------------------------------------------------------------------------
The Debian Project https://www.debian.org/
Updated Debian 12: 12.15 released press@debian.org
July 11th, 2026 https://www.debian.org/News/2026/2026071102
------------------------------------------------------------------------
The Debian project is pleased to announce the fifteenth and final update
of its oldstable distribution Debian 12 (codename "bookworm"). This
point release mainly adds corrections for security issues, along with a
few adjustments for serious problems. Security advisories have already
been published separately and are referenced where available.
Please note that the point release does not constitute a new version of
Debian 12 but only updates some of the packages included. There is no
need to throw away old "bookworm" media. After installation, packages
can be upgraded to the current versions using an up-to-date Debian
mirror.
Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:
https://www.debian.org/mirror/list
Noteworthy updates
------------------
"fwupd" has been updated to upstream version 2.0.20, which has the
ability to update the Secure Boot certificate authority (CA), Key
Exchange Key (KEK) and revocation (DBX) databases.
The 2013 UEFI Secure Boot CA installed by default on most PCs and used
to sign bootloaders has now expired. Future updates to "shim-signed"
could therefore lead to systems being unable to boot with Secure Boot
enabled.
Users are strongly advised to apply "CA", "KEK" and "DBX" updates from
their system OEM in line with the following guidance:
https://wiki.debian.org/SecureBoot/CAChanges#What_should_I_do.3F
For licensing reasons "geoip-database" has been reverted to a version
dated approximately December 2019. As a result, applications using this
database might use out-of-date allocation information.
More recent versions of "geoip-database" (GeoLite) are not compatible
with the Debian Free Software Guidelines and cannot be distributed.
Consumers of this data are strongly encouraged to obtain a GeoLite
license directly and cease reliance on the "geoip-database" package.
This update marks the end of Debian Release Team, Debian Security Team
and Debian Backports support for version. Ongoing support for some
architectures will be provided by the Debian Long Term Support team
supported by Freexian. Users are advised to upgrade systems to Debian 13
"trixie".
Miscellaneous Bugfixes
----------------------
This oldstable update adds a few important corrections to the following
packages:
+-------------------------+-------------------------------------------+
| Package | Reason |
+-------------------------+-------------------------------------------+
| 7zip [1] | New upstream stable release; fix buffer |
| | overflow issues [CVE-2026-48092 CVE-2026- |
| | 48095]; fix memory disclosure issue |
| | [CVE-2026-48101]; fix out-of-bounds read |
| | issues [CVE-2026-48102 CVE-2026-48103 |
| | CVE-2026-48111 CVE-2026-48112]; fix |
| | uninitialised memory read issue |
| | [CVE-2026-48104] |
| | |
| apache2 [2] | Fix HTTP/2 request DoS and file handle |
| | exhaustion [CVE-2026-49975 CVE-2026- |
| | 48913]; fix proxy, DAV, LDAP, SSL, XML |
| | and header memory/crash issues [CVE-2026- |
| | 29167 CVE-2026-34355 CVE-2026-34356 |
| | CVE-2026-42535 CVE-2026-42536 CVE-2026- |
| | 43951 CVE-2026-44185]; fix proxy FTP |
| | directory listing XSS and backend loop |
| | [CVE-2026-29170 CVE-2026-44186]; restrict |
| | htaccess expression file access |
| | [CVE-2026-44119]; fix regex parsing |
| | underflow [CVE-2026-44631]; correct SSI, |
| | file-cache, WebDAV DELETE and proxy |
| | health-check handling; update |
| | documentation and tests |
| | |
| appstream [3] | Rebuild with updated libxmlb |
| | |
| base-files [4] | Update for the point release |
| | |
| beets [5] | Fix XSS vulnerability [CVE-2026-42052]; |
| | fix build-time test failures |
| | |
| calibre [6] | Fix various potential security issues; |
| | read resources only from book contents |
| | [CVE-2026-33206]; keep extracted files |
| | within container dir [CVE-2026-30853]; |
| | prevent reading background images from |
| | outside the config dir [CVE-2026-33205] |
| | |
| cdebootstrap [7] | Rebuild with updated xz-utils |
| | |
