Debian -- News -- Updated Debian 13: 13.5 released
Updated Debian 13: 13.5 released
May 16th, 2026
The Debian project is pleased to announce the fifth update of its stable distribution Debian 13 (codename trixie). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 13 but only updates some of the packages included. There is no need to throw away old trixie media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
https://www.debian.org/mirror/list
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
| Package | Reason |
|---|---|
| 389-ds-base | Fix heap overflow issue [CVE-2025-14905] |
| 7zip | Relax Breaks / Replaces versions to ease upgrades from bookworm |
| apache2 | New upstream stable release; fix use-after-free issue [CVE-2026-23918]; fix privilege escalation issue [CVE-2026-24072]; fix NULL pointer dereference issues [CVE-2026-29169 CVE-2026-33007]; fix authentication bypass issue [CVE-2026-33006]; fix HTTP response splitting issue [CVE-2026-33523]; fix out-of-bounds read issues [CVE-2026-33857 CVE-2026-34032]; fix buffer over-read issue [CVE-2026-34059] |
| awstats | Prevent command injection [CVE-2025-63261] |
| base-files | Update for the point release |
| bash | Rebuild with updated glibc |
| beads | Rebuild with updated cimg |
| bepasty | Fix loading pygments CSS |
| bglibs | Rebuild with updated glibc |
| bird2 | ASPA: Fix downstream validation; BGP: Fix restart behavior on reconfiguration; filters: Fix string attributes; logging: Fix error handling |
| black | Fix arbitrary file write issue [CVE-2026-32274] |
| bubblewrap | Fix privilege escalation issue [CVE-2026-41163] |
| busybox | Rebuild with updated glibc |
| calibre | Fix path traversal issues [CVE-2026-25635 CVE-2026-25636 CVE-2026-26064 CVE-2026-26065]; fix code execution issue [CVE-2026-25731]; fix HTTP response header injection issue [CVE-2026-27810]; fix IP ban bypass issue [CVE-2026-27824] |
| catatonit | Rebuild with updated glibc |
| cdebootstrap | Rebuild with updated glibc |
| chkrootkit | Rebuild with updated glibc |
| cimg | Fix overflow issue [CVE-2026-42144]; fix out of memory issue with crafted files [CVE-2026-42146] |
| cockpit | Fix code execution issue [CVE-2026-4631] |
| composer | Fix command injection issues [CVE-2026-40261 CVE-2026-40176] |
| condor | Rebuild with updated glibc |
| curl | Fix server certificate verification issue [CVE-2025-13034] |
| dar | Rebuild with updated glibc, libcap2, openssl |
| debian-installer | Bump linux ABI to 6.12.86+deb13 |
| debian-installer-netboot-images | Rebuild against proposed-updates |
| debmirror | Add debmirror-specific User-Agent header |
| distribution-gpg-keys | Update included keys |
| distro-info-data | Add Ubuntu 26.10 Stonking Stingray |
| distrobuilder | Rebuild with updated incus |
| docker.io | Rebuild with updated glibc |
| dovecot | Fix memory leak in CVE-2026-27857 fix |
| e2fsprogs | Rebuild with updated glibc |
| efibootguard | Rebuild against gnu-efi with #1086705 fixed |
| ejabberd | Ignore certificate purpose for incoming s2s connections |
| ejabberd-contrib | Rebuild with updated ejabberd |
| epics-base | Skip failing build-time test |
| erlang | Fix path traversal issues [CVE-2026-21620 CVE-2026-23942]; fix HTTP request smuggling issue [CVE-2026-23941]; fix denial of service issue [CVE-2026-23943] |
| erlang-p1-tls | Accept client certificates without sslpurpose flag |
| exim4 | Fix GnuTLS hostname verify of a server certificate with a zero-length Subject; fix denial of service issue [CVE-2026-40684]; fix out-of-bounds read/write issues [CVE-2026-40685 CVE-2026-40686 CVE-2026-40687] |
| feed2toot | Ensure compatibility with Python 3.13 |
| firewalld | Prevent local users from being able to modify runtime firewall state without prior authentication if the desktop policy is active [CVE-2026-4948] |
| freerdp3 | Fix issues with large certificates; fix clipboard paste issue; fix segmentation fault issue [CVE-2025-4478]; fix use-after-free issues [CVE-2026-22851 CVE-2026-22856 CVE-2026-22857 CVE-2026-23883 CVE-2026-23884 CVE-2026-24491 CVE-2026-24675 CVE-2026-24676 CVE-2026-24678 CVE-2026-24680 CVE-2026-24681 CVE-2026-24683 CVE-2026-24684 CVE-2026-25952 CVE-2026-25953 CVE-2026-25954 CVE-2026-25955 CVE-2026-25959 CVE-2026-25997 CVE-2026-26986]; fix buffer overflow issues [CVE-2026-22852 CVE-2026-22853 CVE-2026-22854 CVE-2026-23530... |