------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 13: 13.5 released                        [email protected]
May 16th, 2026                 https://www.debian.org/News/2026/20260516
------------------------------------------------------------------------


The Debian project is pleased to announce the fifth update of its stable
distribution Debian 13 (codename "trixie"). This point release mainly
adds corrections for security issues, along with a few adjustments for
serious problems. Security advisories have already been published
separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 13 but only updates some of the packages included. There is no
need to throw away old "trixie" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list



Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

+-----------------------+---------------------------------------------+
| Package               | Reason                                      |
+-----------------------+---------------------------------------------+
| 389-ds-base [1]       | Fix heap overflow issue [CVE-2025-14905]    |
|                       |                                             |
| 7zip [2]              | Relax Breaks / Replaces versions to ease    |
|                       | upgrades from bookworm                      |
|                       |                                             |
| apache2 [3]           | New upstream stable release; fix use-after- |
|                       | free issue [CVE-2026-23918]; fix privilege  |
|                       | escalation issue [CVE-2026-24072]; fix NULL |
|                       | pointer dereference issues [CVE-2026-29169  |
|                       | CVE-2026-33007]; fix authentication bypass  |
|                       | issue [CVE-2026-33006]; fix HTTP response   |
|                       | splitting issue [CVE-2026-33523]; fix out-  |
|                       | of-bounds read issues [CVE-2026-33857       |
|                       | CVE-2026-34032]; fix buffer over-read issue |
|                       | [CVE-2026-34059]                            |
|                       |                                             |
| awstats [4]           | Prevent command injection [CVE-2025-63261]  |
|                       |                                             |
| base-files [5]        | Update for the point release                |
|                       |                                             |
| bash [6]              | Rebuild with updated glibc                  |
|                       |                                             |
| beads [7]             | Rebuild with updated cimg                   |
|                       |                                             |
| bepasty [8]           | Fix loading pygments CSS                    |
|                       |                                             |
| bglibs [9]            | Rebuild with updated glibc                  |
|                       |                                             |
| bird2 [10]            | ASPA: Fix downstream validation; BGP: Fix   |
|                       | restart behavior on reconfiguration;        |
|                       | filters: Fix string attributes; logging:    |
|                       | Fix error handling                          |
|                       |                                             |
| black [11]            | Fix arbitrary file write issue [CVE-2026-   |
|                       | 32274]                                      |
|                       |                                             |
| bubblewrap [12]       | Fix privilege escalation issue [CVE-2026-   |
|                       | 41163]                                      |
|                       |                                             |
| busybox [13]          | Rebuild with updated glibc                  |
|                       |                                             |
| calibre [14]          | Fix path traversal issues [CVE-2026-25635   |
|                       | CVE-2026-25636 CVE-2026-26064 CVE-2026-     |
|                       | 26065]; fix code execution issue [CVE-2026- |
|                       | 25731]; fix HTTP response header injection  |
|                       | issue [CVE-2026-27810]; fix IP ban bypass   |
|                       | issue [CVE-2026-27824]                      |
|                       |                                             |
| catatonit [15]        | Rebuild with updated glibc                  |
|                       |                                             |
| cdebootstrap [16]     | Rebuild with updated glibc                  |
|                       |                                             |
| chkrootkit [17]       | Rebuild with updated glibc                  |
|                       |                                             |
| cimg [18]             | Fix overflow issue [CVE-2026-42144]; fix    |
|                       | out of memory issue with crafted files      |
|                       | [CVE-2026-42146]                            |
|                       |                                             |
| cockpit [19]          | Fix code execution issue [CVE-2026-4631]    |
|                       |                                             |
| composer [20]         | Fix command injection issues [CVE-2026-     |
|                       | 40261 CVE-2026-40176]                       |
|                       |                                             |
| condor [21]           | Rebuild with updated glibc                  |
|                       |                                             |
| curl [22]             | Fix server certificate verification issue   |
|                       | [CVE-2025-13034]                            |
|                       |                                             |
| dar [23]              | Rebuild with updated glibc, libcap2,        |
|                       | openssl                                     |
|                       |                                             |
| debian-installer [24] | Bump linux ABI to 6.12.86+deb13             |
|                       |                                             |
| debian-installer-     | Rebuild against proposed-updates            |
| netboot-images [25]   |                                             |
|                       |                                             |
| debmirror [26]        | Add debmirror-specific User-Agent header    |
|                       |                                             |
| distribution-gpg-     | Update included keys                        |
| keys [27]             |                                             |
|                       |                                             |
| distro-info-data [28] | Add Ubuntu 26.10 "Stonking Stingray"        |
|                       |                                             |
| distrobuilder [29]    | Rebuild with updated incus                  |
|                       |                                             |
| docker.io [30]        | Rebuild with updated glibc                  |
|                       |                                             |
| dovecot [31]          | Fix memory leak in CVE-2026-27857 fix       |
|                       |                                             |
| e2fsprogs [32]        | Rebuild with updated glibc                  |
|                       |                                             |
| efibootguard [33]     | Rebuild against gnu-efi with #1086705 fixed |
|                       |                                             |
| ejabberd [34]         | Ignore certificate purpose for incoming s2s |
|                       | connections                                 |
|                       |                                             |
| ejabberd-contrib [35] | Rebuild with updated ejabberd               |
|                       |                                             |
| epics-base [36]       | Skip failing build-time test                |
|                       |                                             |
| erlang [37]           | Fix path traversal issues [CVE-2026-21620   |
|                       | CVE-2026-23942]; fix HTTP request smuggling |
|                       | issue [CVE-2026-23941]; fix denial of       |
|                       | service issue [CVE-2026-23943]              |
|                       |                                             |
| erlang-p1-tls [38]    | Accept client certificates without          |
|                       | sslpurpose flag                             |
|                       |                                             |
| exim4 [39]            | Fix GnuTLS hostname verify of a server      |
|                       | certificate with a zero-length Subject; fix |
|                       | denial of service issue [CVE-2026-40684];   |
|                       | fix out-of-bounds read/write issues         |
|                       | [CVE-2026-40685 CVE-2026-40686 CVE-2026-    |
|                       | 40687]                                      |
|                       |                                             |
| feed2toot [40]        | Ensure compatibility with Python 3.13       |
|                       |                                             |
| firewalld [41]        | Prevent local users from being able to      |
|                       | modify runtime firewall state without prior |
|                       | authentication if the desktop policy is     |
|                       | active [CVE-2026-4948]                      |
|                       |                                             |
| freerdp3 [42]         | Fix issues with large certificates; fix     |
|                       | clipboard paste issue; fix segmentation     |
|                       | fault issue [CVE-2025-4478]; fix use-after- |
|                       | free issues [CVE-2026-22851 CVE-2026-22856  |
|                       | CVE-2026-22857 CVE-2026-23883 CVE-2026-     |
|                       | 23884 CVE-2026-24491 CVE-2026-24675         |
|                       | CVE-2026-24676 CVE-2026-24678 CVE-2026-     |
