Updated Debian 12: 12.14 released

May 16th, 2026

The Debian project is pleased to announce the fourteenth update of its oldstable distribution Debian 12 (codename bookworm). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 12 but only updates some of the packages included. There is no need to throw away old bookworm media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following packages:

Package | Reason
7zip | New upstream stable release; fix integer underflow issue [CVE-2023-31102]; fix code execution issues [CVE-2023-40481 CVE-2025-11001 CVE-2025-11002]; fix denial of service issue [CVE-2024-11612]; fix null pointer dereference issue [CVE-2025-53817]; fix handling of symbolic links [CVE-2025-55188]
apache2 | New upstream release: fix http2 regression; fix use-after-free issue [CVE-2026-23918]; fix privilege escalation issue [CVE-2026-24072]; fix NULL pointer dereference issues [CVE-2026-29169 CVE-2026-33007]; fix authentication bypass issue [CVE-2026-33006]; fix HTTP response splitting issue [CVE-2026-33523]; fix out-of-bounds read issues [CVE-2026-33857 CVE-2026-34032]; fix buffer over-read issue [CVE-2026-34059]
arduino-core-avr | New upstream stable release; fix buffer overflow issue [CVE-2025-69209]
augeas | Fix NULL pointer dereference issue [CVE-2025-2588]
awstats | Prevent command injection [CVE-2025-63261]
base-files | Update for the point release
bash | Rebuild with updated glibc
busybox | Fix stack overflow [CVE-2022-48174] and use-after-free [CVE-2023-42363 CVE-2023-42364 CVE-2023-42365] errors
c3p0 | Fix recursive entity expansion issue [CVE-2019-5427]
calibre | Fix path traversal issues [CVE-2026-25635 CVE-2026-25636 CVE-2026-26064 CVE-2026-26065]; fix code execution issue [CVE-2026-25731]; fix HTTP response header injection issue [CVE-2026-27810]; fix IP ban bypass issue [CVE-2026-27824]
cdebootstrap | Rebuild with updated glibc
chkrootkit | Rebuild with updated glibc
chrony | Open the PHC reference clock with the O_RDWR flag when enabling the extpps option
composer | Fix code execution issue [CVE-2023-43655]; fix command injection issues [CVE-2026-40261 CVE-2026-40176]
containerd | Fix CRI Attach implementation [CVE-2025-64329]; fix overly broad directory permissions [CVE-2024-25621]; fix large UID:GID (> 32bit) overflow [CVE-2024-40635]
dar | Rebuild with updated glibc
debian-installer | Bump linux ABI to 6.1.0-47
debian-installer-netboot-images | Rebuild against oldstable-proposed-updates
debsig-verify | Rebuild with updated dpkg
deets | Rebuild with updated dpkg
distro-info-data | Add Ubuntu 26.10 Stonking Stingray
docker.io | Rebuild with updated containerd, glibc
dovecot | Correct incomplete backport of CVE-2026-27855 fix; fix memory leak in CVE-2026-27857 fix
dpkg | New upstream stable release; fix insufficient permissions check leading to possible denial of service issue [CVE-2025-6297]; fix denial of service issue [CVE-2026-2219]; fix buffer over-read issue; fix uninitialized variable warning with Rules-Requires-Root; fix segmentation fault in dpkg-trigger; translation fixes
