Atualização Debian 12: 12.12 lançado
6 de Setembro de 2025
O projeto Debian está feliz em anunciar a décima segunda atualização de sua
versão estável (stable) do Debian 12 (codinome bookworm
).
Esta versão pontual adiciona principalmente correções para problemas de
segurança, além de pequenos ajustes para problemas mais sérios. Avisos de
segurança já foram publicados em separado e são referenciados quando
necessário.
Por favor, note que a versão pontual não constitui uma nova versão do Debian
12, mas apenas atualiza alguns dos pacotes já incluídos. Não há
necessidade de jogar fora as antigas mídias do bookworm
. Após a
instalação, os pacotes podem ser atualizados para as versões atuais usando um
espelho atualizado do Debian.
Aquelas pessoas que frequentemente instalam atualizações a partir de security.debian.org não terão que atualizar muitos pacotes, e a maioria de tais atualizações estão incluídas na versão pontual.
Novas imagens de instalação logo estarão disponíveis nos locais habituais.
A atualização de uma instalação existente para esta revisão pode ser feita apontando o sistema de gerenciamento de pacotes para um dos muitos espelhos HTTP do Debian. Uma lista abrangente de espelhos está disponível em:
Correções gerais de bugs
Esta atualização da versão estável (stable) adiciona algumas correções importantes para os seguintes pacotes:
| Pacote | Justificativa |
|---|---|
| amd64-microcode | Update AMD-SEV firmware [CVE-2024-56161]; update included microcode |
| aom | Fix libaom encoder output validity |
| apache2 | New upstream stable release; fix HTTP response splitting issue [CVE-2024-42516]; fix server-side request forgery issue [CVE-2024-43204 CVE-2024-43394]; fix log injection issue [CVE-2024-47252]; fix access control bypass issue [CVE-2025-23048]; fix denial of service issue [CVE-2025-49630]; fix potential man-in-the-middle issue [CVE-2025-49812]; fix memory lifetime management issue [CVE-2025-53020] |
| b43-fwcutter | Update firmware URL |
| balboa | Rebuild against glibc 2.36-9+deb12u12 |
| base-files | Update for the point release |
| bash | Rebuild against glibc 2.36-9+deb12u12 |
| botan | Fix denial of service issues [CVE-2024-34702 CVE-2024-34703]; fix improper parsing of name constraints [CVE-2024-39312]; fix compiler-induced secret-dependent operation issue [CVE-2024-50383] |
| busybox | Rebuild against glibc 2.36-9+deb12u12 |
| ca-certificates | Add Sectigo Public Server Authentication Root E46 and Sectigo Public Server Authentication Root R46 |
| catatonit | Rebuild against glibc 2.36-9+deb12u12 |
| cdebootstrap | Rebuild against glibc 2.36-9+deb12u12 |
| chkrootkit | Rebuild against glibc 2.36-9+deb12u12 |
| cjson | Fix denial of service issue [CVE-2023-26819]; fix buffer overflow issue [CVE-2023-53154] |
| clamav | New upstream stable release; fix buffer overflow issues [CVE-2025-20128 CVE-2025-20260] |
| cloud-init | Make hotplug socket writable only by root [CVE-2024-11584]; don't attempt to identify non-x86 OpenStack instances [CVE-2024-6174] |
| commons-beanutils | Fix improper access control issue [CVE-2025-48734] |
| commons-vfs | Fix path traversal issue [CVE-2025-27553] |
| corosync | Fix buffer overflow vulnerability on large UDP packets [CVE-2025-30472] |
| criu | Fix restore functionality of mount namespaces with newer kernel versions |
| curl | Fix regression handling sftp://host/~ URIs; fix a memory leak |
| dar | Rebuild against glibc 2.36-9+deb12u12 |
| debian-edu-config | Fix quoting in Exim configuration; gosa-sync: fix password verification; fix quoting in gosa.conf |
| debian-installer | Increase Linux kernel ABI to 6.1.0-39; rebuild against oldstable-proposed-updates; add console-setup-pc-ekmap for arm64 and armhf CD images; use nomodesetrather than fb=falseto disable framebuffer |
| debian-installer-netbook-images | Rebuild against oldstable-proposed-updates |
| debian-security-support | Query source:Package instead of Source to get the correct list of packages; fix typo related to gobgp |
