Updated Debian 12: 12.13 released

January 10th, 2026

The Debian project is pleased to announce the thirteenth update of its oldstable distribution Debian 12 (codename bookworm). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 12 but only updates some of the packages included. There is no need to throw away old bookworm media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following packages:

Package Reason
allow-html-temp New upstream version to support newer Thunderbird releases
angular.js Fix regular expression-based denial of service issues [CVE-2022-25844 CVE-2023-26116 CVE-2023-26117 CVE-2023-26118]; fix restriction bypass issues [CVE-2024-8372 CVE-2024-8373]; fix denial of service issue [CVE-2024-21490]; fix improper sanitization issues [CVE-2025-0716 CVE-2025-2336]
apache2 New upstream stable release; fix integer overflow issue [CVE-2025-55753]; don't pass querystring to #exec directives [CVE-2025-58098]; fix improper parsing of environment variables [CVE-2025-65082]; fix mod_userdir+suexec bypass issue [CVE-2025-66200]
base-files Update for the point release
bash Rebuild with updated glibc
btrfs-progs Device stats: fix printing wrong values in tabular output
busybox Rebuild with updated glibc
c-icap-modules Rebuild against libclamav12; disable clamav support on armel, mipsel and mips64el
calibre Fix code execution issue [CVE-2025-64486]
cdebootstrap Rebuild with updated glibc
chkrootkit Rebuild with updated glibc
clamav New upstream long term support release
composer Fix ANSI sequence injection [CVE-2025-67746]
cups-filters Fix TIFF parser bounds/validation issues [CVE-2025-57812]; clamp oversized PDF MediaBox-derived page size in pdftoraster [CVE-2025-64503]; avoid rastertopclx infinite loop and heap overflow on crafted raster input [CVE-2025-64524]
cyrus-imapd Rebuild against libclamav12; disable clamav support on armel, mipsel and mips64el
dar Rebuild with updated glibc
debian-installer Increase Linux kernel ABI to 6.1.0-42; rebuild against oldstable-proposed-updates
debian-installer-netboot-images Rebuild against oldstable-proposed-updates
debian-security-support Mark hdf5, libsoup2.4, libsoup3 and zabbix as receiving limited support; mark dnsdist, pdns, pdns-recursor as unsupported
distro-info-data Update bookworm EoL date; add Ubuntu 26.04 LTS Resolute Raccoon
docker.io Rebuild with updated containerd, glibc
dpdk New upstream stable release
e2guardian Disable clamav support on armel, mipsel and mips64el
freerdp2 New upstream release; fix multiple memory-safety vulnerabilities: integer overflow/underflow and out-of-bounds write in NSC, Clear, and GDI bitmap codecs [CVE-2024-22211 CVE-2024-32037 CVE-2024-32038 CVE-2024-32039 CVE-2024-32040]; out-of-bounds reads in ZGFX, Planar, NCRUSH, Interleaved, and RFX codecs [CVE-2024-32041 CVE-2024-32457 CVE-2024-32458 CVE-2024-32459 CVE-2024-32460]; invalid memory access in freerdp_peer_get_logon_info [CVE-2024-32661]; bounds-check and overflow fixes; update for GCC 14 / FFmpeg 7 build compatibility
gcc-bpf Rebuild with updated glibc
gcc-or1k-elf Rebuild with updated glibc
gcc-riscv64-unknown-elf Rebuild with updated glibc
gcc-xtensa-lx106 Rebuild with updated glibc
gdk-pixbuf Fix buffer overflow issue [CVE-2025-7345]
ghdl Rebuild with updated glibc
git Fix arbitrary file creation/truncation in gitk [CVE-2025-27613]; prevent arbitrary file overwrite in git-gui with crafted directory names [CVE-2025-46835]; correct submodule path parsing with trailing CR [CVE-2025-48384]; validate bundle-uri to prevent protocol injection during clone [CVE-2025-48385]
glib2.0 Fix various integer overflow issues [CVE-2025-13601 CVE-2025-14087 CVE-2025-14512]
gnupg2 Avoid potential downgrade to SHA1 in 3rd party key signatures; error out on unverified output for non-detached signatures; fix possible memory corruption in the armor parser [CVE-2025-68973]; do not use a default when asking for another output filename
golang-github-containerd-stargz-snapshotter Rebuild with updated containerd
golang-github-containers-buildah Rebuild with updated containerd
golang-github-openshift-imagebuilder Rebuild with updated containerd
imagemagick Fix denial of service issues [CVE-2025-62594 CVE-2025-68618]; fix use-after-free issue [CVE-2025-65955]; fix integer overflow issues [CVE-2025-62171 CVE-2025-66628 CVE-2025-69204]; fix infinite loop issue [CVE-2025-68950]
intel-microcode Update Intel processor microcode to 20251111
lemonldap-ng Fix sessions tablename when not default; fix oidc flow when user encountered an error on server side; fix Kerberos JavaScript when used with Choice; improve CORS checking; fix path_info handling; fix shell injection issue [CVE-2025-59518]; hide session id from Ajax responses
libcap2 Rebuild with updated glibc
libclamunrar New upstream release, aligning with clamav 1.4.3
libcommons-lang-java Fix uncontrolled recursion issue [CVE-2025-48924]
libcommons-lang3-java Fix uncontrolled recursion issue [CVE-2025-48924]
libhtp Fix denial of service issue via unbounded HTTP header processing [CVE-2024-23837 CVE-2024-45797]
