Updated Debian 12: 12.10 released
March 15th, 2025
The Debian project is pleased to announce the tenth update of its
stable distribution Debian 12 (codename bookworm
).
This point release mainly adds corrections for security issues,
along with a few adjustments for serious problems. Security advisories
have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian
12 but only updates some of the packages included. There is
no need to throw away old bookworm
media. After installation,
packages can be upgraded to the current versions using an up-to-date Debian
mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
| Package | Reason |
|---|---|
| 389-ds-base | Fix crash when modifying userPassword using malformed input [CVE-2024-2199 CVE-2024-8445]; prevent denial of service while attempting to log in with a user with a malformed hash in their password [CVE-2024-5953]; prevent denial of service on the directory server with specially-crafted LDAP query [CVE-2024-3657] |
| base-files | Update for the point release |
| bup | New upstream bugfix release |
| containerd | Fix tests causing FTBFS on the auto-builder network |
| curl | Fix unintended HTTPS upgrades or premature reversion to HTTP when both subdomains and parent domains are used [CVE-2024-9681]; prevent stopping of stunnel before retries in the built-time tests; fix possible credentials leakage issues [CVE-2024-11053 CVE-2025-0167]; fix test failures due to port clashes |
| dacite | Do not cache result of get_default_value_for_field |
| dcmtk | Fix issue when rendering an invalid monochrome DICOM image [CVE-2024-47796]; ensure: HighBit < BitsAllocated [CVE-2024-52333]; fix possible overflows when allocating memory [CVE-2024-27628]; fix two segmentation faults [CVE-2024-34508 CVE-2024-34509]; fix arbitrary code execution issue [CVE-2024-28130]; fix buffer overflow issues [CVE-2025-25472 CVE-2025-25474]; fix NULL pointer dereference issue [CVE-2025-25475] |
| debian-installer | Increase Linux kernel ABI to 6.1.0-32; rebuild against proposed-updates |
| debian-ports-archive-keyring | Add 2026 key; move 2023 and 2024 keys to the removed keyring |
| dgit | Add missing parameters for source upload target |
| djoser | Fix authentication bypass [CVE-2024-21543] |
| dns-root-data | Add the DNSKEY record for KSK-2024 |
| edk2 | Fix overflow condition in PeCoffLoaderRelocateImage() [CVE-2024-38796]; fix potential UINT32 overflow in S3 ResumeCount [CVE-2024-1298] |
| elpa | Fix tests on machines with 2 vCPU or fewer |
| flightgear | Fix sandbox bypass vulnerability in Nasal scripts [CVE-2025-0781] |
| gensim | Fix build failure on single-CPU machines |
| glibc | Fix buffer overflow when printing assertion failure message [CVE-2025-0395]; fix memset performance for unaligned destinations; fix TLS performance degradation after dlopen() usage; avoid integer truncation when parsing CPUID data with large cache sizes; ensure data passed to the rseq syscall are properly initialized |
| golang-github-containers-buildah | Disable a test known to fail on the auto-builder network, fixing build failure |
| intel-microcode | New upstream security release [CVE-2023-34440 CVE-2023-43758 CVE-2024-24582 CVE-2024-28047 CVE-2024-28127 CVE-2024-29214 CVE-2024-31068 CVE-2024-31157 CVE-2024-36293 CVE-2024-37020 CVE-2024-39279 CVE-2024-39355] |
| iptables-netflow | Fix build with newer bullseye kernels |
| jinja2 | Fix arbitrary code execution issues [CVE-2024-56201 CVE-2024-56326] |
| joblib | Fix build failure on single-CPU systems |
| lemonldap-ng | Fix CSRF vulnerability on 2FA registration interface [CVE-2024-52948] |
| libapache-mod-jk | Set correct default permissions for shared memory [CVE-2024-46544] |
| libeconf | Fix buffer overflow vulnerability [CVE-2023-32181 CVE-2023-22652] |
| librabbitmq | Add option to read username/password from file [CVE-2023-35789] |
| libtar | Fix out-of-bounds read in gnu_longlink() [CVE-2021-33643]; fix out-of-bounds read in gnu_longname() [CVE-2021-33644]; fix memory leak in th_read() [CVE-2021-33645]; fix memory leak in th_read() [CVE-2021-33646] |
