Updated Debian 12: 12.13 released
January 10, 2026
The Debian project is pleased to announce the thirteenth update of its
stable distribution Debian 12 (codename bookworm).
This point release mainly adds corrections for security issues, along with
a few adjustments for more serious problems. Security advisories have
already been published separately and are referenced when necessary.
Please note that the point release does not constitute a new version of Debian
12 but only updates some of the packages already included. There is no
need to throw away old bookworm media. After installation, packages can be
upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous bug fixes
This stable update adds a few important corrections to the following packages:
| Package | Reason |
|---|---|
| allow-html-temp | New upstream version to support newer Thunderbird releases |
| angular.js | Fix regular expression-based denial of service issues [CVE-2022-25844 CVE-2023-26116 CVE-2023-26117 CVE-2023-26118]; fix restriction bypass issues [CVE-2024-8372 CVE-2024-8373]; fix denial of service issue [CVE-2024-21490]; fix improper sanitization issues [CVE-2025-0716 CVE-2025-2336] |
| apache2 | New upstream stable release; fix integer overflow issue [CVE-2025-55753]; don't pass querystring to #exec directives [CVE-2025-58098]; fix improper parsing of environment variables [CVE-2025-65082]; fix mod_userdir+suexec bypass issue [CVE-2025-66200] |
| base-files | Update for the point release |
| bash | Rebuild with updated glibc |
| btrfs-progs | Device stats: fix printing wrong values in tabular output |
| busybox | Rebuild with updated glibc |
| c-icap-modules | Rebuild against libclamav12; disable clamav support on armel, mipsel and mips64el |
| calibre | Fix code execution issue [CVE-2025-64486] |
| cdebootstrap | Rebuild with updated glibc |
| chkrootkit | Rebuild with updated glibc |
| clamav | New upstream long term support release |
| composer | Fix ANSI sequence injection [CVE-2025-67746] |
| cups-filters | Fix TIFF parser bounds/validation issues [CVE-2025-57812]; clamp oversized PDF MediaBox-derived page size in pdftoraster [CVE-2025-64503]; avoid rastertopclx infinite loop and heap overflow on crafted raster input [CVE-2025-64524] |
| cyrus-imapd | Rebuild against libclamav12; disable clamav support on armel, mipsel and mips64el |
| dar | Rebuild with updated glibc |
| debian-installer | Increase Linux kernel ABI to 6.1.0-42; rebuild against oldstable-proposed-updates |
| debian-installer-netboot-images | Rebuild against oldstable-proposed-updates |
| debian-security-support | Mark hdf5, libsoup2.4, libsoup3 and zabbix as receiving limited support; mark dnsdist, pdns, pdns-recursor as unsupported |
| distro-info-data | Update bookworm EoL date; add Ubuntu 26.04 LTS Resolute Raccoon |
| docker.io | Rebuild with updated containerd, glibc |
| dpdk | New upstream stable release |
| e2guardian | Disable clamav support on armel, mipsel and mips64el |
| freerdp2 | New upstream release; fix multiple memory-safety vulnerabilities: integer overflow/underflow and out-of-bounds write in NSC, Clear, and GDI bitmap codecs [CVE-2024-22211 CVE-2024-32037 CVE-2024-32038 CVE-2024-32039 CVE-2024-32040]; out-of-bounds reads in ZGFX, Planar, NCRUSH, Interleaved, and RFX codecs [CVE-2024-32041 CVE-2024-32457 CVE-2024-32458 CVE-2024-32459 CVE-2024-32460]; invalid memory access in freerdp_peer_get_logon_info [CVE-2024-32661]; bounds-check and overflow fixes; update for GCC 14 / FFmpeg 7 build compatibility |
| gcc-bpf | Rebuild with updated glibc |
| gcc-or1k-elf | Rebuild with updated glibc |
| gcc-riscv64-unknown-elf | Rebuild with updated glibc |
| gcc-xtensa-lx106 | Rebuild with updated glibc |
| gdk-pixbuf | Fix buffer overflow issue [CVE-2025-7345] |
| ghdl | Rebuild with updated glibc |
| git | Fix arbitrary file creation/truncation in gitk [CVE-2025-27613]; prevent arbitrary file overwrite in git-gui with crafted directory names [CVE-2025-46835]; correct submodule path parsing with trailing CR [CVE-2025-48384]; validate bundle-uri to prevent protocol injection during clone [CVE-2025-48385] |