libnginx-mod-http-lua Fix HTTP HEAD request smuggling [CVE-2024-33452]
libphp-adodb Fix SQL injection in sqlite and sqlite3 metadata lookups [CVE-2025-54119]
libpod Rebuild with updated containerd
libreoffice Set Bulgaria locale default currency to EUR
libssh Fix integer overflow issue [CVE-2025-4877]; fix use of uninitialized variable [CVE-2025-4878]; fix out of bounds memory access issue [CVE-2025-5318]; fix double free issue [CVE-2025-5351]; fix use of uninitialized memory [CVE-2025-5372 CVE-2025-5987]; fix null pointer dereference issue [CVE-2025-8114]; fix memory leak [CVE-2025-8277]
libxml2 Fix denial of service issue [CVE-2025-9714]
libyaml-syck-perl Fix memory corruption leading to str value being set on empty keys
linux New upstream stable release
linux-signed-amd64 New upstream stable release
linux-signed-arm64 New upstream stable release
linux-signed-i386 New upstream stable release
log4cxx Fix improper escaping issues [CVE-2025-54812 CVE-2025-54813]
luksmeta Fix data corruption issue with LUKS1 [CVE-2025-11568]
modsecurity-apache Fix request body error handling to propagate Apache filter/read failures correctly [CVE-2025-54571]; map request body read failures to appropriate HTTP status codes; simplify request body error propagation in mod_security2
mongo-c-driver Avoid invalid memory reads [CVE-2025-12119]
mydumper Fix arbitrary file read issue [CVE-2025-30224]
nvidia-graphics-drivers New upstream bugfix release [CVE-2025-23279 CVE-2025-23286]
nvidia-open-gpu-kernel-modules New upstream bugfix release [CVE-2025-23279 CVE-2025-23286]
onetbb Fix build failure on single-CPU and CI environments by skipping problematic tests
open-vm-tools Disable SDMP service version collection by default to mitigate local privilege escalation [CVE-2025-41244]
openrefine Fix MySQL host parameter injection in JDBC URL parsing [CVE-2024-23833]; fix reflected XSS in gdata OAuth callback handler [CVE-2024-47878]; fix content-type confusion XSS in ExportRows endpoint [CVE-2024-47880]; prevent remote or extension loading via SQLite connection URL [CVE-2024-47881]; escape HTML in error stack traces [CVE-2024-47882]; prevent path traversal in language file loading [CVE-2024-49760]
openssl New upstream stable release
pam Fix local privilege escalation in pam_namespace [CVE-2025-6020]
pg-snakeoil Rebuild against libclamav12
pgbouncer Fix arbitrary SQL execution issue [CVE-2025-12819]; fix expired password use issue [CVE-2025-2291]
postgresql-15 New upstream stable release; check for CREATE privileges on the schema in CREATE STATISTICS [CVE-2025-12817]; avoid integer overflow in allocation-size calculations within libpq [CVE-2025-12818]
qemu New upstream stable release; fix qemu-img info https://example.com; fix migration of guests using virtio-net; fix use after free issue [CVE-2025-11234]
qpwgraph Add missing dependency on libqt6svg6
r-cran-gh Fix sensitive data leak issue [CVE-2025-54956]
rear Prevent created initrd from being world-readable when GRUB_RESCUE=y [CVE-2024-23301]
rescue Improve btrfs support
rlottie Fix outlying coordinate rejection in FreeType rasteriser [CVE-2025-0634 CVE-2025-53074 CVE-2025-53075]
rsync Improve test coverage for future updates; fix out-of-bounds read via negative array index in sender file list handling [CVE-2025-10158]
ruby-sinatra Fix regular expression-based denial of service issue [CVE-2025-61921]
samba Fix information leak issue [CVE-2018-14628]; fix command injection issue [CVE-2025-10230]; fix uninitialized memory disclosure issue [CVE-2025-9640]
sash Rebuild with updated glibc
shadow Fix segmentation fault in groupmod
skeema Rebuild with updated containerd
snapd Rebuild with updated containerd
sogo Fix HTML injection issue [CVE-2023-48104]; fix CSS injection issue [CVE-2024-24510]; fix cross-site scripting issues [CVE-2025-63498 CVE-2025-63499]; fix crash on invalid mailIdentities
squid Fix denial of service issue [CVE-2023-46728]; fix mishandling of long SNMP OIDs in ASN.1 [CVE-2025-59362]; disable ESI feature support, fixing several issues [CVE-2024-45802]; remove Gopher support
sudo Enable Intel CET on amd64 only
supermin Rebuild with updated glibc
symfony Fix PATH_INFO parsing [CVE-2025-64500]; drop failing Finder testsuite data entries
syslog-ng Fix incorrect wildcard matching in certificate names [CVE-2024-47619]
tripwire Rebuild with updated glibc
u-boot Fix integer overflow issues [CVE-2024-57254 CVE-2024-57255 CVE-2024-57256 CVE-2024-57258]; fix stack consumption issue [CVE-2024-57257]; fix heap corruption issue [CVE-2024-57259]
ublock-origin New upstream release; improve user experience and add new filter capabilities; fix denial of service issue [CVE-2025-4215]
unbound Fix denial of service issue [CVE-2024-33655]; fix possible domain hijack issue [CVE-2025-11411]; fix unbound-anchor being unable to deal with a full disk; fix potential amplification DDoS attacks; fix incorrect return of NODATA for some ANY queries
user-mode-linux Rebuild with updated linux
vtk9 Fix inability to read VTK XML files with appended data on newer expat
zsh Rebuild with updated glibc, libcap2