|                       | 24680 CVE-2026-24681 CVE-2026-24683         |
|                       | CVE-2026-24684 CVE-2026-25952 CVE-2026-     |
|                       | 25953 CVE-2026-25954 CVE-2026-25955         |
|                       | CVE-2026-25959 CVE-2026-25997 CVE-2026-     |
|                       | 26986]; fix buffer overflow issues          |
|                       | [CVE-2026-22852 CVE-2026-22853 CVE-2026-    |
|                       | 22854 CVE-2026-23530 CVE-2026-23531         |
|                       | CVE-2026-23532 CVE-2026-23533 CVE-2026-     |
|                       | 23534 CVE-2026-23732]; fix out-of-bounds    |
|                       | read issues [CVE-2026-22855 CVE-2026-22859  |
|                       | CVE-2026-24677 CVE-2026-24679 CVE-2026-     |
|                       | 24682 CVE-2026-25941 CVE-2026-25942]; fix   |
|                       | buffer underflow issues [CVE-2026-22858     |
|                       | CVE-2026-26955]; fix null pointer           |
|                       | dereference issue [CVE-2026-23948]; fix     |
|                       | buffer over-read issue [CVE-2026-26271];    |
|                       | fix out-of-bounds write issue               |
|                       | [CVE-2026-26965];                           |
|                       | fix denial of service issue [CVE-2026-      |
|                       | 27015]; fix buffer overflow issues          |
|                       | [CVE-2026-29774 CVE-2026-31806 CVE-2026-    |
|                       | 31883 CVE-2026-33982 CVE-2026-33984]; fix   |
|                       | out-of-bounds read/write issues [CVE-2026-  |
|                       | 29775 CVE-2026-31885 CVE-2026-31897         |
|                       | CVE-2026-33986 CVE-2026-33987]; fix integer |
|                       | underflow issue [CVE-2026-29776]; fix       |
|                       | denial of service issues [CVE-2026-31884    |
|                       | CVE-2026-33952 CVE-2026-33977 CVE-2026-     |
|                       | 33983]; fix data leak issue [CVE-2026-      |
|                       | 33985]; fix double free issue [CVE-2026-    |
|                       | 33995]; fix path traversal issue [CVE-2026- |
|                       | 40254]                                      |
|                       |                                             |
| fwupd [43]            | Thunderbolt: Fix deploying the thunderbolt  |
|                       | controller on the X280                      |
|                       |                                             |
| git-lfs [44]          | Fix arbitrary file write issue [CVE-2025-   |
|                       | 26625]                                      |
|                       |                                             |
| glance [45]           | Fix server-side request forgery issue       |
|                       | [CVE-2026-34881]; fix build failure         |
|                       |                                             |
| glib2.0 [46]          | Fix timezone handling with Debian &         |
|                       | Ubuntu's symlinks; fix missing input        |
|                       | validation in g_buffered_input_stream_peek  |
|                       | [CVE-2026-0988]; fix integer overflow in    |
|                       | base64 encoding [CVE-2026-1484]; fix buffer |
|                       | underflow issue in content type parsing     |
|                       | [CVE-2026-1485]; fix integer overflow in    |
|                       | unicode conversion [CVE-2026-1489]          |
|                       |                                             |
| glibc [47]            | Fix incorrect handling of DNS responses     |
|                       | [CVE-2026-4437]; fix return of invalid DNS  |
|                       | hostnames [CVE-2026-4438]; fix assertion    |
|                       | failure [CVE-2026-4046]; fix a null pointer |
|                       | dereference in the                          |
|                       | nss_database_check_reload_and_get function; |
|                       | fix invalid pointer arithmetic in           |
|                       | ANSI_X3.110 iconv module; various test      |
|                       | suite fixes                                 |
|                       |                                             |
| gnupg2 [48]           | Rebuild with updated glibc                  |
|                       |                                             |
| gnutls28 [49]         | Preserve extension order across client      |
|                       | Hello retry                                 |
|                       |                                             |
| grub-efi-amd64-       | Fix an illegal instruction on riscv64       |
| signed [50]           |                                             |
|                       |                                             |
| grub-efi-arm64-       | Fix an illegal instruction on riscv64       |
| signed [51]           |                                             |
|                       |                                             |
| grub-efi-ia32-        | Fix an illegal instruction on riscv64       |
| signed [52]           |                                             |
|                       |                                             |
| grub2 [53]            | Fix an illegal instruction on riscv64       |
|                       |                                             |
| gvfs [54]             | Use control connection address for PASV     |
|                       | data [CVE-2026-28295]; reject paths         |
|                       | containing CR/LF characters [CVE-2026-      |
|                       | 28296]                                      |
|                       |                                             |
| harfbuzz [55]         | Fix NULL pointer dereference issue          |
|                       | [CVE-2026-22693]                            |
|                       |                                             |
| heimdal [56]          | Fix memory leak in heimdal-clients; add     |
|                       | build dependency on libcrypt-dev            |
|                       |                                             |
| initramfs-tools [57]  | Include Cadence driver, fixing failure to   |
|                       | boot from USB storage on boards using       |
|                       | Starfive SoC; unmkinitramfs: Accept lower-  |
|                       | case hex digits in cpio headers, fixing     |
|                       | compatibility with some other tools         |
|                       |                                             |
| integrit [58]         | Rebuild with updated glibc                  |
|                       |                                             |
| jpeg-xl [59]          | Fix uninitialised memory read issues        |
|                       | [CVE-2025-12474 CVE-2026-1837]; fix cross   |
|                       | build failure; fix "nojava" build           |
|                       | profile; fix build on big-endian            |
|                       | architectures                               |
|                       |                                             |
| jq [60]               | Fix buffer overflow issue [CVE-2026-32316]; |
|                       | fix denial of service issues [CVE-2026-     |
|                       | 33947 CVE-2026-39956]; fix validation       |
|                       | bypass issue [CVE-2026-33948]; fix out-of-  |
|                       | bounds read issue [CVE-2026-39979]; fix use |
|                       | of hardcoded seed [CVE-2026-40164]          |
|                       |                                             |
| kissfft [61]          | Fix integer overflow issues [CVE-2025-34297 |
|                       | CVE-2026-41445]                             |
|                       |                                             |
| kpackage [62]         | Skip unreliable build-time test             |
|                       |                                             |
| lemonldap-ng [63]     | OIDC: don't ignore non default signature    |
|                       | algorithm; OIDC: register Front-Channel-    |
|                       | Logout URL; really hide passwords in        |
|                       | session-explorer when stored in session;    |
|                       | update documentation to avoid using         |
|                       | unsecured Nginx variable                    |
|                       |                                             |
| libarchive [64]       | Fix out-of-bounds read issues [CVE-2025-    |
|                       | 5918 CVE-2026-4424]; fix denial of service  |
|                       | issues [CVE-2026-4111 CVE-2026-4426]; fix   |
|                       | possible code execution issue [CVE-2026-    |
|                       | 5121]                                       |
|                       |                                             |
| libcap2 [65]          | Fix time of check / time of use issue       |
|                       | [CVE-2026-4878]                             |
|                       |                                             |
| libcdio [66]          | Fix buffer overflow issue [CVE-2024-36600]  |
|                       |                                             |
| libcoap3 [67]         | Fix out-of-bounds read issue [CVE-2026-     |
|                       | 29013]; fix buffer overflow issue           |
|                       | [CVE-2025-34468]                            |
|                       |                                             |
| libcryptx-perl [68]   | Fix "Crypt::PK key generation is not fork   |
|                       | safe and will generate identical            |
|                       | keys" [CVE-2026-41564]                      |
|                       |                                             |
| libdatetime-timezone- | Update to database 2026a; update included   |
| perl [69]             | timezone data                               |