erlang | Fix denial of service issues [CVE-2025-48038 CVE-2025-48039 CVE-2025-48040 CVE-2025-48041]; fix HTTP request smuggling issue [CVE-2026-23941]; fix path traversal issues [CVE-2026-23942 CVE-2026-21620]; fix compression bomb issue [CVE-2026-23943]
exim4 | Fix GnuTLS hostname verify of a server certificate with a zero-length Subject; fix denial of service issue [CVE-2026-40684]; fix out-of-bounds read/write issues [CVE-2026-40685 CVE-2026-40686 CVE-2026-40687]
fonttools | Fix XML External Entity injection issue [CVE-2023-45139]; fix code execution issue [CVE-2025-66034]
glance | Fix server-side request forgery issue [CVE-2026-34881]; fix build failure
glib2.0 | Fix timezone handling with Debian & Ubuntu's symlinks; fix missing input validation in g_buffered_input_stream_peek [CVE-2026-0988]; fix integer overflow in base64 encoding [CVE-2026-1484]; fix buffer underflow issue in content type parsing [CVE-2026-1485]; fix integer overflow in unicode conversion [CVE-2026-1489]
glibc | Fix integer overflow issue [CVE-2026-0861]; fix uninitialised memory use issue [CVE-2025-15281]; fix incorrect handling of DNS responses [CVE-2026-4437]; fix return of invalid DNS hostnames [CVE-2026-4438]; fix assertion failure [CVE-2026-4046]; fix performance bottleneck with ASAN on 32-bit arm; fix incorrect backtrace unwinding; fix typo in wmemset ifunc selector that caused AVX2/AVX512 paths to be skipped; fix POWER optimized rawmemchr function; fix stack content leak issue [CVE-2026-0915]
gnuais | Fix displaying map in gnuaisgui
golang-github-containerd-stargz-snapshotter | Rebuild with updated containerd
golang-github-containers-buildah | Rebuild with updated containerd
golang-github-openshift-imagebuilder | Rebuild with updated containerd
gpsd | Fix out-of-bounds write issue [CVE-2025-67268]; fix integer underflow issue [CVE-2025-67269]
grub-efi-amd64-signed | Remove NTFS and jfs from monolithic EFI image; update SBAT levels; set Protected: yes for -signed packages so they cannot easily be removed; backport upstream regression fixes; fix video/readers/jpeg: Do not permit duplicate SOF0 markers in JPEG [CVE-2024-45774]; fix commands/extcmd: Missing check for failed allocation [CVE-2024-45775]; fix commands/dump: The dump command is not in lockdown when secure boot is enabled [CVE-2025-1118]; fix integer overflow issues [CVE-2024-45776 CVE-2024-45777 CVE-2024-45778 CVE-2024-45779 CVE-2024-45780 CVE-2025-0677 CVE-2025-0678 CVE-2025-0684 CVE-2025-0685 CVE-2025-0690 CVE-2025-1125]; fix out-of-bounds write issues [CVE-2024-45781 CVE-2024-45782 CVE-2025-0624]; fix use-after-free issues [CVE-2024-45783 CVE-2025-0622]; fix buffer overflow issue [CVE-2025-0689]
