Uppdaterad Debian 13; 13.6 utgiven

11 juli 2026

Debianprojektet presenterar stolt sin sjätte uppdatering till dess stabila utgåva Debian 13 (med kodnamnet trixie). Denna punktutgåva lägger huvudsakligen till rättningar för säkerhetsproblem, tillsammans med ytterligare rättningar för allvarliga problem. Säkerhetsbulletiner har redan publicerats separat och refereras när de finns tillgängliga.

Vänligen notera att punktutgåvan inte innebär en ny version av Debian 13 utan endast uppdaterar några av de inkluderade paketen. Det behövs inte kastas bort gamla media av trixie. Efter installationen kan paket uppgraderas till de aktuella versionerna genom att använda en uppdaterad Debianspegling..

De som frekvent installerar uppdateringar från security.debian.org kommer inte att behöva uppdatera många paket, och de flesta av sådana uppdateringar finns inkluderade i punktutgåvan.

Nya installationsavbildningar kommer snart att finnas tillgängliga på de vanliga platserna.

En uppgradering av en existerande installation till denna revision kan utföras genom att peka pakethanteringssystemet på en av Debians många HTTP-speglingar. En utförlig lista på speglingar finns på:

https://www.debian.org/mirror/list

Betydande uppdateringar

fwupd och Secure Boot CA upphör

fwupd har uppdaterats till uppströmsversionen 2.0.20, som har möjlighet att uppdatera databaserna Secure Boot-certifikatutfärdare (CA), Key Exchange Key (KEK) och återkallelse (DBX).

2013 års UEFI Secure Boot CA som installerats som standard på de flesta datorer och använts för att signera bootloaders, har nu löpt ut. Framtida uppdateringar av shim-signed kan därför leda till att system inte kan starta med Secure Boot aktiverat.

Användare rekommenderas starkt att installera CA-, KEK- och DBX-uppdateringar från deras systemtillverkare i enlighet med följande riktlinjer:

https://wiki.debian.org/SecureBoot/CAChanges#What_should_I_do.3F

geoip-database återställd

Av licensskäl har geoip-database återställts till en version daterad ungefär december 2019. Som ett resultat av detta kan applikationer som använder denna databas använda föråldrad allekeringsinformation.

Nyare versioner av geoip-database (GeoLite) är inte kompatibla med Debians riktlinjer för fri programvara och kan därför inte distribueras.

Konsumenter av dessa data uppmanas starkt att skaffa en GroLite-licens direkt och sluta förlita sig på paketet geoip-database./

Blandade felrättningar

Denna uppdatering av den stabila utgåvan lägger till några viktiga felrättningar till följande paket:

