Saturday, July 11, 2026

Fedora 45 Mass Rebuild Notification — Scheduled for 2026-07-15

Hello all,

As per the Fedora 45 release schedule [1], the mass rebuild is scheduled to begin on Wednesday, 2026-07-15.

We have a tracker ticket [2] open on the Release Engineering issue tracker. Feel free to leave a comment on the ticket with any questions or requests.

The mass rebuild will be done in a side tag (`f45-rebuild`) and merged when completed. FTBFS (Fails To Build From Source) bugs will be filed shortly after the mass rebuild has finished.

If you need to exclude a package from the rebuild, add a `noautobuild` file to the root of your dist-git repository, or request that Release Engineering add it to the skip list.

Please note that maintainers can continue working as normal during the mass rebuild. If you submit a build for your package, it will be used instead of the mass rebuild build.

If you have questions or run into issues, comment on the tracker ticket or reach out in the Release Engineering Matrix room [3].

Regards,
Patrik Polakovic
Fedora Release Engineering

[1] https://fedorapeople.org/groups/schedule/f-45/f-45-all-tasks.html
[2] https://forge.fedoraproject.org/releng/tickets/issues/13406
[3] https://matrix.to/#/#releng:fedoraproject.org

-- _______________________________________________ devel-announce mailing list -- devel-announce@lists.fedoraproject.org To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

