Upcoming Debian 12 Update (12.5)

The Debian Project News and Announcements curated from official Debian news and rss feeds.

#1 Post by None1975 »

Upcoming Debian 12 Update (12.5)

An update to Debian 12 is scheduled for Saturday, February 10th, 2024. As of
now it will include the following bug fixes. They can be found in
"bookworm-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bookworm-updates".

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package Reason
------- ------

apktool Prevent arbitrary file writes with malicious
resource names [CVE-2024-21633]

atril Fix crash when opening some epub files; fix
index loading for certain epub documents; add
fallback for malformed epub files in
check_mime_type; use libarchive instead of
external command for extracting documents
[CVE-2023-51698]

base-files Update for the 12.5 point release

caja Fix desktop rendering artifacts after
resolution changes; fix use of "informal" date
format

calibre Fix "HTML Input: Don't add resources that exist
outside the folder hierarchy rooted at the
parent folder of the input HTML file by default"
[CVE-2023-46303]

compton Remove recommendation of picom

cryptsetup cryptsetup-initramfs: Add support for
compressed kernel modules;
cryptsetup-suspend-wrapper: Don't error out on missing
/lib/systemd/system-sleep directory;
add_modules(): Change suffix drop logic to
match initramfs-tools

debian-edu-artwork Provide an Emerald theme based artwork for
Debian Edu 12

debian-edu-config New upstream release

debian-edu-doc Update included documentation and translations

debian-edu-fai New upstream release

debian-edu-install New upstream release; fix security sources.list

debian-installer Increase Linux kernel ABI to 6.1.0-18; rebuild
against proposed-updates

debian-ports-archive-keyring Add Debian Ports Archive Automatic Signing Key
(2025)

dpdk New upstream stable release

dropbear Fix "terrapin attack" [CVE-2023-48795]

engrampa Fix several memory leaks; fix archive "save as"
functionality

espeak-ng Fix buffer overflow issues [CVE-2023-49990
CVE-2023-49992 CVE-2023-49993], buffer
underflow issue [CVE-2023-49991], floating
point exception issue [CVE-2023-49994]

filezilla Prevent 'Terrapin' exploit [CVE-2023-48795]

fish Handle Unicode non-printing characters safely
when given as command substitution
[CVE-2023-49284]

fssync Disable flaky tests

gnutls28 Fix assertion failure when verifying a
certificate chain with a cycle of cross
signatures [CVE-2024-0567]; fix timing
side-channel issue [CVE-2024-0553]

indent Fix buffer under read issue [CVE-2024-0911]

isl Fix use on older CPUs

jtreg7 New source package to support builds of
openjdk-17

libdatetime-timezone-perl Update included timezone data

libde265 Fix buffer overflow issues [CVE-2023-49465
CVE-2023-49467 CVE-2023-49468]

libfirefox-marionette-perl Fix compatibility with newer firefox-esr
versions

libmateweather Fix URL for aviationweather.gov

libspreadsheet-parsexlsx-perl Fix possible memory bomb [CVE-2024-22368]; fix
XML External Entity issue [CVE-2024-23525]

linux New upstream stable release; bump ABI to 18

localslackirc Send authorization and cookie headers to the
websocket

mariadb New upstream stable release; fix denial of
service issue [CVE-2023-22084]

mate-screensaver Fix memory leaks

mate-settings-daemon Fix memory leaks; relax High DPI limits; fix
handling of multiple rfkill events

mate-utils Fix various memory leaks

monitoring-plugins Fix check_http plugin when "--no-body" is used
and the upstream response is chunked

needrestart Fix microcode check regression on AMD CPUs

netplan.io Fix autopkgtests with newer systemd versions

nextcloud-desktop Fix "fails to sync files with special chars
like ':'"; fix two-factor authentication
notifications

node-yarnpkg Fix use with Commander 8

onionprobe Fix initialisation of Tor if using hashed
passwords

pipewire Use malloc_trim() when available to release
memory

pluma Fix memory leak issues; fix double activation
of extensions

postfix New upstream stable release; address SMTP
smuggling issue [CVE-2023-51764]

proftpd-dfsg Implement fix for the Terrapin attack
[CVE-2023-48795]; fix out-of-bounds read issue
[CVE-2023-51713]

proftpd-mod-proxy Implement fix for the Terrapin attack
[CVE-2023-48795]

pypdf Fix infinite loop issue [CVE-2023-36464]

pypdf2 Fix infinite loop issue [CVE-2023-36464]

pypy3 Avoid an rpython assertion error in the JIT if
integer ranges don't overlap in a loop

qemu New upstream stable release; virtio-net:
correctly copy vnet header when flushing TX
[CVE-2023-6693]; fix null pointer dereference
issue [CVE-2023-6683]

rpm Enable the read-only BerkeleyDB backend

rss-glx Install screensavers into
/usr/libexec/xscreensaver; call GLFinish()
prior to glXSwapBuffers()

spip Fix two cross-site scripting issues

swupdate Prevent acquiring root privileges through
inappropriate socket mode

systemd New upstream stable release; fix missing
verification issue in systemd-resolved
[CVE-2023-7008]

tar Fix boundary checking in base-256 decoder
[CVE-2022-48303], handling of extended header
prefixes [CVE-2023-39804]

tinyxml Fix assertion issue [CVE-2023-34194]

tzdata New upstream stable release

usb.ids Update included data list

usbutils Fix usb-devices not printing all devices

usrmerge Clean up biarch directories when not needed;
don't run convert-etc-shells again on converted
systems; handle mounted /lib/modules on Xen
systems; improve error reporting; add versioned
conflicts with libc-bin, dhcpcd,
libparted1.8-10 and lustre-utils

wolfssl Fix security issue when client sent neither PSK
nor KSE extensions [CVE-2023-3724]

xen New upstream stable release; security fixes
[CVE-2023-46837 CVE-2023-46839 CVE-2023-46840]


A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:
https://release.debian.org/proposed-updates/stable.htm