grub-efi-arm64-signed | Remove NTFS and jfs from monolithic EFI image; update SBAT levels; set Protected: yes for -signed packages so they cannot easily be removed; backport upstream regression fixes; fix video/readers/jpeg: Do not permit duplicate SOF0 markers in JPEG [CVE-2024-45774]; fix commands/extcmd: Missing check for failed allocation [CVE-2024-45775]; fix commands/dump: The dump command is not in lockdown when secure boot is enabled [CVE-2025-1118]; fix integer overflow issues [CVE-2024-45776 CVE-2024-45777 CVE-2024-45778 CVE-2024-45779 CVE-2024-45780 CVE-2025-0677 CVE-2025-0678 CVE-2025-0684 CVE-2025-0685 CVE-2025-0690 CVE-2025-1125]; fix out-of-bounds write issues [CVE-2024-45781 CVE-2024-45782 CVE-2025-0624]; fix use-after-free issues [CVE-2024-45783 CVE-2025-0622]; fix buffer overflow issue [CVE-2025-0689]
grub-efi-ia32-signed | Remove NTFS and jfs from monolithic EFI image; update SBAT levels; set Protected: yes for -signed packages so they cannot easily be removed; backport upstream regression fixes; fix video/readers/jpeg: Do not permit duplicate SOF0 markers in JPEG [CVE-2024-45774]; fix commands/extcmd: Missing check for failed allocation [CVE-2024-45775]; fix commands/dump: The dump command is not in lockdown when secure boot is enabled [CVE-2025-1118]; fix integer overflow issues [CVE-2024-45776 CVE-2024-45777 CVE-2024-45778 CVE-2024-45779 CVE-2024-45780 CVE-2025-0677 CVE-2025-0678 CVE-2025-0684 CVE-2025-0685 CVE-2025-0690 CVE-2025-1125]; fix out-of-bounds write issues [CVE-2024-45781 CVE-2024-45782 CVE-2025-0624]; fix use-after-free issues [CVE-2024-45783 CVE-2025-0622]; fix buffer overflow issue [CVE-2025-0689]
grub2 | Remove NTFS and jfs from monolithic EFI image; update SBAT levels; set Protected: yes for -signed packages so they cannot easily be removed; backport upstream regression fixes; fix video/readers/jpeg: Do not permit duplicate SOF0 markers in JPEG [CVE-2024-45774]; fix commands/extcmd: Missing check for failed allocation [CVE-2024-45775]; fix commands/dump: The dump command is not in lockdown when secure boot is enabled [CVE-2025-1118]; fix integer overflow issues [CVE-2024-45776 CVE-2024-45777 CVE-2024-45778 CVE-2024-45779 CVE-2024-45780 CVE-2025-0677 CVE-2025-0678 CVE-2025-0684 CVE-2025-0685 CVE-2025-0690 CVE-2025-1125]; fix out-of-bounds write issues [CVE-2024-45781 CVE-2024-45782 CVE-2025-0624]; fix use-after-free issues [CVE-2024-45783 CVE-2025-0622]; fix buffer overflow issue [CVE-2025-0689]
gvfs | Use control connection address for PASV data [CVE-2026-28295]; reject paths containing CR/LF characters [CVE-2026-28296]
kissfft | Fix integer overflow issues [CVE-2025-34297 CVE-2026-41445]
kpackage | Skip unreliable build-time test
lemonldap-ng | Update documentation to avoid using unsecured Nginx variable
libarchive | Fix out-of-bounds read issues [CVE-2025-5918 CVE-2026-4424]; fix denial of service issues [CVE-2026-4111 CVE-2026-4426]; fix possible code execution issue [CVE-2026-5121]
libcap2 | Fix time of check / time of use issue [CVE-2026-4878]; rebuild with updated glibc
libexif | Fix integer underflow issues [CVE-2026-40386 CVE-2026-32775]; fix integer overflow issue [CVE-2026-40385]
libnet-cidr-lite-perl | Fix ACL bypass issues [CVE-2026-40198 CVE-2026-40199]
libpng1.6 | Fix heap buffer overflow issues [CVE-2026-22801 CVE-2026-22695]
libpod | Rebuild with updated containerd