| glib2.0 | Fix various integer overflow issues [CVE-2025-13601 CVE-2025-14087 CVE-2025-14512] |
| gnupg2 | Avoid potential downgrade to SHA1 in 3rd party key signatures; error out on unverified output for non-detached signatures; fix possible memory corruption in the armor parser [CVE-2025-68973]; do not use a default when asking for another output filename |
| golang-github-containerd-stargz-snapshotter | Rebuild with updated containerd |
| golang-github-containers-buildah | Rebuild with updated containerd |
| golang-github-openshift-imagebuilder | Rebuild with updated containerd |
| imagemagick | Fix denial of service issues [CVE-2025-62594 CVE-2025-68618]; fix use-after-free issue [CVE-2025-65955]; fix integer overflow issues [CVE-2025-62171 CVE-2025-66628 CVE-2025-69204]; fix infinite loop issue [CVE-2025-68950] |
| intel-microcode | Update Intel processor microcode to 20251111 |
| lemonldap-ng | Fix sessions tablename when not default; fix oidc flow when user encountered an error on server side; fix Kerberos JavaScript when used with Choice; improve CORS checking; fix path_info handling; fix shell injection issue [CVE-2025-59518]; hide session id from Ajax responses |
| libcap2 | Rebuild with updated glibc |
| libclamunrar | New upstream release, aligning with clamav 1.4.3 |
| libcommons-lang-java | Fix uncontrolled recursion issue [CVE-2025-48924] |
| libcommons-lang3-java | Fix uncontrolled recursion issue [CVE-2025-48924] |
| libhtp | Fix denial of service issue via unbounded HTTP header processing [CVE-2024-23837 CVE-2024-45797] |
| libnginx-mod-http-lua | Fix HTTP HEAD request smuggling [CVE-2024-33452] |
| libphp-adodb | Fix SQL injection in sqlite and sqlite3 metadata lookups [CVE-2025-54119] |
| libpod | Rebuild with updated containerd |
| libreoffice | Set Bulgaria locale default currency to EUR |
| libssh | Fix integer overflow issue [CVE-2025-4877]; fix use of uninitialized variable [CVE-2025-4878]; fix out of bounds memory access issue [CVE-2025-5318]; fix double free issue [CVE-2025-5351]; fix use of uninitialized memory [CVE-2025-5372 CVE-2025-5987]; fix null pointer dereference issue [CVE-2025-8114]; fix memory leak [CVE-2025-8277] |
| libxml2 | Fix denial of service issue [CVE-2025-9714] |
| libyaml-syck-perl | Fix memory corruption leading to strvalue being set on empty keys |
| linux | New upstream stable release |
| linux-signed-amd64 | New upstream stable release |
| linux-signed-arm64 | New upstream stable release |
| linux-signed-i386 | New upstream stable release |
| log4cxx | Fix improper escaping issues [CVE-2025-54812 CVE-2025-54813] |
| luksmeta | Fix data corruption issue with LUKS1 [CVE-2025-11568] |
| modsecurity-apache | Fix request body error handling to propagate Apache filter/read failures correctly [CVE-2025-54571]; map request body read failures to appropriate HTTP status codes; simplify request body error propagation in mod_security2 |
| mongo-c-driver | Avoid invalid memory reads [CVE-2025-12119] |
| mydumper | Fix arbitrary file read issue [CVE-2025-30224] |
| nvidia-graphics-drivers | New upstream bugfix release [CVE-2025-23279 CVE-2025-23286] |
| nvidia-open-gpu-kernel-modules | New upstream bugfix release [CVE-2025-23279 CVE-2025-23286] |
| onetbb | Fix build failure on single-CPU and CI environments by skipping problematic tests |
| open-vm-tools | Disable SDMP service version collection by default to mitigate local privilege escalation [CVE-2025-41244] |
| openrefine | Fix MySQL host parameter injection in JDBC URL parsing [CVE-2024-23833]; fix reflected XSS in gdata OAuth callback handler [CVE-2024-47878]; fix content-type confusion XSS in ExportRows endpoint [CVE-2024-47880]; prevent remote or extension loading via SQLite connection URL [CVE-2024-47881]; escape HTML in error stack traces [CVE-2024-47882]; prevent path traversal in language file loading [CVE-2024-49760] |
| openssl | New upstream stable release |