Paket Orsak
apache2 Fix use-after-free issues [CVE-2026-29167 CVE-2026-48913]; fix cross-site scripting issue [CVE-2026-29170]; fix buffer overflow issues [CVE-2026-34355 CVE-2026-34356 CVE-2026-42536]; fix denial of service issues [CVE-2026-42535 CVE-2026-44186 CVE-2026-49975]; fix out of bounds read issues [CVE-2026-43951 CVE-2026-44185]; fix file read issue [CVE-2026-44119]; fix buffer underwrite issue [CVE-2026-44631]
archlinux-keyring Update keys
awstats Prevent freezing on keyword stat
base-files Update for the point release
beets Fix XSS vulnerability [CVE-2026-42052]
calibre Fix unsafe e-book extraction and resource path handling [CVE-2026-30853 CVE-2026-33206]; prevent e-book viewer local file reads and SSRF/exfiltration [CVE-2026-33205]; avoid unsafe catalog rule evaluation; correct XPath and SQL query handling; fix reader-background endpoint path normalisation; improve exception diagnostics
cdebootstrap Rebuild with updated xz-utils
chrony Ensure if-up/down hook scripts exit successfully
ckermit Block remote control of the local kermit by default [CVE-2025-68920]; disable unnecessary OpenSSL version check
composer Fix support for new GitHub token format [CVE-2026-45793]
courier Fix webadmin paths to imapd and imapd-ssl
curl Fix bearer token redirect leaks [CVE-2025-14524 CVE-2026-3783]; correct OpenSSL CA cache reuse [CVE-2025-14819]; fix HTTP Negotiate and proxy connection reuse [CVE-2026-1965 CVE-2026-3784 CVE-2026-5545]; prevent clear-text STARTTLS connection reuse [CVE-2026-4873]; fix SMB use-after-free and wrong share reuse [CVE-2026-3805 CVE-2026-5773]; clear redirected host/proxy/netrc credentials [CVE-2026-6253 CVE-2026-6429]; prevent stale cookie leaks [CVE-2026-6276]; clear proxy Digest state when switching proxies [CVE-2026-7168]
dar Rebuild with updated curl, libgcrypt20, openssl
dcmtk Fix NULL pointer dereference issues [CVE-2022-4981 CVE-2025-14841]; fix memory corruption issues [CVE-2025-2357 CVE-2025-9732 CVE-2025-14607]; fix command injection issue [CVE-2026-5663]; fix buffer overflow issues [CVE-2026-10194 CVE-2026-12805]
debian-installer Bump linux ABI 6.12.94+deb13; rebuild for point release
debian-installer-netboot-images Rebuild from proposed updates
debusine Enforce file upload permissions; restrict artifact relation creation/deletion [CVE-2026-11852]; harden sbuild repository command quoting; reject unsafe .dsc/.changes checksum paths [CVE-2026-11853]
deepdiff Fix class pollution issue [CVE-2025-58367]; fix denial of service issue [CVE-2026-33155]
dhcpcd Fix memory safety issues [CVE-2025-70102 CVE-2026-56113 CVE-2026-56114]; fix IPv6 Router Advertisement information leakage [CVE-2026-56116]; correct control socket lifetime handling [CVE-2026-56117]
distrobuilder Rebuild with updated incus
dolphin Fix sandbox escape issue [CVE-2026-41525]
errands Fix verification of TLS certificates for CalDAV servers [CVE-2025-71063]
execnet Disable unreliable build-time tests
fldigi Force LC_NUMERIC=C.UTF-8 to use proper decimal separator in API and ADIF log files
freecad Fix fanuc post processor; fix build failure on arm64
fwupd Enable UEFI CA/db/KEK updates for the 2026 Secure Boot certificate transition; fix UEFI PK/KEK/dbx enumeration; fix Thunderbolt controller deployment; correct firmware update regressions; update fwupd hardware support and tests
gambas3 Fix Qt component loading
gdown Fix arbitray file write issue [CVE-2026-40491]
geoip Reinstate generator scripts, relied upon by geoip-database
geoip-database Revert to a DFSG-compatible version
giflib Fix memory corruption issues [CVE-2026-23868 CVE-2026-26740]
gimp Fix integer overflow issues [CVE-2026-4154 CVE-2026-40915]
gnupg2 Rebuild with updated libgcrypt20
gnustep-sqlclient Remove Multi-Arch: same
graphite2 Fix out-of-bounds write [CVE-2026-50593]
horizon Fix escaping of special characters in project
ironic Fix credential forwarding from configuration molds [CVE-2026-42997]; fix IPMI console command injection [CVE-2026-42510]; sandbox kickstart template rendering [CVE-2026-44916]; prevent conductor thread exhaustion from file special devices [CVE-2026-44919]; restrict unsafe file image paths; improve image download validation and checksumming; correct Redfish power, boot and firmware workflows; fix inspection rule validation and hook failures; avoid stuck service/deploy states