libreoffice | Fix incomplete fix for CVE-2024-12426
libreoffice-texmaths | Add dependency on dvipng/dvisvgm
libuev | Fix buffer overrun issue [CVE-2022-48620]
libvncserver | Fix out-of-bounds read issue [CVE-2026-32853]; fix null pointer dereference issue [CVE-2026-32854]
libxml-security-java | Fix private key disclosure issue [CVE-2023-44483]
libxslt | Fix deterministic generate-id() regression causing build failures in other packages
lxc | Fix authorisation bypass issue [CVE-2026-39402]
mapserver | Fix SQL injection issue [CVE-2025-59431]; fix buffer overflow issue [CVE-2026-33721]; fix heap-buffer-overflow and double-free issues in maplexer
modsecurity-crs | Fix rule bypass issue [CVE-2023-38199]; fix file extension blocking bypass issue [CVE-2026-33691]
mongo-c-driver | Fix insufficient validation issues [CVE-2025-14911 CVE-2026-6231]; fix denial of service issue [CVE-2026-4359]; fix buffer overflow issue [CVE-2026-6691]; improve handling of corrupt GridFS files
nginx | Fix buffer overflow issues [CVE-2026-27654 CVE-2026-27784 CVE-2026-32647]; fix session authentication issues [CVE-2026-27651 CVE-2026-28753]; fix OCSP result bypass issue [CVE-2026-28755]; use $host instead of $http_host
openssh | Fix possible code execution issues [CVE-2025-61984 CVE-2025-61985]; ensure scp does not unexpectedly make transferred files setuid or setgid [CVE-2026-35385]; fix command execution issue [CVE-2026-35386]; fix incomplete application of PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard to ECDSA keys [CVE-2026-35387]; use connection multiplexing confirmation for proxy-mode multiplexing sessions [CVE-2026-35388]; fix handling of the authorized_keys principals option [CVE-2026-35414]; validate user and host names for ProxyJump/-J options passed via the command line
openssl | New upstream stable release
p7zip | Rebase onto newer 7zip version; fix integer underflow issue [CVE-2023-31102]; fix code execution issues [CVE-2023-40481 CVE-2025-11001 CVE-2025-11002]; fix denial of service issue [CVE-2024-11612]; fix null pointer dereference issue [CVE-2025-53817]; fix handling of symbolic links [CVE-2025-55188]; fix buffer overflow issue [CVE-2023-52168]; fix out-of-bounds read issues [CVE-2023-52169 CVE-2022-47069]
p7zip-rar | Rebase onto newer 7zip version; fix denial of service issue [CVE-2025-53816]
php-dompdf | Fix denial of service issue [CVE-2023-50262]
php-league-commonmark | Fix cross site scripting issue [CVE-2025-46734]; fix validation bypass issues [CVE-2026-30838 CVE-2026-33347]
php-phpseclib | Fix denial of service issue [CVE-2024-27355]; fix variable time comparison issue [CVE-2026-40194]
php-phpseclib3 | Fix denial of service issue [CVE-2024-27355]; fix variable time comparison issue [CVE-2026-40194]
phpseclib | Fix denial of service issue [CVE-2024-27355]; fix variable time comparison issue [CVE-2026-40194]
plastimatch | Remove non-free files
postgresql-15 | New upstream stable release; fix buffer overrun issue [CVE-2026-2006]