Updated Debian 13: 13.6 released

------------------------------------------------------------------------ The Debian Project https://www.debian.org/ Updated Debian 13: 13.6 released press@debian.org July 11th, 2026 https://www.debian.org/News/2026/20260711 ------------------------------------------------------------------------ The Debian project is pleased to announce the sixth update of its stable distribution Debian 13 (codename "trixie"). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available. Please note that the point release does not constitute a new version of Debian 13 but only updates some of the packages included. There is no need to throw away old "trixie" media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror. Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release. New installation images will be available soon at the regular locations. Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at: https://www.debian.org/mirror/list Noteworthy updates ------------------ "fwupd" has been updated to upstream version 2.0.20, which has the ability to update the Secure Boot certificate authority (CA), Key Exchange Key (KEK) and revocation (DBX) databases. The 2013 UEFI Secure Boot CA installed by default on most PCs and used to sign bootloaders has now expired. Future updates to "shim-signed" could therefore lead to systems being unable to boot with Secure Boot enabled. Users are strongly advised to apply "CA", "KEK" and "DBX" updates from their system OEM in line with the following guidance: https://wiki.debian.org/SecureBoot/CAChanges#What_should_I_do.3F For licensing reasons "geoip-database" has been reverted to a version dated approximately December 2019. As a result, applications using this database might use out-of-date allocation information. More recent versions of "geoip-database" (GeoLite) are not compatible with the Debian Free Software Guidelines and cannot be distributed. Consumers of this data are strongly encouraged to obtain a GeoLite license directly and cease reliance on the "geoip-database" package. Miscellaneous Bugfixes ---------------------- This stable update adds a few important corrections to the following packages: +-------------------------+-------------------------------------------+ | Package | Reason | +-------------------------+-------------------------------------------+ | apache2 [1] | Fix use-after-free issues [CVE-2026-29167 | | | CVE-2026-48913]; fix cross-site scripting | | | issue [CVE-2026-29170]; fix buffer | | | overflow issues [CVE-2026-34355 CVE-2026- | | | 34356 CVE-2026-42536]; fix denial of | | | service issues [CVE-2026-42535 CVE-2026- | | | 44186 CVE-2026-49975]; fix out of bounds | | | read issues [CVE-2026-43951 CVE-2026- | | | 44185]; fix file read issue [CVE-2026- | | | 44119]; fix buffer underwrite issue | | | [CVE-2026-44631] | | | | | archlinux-keyring [2] | Update keys | | | | | awstats [3] | Prevent freezing on keyword stat | | | | | base-files [4] | Update for the point release | | | | | beets [5] | Fix XSS vulnerability [CVE-2026-42052] | | | | | calibre [6] | Fix unsafe e-book extraction and resource | | | path handling [CVE-2026-30853 CVE-2026- | | | 33206]; prevent e-book viewer local file | | | reads and SSRF/exfiltration [CVE-2026- | | | 33205]; avoid unsafe catalog rule | | | evaluation; correct XPath and SQL query | | | handling; fix reader-background endpoint | | | path normalisation; improve exception | | | diagnostics | | | | | cdebootstrap [7] | Rebuild with updated xz-utils | | | | | chrony [8] | Ensure if-up/down hook scripts exit | | | successfully | | | | | ckermit [9] | Block remote control of the local kermit | | | by default [CVE-2025-68920]; disable | | | unnecessary OpenSSL version check | | | | | composer [10] | Fix support for new GitHub token format | | | [CVE-2026-45793] | | | | | courier [11] | Fix webadmin paths to imapd and imapd-ssl | | | | | curl [12] | Fix bearer token redirect leaks | | | [CVE-2025-14524 CVE-2026-3783]; correct | | | OpenSSL CA cache reuse [CVE-2025-14819]; | | | fix HTTP Negotiate and proxy connection | | | reuse [CVE-2026-1965 CVE-2026-3784 | | | CVE-2026-5545]; prevent clear-text | | | STARTTLS connection reuse [CVE-2026- | | | 4873]; fix SMB use-after-free and wrong | | | share reuse [CVE-2026-3805 CVE-2026- | | | 5773]; clear redirected host/proxy/netrc | | | credentials [CVE-2026-6253 CVE-2026- | | | 6429]; prevent stale cookie leaks | | | [CVE-2026-6276]; clear proxy Digest state | | | when switching proxies [CVE-2026-7168] | | | | | dar [13] | Rebuild with updated curl, libgcrypt20, | | | openssl | | | | | dcmtk [14] | Fix NULL pointer dereference issues | | | [CVE-2022-4981 CVE-2025-14841]; fix | | | memory corruption issues [CVE-2025-2357 | | | CVE-2025-9732 CVE-2025-14607]; fix | | | command injection issue [CVE-2026-5663]; | | | fix buffer overflow issues [CVE-2026- | | | 10194 CVE-2026-12805] | | | | | debian-installer [15] | Bump linux ABI 6.12.94+deb13; rebuild for | | | point release | | | | | debian-installer- | Rebuild from proposed updates | | netboot-images [16] | | | | | | debusine [17] | Enforce file upload permissions; restrict | | | artifact relation creation/deletion | | | [CVE-2026-11852]; harden sbuild | | | repository command quoting; reject | | | unsafe .dsc/.changes checksum paths | | | [CVE-2026-11853] | | | | | deepdiff [18] | Fix class pollution issue [CVE-2025- | | | 58367]; fix denial of service issue | | | [CVE-2026-33155] | | | | | dhcpcd [19] | Fix memory safety issues [CVE-2025-70102 | | | CVE-2026-56113 CVE-2026-56114]; fix IPv6 | | | Router Advertisement information leakage | | | [CVE-2026-56116]; correct control socket | | | lifetime handling [CVE-2026-56117] | | | | | distrobuilder [20] | Rebuild with updated incus | | | | | dolphin [21] | Fix sandbox escape issue [CVE-2026-41525] | | | | | errands [22] | Fix verification of TLS certificates for | | | CalDAV servers [CVE-2025-71063] | | | | | execnet [23] | Disable unreliable build-time tests | | | | | fldigi [24] | Force LC_NUMERIC=C.UTF-8 to use proper | | | decimal separator in API and ADIF log | | | files | | | | | freecad [25] | Fix fanuc post processor; fix build | | | failure on arm64 | | | | | fwupd [26] | Enable UEFI CA/db/KEK updates for the | | | 2026 Secure Boot certificate transition; | | | fix UEFI PK/KEK/dbx enumeration; fix | | | Thunderbolt controller deployment; | | | correct firmware update regressions; | | | update fwupd hardware support and tests | | | | | gambas3 [27] | Fix Qt component loading | | | | | gdown [28] | Fix arbitray file write issue [CVE-2026- | | | 40491] | | | | | geoip [29] | Reinstate generator scripts, relied upon | | | by geoip-database | | | | | geoip-database [30] | Revert to a DFSG-compatible version | | | | | giflib [31] | Fix memory corruption issues [CVE-2026- | | | 23868 CVE-2026-26740] | | | | | gimp [32] | Fix integer overflow issues [CVE-2026- | | | 4154 CVE-2026-40915] | | | | | gnupg2 [33] | Rebuild with updated libgcrypt20 | | | | | gnustep-sqlclient [34] | Remove Multi-Arch: same | | | | | graphite2 [35] | Fix out-of-bounds write [CVE-2026-50593] | | | | | horizon [36] | Fix escaping of special characters in | | | project | | | | | ironic [37] | Fix credential forwarding from | | | configuration molds [CVE-2026-42997]; fix | | | IPMI console command injection [CVE-2026- | | | 42510]; sandbox kickstart template | | | rendering [CVE-2026-44916]; prevent | | | conductor thread exhaustion from file | | | special devices [CVE-2026-44919]; | | | restrict unsafe file image paths; improve | | | image download validation and | | | checksumming; correct Redfish power, boot | | | and firmware workflows; fix inspection | | | rule validation and hook failures; avoid | | | stuck service/deploy states | | | | | isc-kea [38] | Fix denial of service issue [CVE-2026- | | | 3608] | | | | | isenkram [39] | Handle usr-merge migration in update-fw- | | | list; update generated firmware lists | | | | | keystone [40] | Fix behaviour of user_enabled_invert | | | [CVE-2026-40683]; prevent unauthorized | | | EC2 credential creation and deletion | | | [CVE-2026-33551] | | | | | libapache-session- | Improve entropy source [CVE-2026-8503] | | browseable-perl [41] | | | | | | libass [42] | Fix out of bounds read and write issues | | | | | libbytes-random-secure- | Fix incorrect usage of seed in PRNG | | perl [43] | [CVE-2026-11625] | | | | | libcaca [44] | Prevent undefined behaviour in overflow | | | check [CVE-2026-42046] | | | | | libcrypt-pbkdf2- | Change default hash algorithm to HMAC- | | perl [45] | SHA256 and default iterations to 600,000 | | | [CVE-2026-9641]; generate salts using | | | Crypt::URandom [CVE-2026-9638]; use a | | | constant-time comparison in `validate` to | | | avoid timing attacks [CVE-2017-20240] | | | | | libcrypt-urandom- | Fix buffer overflow issue [CVE-2026-2474] | | perl [46] | | | | | | libhtml-parser- | Fix heap-use-after-free in | | perl [47] | _decode_entities [CVE-2026-8829] | | | | | libnet-cidr-lite- | Fix IP/CIDR parser validation: reject | | perl [48] | non-ASCII digits and trailing newlines | | | [CVE-2026-55190]; reject zero-padded CIDR | | | masks [CVE-2026-45191] | | | | | libreoffice [49] | Gracefully handle failure in graphite2 | | | | | libslirp [50] | Fix memory disclosure issue [CVE-2026- | | | 9539] | | | | | libtasn1-6 [51] | Fix buffer overflow issue [CVE-2025- | | | 13151] | | | | | libvncserver [52] | Fix buffer overflow and out-of-bounds | | | write [CVE-2026-44988 CVE-2026-50538] | | | | | libxml-libxml-perl [53] | Fix out-of-bounds read [CVE-2026-8177] | | | | | libxml2 [54] | Fix RelaxNG include recursion limits | | | [CVE-2026-0989]; prevent XML and SGML | | | catalog recursion/resource exhaustion | | | [CVE-2025-8732 CVE-2026-0990 CVE-2026- | | | 0992]; fix xmllint shell memory leak | | | [CVE-2026-1757]; correct XML writer and | | | Schematron error-path leaks; avoid | | | RelaxNG validation use-after-free; update | | | regression tests | | | | | libxpm [55] | Fix out of bounds read issue [CVE-2026- | | | 4367] | | | | | linuxcnc [56] | Sanitize module names | | | | | lxml-html-clean [57] | Fix filter bypass issue [CVE-2026-28348]; | | | fix tag injection issue [CVE-2026-28350] | | | | | mesa [58] | Fix WebGPU/SPIR-V allocation handling | | | [CVE-2026-40393] | | | | | miniupnpd [59] | Fix integer underflow issue [CVE-2026- | | | 5720] | | | | | modsecurity [60] | Prevent denial of service in hexDecode | | | handling [CVE-2026-30923]; prevent denial | | | of service in SSN/CPF/SVNR verification | | | [CVE-2026-42268] | | | | | mutt [61] | Fix buffer truncation issues [CVE-2026- | | | 43859 CVE-2026-43860 CVE-2026-43861]; fix | | | mishandling of imap_auth_gss security | | | level [CVE-2026-43862]; fix denial of | | | service issue [CVE-2026-43863]; fix NULL | | | pointer dereference issue [CVE-2026- | | | 43864] | | | | | mxml [62] | Fix out-of-bounds read [CVE-2026-5037] | | | | | nbconvert [63] | Fix arbitrary file read/write issues | | | [CVE-2026-39377 CVE-2026-39378] | | | | | neutron [64] | Fix tagging policy bypass | | | | | nss [65] | Improve handling of escape sequences in | | | pk11uri_ParseAttributes [CVE-2026-12318] | | | | | ojalgo [66] | Reduce frequency of built-time test | | | failures | | | | | opencc [67] | Fix out-of-bounds read issue [CVE-2025- | | | 15536] | | | | | openslide [68] | Fix possible code execution issue | | | [CVE-2026-48977] | | | | | php-guzzlehttp- | Fix Host authority validation [CVE-2026- | | psr7 [69] | 48998]; reject control characters in URI | | | hosts [CVE-2026-49214]; harden | | | ServerRequest globals handling; normalise | | | global header values; encode literal plus | | | signs in query helpers | | | | | php-league-csv [70] | Fix build time test with PHP >=8.4.14 | | | | | php-twig [71] | Security update | | | | | pillow [72] | Followup fix for CVE-2026-42310 | | | | | poco [73] | Fix segmentation fault [CVE-2025-6375] | | | | | poetry [74] | Fix arbitrary file write issue [CVE-2026- | | | 34591] | | | | | poppler [75] | Fix invalid signature creation issue | | | | | postfix [76] | New upstream stable release; fix denial | | | of service issue [CVE-2026-43964]; keep | | | daemon running during upgrades | | | | | protobuf [77] | Fix parser recursion limits [CVE-2024- | | | 7254 CVE-2025-4565 CVE-2026-0994 | | | CVE-2026-6409] | | | | | psd-tools [78] | Fix denial of service issue [CVE-2026- | | | 27809] | | | | | pupnp [79] | Fix SSRF port confusion issue [CVE-2026- | | | 41682] | | | | | pymdown-extensions [80] | Fix regular expression-based denial of | | | service issue [CVE-2025-68142] | | | | | pyopenssl [81] | Fix handling of exceptions and connection | | | cancelling [CVE-2026-27448]; fix buffer | | | overflow in DTLS cookie callback | | | [CVE-2026-27459] | | | | | pytest-httpbin [82] | Disable unreliable build-time test | | | | | python-daphne [83] | Fix denial of service issue [CVE-2026- | | | 44545]; fix header injection issue | | | [CVE-2026-44546] | | | | | python-django [84] | Update test suite following changes in | | | python3.13 | | | | | python-dynaconf [85] | Fix Server-Side Template Injection issue | | | [CVE-2026-33154] | | | | | python-grpc-tools [86] | Fix TypeError in | | | command.build_package_protos | | | | | python-handy- | Fix end of central diretory locator for | | archives [87] | Zip64 | | | | | python-idna [88] | Fix denial of service issue [CVE-2026- | | | 45409] | | | | | python-iniparse [89] | Fix race condition in build-time tests | | | | | python-jwcrypto [90] | Fix denial of service issue [CVE-2026- | | | 39373] | | | | | python-markdown [91] | Adapt to changes in Python's html.parser | | | module | | | | | python-marshmallow [92] | Fix denial of service issue [CVE-2025- | | | 68480] | | | | | python-memray [93] | Fix cross-site scripting issue [CVE-2026- | | | 32722] | | | | | python-virtualenv [94] | Fix time-of-check / time-of-use issues | | | [CVE-2026-22702] | | | | | python-webob [95] | Fix open redirect issue [CVE-2026-44889] | | | | | python-xmltodict [96] | Fix XML injection issue [CVE-2025-9375] | | | | | python3.13 [97] | Fix a crash in SNI callback when the SSL | | | object is gone; fix reference leaks in | | | ssl.SSLContext objects; avoid garbage | | | collecting objects too early when sharing | | | __dict__; fix "CR/LF bytes were not | | | rejected by HTTP client proxy tunnel | | | headers or host" [CVE-2026-1502]; fix | | | denial of service issues [CVE-2026-3276 | | | CVE-2026-9669]; fix insufficient escaping | | | issue [CVE-2026-6019]; fix path traversal | | | issue [CVE-2026-7774]; fix server-side | | | request forgery issue [CVE-2026-8328] | | | | | qemu [98] | New upstream stable release; security | | | fixes [CVE-2024-6519 CVE-2026-2243 | | | CVE-2026-3195 CVE-2026-3196 CVE-2026-3842 | | | CVE-2026-3886 CVE-2026-3890 CVE-2026- | | | 41435 CVE-2026-41436 CVE-2026-41437 | | | CVE-2026-41438 CVE-2026-41439 CVE-2026- | | | 41440 CVE-2026-5744 CVE-2026-5761 | | | CVE-2026-5763 CVE-2026-6502 CVE-2026-8341 | | | CVE-2026-48002 CVE-2026-48003 CVE-2026- | | | 48004 CVE-2026-48914 CVE-2026-48915 | | | CVE-2026-6425 CVE-2026-8343] | | | | | qtmir [99] | Fix Lomiri rendering, scaling, focus | | | handling, and session crash issues; | | | correct stale window and dead surface | | | cleanup; ensure Xwayland applications | | | inherit DISPLAY; improve Asahi Linux | | | rendering provider selection | | | | | rauc [100] | Fix improper signing of large bundles | | | [CVE-2026-34155] | | | | | resource-agents [101] | Fix syntax error | | | | | rhino [102] | Fix denial of service issue [CVE-2025- | | | 66453] | | | | | rlottie [103] | Fix out-of-bounds read issue [CVE-2026- | | | 10305]; fix denial of service issues | | | [CVE-2026-47319 CVE-2026-47320] | | | | | rsync [104] | Reject excessively long HTTP proxy | | | response lines [CVE-2026-45232] | | | | | rtl-433 [105] | Fix buffer overflow issue [CVE-2025- | | | 34450] | | | | | ruby-css-parser [106] | Fix validation of HTTPS certificates for | | | remote CSS [CVE-2026-44312] | | | | | rust-time [107] | Fix denial of service [CVE-2026-25727] | | | | | samba [108] | New upstream stable release | | | | | shim [109] | New upstream release; build with default | | | gcc; set SBAT revocation level to | | | 2025021800 | | | | | shim-helpers-amd64- | Update to shim 16.1-2~deb13u1 | | signed [110] | | | | | | shim-helpers-arm64- | Update to shim 16.1-2~deb13u1 | | signed [111] | | | | | | shim-signed [112] | Ensure Secure Boot compatibility with | | | 2023 Microsoft UEFI CA; check for likely | | | boot issues before installation; combine | | | and verify multiple shim signatures; | | | update signed shim binaries | | | | | skanpage [113] | Fix data leakage issue [CVE-2025-55174] | | | | | smartdns [114] | Fix buffer overflow issue [CVE-2026-1425] | | | | | squirrel3 [115] | Fix sandbox escape [CVE-2021-41556] | | | | | sshfs-fuse [116] | Add contain_symlinks option to prevent | | | symlink escape attacks [CVE-2026-47187]; | | | reject hostname option injection via | | | bracketed mount source [CVE-2026-48711] | | | | | starman [117] | Fix request smuggling issue [CVE-2026- | | | 40560] | | | | | symfony [118] | Security update | | | | | tigervnc [119] | Prevent other users reading x0vncserver | | | screen [CVE-2026-34352] | | | | | user-mode-linux [120] | Rebuild with updated linux | | | | | vitrage [121] | Fix remote code execution vulnerability | | | [CVE-2026-28370] | | | | | wireless-regdb [122] | New upstream stable release; update | | | regulatory information for several | | | countries | | | | | wireshark [123] | New upstream stable release; fix denial | | | of service issue [CVE-2026-9759] | | | | | xz-utils [124] | Fix buffer overflow issue [CVE-2026- | | | 34743] | | | | +-------------------------+-------------------------------------------+ 1: https://packages.debian.org/src:apache2 2: https://packages.debian.org/src:archlinux-keyring 3: https://packages.debian.org/src:awstats 4: https://packages.debian.org/src:base-files 5: https://packages.debian.org/src:beets 6: https://packages.debian.org/src:calibre 7: https://packages.debian.org/src:cdebootstrap 8: https://packages.debian.org/src:chrony 9: https://packages.debian.org/src:ckermit 10: https://packages.debian.org/src:composer 11: https://packages.debian.org/src:courier 12: https://packages.debian.org/src:curl 13: https://packages.debian.org/src:dar 14: https://packages.debian.org/src:dcmtk 15: https://packages.debian.org/src:debian-installer 16: https://packages.debian.org/src:debian-installer-netboot-images 17: https://packages.debian.org/src:debusine 18: https://packages.debian.org/src:deepdiff 19: https://packages.debian.org/src:dhcpcd 20: https://packages.debian.org/src:distrobuilder 21: https://packages.debian.org/src:dolphin 22: https://packages.debian.org/src:errands 23: https://packages.debian.org/src:execnet 24: https://packages.debian.org/src:fldigi 25: https://packages.debian.org/src:freecad 26: https://packages.debian.org/src:fwupd 27: https://packages.debian.org/src:gambas3 28: https://packages.debian.org/src:gdown 29: https://packages.debian.org/src:geoip 30: https://packages.debian.org/src:geoip-database 31: https://packages.debian.org/src:giflib 32: https://packages.debian.org/src:gimp 33: https://packages.debian.org/src:gnupg2 34: https://packages.debian.org/src:gnustep-sqlclient 35: https://packages.debian.org/src:graphite2 36: https://packages.debian.org/src:horizon 37: https://packages.debian.org/src:ironic 38: https://packages.debian.org/src:isc-kea 39: https://packages.debian.org/src:isenkram 40: https://packages.debian.org/src:keystone 41: https://packages.debian.org/src:libapache-session-browseable-perl 42: https://packages.debian.org/src:libass 43: https://packages.debian.org/src:libbytes-random-secure-perl 44: https://packages.debian.org/src:libcaca 45: https://packages.debian.org/src:libcrypt-pbkdf2-perl 46: https://packages.debian.org/src:libcrypt-urandom-perl 47: https://packages.debian.org/src:libhtml-parser-perl 48: https://packages.debian.org/src:libnet-cidr-lite-perl 49: https://packages.debian.org/src:libreoffice 50: https://packages.debian.org/src:libslirp 51: https://packages.debian.org/src:libtasn1-6 52: https://packages.debian.org/src:libvncserver 53: https://packages.debian.org/src:libxml-libxml-perl 54: https://packages.debian.org/src:libxml2 55: https://packages.debian.org/src:libxpm 56: https://packages.debian.org/src:linuxcnc 57: https://packages.debian.org/src:lxml-html-clean 58: https://packages.debian.org/src:mesa 59: https://packages.debian.org/src:miniupnpd 60: https://packages.debian.org/src:modsecurity 61: https://packages.debian.org/src:mutt 62: https://packages.debian.org/src:mxml 63: https://packages.debian.org/src:nbconvert 64: https://packages.debian.org/src:neutron 65: https://packages.debian.org/src:nss 66: https://packages.debian.org/src:ojalgo 67: https://packages.debian.org/src:opencc 68: https://packages.debian.org/src:openslide 69: https://packages.debian.org/src:php-guzzlehttp-psr7 70: https://packages.debian.org/src:php-league-csv 71: https://packages.debian.org/src:php-twig 72: https://packages.debian.org/src:pillow 73: https://packages.debian.org/src:poco 74: https://packages.debian.org/src:poetry 75: https://packages.debian.org/src:poppler 76: https://packages.debian.org/src:postfix 77: https://packages.debian.org/src:protobuf 78: https://packages.debian.org/src:psd-tools 79: https://packages.debian.org/src:pupnp 80: https://packages.debian.org/src:pymdown-extensions 81: https://packages.debian.org/src:pyopenssl 82: https://packages.debian.org/src:pytest-httpbin 83: https://packages.debian.org/src:python-daphne 84: https://packages.debian.org/src:python-django 85: https://packages.debian.org/src:python-dynaconf 86: https://packages.debian.org/src:python-grpc-tools 87: https://packages.debian.org/src:python-handy-archives 88: https://packages.debian.org/src:python-idna 89: https://packages.debian.org/src:python-iniparse 90: https://packages.debian.org/src:python-jwcrypto 91: https://packages.debian.org/src:python-markdown 92: https://packages.debian.org/src:python-marshmallow 93: https://packages.debian.org/src:python-memray 94: https://packages.debian.org/src:python-virtualenv 95: https://packages.debian.org/src:python-webob 96: https://packages.debian.org/src:python-xmltodict 97: https://packages.debian.org/src:python3.13 98: https://packages.debian.org/src:qemu 99: https://packages.debian.org/src:qtmir 100: https://packages.debian.org/src:rauc 101: https://packages.debian.org/src:resource-agents 102: https://packages.debian.org/src:rhino 103: https://packages.debian.org/src:rlottie 104: https://packages.debian.org/src:rsync 105: https://packages.debian.org/src:rtl-433 106: https://packages.debian.org/src:ruby-css-parser 107: https://packages.debian.org/src:rust-time 108: https://packages.debian.org/src:samba 109: https://packages.debian.org/src:shim 110: https://packages.debian.org/src:shim-helpers-amd64-signed 111: https://packages.debian.org/src:shim-helpers-arm64-signed 112: https://packages.debian.org/src:shim-signed 113: https://packages.debian.org/src:skanpage 114: https://packages.debian.org/src:smartdns 115: https://packages.debian.org/src:squirrel3 116: https://packages.debian.org/src:sshfs-fuse 117: https://packages.debian.org/src:starman 118: https://packages.debian.org/src:symfony 119: https://packages.debian.org/src:tigervnc 120: https://packages.debian.org/src:user-mode-linux 121: https://packages.debian.org/src:vitrage 122: https://packages.debian.org/src:wireless-regdb 123: https://packages.debian.org/src:wireshark 124: https://packages.debian.org/src:xz-utils Security Updates ---------------- This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates: +----------------+--------------------------------+ | Advisory ID | Package | +----------------+--------------------------------+ | DSA-6250 [125] | chromium [126] | | | | | DSA-6256 [127] | php8.4 [128] | | | | | DSA-6266 [129] | nghttp2 [130] | | | | | DSA-6267 [131] | thunderbird [132] | | | | | DSA-6268 [133] | ffmpeg [134] | | | | | DSA-6270 [135] | postgresql-17 [136] | | | | | DSA-6271 [137] | gsasl [138] | | | | | DSA-6273 [139] | chromium [140] | | | | | DSA-6274 [141] | linux-signed-amd64 [142] | | | | | DSA-6274 [143] | linux-signed-arm64 [144] | | | | | DSA-6274 [145] | linux [146] | | | | | DSA-6277 [147] | openjpeg2 [148] | | | | | DSA-6278 [149] | nginx [150] | | | | | DSA-6279 [151] | redis [152] | | | | | DSA-6280 [153] | netatalk [154] | | | | | DSA-6281 [155] | gnutls28 [156] | | | | | DSA-6282 [157] | rsync [158] | | | | | DSA-6283 [159] | firefox-esr [160] | | | | | DSA-6284 [161] | pdns [162] | | | | | DSA-6285 [163] | bind9 [164] | | | | | DSA-6286 [165] | evince [166] | | | | | DSA-6287 [167] | chromium [168] | | | | | DSA-6288 [169] | thunderbird [170] | | | | | DSA-6289 [171] | openvpn [172] | | | | | DSA-6290 [173] | nss [174] | | | | | DSA-6291 [175] | haproxy [176] | | | | | DSA-6292 [177] | haveged [178] | | | | | DSA-6293 [179] | krb5 [180] | | | | | DSA-6294 [181] | libgcrypt20 [182] | | | | | DSA-6295 [183] | linux-signed-amd64 [184] | | | | | DSA-6295 [185] | linux-signed-arm64 [186] | | | | | DSA-6295 [187] | linux [188] | | | | | DSA-6296 [189] | spip [190] | | | | | DSA-6297 [191] | samba [192] | | | | | DSA-6298 [193] | imagemagick [194] | | | | | DSA-6299 [195] | kdenlive [196] | | | | | DSA-6300 [197] | node-shell-quote [198] | | | | | DSA-6301 [199] | roundcube [200] | | | | | DSA-6302 [201] | starlette [202] | | | | | DSA-6303 [203] | varnish [204] | | | | | DSA-6304 [205] | unbound [206] | | | | | DSA-6305 [207] | linux-signed-amd64 [208] | | | | | DSA-6305 [209] | linux-signed-arm64 [210] | | | | | DSA-6305 [211] | linux [212] | | | | | DSA-6307 [213] | kitty [214] | | | | | DSA-6308 [215] | nagios4 [216] | | | | | DSA-6309 [217] | exim4 [218] | | | | | DSA-6311 [219] | php-twig [220] | | | | | DSA-6312 [221] | symfony [222] | | | | | DSA-6313 [223] | dovecot [224] | | | | | DSA-6314 [225] | swift [226] | | | | | DSA-6315 [227] | cyborg [228] | | | | | DSA-6316 [229] | chromium [230] | | | | | DSA-6318 [231] | gst-plugins-good1.0 [232] | | | | | DSA-6319 [233] | yelp [234] | | | | | DSA-6321 [235] | ceph [236] | | | | | DSA-6322 [237] | frr [238] | | | | | DSA-6323 [239] | apache2 [240] | | | | | DSA-6324 [241] | request-tracker5 [242] | | | | | DSA-6325 [243] | chromium [244] | | | | | DSA-6326 [245] | nginx [246] | | | | | DSA-6328 [247] | tomcat10 [248] | | | | | DSA-6329 [249] | tomcat11 [250] | | | | | DSA-6330 [251] | strongswan [252] | | | | | DSA-6331 [253] | keystone [254] | | | | | DSA-6332 [255] | okular [256] | | | | | DSA-6333 [257] | mistral [258] | | | | | DSA-6334 [259] | poppler [260] | | | | | DSA-6335 [261] | openssl [262] | | | | | DSA-6336 [263] | jackson-core [264] | | | | | DSA-6336 [265] | jackson-databind [266] | | | | | DSA-6336 [267] | jackson-dataformat-smile [268] | | | | | DSA-6337 [269] | chromium [270] | | | | | DSA-6338 [271] | libdbi-perl [272] | | | | | DSA-6339 [273] | libinput [274] | | | | | DSA-6340 [275] | neutron [276] | | | | | DSA-6341 [277] | ironic [278] | | | | | DSA-6341 [279] | python-oslo.messaging [280] | | | | | DSA-6342 [281] | jpeg-xl [282] | | | | | DSA-6343 [283] | librabbitmq [284] | | | | | DSA-6344 [285] | chromium [286] | | | | | DSA-6345 [287] | libgd-perl [288] | | | | | DSA-6346 [289] | libreoffice [290] | | | | | DSA-6347 [291] | bird2 [292] | | | | | DSA-6348 [293] | gsasl [294] | | | | | DSA-6349 [295] | atril [296] | | | | | DSA-6350 [297] | firefox-esr [298] | | | | | DSA-6351 [299] | thunderbird [300] | | | | | DSA-6352 [301] | chromium [302] | | | | | DSA-6353 [303] | gst-libav1.0 [304] | | | | | DSA-6354 [305] | libconfig-inifiles-perl [306] | | | | | DSA-6355 [307] | linux-signed-amd64 [308] | | | | | DSA-6355 [309] | linux-signed-arm64 [310] | | | | | DSA-6355 [311] | linux [312] | | | | | DSA-6356 [313] | imagemagick [314] | | | | | DSA-6357 [315] | pillow [316] | | | | | DSA-6358 [317] | libhttp-daemon-perl [318] | | | | | DSA-6359 [319] | gst-plugins-good1.0 [320] | | | | | DSA-6360 [321] | squid [322] | | | | | DSA-6361 [323] | ffmpeg [324] | | | | | DSA-6362 [325] | gst-plugins-bad1.0 [326] | | | | | DSA-6363 [327] | python-urllib3 [328] | | | | | DSA-6364 [329] | chromium [330] | | | | | DSA-6365 [331] | libssh2 [332] | | | | | DSA-6366 [333] | sogo [334] | | | | | DSA-6367 [335] | dnsdist [336] | | | | | DSA-6368 [337] | pdns [338] | | | | | DSA-6369 [339] | pdns-recursor [340] | | | | | DSA-6370 [341] | incus [342] | | | | | DSA-6371 [343] | xorg-server [344] | | | | | DSA-6372 [345] | tor [346] | | | | | DSA-6373 [347] | lxd [348] | | | | | DSA-6374 [349] | nginx [350] | | | | | DSA-6375 [351] | fastnetmon [352] | | | | | DSA-6376 [353] | openvpn [354] | | | | | DSA-6377 [355] | php8.4 [356] | | | | | DSA-6378 [357] | chromium [358] | | | | | DSA-6379 [359] | bird3 [360] | | | | | DSA-6380 [361] | mediawiki [362] | | | | | DSA-6384 [363] | chromium [364] | | | | +----------------+--------------------------------+ 125: https://www.debian.org/security/2026/dsa-6250 126: https://packages.debian.org/src:chromium 127: https://www.debian.org/security/2026/dsa-6256 128: https://packages.debian.org/src:php8.4 129: https://www.debian.org/security/2026/dsa-6266 130: https://packages.debian.org/src:nghttp2 131: https://www.debian.org/security/2026/dsa-6267 132: https://packages.debian.org/src:thunderbird 133: https://www.debian.org/security/2026/dsa-6268 134: https://packages.debian.org/src:ffmpeg 135: https://www.debian.org/security/2026/dsa-6270 136: https://packages.debian.org/src:postgresql-17 137: https://www.debian.org/security/2026/dsa-6271 138: https://packages.debian.org/src:gsasl 139: https://www.debian.org/security/2026/dsa-6273 140: https://packages.debian.org/src:chromium 141: https://www.debian.org/security/2026/dsa-6274 142: https://packages.debian.org/src:linux-signed-amd64 143: https://www.debian.org/security/2026/dsa-6274 144: https://packages.debian.org/src:linux-signed-arm64 145: https://www.debian.org/security/2026/dsa-6274 146: https://packages.debian.org/src:linux 147: https://www.debian.org/security/2026/dsa-6277 148: https://packages.debian.org/src:openjpeg2 149: https://www.debian.org/security/2026/dsa-6278 150: https://packages.debian.org/src:nginx 151: https://www.debian.org/security/2026/dsa-6279 152: https://packages.debian.org/src:redis 153: https://www.debian.org/security/2026/dsa-6280 154: https://packages.debian.org/src:netatalk 155: https://www.debian.org/security/2026/dsa-6281 156: https://packages.debian.org/src:gnutls28 157: https://www.debian.org/security/2026/dsa-6282 158: https://packages.debian.org/src:rsync 159: https://www.debian.org/security/2026/dsa-6283 160: https://packages.debian.org/src:firefox-esr 161: https://www.debian.org/security/2026/dsa-6284 162: https://packages.debian.org/src:pdns 163: https://www.debian.org/security/2026/dsa-6285 164: https://packages.debian.org/src:bind9 165: https://www.debian.org/security/2026/dsa-6286 166: https://packages.debian.org/src:evince 167: https://www.debian.org/security/2026/dsa-6287 168: https://packages.debian.org/src:chromium 169: https://www.debian.org/security/2026/dsa-6288 170: https://packages.debian.org/src:thunderbird 171: https://www.debian.org/security/2026/dsa-6289 172: https://packages.debian.org/src:openvpn 173: https://www.debian.org/security/2026/dsa-6290 174: https://packages.debian.org/src:nss 175: https://www.debian.org/security/2026/dsa-6291 176: https://packages.debian.org/src:haproxy 177: https://www.debian.org/security/2026/dsa-6292 178: https://packages.debian.org/src:haveged 179: https://www.debian.org/security/2026/dsa-6293 180: https://packages.debian.org/src:krb5 181: https://www.debian.org/security/2026/dsa-6294 182: https://packages.debian.org/src:libgcrypt20 183: https://www.debian.org/security/2026/dsa-6295 184: https://packages.debian.org/src:linux-signed-amd64 185: https://www.debian.org/security/2026/dsa-6295 186: https://packages.debian.org/src:linux-signed-arm64 187: https://www.debian.org/security/2026/dsa-6295 188: https://packages.debian.org/src:linux 189: https://www.debian.org/security/2026/dsa-6296 190: https://packages.debian.org/src:spip 191: https://www.debian.org/security/2026/dsa-6297 192: https://packages.debian.org/src:samba 193: https://www.debian.org/security/2026/dsa-6298 194: https://packages.debian.org/src:imagemagick 195: https://www.debian.org/security/2026/dsa-6299 196: https://packages.debian.org/src:kdenlive 197: https://www.debian.org/security/2026/dsa-6300 198: https://packages.debian.org/src:node-shell-quote 199: https://www.debian.org/security/2026/dsa-6301 200: https://packages.debian.org/src:roundcube 201: https://www.debian.org/security/2026/dsa-6302 202: https://packages.debian.org/src:starlette 203: https://www.debian.org/security/2026/dsa-6303 204: https://packages.debian.org/src:varnish 205: https://www.debian.org/security/2026/dsa-6304 206: https://packages.debian.org/src:unbound 207: https://www.debian.org/security/2026/dsa-6305 208: https://packages.debian.org/src:linux-signed-amd64 209: https://www.debian.org/security/2026/dsa-6305 210: https://packages.debian.org/src:linux-signed-arm64 211: https://www.debian.org/security/2026/dsa-6305 212: https://packages.debian.org/src:linux 213: https://www.debian.org/security/2026/dsa-6307 214: https://packages.debian.org/src:kitty 215: https://www.debian.org/security/2026/dsa-6308 216: https://packages.debian.org/src:nagios4 217: https://www.debian.org/security/2026/dsa-6309 218: https://packages.debian.org/src:exim4 219: https://www.debian.org/security/2026/dsa-6311 220: https://packages.debian.org/src:php-twig 221: https://www.debian.org/security/2026/dsa-6312 222: https://packages.debian.org/src:symfony 223: https://www.debian.org/security/2026/dsa-6313 224: https://packages.debian.org/src:dovecot 225: https://www.debian.org/security/2026/dsa-6314 226: https://packages.debian.org/src:swift 227: https://www.debian.org/security/2026/dsa-6315 228: https://packages.debian.org/src:cyborg 229: https://www.debian.org/security/2026/dsa-6316 230: https://packages.debian.org/src:chromium 231: https://www.debian.org/security/2026/dsa-6318 232: https://packages.debian.org/src:gst-plugins-good1.0 233: https://www.debian.org/security/2026/dsa-6319 234: https://packages.debian.org/src:yelp 235: https://www.debian.org/security/2026/dsa-6321 236: https://packages.debian.org/src:ceph 237: https://www.debian.org/security/2026/dsa-6322 238: https://packages.debian.org/src:frr 239: https://www.debian.org/security/2026/dsa-6323 240: https://packages.debian.org/src:apache2 241: https://www.debian.org/security/2026/dsa-6324 242: https://packages.debian.org/src:request-tracker5 243: https://www.debian.org/security/2026/dsa-6325 244: https://packages.debian.org/src:chromium 245: https://www.debian.org/security/2026/dsa-6326 246: https://packages.debian.org/src:nginx 247: https://www.debian.org/security/2026/dsa-6328 248: https://packages.debian.org/src:tomcat10 249: https://www.debian.org/security/2026/dsa-6329 250: https://packages.debian.org/src:tomcat11 251: https://www.debian.org/security/2026/dsa-6330 252: https://packages.debian.org/src:strongswan 253: https://www.debian.org/security/2026/dsa-6331 254: https://packages.debian.org/src:keystone 255: https://www.debian.org/security/2026/dsa-6332 256: https://packages.debian.org/src:okular 257: https://www.debian.org/security/2026/dsa-6333 258: https://packages.debian.org/src:mistral 259: https://www.debian.org/security/2026/dsa-6334 260: https://packages.debian.org/src:poppler 261: https://www.debian.org/security/2026/dsa-6335 262: https://packages.debian.org/src:openssl 263: https://www.debian.org/security/2026/dsa-6336 264: https://packages.debian.org/src:jackson-core 265: https://www.debian.org/security/2026/dsa-6336 266: https://packages.debian.org/src:jackson-databind 267: https://www.debian.org/security/2026/dsa-6336 268: https://packages.debian.org/src:jackson-dataformat-smile 269: https://www.debian.org/security/2026/dsa-6337 270: https://packages.debian.org/src:chromium 271: https://www.debian.org/security/2026/dsa-6338 272: https://packages.debian.org/src:libdbi-perl 273: https://www.debian.org/security/2026/dsa-6339 274: https://packages.debian.org/src:libinput 275: https://www.debian.org/security/2026/dsa-6340 276: https://packages.debian.org/src:neutron 277: https://www.debian.org/security/2026/dsa-6341 278: https://packages.debian.org/src:ironic 279: https://www.debian.org/security/2026/dsa-6341 280: https://packages.debian.org/src:python-oslo.messaging 281: https://www.debian.org/security/2026/dsa-6342 282: https://packages.debian.org/src:jpeg-xl 283: https://www.debian.org/security/2026/dsa-6343 284: https://packages.debian.org/src:librabbitmq 285: https://www.debian.org/security/2026/dsa-6344 286: https://packages.debian.org/src:chromium 287: https://www.debian.org/security/2026/dsa-6345 288: https://packages.debian.org/src:libgd-perl 289: https://www.debian.org/security/2026/dsa-6346 290: https://packages.debian.org/src:libreoffice 291: https://www.debian.org/security/2026/dsa-6347 292: https://packages.debian.org/src:bird2 293: https://www.debian.org/security/2026/dsa-6348 294: https://packages.debian.org/src:gsasl 295: https://www.debian.org/security/2026/dsa-6349 296: https://packages.debian.org/src:atril 297: https://www.debian.org/security/2026/dsa-6350 298: https://packages.debian.org/src:firefox-esr 299: https://www.debian.org/security/2026/dsa-6351 300: https://packages.debian.org/src:thunderbird 301: https://www.debian.org/security/2026/dsa-6352 302: https://packages.debian.org/src:chromium 303: https://www.debian.org/security/2026/dsa-6353 304: https://packages.debian.org/src:gst-libav1.0 305: https://www.debian.org/security/2026/dsa-6354 306: https://packages.debian.org/src:libconfig-inifiles-perl 307: https://www.debian.org/security/2026/dsa-6355 308: https://packages.debian.org/src:linux-signed-amd64 309: https://www.debian.org/security/2026/dsa-6355 310: https://packages.debian.org/src:linux-signed-arm64 311: https://www.debian.org/security/2026/dsa-6355 312: https://packages.debian.org/src:linux 313: https://www.debian.org/security/2026/dsa-6356 314: https://packages.debian.org/src:imagemagick 315: https://www.debian.org/security/2026/dsa-6357 316: https://packages.debian.org/src:pillow 317: https://www.debian.org/security/2026/dsa-6358 318: https://packages.debian.org/src:libhttp-daemon-perl 319: https://www.debian.org/security/2026/dsa-6359 320: https://packages.debian.org/src:gst-plugins-good1.0 321: https://www.debian.org/security/2026/dsa-6360 322: https://packages.debian.org/src:squid 323: https://www.debian.org/security/2026/dsa-6361 324: https://packages.debian.org/src:ffmpeg 325: https://www.debian.org/security/2026/dsa-6362 326: https://packages.debian.org/src:gst-plugins-bad1.0 327: https://www.debian.org/security/2026/dsa-6363 328: https://packages.debian.org/src:python-urllib3 329: https://www.debian.org/security/2026/dsa-6364 330: https://packages.debian.org/src:chromium 331: https://www.debian.org/security/2026/dsa-6365 332: https://packages.debian.org/src:libssh2 333: https://www.debian.org/security/2026/dsa-6366 334: https://packages.debian.org/src:sogo 335: https://www.debian.org/security/2026/dsa-6367 336: https://packages.debian.org/src:dnsdist 337: https://www.debian.org/security/2026/dsa-6368 338: https://packages.debian.org/src:pdns 339: https://www.debian.org/security/2026/dsa-6369 340: https://packages.debian.org/src:pdns-recursor 341: https://www.debian.org/security/2026/dsa-6370 342: https://packages.debian.org/src:incus 343: https://www.debian.org/security/2026/dsa-6371 344: https://packages.debian.org/src:xorg-server 345: https://www.debian.org/security/2026/dsa-6372 346: https://packages.debian.org/src:tor 347: https://www.debian.org/security/2026/dsa-6373 348: https://packages.debian.org/src:lxd 349: https://www.debian.org/security/2026/dsa-6374 350: https://packages.debian.org/src:nginx 351: https://www.debian.org/security/2026/dsa-6375 352: https://packages.debian.org/src:fastnetmon 353: https://www.debian.org/security/2026/dsa-6376 354: https://packages.debian.org/src:openvpn 355: https://www.debian.org/security/2026/dsa-6377 356: https://packages.debian.org/src:php8.4 357: https://www.debian.org/security/2026/dsa-6378 358: https://packages.debian.org/src:chromium 359: https://www.debian.org/security/2026/dsa-6379 360: https://packages.debian.org/src:bird3 361: https://www.debian.org/security/2026/dsa-6380 362: https://packages.debian.org/src:mediawiki 363: https://www.debian.org/security/2026/dsa-6384 364: https://packages.debian.org/src:chromium Debian Installer ---------------- The installer has been updated to include the fixes incorporated into stable by the point release. URLs ---- The complete lists of packages that have changed with this revision: https://deb.debian.org/debian/dists/trixie/ChangeLog The current stable distribution: https://deb.debian.org/debian/dists/stable/ Proposed updates to the stable distribution: https://deb.debian.org/debian/dists/proposed-updates stable distribution information (release notes, errata etc.): https://www.debian.org/releases/stable/ Security announcements and information: https://www.debian.org/security/ About Debian ------------ The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian. Contact Information ------------------- For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.