|                       |                                             |
| libexif [70]          | Fix integer underflow issues [CVE-2026-     |
|                       | 40386 CVE-2026-32775]; fix integer overflow |
|                       | issue [CVE-2026-40385]                      |
|                       |                                             |
| libfinance-quote-     | Fix date in quotes retrieved from XETRA     |
| perl [71]             | source                                      |
|                       |                                             |
| libnet-cidr-lite-     | Fix ACL bypass issues [CVE-2026-40198       |
| perl [72]             | CVE-2026-40199]                             |
|                       |                                             |
| libreoffice-          | Add dependency on dvipng/dvisvgm            |
| texmaths [73]         |                                             |
|                       |                                             |
| libtext-csv-xs-       | Fix stack corruption issue [CVE-2026-7111]  |
| perl [74]             |                                             |
|                       |                                             |
| libvncserver [75]     | Fix out of bounds read issue [CVE-2026-     |
|                       | 32853]; fix NULL pointer dereference issue  |
|                       | [CVE-2026-32854]                            |
|                       |                                             |
| libxml-security-      | Fix private key disclosure issue [CVE-2023- |
| java [76]             | 44483]                                      |
|                       |                                             |
| libxslt [77]          | Fix deterministic generate-id() regression  |
|                       | causing build failures in other packages    |
|                       |                                             |
| lxc [78]              | Fix authorisation bypass issue [CVE-2026-   |
|                       | 39402]                                      |
|                       |                                             |
| mailman-suite [79]    | Add django.contrib.humanize to recommended  |
|                       | apps in sample config                       |
|                       |                                             |
| mapserver [80]        | Fix buffer overflow issue [CVE-2026-33721]  |
|                       |                                             |
| mksh [81]             | Rebuild with updated musl                   |
|                       |                                             |
| modsecurity-crs [82]  | Fix file extension blocking bypass issue    |
|                       | [CVE-2026-33691]                            |
|                       |                                             |
| mongo-c-driver [83]   | Fix insufficient validation issues          |
|                       | [CVE-2025-14911 CVE-2026-6231]; fix denial  |
|                       | of service issue [CVE-2026-4359]; fix       |
|                       | buffer overflow issue [CVE-2026-6691];      |
|                       | improve handling of corrupt GridFS files    |
|                       |                                             |
| mumble [84]           | Fix Opus buffer overrun leading to crash    |
|                       |                                             |
| musl [85]             | Fix denial of service issue [CVE-2026-      |
|                       | 6042]; fix stack corruption issue           |
|                       | [CVE-2026-40200]                            |
|                       |                                             |
| nano [86]             | Fix overly broad permissions issue          |
|                       | [CVE-2026-6842]; fix format string issue    |
|                       | [CVE-2026-6843]                             |
|                       |                                             |
| nautilus-wipe [87]    | Remove Multi-Arch: same                     |
|                       |                                             |
| netatalk [88]         | Fix authentication in complex AD            |
|                       | environments                                |
|                       |                                             |
| nginx [89]            | Fix buffer overflow issues [CVE-2026-27654  |
|                       | CVE-2026-27784 CVE-2026-32647]; fix session |
|                       | authentication issues [CVE-2026-27651       |
|                       | CVE-2026-28753]; fix OCSP result bypass     |
|                       | issue [CVE-2026-28755]; use "$host"         |
|                       | instead of "$http_host"                     |
|                       |                                             |
| node-flatted [90]     | Fix prototype pollution issue [CVE-2026-    |
|                       | 33228]                                      |
|                       |                                             |
| node-node-rsa [91]    | Fix builds with OpenSSL 3                   |
|                       |                                             |
| node-tar [92]         | Properly sanitize absolute linkpaths        |
|                       | [CVE-2026-23745]; normalize out unicode     |
|                       | ligatures [CVE-2026-23950]; properly        |
|                       | sanitize hard links containing              |
|                       | '..' [CVE-2026-24842]; prevent hardlinking  |
|                       | to files outside the extraction root        |
|                       | [CVE-2026-26960]; strip leading '/' before  |
|                       | sanitizing '..' [CVE-2026-29786]; prevent   |
|                       | escaping symlinks with drive-relative paths |
|                       | [CVE-2026-31802]                            |
|                       |                                             |
| numba [93]            | Conditionally skip tests requiring more     |
|                       | CPUs than available                         |
|                       |                                             |
| openssh [94]          | Ensure scp does not unexpectedly make       |
|                       | transferred files setuid or setgid          |
|                       | [CVE-2026-35385]; fix command execution     |
|                       | issue [CVE-2026-35386]; fix incomplete      |
|                       | application of PubkeyAcceptedAlgorithms and |
|                       | HostbasedAcceptedAlgorithms with regard to  |
|                       | ECDSA keys [CVE-2026-35387]; use connection |
|                       | multiplexing confirmation for proxy-mode    |
|                       | multiplexing sessions [CVE-2026-35388]; fix |
|                       | handling of the authorized_keys             |
|                       | "principals" option [CVE-2026-35414];       |
|                       | validate user and host names for            |
|                       | ProxyJump/-J options passed via the command |
|                       | line; IPQoS handling improvements; don't    |
|                       | reuse c->isatty for signalling that the     |
|                       | remote channel has a tty attached           |
|                       |                                             |
| openssl [95]          | New upstream stable release                 |
|                       |                                             |
| orca [96]             | Remove lightdm wrapper on package removal   |
|                       |                                             |
| osdlyrics [97]        | Add missing runtime dependency python3-     |
|                       | pycurl; rebuild in a clean environment      |
|                       |                                             |
| pgbouncer [98]        | Fix integer overflow issue [CVE-2026-6664]; |
|                       | fix stack overflow issues [CVE-2026-6665];  |
|                       | fix NULL pointer dereference issue          |
|                       | [CVE-2026-6666]; fix missing authorization  |
|                       | check [CVE-2026-6667]                       |
|                       |                                             |
| phosh [99]            | Cell-broadcast-prompt: close dialog on      |
|                       | swipe; strip whitespace; wifi-network:      |
|                       | don't unconditionally overwrite active      |
|                       | access point; don't set active indicator    |
|                       | visible                                     |
|                       |                                             |
| php-league-           | Fix DisallowedRawHtml bypass via newline/   |
| commonmark [100]      | tab in tag names [CVE-2026-30838]; fix      |
|                       | DomainFilteringAdapter hostname boundary    |
|                       | bypass [CVE-2026-33347]                     |
|                       |                                             |
| php-phpseclib [101]   | Fix denial of service issue [CVE-2024-      |
|                       | 27355]; fix variable time comparison issue  |
|                       | [CVE-2026-40194]                            |
|                       |                                             |
| php-phpseclib3 [102]  | Fix denial of service issue [CVE-2024-      |
|                       | 27355]; fix variable time comparison issue  |
|                       | [CVE-2026-40194]                            |
|                       |                                             |
| phpseclib [103]       | Fix denial of service issue [CVE-2024-      |
|                       | 27355]; fix variable time comparison issue  |
|                       | [CVE-2026-40194]                            |
|                       |                                             |
| proftpd-dfsg [104]    | Fix SQL injection issue [CVE-2026-42167]    |
|                       |                                             |
| pymupdf [105]         | Improve safety of 'pymupdf embed-extract'   |