| chrony [8] | Ensure if-up/down hook scripts exit |
| | successfully |
| | |
| cloud-init [9] | Fix OpenStack bond initialisation |
| | |
| composer [10] | Fix support for new GitHub token format |
| | [CVE-2026-45793] |
| | |
| curl [11] | Fix cache poisoning issue [CVE-2025- |
| | 10148]; fix data leak issues [CVE-2025- |
| | 14524 CVE-2026-3783]; fix incorrect |
| | connection re-use issues [CVE-2025-14819 |
| | CVE-2026-3784 CVE-2026-5773 CVE-2026- |
| | 7168] |
| | |
| dar [12] | Rebuild with updated libgcrypt20 |
| | |
| dcmtk [13] | Fix NULL pointer dereference issues |
| | [CVE-2022-4981 CVE-2025-14841]; fix |
| | memory corruption issues [CVE-2025-2357 |
| | CVE-2025-9732 CVE-2025-14607]; fix |
| | command injection issue [CVE-2026-5663]; |
| | fix buffer overflow issues [CVE-2026- |
| | 10194 CVE-2026-12805] |
| | |
| debian-installer [14] | Bump linux ABI 6.1.0-50; rebuild for |
| | point release |
| | |
| debian-installer- | Rebuild from proposed updates |
| netboot-images [15] | |
| | |
| debian-security- | Prepare support limitations ahead of |
| support [16] | transition to LTS |
| | |
| delve [17] | Fix failure to build on 4th generation |
| | EYPC processors |
| | |
| dhcpcd5 [18] | Fix NULL pointer dereference issue |
| | [CVE-2025-70102]; fix out-of-bounds write |
| | issue [CVE-2026-56114] |
| | |
| firewalld [19] | Fix DBUS policy checking [CVE-2026-4948] |
| | |
| fwupd [20] | Rebuild with updated libjcat, libxmlb; |
| | add support for updating DBX and KEK |
| | stores; rebuild in a clean environment |
| | |
| geoip-database [21] | Revert to a DFSG-compatible version |
| | |
| ghdl [22] | Rebuild with updated gcc-12 |
| | |
| giflib [23] | Fix memory corruption issues [CVE-2026- |
| | 23868 CVE-2026-26740] |
| | |
| gnome-firmware [24] | Rebuild with updated libxmlb; backport |
| | patch for libfwupd3 compatibility |
| | |
| gnome-software [25] | Rebuild with updated libxmlb; backport |
| | patch for libfwupd3 compatibility |
| | |
| graphite2 [26] | Fix out-of-bounds write [CVE-2026-50593] |
| | |
| gss [27] | Fix build failures caused by an expired |
| | Kerberos ticket; avoid krb5context self- |
| | tests with timebomb |
| | |
| horizon [28] | Fix escaping of special characters in |
| | project |
| | |
| ironic [29] | Fix file disclosure via image sources |
| | [CVE-2025-44021]; fix console command |
| | injection [CVE-2026-42510]; fix Swift |
| | token disclosure [CVE-2026-42997]; fix |
| | unsafe template execution [CVE-2026- |
| | 44916] |
| | |
| keystone [30] | Fix behaviour of user_enabled_invert |
| | [CVE-2026-40683]; prevent unauthorized |
| | EC2 credential creation and deletion |
| | [CVE-2026-33551] |
| | |
| libapache-session- | Improve entropy of generated session IDs |
| browseable-perl [31] | |
| | |
| libbytes-random-secure- | Fix incorrect usage of seed in PRNG |
| perl [32] | [CVE-2026-11625] |
| | |
| libcaca [33] | Prevent undefined behaviour in overflow |
| | check [CVE-2026-42046] |
| | |
| libcrypt-pbkdf2- | Change default hash algorithm to HMAC- |
| perl [34] | SHA256 and default iterations to 600,000 |
| | [CVE-2026-9641]; generate salts using |
| | Crypt::URandom [CVE-2026-9638]; use a |
| | constant-time comparison in `validate` to |
| | avoid timing attacks [CVE-2017-20240] |
| | |
| libhtml-gumbo-perl [35] | Fix uninitialized memory access |
| | [CVE-2025-15646] |
| | |
| libhtml-parser- | Fix heap-use-after-free in |
| perl [36] | _decode_entities [CVE-2026-8829] |
| | |
| libjcat [37] | Add support for ed25519 types and SHA512 |
| | hashes |
| | |
| libnet-cidr-lite- | Fix IP/CIDR parser validation: reject |
| perl [38] | non-ASCII digits and trailing newlines |
| | [CVE-2026-55190]; reject zero-padded CIDR |
| | masks [CVE-2026-45191] |
| | |
| libreoffice [39] | Gracefully handle failure in graphite2 |
| | |
| libvncserver [40] | Fix buffer overflow and out-of-bounds |
| | write [CVE-2026-44988 CVE-2026-50538] |
| | |
| libxml-libxml-perl [41] | Fix out-of-bounds read [CVE-2026-8177] |
| | |
| libxml2 [42] | Fix catalogue recursion and duplicate- |
| | catalog handling [CVE-2025-8732 CVE-2026- |
| | 0990 CVE-2026-0992]; limit RelaxNG |
| | include recursion [CVE-2026-0989]; fix |
| | xmllint shell memory leak [CVE-2026- |
| | 1757]; correct schematron regression-test |