Updated Debian 12: 12.15 released

------------------------------------------------------------------------ The Debian Project https://www.debian.org/ Updated Debian 12: 12.15 released press@debian.org July 11th, 2026 https://www.debian.org/News/2026/2026071102 ------------------------------------------------------------------------ The Debian project is pleased to announce the fifteenth and final update of its oldstable distribution Debian 12 (codename "bookworm"). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available. Please note that the point release does not constitute a new version of Debian 12 but only updates some of the packages included. There is no need to throw away old "bookworm" media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror. Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release. New installation images will be available soon at the regular locations. Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at: https://www.debian.org/mirror/list Noteworthy updates ------------------ "fwupd" has been updated to upstream version 2.0.20, which has the ability to update the Secure Boot certificate authority (CA), Key Exchange Key (KEK) and revocation (DBX) databases. The 2013 UEFI Secure Boot CA installed by default on most PCs and used to sign bootloaders has now expired. Future updates to "shim-signed" could therefore lead to systems being unable to boot with Secure Boot enabled. Users are strongly advised to apply "CA", "KEK" and "DBX" updates from their system OEM in line with the following guidance: https://wiki.debian.org/SecureBoot/CAChanges#What_should_I_do.3F For licensing reasons "geoip-database" has been reverted to a version dated approximately December 2019. As a result, applications using this database might use out-of-date allocation information. More recent versions of "geoip-database" (GeoLite) are not compatible with the Debian Free Software Guidelines and cannot be distributed. Consumers of this data are strongly encouraged to obtain a GeoLite license directly and cease reliance on the "geoip-database" package. This update marks the end of Debian Release Team, Debian Security Team and Debian Backports support for version. Ongoing support for some architectures will be provided by the Debian Long Term Support team supported by Freexian. Users are advised to upgrade systems to Debian 13 "trixie". Miscellaneous Bugfixes ---------------------- This oldstable update adds a few important corrections to the following packages: +-------------------------+-------------------------------------------+ | Package | Reason | +-------------------------+-------------------------------------------+ | 7zip [1] | New upstream stable release; fix buffer | | | overflow issues [CVE-2026-48092 CVE-2026- | | | 48095]; fix memory disclosure issue | | | [CVE-2026-48101]; fix out-of-bounds read | | | issues [CVE-2026-48102 CVE-2026-48103 | | | CVE-2026-48111 CVE-2026-48112]; fix | | | uninitialised memory read issue | | | [CVE-2026-48104] | | | | | apache2 [2] | Fix HTTP/2 request DoS and file handle | | | exhaustion [CVE-2026-49975 CVE-2026- | | | 48913]; fix proxy, DAV, LDAP, SSL, XML | | | and header memory/crash issues [CVE-2026- | | | 29167 CVE-2026-34355 CVE-2026-34356 | | | CVE-2026-42535 CVE-2026-42536 CVE-2026- | | | 43951 CVE-2026-44185]; fix proxy FTP | | | directory listing XSS and backend loop | | | [CVE-2026-29170 CVE-2026-44186]; restrict | | | htaccess expression file access | | | [CVE-2026-44119]; fix regex parsing | | | underflow [CVE-2026-44631]; correct SSI, | | | file-cache, WebDAV DELETE and proxy | | | health-check handling; update | | | documentation and tests | | | | | appstream [3] | Rebuild with updated libxmlb | | | | | base-files [4] | Update for the point release | | | | | beets [5] | Fix XSS vulnerability [CVE-2026-42052]; | | | fix build-time test failures | | | | | calibre [6] | Fix various potential security issues; | | | read resources only from book contents | | | [CVE-2026-33206]; keep extracted files | | | within container dir [CVE-2026-30853]; | | | prevent reading background images from | | | outside the config dir [CVE-2026-33205] | | | | | cdebootstrap [7] | Rebuild with updated xz-utils | | | | | chrony [8] | Ensure if-up/down hook scripts exit | | | successfully | | | | | cloud-init [9] | Fix OpenStack bond initialisation | | | | | composer [10] | Fix support for new GitHub token format | | | [CVE-2026-45793] | | | | | curl [11] | Fix cache poisoning issue [CVE-2025- | | | 10148]; fix data leak issues [CVE-2025- | | | 14524 CVE-2026-3783]; fix incorrect | | | connection re-use issues [CVE-2025-14819 | | | CVE-2026-3784 CVE-2026-5773 CVE-2026- | | | 7168] | | | | | dar [12] | Rebuild with updated libgcrypt20 | | | | | dcmtk [13] | Fix NULL pointer dereference issues | | | [CVE-2022-4981 CVE-2025-14841]; fix | | | memory corruption issues [CVE-2025-2357 | | | CVE-2025-9732 CVE-2025-14607]; fix | | | command injection issue [CVE-2026-5663]; | | | fix buffer overflow issues [CVE-2026- | | | 10194 CVE-2026-12805] | | | | | debian-installer [14] | Bump linux ABI 6.1.0-50; rebuild for | | | point release | | | | | debian-installer- | Rebuild from proposed updates | | netboot-images [15] | | | | | | debian-security- | Prepare support limitations ahead of | | support [16] | transition to LTS | | | | | delve [17] | Fix failure to build on 4th generation | | | EYPC processors | | | | | dhcpcd5 [18] | Fix NULL pointer dereference issue | | | [CVE-2025-70102]; fix out-of-bounds write | | | issue [CVE-2026-56114] | | | | | firewalld [19] | Fix DBUS policy checking [CVE-2026-4948] | | | | | fwupd [20] | Rebuild with updated libjcat, libxmlb; | | | add support for updating DBX and KEK | | | stores; rebuild in a clean environment | | | | | geoip-database [21] | Revert to a DFSG-compatible version | | | | | ghdl [22] | Rebuild with updated gcc-12 | | | | | giflib [23] | Fix memory corruption issues [CVE-2026- | | | 23868 CVE-2026-26740] | | | | | gnome-firmware [24] | Rebuild with updated libxmlb; backport | | | patch for libfwupd3 compatibility | | | | | gnome-software [25] | Rebuild with updated libxmlb; backport | | | patch for libfwupd3 compatibility | | | | | graphite2 [26] | Fix out-of-bounds write [CVE-2026-50593] | | | | | gss [27] | Fix build failures caused by an expired | | | Kerberos ticket; avoid krb5context self- | | | tests with timebomb | | | | | horizon [28] | Fix escaping of special characters in | | | project | | | | | ironic [29] | Fix file disclosure via image sources | | | [CVE-2025-44021]; fix console command | | | injection [CVE-2026-42510]; fix Swift | | | token disclosure [CVE-2026-42997]; fix | | | unsafe template execution [CVE-2026- | | | 44916] | | | | | keystone [30] | Fix behaviour of user_enabled_invert | | | [CVE-2026-40683]; prevent unauthorized | | | EC2 credential creation and deletion | | | [CVE-2026-33551] | | | | | libapache-session- | Improve entropy of generated session IDs | | browseable-perl [31] | | | | | | libbytes-random-secure- | Fix incorrect usage of seed in PRNG | | perl [32] | [CVE-2026-11625] | | | | | libcaca [33] | Prevent undefined behaviour in overflow | | | check [CVE-2026-42046] | | | | | libcrypt-pbkdf2- | Change default hash algorithm to HMAC- | | perl [34] | SHA256 and default iterations to 600,000 | | | [CVE-2026-9641]; generate salts using | | | Crypt::URandom [CVE-2026-9638]; use a | | | constant-time comparison in `validate` to | | | avoid timing attacks [CVE-2017-20240] | | | | | libhtml-gumbo-perl [35] | Fix uninitialized memory access | | | [CVE-2025-15646] | | | | | libhtml-parser- | Fix heap-use-after-free in | | perl [36] | _decode_entities [CVE-2026-8829] | | | | | libjcat [37] | Add support for ed25519 types and SHA512 | | | hashes | | | | | libnet-cidr-lite- | Fix IP/CIDR parser validation: reject | | perl [38] | non-ASCII digits and trailing newlines | | | [CVE-2026-55190]; reject zero-padded CIDR | | | masks [CVE-2026-45191] | | | | | libreoffice [39] | Gracefully handle failure in graphite2 | | | | | libvncserver [40] | Fix buffer overflow and out-of-bounds | | | write [CVE-2026-44988 CVE-2026-50538] | | | | | libxml-libxml-perl [41] | Fix out-of-bounds read [CVE-2026-8177] | | | | | libxml2 [42] | Fix catalogue recursion and duplicate- | | | catalog handling [CVE-2025-8732 CVE-2026- | | | 0990 CVE-2026-0992]; limit RelaxNG | | | include recursion [CVE-2026-0989]; fix | | | xmllint shell memory leak [CVE-2026- | | | 1757]; correct schematron regression-test | | | outputs [CVE-2025-49794 CVE-2025-49796]; | | | fix XML writer and schematron memory | | | leaks; mitigate RelaxNG validation use- | | | after-free; update catalogue and RelaxNG | | | regression tests | | | | | libxmlb [43] | Add support for zstd decompression; fix | | | XMLb store/truncation validation; correct | | | query binding/index handling; fix XML | | | export and empty text() handling | | | | | linuxcnc [44] | Sanitize module names | | | | | mariadb [45] | New upstream stable release; fix code | | | execution issues [CVE-2025-13699 | | | CVE-2026-44168 CVE-2026-48163 CVE-2026- | | | 48165 CVE-2026-49261]; fix denial of | | | service issues [CVE-2026-21968 CVE-2026- | | | 34303]; fix logging bypass issue | | | [CVE-2026-3494]; fix path traversal issue | | | [CVE-2026-44171]; fix SQL injection issue | | | [CVE-2026-44172]; fix incomplete | | | privilege check issue [CVE-2026-44173]; | | | fix "Illegal mix of collations" error; | | | fix "Mroonga hangs on invalid index | | | flag" ; fix crash in | | | information_schema.table_constraints | | | | | mesa [46] | Fix WebGPU/SPIR-V allocation handling | | | [CVE-2026-40393] | | | | | modsecurity [47] | Prevent denial of service in hexDecode | | | handling [CVE-2026-30923]; prevent denial | | | of service in SSN/CPF/SVNR verification | | | [CVE-2026-42268] | | | | | mxml [48] | Fix out-of-bounds read [CVE-2026-5037] | | | | | node-flatted [49] | Fix prototype pollution issue [CVE-2026- | | | 33228] | | | | | node-jschardet [50] | Fix build link references | | | | | node-regexpp [51] | Add missing link to undici-types | | | | | ojalgo [52] | Reduce frequency of built-time test | | | failures | | | | | openslide [53] | Fix possible code execution issue | | | [CVE-2026-48977] | | | | | p7zip [54] | New upstream stable release; fix buffer | | | overflow issues [CVE-2026-48092 CVE-2026- | | | 48095]; fix memory disclosure issue | | | [CVE-2026-48101]; fix out-of-bounds read | | | issues [CVE-2026-48102 CVE-2026-48103 | | | CVE-2026-48111 CVE-2026-48112]; fix | | | uninitialised memory read issue | | | [CVE-2026-48104] | | | | | php-guzzlehttp- | Fix Host authority validation [CVE-2026- | | psr7 [55] | 48998]; reject control characters in URI | | | hosts [CVE-2026-49214]; harden | | | ServerRequest globals handling; normalise | | | global header values; encode literal plus | | | signs in query helpers | | | | | phpunit [56] | Fix unsafe deserialization in PHPT code | | | coverage handling [CVE-2026-24765] | | | | | plasma-discover [57] | Backport patch for libfwupd3 | | | compatibility | | | | | prometheus [58] | Fix date-sensitive build-time test | | | | | protobuf [59] | Fix parser recursion limits [CVE-2024- | | | 7254 CVE-2025-4565 CVE-2026-0994 | | | CVE-2026-6409] | | | | | pydantic [60] | Fix denial of service in email | | | verification [CVE-2024-3772] | | | | | pymatgen [61] | Fix denial of service in | | | GaussianInput.from_string [CVE-2022- | | | 42964] | | | | | python-ase [62] | Disable unreliable built-time test | | | | | python-django [63] | Update test suite following changes in | | | python3.13 | | | | | python-filelock [64] | Fix symlink vulnerabilies [CVE-2025-68146 | | | CVE-2026-22701] | | | | | python-markdown [65] | Fix parsing of bogus HTML markup | | | [CVE-2025-69534] | | | | | python-pyramid [66] | Fix information disclosure issue | | | [CVE-2023-40587] | | | | | python-xmltodict [67] | Fix XML injection issue [CVE-2025-9375] | | | | | python3.11 [68] | Prevent incorrect tar archive handling | | | [CVE-2025-13462]; ensure bytecode-only | | | imports use normal security checks | | | [CVE-2026-2297]; reject unsafe cookie | | | values [CVE-2026-3644]; prevent XML | | | parser crashes [CVE-2026-4224]; prevent | | | browser command injection [CVE-2026- | | | 4519]; prevent bz2/lzma decompressor | | | memory corruption [CVE-2026-6100]; | | | restore XML autopkgtests | | | | | qemu [69] | Rebuild with updated gnutls28 | | | | | rhino [70] | Fix denial of service issue [CVE-2025- | | | 66453] | | | | | rlottie [71] | Fix out-of-bounds read issue [CVE-2026- | | | 10305]; fix denial of service issues | | | [CVE-2026-47319 CVE-2026-47320] | | | | | rsync [72] | Reject excessively long HTTP proxy | | | response lines [CVE-2026-45232] | | | | | ruby-css-parser [73] | Fix validation of HTTPS certificates for | | | remote CSS [CVE-2026-44312] | | | | | rust-time [74] | Fix denial of service [CVE-2026-25727] | | | | | science.js [75] | Fix build time race condition | | | | | sentry-python [76] | Fix subprocess environment sanitisation | | | [CVE-2024-40647] | | | | | shim [77] | New upstream release; build with default | | | gcc; set SBAT revocation level to | | | 2025021800 | | | | | shim-helpers-amd64- | Update to shim 16.1-2~deb12u1 | | signed [78] | | | | | | shim-helpers-arm64- | Update to shim 16.1-2~deb12u1 | | signed [79] | | | | | | shim-helpers-i386- | Update to shim 16.1-2~deb12u1 | | signed [80] | | | | | | shim-signed [81] | Ensure Secure Boot compatibility with | | | 2023 Microsoft UEFI CA; check for likely | | | boot issues before installation; combine | | | and verify multiple shim signatures; | | | update signed shim binaries | | | | | sqlite-utils [82] | Add dependency on python3-click-default- | | | group | | | | | sshfs-fuse [83] | Add contain_symlinks option to prevent | | | symlink escape attacks [CVE-2026-47187]; | | | reject hostname option injection via | | | bracketed mount source [CVE-2026-48711] | | | | | sylpheed [84] | Fix link checking [CVE-2021-37746] | | | | | user-mode-linux [85] | Rebuild with updated linux | | | | | vitrage [86] | Fix remote code execution vulnerability | | | [CVE-2026-28370] | | | | | wireless-regdb [87] | New upstream stable release; update | | | regulatory information for several | | | countries | | | | | xz-utils [88] | Fix buffer overflow issue [CVE-2026- | | | 34743] | | | | +-------------------------+-------------------------------------------+ 1: https://packages.debian.org/src:7zip 2: https://packages.debian.org/src:apache2 3: https://packages.debian.org/src:appstream 4: https://packages.debian.org/src:base-files 5: https://packages.debian.org/src:beets 6: https://packages.debian.org/src:calibre 7: https://packages.debian.org/src:cdebootstrap 8: https://packages.debian.org/src:chrony 9: https://packages.debian.org/src:cloud-init 10: https://packages.debian.org/src:composer 11: https://packages.debian.org/src:curl 12: https://packages.debian.org/src:dar 13: https://packages.debian.org/src:dcmtk 14: https://packages.debian.org/src:debian-installer 15: https://packages.debian.org/src:debian-installer-netboot-images 16: https://packages.debian.org/src:debian-security-support 17: https://packages.debian.org/src:delve 18: https://packages.debian.org/src:dhcpcd5 19: https://packages.debian.org/src:firewalld 20: https://packages.debian.org/src:fwupd 21: https://packages.debian.org/src:geoip-database 22: https://packages.debian.org/src:ghdl 23: https://packages.debian.org/src:giflib 24: https://packages.debian.org/src:gnome-firmware 25: https://packages.debian.org/src:gnome-software 26: https://packages.debian.org/src:graphite2 27: https://packages.debian.org/src:gss 28: https://packages.debian.org/src:horizon 29: https://packages.debian.org/src:ironic 30: https://packages.debian.org/src:keystone 31: https://packages.debian.org/src:libapache-session-browseable-perl 32: https://packages.debian.org/src:libbytes-random-secure-perl 33: https://packages.debian.org/src:libcaca 34: https://packages.debian.org/src:libcrypt-pbkdf2-perl 35: https://packages.debian.org/src:libhtml-gumbo-perl 36: https://packages.debian.org/src:libhtml-parser-perl 37: https://packages.debian.org/src:libjcat 38: https://packages.debian.org/src:libnet-cidr-lite-perl 39: https://packages.debian.org/src:libreoffice 40: https://packages.debian.org/src:libvncserver 41: https://packages.debian.org/src:libxml-libxml-perl 42: https://packages.debian.org/src:libxml2 43: https://packages.debian.org/src:libxmlb 44: https://packages.debian.org/src:linuxcnc 45: https://packages.debian.org/src:mariadb 46: https://packages.debian.org/src:mesa 47: https://packages.debian.org/src:modsecurity 48: https://packages.debian.org/src:mxml 49: https://packages.debian.org/src:node-flatted 50: https://packages.debian.org/src:node-jschardet 51: https://packages.debian.org/src:node-regexpp 52: https://packages.debian.org/src:ojalgo 53: https://packages.debian.org/src:openslide 54: https://packages.debian.org/src:p7zip 55: https://packages.debian.org/src:php-guzzlehttp-psr7 56: https://packages.debian.org/src:phpunit 57: https://packages.debian.org/src:plasma-discover 58: https://packages.debian.org/src:prometheus 59: https://packages.debian.org/src:protobuf 60: https://packages.debian.org/src:pydantic 61: https://packages.debian.org/src:pymatgen 62: https://packages.debian.org/src:python-ase 63: https://packages.debian.org/src:python-django 64: https://packages.debian.org/src:python-filelock 65: https://packages.debian.org/src:python-markdown 66: https://packages.debian.org/src:python-pyramid 67: https://packages.debian.org/src:python-xmltodict 68: https://packages.debian.org/src:python3.11 69: https://packages.debian.org/src:qemu 70: https://packages.debian.org/src:rhino 71: https://packages.debian.org/src:rlottie 72: https://packages.debian.org/src:rsync 73: https://packages.debian.org/src:ruby-css-parser 74: https://packages.debian.org/src:rust-time 75: https://packages.debian.org/src:science.js 76: https://packages.debian.org/src:sentry-python 77: https://packages.debian.org/src:shim 78: https://packages.debian.org/src:shim-helpers-amd64-signed 79: https://packages.debian.org/src:shim-helpers-arm64-signed 80: https://packages.debian.org/src:shim-helpers-i386-signed 81: https://packages.debian.org/src:shim-signed 82: https://packages.debian.org/src:sqlite-utils 83: https://packages.debian.org/src:sshfs-fuse 84: https://packages.debian.org/src:sylpheed 85: https://packages.debian.org/src:user-mode-linux 86: https://packages.debian.org/src:vitrage 87: https://packages.debian.org/src:wireless-regdb 88: https://packages.debian.org/src:xz-utils Security Updates ---------------- This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates: +----------------+--------------------------------+ | Advisory ID | Package | +----------------+--------------------------------+ | DLA-4627 [89] | kernel-wedge [90] | | | | | DLA-4628 [91] | linux-base [92] | | | | | DLA-4632 [93] | atril [94] | | | | | DLA-4633 [95] | libreoffice [96] | | | | | DLA-4635 [97] | firefox-esr [98] | | | | | DLA-4636 [99] | thunderbird [100] | | | | | DLA-4637 [101] | libconfig-inifiles-perl [102] | | | | | DLA-4638 [103] | libgd-perl [104] | | | | | DLA-4639 [105] | libhttp-daemon-perl [106] | | | | | DLA-4642 [107] | u-boot [108] | | | | | DLA-4643 [109] | imagemagick [110] | | | | | DLA-4644 [111] | libmatio [112] | | | | | DLA-4648 [113] | libtext-csv-xs-perl [114] | | | | | DLA-4651 [115] | python-urllib3 [116] | | | | | DLA-4654 [117] | chromium [118] | | | | | DLA-4656 [119] | tor [120] | | | | | DLA-4657 [121] | sogo [122] | | | | | DLA-4658 [123] | librabbitmq [124] | | | | | DLA-4662 [125] | jq [126] | | | | | DLA-4665 [127] | linux-signed-amd64 [128] | | | | | DLA-4665 [129] | linux-signed-arm64 [130] | | | | | DLA-4665 [131] | linux-signed-i386 [132] | | | | | DLA-4665 [133] | linux [134] | | | | | DLA-4666 [135] | openvpn [136] | | | | | DLA-4667 [137] | nginx [138] | | | | | DLA-4668 [139] | sympa [140] | | | | | DLA-4669 [141] | php8.2 [142] | | | | | DLA-4672 [143] | chromium [144] | | | | | DLA-4674 [145] | chromium [146] | | | | | DSA-6250 [147] | chromium [148] | | | | | DSA-6266 [149] | nghttp2 [150] | | | | | DSA-6267 [151] | thunderbird [152] | | | | | DSA-6269 [153] | postgresql-15 [154] | | | | | DSA-6271 [155] | gsasl [156] | | | | | DSA-6272 [157] | nodejs [158] | | | | | DSA-6273 [159] | chromium [160] | | | | | DSA-6275 [161] | linux-signed-amd64 [162] | | | | | DSA-6275 [163] | linux-signed-arm64 [164] | | | | | DSA-6275 [165] | linux-signed-i386 [166] | | | | | DSA-6275 [167] | linux [168] | | | | | DSA-6276 [169] | ffmpeg [170] | | | | | DSA-6277 [171] | openjpeg2 [172] | | | | | DSA-6278 [173] | nginx [174] | | | | | DSA-6279 [175] | redis [176] | | | | | DSA-6281 [177] | gnutls28 [178] | | | | | DSA-6282 [179] | rsync [180] | | | | | DSA-6283 [181] | firefox-esr [182] | | | | | DSA-6285 [183] | bind9 [184] | | | | | DSA-6286 [185] | evince [186] | | | | | DSA-6287 [187] | chromium [188] | | | | | DSA-6288 [189] | thunderbird [190] | | | | | DSA-6289 [191] | openvpn [192] | | | | | DSA-6292 [193] | haveged [194] | | | | | DSA-6293 [195] | krb5 [196] | | | | | DSA-6294 [197] | libgcrypt20 [198] | | | | | DSA-6297 [199] | samba [200] | | | | | DSA-6299 [201] | kdenlive [202] | | | | | DSA-6300 [203] | node-shell-quote [204] | | | | | DSA-6301 [205] | roundcube [206] | | | | | DSA-6302 [207] | starlette [208] | | | | | DSA-6306 [209] | linux-signed-amd64 [210] | | | | | DSA-6306 [211] | linux-signed-arm64 [212] | | | | | DSA-6306 [213] | linux-signed-i386 [214] | | | | | DSA-6306 [215] | linux [216] | | | | | DSA-6308 [217] | nagios4 [218] | | | | | DSA-6309 [219] | exim4 [220] | | | | | DSA-6310 [221] | imagemagick [222] | | | | | DSA-6313 [223] | dovecot [224] | | | | | DSA-6316 [225] | chromium [226] | | | | | DSA-6317 [227] | php-symfony-contracts [228] | | | | | DSA-6317 [229] | symfony [230] | | | | | DSA-6319 [231] | yelp [232] | | | | | DSA-6320 [233] | php-twig [234] | | | | | DSA-6321 [235] | ceph [236] | | | | | DSA-6322 [237] | frr [238] | | | | | DSA-6323 [239] | apache2 [240] | | | | | DSA-6324 [241] | request-tracker5 [242] | | | | | DSA-6325 [243] | chromium [244] | | | | | DSA-6326 [245] | nginx [246] | | | | | DSA-6327 [247] | request-tracker4 [248] | | | | | DSA-6328 [249] | tomcat10 [250] | | | | | DSA-6330 [251] | strongswan [252] | | | | | DSA-6331 [253] | keystone [254] | | | | | DSA-6332 [255] | okular [256] | | | | | DSA-6333 [257] | mistral [258] | | | | | DSA-6334 [259] | poppler [260] | | | | | DSA-6335 [261] | openssl [262] | | | | | DSA-6336 [263] | jackson-core [264] | | | | | DSA-6336 [265] | jackson-databind [266] | | | | | DSA-6336 [267] | jackson-dataformat-smile [268] | | | | | DSA-6337 [269] | chromium [270] | | | | | DSA-6338 [271] | libdbi-perl [272] | | | | | DSA-6339 [273] | libinput [274] | | | | | DSA-6341 [275] | ironic [276] | | | | | DSA-6341 [277] | python-oslo.messaging [278] | | | | | DSA-6344 [279] | chromium [280] | | | | | DSA-6352 [281] | chromium [282] | | | | +----------------+--------------------------------+ 89: https://www.debian.org/lts/security/2026/dla-4627 90: https://packages.debian.org/src:kernel-wedge 91: https://www.debian.org/lts/security/2026/dla-4628 92: https://packages.debian.org/src:linux-base 93: https://www.debian.org/lts/security/2026/dla-4632 94: https://packages.debian.org/src:atril 95: https://www.debian.org/lts/security/2026/dla-4633 96: https://packages.debian.org/src:libreoffice 97: https://www.debian.org/lts/security/2026/dla-4635 98: https://packages.debian.org/src:firefox-esr 99: https://www.debian.org/lts/security/2026/dla-4636 100: https://packages.debian.org/src:thunderbird 101: https://www.debian.org/lts/security/2026/dla-4637 102: https://packages.debian.org/src:libconfig-inifiles-perl 103: https://www.debian.org/lts/security/2026/dla-4638 104: https://packages.debian.org/src:libgd-perl 105: https://www.debian.org/lts/security/2026/dla-4639 106: https://packages.debian.org/src:libhttp-daemon-perl 107: https://www.debian.org/lts/security/2026/dla-4642 108: https://packages.debian.org/src:u-boot 109: https://www.debian.org/lts/security/2026/dla-4643 110: https://packages.debian.org/src:imagemagick 111: https://www.debian.org/lts/security/2026/dla-4644 112: https://packages.debian.org/src:libmatio 113: https://www.debian.org/lts/security/2026/dla-4648 114: https://packages.debian.org/src:libtext-csv-xs-perl 115: https://www.debian.org/lts/security/2026/dla-4651 116: https://packages.debian.org/src:python-urllib3 117: https://www.debian.org/lts/security/2026/dla-4654 118: https://packages.debian.org/src:chromium 119: https://www.debian.org/lts/security/2026/dla-4656 120: https://packages.debian.org/src:tor 121: https://www.debian.org/lts/security/2026/dla-4657 122: https://packages.debian.org/src:sogo 123: https://www.debian.org/lts/security/2026/dla-4658 124: https://packages.debian.org/src:librabbitmq 125: https://www.debian.org/lts/security/2026/dla-4662 126: https://packages.debian.org/src:jq 127: https://www.debian.org/lts/security/2026/dla-4665 128: https://packages.debian.org/src:linux-signed-amd64 129: https://www.debian.org/lts/security/2026/dla-4665 130: https://packages.debian.org/src:linux-signed-arm64 131: https://www.debian.org/lts/security/2026/dla-4665 132: https://packages.debian.org/src:linux-signed-i386 133: https://www.debian.org/lts/security/2026/dla-4665 134: https://packages.debian.org/src:linux 135: https://www.debian.org/lts/security/2026/dla-4666 136: https://packages.debian.org/src:openvpn 137: https://www.debian.org/lts/security/2026/dla-4667 138: https://packages.debian.org/src:nginx 139: https://www.debian.org/lts/security/2026/dla-4668 140: https://packages.debian.org/src:sympa 141: https://www.debian.org/lts/security/2026/dla-4669 142: https://packages.debian.org/src:php8.2 143: https://www.debian.org/lts/security/2026/dla-4672 144: https://packages.debian.org/src:chromium 145: https://www.debian.org/lts/security/2026/dla-4674 146: https://packages.debian.org/src:chromium 147: https://www.debian.org/security/2026/dsa-6250 148: https://packages.debian.org/src:chromium 149: https://www.debian.org/security/2026/dsa-6266 150: https://packages.debian.org/src:nghttp2 151: https://www.debian.org/security/2026/dsa-6267 152: https://packages.debian.org/src:thunderbird 153: https://www.debian.org/security/2026/dsa-6269 154: https://packages.debian.org/src:postgresql-15 155: https://www.debian.org/security/2026/dsa-6271 156: https://packages.debian.org/src:gsasl 157: https://www.debian.org/security/2026/dsa-6272 158: https://packages.debian.org/src:nodejs 159: https://www.debian.org/security/2026/dsa-6273 160: https://packages.debian.org/src:chromium 161: https://www.debian.org/security/2026/dsa-6275 162: https://packages.debian.org/src:linux-signed-amd64 163: https://www.debian.org/security/2026/dsa-6275 164: https://packages.debian.org/src:linux-signed-arm64 165: https://www.debian.org/security/2026/dsa-6275 166: https://packages.debian.org/src:linux-signed-i386 167: https://www.debian.org/security/2026/dsa-6275 168: https://packages.debian.org/src:linux 169: https://www.debian.org/security/2026/dsa-6276 170: https://packages.debian.org/src:ffmpeg 171: https://www.debian.org/security/2026/dsa-6277 172: https://packages.debian.org/src:openjpeg2 173: https://www.debian.org/security/2026/dsa-6278 174: https://packages.debian.org/src:nginx 175: https://www.debian.org/security/2026/dsa-6279 176: https://packages.debian.org/src:redis 177: https://www.debian.org/security/2026/dsa-6281 178: https://packages.debian.org/src:gnutls28 179: https://www.debian.org/security/2026/dsa-6282 180: https://packages.debian.org/src:rsync 181: https://www.debian.org/security/2026/dsa-6283 182: https://packages.debian.org/src:firefox-esr 183: https://www.debian.org/security/2026/dsa-6285 184: https://packages.debian.org/src:bind9 185: https://www.debian.org/security/2026/dsa-6286 186: https://packages.debian.org/src:evince 187: https://www.debian.org/security/2026/dsa-6287 188: https://packages.debian.org/src:chromium 189: https://www.debian.org/security/2026/dsa-6288 190: https://packages.debian.org/src:thunderbird 191: https://www.debian.org/security/2026/dsa-6289 192: https://packages.debian.org/src:openvpn 193: https://www.debian.org/security/2026/dsa-6292 194: https://packages.debian.org/src:haveged 195: https://www.debian.org/security/2026/dsa-6293 196: https://packages.debian.org/src:krb5 197: https://www.debian.org/security/2026/dsa-6294 198: https://packages.debian.org/src:libgcrypt20 199: https://www.debian.org/security/2026/dsa-6297 200: https://packages.debian.org/src:samba 201: https://www.debian.org/security/2026/dsa-6299 202: https://packages.debian.org/src:kdenlive 203: https://www.debian.org/security/2026/dsa-6300 204: https://packages.debian.org/src:node-shell-quote 205: https://www.debian.org/security/2026/dsa-6301 206: https://packages.debian.org/src:roundcube 207: https://www.debian.org/security/2026/dsa-6302 208: https://packages.debian.org/src:starlette 209: https://www.debian.org/security/2026/dsa-6306 210: https://packages.debian.org/src:linux-signed-amd64 211: https://www.debian.org/security/2026/dsa-6306 212: https://packages.debian.org/src:linux-signed-arm64 213: https://www.debian.org/security/2026/dsa-6306 214: https://packages.debian.org/src:linux-signed-i386 215: https://www.debian.org/security/2026/dsa-6306 216: https://packages.debian.org/src:linux 217: https://www.debian.org/security/2026/dsa-6308 218: https://packages.debian.org/src:nagios4 219: https://www.debian.org/security/2026/dsa-6309 220: https://packages.debian.org/src:exim4 221: https://www.debian.org/security/2026/dsa-6310 222: https://packages.debian.org/src:imagemagick 223: https://www.debian.org/security/2026/dsa-6313 224: https://packages.debian.org/src:dovecot 225: https://www.debian.org/security/2026/dsa-6316 226: https://packages.debian.org/src:chromium 227: https://www.debian.org/security/2026/dsa-6317 228: https://packages.debian.org/src:php-symfony-contracts 229: https://www.debian.org/security/2026/dsa-6317 230: https://packages.debian.org/src:symfony 231: https://www.debian.org/security/2026/dsa-6319 232: https://packages.debian.org/src:yelp 233: https://www.debian.org/security/2026/dsa-6320 234: https://packages.debian.org/src:php-twig 235: https://www.debian.org/security/2026/dsa-6321 236: https://packages.debian.org/src:ceph 237: https://www.debian.org/security/2026/dsa-6322 238: https://packages.debian.org/src:frr 239: https://www.debian.org/security/2026/dsa-6323 240: https://packages.debian.org/src:apache2 241: https://www.debian.org/security/2026/dsa-6324 242: https://packages.debian.org/src:request-tracker5 243: https://www.debian.org/security/2026/dsa-6325 244: https://packages.debian.org/src:chromium 245: https://www.debian.org/security/2026/dsa-6326 246: https://packages.debian.org/src:nginx 247: https://www.debian.org/security/2026/dsa-6327 248: https://packages.debian.org/src:request-tracker4 249: https://www.debian.org/security/2026/dsa-6328 250: https://packages.debian.org/src:tomcat10 251: https://www.debian.org/security/2026/dsa-6330 252: https://packages.debian.org/src:strongswan 253: https://www.debian.org/security/2026/dsa-6331 254: https://packages.debian.org/src:keystone 255: https://www.debian.org/security/2026/dsa-6332 256: https://packages.debian.org/src:okular 257: https://www.debian.org/security/2026/dsa-6333 258: https://packages.debian.org/src:mistral 259: https://www.debian.org/security/2026/dsa-6334 260: https://packages.debian.org/src:poppler 261: https://www.debian.org/security/2026/dsa-6335 262: https://packages.debian.org/src:openssl 263: https://www.debian.org/security/2026/dsa-6336 264: https://packages.debian.org/src:jackson-core 265: https://www.debian.org/security/2026/dsa-6336 266: https://packages.debian.org/src:jackson-databind 267: https://www.debian.org/security/2026/dsa-6336 268: https://packages.debian.org/src:jackson-dataformat-smile 269: https://www.debian.org/security/2026/dsa-6337 270: https://packages.debian.org/src:chromium 271: https://www.debian.org/security/2026/dsa-6338 272: https://packages.debian.org/src:libdbi-perl 273: https://www.debian.org/security/2026/dsa-6339 274: https://packages.debian.org/src:libinput 275: https://www.debian.org/security/2026/dsa-6341 276: https://packages.debian.org/src:ironic 277: https://www.debian.org/security/2026/dsa-6341 278: https://packages.debian.org/src:python-oslo.messaging 279: https://www.debian.org/security/2026/dsa-6344 280: https://packages.debian.org/src:chromium 281: https://www.debian.org/security/2026/dsa-6352 282: https://packages.debian.org/src:chromium Removed packages ---------------- The following packages were removed due to circumstances beyond our control: +-------------+-------------------------------------+ | Package | Reason | +-------------+-------------------------------------+ | smb4k [283] | Unable to continue security support | | | | +-------------+-------------------------------------+ 283: https://packages.debian.org/src:smb4k Debian Installer ---------------- The installer has been updated to include the fixes incorporated into oldstable by the point release. URLs ---- The complete lists of packages that have changed with this revision: https://deb.debian.org/debian/dists/bookworm/ChangeLog The current oldstable distribution: https://deb.debian.org/debian/dists/oldstable/ Proposed updates to the oldstable distribution: https://deb.debian.org/debian/dists/oldstable-proposed-updates oldstable distribution information (release notes, errata etc.): https://www.debian.org/releases/oldstable/ Security announcements and information: https://www.debian.org/security/ About Debian ------------ The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian. Contact Information ------------------- For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.