Uppdaterad Debian 13; 13.6 utgiven
11 juli 2026
Debianprojektet presenterar stolt sin sjätte uppdatering till dess
stabila utgåva Debian 13 (med kodnamnet trixie
).
Denna punktutgåva lägger huvudsakligen till rättningar för säkerhetsproblem,
tillsammans med ytterligare rättningar för allvarliga problem. Säkerhetsbulletiner
har redan publicerats separat och refereras när de finns tillgängliga.
Vänligen notera att punktutgåvan inte innebär en ny version av Debian
13 utan endast uppdaterar några av de inkluderade paketen. Det behövs
inte kastas bort gamla media av trixie
. Efter installationen
kan paket uppgraderas till de aktuella versionerna genom att använda en uppdaterad
Debianspegling..
De som frekvent installerar uppdateringar från security.debian.org kommer inte att behöva uppdatera många paket, och de flesta av sådana uppdateringar finns inkluderade i punktutgåvan.
Nya installationsavbildningar kommer snart att finnas tillgängliga på de vanliga platserna.
En uppgradering av en existerande installation till denna revision kan utföras genom att peka pakethanteringssystemet på en av Debians många HTTP-speglingar. En utförlig lista på speglingar finns på:
Betydande uppdateringar
fwupd
och Secure Boot CA upphör
fwupd
har uppdaterats till uppströmsversionen 2.0.20, som har
möjlighet att uppdatera databaserna Secure Boot-certifikatutfärdare (CA),
Key Exchange Key (KEK) och återkallelse (DBX).
2013 års UEFI Secure Boot CA som installerats som standard på de flesta
datorer och använts för att signera bootloaders, har nu löpt ut.
Framtida uppdateringar av shim-signed
kan därför leda till att system
inte kan starta med Secure Boot aktiverat.
Användare rekommenderas starkt att installera CA
-, KEK
- och
DBX
-uppdateringar från deras systemtillverkare i enlighet med följande
riktlinjer:
geoip-database
återställd
Av licensskäl har geoip-database
återställts till en version daterad
ungefär december 2019. Som ett resultat av detta kan applikationer som använder
denna databas använda föråldrad allekeringsinformation.
Nyare versioner av geoip-database
(GeoLite) är inte kompatibla
med Debians riktlinjer för fri programvara och kan därför inte distribueras.
Konsumenter av dessa data uppmanas starkt att skaffa en GroLite-licens direkt
och sluta förlita sig på paketet geoip-database
./
Blandade felrättningar
Denna uppdatering av den stabila utgåvan lägger till några viktiga felrättningar till följande paket:
| Paket | Orsak |
|---|---|
| apache2 | Fix use-after-free issues [CVE-2026-29167 CVE-2026-48913]; fix cross-site scripting issue [CVE-2026-29170]; fix buffer overflow issues [CVE-2026-34355 CVE-2026-34356 CVE-2026-42536]; fix denial of service issues [CVE-2026-42535 CVE-2026-44186 CVE-2026-49975]; fix out of bounds read issues [CVE-2026-43951 CVE-2026-44185]; fix file read issue [CVE-2026-44119]; fix buffer underwrite issue [CVE-2026-44631] |
| archlinux-keyring | Update keys |
| awstats | Prevent freezing on keyword stat |
| base-files | Update for the point release |
| beets | Fix XSS vulnerability [CVE-2026-42052] |
| calibre | Fix unsafe e-book extraction and resource path handling [CVE-2026-30853 CVE-2026-33206]; prevent e-book viewer local file reads and SSRF/exfiltration [CVE-2026-33205]; avoid unsafe catalog rule evaluation; correct XPath and SQL query handling; fix reader-background endpoint path normalisation; improve exception diagnostics |
| cdebootstrap | Rebuild with updated xz-utils |
| chrony | Ensure if-up/down hook scripts exit successfully |
| ckermit | Block remote control of the local kermit by default [CVE-2025-68920]; disable unnecessary OpenSSL version check |
| composer | Fix support for new GitHub token format [CVE-2026-45793] |
| courier | Fix webadmin paths to imapd and imapd-ssl |
| curl | Fix bearer token redirect leaks [CVE-2025-14524 CVE-2026-3783]; correct OpenSSL CA cache reuse [CVE-2025-14819]; fix HTTP Negotiate and proxy connection reuse [CVE-2026-1965 CVE-2026-3784 CVE-2026-5545]; prevent clear-text STARTTLS connection reuse [CVE-2026-4873]; fix SMB use-after-free and wrong share reuse [CVE-2026-3805 CVE-2026-5773]; clear redirected host/proxy/netrc credentials [CVE-2026-6253 CVE-2026-6429]; prevent stale cookie leaks [CVE-2026-6276]; clear proxy Digest state when switching proxies [CVE-2026-7168] |