| | outputs [CVE-2025-49794 CVE-2025-49796]; |
| | fix XML writer and schematron memory |
| | leaks; mitigate RelaxNG validation use- |
| | after-free; update catalogue and RelaxNG |
| | regression tests |
| | |
| libxmlb [43] | Add support for zstd decompression; fix |
| | XMLb store/truncation validation; correct |
| | query binding/index handling; fix XML |
| | export and empty text() handling |
| | |
| linuxcnc [44] | Sanitize module names |
| | |
| mariadb [45] | New upstream stable release; fix code |
| | execution issues [CVE-2025-13699 |
| | CVE-2026-44168 CVE-2026-48163 CVE-2026- |
| | 48165 CVE-2026-49261]; fix denial of |
| | service issues [CVE-2026-21968 CVE-2026- |
| | 34303]; fix logging bypass issue |
| | [CVE-2026-3494]; fix path traversal issue |
| | [CVE-2026-44171]; fix SQL injection issue |
| | [CVE-2026-44172]; fix incomplete |
| | privilege check issue [CVE-2026-44173]; |
| | fix "Illegal mix of collations" error; |
| | fix "Mroonga hangs on invalid index |
| | flag" ; fix crash in |
| | information_schema.table_constraints |
| | |
| mesa [46] | Fix WebGPU/SPIR-V allocation handling |
| | [CVE-2026-40393] |
| | |
| modsecurity [47] | Prevent denial of service in hexDecode |
| | handling [CVE-2026-30923]; prevent denial |
| | of service in SSN/CPF/SVNR verification |
| | [CVE-2026-42268] |
| | |
| mxml [48] | Fix out-of-bounds read [CVE-2026-5037] |
| | |
| node-flatted [49] | Fix prototype pollution issue [CVE-2026- |
| | 33228] |
| | |
| node-jschardet [50] | Fix build link references |
| | |
| node-regexpp [51] | Add missing link to undici-types |
| | |
| ojalgo [52] | Reduce frequency of built-time test |
| | failures |
| | |
| openslide [53] | Fix possible code execution issue |
| | [CVE-2026-48977] |
| | |
| p7zip [54] | New upstream stable release; fix buffer |
| | overflow issues [CVE-2026-48092 CVE-2026- |
| | 48095]; fix memory disclosure issue |
| | [CVE-2026-48101]; fix out-of-bounds read |
| | issues [CVE-2026-48102 CVE-2026-48103 |
| | CVE-2026-48111 CVE-2026-48112]; fix |
| | uninitialised memory read issue |
| | [CVE-2026-48104] |
| | |
| php-guzzlehttp- | Fix Host authority validation [CVE-2026- |
| psr7 [55] | 48998]; reject control characters in URI |
| | hosts [CVE-2026-49214]; harden |
| | ServerRequest globals handling; normalise |
| | global header values; encode literal plus |
| | signs in query helpers |
| | |
| phpunit [56] | Fix unsafe deserialization in PHPT code |
| | coverage handling [CVE-2026-24765] |
| | |
| plasma-discover [57] | Backport patch for libfwupd3 |
| | compatibility |
| | |
| prometheus [58] | Fix date-sensitive build-time test |
| | |
| protobuf [59] | Fix parser recursion limits [CVE-2024- |
| | 7254 CVE-2025-4565 CVE-2026-0994 |
| | CVE-2026-6409] |
| | |
| pydantic [60] | Fix denial of service in email |
| | verification [CVE-2024-3772] |
| | |
| pymatgen [61] | Fix denial of service in |
| | GaussianInput.from_string [CVE-2022- |
| | 42964] |
| | |
| python-ase [62] | Disable unreliable built-time test |
| | |
| python-django [63] | Update test suite following changes in |
| | python3.13 |
| | |
| python-filelock [64] | Fix symlink vulnerabilies [CVE-2025-68146 |
| | CVE-2026-22701] |
| | |
| python-markdown [65] | Fix parsing of bogus HTML markup |
| | [CVE-2025-69534] |
| | |
| python-pyramid [66] | Fix information disclosure issue |
| | [CVE-2023-40587] |
| | |
| python-xmltodict [67] | Fix XML injection issue [CVE-2025-9375] |
| | |
| python3.11 [68] | Prevent incorrect tar archive handling |
| | [CVE-2025-13462]; ensure bytecode-only |
| | imports use normal security checks |
| | [CVE-2026-2297]; reject unsafe cookie |
| | values [CVE-2026-3644]; prevent XML |
| | parser crashes [CVE-2026-4224]; prevent |
| | browser command injection [CVE-2026- |
| | 4519]; prevent bz2/lzma decompressor |
| | memory corruption [CVE-2026-6100]; |
| | restore XML autopkgtests |
| | |
| qemu [69] | Rebuild with updated gnutls28 |
| | |
| rhino [70] | Fix denial of service issue [CVE-2025- |
| | 66453] |
| | |
| rlottie [71] | Fix out-of-bounds read issue [CVE-2026- |
| | 10305]; fix denial of service issues |
| | [CVE-2026-47319 CVE-2026-47320] |
| | |
| rsync [72] | Reject excessively long HTTP proxy |
| | response lines [CVE-2026-45232] |