|                       | when dealing with existing files [CVE-2026- |
|                       | 3029]                                       |
|                       |                                             |
| python-authlib [106]  | Fix cross-site request forgery issue        |
|                       | [CVE-2025-68158]; fix denial of service     |
|                       | issues [CVE-2025-62706 CVE-2025-61920]; fix |
|                       | policy bypass issue [CVE-2025-59420]        |
|                       |                                             |
| python-bottle-        | Fix compatibility with Python 3.11+         |
| sqlite [107]          |                                             |
|                       |                                             |
| python-certbot [108]  | Re-use selected profile for renewals        |
|                       |                                             |
| python-ldap [109]     | Fix insufficient escaping issue [CVE-2025-  |
|                       | 61911]; fix denial of service issue         |
|                       | [CVE-2025-61912]                            |
|                       |                                             |
| python-mapbox-        | Remove "Multi-Arch: same" annotation        |
| earcut [110]          |                                             |
|                       |                                             |
| python-oslo.db [111]  | Fix compatibility with newer mariadb        |
|                       | versions                                    |
|                       |                                             |
| python3-lxc [112]     | Fix compatibility with Python 3.13          |
|                       |                                             |
| python3.13 [113]      | Fix header injection issues [CVE-2025-11468 |
|                       | CVE-2025-15282 CVE-2026-0672 CVE-2026-0865  |
|                       | CVE-2026-1299]; fix denial of service       |
|                       | issues [CVE-2025-12084 CVE-2025-13836       |
|                       | CVE-2025-13837 CVE-2025-6069 CVE-2025-6075  |
|                       | CVE-2025-8194]; fix incorrect parsing of    |
|                       | TarInfo header [CVE-2025-13462]; fix        |
|                       | insufficient validation in zipFile          |
|                       | [CVE-2025-8291]; fix missing sys.audit      |
|                       | invocation [CVE-2026-2297]; fix early halt  |
|                       | of base64 processing [CVE-2026-3446]; fix   |
|                       | validation bypass issue [CVE-2026-3644];    |
|                       | fix stack overflow issue [CVE-2026-4224];   |
|                       | fix insufficient validation issue           |
|                       | [CVE-2026-4519]; fix insufficient escaping  |
|                       | issue [CVE-2026-6019]; fix use-after-free   |
|                       | issue                                       |
|                       |                                             |
| qcoro [114]           | Skip unreliable build-time tests            |
|                       |                                             |
| qemu [115]            | Rebuild with updated glib2.0, glibc         |
|                       |                                             |
| qt6-base [116]        | Fix data race issues                        |
|                       |                                             |
| remmina [117]         | Disable "phone home" functionality          |
|                       |                                             |
| request-              | Fix builds of CKEditor when firefox is >=   |
| tracker5 [118]        | 148                                         |
|                       |                                             |
| rsync [119]           | Fix symlink handling on the receiver; fix   |
|                       | use-after-free issue [CVE-2026-41035]       |
|                       |                                             |
| sash [120]            | Rebuild with updated glibc                  |
|                       |                                             |
| sed [121]             | Fix time of check / time of use issue       |
|                       | [CVE-2026-5958]                             |
|                       |                                             |
| snapd [122]           | Rebuild with updated libcap2, glibc         |
|                       |                                             |
| starlet [123]         | Fix HTTP request smuggling issue [CVE-2026- |
|                       | 40561]                                      |
|                       |                                             |
| stayrtr [124]         | Stop serving stale VRPs when the validator  |
|                       | is stuck; use Restart=on-abnormal instead   |
|                       | of on-abort                                 |
|                       |                                             |
| sudo [125]            | Fix privilege escalation issue [CVE-2026-   |
|                       | 35535]                                      |
|                       |                                             |
| supermin [126]        | Rebuild with updated musl                   |
|                       |                                             |
| superqt [127]         | Skip unreliable font metrics test           |
|                       |                                             |
| suricata [128]        | Fix denial of service issues [CVE-2026-     |
|                       | 31932 CVE-2026-31933 CVE-2026-31935         |
|                       | CVE-2026-31937]                             |
|                       |                                             |
| swupdate [129]        | Fix denial of service issue [CVE-2026-      |
|                       | 28525]                                      |
|                       |                                             |
| sylpheed [130]        | Add link check to address [CVE-2021-37746]  |
|                       |                                             |
| systemd [131]         | New upstream stable release; ensure /tmp    |
|                       | workaround does not override local unit/    |
|                       | fstab; fix assert and freeze [CVE-2026-     |
|                       | 29111]; fix code execution issues           |
|                       | [CVE-2026-40225 CVE-2026-4105]; fix nspawn  |
|                       | escape-to-host issue [CVE-2026-40226]       |
|                       |                                             |
| systemd-boot-efi-     | New upstream stable release; ensure /tmp    |
| amd64-signed [132]    | workaround does not override local unit/    |
|                       | fstab; fix assert and freeze [CVE-2026-     |
|                       | 29111]; fix code execution issues           |
|                       | [CVE-2026-40225 CVE-2026-4105]; fix nspawn  |
|                       | escape-to-host issue [CVE-2026-40226]       |
|                       |                                             |
| systemd-boot-efi-     | New upstream stable release; ensure /tmp    |
| arm64-signed [133]    | workaround does not override local unit/    |
|                       | fstab; fix assert and freeze [CVE-2026-     |
|                       | 29111]; fix code execution issues           |
|                       | [CVE-2026-40225 CVE-2026-4105]; fix nspawn  |
|                       | escape-to-host issue [CVE-2026-40226]       |
|                       |                                             |
| tini [134]            | Rebuild with updated glibc                  |
|                       |                                             |
| tiv [135]             | Rebuild with updated cimg                   |
|                       |                                             |
| toil [136]            | Conditionally skip build-time tests         |
|                       | requiring more CPUs than available          |
|                       |                                             |
| tripwire [137]        | Rebuild with updated glibc                  |
|                       |                                             |
| tsocks [138]          | Rebuild with updated glibc                  |
|                       |                                             |
| tzdata [139]          | New upstream release; update data for       |
|                       | British Columbia                            |
|                       |                                             |
| unbound [140]         | Never try TLS to reach root nameservers     |
|                       |                                             |
| user-mode-linux [141] | Rebuild with updated linux                  |
|                       |                                             |
| vips [142]            | Fix buffer overflow issues [CVE-2026-2913   |
|                       | CVE-2026-3147 CVE-2026-3281]; fix memory    |
|                       | corruption issue [CVE-2026-3145]; fix null  |
|                       | pointer dereference issue [CVE-2026-3146];  |
|                       | fix out of bound read issues [CVE-2026-3282 |
|                       | CVE-2026-3283]; fix integer overflow issue  |
|                       | [CVE-2026-3284]                             |
|                       |                                             |
| xorg-server [143]     | Fix buffer re-use issue [CVE-2026-33999];   |
|                       | fix / improve bounds checking [CVE-2026-    |
|                       | 34000 CVE-2026-34003]; fix use after free   |
|                       | issue [CVE-2026-34001]; fix out-of-bounds   |
|                       | read issue [CVE-2026-34002]                 |
|                       |                                             |
| zsh [144]             | Rebuild with updated libcap2, glibc         |
|                       |                                             |
+-----------------------+---------------------------------------------+