| dar | Rebuild with updated curl, libgcrypt20, openssl |
| dcmtk | Fix NULL pointer dereference issues [CVE-2022-4981 CVE-2025-14841]; fix memory corruption issues [CVE-2025-2357 CVE-2025-9732 CVE-2025-14607]; fix command injection issue [CVE-2026-5663]; fix buffer overflow issues [CVE-2026-10194 CVE-2026-12805] |
| debian-installer | Bump linux ABI 6.12.94+deb13; rebuild for point release |
| debian-installer-netboot-images | Rebuild from proposed updates |
| debusine | Enforce file upload permissions; restrict artifact relation creation/deletion [CVE-2026-11852]; harden sbuild repository command quoting; reject unsafe .dsc/.changes checksum paths [CVE-2026-11853] |
| deepdiff | Fix class pollution issue [CVE-2025-58367]; fix denial of service issue [CVE-2026-33155] |
| dhcpcd | Fix memory safety issues [CVE-2025-70102 CVE-2026-56113 CVE-2026-56114]; fix IPv6 Router Advertisement information leakage [CVE-2026-56116]; correct control socket lifetime handling [CVE-2026-56117] |
| distrobuilder | Rebuild with updated incus |
| dolphin | Fix sandbox escape issue [CVE-2026-41525] |
| errands | Fix verification of TLS certificates for CalDAV servers [CVE-2025-71063] |
| execnet | Disable unreliable build-time tests |
| fldigi | Force LC_NUMERIC=C.UTF-8 to use proper decimal separator in API and ADIF log files |
| freecad | Fix fanuc post processor; fix build failure on arm64 |
| fwupd | Enable UEFI CA/db/KEK updates for the 2026 Secure Boot certificate transition; fix UEFI PK/KEK/dbx enumeration; fix Thunderbolt controller deployment; correct firmware update regressions; update fwupd hardware support and tests |
| gambas3 | Fix Qt component loading |
| gdown | Fix arbitray file write issue [CVE-2026-40491] |
| geoip | Reinstate generator scripts, relied upon by geoip-database |
| geoip-database | Revert to a DFSG-compatible version |
| giflib | Fix memory corruption issues [CVE-2026-23868 CVE-2026-26740] |
| gimp | Fix integer overflow issues [CVE-2026-4154 CVE-2026-40915] |
| gnupg2 | Rebuild with updated libgcrypt20 |
| gnustep-sqlclient | Remove Multi-Arch: same |
| graphite2 | Fix out-of-bounds write [CVE-2026-50593] |
| horizon | Fix escaping of special characters in project |
| ironic | Fix credential forwarding from configuration molds [CVE-2026-42997]; fix IPMI console command injection [CVE-2026-42510]; sandbox kickstart template rendering [CVE-2026-44916]; prevent conductor thread exhaustion from file special devices [CVE-2026-44919]; restrict unsafe file image paths; improve image download validation and checksumming; correct Redfish power, boot and firmware workflows; fix inspection rule validation and hook failures; avoid stuck service/deploy states |
| isc-kea | Fix denial of service issue [CVE-2026-3608] |
| isenkram | Handle usr-merge migration in update-fw-list; update generated firmware lists |
| keystone | Fix behaviour of user_enabled_invert [CVE-2026-40683]; prevent unauthorized EC2 credential creation and deletion [CVE-2026-33551] |
| libapache-session-browseable-perl | Improve entropy source [CVE-2026-8503] |
| libass | Fix out of bounds read and write issues |
| libbytes-random-secure-perl | Fix incorrect usage of seed in PRNG [CVE-2026-11625] |
| libcaca | Prevent undefined behaviour in overflow check [CVE-2026-42046] |
| libcrypt-pbkdf2-perl | Change default hash algorithm to HMAC-SHA256 and default iterations to 600,000 [CVE-2026-9641]; generate salts using Crypt::URandom [CVE-2026-9638]; use a constant-time comparison in `validate` to avoid timing attacks [CVE-2017-20240] |
| libcrypt-urandom-perl | Fix buffer overflow issue [CVE-2026-2474] |
| libhtml-parser-perl | Fix heap-use-after-free in _decode_entities [CVE-2026-8829] |
| libnet-cidr-lite-perl | Fix IP/CIDR parser validation: reject non-ASCII digits and trailing newlines [CVE-2026-55190]; reject zero-padded CIDR masks [CVE-2026-45191] |
| libreoffice | Gracefully handle failure in graphite2 |
| libslirp | Fix memory disclosure issue [CVE-2026-9539] |