| distro-info-data | Add Ubuntu end of Legacy Support dates; add release and estimated EoL for trixie |
| djvulibre | Fix denial of service issues [CVE-2021-46310 CVE-2021-46312] |
| docker.io | Rebuild against glibc 2.36-9+deb12u12 |
| dpdk | New upstream stable release |
| dropbear | Fix shell injection vulnerability in multihop handling [CVE-2025-47203] |
| e2fsprogs | Rebuild against glibc 2.36-9+deb12u12 |
| erlang | ssh: fix strict KEX hardening [CVE-2025-46712]; zip: sanitize pathnames when extracting files with absolute pathnames [CVE-2025-4748]; fix documentation build failure with newer xsltproc versions |
| expat | Fix denial of service issues [CVE-2023-52425 CVE-2024-8176]; fix parser crash [CVE-2024-50602] |
| fig2dev | Detect nan in spline control values [CVE-2025-46397]; permit \0 in 2nd line in fig file [CVE-2025-46398]; ge output: correct spline computation [CVE-2025-46399]; reject arcs with a radius smaller than 3 [CVE-2025-46400] |
| firebird3.0 | Fix NULL pointer dereference issue [CVE-2025-54989] |
| fort-validator | Fix denial of service issues [CVE-2024-45234 CVE-2024-45235 CVE-2024-45236 CVE-2024-45238 CVE-2024-45239 CVE-2024-48943]; fix buffer overflow issue [CVE-2024-45237] |
| galera-4 | New upstream stable release |
| glib2.0 | Fix buffer underflow issue [CVE-2025-4373 CVE-2025-7039]; improve upgrade safety |
| glibc | Fix incorrect LD_LIBRARY_PATH search in dlopen for static setuid binaries [CVE-2025-4802]; improve memory layout of structures in exp/exp10/expf functions; add an SVE implementation of memset on aarch64; improve generic implementation of memset on aarch64; fix double free issue [CVE-2025-8058] |
| gnupg2 | Rebuild against glibc 2.36-9+deb12u12; fix recommends of architecture-any packages on architecture-all package to support binNMUs |
| golang-github-gin-contrib-cors | Fix mishandling of wildcards [CVE-2019-25211] |
| gst-plugins-base1.0 | Fix buffer overrun issue [CVE-2025-47806]; fix NULL pointer dereference issues [CVE-2025-47807 CVE-2025-47808] |
| gst-plugins-good1.0 | Fix possible information disclosure issue [CVE-2025-47219] |
| init-system-helpers | Fix handling of os-release diversions from live-build, ensuring they don't exist in non-live systems |
| insighttoolkit4 | Fix build on systems with a single CPU |
| insighttoolkit5 | Fix build on systems with a single CPU |
| integrit | Rebuild against glibc 2.36-9+deb12u12 |
| iperf3 | Fix buffer overflow issue [CVE-2025-54349]; fix assertion failure [CVE-2025-54350] |
| jinja2 | Fix arbitrary code execution issue [CVE-2025-27516] |
| jq | Zero-terminate string in jv.c [CVE-2025-48060] |
| kexec-tools | Remove no longer required dependencies |
| kmail-account-wizard | Fix man in the middle attack issue [CVE-2024-50624] |
| krb5 | Fix message tampering issue [CVE-2025-3576]; disable issuance of tickets using RC4 or triple-DES session keys by default |
| kubernetes | Sanitise raw data output to terminal [CVE-2021-25743]; hide long and multi-line strings when printing |
| libarchive | Fix integer overflow issues [CVE-2025-5914 CVE-2025-5916], buffer over read issue [CVE-2025-5915], buffer overlow issue [CVE-2025-5917] |
| libbpf | Fix operation with newer systemd versions |
| libcap2 | Rebuild against glibc 2.36-9+deb12u12; add missing Built-Using: glibc |
| libcgi-simple-perl | Fix HTTP response splitting issue [CVE-2025-40927] |
| libfcgi | Fix integer overflow issue [CVE-2025-23016] |
| libfile-tail-perl | Fix uninitialized variable issue |
| libphp-adodb | Fix SQL injection vulnerability in pg_insert_id() [CVE-2025-46337] |
| libraw | Fix out-of-bounds read issues [CVE-2025-43961 CVE-2025-43962 CVE-2025-43963]; enforce minimum w0 and w1 values [CVE-2025-43964] |
| libreoffice | Add EUR support for Bulgaria |
| libsndfile | Fix integer overflow issues [CVE-2022-33065]; fix out of bounds read issue [CVE-2024-50612] |