| | |
| ruby-css-parser [73] | Fix validation of HTTPS certificates for |
| | remote CSS [CVE-2026-44312] |
| | |
| rust-time [74] | Fix denial of service [CVE-2026-25727] |
| | |
| science.js [75] | Fix build time race condition |
| | |
| sentry-python [76] | Fix subprocess environment sanitisation |
| | [CVE-2024-40647] |
| | |
| shim [77] | New upstream release; build with default |
| | gcc; set SBAT revocation level to |
| | 2025021800 |
| | |
| shim-helpers-amd64- | Update to shim 16.1-2~deb12u1 |
| signed [78] | |
| | |
| shim-helpers-arm64- | Update to shim 16.1-2~deb12u1 |
| signed [79] | |
| | |
| shim-helpers-i386- | Update to shim 16.1-2~deb12u1 |
| signed [80] | |
| | |
| shim-signed [81] | Ensure Secure Boot compatibility with |
| | 2023 Microsoft UEFI CA; check for likely |
| | boot issues before installation; combine |
| | and verify multiple shim signatures; |
| | update signed shim binaries |
| | |
| sqlite-utils [82] | Add dependency on python3-click-default- |
| | group |
| | |
| sshfs-fuse [83] | Add contain_symlinks option to prevent |
| | symlink escape attacks [CVE-2026-47187]; |
| | reject hostname option injection via |
| | bracketed mount source [CVE-2026-48711] |
| | |
| sylpheed [84] | Fix link checking [CVE-2021-37746] |
| | |
| user-mode-linux [85] | Rebuild with updated linux |
| | |
| vitrage [86] | Fix remote code execution vulnerability |
| | [CVE-2026-28370] |
| | |
| wireless-regdb [87] | New upstream stable release; update |
| | regulatory information for several |
| | countries |
| | |
| xz-utils [88] | Fix buffer overflow issue [CVE-2026- |
| | 34743] |
| | |
+-------------------------+-------------------------------------------+
1: https://packages.debian.org/src:7zip
2: https://packages.debian.org/src:apache2
3: https://packages.debian.org/src:appstream
4: https://packages.debian.org/src:base-files
5: https://packages.debian.org/src:beets
6: https://packages.debian.org/src:calibre
7: https://packages.debian.org/src:cdebootstrap
8: https://packages.debian.org/src:chrony
9: https://packages.debian.org/src:cloud-init
10: https://packages.debian.org/src:composer
11: https://packages.debian.org/src:curl
12: https://packages.debian.org/src:dar
13: https://packages.debian.org/src:dcmtk
14: https://packages.debian.org/src:debian-installer
15: https://packages.debian.org/src:debian-installer-netboot-images
16: https://packages.debian.org/src:debian-security-support
17: https://packages.debian.org/src:delve
18: https://packages.debian.org/src:dhcpcd5
19: https://packages.debian.org/src:firewalld
20: https://packages.debian.org/src:fwupd
21: https://packages.debian.org/src:geoip-database
22: https://packages.debian.org/src:ghdl
23: https://packages.debian.org/src:giflib
24: https://packages.debian.org/src:gnome-firmware
25: https://packages.debian.org/src:gnome-software
26: https://packages.debian.org/src:graphite2
27: https://packages.debian.org/src:gss
28: https://packages.debian.org/src:horizon
29: https://packages.debian.org/src:ironic
30: https://packages.debian.org/src:keystone
31: https://packages.debian.org/src:libapache-session-browseable-perl
32: https://packages.debian.org/src:libbytes-random-secure-perl
33: https://packages.debian.org/src:libcaca
34: https://packages.debian.org/src:libcrypt-pbkdf2-perl
35: https://packages.debian.org/src:libhtml-gumbo-perl
36: https://packages.debian.org/src:libhtml-parser-perl
37: https://packages.debian.org/src:libjcat
38: https://packages.debian.org/src:libnet-cidr-lite-perl
39: https://packages.debian.org/src:libreoffice
40: https://packages.debian.org/src:libvncserver
41: https://packages.debian.org/src:libxml-libxml-perl
42: https://packages.debian.org/src:libxml2
43: https://packages.debian.org/src:libxmlb
44: https://packages.debian.org/src:linuxcnc
45: https://packages.debian.org/src:mariadb
46: https://packages.debian.org/src:mesa
47: https://packages.debian.org/src:modsecurity
48: https://packages.debian.org/src:mxml
49: https://packages.debian.org/src:node-flatted
50: https://packages.debian.org/src:node-jschardet
51: https://packages.debian.org/src:node-regexpp
52: https://packages.debian.org/src:ojalgo
53: https://packages.debian.org/src:openslide
54: https://packages.debian.org/src:p7zip
