Updated Debian 13: 13.4 released

March 14th, 2026

The Debian project is pleased to announce the fourth update of its stable distribution Debian 13 (codename trixie). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 13 but only updates some of the packages included. There is no need to throw away old trixie media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package	Reason
akonadi	Show all folders in kmail
apache2	Fix HTTP/2 regression
arduino-core-avr	New upstream stable release; fix buffer overflow issue [CVE-2025-69209]
asahi-scripts	Fix SD card reader autosuspend
augeas	Fix null pointer dereference issue [CVE-2025-2588]
base-files	Update for the point release
bash	Rebuild with updated glibc
bglibs	Rebuild with updated glibc
bird2	Use Restart=on-abnormal instead of on-abort; RAdv: Fix flags for deprecated prefixes; BMP: Fix crash when exporting a route with non-bgp attributes; ASPA check fix for AS_SET
brltty	Fix taking the VT number from the chosen session
busybox	Rebuild with updated glibc
capstone	New upstream stable release; fix buffer overflow issue [CVE-2025-67873]; fix buffer underflow and overflow issue [CVE-2025-68114]
catatonit	Rebuild with updated glibc
cdebootstrap	Rebuild with updated glibc
chkrootkit	Rebuild with updated glibc
chrony	Open refclock writeable to maintain compatibility with newer kernels
civetweb	Fix denial of service issue [CVE-2025-9648]; fix buffer overflow issue [CVE-2025-55763]
ckb-next	Fix init script installation and initialisation; ensure cryptographic verification of firmware updates
clatd	Fix systemd unit installation; correct NetworkManager dispatcher install path; provide example configuration; ensure obsolete dispatcher script is removed on upgrade
condor	Rebuild with updated glibc
dar	Rebuild with updated glibc and openssl
debian-installer	Increase Linux kernel ABI to 6.12.73+deb13; rebuild against proposed updates
debian-installer-netboot-images	Rebuild against proposed-updates
debian-ports-archive-keyring	Add Debian Ports Archive Automatic Signing Key (2027); move 2025 signing key to the removed keys keyring
debsig-verify	Rebuild with updated dpkg
debvm	Only use the console in nographics mode; use correct variable name; autologin: prefer credentials to monkey patching unit; customize-resolved.sh: explicitly install systemd-resolved
deets	Rebuild with updated dpkg
direwolf	Fix stack buffer overflow [CVE-2025-34457]
distribution-gpg-keys	Update included keys
distrobuilder	Rebuild with updated incus
docker.io	Rebuild with updated glibc
dovecot	Fix possible crash in ldap userdb; fix crash in trash plugin; fix segfault when group ACLs are present but the user has no groups
dpkg	dpkg-query: Fix segfault with empty -S argument; Dpkg::OpenPGP: Do not run verify with no keyrings; Dpkg::Shlibs::Objdump::Object: Add support for Version References symbols; Dpkg::OpenPGP::Backend::GnuPG: Add missing Dpkg::Gettext import; fix denial of service issue [CVE-2026-2219]
e2fsprogs	Rebuild with updated glibc
ejabberd	Remove old apparmor profile file
ejabberd-contrib	Rebuild with updated ejabberd
erlang	Fix excessive resource use issues [CVE-2025-48038 CVE-2025-48039 CVE-2025-48040 CVE-2025-48041]; fix traffic redirection issue [CVE-2016-1000107]
ffmpegfs	Fix incomplete listing of files in output directory
flatpak	New upstream stable release
fluidsynth	Fix null pointer dereference issue [CVE-2025-56225]
fonttools	Fix arbitrary file write issue [CVE-2025-66034]
glibc	Update from upstream stable branch; fix heap corruption issue [CVE-2026-0861]; fix stack contents leak issue [CVE-2026-0915]; fix uninitialized memory use issue [CVE-2025-15281]; switch currency symbol for the bg_BG locale to euro; fix a null pointer dereference in symbol lookup when the symbol version hash is zero; fix various optimized functions
gnome-shell	Revert inadvertently backported change that can cause the Shell UI to not appear on some systems
gnu-efi	Fix build of UEFI binaries for armhf
gnuais	Fix displaying the map in gnuaisgui
gnupg2	Rebuild with updated glibc
gpsd	Fix out-of-bounds write issue [CVE-2025-67268]; fix denial of service issue [CVE-2025-67269]
grub-efi-amd64-signed	Fix ZFS root identification
grub-efi-arm64-signed	Fix ZFS root identification
grub-efi-ia32-signed	Fix ZFS root identification
grub2	Fix ZFS root identification