| libsoup3 | New upstream bug-fix release; fix buffer overrun issue [CVE-2024-52531]; fix denial of service issues [CVE-2024-52532 CVE-2025-32051]; fix heap overflow issues [CVE-2025-32052 CVE-2025-32053]; fix integer overflow issue [CVE-2025-32050]; fix heap buffer overflow issues [CVE-2025-2784]; reject HTTP headers if they contain null bytes [CVE-2024-52530]; fix denial of service issues [CVE-2025-32909 CVE-2025-32910 CVE-2025-46420 CVE-2025-32912 CVE-2025-32906]; fix memory management issues [CVE-2025-32911 CVE-2025-32913]; fix credential disclosure issue [CVE-2025-46421]; fix use-after-free during disconnection, which can cause GNOME Calculator to hang at startup; fix a test failure on some 32-bit systems |
| libtheora | Fix segfault during decoder initialisation; avoid possible bit-shifting in decoder |
| libtpms | Fix out of bounds read issue [CVE-2025-49133] |
| libxml2 | Fix integer overflow issue in xmlBuildQName [CVE-2025-6021]; fix potential buffer overflows in the interactive shell [CVE-2025-6170]; fix use-after-free issue in xmlSchematronReportOutput [CVE-2025-49794]; fix type confusion issue in xmlSchematronReportOutput [CVE-2025-49796] |
| libyaml-libyaml-perl | Fix arbitrary file edit issue [CVE-2025-40908] |
| lintian | Add bookworm to duke to the list of known Debian release names; don't emit source-nmu-has-incorrect-version-number for stable updates |
| linux | New upstream stable release; increase ABI to 39 |
| linux-signed-amd64 | New upstream stable release; increase ABI to 39 |
| linux-signed-arm64 | New upstream stable release; increase ABI to 39 |
| linux-signed-i386 | New upstream stable release; increase ABI to 39 |
| llvm-toolchain-19 | New upstream stable release |
| luajit | Fix buffer overflow issue [CVE-2024-25176]; fix denial of service issue [CVE-2024-25177]; fix out-of-bounds read issue [CVE-2024-25178] |
| lxc | Rebuild against glibc 2.36-9+deb12u12 |
| mailgraph | Update embedded copy of Parse::Syslog, enabling support for RFC3339 dates |
| mariadb | New upstream stable release; security fixes [CVE-2023-52969 CVE-2023-52970 CVE-2023-52971 CVE-2025-30693 CVE-2025-30722]; fix restart after out of memory; new upstream stable release; fix variable name in debian-start.sh |
| mkchromecast | Replace youtube-dl with yt-dlp |
| mlt | Fix Python scripts |
| mono | Remove unneeded (and broken) mono-source package |
| mosquitto | Fix memory leak issue [CVE-2023-28366]; fix out of bounds memory access issue [CVE-2024-10525]; fix double free issue [CVE-2024-3935]; fix possible segmentation fault issue [CVE-2024-8376] |
| multipath-tools | Reinstate ANA prioritizer in build process |
| nextcloud-desktop | Fix share options in graphical interface |
| nginx | Fix potential information leak in ngx_mail_smtp_module [CVE-2025-53859] |
| node-addon-api | Add support for nodejs >= 18.20 |
| node-csstype | Fix build failure |
| node-form-data | Fix insufficient randomness issue [CVE-2025-7783] |
| node-minipass | Fix tap reporter in auto test and autopkgtest |
| node-nodeunit | Fix test flakiness |
| node-tar-fs | Fix path traversal issues [CVE-2024-12905 CVE-2025-48387] |
| node-tmp | Fix arbitrary file write issue [CVE-2025-54798] |
| nvda2speechd | Fix required rmp-serde version |
| openjpeg2 | Fix NULL pointer dereference issue [CVE-2025-50952] |
| openssh | Handle OpenSSL >=3 ABI compatibility to avoid new SSH connections failing during upgrades to trixie |
| openssl | New upstream stable release; revert some upstream changes to avoid crashes in downstream software |
| perl | Fix TLS certificate verification issue [CVE-2023-31484]; fix non thread safe file access [CVE-2025-40909] |
| postgresql-15 | New upstream stable release; tighten security checks in planner estimation functions [CVE-2025-8713]; prevent pg_dump scripts from being used to attack the user running the restore [CVE-2025-8714]; convert newlines to spaces in names included in comments in pg_dump output [CVE-2025-8715] |
| postgresql-common | PgCommon.pm: Set defined path in prepare_exec. Fixes compatibility with trixie's perl version |
| prody | Fix build failure; add tolerance to some tests which now fail on i386 |