    1: https://packages.debian.org/src:389-ds-base
    2: https://packages.debian.org/src:7zip
    3: https://packages.debian.org/src:apache2
    4: https://packages.debian.org/src:awstats
    5: https://packages.debian.org/src:base-files
    6: https://packages.debian.org/src:bash
    7: https://packages.debian.org/src:beads
    8: https://packages.debian.org/src:bepasty
    9: https://packages.debian.org/src:bglibs
   10: https://packages.debian.org/src:bird2
   11: https://packages.debian.org/src:black
   12: https://packages.debian.org/src:bubblewrap
   13: https://packages.debian.org/src:busybox
   14: https://packages.debian.org/src:calibre
   15: https://packages.debian.org/src:catatonit
   16: https://packages.debian.org/src:cdebootstrap
   17: https://packages.debian.org/src:chkrootkit
   18: https://packages.debian.org/src:cimg
   19: https://packages.debian.org/src:cockpit
   20: https://packages.debian.org/src:composer
   21: https://packages.debian.org/src:condor
   22: https://packages.debian.org/src:curl
   23: https://packages.debian.org/src:dar
   24: https://packages.debian.org/src:debian-installer
   25: https://packages.debian.org/src:debian-installer-netboot-images
   26: https://packages.debian.org/src:debmirror
   27: https://packages.debian.org/src:distribution-gpg-keys
   28: https://packages.debian.org/src:distro-info-data
   29: https://packages.debian.org/src:distrobuilder
   30: https://packages.debian.org/src:docker.io
   31: https://packages.debian.org/src:dovecot
   32: https://packages.debian.org/src:e2fsprogs
   33: https://packages.debian.org/src:efibootguard
   34: https://packages.debian.org/src:ejabberd
   35: https://packages.debian.org/src:ejabberd-contrib
   36: https://packages.debian.org/src:epics-base
   37: https://packages.debian.org/src:erlang
   38: https://packages.debian.org/src:erlang-p1-tls
   39: https://packages.debian.org/src:exim4
   40: https://packages.debian.org/src:feed2toot
   41: https://packages.debian.org/src:firewalld
   42: https://packages.debian.org/src:freerdp3
   43: https://packages.debian.org/src:fwupd
   44: https://packages.debian.org/src:git-lfs
   45: https://packages.debian.org/src:glance
   46: https://packages.debian.org/src:glib2.0
   47: https://packages.debian.org/src:glibc
   48: https://packages.debian.org/src:gnupg2
   49: https://packages.debian.org/src:gnutls28
   50: https://packages.debian.org/src:grub-efi-amd64-signed
   51: https://packages.debian.org/src:grub-efi-arm64-signed
   52: https://packages.debian.org/src:grub-efi-ia32-signed
   53: https://packages.debian.org/src:grub2
   54: https://packages.debian.org/src:gvfs
   55: https://packages.debian.org/src:harfbuzz
   56: https://packages.debian.org/src:heimdal
   57: https://packages.debian.org/src:initramfs-tools
   58: https://packages.debian.org/src:integrit
   59: https://packages.debian.org/src:jpeg-xl
   60: https://packages.debian.org/src:jq
   61: https://packages.debian.org/src:kissfft
   62: https://packages.debian.org/src:kpackage
   63: https://packages.debian.org/src:lemonldap-ng
   64: https://packages.debian.org/src:libarchive
   65: https://packages.debian.org/src:libcap2
   66: https://packages.debian.org/src:libcdio
   67: https://packages.debian.org/src:libcoap3
   68: https://packages.debian.org/src:libcryptx-perl
   69: https://packages.debian.org/src:libdatetime-timezone-perl
   70: https://packages.debian.org/src:libexif
   71: https://packages.debian.org/src:libfinance-quote-perl
   72: https://packages.debian.org/src:libnet-cidr-lite-perl
   73: https://packages.debian.org/src:libreoffice-texmaths
   74: https://packages.debian.org/src:libtext-csv-xs-perl
   75: https://packages.debian.org/src:libvncserver
   76: https://packages.debian.org/src:libxml-security-java
   77: https://packages.debian.org/src:libxslt
   78: https://packages.debian.org/src:lxc
   79: https://packages.debian.org/src:mailman-suite
   80: https://packages.debian.org/src:mapserver
   81: https://packages.debian.org/src:mksh
   82: https://packages.debian.org/src:modsecurity-crs
   83: https://packages.debian.org/src:mongo-c-driver
   84: https://packages.debian.org/src:mumble
   85: https://packages.debian.org/src:musl
   86: https://packages.debian.org/src:nano
   87: https://packages.debian.org/src:nautilus-wipe
   88: https://packages.debian.org/src:netatalk
   89: https://packages.debian.org/src:nginx
   90: https://packages.debian.org/src:node-flatted
   91: https://packages.debian.org/src:node-node-rsa
   92: https://packages.debian.org/src:node-tar
   93: https://packages.debian.org/src:numba
   94: https://packages.debian.org/src:openssh
   95: https://packages.debian.org/src:openssl
   96: https://packages.debian.org/src:orca
   97: https://packages.debian.org/src:osdlyrics
   98: https://packages.debian.org/src:pgbouncer
   99: https://packages.debian.org/src:phosh
  100: https://packages.debian.org/src:php-league-commonmark
  101: https://packages.debian.org/src:php-phpseclib
  102: https://packages.debian.org/src:php-phpseclib3
  103: https://packages.debian.org/src:phpseclib
  104: https://packages.debian.org/src:proftpd-dfsg
  105: https://packages.debian.org/src:pymupdf
  106: https://packages.debian.org/src:python-authlib
  107: https://packages.debian.org/src:python-bottle-sqlite
  108: https://packages.debian.org/src:python-certbot
  109: https://packages.debian.org/src:python-ldap
  110: https://packages.debian.org/src:python-mapbox-earcut
  111: https://packages.debian.org/src:python-oslo.db
  112: https://packages.debian.org/src:python3-lxc
  113: https://packages.debian.org/src:python3.13
  114: https://packages.debian.org/src:qcoro
  115: https://packages.debian.org/src:qemu
  116: https://packages.debian.org/src:qt6-base
  117: https://packages.debian.org/src:remmina
  118: https://packages.debian.org/src:request-tracker5
  119: https://packages.debian.org/src:rsync
  120: https://packages.debian.org/src:sash
  121: https://packages.debian.org/src:sed
  122: https://packages.debian.org/src:snapd
  123: https://packages.debian.org/src:starlet
  124: https://packages.debian.org/src:stayrtr
  125: https://packages.debian.org/src:sudo
  126: https://packages.debian.org/src:supermin
  127: https://packages.debian.org/src:superqt
  128: https://packages.debian.org/src:suricata
  129: https://packages.debian.org/src:swupdate
  130: https://packages.debian.org/src:sylpheed
  131: https://packages.debian.org/src:systemd
  132: https://packages.debian.org/src:systemd-boot-efi-amd64-signed
  133: https://packages.debian.org/src:systemd-boot-efi-arm64-signed
  134: https://packages.debian.org/src:tini
  135: https://packages.debian.org/src:tiv
  136: https://packages.debian.org/src:toil
  137: https://packages.debian.org/src:tripwire
  138: https://packages.debian.org/src:tsocks
  139: https://packages.debian.org/src:tzdata
  140: https://packages.debian.org/src:unbound
  141: https://packages.debian.org/src:user-mode-linux
  142: https://packages.debian.org/src:vips
  143: https://packages.debian.org/src:xorg-server
  144: https://packages.debian.org/src:zsh

Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+----------------+---------------------------+
| Advisory ID    | Package                   |
+----------------+---------------------------+
| DSA-6088 [145] | php8.4 [146]              |
|                |                           |
| DSA-6158 [147] | imagemagick [148]         |
|                |                           |
| DSA-6160 [149] | netty [150]               |
|                |                           |
| DSA-6161 [151] | multipart [152]           |
|                |                           |
| DSA-6162 [153] | linux-signed-amd64 [154]  |
|                |                           |
| DSA-6162 [155] | linux-signed-arm64 [156]  |
|                |                           |
| DSA-6162 [157] | linux [158]               |
|                |                           |
| DSA-6164 [159] | chromium [160]            |
|                |                           |
| DSA-6165 [161] | chromium [162]            |
|                |                           |
| DSA-6166 [163] | nodejs [164]              |
|                |                           |
| DSA-6167 [165] | gst-plugins-base1.0 [166] |
|                |                           |
| DSA-6168 [167] | freetype [168]            |
|                |                           |
| DSA-6169 [169] | imagemagick [170]         |
|                |                           |
| DSA-6170 [171] | snapd [172]               |
|                |                           |
| DSA-6171 [173] | chromium [174]            |
|                |                           |
| DSA-6172 [175] | webkit2gtk [176]          |
|                |                           |
| DSA-6173 [177] | freeciv [178]             |
|                |                           |
| DSA-6174 [179] | spip [180]                |
|                |                           |
| DSA-6175 [181] | libyaml-syck-perl [182]   |
|                |                           |
| DSA-6176 [183] | strongswan [184]          |
|                |                           |
| DSA-6177 [185] | chromium [186]            |
|                |                           |
| DSA-6178 [187] | firefox-esr [188]         |
|                |                           |
| DSA-6179 [189] | thunderbird [190]         |
|                |                           |
| DSA-6180 [191] | ruby-rack [192]           |
|                |                           |
| DSA-6181 [193] | bind9 [194]               |
|                |                           |
| DSA-6182 [195] | libxml-parser-perl [196]  |
|                |                           |
| DSA-6183 [197] | nodejs [198]              |
|                |                           |
| DSA-6184 [199] | incus [200]               |
|                |                           |
| DSA-6185 [201] | phpseclib [202]           |
|                |                           |
| DSA-6186 [203] | php-phpseclib [204]       |
|                |                           |
| DSA-6187 [205] | php-phpseclib3 [206]      |
|                |                           |
| DSA-6188 [207] | lxd [208]                 |
|                |                           |
| DSA-6189 [209] | libpng1.6 [210]           |
|                |                           |
| DSA-6190 [211] | gst-plugins-bad1.0 [212]  |
|                |                           |
| DSA-6191 [213] | gst-plugins-ugly1.0 [214] |
|                |                           |
| DSA-6192 [215] | chromium [216]            |
|                |                           |
| DSA-6193 [217] | inetutils [218]           |
|                |                           |
| DSA-6194 [219] | pyasn1 [220]              |
|                |                           |
| DSA-6195 [221] | python-tornado [222]      |
|                |                           |
| DSA-6196 [223] | roundcube [224]           |
|                |                           |
| DSA-6197 [225] | dovecot [226]             |
|                |                           |
| DSA-6198 [227] | valkey [228]              |
|                |                           |
| DSA-6200 [229] | tor [230]                 |
|                |                           |
| DSA-6201 [231] | openssl [232]             |
|                |                           |
| DSA-6202 [233] | firefox-esr [234]         |
|                |                           |
| DSA-6203 [235] | tiff [236]                |
|                |                           |
| DSA-6204 [237] | openssh [238]             |
|                |                           |
| DSA-6205 [239] | chromium [240]            |
|                |                           |
| DSA-6206 [241] | gdk-pixbuf [242]          |
|                |                           |
| DSA-6207 [243] | flatpak [244]             |
|                |                           |
| DSA-6208 [245] | mediawiki [246]           |
|                |                           |
| DSA-6209 [247] | xdg-dbus-proxy [248]      |
|                |                           |
| DSA-6211 [249] | thunderbird [250]         |
|                |                           |
| DSA-6212 [251] | incus [252]               |
|                |                           |
| DSA-6213 [253] | lxd [254]                 |
|                |                           |
| DSA-6214 [255] | chromium [256]            |
|                |                           |
| DSA-6215 [257] | gimp [258]                |
|                |                           |
| DSA-6216 [259] | opam [260]                |
|                |                           |
| DSA-6217 [261] | luanti [262]              |
|                |                           |
| DSA-6218 [263] | mupdf [264]               |
|                |                           |
| DSA-6219 [265] | pillow [266]              |
|                |                           |
| DSA-6220 [267] | simpleeval [268]          |
|                |                           |
| DSA-6221 [269] | ntfs-3g [270]             |
|                |                           |
| DSA-6222 [271] | ngtcp2 [272]              |
|                |                           |
| DSA-6225 [273] | firefox-esr [274]         |
|                |                           |
| DSA-6226 [275] | packagekit [276]          |
|                |                           |
| DSA-6227 [277] | strongswan [278]          |
|                |                           |
| DSA-6228 [279] | cpp-httplib [280]         |
|                |                           |
| DSA-6229 [281] | thunderbird [282]         |
|                |                           |
| DSA-6230 [283] | chromium [284]            |
|                |                           |
| DSA-6231 [285] | jtreg7 [286]              |
|                |                           |
| DSA-6231 [287] | openjdk-21 [288]          |
|                |                           |
| DSA-6232 [289] | webkit2gtk [290]          |
|                |                           |
| DSA-6233 [291] | pdns [292]                |
|                |                           |
| DSA-6234 [293] | pdns-recursor [294]       |
|                |                           |
| DSA-6235 [295] | dnsdist [296]             |
|                |                           |
| DSA-6236 [297] | firefox-esr [298]         |
|                |                           |
| DSA-6238 [299] | linux-signed-amd64 [300]  |
|                |                           |
| DSA-6238 [301] | linux-signed-arm64 [302]  |
|                |                           |
| DSA-6238 [303] | linux [304]               |
|                |                           |
| DSA-6239 [305] | chromium [306]            |
|                |                           |
| DSA-6240 [307] | imagemagick [308]         |
|                |                           |
| DSA-6241 [309] | python-aiohttp [310]      |
|                |                           |
| DSA-6242 [311] | thunderbird [312]         |
|                |                           |
| DSA-6244 [313] | incus [314]               |
|                |                           |
| DSA-6246 [315] | openjdk-25 [316]          |
|                |                           |
| DSA-6247 [317] | lxd [318]                 |
|                |                           |
| DSA-6248 [319] | apache2 [320]             |
|                |                           |
| DSA-6249 [321] | wireshark [322]           |
|                |                           |
| DSA-6251 [323] | libreoffice [324]         |
|                |                           |
| DSA-6252 [325] | prosody [326]             |
|                |                           |
| DSA-6253 [327] | linux-signed-amd64 [328]  |
|                |                           |
| DSA-6253 [329] | linux-signed-arm64 [330]  |
|                |                           |
| DSA-6253 [331] | linux [332]               |
|                |                           |
| DSA-6254 [333] | firefox-esr [334]         |
|                |                           |
| DSA-6257 [335] | postorius [336]           |
|                |                           |
| DSA-6259 [337] | pyjwt [338]               |
|                |                           |
| DSA-6260 [339] | tor [340]                 |
|                |                           |
| DSA-6261 [341] | corosync [342]            |
|                |                           |
| DSA-6262 [343] | lcms2 [344]               |
|                |                           |
| DSA-6263 [345] | libpng1.6 [346]           |
|                |                           |
| DSA-6264 [347] | dnsmasq [348]             |
|                |                           |
| DSA-6265 [349] | exim4 [350]               |
|                |                           |
+----------------+---------------------------+