ifupdown	Fix IPv6 DAD handling in ifup; correct dhclient invocation ordering for IPv6; restore correct executable path detection in ifup scripts
integrit	Rebuild with updated glibc
jaraco.context	Prevent path traversal [CVE-2026-23949]
libcap2	Rebuild with updated glibc
libguestfs	Add dependency on isc-dhcp-client
libpng1.6	Fix heap buffer overflow issues [CVE-2026-22801 CVE-2026-22695]
libsndfile	Fix memory leak issue [CVE-2025-56226]
linux-base	Use compatible hook dir names for headers packages
lxc	Fix data corruption during heavy IO on PTS; update lxc-default-with-nesting apparmor profile; rebuild with updated glibc
mariadb	New upstream stable release; fix arbitrary code execution issue [CVE-2025-13699]; fix denial of service issue [CVE-CVE-2026-21968]; use tmpfiles.d to generate runtime directory; fix upgrades from version 10.4 when encryption is enabled; fix innodb_linux_aio support
mpg123	Do not modify raw ID3v2 data while parsing
node-proxy-agents	Fix path traversal issue [CVE-2026-27699]
open-iscsi	Fix discovery of static nodes
openssh	Fix mistracking of MaxStartups process exits in some situations; fix possible code execution issues [CVE-2025-61984 CVE-2025-61985]
openssl	New upstream stable release
passt	Increase AppArmor ABI version to 4.0 to enable user namespace creation
pcsx2	Fix code execution issue [CVE-2025-49589]
pdudaemon	Add missing dependency on setuputils
phpunit	Fix unsafe deserialization issue [CVE-2026-24765]
plastimatch	Repack to exclude non-free source files
policyd-rate-limit	Fix operation with Python >= 3.12
postgresql-17	New upstream stable release; fix buffer overrun issue [CVE-2026-2006]
python-cryptography	Fix missing validation in EC public key creation [CVE-2026-26007]
python-filelock	Fix TOCTOU symlink handling vulnerability in lock file creation [CVE-2025-68146]
python-multipart	Fix arbitrary file write issue [CVE-2026-24486]
python-os-ken	Accept empty OXM fields
python-pyspnego	Fix deprecation warnings
qemu	New upstream stable release; fix denial of service issues [CVE-2025-14876 CVE-2026-0665]
qtbase-opensource-src	Fix data races; X11: set fallback logical DPI to 96, fixing incorrect calculation
reprepro	Fix incorrect tracking data when copying packages
requests	Fix credential leak issue [CVE-2024-47081]
riseup-vpn	Support additional polkit providers
runit-services	Slim: start in foreground with -n; dbus-dep.fixer: correctly test for existing services definitions, only start dbus services, even with the sysv override
rust-ntp-proto	Fix excessive load issue [CVE-2026-26076]
rust-ntpd	Rebuild with rust-ntp-proto 1.4.0-4+deb13u1 to fix CVE-2026-26076
rust-tealdeer	Update archive URL
samba	New upstream stable release
sash	Rebuild with updated glibc
scilab	Fix build failure
snapd	Rebuild with updated glibc
sqlite3	Prevent integer overflow in FTSS extension [CVE-2025-7709]; add missing build dependency on pkgconf
starlette	Fix denial of service issue [CVE-2025-62727]
sudo	Only enable Intel CET on amd64; fix regression with sudoers.d filenames containing colons
suricata	Fix denial of service issues [CVE-2026-22258 CVE-2026-22259 CVE-2026-22261]; fix stack overflow issue [CVE-2026-22262]; fix heap overflow issue [CVE-2026-22264]
tayga	Fix EAM mapping for host addresses
tini	Rebuild with updated glibc
torsocks	Use correct environment variable; explicitly trigger ldconfig trigger
tripwire	Rebuild with updated glibc
tsocks	Rebuild with updated glibc
tzdata	New upstream release; Moldova has used EU transition times since 2022
uglifyjs	Fix test failure
units	Update URLs to packetizer.com
user-mode-linux	Rebuild with updated linux
wget2	Fix file overwrite issue with metalink [CVE-2025-69194]; fix remote buffer overflow [CVE-2025-69195]
wireless-regdb	New upstream stable release; update regulatory information for several countries
wireshark	New upstream stable release; fix USB HID dissector memory exhaustion [CVE-2026-3201]; fix RF4CE Profile dissector crash [CVE-2026-3203]
xen	New upstream stable release; fix buffer overrun issue [CVE-2025-58150]; fix incomplete vCPU isolation issue [CVE-2026-23553]
zabbix	New upstream stable release; fix data leakage issues [CVE-2025-27231 CVE-2025-27233 CVE-2025-27236 CVE-2025-27238 CVE-2025-49641]; fix denial of service issue [CVE-2025-49643]
zookeeper	Fix build failure by skipping some flaky tests
zsh	Rebuild with updated glibc