proftpd-dfsg | Fix denial of service issue [CVE-2024-57392]; fix SQL injection issue [CVE-2026-42167]; fix mod_radius: Message-Authenticator check always fails
pymupdf | Rebuild with updated mupdf
python-authlib | Fix algorithm confusion issue [CVE-2024-37568]; fix cross-site request forgery issue [CVE-2025-68158]; fix denial of service issues [CVE-2025-62706 CVE-2025-61920]; fix policy bypass issue [CVE-2025-59420]
python-django | Fix regular expression-based denial of service issue [CVE-2023-36053], denial of service issues [CVE-2024-38875 CVE-2024-39614 CVE-2024-41990 CVE-2024-41991], user enumeration issue [CVE-2024-39329], directory traversal issue [CVE-2024-39330], excessive memory consumption issue [CVE-2024-41989], SQL injection issue [CVE-2024-42005]
python-ldap | Fix insufficient escaping issue [CVE-2025-61911]; fix denial of service issue [CVE-2025-61912]
python3.11 | Fix header injection issues [CVE-2025-11468 CVE-2025-15282 CVE-2026-0672 CVE-2026-0865 CVE-2026-1299]; fix denial of service issues [CVE-2025-12084 CVE-2025-13836 CVE-2025-13837 CVE-2025-6069 CVE-2025-6075 CVE-2025-8194]; fix insufficient validation in zipFile [CVE-2025-8291]; fix use-after-free issue [CVE-2025-4516]
qemu | Rebuild with updated glibc, glib2.0, gnutls28
request-tracker5 | Fix builds of CKEditor when firefox is >= 148
sash | Rebuild with updated glibc
sed | Fix time of check / time of use issue [CVE-2026-5958]
sioyek | Rebuild with updated mupdf
skeema | Rebuild with updated containerd
snapd | Rebuild with updated libcap2
sudo | Fix exec_mailer permissions checks [CVE-2026-35535]
supermin | Rebuild with updated glibc
swupdate | Fix denial of service issue [CVE-2026-28525]
systemd | Fix assert and freeze [CVE-2026-29111]; fix code execution issues [CVE-2026-40225 CVE-2026-4105]; fix nspawn escape-to-host issue [CVE-2026-40226]
taglib | Fix segmentation violation issue [CVE-2023-47466]
tpm2-pkcs11 | Fix NULL pointer dereference during database migration
tripwire | Rebuild with updated glibc
tzdata | New upstream release; update data for British Columbia
user-mode-linux | Rebuild with updated linux
vips | Fix buffer overflow issues [CVE-2026-2913 CVE-2026-3147 CVE-2026-3281]; fix memory corruption issue [CVE-2026-3145]; fix null pointer dereference issue [CVE-2026-3146]; fix out-of-bounds read issues [CVE-2026-3282 CVE-2026-3283]; fix integer overflow issue [CVE-2026-3284]
wireless-regdb | New upstream stable release; update regulatory information for several countries
wireshark | Fix denial of service issues [CVE-2024-11596 CVE-2024-9781 CVE-2025-11626 CVE-2025-13499 CVE-2025-13945 CVE-2025-13946 CVE-2025-1492 CVE-2025-5601 CVE-2025-9817 CVE-2026-0960]
xorg-server | Fix buffer re-use issue [CVE-2026-33999]; fix / improve bounds checking [CVE-2026-34000 CVE-2026-34003]; fix use-after-free issue [CVE-2026-34001]; fix out-of-bounds read issue [CVE-2026-34002]
zsh | Rebuild with updated libcap2, glibc
zvbi | Fix uninitialised pointer issue [CVE-2025-2173]; fix integer overflow issues [CVE-2025-2174 CVE-2025-2175 CVE-2025-2176 CVE-2025-2177]

