
debian-edu-fai: New upstream release
debian-edu-install: New upstream release; fixes security sources.list
debian-installer: Increases Linux kernel ABI to 6.1.0-18; rebuilds against proposed-updates
debian-installer-netboot-images: Rebuilds against proposed-updates
debian-ports-archive-keyring: Adds Debian Ports Archive Automatic Signing Key (2025)
dpdk: New upstream stable release
dropbear: Fixes terrapin attack [CVE-2023-48795]
engrampa: Fixes several memory leaks and archive save as functionality
espeak-ng: Fixes buffer overflow and underflow issues, as well as a floating point exception issue [CVE-2023-49990 CVE-2023-49992 CVE-2023-49993 CVE-2023-49991 CVE-2023-49994]
filezilla: Prevents Terrapin exploit [CVE-2023-48795]
fish: Safely handles Unicode non-printing characters when given as command substitution [CVE-2023-49284]
fssync: Disables flaky tests
gnutls28: Fixes assertion failure when verifying a certificate chain with a cycle of cross signatures [CVE-2024-0567] and timing side-channel issue [CVE-2024-0553]
indent: Fixes buffer under read issue [CVE-2024-0911]
isl: Fixes use on older CPUs
jtreg7: New source package to support builds of openjdk-17
libdatetime-timezone-perl: Updates included timezone data
libde265: Fixes buffer overflow issues [CVE-2023-49465 CVE-2023-49467 CVE-2023-49468]
libfirefox-marionette-perl: Fixes compatibility with newer firefox-esr versions
libmateweather: Fixes URL for aviationweather.gov
libspreadsheet-parsexlsx-perl: Fixes possible memory bomb [CVE-2024-22368] and XML External Entity issue [CVE-2024-23525]
linux: New upstream stable release; bumps ABI to 18
linux-signed-amd64: New upstream stable release; bumps ABI to 18
linux-signed-arm64: New upstream stable release; bumps ABI to 18
linux-signed-i386: New upstream stable release; bumps ABI to 18
localslackirc: Sends authorization and cookie headers to the websocket
mariadb: New upstream stable release; fixes denial of service issue [CVE-2023-22084]
mate-screensaver: Fixes memory leaks
mate-settings-daemon: Fixes memory leaks, relaxes High DPI limits, and fixes handling of multiple rfkill events
mate-utils: Fixes various memory leaks
monitoring-plugins: Fixes check_http plugin when –no-body is used and the upstream response is chunked
needrestart: Fixes microcode check regression on AMD CPUs
netplan.io: Fixes autopkgtests with newer systemd versions
nextcloud-desktop: Fixes syncing files with special characters like ‘:’ and two-factor authentication notifications
node-yarnpkg: Fixes use with Commander 8
onionprobe: Fixes initialization of Tor if using hashed passwords
pipewire: Uses malloc_trim() to release memory when available
pluma: Fixes memory leak issues and double activation of extensions
postfix: New upstream stable release; addresses SMTP smuggling issue [CVE-2023-51764]
proftpd-dfsg: Implements fix for the Terrapin attack [CVE-2023-48795] and fixes out-of-bounds read issue [CVE-2023-51713]
proftpd-mod-proxy: Implements fix for the Terrapin attack [CVE-2023-48795]
pypdf: Fixes infinite loop issue [CVE-2023-36464]
pypdf2: Fixes infinite loop issue [CVE-2023-36464]
pypy3: Avoids an rpython assertion error in the JIT if integer ranges don’t overlap in a loop
qemu: New upstream stable release; fixes virtio-net, null pointer dereference, and suspend/resume functionality issues [CVE-2023-6693 CVE-2023-6683]
rpm: Enables the read-only BerkeleyDB backend
rss-glx: Installs screensavers into /usr/libexec/xscreensaver and calls GLFinish() prior to glXSwapBuffers()
spip: Fixes two cross-site scripting issues
swupdate: Prevents acquiring root privileges through inappropriate socket mode
systemd: New upstream stable release; fixes missing verification issue in systemd-resolved [CVE-2023-7008]
tar: Fixes boundary checking in base-256 decoder [CVE-2022-48303] and handling of extended header prefixes [CVE-2023-39804]
tinyxml: Fixes assertion issue [CVE-2023-34194]
tzdata: New upstream stable release
usb.ids: Updates included data list
usbutils: Fixes usb-devices not printing all devices
usrmerge: Cleans up biarch directories when not needed, avoids running convert-etc-shells again on converted systems, handles mounted /lib/modules on Xen systems, improves error reporting, and adds versioned conflicts with libc-bin, dhcpcd, libparted1.8-10, and lustre-utils
wolfssl: Fixes security issue when client sends neither PSK nor KSE extensions [CVE-2023-3724]
xen: New upstream stable release; includes security fixes [CVE-2023-46837 CVE-2023-46839 CVE-2023-46840]

For a complete list of package changes in this revision, you can visit https://deb.debian.org/debian/dists/bookworm/ChangeLog.