Security Updates

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-5979 libxslt
DSA-5993 chromium
DSA-5994 shibboleth-sp
DSA-5996 chromium
DSA-5997 imagemagick
DSA-5998 cups
DSA-5999 libjson-xs-perl
DSA-6000 libcpanel-json-xs-perl
DSA-6001 cjson
DSA-6002 node-sha.js
DSA-6003 firefox-esr
DSA-6004 chromium
DSA-6005 jetty9
DSA-6009 linux-signed-amd64
DSA-6009 linux-signed-arm64
DSA-6009 linux-signed-i386
DSA-6009 linux
DSA-6010 chromium
DSA-6012 nncp
DSA-6013 node-tar-fs
DSA-6015 openssl
DSA-6016 chromium
DSA-6017 haproxy
DSA-6018 gegl
DSA-6020 redis
DSA-6021 chromium
DSA-6023 tiff
DSA-6024 ghostscript
DSA-6025 firefox-esr
DSA-6026 chromium
DSA-6028 lxd
DSA-6029 ark
DSA-6030 intel-microcode
DSA-6031 request-tracker5
DSA-6032 request-tracker4
DSA-6033 bind9
DSA-6034 tryton-sao
DSA-6035 python-internetarchive
DSA-6036 chromium
DSA-6038 openjdk-17
DSA-6040 thunderbird
DSA-6041 strongswan
DSA-6042 evolution
DSA-6042 webkit2gtk
DSA-6043 gimp
DSA-6044 xorg-server
DSA-6046 chromium
DSA-6047 squid
DSA-6048 ruby-rack
DSA-6049 gimp
DSA-6050 chromium
DSA-6053 linux-signed-amd64
DSA-6053 linux-signed-arm64
DSA-6053 linux-signed-i386
DSA-6053 linux
DSA-6054 firefox-esr
DSA-6055 chromium
DSA-6056 keystone
DSA-6056 swift
DSA-6057 lxd
DSA-6058 lasso
DSA-6059 thunderbird
DSA-6060 chromium
DSA-6061 tryton-sao
DSA-6062 pdfminer
DSA-6064 tryton-server
DSA-6065 krita
DSA-6067 containerd
DSA-6068 xen
DSA-6069 openvpn
DSA-6070 webkit2gtk
DSA-6072 chromium
DSA-6074 webkit2gtk
DSA-6075 wordpress
DSA-6076 libpng1.6
DSA-6078 firefox-esr
DSA-6079 ffmpeg
DSA-6080 chromium
DSA-6081 thunderbird
DSA-6082 vlc
DSA-6083 webkit2gtk
DSA-6085 mediawiki
DSA-6087 roundcube
DSA-6089 chromium
DSA-6090 rails

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
clamav [armel mipsel mips64el] No longer supportable on architectures without newer Rust support
clamsmtp [armel mipsel mips64el] Depends on to-be-removed clamav
libc-icap-mod-virus-scan [armel mipsel mips64el] Depends on to-be-removed clamav
libclamunrar [armel mipsel mips64el] Depends on to-be-removed clamav
pagure Broken, security issues
pg-snakeoil [armel mipsel mips64el] Depends on to-be-removed clamav

Debian Installer

The installer has been updated to include the fixes incorporated into oldstable by the point release.

URLs

The complete lists of packages that have changed with this revision:

https://deb.debian.org/debian/dists/bookworm/ChangeLog

The current oldstable distribution:

https://deb.debian.org/debian/dists/oldstable/

Proposed updates to the oldstable distribution:

https://deb.debian.org/debian/dists/oldstable-proposed-updates

oldstable distribution information (release notes, errata etc.):

https://www.debian.org/releases/oldstable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.