55: https://packages.debian.org/src:php-guzzlehttp-psr7
56: https://packages.debian.org/src:phpunit
57: https://packages.debian.org/src:plasma-discover
58: https://packages.debian.org/src:prometheus
59: https://packages.debian.org/src:protobuf
60: https://packages.debian.org/src:pydantic
61: https://packages.debian.org/src:pymatgen
62: https://packages.debian.org/src:python-ase
63: https://packages.debian.org/src:python-django
64: https://packages.debian.org/src:python-filelock
65: https://packages.debian.org/src:python-markdown
66: https://packages.debian.org/src:python-pyramid
67: https://packages.debian.org/src:python-xmltodict
68: https://packages.debian.org/src:python3.11
69: https://packages.debian.org/src:qemu
70: https://packages.debian.org/src:rhino
71: https://packages.debian.org/src:rlottie
72: https://packages.debian.org/src:rsync
73: https://packages.debian.org/src:ruby-css-parser
74: https://packages.debian.org/src:rust-time
75: https://packages.debian.org/src:science.js
76: https://packages.debian.org/src:sentry-python
77: https://packages.debian.org/src:shim
78: https://packages.debian.org/src:shim-helpers-amd64-signed
79: https://packages.debian.org/src:shim-helpers-arm64-signed
80: https://packages.debian.org/src:shim-helpers-i386-signed
81: https://packages.debian.org/src:shim-signed
82: https://packages.debian.org/src:sqlite-utils
83: https://packages.debian.org/src:sshfs-fuse
84: https://packages.debian.org/src:sylpheed
85: https://packages.debian.org/src:user-mode-linux
86: https://packages.debian.org/src:vitrage
87: https://packages.debian.org/src:wireless-regdb
88: https://packages.debian.org/src:xz-utils
Security Updates
----------------
This revision adds the following security updates to the oldstable
release. The Security Team has already released an advisory for each of
these updates:
+----------------+--------------------------------+
| Advisory ID | Package |
+----------------+--------------------------------+
| DLA-4627 [89] | kernel-wedge [90] |
| | |
| DLA-4628 [91] | linux-base [92] |
| | |
| DLA-4632 [93] | atril [94] |
| | |
| DLA-4633 [95] | libreoffice [96] |
| | |
| DLA-4635 [97] | firefox-esr [98] |
| | |
| DLA-4636 [99] | thunderbird [100] |
| | |
| DLA-4637 [101] | libconfig-inifiles-perl [102] |
| | |
| DLA-4638 [103] | libgd-perl [104] |
| | |
| DLA-4639 [105] | libhttp-daemon-perl [106] |
| | |
| DLA-4642 [107] | u-boot [108] |
| | |
| DLA-4643 [109] | imagemagick [110] |
| | |
| DLA-4644 [111] | libmatio [112] |
| | |
| DLA-4648 [113] | libtext-csv-xs-perl [114] |
| | |
| DLA-4651 [115] | python-urllib3 [116] |
| | |
| DLA-4654 [117] | chromium [118] |
| | |
| DLA-4656 [119] | tor [120] |
| | |
| DLA-4657 [121] | sogo [122] |
| | |
| DLA-4658 [123] | librabbitmq [124] |
| | |
| DLA-4662 [125] | jq [126] |
| | |
| DLA-4665 [127] | linux-signed-amd64 [128] |
| | |
| DLA-4665 [129] | linux-signed-arm64 [130] |
| | |
| DLA-4665 [131] | linux-signed-i386 [132] |
| | |
| DLA-4665 [133] | linux [134] |
| | |
| DLA-4666 [135] | openvpn [136] |
| | |
| DLA-4667 [137] | nginx [138] |
| | |
| DLA-4668 [139] | sympa [140] |
| | |
| DLA-4669 [141] | php8.2 [142] |
| | |
| DLA-4672 [143] | chromium [144] |
| | |
| DLA-4674 [145] | chromium [146] |
| | |
| DSA-6250 [147] | chromium [148] |
| | |
| DSA-6266 [149] | nghttp2 [150] |
| | |
| DSA-6267 [151] | thunderbird [152] |
| | |
| DSA-6269 [153] | postgresql-15 [154] |
| | |
| DSA-6271 [155] | gsasl [156] |
| | |
| DSA-6272 [157] | nodejs [158] |
| | |
| DSA-6273 [159] | chromium [160] |
| | |
| DSA-6275 [161] | linux-signed-amd64 [162] |
| | |
| DSA-6275 [163] | linux-signed-arm64 [164] |
| | |
| DSA-6275 [165] | linux-signed-i386 [166] |
| | |
| DSA-6275 [167] | linux [168] |
| | |
| DSA-6276 [169] | ffmpeg [170] |
| | |
| DSA-6277 [171] | openjpeg2 [172] |
| | |
| DSA-6278 [173] | nginx [174] |
| | |
| DSA-6279 [175] | redis [176] |
| | |
| DSA-6281 [177] | gnutls28 [178] |
| | |
| DSA-6282 [179] | rsync [180] |
| | |
| DSA-6283 [181] | firefox-esr [182] |
| | |
| DSA-6285 [183] | bind9 [184] |
| | |
| DSA-6286 [185] | evince [186] |
| | |
| DSA-6287 [187] | chromium [188] |
| | |
| DSA-6288 [189] | thunderbird [190] |
| | |
| DSA-6289 [191] | openvpn [192] |
| | |
| DSA-6292 [193] | haveged [194] |
| | |
| DSA-6293 [195] | krb5 [196] |
