Updated Debian 12: 12.15 released

July 11th, 2026

The Debian project is pleased to announce the fifteenth and final update of its oldstable distribution Debian 12 (codename bookworm). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 12 but only updates some of the packages included. There is no need to throw away old bookworm media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Noteworthy updates

fwupd and Secure Boot CA expiry

fwupd has been updated to upstream version 2.0.20, which has the ability to update the Secure Boot certificate authority (CA), Key Exchange Key (KEK) and revocation (DBX) databases.

The 2013 UEFI Secure Boot CA installed by default on most PCs and used to sign bootloaders has now expired. Future updates to shim-signed could therefore lead to systems being unable to boot with Secure Boot enabled.

Users are strongly advised to apply CA, KEK and DBX updates from their system OEM in line with the following guidance:

https://wiki.debian.org/SecureBoot/CAChanges#What_should_I_do.3F

geoip-database reverted

For licensing reasons geoip-database has been reverted to a version dated approximately December 2019. As a result, applications using this database might use out-of-date allocation information.

More recent versions of geoip-database (GeoLite) are not compatible with the Debian Free Software Guidelines and cannot be distributed.

Consumers of this data are strongly encouraged to obtain a GeoLite license directly and cease reliance on the geoip-database package.

End of Debian support for bookworm

This update marks the end of Debian Release Team, Debian Security Team and Debian Backports support for version 12. Ongoing support for some architectures will be provided by the Debian Long Term Support team supported by Freexian. Users are advised to upgrade systems to Debian 13 trixie.

Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following packages:

Package Reason
7zip New upstream stable release; fix buffer overflow issues [CVE-2026-48092 CVE-2026-48095]; fix memory disclosure issue [CVE-2026-48101]; fix out-of-bounds read issues [CVE-2026-48102 CVE-2026-48103 CVE-2026-48111 CVE-2026-48112]; fix uninitialised memory read issue [CVE-2026-48104]
apache2 Fix HTTP/2 request DoS and file handle exhaustion [CVE-2026-49975 CVE-2026-48913]; fix proxy, DAV, LDAP, SSL, XML and header memory/crash issues [CVE-2026-29167 CVE-2026-34355 CVE-2026-34356 CVE-2026-42535 CVE-2026-42536 CVE-2026-43951 CVE-2026-44185]; fix proxy FTP directory listing XSS and backend loop [CVE-2026-29170 CVE-2026-44186]; restrict htaccess expression file access [CVE-2026-44119]; fix regex parsing underflow [CVE-2026-44631]; correct SSI, file-cache, WebDAV DELETE and proxy health-check handling; update documentation and tests
appstream Rebuild with updated libxmlb
base-files Update for the point release
beets Fix XSS vulnerability [CVE-2026-42052]; fix build-time test failures
calibre Fix various potential security issues; read resources only from book contents [CVE-2026-33206]; keep extracted files within container dir [CVE-2026-30853]; prevent reading background images from outside the config dir [CVE-2026-33205]
cdebootstrap Rebuild with updated xz-utils
chrony Ensure if-up/down hook scripts exit successfully
cloud-init Fix OpenStack bond initialisation
composer Fix support for new GitHub token format [CVE-2026-45793]
curl Fix cache poisoning issue [CVE-2025-10148]; fix data leak issues [CVE-2025-14524 CVE-2026-3783]; fix incorrect connection re-use issues [CVE-2025-14819 CVE-2026-3784 CVE-2026-5773 CVE-2026-7168]
dar Rebuild with updated libgcrypt20
dcmtk Fix NULL pointer dereference issues [CVE-2022-4981 CVE-2025-14841]; fix memory corruption issues [CVE-2025-2357 CVE-2025-9732 CVE-2025-14607]; fix command injection issue [CVE-2026-5663]; fix buffer overflow issues [CVE-2026-10194 CVE-2026-12805]
debian-installer Bump linux ABI 6.1.0-50; rebuild for point release
debian-installer-netboot-images Rebuild from proposed updates
debian-security-support Prepare support limitations ahead of transition to LTS
delve Fix failure to build on 4th generation EYPC processors
dhcpcd5 Fix NULL pointer dereference issue [CVE-2025-70102]; fix out-of-bounds write issue [CVE-2026-56114]
firewalld Fix DBUS policy checking [CVE-2026-4948]
fwupd Rebuild with updated libjcat, libxmlb; add support for updating DBX and KEK stores; rebuild in a clean environment
geoip-database Revert to a DFSG-compatible version
ghdl Rebuild with updated gcc-12
giflib Fix memory corruption issues [CVE-2026-23868 CVE-2026-26740]
gnome-firmware Rebuild with updated libxmlb; backport patch for libfwupd3 compatibility
gnome-software Rebuild with updated libxmlb; backport patch for libfwupd3 compatibility
graphite2 Fix out-of-bounds write [CVE-2026-50593]
gss Fix build failures caused by an expired Kerberos ticket; avoid krb5context self-tests with timebomb
horizon Fix escaping of special characters in project
ironic Fix file disclosure via image sources [CVE-2025-44021]; fix console command injection [CVE-2026-42510]; fix Swift token disclosure [CVE-2026-42997]; fix unsafe template execution [CVE-2026-44916]
keystone Fix behaviour of user_enabled_invert [CVE-2026-40683]; prevent unauthorized EC2 credential creation and deletion [CVE-2026-33551]
libapache-session-browseable-perl Improve entropy of generated session IDs
libbytes-random-secure-perl Fix incorrect usage of seed in PRNG [CVE-2026-11625]
libcaca Prevent undefined behaviour in overflow check [CVE-2026-42046]
libcrypt-pbkdf2-perl Change default hash algorithm to HMAC-SHA256 and default iterations to 600,000 [CVE-2026-9641]; generate salts using Crypt::URandom [CVE-2026-9638]; use a constant-time comparison in `validate` to avoid timing attacks [CVE-2017-20240]
libhtml-gumbo-perl Fix uninitialized memory access [CVE-2025-15646]
libhtml-parser-perl Fix heap-use-after-free in _decode_entities [CVE-2026-8829]
libjcat Add support for ed25519 types and SHA512 hashes
libnet-cidr-lite-perl Fix IP/CIDR parser validation: reject non-ASCII digits and trailing newlines [CVE-2026-55190]; reject zero-padded CIDR masks [CVE-2026-45191]
libreoffice Gracefully handle failure in graphite2
libvncserver Fix buffer overflow and out-of-bounds write [CVE-2026-44988 CVE-2026-50538]
libxml-libxml-perl Fix out-of-bounds read [CVE-2026-8177]