| libtasn1-6 | Fix buffer overflow issue [CVE-2025-13151] |
| libvncserver | Fix buffer overflow and out-of-bounds write [CVE-2026-44988 CVE-2026-50538] |
| libxml-libxml-perl | Fix out-of-bounds read [CVE-2026-8177] |
| libxml2 | Fix RelaxNG include recursion limits [CVE-2026-0989]; prevent XML and SGML catalog recursion/resource exhaustion [CVE-2025-8732 CVE-2026-0990 CVE-2026-0992]; fix xmllint shell memory leak [CVE-2026-1757]; correct XML writer and Schematron error-path leaks; avoid RelaxNG validation use-after-free; update regression tests |
| libxpm | Fix out of bounds read issue [CVE-2026-4367] |
| linuxcnc | Sanitize module names |
| lxml-html-clean | Fix filter bypass issue [CVE-2026-28348]; fix tag injection issue [CVE-2026-28350] |
| mariadb | New upstream stable release; fix code execution issues [CVE-2026-44168 CVE-2026-48163 CVE-2026-48165]; fix authorization bypass [CVE-2026-44169]; fix path traversal issue [CVE-2026-44171]; fix SQL injection issue [CVE-2026-44172]; fix incomplete privilege check issue [CVE-2026-44173]; fix Illegal mix of collationserror; fix Mroonga hangs on invalid index flag; fix crash in information_schema.table_constraints |
| mesa | Fix WebGPU/SPIR-V allocation handling [CVE-2026-40393] |
| miniupnpd | Fix integer underflow issue [CVE-2026-5720] |
| modsecurity | Prevent denial of service in hexDecode handling [CVE-2026-30923]; prevent denial of service in SSN/CPF/SVNR verification [CVE-2026-42268] |
| mutt | Fix buffer truncation issues [CVE-2026-43859 CVE-2026-43860 CVE-2026-43861]; fix mishandling of imap_auth_gss security level [CVE-2026-43862]; fix denial of service issue [CVE-2026-43863]; fix NULL pointer dereference issue [CVE-2026-43864] |
| mxml | Fix out-of-bounds read [CVE-2026-5037] |
| nbconvert | Fix arbitrary file read/write issues [CVE-2026-39377 CVE-2026-39378] |
| neutron | Fix tagging policy bypass |
| nss | Improve handling of escape sequences in pk11uri_ParseAttributes [CVE-2026-12318] |
| ojalgo | Reduce frequency of built-time test failures |
| opencc | Fix out-of-bounds read issue [CVE-2025-15536] |
| openslide | Fix possible code execution issue [CVE-2026-48977] |
| php-guzzlehttp-psr7 | Fix Host authority validation [CVE-2026-48998]; reject control characters in URI hosts [CVE-2026-49214]; harden ServerRequest globals handling; normalise global header values; encode literal plus signs in query helpers |
| php-league-csv | Fix build time test with PHP >=8.4.14 |
| php-twig | Security update |
| pillow | Followup fix for CVE-2026-42310 |
| poco | Fix segmentation fault [CVE-2025-6375] |
| poetry | Fix arbitrary file write issue [CVE-2026-34591] |
| poppler | Fix invalid signature creation issue |
| postfix | New upstream stable release; fix denial of service issue [CVE-2026-43964]; keep daemon running during upgrades |
| protobuf | Fix parser recursion limits [CVE-2024-7254 CVE-2025-4565 CVE-2026-0994 CVE-2026-6409] |
| psd-tools | Fix denial of service issue [CVE-2026-27809] |
| pupnp | Fix SSRF port confusion issue [CVE-2026-41682] |
| pymdown-extensions | Fix regular expression-based denial of service issue [CVE-2025-68142] |
| pyopenssl | Fix handling of exceptions and connection cancelling [CVE-2026-27448]; fix buffer overflow in DTLS cookie callback [CVE-2026-27459] |
| pytest-httpbin | Disable unreliable build-time test |
| python-daphne | Fix denial of service issue [CVE-2026-44545]; fix header injection issue [CVE-2026-44546] |
| python-django | Update test suite following changes in python3.13 |
| python-dynaconf | Fix Server-Side Template Injection issue [CVE-2026-33154] |
| python-grpc-tools | Fix TypeError in command.build_package_protos |
| python-handy-archives | Fix end of central diretory locator for Zip64 |
| python-idna | Fix denial of service issue [CVE-2026-45409] |
| python-iniparse | Fix race condition in build-time tests |
| python-jwcrypto | Fix denial of service issue [CVE-2026-39373] |
| python-markdown | Adapt to changes in Python's html.parser module |
| python-marshmallow | Fix denial of service issue [CVE-2025-68480] |
| python-memray | Fix cross-site scripting issue [CVE-2026-32722] |