| | |
| DSA-6294 [197] | libgcrypt20 [198] |
| | |
| DSA-6297 [199] | samba [200] |
| | |
| DSA-6299 [201] | kdenlive [202] |
| | |
| DSA-6300 [203] | node-shell-quote [204] |
| | |
| DSA-6301 [205] | roundcube [206] |
| | |
| DSA-6302 [207] | starlette [208] |
| | |
| DSA-6306 [209] | linux-signed-amd64 [210] |
| | |
| DSA-6306 [211] | linux-signed-arm64 [212] |
| | |
| DSA-6306 [213] | linux-signed-i386 [214] |
| | |
| DSA-6306 [215] | linux [216] |
| | |
| DSA-6308 [217] | nagios4 [218] |
| | |
| DSA-6309 [219] | exim4 [220] |
| | |
| DSA-6310 [221] | imagemagick [222] |
| | |
| DSA-6313 [223] | dovecot [224] |
| | |
| DSA-6316 [225] | chromium [226] |
| | |
| DSA-6317 [227] | php-symfony-contracts [228] |
| | |
| DSA-6317 [229] | symfony [230] |
| | |
| DSA-6319 [231] | yelp [232] |
| | |
| DSA-6320 [233] | php-twig [234] |
| | |
| DSA-6321 [235] | ceph [236] |
| | |
| DSA-6322 [237] | frr [238] |
| | |
| DSA-6323 [239] | apache2 [240] |
| | |
| DSA-6324 [241] | request-tracker5 [242] |
| | |
| DSA-6325 [243] | chromium [244] |
| | |
| DSA-6326 [245] | nginx [246] |
| | |
| DSA-6327 [247] | request-tracker4 [248] |
| | |
| DSA-6328 [249] | tomcat10 [250] |
| | |
| DSA-6330 [251] | strongswan [252] |
| | |
| DSA-6331 [253] | keystone [254] |
| | |
| DSA-6332 [255] | okular [256] |
| | |
| DSA-6333 [257] | mistral [258] |
| | |
| DSA-6334 [259] | poppler [260] |
| | |
| DSA-6335 [261] | openssl [262] |
| | |
| DSA-6336 [263] | jackson-core [264] |
| | |
| DSA-6336 [265] | jackson-databind [266] |
| | |
| DSA-6336 [267] | jackson-dataformat-smile [268] |
| | |
| DSA-6337 [269] | chromium [270] |
| | |
| DSA-6338 [271] | libdbi-perl [272] |
| | |
| DSA-6339 [273] | libinput [274] |
| | |
| DSA-6341 [275] | ironic [276] |
| | |
| DSA-6341 [277] | python-oslo.messaging [278] |
| | |
| DSA-6344 [279] | chromium [280] |
| | |
| DSA-6352 [281] | chromium [282] |
| | |
+----------------+--------------------------------+
89: https://www.debian.org/lts/security/2026/dla-4627
90: https://packages.debian.org/src:kernel-wedge
91: https://www.debian.org/lts/security/2026/dla-4628
92: https://packages.debian.org/src:linux-base
93: https://www.debian.org/lts/security/2026/dla-4632
94: https://packages.debian.org/src:atril
95: https://www.debian.org/lts/security/2026/dla-4633
96: https://packages.debian.org/src:libreoffice
97: https://www.debian.org/lts/security/2026/dla-4635
98: https://packages.debian.org/src:firefox-esr
99: https://www.debian.org/lts/security/2026/dla-4636
100: https://packages.debian.org/src:thunderbird
101: https://www.debian.org/lts/security/2026/dla-4637
102: https://packages.debian.org/src:libconfig-inifiles-perl
103: https://www.debian.org/lts/security/2026/dla-4638
104: https://packages.debian.org/src:libgd-perl
105: https://www.debian.org/lts/security/2026/dla-4639
106: https://packages.debian.org/src:libhttp-daemon-perl
107: https://www.debian.org/lts/security/2026/dla-4642
108: https://packages.debian.org/src:u-boot
109: https://www.debian.org/lts/security/2026/dla-4643
110: https://packages.debian.org/src:imagemagick
111: https://www.debian.org/lts/security/2026/dla-4644
112: https://packages.debian.org/src:libmatio
113: https://www.debian.org/lts/security/2026/dla-4648
114: https://packages.debian.org/src:libtext-csv-xs-perl
115: https://www.debian.org/lts/security/2026/dla-4651
116: https://packages.debian.org/src:python-urllib3
117: https://www.debian.org/lts/security/2026/dla-4654
118: https://packages.debian.org/src:chromium
119: https://www.debian.org/lts/security/2026/dla-4656
120: https://packages.debian.org/src:tor
121: https://www.debian.org/lts/security/2026/dla-4657
122: https://packages.debian.org/src:sogo
123: https://www.debian.org/lts/security/2026/dla-4658
124: https://packages.debian.org/src:librabbitmq
125: https://www.debian.org/lts/security/2026/dla-4662
126: https://packages.debian.org/src:jq
127: https://www.debian.org/lts/security/2026/dla-4665
128: https://packages.debian.org/src:linux-signed-amd64
129: https://www.debian.org/lts/security/2026/dla-4665
130: https://packages.debian.org/src:linux-signed-arm64
131: https://www.debian.org/lts/security/2026/dla-4665
132: https://packages.debian.org/src:linux-signed-i386
133: https://www.debian.org/lts/security/2026/dla-4665