isc-kea Fix denial of service issue [CVE-2026-3608]
isenkram Handle usr-merge migration in update-fw-list; update generated firmware lists
keystone Fix behaviour of user_enabled_invert [CVE-2026-40683]; prevent unauthorized EC2 credential creation and deletion [CVE-2026-33551]
libapache-session-browseable-perl Improve entropy source [CVE-2026-8503]
libass Fix out of bounds read and write issues
libbytes-random-secure-perl Fix incorrect usage of seed in PRNG [CVE-2026-11625]
libcaca Prevent undefined behaviour in overflow check [CVE-2026-42046]
libcrypt-pbkdf2-perl Change default hash algorithm to HMAC-SHA256 and default iterations to 600,000 [CVE-2026-9641]; generate salts using Crypt::URandom [CVE-2026-9638]; use a constant-time comparison in `validate` to avoid timing attacks [CVE-2017-20240]
libcrypt-urandom-perl Fix buffer overflow issue [CVE-2026-2474]
libhtml-parser-perl Fix heap-use-after-free in _decode_entities [CVE-2026-8829]
libnet-cidr-lite-perl Fix IP/CIDR parser validation: reject non-ASCII digits and trailing newlines [CVE-2026-55190]; reject zero-padded CIDR masks [CVE-2026-45191]
libreoffice Gracefully handle failure in graphite2
libslirp Fix memory disclosure issue [CVE-2026-9539]
libtasn1-6 Fix buffer overflow issue [CVE-2025-13151]
libvncserver Fix buffer overflow and out-of-bounds write [CVE-2026-44988 CVE-2026-50538]
libxml-libxml-perl Fix out-of-bounds read [CVE-2026-8177]
libxml2 Fix RelaxNG include recursion limits [CVE-2026-0989]; prevent XML and SGML catalog recursion/resource exhaustion [CVE-2025-8732 CVE-2026-0990 CVE-2026-0992]; fix xmllint shell memory leak [CVE-2026-1757]; correct XML writer and Schematron error-path leaks; avoid RelaxNG validation use-after-free; update regression tests
libxpm Fix out of bounds read issue [CVE-2026-4367]
linuxcnc Sanitize module names
lxml-html-clean Fix filter bypass issue [CVE-2026-28348]; fix tag injection issue [CVE-2026-28350]
mariadb New upstream stable release; fix code execution issues [CVE-2026-44168 CVE-2026-48163 CVE-2026-48165]; fix authorization bypass [CVE-2026-44169]; fix path traversal issue [CVE-2026-44171]; fix SQL injection issue [CVE-2026-44172]; fix incomplete privilege check issue [CVE-2026-44173]; fix Illegal mix of collations error; fix Mroonga hangs on invalid index flag; fix crash in information_schema.table_constraints
mesa Fix WebGPU/SPIR-V allocation handling [CVE-2026-40393]
miniupnpd Fix integer underflow issue [CVE-2026-5720]
modsecurity Prevent denial of service in hexDecode handling [CVE-2026-30923]; prevent denial of service in SSN/CPF/SVNR verification [CVE-2026-42268]
mutt Fix buffer truncation issues [CVE-2026-43859 CVE-2026-43860 CVE-2026-43861]; fix mishandling of imap_auth_gss security level [CVE-2026-43862]; fix denial of service issue [CVE-2026-43863]; fix NULL pointer dereference issue [CVE-2026-43864]
mxml Fix out-of-bounds read [CVE-2026-5037]
nbconvert Fix arbitrary file read/write issues [CVE-2026-39377 CVE-2026-39378]
neutron Fix tagging policy bypass
nss Improve handling of escape sequences in pk11uri_ParseAttributes [CVE-2026-12318]
ojalgo Reduce frequency of built-time test failures
opencc Fix out-of-bounds read issue [CVE-2025-15536]
openslide Fix possible code execution issue [CVE-2026-48977]
php-guzzlehttp-psr7 Fix Host authority validation [CVE-2026-48998]; reject control characters in URI hosts [CVE-2026-49214]; harden ServerRequest globals handling; normalise global header values; encode literal plus signs in query helpers
php-league-csv Fix build time test with PHP >=8.4.14
php-twig Security update
pillow Followup fix for CVE-2026-42310
poco Fix segmentation fault [CVE-2025-6375]
poetry Fix arbitrary file write issue [CVE-2026-34591]
poppler Fix invalid signature creation issue
postfix New upstream stable release; fix denial of service issue [CVE-2026-43964]; keep daemon running during upgrades
protobuf Fix parser recursion limits [CVE-2024-7254 CVE-2025-4565 CVE-2026-0994 CVE-2026-6409]