| linux | New upstream release; bump ABI to 32 |
| linux-signed-amd64 | New upstream release; bump ABI to 32 |
| linux-signed-arm64 | New upstream release; bump ABI to 32 |
| linux-signed-i386 | New upstream release; bump ABI to 32 |
| linuxcnc | Fix multi axes movement on single axis G0 MDI call |
| ltt-control | Fix consumer crash on shutdown |
| lttng-modules | Fix build with newer bullseye kernels |
| mariadb | New upstream stable release; fix security issue [CVE-2024-21096]; fix denial of service issue [CVE-2025-21490] |
| monero | Impose response limits on HTTP server connections [CVE-2025-26819] |
| mozc | Install fcitx icons to the correct locations |
| ndcube | Ignore test warnings from astropy |
| nginx | Fix possible bypass of client certificate authentication [CVE-2025-23419] |
| node-axios | Fix CSRF vulnerability [CVE-2023-45857]; fix potential vulnerability in URL when determining an origin [CVE-2024-57965] |
| node-js-sdsl | Fix build failure |
| node-postcss | Fix mishandling of non-integer values leading to denial of service in nanoid [CVE-2024-55565]; fix parsing of external untrusted CSS [CVE-2023-44270] |
| node-recast | Fix build failure |
| node-redis | Fix build failure |
| node-rollup | Fix build failure arising from changed timeout API |
| openh264 | Fix Cisco download URL |
| php-nesbot-carbon | Fix arbitrary file include issue [CVE-2025-22145] |
| postgresql-15 | New upstream stable release; harden PQescapeString and allied functions against invalidly-encoded strings; improve behavior of libpq's quoting functions [CVE-2025-1094] |
| puma | Fix behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers [CVE-2023-40175]; limit size of chunk extensions [CVE-2024-21647]; prevent manipulation of headers set by intermediate proxies [CVE-2024-45614] |
| python-django | Fix regular expression-based denial of service issue [CVE-2023-36053], denial of service issues [CVE-2024-38875 CVE-2024-39614 CVE-2024-41990 CVE-2024-41991], user enumeration issue [CVE-2024-39329], directory traversal issue [CVE-2024-39330], excessive memory consumption issue [CVE-2024-41989], SQL injection issue [CVE-2024-42005] |
| python-pycdlib | Run tests only if /tmp is tmpfs, otherwise they are known to fail |
| rapiddisk | Support Linux versions up to 6.10 |
| rsyslog | Avoid segmentation fault if a SIGTERM is received during startup |
| runit-services | Do not enable dhclient service by default |
| seqan3 | Fix parallel running of tests |
| simgear | Fix sandbox bypass vulnerability in Nasal scripts [CVE-2025-0781] |
| spamassassin | New upstream stable release |
| sssd | Apply GPO policy consistently [CVE-2023-3758] |
| subversion | Fix vulnerable parsing of control characters in paths served by mod_dav_svn [CVE-2024-46901] |
| sunpy | Ignore test warnings from astropy |
| systemd | New upstream stable release |
| tzdata | New upstream release; update data for Paraguay; update leap second information |
| vagrant | Fix URL of public Vagrant registry |
| vim | Fix crash when expanding ~in substitute [CVE-2023-2610]; fix buffer-overflow in vim_regsub_both() [CVE-2023-4738]; fix heap use after free in ins_compl_get_exp() [CVE-2023-4752]; fix heap-buffer-overflow in vim_regsub_both [CVE-2023-4781]; fix buffer-overflow in trunc_string() [CVE-2023-5344]; fix stack-buffer-overflow in option callback functions [CVE-2024-22667]; fix heap-buffer-overflow in ins_typebuf (CVE-2024-43802]; fix use-after-free when closing a buffer [CVE-2024-47814]; fix build failure on 32-bit architectures |
| wget | Fix mishandling of semicolons in userinfo in URLs [CVE-2024-38428] |
| xen | Allow direct kernel boot with kernels >= 6.12 |
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
| Package | Reason |
|---|---|
| kanboard | Unmaintained; security issues |
| libnet-easytcp-perl | Unmaintained upstream; security issues |
| looking-glass | Not suitable for a stable release |
Debian Installer
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
stable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.