libxml2 Fix catalogue recursion and duplicate-catalog handling [CVE-2025-8732 CVE-2026-0990 CVE-2026-0992]; limit RelaxNG include recursion [CVE-2026-0989]; fix xmllint shell memory leak [CVE-2026-1757]; correct schematron regression-test outputs [CVE-2025-49794 CVE-2025-49796]; fix XML writer and schematron memory leaks; mitigate RelaxNG validation use-after-free; update catalogue and RelaxNG regression tests
libxmlb Add support for zstd decompression; fix XMLb store/truncation validation; correct query binding/index handling; fix XML export and empty text() handling
linuxcnc Sanitize module names
mariadb New upstream stable release; fix code execution issues [CVE-2025-13699 CVE-2026-44168 CVE-2026-48163 CVE-2026-48165 CVE-2026-49261]; fix denial of service issues [CVE-2026-21968 CVE-2026-34303]; fix logging bypass issue [CVE-2026-3494]; fix path traversal issue [CVE-2026-44171]; fix SQL injection issue [CVE-2026-44172]; fix incomplete privilege check issue [CVE-2026-44173]; fix Illegal mix of collations error; fix Mroonga hangs on invalid index flag; fix crash in information_schema.table_constraints
mesa Fix WebGPU/SPIR-V allocation handling [CVE-2026-40393]
modsecurity Prevent denial of service in hexDecode handling [CVE-2026-30923]; prevent denial of service in SSN/CPF/SVNR verification [CVE-2026-42268]
mxml Fix out-of-bounds read [CVE-2026-5037]
node-flatted Fix prototype pollution issue [CVE-2026-33228]
node-jschardet Fix build link references
node-regexpp Add missing link to undici-types
ojalgo Reduce frequency of built-time test failures
openslide Fix possible code execution issue [CVE-2026-48977]
p7zip New upstream stable release; fix buffer overflow issues [CVE-2026-48092 CVE-2026-48095]; fix memory disclosure issue [CVE-2026-48101]; fix out-of-bounds read issues [CVE-2026-48102 CVE-2026-48103 CVE-2026-48111 CVE-2026-48112]; fix uninitialised memory read issue [CVE-2026-48104]
php-guzzlehttp-psr7 Fix Host authority validation [CVE-2026-48998]; reject control characters in URI hosts [CVE-2026-49214]; harden ServerRequest globals handling; normalise global header values; encode literal plus signs in query helpers
phpunit Fix unsafe deserialization in PHPT code coverage handling [CVE-2026-24765]
plasma-discover Backport patch for libfwupd3 compatibility
prometheus Fix date-sensitive build-time test
protobuf Fix parser recursion limits [CVE-2024-7254 CVE-2025-4565 CVE-2026-0994 CVE-2026-6409]
pydantic Fix denial of service in email verification [CVE-2024-3772]
pymatgen Fix denial of service in GaussianInput.from_string [CVE-2022-42964]
python-ase Disable unreliable built-time test
python-django Update test suite following changes in python3.13
python-filelock Fix symlink vulnerabilies [CVE-2025-68146 CVE-2026-22701]
python-markdown Fix parsing of bogus HTML markup [CVE-2025-69534]
python-pyramid Fix information disclosure issue [CVE-2023-40587]
python-xmltodict Fix XML injection issue [CVE-2025-9375]
python3.11 Prevent incorrect tar archive handling [CVE-2025-13462]; ensure bytecode-only imports use normal security checks [CVE-2026-2297]; reject unsafe cookie values [CVE-2026-3644]; prevent XML parser crashes [CVE-2026-4224]; prevent browser command injection [CVE-2026-4519]; prevent bz2/lzma decompressor memory corruption [CVE-2026-6100]; restore XML autopkgtests
qemu Rebuild with updated gnutls28
rhino Fix denial of service issue [CVE-2025-66453]
rlottie Fix out-of-bounds read issue [CVE-2026-10305]; fix denial of service issues [CVE-2026-47319 CVE-2026-47320]
rsync Reject excessively long HTTP proxy response lines [CVE-2026-45232]
ruby-css-parser Fix validation of HTTPS certificates for remote CSS [CVE-2026-44312]
rust-time Fix denial of service [CVE-2026-25727]
science.js Fix build time race condition
sentry-python Fix subprocess environment sanitisation [CVE-2024-40647]
shim New upstream release; build with default gcc; set SBAT revocation level to 2025021800
shim-helpers-amd64-signed Update to shim 16.1-2~deb12u1
shim-helpers-arm64-signed Update to shim 16.1-2~deb12u1
shim-helpers-i386-signed Update to shim 16.1-2~deb12u1
shim-signed Ensure Secure Boot compatibility with 2023 Microsoft UEFI CA; check for likely boot issues before installation; combine and verify multiple shim signatures; update signed shim binaries
sqlite-utils Add dependency on python3-click-default-group
sshfs-fuse Add contain_symlinks option to prevent symlink escape attacks [CVE-2026-47187]; reject hostname option injection via bracketed mount source [CVE-2026-48711]
sylpheed Fix link checking [CVE-2021-37746]
user-mode-linux Rebuild with updated linux
vitrage Fix remote code execution vulnerability [CVE-2026-28370]
wireless-regdb New upstream stable release; update regulatory information for several countries
xz-utils Fix buffer overflow issue [CVE-2026-34743]