psd-tools Fix denial of service issue [CVE-2026-27809]
pupnp Fix SSRF port confusion issue [CVE-2026-41682]
pymdown-extensions Fix regular expression-based denial of service issue [CVE-2025-68142]
pyopenssl Fix handling of exceptions and connection cancelling [CVE-2026-27448]; fix buffer overflow in DTLS cookie callback [CVE-2026-27459]
pytest-httpbin Disable unreliable build-time test
python-daphne Fix denial of service issue [CVE-2026-44545]; fix header injection issue [CVE-2026-44546]
python-django Update test suite following changes in python3.13
python-dynaconf Fix Server-Side Template Injection issue [CVE-2026-33154]
python-grpc-tools Fix TypeError in command.build_package_protos
python-handy-archives Fix end of central diretory locator for Zip64
python-idna Fix denial of service issue [CVE-2026-45409]
python-iniparse Fix race condition in build-time tests
python-jwcrypto Fix denial of service issue [CVE-2026-39373]
python-markdown Adapt to changes in Python's html.parser module
python-marshmallow Fix denial of service issue [CVE-2025-68480]
python-memray Fix cross-site scripting issue [CVE-2026-32722]
python-virtualenv Fix time-of-check / time-of-use issues [CVE-2026-22702]
python-webob Fix open redirect issue [CVE-2026-44889]
python-xmltodict Fix XML injection issue [CVE-2025-9375]
python3.13 Fix a crash in SNI callback when the SSL object is gone; fix reference leaks in ssl.SSLContext objects; avoid garbage collecting objects too early when sharing __dict__; fix CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host [CVE-2026-1502]; fix denial of service issues [CVE-2026-3276 CVE-2026-9669]; fix insufficient escaping issue [CVE-2026-6019]; fix path traversal issue [CVE-2026-7774]; fix server-side request forgery issue [CVE-2026-8328]
qemu New upstream stable release; security fixes [CVE-2024-6519 CVE-2026-2243 CVE-2026-3195 CVE-2026-3196 CVE-2026-3842 CVE-2026-3886 CVE-2026-3890 CVE-2026-41435 CVE-2026-41436 CVE-2026-41437 CVE-2026-41438 CVE-2026-41439 CVE-2026-41440 CVE-2026-5744 CVE-2026-5761 CVE-2026-5763 CVE-2026-6502 CVE-2026-8341 CVE-2026-48002 CVE-2026-48003 CVE-2026-48004 CVE-2026-48914 CVE-2026-48915 CVE-2026-6425 CVE-2026-8343]
qtmir Fix Lomiri rendering, scaling, focus handling, and session crash issues; correct stale window and dead surface cleanup; ensure Xwayland applications inherit DISPLAY; improve Asahi Linux rendering provider selection
rauc Fix improper signing of large bundles [CVE-2026-34155]
resource-agents Fix syntax error
rhino Fix denial of service issue [CVE-2025-66453]
rlottie Fix out-of-bounds read issue [CVE-2026-10305]; fix denial of service issues [CVE-2026-47319 CVE-2026-47320]
rsync Reject excessively long HTTP proxy response lines [CVE-2026-45232]
rtl-433 Fix buffer overflow issue [CVE-2025-34450]
ruby-css-parser Fix validation of HTTPS certificates for remote CSS [CVE-2026-44312]
rust-time Fix denial of service [CVE-2026-25727]
samba New upstream stable release
shim New upstream release; build with default gcc; set SBAT revocation level to 2025021800
shim-helpers-amd64-signed Update to shim 16.1-2~deb13u1
shim-helpers-arm64-signed Update to shim 16.1-2~deb13u1
shim-signed Ensure Secure Boot compatibility with 2023 Microsoft UEFI CA; check for likely boot issues before installation; combine and verify multiple shim signatures; update signed shim binaries
skanpage Fix data leakage issue [CVE-2025-55174]
smartdns Fix buffer overflow issue [CVE-2026-1425]
squirrel3 Fix sandbox escape [CVE-2021-41556]
sshfs-fuse Add contain_symlinks option to prevent symlink escape attacks [CVE-2026-47187]; reject hostname option injection via bracketed mount source [CVE-2026-48711]
starman Fix request smuggling issue [CVE-2026-40560]
symfony Security update
tigervnc Prevent other users reading x0vncserver screen [CVE-2026-34352]
user-mode-linux Rebuild with updated linux
vitrage Fix remote code execution vulnerability [CVE-2026-28370]
wireless-regdb New upstream stable release; update regulatory information for several countries
wireshark New upstream stable release; fix denial of service issue [CVE-2026-9759]
xz-utils Fix buffer overflow issue [CVE-2026-34743]