134: https://packages.debian.org/src:linux
135: https://www.debian.org/lts/security/2026/dla-4666
136: https://packages.debian.org/src:openvpn
137: https://www.debian.org/lts/security/2026/dla-4667
138: https://packages.debian.org/src:nginx
139: https://www.debian.org/lts/security/2026/dla-4668
140: https://packages.debian.org/src:sympa
141: https://www.debian.org/lts/security/2026/dla-4669
142: https://packages.debian.org/src:php8.2
143: https://www.debian.org/lts/security/2026/dla-4672
144: https://packages.debian.org/src:chromium
145: https://www.debian.org/lts/security/2026/dla-4674
146: https://packages.debian.org/src:chromium
147: https://www.debian.org/security/2026/dsa-6250
148: https://packages.debian.org/src:chromium
149: https://www.debian.org/security/2026/dsa-6266
150: https://packages.debian.org/src:nghttp2
151: https://www.debian.org/security/2026/dsa-6267
152: https://packages.debian.org/src:thunderbird
153: https://www.debian.org/security/2026/dsa-6269
154: https://packages.debian.org/src:postgresql-15
155: https://www.debian.org/security/2026/dsa-6271
156: https://packages.debian.org/src:gsasl
157: https://www.debian.org/security/2026/dsa-6272
158: https://packages.debian.org/src:nodejs
159: https://www.debian.org/security/2026/dsa-6273
160: https://packages.debian.org/src:chromium
161: https://www.debian.org/security/2026/dsa-6275
162: https://packages.debian.org/src:linux-signed-amd64
163: https://www.debian.org/security/2026/dsa-6275
164: https://packages.debian.org/src:linux-signed-arm64
165: https://www.debian.org/security/2026/dsa-6275
166: https://packages.debian.org/src:linux-signed-i386
167: https://www.debian.org/security/2026/dsa-6275
168: https://packages.debian.org/src:linux
169: https://www.debian.org/security/2026/dsa-6276
170: https://packages.debian.org/src:ffmpeg
171: https://www.debian.org/security/2026/dsa-6277
172: https://packages.debian.org/src:openjpeg2
173: https://www.debian.org/security/2026/dsa-6278
174: https://packages.debian.org/src:nginx
175: https://www.debian.org/security/2026/dsa-6279
176: https://packages.debian.org/src:redis
177: https://www.debian.org/security/2026/dsa-6281
178: https://packages.debian.org/src:gnutls28
179: https://www.debian.org/security/2026/dsa-6282
180: https://packages.debian.org/src:rsync
181: https://www.debian.org/security/2026/dsa-6283
182: https://packages.debian.org/src:firefox-esr
183: https://www.debian.org/security/2026/dsa-6285
184: https://packages.debian.org/src:bind9
185: https://www.debian.org/security/2026/dsa-6286
186: https://packages.debian.org/src:evince
187: https://www.debian.org/security/2026/dsa-6287
188: https://packages.debian.org/src:chromium
189: https://www.debian.org/security/2026/dsa-6288
190: https://packages.debian.org/src:thunderbird
191: https://www.debian.org/security/2026/dsa-6289
192: https://packages.debian.org/src:openvpn
193: https://www.debian.org/security/2026/dsa-6292
194: https://packages.debian.org/src:haveged
195: https://www.debian.org/security/2026/dsa-6293
196: https://packages.debian.org/src:krb5
197: https://www.debian.org/security/2026/dsa-6294
198: https://packages.debian.org/src:libgcrypt20
199: https://www.debian.org/security/2026/dsa-6297
200: https://packages.debian.org/src:samba
201: https://www.debian.org/security/2026/dsa-6299
202: https://packages.debian.org/src:kdenlive
203: https://www.debian.org/security/2026/dsa-6300
204: https://packages.debian.org/src:node-shell-quote
205: https://www.debian.org/security/2026/dsa-6301
206: https://packages.debian.org/src:roundcube
207: https://www.debian.org/security/2026/dsa-6302
208: https://packages.debian.org/src:starlette
209: https://www.debian.org/security/2026/dsa-6306
210: https://packages.debian.org/src:linux-signed-amd64
211: https://www.debian.org/security/2026/dsa-6306
212: https://packages.debian.org/src:linux-signed-arm64
213: https://www.debian.org/security/2026/dsa-6306
214: https://packages.debian.org/src:linux-signed-i386
215: https://www.debian.org/security/2026/dsa-6306
216: https://packages.debian.org/src:linux
217: https://www.debian.org/security/2026/dsa-6308
218: https://packages.debian.org/src:nagios4
219: https://www.debian.org/security/2026/dsa-6309
220: https://packages.debian.org/src:exim4
