Atualização Debian 13: 13.3 lançado
10 de Janeiro de 2026
O projeto Debian está feliz em anunciar a terceira atualização de sua
versão estável (stable) do Debian 13 (codinome trixie
).
Esta versão pontual adiciona principalmente correções para problemas de
segurança, além de pequenos ajustes para problemas mais sérios. Avisos de
segurança já foram publicados em separado e são referenciados quando
necessário.
Por favor, note que a versão pontual não constitui uma nova versão do Debian
13, mas apenas atualiza alguns dos pacotes já incluídos. Não há
necessidade de jogar fora as antigas mídias da trixie
. Após a
instalação, os pacotes podem ser atualizados para as versões atuais usando um
espelho atualizado do Debian.
Aquelas pessoas que frequentemente instalam atualizações a partir de security.debian.org não terão que atualizar muitos pacotes, e a maioria de tais atualizações estão incluídas na versão pontual.
Novas imagens de instalação logo estarão disponíveis nos locais habituais.
A atualização de uma instalação existente para esta revisão pode ser feita apontando o sistema de gerenciamento de pacotes para um dos muitos espelhos HTTP do Debian. Uma lista abrangente de espelhos está disponível em:
Correções gerais de bugs
Esta atualização da versão estável (stable) adiciona algumas correções importantes para os seguintes pacotes:
| Pacote | Justificativa |
|---|---|
| ansible | New upstream stable release |
| apache2 | New upstream stable release; fix integer overflow issue [CVE-2025-55753]; don't pass querystring to #exec directives [CVE-2025-58098]; fix improper parsing of environment variables [CVE-2025-65082]; fix mod_userdir+suexec bypass issue [CVE-2025-66200] |
| at-spi2-core | Ensure xkb group is taken into account for key events |
| awffull | Fix systemd timer invocation to avoid premature cron-script exit |
| base-files | Update for the point release |
| bash | Rebuild with updated glibc |
| bglibs | Rebuild with updated glibc |
| busybox | Rebuild with updated glibc |
| calibre | Fix FB2 embedded binary handling in conversion plugin [CVE-2025-64486] |
| catatonit | Rebuild with updated glibc |
| cdebootstrap | Rebuild with updated glibc |
| chkrootkit | Rebuild with updated glibc |
| cloud-init | Ensure deb822 sources.list template renders correctly |
| composer | Fix ANSI sequence injection [CVE-2025-67746] |
| condor | Rebuild with updated glibc |
| cups-filters | Fix TIFF parser bounds/validation issues [CVE-2025-57812]; clamp oversized PDF MediaBox-derived page size in pdftoraster [CVE-2025-64503]; avoid rastertopclx infinite loop and heap overflow on crafted raster input [CVE-2025-64524] |
| dar | Rebuild with updated curl, glibc, openssl |
| debian-installer | Increase Linux kernel ABI to 6.12.63+deb13; rebuild against proposed updates |
| debian-installer-netboot-images | Rebuild against proposed-updates |
| debian-security-support | Mark hdf5 and zabbix as receiving limited support; mark wpewebkit as unsupported |
| debos | Move systemd-resolved from Recommends to Depends |
| dgit | git-debrebase: use different directory for nested workareas |
| dhcpcd | Re-enable ntp_servers option by default |
| diffoscope | Fix tests when ukify is newer |
| distribution-gpg-keys | Update included keys |
| distrobuilder | Rebuild with updated containerd, incus |
| docker.io | Rebuild with updated containerd, glibc |
| dpdk | New upstream stable release |
| e2fsprogs | Rebuild with updated glibc |
| edk2 | Fix timing side-channel issue in ECDSA signature computation [CVE-2024-13176]; fix out-of-bounds memory access issue [CVE-2024-38805]; fix code execution issue [CVE-2025-3770] |
| exfatprogs | Ensure mkfs.exfat defaults to 512-byte sectors for Windows compatibility |
| extrepo-data | Update repository information; fix handling for future Debian releases |
| flatpak | New upstream stable release |
| fpdf2 | Fix use of variable fonts |
| freedombox | distupgrade: Handle comments in sources.list file; update trixie's release date; backups: Set proper permissions for backups-data directory [CVE-2025-68462] |
| freeradius | Fix TLS verification segfault when certificate chains include multiple intermediate certificates |