  145: https://www.debian.org/security/2025/dsa-6088
  146: https://packages.debian.org/src:php8.4
  147: https://www.debian.org/security/2026/dsa-6158
  148: https://packages.debian.org/src:imagemagick
  149: https://www.debian.org/security/2026/dsa-6160
  150: https://packages.debian.org/src:netty
  151: https://www.debian.org/security/2026/dsa-6161
  152: https://packages.debian.org/src:multipart
  153: https://www.debian.org/security/2026/dsa-6162
  154: https://packages.debian.org/src:linux-signed-amd64
  155: https://www.debian.org/security/2026/dsa-6162
  156: https://packages.debian.org/src:linux-signed-arm64
  157: https://www.debian.org/security/2026/dsa-6162
  158: https://packages.debian.org/src:linux
  159: https://www.debian.org/security/2026/dsa-6164
  160: https://packages.debian.org/src:chromium
  161: https://www.debian.org/security/2026/dsa-6165
  162: https://packages.debian.org/src:chromium
  163: https://www.debian.org/security/2026/dsa-6166
  164: https://packages.debian.org/src:nodejs
  165: https://www.debian.org/security/2026/dsa-6167
  166: https://packages.debian.org/src:gst-plugins-base1.0
  167: https://www.debian.org/security/2026/dsa-6168
  168: https://packages.debian.org/src:freetype
  169: https://www.debian.org/security/2026/dsa-6169
  170: https://packages.debian.org/src:imagemagick
  171: https://www.debian.org/security/2026/dsa-6170
  172: https://packages.debian.org/src:snapd
  173: https://www.debian.org/security/2026/dsa-6171
  174: https://packages.debian.org/src:chromium
  175: https://www.debian.org/security/2026/dsa-6172
  176: https://packages.debian.org/src:webkit2gtk
  177: https://www.debian.org/security/2026/dsa-6173
  178: https://packages.debian.org/src:freeciv
  179: https://www.debian.org/security/2026/dsa-6174
  180: https://packages.debian.org/src:spip
  181: https://www.debian.org/security/2026/dsa-6175
  182: https://packages.debian.org/src:libyaml-syck-perl
  183: https://www.debian.org/security/2026/dsa-6176
  184: https://packages.debian.org/src:strongswan
  185: https://www.debian.org/security/2026/dsa-6177
  186: https://packages.debian.org/src:chromium
  187: https://www.debian.org/security/2026/dsa-6178
  188: https://packages.debian.org/src:firefox-esr
  189: https://www.debian.org/security/2026/dsa-6179
  190: https://packages.debian.org/src:thunderbird
  191: https://www.debian.org/security/2026/dsa-6180
  192: https://packages.debian.org/src:ruby-rack
  193: https://www.debian.org/security/2026/dsa-6181
  194: https://packages.debian.org/src:bind9
  195: https://www.debian.org/security/2026/dsa-6182
  196: https://packages.debian.org/src:libxml-parser-perl
  197: https://www.debian.org/security/2026/dsa-6183
  198: https://packages.debian.org/src:nodejs
  199: https://www.debian.org/security/2026/dsa-6184
  200: https://packages.debian.org/src:incus
  201: https://www.debian.org/security/2026/dsa-6185
  202: https://packages.debian.org/src:phpseclib
  203: https://www.debian.org/security/2026/dsa-6186
  204: https://packages.debian.org/src:php-phpseclib
  205: https://www.debian.org/security/2026/dsa-6187
  206: https://packages.debian.org/src:php-phpseclib3
  207: https://www.debian.org/security/2026/dsa-6188
  208: https://packages.debian.org/src:lxd
  209: https://www.debian.org/security/2026/dsa-6189
  210: https://packages.debian.org/src:libpng1.6
  211: https://www.debian.org/security/2026/dsa-6190
  212: https://packages.debian.org/src:gst-plugins-bad1.0
  213: https://www.debian.org/security/2026/dsa-6191
  214: https://packages.debian.org/src:gst-plugins-ugly1.0
  215: https://www.debian.org/security/2026/dsa-6192
  216: https://packages.debian.org/src:chromium
  217: https://www.debian.org/security/2026/dsa-6193
  218: https://packages.debian.org/src:inetutils
  219: https://www.debian.org/security/2026/dsa-6194
  220: https://packages.debian.org/src:pyasn1
  221: https://www.debian.org/security/2026/dsa-6195
  222: https://packages.debian.org/src:python-tornado
  223: https://www.debian.org/security/2026/dsa-6196
  224: https://packages.debian.org/src:roundcube
  225: https://www.debian.org/security/2026/dsa-6197
  226: https://packages.debian.org/src:dovecot
  227: https://www.debian.org/security/2026/dsa-6198
  228: https://packages.debian.org/src:valkey
  229: https://www.debian.org/security/2026/dsa-6200
  230: https://packages.debian.org/src:tor
  231: https://www.debian.org/security/2026/dsa-6201
  232: https://packages.debian.org/src:openssl
  233: https://www.debian.org/security/2026/dsa-6202
  234: https://packages.debian.org/src:firefox-esr
  235: https://www.debian.org/security/2026/dsa-6203
  236: https://packages.debian.org/src:tiff
  237: https://www.debian.org/security/2026/dsa-6204
  238: https://packages.debian.org/src:openssh
  239: https://www.debian.org/security/2026/dsa-6205
  240: https://packages.debian.org/src:chromium
  241: https://www.debian.org/security/2026/dsa-6206
  242: https://packages.debian.org/src:gdk-pixbuf
  243: https://www.debian.org/security/2026/dsa-6207
  244: https://packages.debian.org/src:flatpak
  245: https://www.debian.org/security/2026/dsa-6208
  246: https://packages.debian.org/src:mediawiki
  247: https://www.debian.org/security/2026/dsa-6209
  248: https://packages.debian.org/src:xdg-dbus-proxy
  249: https://www.debian.org/security/2026/dsa-6211
  250: https://packages.debian.org/src:thunderbird
  251: https://www.debian.org/security/2026/dsa-6212
  252: https://packages.debian.org/src:incus
  253: https://www.debian.org/security/2026/dsa-6213
  254: https://packages.debian.org/src:lxd
  255: https://www.debian.org/security/2026/dsa-6214
  256: https://packages.debian.org/src:chromium
  257: https://www.debian.org/security/2026/dsa-6215
  258: https://packages.debian.org/src:gimp
  259: https://www.debian.org/security/2026/dsa-6216