Security Updates

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:

Advisory ID | Package
DSA-6003 | firefox-esr
DSA-6025 | firefox-esr
DSA-6054 | firefox-esr
DSA-6078 | firefox-esr
DSA-6093 | gimp
DSA-6094 | libsodium
DSA-6096 | vlc
DSA-6097 | chromium
DSA-6098 | net-snmp
DSA-6100 | chromium
DSA-6101 | firefox-esr
DSA-6102 | python-urllib3
DSA-6103 | thunderbird
DSA-6105 | modsecurity-crs
DSA-6106 | inetutils
DSA-6107 | bind9
DSA-6108 | chromium
DSA-6110 | openjdk-17
DSA-6111 | imagemagick
DSA-6113 | openssl
DSA-6114 | pyasn1
DSA-6115 | gimp
DSA-6116 | chromium
DSA-6118 | thunderbird
DSA-6120 | tomcat10
DSA-6122 | chromium
DSA-6123 | xrdp
DSA-6125 | usbmuxd
DSA-6127 | linux-signed-amd64
DSA-6127 | linux-signed-arm64
DSA-6127 | linux-signed-i386
DSA-6127 | linux
DSA-6128 | shaarli
DSA-6129 | munge
DSA-6131 | nginx
DSA-6132 | postgresql-15
DSA-6135 | chromium
DSA-6136 | python-django-storages
DSA-6136 | python-django
DSA-6137 | roundcube
DSA-6138 | libpng1.6
DSA-6139 | gimp
DSA-6140 | gnutls28
DSA-6142 | gegl
DSA-6143 | libvpx
DSA-6145 | nova
DSA-6146 | chromium
DSA-6148 | firefox-esr
DSA-6149 | nss
DSA-6150 | python-django
DSA-6151 | chromium
DSA-6152 | thunderbird
DSA-6153 | lxd
DSA-6154 | php8.2
DSA-6156 | gimp
DSA-6157 | chromium
DSA-6159 | imagemagick
DSA-6160 | netty
DSA-6163 | linux-signed-amd64
DSA-6163 | linux-signed-arm64
DSA-6163 | linux-signed-i386
DSA-6163 | linux
DSA-6164 | chromium
DSA-6165 | chromium
DSA-6167 | gst-plugins-base1.0
DSA-6170 | snapd
DSA-6171 | chromium
DSA-6172 | webkit2gtk
DSA-6173 | freeciv
DSA-6175 | libyaml-syck-perl
DSA-6176 | strongswan
DSA-6177 | chromium
DSA-6178 | firefox-esr
DSA-6179 | thunderbird
DSA-6180 | ruby-rack
DSA-6181 | bind9
DSA-6182 | libxml-parser-perl
DSA-6185 | phpseclib
DSA-6186 | php-phpseclib
DSA-6187 | php-phpseclib3
DSA-6188 | lxd
DSA-6189 | libpng1.6
DSA-6190 | gst-plugins-bad1.0
DSA-6191 | gst-plugins-ugly1.0
DSA-6192 | chromium
DSA-6193 | inetutils
DSA-6194 | pyasn1
DSA-6195 | python-tornado
DSA-6196 | roundcube
DSA-6197 | dovecot
DSA-6199 | trafficserver
DSA-6200 | tor
DSA-6201 | openssl
DSA-6202 | firefox-esr
DSA-6203 | tiff
DSA-6204 | openssh
DSA-6205 | chromium
DSA-6206 | gdk-pixbuf
DSA-6208 | mediawiki
DSA-6210 | imagemagick
DSA-6211 | thunderbird
DSA-6213 | lxd
DSA-6214 | chromium
DSA-6215 | gimp
DSA-6216 | opam
DSA-6218 | mupdf
DSA-6220 | simpleeval
DSA-6221 | ntfs-3g
DSA-6222 | ngtcp2
DSA-6223 | flatpak
DSA-6224 | xdg-dbus-proxy
DSA-6225 | firefox-esr
DSA-6226 | packagekit
DSA-6227 | strongswan
DSA-6229 | thunderbird
DSA-6230 | chromium
DSA-6236 | firefox-esr
DSA-6237 | jtreg7
DSA-6237 | openjdk-17
DSA-6239 | chromium
DSA-6242 | thunderbird
DSA-6243 | linux-signed-amd64
DSA-6243 | linux-signed-arm64
DSA-6243 | linux-signed-i386
DSA-6243 | linux
DSA-6245 | imagemagick
DSA-6247 | lxd
DSA-6248 | apache2
DSA-6249 | wireshark
DSA-6251 | libreoffice
DSA-6252 | prosody
DSA-6254 | firefox-esr
DSA-6255 | php8.2
DSA-6257 | postorius
DSA-6258 | linux-signed-amd64
DSA-6258 | linux-signed-arm64
DSA-6258 | linux-signed-i386
DSA-6258 | linux
DSA-6259 | pyjwt
DSA-6260 | tor
DSA-6261 | corosync
DSA-6262 | lcms2
DSA-6263 | libpng1.6
DSA-6264 | dnsmasq
DSA-6265 | exim4

Removed packages

The following packages were removed due to circumstances beyond our control:

Package | Reason
suricata | Unsupportable; possible security issues; maintained via backports
zulucrypt | Security issues; unmaintained

Debian Installer

The installer has been updated to include the fixes incorporated into oldstable by the point release.

URLs

The complete lists of packages that have changed with this revision:

https://deb.debian.org/debian/dists/bookworm/ChangeLog

The current oldstable distribution:

https://deb.debian.org/debian/dists/oldstable/

Proposed updates to the oldstable distribution:

https://deb.debian.org/debian/dists/oldstable-proposed-updates

oldstable distribution information (release notes, errata etc.):

https://www.debian.org/releases/oldstable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.