| glib2.0 | Fix various integer overflow issues [CVE-2025-13601 CVE-2025-14087 CVE-2025-14512] |
| glibc | Fix a double lock init issue after fork(); fix SYSCALL_CANCEL for return values larger than INT_MAX; fix crash in ifunc functions on arm64 when hardening with -ftrivial-auto-var-init=zero; fix _dl_find_object when ld.so has LOAD segment gaps, causing wrong backtrace unwinding; optimize inverse trig function, SVE exp, hyperbolic, and log1p functions on arm64 |
| gnome-shell | New upstream bugfix release |
| gnupg2 | Avoid potential downgrade to SHA1 in 3rd party key signatures; error out on unverified output for non-detached signatures; fix possible memory corruption in the armor parser [CVE-2025-68973]; do not use a default when asking for another output filename; rebuild with updated glibc |
| gnutls28 | Fix PKCS#11 token label bounds in gnutls_pkcs11_token_init [CVE-2025-9820]; initialise PKCS#11 modules in thread-safe mode with fallback |
| golang-github-awslabs-soci-snapshotter | Rebuild with updated containerd |
| golang-github-containerd-imgcrypt | Rebuild with updated containerd |
| golang-github-containerd-nydus-snapshotter | Rebuild with updated containerd |
| golang-github-containerd-stargz-snapshotter | Rebuild with updated containerd |
| golang-github-containers-buildah | Rebuild with updated containerd |
| golang-github-openshift-imagebuilder | Rebuild with updated containerd |
| imagemagick | Fix denial of service issues [CVE-2025-62594 CVE-2025-68618]; fix use-after-free issue [CVE-2025-65955]; fix integer overflow issues [CVE-2025-66628 CVE-2025-69204]; fix infinite loop issue [CVE-2025-68950] |
| incus | Fix AppArmor profile generation for nested containers |
| integrit | Rebuild with updated glibc |
| intel-microcode | Update Intel processor microcode to 20251111 |
| iperf3 | Fix authentication RSA encryption buffer length initialisation for OpenSSL 3.5.3+; avoid build failures with newer OpenSSL |
| kleopatra | Fix failure to start with a file argument on GNOME |
| libcap2 | Rebuild with updated glibc |
| libcoap3 | Fix configuration file parsing issue [CVE-2025-59391]; fix NULL pointer dereference issues [CVE-2025-65493 CVE-2025-65494 CVE-2025-65496 CVE-2025-65497 CVE-2025-65498 CVE-2025-65500 CVE-2025-65501]; fix integer signedness issue [CVE-2025-65495]; fix array index error issue [CVE-2025-65499] |
| libcupsfilters | Fix TIFF parser bounds/validation issues [CVE-2025-57812]; clamp oversized PDF MediaBox-derived page size in pdftoraster [CVE-2025-64503] |
| libphp-adodb | Fix SQL injection issue in sqlite(3) drivers [CVE-2025-54119] |
| libreoffice | Set Bulgaria locale default currency to EUR |
| libvirt | Perform ACL checks earlier, preventing malicious users from potentially being able to crash the daemon [CVE-2025-12748]; ensure that newly-created snapshots are not world-readable [CVE-2025-13193]; apply the detect_zeroes settings across all layers of the backing chain instead of just the topmost one |
| linux | New upstream stable release |
| linux-signed-amd64 | New upstream stable release |
| linux-signed-arm64 | New upstream stable release |
| lua-wsapi | Fix Lua 5.1 support |
| lxc | Add lxc-net dependency to sysvinit script; stop printing misleading errors in enter_net_ns(); fix generation of apparmor.d/abstractions/lxc/container-base; fix restarting unprivileged containers |
| lxd | Fix broken idmapping with kernel 6.9+; tighten storage pool volume permissions [CVE-2025-64507] |
| matlab-support | Avoid renaming MATLAB vendored Vulkan/FreeType libraries |
| mbedtls | New upstream stable release; fix timing issues [CVE-2025-54764 CVE-2025-59438] |
| mirrorbits | Fix fallback redirects when Redis/file metadata is unavailable; normalise fallback mirror URLs to avoid malformed redirects |
| mongo-c-driver | Avoid invalid memory reads [CVE-2025-12119] |
| mutter | New upstream bugfix release |
| node-nodemailer | Fix addressparser recipient parsing for quoted nested addresses [CVE-2025-13033] |
| openconnect | Respect path in AnyConnect/OpenConnect XML form handling; fix failure to build with MinGW32/64; use RFC9266 'tls-exporter' channel bindings for Cisco STRAP with TLSv1.3 |