Security Updates

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DLA-4627 kernel-wedge
DLA-4628 linux-base
DLA-4632 atril
DLA-4633 libreoffice
DLA-4635 firefox-esr
DLA-4636 thunderbird
DLA-4637 libconfig-inifiles-perl
DLA-4638 libgd-perl
DLA-4639 libhttp-daemon-perl
DLA-4642 u-boot
DLA-4643 imagemagick
DLA-4644 libmatio
DLA-4648 libtext-csv-xs-perl
DLA-4651 python-urllib3
DLA-4654 chromium
DLA-4656 tor
DLA-4657 sogo
DLA-4658 librabbitmq
DLA-4662 jq
DLA-4665 linux-signed-amd64
DLA-4665 linux-signed-arm64
DLA-4665 linux-signed-i386
DLA-4665 linux
DLA-4666 openvpn
DLA-4667 nginx
DLA-4668 sympa
DLA-4669 php8.2
DLA-4672 chromium
DLA-4674 chromium
DSA-6250 chromium
DSA-6266 nghttp2
DSA-6267 thunderbird
DSA-6269 postgresql-15
DSA-6271 gsasl
DSA-6272 nodejs
DSA-6273 chromium
DSA-6275 linux-signed-amd64
DSA-6275 linux-signed-arm64
DSA-6275 linux-signed-i386
DSA-6275 linux
DSA-6276 ffmpeg
DSA-6277 openjpeg2
DSA-6278 nginx
DSA-6279 redis
DSA-6281 gnutls28
DSA-6282 rsync
DSA-6283 firefox-esr
DSA-6285 bind9
DSA-6286 evince
DSA-6287 chromium
DSA-6288 thunderbird
DSA-6289 openvpn
DSA-6292 haveged
DSA-6293 krb5
DSA-6294 libgcrypt20
DSA-6297 samba
DSA-6299 kdenlive
DSA-6300 node-shell-quote
DSA-6301 roundcube
DSA-6302 starlette
DSA-6306 linux-signed-amd64
DSA-6306 linux-signed-arm64
DSA-6306 linux-signed-i386
DSA-6306 linux
DSA-6308 nagios4
DSA-6309 exim4
DSA-6310 imagemagick
DSA-6313 dovecot
DSA-6316 chromium
DSA-6317 php-symfony-contracts
DSA-6317 symfony
DSA-6319 yelp
DSA-6320 php-twig
DSA-6321 ceph
DSA-6322 frr
DSA-6323 apache2
DSA-6324 request-tracker5
DSA-6325 chromium
DSA-6326 nginx
DSA-6327 request-tracker4
DSA-6328 tomcat10
DSA-6330 strongswan
DSA-6331 keystone
DSA-6332 okular
DSA-6333 mistral
DSA-6334 poppler
DSA-6335 openssl
DSA-6336 jackson-core
DSA-6336 jackson-databind
DSA-6336 jackson-dataformat-smile
DSA-6337 chromium
DSA-6338 libdbi-perl
DSA-6339 libinput
DSA-6341 ironic
DSA-6341 python-oslo.messaging
DSA-6344 chromium
DSA-6352 chromium

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
smb4k Unable to continue security support

Debian Installer

The installer has been updated to include the fixes incorporated into oldstable by the point release.

URLs

The complete lists of packages that have changed with this revision:

https://deb.debian.org/debian/dists/bookworm/ChangeLog

The current oldstable distribution:

https://deb.debian.org/debian/dists/oldstable/

Proposed updates to the oldstable distribution:

https://deb.debian.org/debian/dists/oldstable-proposed-updates

oldstable distribution information (release notes, errata etc.):

https://www.debian.org/releases/oldstable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.