221: https://www.debian.org/security/2026/dsa-6310
222: https://packages.debian.org/src:imagemagick
223: https://www.debian.org/security/2026/dsa-6313
224: https://packages.debian.org/src:dovecot
225: https://www.debian.org/security/2026/dsa-6316
226: https://packages.debian.org/src:chromium
227: https://www.debian.org/security/2026/dsa-6317
228: https://packages.debian.org/src:php-symfony-contracts
229: https://www.debian.org/security/2026/dsa-6317
230: https://packages.debian.org/src:symfony
231: https://www.debian.org/security/2026/dsa-6319
232: https://packages.debian.org/src:yelp
233: https://www.debian.org/security/2026/dsa-6320
234: https://packages.debian.org/src:php-twig
235: https://www.debian.org/security/2026/dsa-6321
236: https://packages.debian.org/src:ceph
237: https://www.debian.org/security/2026/dsa-6322
238: https://packages.debian.org/src:frr
239: https://www.debian.org/security/2026/dsa-6323
240: https://packages.debian.org/src:apache2
241: https://www.debian.org/security/2026/dsa-6324
242: https://packages.debian.org/src:request-tracker5
243: https://www.debian.org/security/2026/dsa-6325
244: https://packages.debian.org/src:chromium
245: https://www.debian.org/security/2026/dsa-6326
246: https://packages.debian.org/src:nginx
247: https://www.debian.org/security/2026/dsa-6327
248: https://packages.debian.org/src:request-tracker4
249: https://www.debian.org/security/2026/dsa-6328
250: https://packages.debian.org/src:tomcat10
251: https://www.debian.org/security/2026/dsa-6330
252: https://packages.debian.org/src:strongswan
253: https://www.debian.org/security/2026/dsa-6331
254: https://packages.debian.org/src:keystone
255: https://www.debian.org/security/2026/dsa-6332
256: https://packages.debian.org/src:okular
257: https://www.debian.org/security/2026/dsa-6333
258: https://packages.debian.org/src:mistral
259: https://www.debian.org/security/2026/dsa-6334
260: https://packages.debian.org/src:poppler
261: https://www.debian.org/security/2026/dsa-6335
262: https://packages.debian.org/src:openssl
263: https://www.debian.org/security/2026/dsa-6336
264: https://packages.debian.org/src:jackson-core
265: https://www.debian.org/security/2026/dsa-6336
266: https://packages.debian.org/src:jackson-databind
267: https://www.debian.org/security/2026/dsa-6336
268: https://packages.debian.org/src:jackson-dataformat-smile
269: https://www.debian.org/security/2026/dsa-6337
270: https://packages.debian.org/src:chromium
271: https://www.debian.org/security/2026/dsa-6338
272: https://packages.debian.org/src:libdbi-perl
273: https://www.debian.org/security/2026/dsa-6339
274: https://packages.debian.org/src:libinput
275: https://www.debian.org/security/2026/dsa-6341
276: https://packages.debian.org/src:ironic
277: https://www.debian.org/security/2026/dsa-6341
278: https://packages.debian.org/src:python-oslo.messaging
279: https://www.debian.org/security/2026/dsa-6344
280: https://packages.debian.org/src:chromium
281: https://www.debian.org/security/2026/dsa-6352
282: https://packages.debian.org/src:chromium
Removed packages
----------------
The following packages were removed due to circumstances beyond our
control:
+-------------+-------------------------------------+
| Package | Reason |
+-------------+-------------------------------------+
| smb4k [283] | Unable to continue security support |
| | |
+-------------+-------------------------------------+
283: https://packages.debian.org/src:smb4k
Debian Installer
----------------
The installer has been updated to include the fixes incorporated into
oldstable by the point release.
URLs
----
The complete lists of packages that have changed with this revision:
https://deb.debian.org/debian/dists/bookworm/ChangeLog
The current oldstable distribution:
https://deb.debian.org/debian/dists/oldstable/
Proposed updates to the oldstable distribution:
https://deb.debian.org/debian/dists/oldstable-proposed-updates
oldstable distribution information (release notes, errata etc.):
https://www.debian.org/releases/oldstable/
Security announcements and information:
https://www.debian.org/security/
About Debian
------------
The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.
Contact Information
-------------------
For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.