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID	Package
DSA-6054	firefox-esr
DSA-6078	firefox-esr
DSA-6093	gimp
DSA-6094	libsodium
DSA-6095	foomuuri
DSA-6096	vlc
DSA-6097	chromium
DSA-6098	net-snmp
DSA-6099	python-parsl
DSA-6100	chromium
DSA-6101	firefox-esr
DSA-6102	python-urllib3
DSA-6103	thunderbird
DSA-6104	python-keystonemiddleware
DSA-6105	modsecurity-crs
DSA-6106	inetutils
DSA-6107	bind9
DSA-6108	chromium
DSA-6109	incus
DSA-6111	imagemagick
DSA-6112	openjdk-21
DSA-6113	openssl
DSA-6114	pyasn1
DSA-6115	gimp
DSA-6116	chromium
DSA-6117	python-django
DSA-6118	thunderbird
DSA-6119	jtreg8
DSA-6119	openjdk-25
DSA-6120	tomcat10
DSA-6121	tomcat11
DSA-6122	chromium
DSA-6123	xrdp
DSA-6124	wireshark
DSA-6125	usbmuxd
DSA-6126	linux-signed-amd64
DSA-6126	linux-signed-arm64
DSA-6126	linux
DSA-6128	shaarli
DSA-6129	munge
DSA-6130	haproxy
DSA-6131	nginx
DSA-6133	postgresql-17
DSA-6134	pdns-recursor
DSA-6135	chromium
DSA-6137	roundcube
DSA-6138	libpng1.6
DSA-6139	gimp
DSA-6140	gnutls28
DSA-6141	linux-signed-amd64
DSA-6141	linux-signed-arm64
DSA-6141	linux
DSA-6142	gegl
DSA-6143	libvpx
DSA-6144	inetutils
DSA-6145	nova
DSA-6146	chromium
DSA-6147	pillow
DSA-6148	firefox-esr
DSA-6149	nss
DSA-6150	python-django
DSA-6151	chromium
DSA-6152	thunderbird
DSA-6153	lxd
DSA-6155	spip
DSA-6156	gimp
DSA-6157	chromium

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

https://deb.debian.org/debian/dists/trixie/ChangeLog

The current stable distribution:

https://deb.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

https://deb.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.