Säkerhetsuppdateringar

Denna revision lägger till följande säkerhetsuppdateringar till den stabila utgåvan. Säkerhetsgruppen har redan släppt bulletiner för alla dessa uppdateringar:

Bulletin-ID Paket
DSA-6250 chromium
DSA-6256 php8.4
DSA-6266 nghttp2
DSA-6267 thunderbird
DSA-6268 ffmpeg
DSA-6270 postgresql-17
DSA-6271 gsasl
DSA-6273 chromium
DSA-6274 linux-signed-amd64
DSA-6274 linux-signed-arm64
DSA-6274 linux
DSA-6277 openjpeg2
DSA-6278 nginx
DSA-6279 redis
DSA-6280 netatalk
DSA-6281 gnutls28
DSA-6282 rsync
DSA-6283 firefox-esr
DSA-6284 pdns
DSA-6285 bind9
DSA-6286 evince
DSA-6287 chromium
DSA-6288 thunderbird
DSA-6289 openvpn
DSA-6290 nss
DSA-6291 haproxy
DSA-6292 haveged
DSA-6293 krb5
DSA-6294 libgcrypt20
DSA-6295 linux-signed-amd64
DSA-6295 linux-signed-arm64
DSA-6295 linux
DSA-6296 spip
DSA-6297 samba
DSA-6298 imagemagick
DSA-6299 kdenlive
DSA-6300 node-shell-quote
DSA-6301 roundcube
DSA-6302 starlette
DSA-6303 varnish
DSA-6304 unbound
DSA-6305 linux-signed-amd64
DSA-6305 linux-signed-arm64
DSA-6305 linux
DSA-6307 kitty
DSA-6308 nagios4
DSA-6309 exim4
DSA-6311 php-twig
DSA-6312 symfony
DSA-6313 dovecot
DSA-6314 swift
DSA-6315 cyborg
DSA-6316 chromium
DSA-6318 gst-plugins-good1.0
DSA-6319 yelp
DSA-6321 ceph
DSA-6322 frr
DSA-6323 apache2
DSA-6324 request-tracker5
DSA-6325 chromium
DSA-6326 nginx
DSA-6328 tomcat10
DSA-6329 tomcat11
DSA-6330 strongswan
DSA-6331 keystone
DSA-6332 okular
DSA-6333 mistral
DSA-6334 poppler
DSA-6335 openssl
DSA-6336 jackson-core
DSA-6336 jackson-databind
DSA-6336 jackson-dataformat-smile
DSA-6337 chromium
DSA-6338 libdbi-perl
DSA-6339 libinput
DSA-6340 neutron
DSA-6341 ironic
DSA-6341 python-oslo.messaging
DSA-6342 jpeg-xl
DSA-6343 librabbitmq
DSA-6344 chromium
DSA-6345 libgd-perl
DSA-6346 libreoffice
DSA-6347 bird2
DSA-6348 gsasl
DSA-6349 atril
DSA-6350 firefox-esr
DSA-6351 thunderbird
DSA-6352 chromium
DSA-6353 gst-libav1.0
DSA-6354 libconfig-inifiles-perl
DSA-6355 linux-signed-amd64
DSA-6355 linux-signed-arm64
DSA-6355 linux
DSA-6356 imagemagick
DSA-6357 pillow
DSA-6358 libhttp-daemon-perl
DSA-6359 gst-plugins-good1.0
DSA-6360 squid
DSA-6361 ffmpeg
DSA-6362 gst-plugins-bad1.0
DSA-6363 python-urllib3
DSA-6364 chromium
DSA-6365 libssh2
DSA-6366 sogo
DSA-6367 dnsdist
DSA-6368 pdns
DSA-6369 pdns-recursor
DSA-6370 incus
DSA-6371 xorg-server
DSA-6372 tor
DSA-6373 lxd
DSA-6374 nginx
DSA-6375 fastnetmon
DSA-6376 openvpn
DSA-6377 php8.4
DSA-6379 bird3
DSA-6380 mediawiki

Debianinstalleraren

Installeraren har uppdaterats för att inkludera rättningarna som har inkluderats i den stabila utgåvan med denna punktutgåva.

URLer

Den fullständiga listan på paket som har förändrats i denna revision:

https://deb.debian.org/debian/dists/trixie/ChangeLog

Den aktuella stabila utgåvan:

https://deb.debian.org/debian/dists/stable/

Föreslagna uppdateringar till den stabila utgåvan:

https://deb.debian.org/debian/dists/proposed-updates

Information om den stabila utgåvan (versionsfakta, kända problem osv.):

https://www.debian.org/releases/stable/

Säkerhetsbulletiner och information:

https://www.debian.org/security/

Om Debian

Debianprojektet är en grupp utvecklare av Fri mjukvara som donerar sin tid och kraft för att producera det helt fria operativsystemet Debian.

Kontaktinformation

För ytterligare information, vänligen besök Debians webbplats på https://www.debian.org/, skicka e-post till <press@debian.org>, eller kontakta gruppen för stabila utgåvor på <debian-release@lists.debian.org>.