| python-virtualenv | Fix time-of-check / time-of-use issues [CVE-2026-22702] |
| python-webob | Fix open redirect issue [CVE-2026-44889] |
| python-xmltodict | Fix XML injection issue [CVE-2025-9375] |
| python3.13 | Fix a crash in SNI callback when the SSL object is gone; fix reference leaks in ssl.SSLContext objects; avoid garbage collecting objects too early when sharing __dict__; fix CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host[CVE-2026-1502]; fix denial of service issues [CVE-2026-3276 CVE-2026-9669]; fix insufficient escaping issue [CVE-2026-6019]; fix path traversal issue [CVE-2026-7774]; fix server-side request forgery issue [CVE-2026-8328] |
| qemu | New upstream stable release; security fixes [CVE-2024-6519 CVE-2026-2243 CVE-2026-3195 CVE-2026-3196 CVE-2026-3842 CVE-2026-3886 CVE-2026-3890 CVE-2026-41435 CVE-2026-41436 CVE-2026-41437 CVE-2026-41438 CVE-2026-41439 CVE-2026-41440 CVE-2026-5744 CVE-2026-5761 CVE-2026-5763 CVE-2026-6502 CVE-2026-8341 CVE-2026-48002 CVE-2026-48003 CVE-2026-48004 CVE-2026-48914 CVE-2026-48915 CVE-2026-6425 CVE-2026-8343] |
| qtmir | Fix Lomiri rendering, scaling, focus handling, and session crash issues; correct stale window and dead surface cleanup; ensure Xwayland applications inherit DISPLAY; improve Asahi Linux rendering provider selection |
| rauc | Fix improper signing of large bundles [CVE-2026-34155] |
| resource-agents | Fix syntax error |
| rhino | Fix denial of service issue [CVE-2025-66453] |
| rlottie | Fix out-of-bounds read issue [CVE-2026-10305]; fix denial of service issues [CVE-2026-47319 CVE-2026-47320] |
| rsync | Reject excessively long HTTP proxy response lines [CVE-2026-45232] |
| rtl-433 | Fix buffer overflow issue [CVE-2025-34450] |
| ruby-css-parser | Fix validation of HTTPS certificates for remote CSS [CVE-2026-44312] |
| rust-time | Fix denial of service [CVE-2026-25727] |
| samba | New upstream stable release |
| shim | New upstream release; build with default gcc; set SBAT revocation level to 2025021800 |
| shim-helpers-amd64-signed | Update to shim 16.1-2~deb13u1 |
| shim-helpers-arm64-signed | Update to shim 16.1-2~deb13u1 |
| shim-signed | Ensure Secure Boot compatibility with 2023 Microsoft UEFI CA; check for likely boot issues before installation; combine and verify multiple shim signatures; update signed shim binaries |
| skanpage | Fix data leakage issue [CVE-2025-55174] |
| smartdns | Fix buffer overflow issue [CVE-2026-1425] |
| squirrel3 | Fix sandbox escape [CVE-2021-41556] |
| sshfs-fuse | Add contain_symlinks option to prevent symlink escape attacks [CVE-2026-47187]; reject hostname option injection via bracketed mount source [CVE-2026-48711] |
| starman | Fix request smuggling issue [CVE-2026-40560] |
| symfony | Security update |
| tigervnc | Prevent other users reading x0vncserver screen [CVE-2026-34352] |
| user-mode-linux | Rebuild with updated linux |
| vitrage | Fix remote code execution vulnerability [CVE-2026-28370] |
| wireless-regdb | New upstream stable release; update regulatory information for several countries |
| wireshark | New upstream stable release; fix denial of service issue [CVE-2026-9759] |
| xz-utils | Fix buffer overflow issue [CVE-2026-34743] |
Säkerhetsuppdateringar
Denna revision lägger till följande säkerhetsuppdateringar till den stabila utgåvan. Säkerhetsgruppen har redan släppt bulletiner för alla dessa uppdateringar:
Debianinstalleraren
Installeraren har uppdaterats för att inkludera rättningarna som har inkluderats i den stabila utgåvan med denna punktutgåva.
URLer
Den fullständiga listan på paket som har förändrats i denna revision:
Den aktuella stabila utgåvan:
Föreslagna uppdateringar till den stabila utgåvan:
Information om den stabila utgåvan (versionsfakta, kända problem osv.):
Säkerhetsbulletiner och information:
Om Debian
Debianprojektet är en grupp utvecklare av Fri mjukvara som donerar sin tid och kraft för att producera det helt fria operativsystemet Debian.
Kontaktinformation
För ytterligare information, vänligen besök Debians webbplats på https://www.debian.org/, skicka e-post till <press@debian.org>, eller kontakta gruppen för stabila utgåvor på <debian-release@lists.debian.org>.
