Debian -- News -- Updated Debian 12: 12.15 released
Skip Quicknav
Blog
Micronews
Planet
Wiki
Latest News<br>/ News from 2026<br>News -- Updated Debian 12: 12.15 released
Updated Debian 12: 12.15 released
July 11th, 2026
The Debian project is pleased to announce the fifteenth and final update of its<br>oldstable distribution Debian 12 (codename bookworm).<br>This point release mainly adds corrections for security issues,<br>along with a few adjustments for serious problems. Security advisories<br>have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian<br>12 but only updates some of the packages included. There is<br>no need to throw away old bookworm media. After installation,<br>packages can be upgraded to the current versions using an up-to-date Debian<br>mirror.
Those who frequently install updates from security.debian.org won't have<br>to update many packages, and most such updates are<br>included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by<br>pointing the package management system at one of Debian's many HTTP mirrors.<br>A comprehensive list of mirrors is available at:
https://www.debian.org/mirror/list
Noteworthy updates
fwupd and Secure Boot CA expiry
fwupd has been updated to upstream version 2.0.20, which has the ability<br>to update the Secure Boot certificate authority (CA), Key Exchange Key (KEK)<br>and revocation (DBX) databases.
The 2013 UEFI Secure Boot CA installed by default on most PCs and<br>used to sign bootloaders has now expired. Future updates to shim-signed<br>could therefore lead to systems being unable to boot with Secure Boot enabled.
Users are strongly advised to apply CA, KEK and DBX updates<br>from their system OEM in line with the following guidance:
https://wiki.debian.org/SecureBoot/CAChanges#What_should_I_do.3F
geoip-database reverted
For licensing reasons geoip-database has been reverted to a version<br>dated approximately December 2019. As a result, applications using this database<br>might use out-of-date allocation information.
More recent versions of geoip-database (GeoLite)<br>are not compatible with the Debian Free Software Guidelines and cannot be<br>distributed.
Consumers of this data are strongly encouraged to obtain a GeoLite license<br>directly and cease reliance on the geoip-database package.
End of Debian support for bookworm
This update marks the end of Debian Release Team, Debian Security Team<br>and Debian Backports support for version 12. Ongoing support for some<br>architectures will be provided by the Debian Long Term Support team supported<br>by Freexian. Users are advised to upgrade systems to Debian 13 trixie.
Miscellaneous Bugfixes
This oldstable update adds a few important corrections to the following packages:
Package Reason<br>7zip New upstream stable release; fix buffer overflow issues [CVE-2026-48092 CVE-2026-48095]; fix memory disclosure issue [CVE-2026-48101]; fix out-of-bounds read issues [CVE-2026-48102 CVE-2026-48103 CVE-2026-48111 CVE-2026-48112]; fix uninitialised memory read issue [CVE-2026-48104]<br>apache2 Fix HTTP/2 request DoS and file handle exhaustion [CVE-2026-49975 CVE-2026-48913]; fix proxy, DAV, LDAP, SSL, XML and header memory/crash issues [CVE-2026-29167 CVE-2026-34355 CVE-2026-34356 CVE-2026-42535 CVE-2026-42536 CVE-2026-43951 CVE-2026-44185]; fix proxy FTP directory listing XSS and backend loop [CVE-2026-29170 CVE-2026-44186]; restrict htaccess expression file access [CVE-2026-44119]; fix regex parsing underflow [CVE-2026-44631]; correct SSI, file-cache, WebDAV DELETE and proxy health-check handling; update documentation and tests<br>appstream Rebuild with updated libxmlb<br>base-files Update for the point release<br>beets Fix XSS vulnerability [CVE-2026-42052]; fix build-time test failures<br>calibre Fix various potential security issues; read resources only from book contents [CVE-2026-33206]; keep extracted files within container dir [CVE-2026-30853]; prevent reading background images from outside the config dir [CVE-2026-33205]<br>cdebootstrap Rebuild with updated xz-utils<br>chrony Ensure if-up/down hook scripts exit successfully<br>cloud-init Fix OpenStack bond initialisation<br>composer Fix support for new GitHub token format [CVE-2026-45793]<br>curl Fix cache poisoning issue [CVE-2025-10148]; fix data leak issues [CVE-2025-14524 CVE-2026-3783]; fix incorrect connection re-use issues [CVE-2025-14819 CVE-2026-3784 CVE-2026-5773 CVE-2026-7168]<br>dar Rebuild with updated libgcrypt20<br>dcmtk Fix NULL pointer dereference issues [CVE-2022-4981 CVE-2025-14841]; fix memory corruption issues [CVE-2025-2357 CVE-2025-9732 CVE-2025-14607]; fix command injection issue [CVE-2026-5663]; fix buffer overflow issues [CVE-2026-10194 CVE-2026-12805]<br>debian-installer Bump linux ABI 6.1.0-50; rebuild for point release<br>debian-installer-netboot-images Rebuild from proposed updates<br>debian-security-support...