| pgbouncer | Fix arbitary SQL execution issue [CVE-2025-12819] |
| podman | Rebuild with updated containerd |
| postgresql-17 | New upstream stable release; check for CREATE privileges on the schema in CREATE STATISTICS [CVE-2025-12817]; avoid integer overflow in allocation-size calculations within libpq [CVE-2025-12818] |
| pylint-django | Fix use with new astroid |
| qemu | New upstream stable release; fix use after free issue [CVE-2025-11234]; fix buffer overflow issue [CVE-2025-12464] |
| qiv | Fix Wayland startup crash by forcing X11 GDK backend |
| r-bioc-beachmat | Fix test that depends on the beachmat.hdf5R package, which is not yet in Debian |
| r-cran-gh | Fix exposure of request headers in returned response objects [CVE-2025-54956]; ensure pagination passes authentication context explicitly; update tests and documentation |
| reform-tools | Fix building lpc with Linux >= 6.17 |
| rlottie | Fix outlying coordinate rejection in FreeType rasteriser [CVE-2025-0634 CVE-2025-53074 CVE-2025-53075] |
| rsync | Fix out-of-bounds read via negative array index in sender file list handling [CVE-2025-10158] |
| rust-repro-env | Rebuild with updated rust-sequoia-openpgp |
| rust-ripasso-cursive | Rebuild with updated rust-sequoia-openpgp |
| rust-sequoia-chameleon-gnupg | Rebuild with updated rust-sequoia-openpgp |
| rust-sequoia-git | Rebuild with updated rust-sequoia-openpgp |
| rust-sequoia-keystore-server | Rebuild with updated rust-sequoia-openpgp |
| rust-sequoia-octopus-librnp | Rebuild with updated rust-sequoia-openpgp |
| rust-sequoia-openpgp | Fix buffer underflow in aes_key_unwrap [CVE-2025-67897] |
| rust-sequoia-sop | Rebuild with updated rust-sequoia-openpgp |
| rust-sequoia-sq | Rebuild with updated rust-sequoia-openpgp |
| rust-sequoia-sqv | Rebuild with updated rust-sequoia-openpgp |
| sash | Rebuild with updated glibc |
| sbuild | Explicitly select the sbuild-build-depends-main-dummy package architecture; preserve TMPDIR when running autopkgtest; lib/Sbuild/Build.pm: preserve TMPDIR for piuparts; obey $TMPDIR for autopkgtest dsc mkdtemp |
| snapd | Rebuild with updated glibc |
| sogo | Fix cross-site scripting issues [CVE-2025-63498 CVE-2025-63499] |
| suricata | Fix verdict logging bounds checks [CVE-2025-64330]; fix various logging stack overflows [CVE-2025-64331 CVE-2025-64332 CVE-2025-64333 CVE-2025-64344] |
| survex | Fix the width of the find stationssearch box to make it actually usable again |
| swupdate | Fix suricatta reboot-mode signalling via progress interface |
| symfony | Fix PATH_INFO parsing [CVE-2025-64500]; drop failing Finder testsuite data entries |
| tini | Rebuild with updated glibc |
| tripwire | Rebuild with updated glibc |
| tsocks | Rebuild with updated glibc |
| tzsetup | Fix timezone for Argentina and Ukraine |
| user-mode-linux | Rebuild with Linux 6.12.63-1 |
| yorick-gy | Fix GIR module version loading for Gtk/Gdk; switch to multiarch-friendly libgirepository-1.0-dev build-dependency; incorporate GCC-14/15 build fixes; update watch file and metadata |
| zsh | Rebuild with updated glibc, pcre |
Atualizações de segurança
Esta revisão adiciona as seguintes atualizações de segurança para a versão estável (stable). A equipe de segurança já lançou um aviso para cada uma dessas atualizações:
Instalador do Debian
O instalador foi atualizado para incluir as correções incorporadas na versão estável (stable) pela versão pontual.
URLs
As listas completas dos pacotes que foram alterados por esta revisão:
A atual versão estável (stable):
Atualizações propostas (proposed updates) para a versão estável (stable):
Informações da versão estável (stable) (notas de lançamento, errata, etc):
Anúncios de segurança e informações:
Sobre o Debian
O projeto Debian é uma associação de desenvolvedores(as) de Software Livre que dedicam seu tempo e esforço como voluntários(as) para produzir o sistema operacional completamente livre Debian.
Informações de contato
Para mais informações, por favor visite as páginas web do Debian em https://www.debian.org/, envie um e-mail (em inglês) para <press@debian.org>, ou entre em contato (em inglês) com a equipe de lançamento da versão estável (stable) em <debian-release@lists.debian.org>.