| python-django | Fix regular expression-based denial of service issue [CVE-2023-36053], denial of service issues [CVE-2024-38875 CVE-2024-39614 CVE-2024-41990 CVE-2024-41991], user enumeration issue [CVE-2024-39329], directory traversal issue [CVE-2024-39330], excessive memory consumption issue [CVE-2024-41989], SQL injection issue [CVE-2024-42005] |
| python-flask-cors | Fix log data injection issue [CVE-2024-1681]; fix improper path processing issues [CVE-2024-6866 CVE-2024-6839 CVE-2024-6844] |
| python-mitogen | Support targets with Python >= 3.12 |
| python-zipp | Fix denial of service issue [CVE-2024-5569] |
| qemu | Rebuild against glibc 2.36-9+deb12u12; new upstream bugfix release |
| raptor2 | Fix integer underflow issue [CVE-2024-57823]; fix heap read buffer overflow issue [CVE-2024-57822] |
| rar | New upstream release; fix ANSI escape injection issue [CVE-2024-33899] |
| rubygems | Fix credential leak issue [CVE-2025-27221]; fix regular expression related denial of service issue [CVE-2023-28755] |
| rust-cbindgen-web | Rebuild against current rustc-web |
| rustc-web | New upstream stable release, to support building of newer Chromium versions |
| samba | Fix various bugs following a change to Microsoft Active Directory |
| sash | Rebuild against glibc 2.36-9+deb12u12 |
| setuptools | Fix arbitrary file write issue [CVE-2025-47273] |
| shaarli | Fix cross site scripting issue [CVE-2025-55291] |
| simplesamlphp | Fix signature verification issue [CVE-2025-27773] |
| snapd | Rebuild against glibc 2.36-9+deb12u12 |
| sqlite3 | Fix memory corruption issue [CVE-2025-6965]; fix bug in NOT NULL/IS NULL optimization that can cause invalid data |
| supermin | Rebuild against glibc 2.36-9+deb12u12 |
| systemd | New upstream stable release |
| tini | Rebuild against glibc 2.36-9+deb12u12 |
| tripwire | Rebuild against glibc 2.36-9+deb12u12 |
| tsocks | Rebuild against glibc 2.36-9+deb12u12 |
| tzdata | Confirm leap second status for 2025 |
| usb.ids | New upstream update |
| waitress | Fix race condition in HTTP pipelining [CVE-2024-49768]; fix denial of service issue [CVE-2024-49769] |
| webpy | Fix SQL injection issue [CVE-2025-3818] |
| wireless-regdb | New upstream release, updating included regulatory data; permit 320 MHz bandwidth in 6 GHz band for GB |
| wolfssl | Fix insufficient randomisation issue [CVE-2025-7394] |
| wpa | Fix inappropriate reuse of PKEX elements [CVE-2022-37660] |
| xfce4-weather-plugin | Migrate to new APIs; update translations |
| xrdp | Fix session restrictions bypass issue [CVE-2023-40184]; fix out-of-bounds read issue [CVE-2023-42822]; fix login restrictions bypass issue [CVE-2024-39917] |
| ydotool | Rebuild against glibc 2.36-9+deb12u12 |
| zsh | Rebuild against glibc 2.36-9+deb12u12 |
Atualizações de segurança
Esta revisão adiciona as seguintes atualizações de segurança para a versão estável (stable). A equipe de segurança já lançou um aviso para cada uma dessas atualizações:
Pacotes removidos
Os seguintes pacotes foram removidos por circunstâncias fora de nosso controle:
| Pacote | Justificativa |
|---|---|
| guix | Unsupportable; security issues |
Instalador do Debian
O instalador foi atualizado para incluir as correções incorporadas na versão estável (stable) pela versão pontual.
URLs
As listas completas dos pacotes que foram alterados por esta revisão:
A atual versão estável (stable):
Atualizações propostas (proposed updates) para a versão estável (stable):
Informações da versão estável (stable) (notas de lançamento, errata, etc):
Anúncios de segurança e informações:
Sobre o Debian
O projeto Debian é uma associação de desenvolvedores(as) de Software Livre que dedicam seu tempo e esforço como voluntários(as) para produzir o sistema operacional completamente livre Debian.
Informações de contato
Para mais informações, por favor visite as páginas web do Debian em https://www.debian.org/, envie um e-mail (em inglês) para <press@debian.org>, ou entre em contato (em inglês) com a equipe de lançamento da versão estável (stable) em <debian-release@lists.debian.org>.