| pam | Fix local privilege escalation in pam_namespace [CVE-2025-6020] |
| pg-snakeoil | Rebuild against libclamav12 |
| pgbouncer | Fix arbitrary SQL execution issue [CVE-2025-12819]; fix expired password use issue [CVE-2025-2291] |
| postgresql-15 | New upstream stable release; check for CREATE privileges on the schema in CREATE STATISTICS [CVE-2025-12817]; avoid integer overflow in allocation-size calculations within libpq [CVE-2025-12818] |
| qemu | New upstream stable release; fix qemu-img info https://example.com; fix migration of guests using virtio-net; fix use after free issue [CVE-2025-11234] |
| qpwgraph | Add missing dependency on libqt6svg6 |
| r-cran-gh | Fix sensitive data leak issue [CVE-2025-54956] |
| rear | Prevent created initrd from being world-readable when GRUB_RESCUE=y [CVE-2024-23301] |
| rescue | Improve btrfs support |
| rlottie | Fix outlying coordinate rejection in FreeType rasteriser [CVE-2025-0634 CVE-2025-53074 CVE-2025-53075] |
| rsync | Improve test coverage for future updates; fix out-of-bounds read via negative array index in sender file list handling [CVE-2025-10158] |
| ruby-sinatra | Fix regular expression-based denial of service issue [CVE-2025-61921] |
| samba | Fix information leak issue [CVE-2018-14628]; fix command injection issue [CVE-2025-10230]; fix uninitialized memory disclosure issue [CVE-2025-9640] |
| sash | Rebuild with updated glibc |
| shadow | Fix segmentation fault in groupmod |
| skeema | Rebuild with updated containerd |
| snapd | Rebuild with updated containerd |
| sogo | Fix HTML injection issue [CVE-2023-48104]; fix CSS injection issue [CVE-2024-24510]; fix cross-site scripting issues [CVE-2025-63498 CVE-2025-63499]; fix crash on invalid mailIdentities |
| squid | Fix denial of service issue [CVE-2023-46728]; fix mishandling of long SNMP OIDs in ASN.1 [CVE-2025-59362]; disable ESI feature support, fixing several issues [CVE-2024-45802]; remove Gopher support |
| sudo | Enable Intel CET on amd64 only |
| supermin | Rebuild with updated glibc |
| symfony | Fix PATH_INFO parsing [CVE-2025-64500]; drop failing Finder testsuite data entries |
| syslog-ng | Fix incorrect wildcard matching in certificate names [CVE-2024-47619] |
| tripwire | Rebuild with updated glibc |
| u-boot | Fix integer overflow issues [CVE-2024-57254 CVE-2024-57255 CVE-2024-57256 CVE-2024-57258]; fix stack consumption issue [CVE-2024-57257]; fix heap corruption issue [CVE-2024-57259] |
| ublock-origin | New upstream release; improve user experience and add new filter capabilities; fix denial of service issue [CVE-2025-4215] |
| unbound | Fix denial of service issue [CVE-2024-33655]; fix possible domain hijack issue [CVE-2025-11411]; fix unbound-anchor cannot deal with full disk; fix potential amplification DDoS attacks; fix incorrect return of NODATA for some ANY queries |
| user-mode-linux | Rebuild with updated linux |
| vtk9 | Fix inability to read VTK XML files with appended data on newer expat |
| zsh | Rebuild with updated glibc, libcap2 |
Security updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
| Package | Reason |
|---|---|
| clamav | [armel mipsel mips64el] No longer supportable on architectures without newer Rust support |
| clamsmtp | [armel mipsel mips64el] Depends on to-be-removed clamav |
| libc-icap-mod-virus-scan | [armel mipsel mips64el] Depends on to-be-removed clamav |
| libclamunrar | [armel mipsel mips64el] Depends on to-be-removed clamav |
| pagure | Broken, security issues |
| pg-snakeoil | [armel mipsel mips64el] Depends on to-be-removed clamav |
Debian Installer
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
Stable distribution information (release notes, errata, etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort to produce the completely free operating system Debian.
Contact information
For further information, please visit the Debian web pages at https://www.debian.org/, send an e-mail (in English) to <press@debian.org>, or contact (in English) the stable release team at <debian-release@lists.debian.org>.