  260: https://packages.debian.org/src:opam
  261: https://www.debian.org/security/2026/dsa-6217
  262: https://packages.debian.org/src:luanti
  263: https://www.debian.org/security/2026/dsa-6218
  264: https://packages.debian.org/src:mupdf
  265: https://www.debian.org/security/2026/dsa-6219
  266: https://packages.debian.org/src:pillow
  267: https://www.debian.org/security/2026/dsa-6220
  268: https://packages.debian.org/src:simpleeval
  269: https://www.debian.org/security/2026/dsa-6221
  270: https://packages.debian.org/src:ntfs-3g
  271: https://www.debian.org/security/2026/dsa-6222
  272: https://packages.debian.org/src:ngtcp2
  273: https://www.debian.org/security/2026/dsa-6225
  274: https://packages.debian.org/src:firefox-esr
  275: https://www.debian.org/security/2026/dsa-6226
  276: https://packages.debian.org/src:packagekit
  277: https://www.debian.org/security/2026/dsa-6227
  278: https://packages.debian.org/src:strongswan
  279: https://www.debian.org/security/2026/dsa-6228
  280: https://packages.debian.org/src:cpp-httplib
  281: https://www.debian.org/security/2026/dsa-6229
  282: https://packages.debian.org/src:thunderbird
  283: https://www.debian.org/security/2026/dsa-6230
  284: https://packages.debian.org/src:chromium
  285: https://www.debian.org/security/2026/dsa-6231
  286: https://packages.debian.org/src:jtreg7
  287: https://www.debian.org/security/2026/dsa-6231
  288: https://packages.debian.org/src:openjdk-21
  289: https://www.debian.org/security/2026/dsa-6232
  290: https://packages.debian.org/src:webkit2gtk
  291: https://www.debian.org/security/2026/dsa-6233
  292: https://packages.debian.org/src:pdns
  293: https://www.debian.org/security/2026/dsa-6234
  294: https://packages.debian.org/src:pdns-recursor
  295: https://www.debian.org/security/2026/dsa-6235
  296: https://packages.debian.org/src:dnsdist
  297: https://www.debian.org/security/2026/dsa-6236
  298: https://packages.debian.org/src:firefox-esr
  299: https://www.debian.org/security/2026/dsa-6238
  300: https://packages.debian.org/src:linux-signed-amd64
  301: https://www.debian.org/security/2026/dsa-6238
  302: https://packages.debian.org/src:linux-signed-arm64
  303: https://www.debian.org/security/2026/dsa-6238
  304: https://packages.debian.org/src:linux
  305: https://www.debian.org/security/2026/dsa-6239
  306: https://packages.debian.org/src:chromium
  307: https://www.debian.org/security/2026/dsa-6240
  308: https://packages.debian.org/src:imagemagick
  309: https://www.debian.org/security/2026/dsa-6241
  310: https://packages.debian.org/src:python-aiohttp
  311: https://www.debian.org/security/2026/dsa-6242
  312: https://packages.debian.org/src:thunderbird
  313: https://www.debian.org/security/2026/dsa-6244
  314: https://packages.debian.org/src:incus
  315: https://www.debian.org/security/2026/dsa-6246
  316: https://packages.debian.org/src:openjdk-25
  317: https://www.debian.org/security/2026/dsa-6247
  318: https://packages.debian.org/src:lxd
  319: https://www.debian.org/security/2026/dsa-6248
  320: https://packages.debian.org/src:apache2
  321: https://www.debian.org/security/2026/dsa-6249
  322: https://packages.debian.org/src:wireshark
  323: https://www.debian.org/security/2026/dsa-6251
  324: https://packages.debian.org/src:libreoffice
  325: https://www.debian.org/security/2026/dsa-6252
  326: https://packages.debian.org/src:prosody
  327: https://www.debian.org/security/2026/dsa-6253
  328: https://packages.debian.org/src:linux-signed-amd64
  329: https://www.debian.org/security/2026/dsa-6253
  330: https://packages.debian.org/src:linux-signed-arm64
  331: https://www.debian.org/security/2026/dsa-6253
  332: https://packages.debian.org/src:linux
  333: https://www.debian.org/security/2026/dsa-6254
  334: https://packages.debian.org/src:firefox-esr
  335: https://www.debian.org/security/2026/dsa-6257
  336: https://packages.debian.org/src:postorius
  337: https://www.debian.org/security/2026/dsa-6259
  338: https://packages.debian.org/src:pyjwt
  339: https://www.debian.org/security/2026/dsa-6260
  340: https://packages.debian.org/src:tor
  341: https://www.debian.org/security/2026/dsa-6261
  342: https://packages.debian.org/src:corosync
  343: https://www.debian.org/security/2026/dsa-6262
  344: https://packages.debian.org/src:lcms2
  345: https://www.debian.org/security/2026/dsa-6263
  346: https://packages.debian.org/src:libpng1.6
  347: https://www.debian.org/security/2026/dsa-6264
  348: https://packages.debian.org/src:dnsmasq
  349: https://www.debian.org/security/2026/dsa-6265
  350: https://packages.debian.org/src:exim4

Removed packages
----------------

The following packages were removed due to circumstances beyond our
control:

+------------------+-------------------------------+
| Package          | Reason                        |
+------------------+-------------------------------+
| dav4tbsync [351] | Superseded by Thunderbird 140 |
|                  |                               |
+------------------+-------------------------------+

  351: https://packages.debian.org/src:dav4tbsync

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.


URLs
----

The complete lists of packages that have changed with this revision:

https://deb.debian.org/debian/dists/trixie/ChangeLog


The current stable distribution:

https://deb.debian.org/debian/dists/stable/


Proposed updates to the stable distribution:

https://deb.debian.org/debian/dists/proposed-updates


Stable distribution information (release notes, errata, etc.):

https://www.debian.org/releases/stable/


Security announcements and information:

https://www.debian.org/security/



About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.


Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <[email protected]>, or contact the
stable release team at <[email protected]>.
