There are 136 open security issues in trixie.
There are 100 open security issues in sid.
There are 1278 open security issues in bullseye.
There are 500 open security issues in bookworm.
You can find information about how to handle these issues in the security team's documentation.
There are 636 open security issues in buster.
commit 5793cdbfeb743605f038060d2f6ede97c0f27f7e Merge: 0b2447fa1 eb756b0ee Author: Ben Hutchings <benh@debian.org> Date: Thu May 8 02:10:38 2025 +0000 Merge branch 'sh4-updates' into 'debian/latest' Fix sh4 build and disable broken flavour See merge request kernel-team/linux!1489 commit eb756b0ee1bb2a8e2e4fe05e92e1202e537da6c2 Author: Ben Hutchings <benh@debian.org> Date: Fri May 2 20:43:26 2025 +0200 [sh4] Enable KERNEL_GZIP instead of KERNEL_XZ The current sh4 buildds have limited memory, and since upstream commit 8653c9099227 "xz: use 128 MiB dictionary and force single-threaded mode" xz tries and fails to allocate 1346 MiB for compression. Switch to gzip compresion, which has much lower memory requirements. Closes: #1104080 commit 31c8d8856f583744591ded1851af2200b5123f1e Author: Ben Hutchings <benh@debian.org> Date: Fri May 2 20:29:20 2025 +0200 [sh4] Disable sh7785lcr flavour which is broken due to size limits The Renesas SH7785 reference board supported by the sh7785lcr flavour has a 4 MiB flash partition for the kernel and no partition for an initramfs. Currently we build a kernel image that requires an initramfs, and is still larger than 4 MiB, making it unusable on the target hardware. This situation will soon be exacerbated because we need to avoid using xz compression on this architecture due to lack of memory on buildds. This is apparently a low priority for sh4 porters, so disable the broken flavour until and unless it can be fixed. commit 0b2447fa19edc90be801f6b3c6ac9d257e3ca917 Merge: fa6bb7d03 1162c04a1 Author: Salvatore Bonaccorso <carnil@debian.org> Date: Wed May 7 20:12:04 2025 +0000 Merge branch 'virtio-console-y' into 'debian/latest' drivers/char/virtio_console: set VIRTIO_CONSOLE=y See merge request kernel-team/linux!1499 commit 1162c04a1aa8d74e65730079fc6227b40553f981 Author: Ross Vandegrift <ross@kallisti.us> Date: Mon May 5 18:50:38 2025 -0700 drivers/char/virtio_console: set VIRTIO_CONSOLE=y This ensures that qemu's virtconsole works regardless of the contents of the initrd. If the module isn't loaded early enough, then the guest console can fail. Rather than leaving it up to initrd contents, setting to y ensures the console will always work. In addition to the bugs in Closes, this has come up in: #689962 and #989181. Closes: #989153, #1041891 commit fa6bb7d032f1e140d6230856d56b332f4c2f661b Merge: 0b230216b e2079fd1a Author: Salvatore Bonaccorso <carnil@debian.org> Date: Tue May 6 18:16:08 2025 +0000 Merge branch 'enable-dm-clone' into 'debian/latest' drivers/md: Enable DM_CLONE as module See merge request kernel-team/linux!1498 commit e2079fd1a4f3aee8a6824525a64c38f4692e7929 Author: Salvatore Bonaccorso <carnil@debian.org> Date: Tue May 6 18:34:33 2025 +0200 drivers/md: Enable DM_CLONE as module Closes: #948782 commit 0b230216be7c53ebd6ab510ed987d6d6cb4aecd2 Merge: 6cac48381 ff88b7b8f Author: Salvatore Bonaccorso <carnil@debian.org> Date: Sat May 3 13:18:48 2025 +0000 Merge branch 'enable-uclamp-task' into 'debian/latest' init: Enable UCLAMP_TASK and UCLAMP_TASK_GROUP (Utilization clamping) See merge request kernel-team/linux!1492 commit ff88b7b8fb87fe2618926cf69f5ca066428b3456 Author: Salvatore Bonaccorso <carnil@debian.org> Date: Fri May 2 23:34:24 2025 +0200 init: Enable UCLAMP_TASK and UCLAMP_TASK_GROUP (Utilization clamping) Closes: #1036666 commit 6cac483810c5ea4504755f027b7ea3abc8761a76 Merge: 2e158f264 3cdb20cf9 Author: Ben Hutchings <benh@debian.org> Date: Fri May 2 22:42:30 2025 +0200 Merge branch 'enable-ipv6-rpl-lwtunnel' into debian/latest net/ipv6: Enable IPV6_RPL_LWTUNNEL See merge request kernel-team/linux!1488 commit 2e158f26477b56ff16f44476f2bf418e9c13fcfa Merge: 1cc75b331 fb9e9b441 Author: Ben Hutchings <benh@debian.org> Date: Fri May 2 22:32:25 2025 +0200 Merge branch 'lintian-fixes' into debian/latest Fix various lintian errors and warnings See merge request kernel-team/linux!1466 commit 1cc75b331a54f108f3d724f6a1f32ab4d96083d3 Merge: dfcae3513 4d26a01f3 Author: Ben Hutchings <benh@debian.org> Date: Fri May 2 22:24:47 2025 +0200 Merge branch 'udeb-mtk-cmdq-mailbox' into debian/latest [arm64] udeb: Add mtk-cmdq-mailbox to kernel-image See merge request kernel-team/linux!1471 commit 3cdb20cf91dae7d41cbabd66bc84b17577285994 Author: Salvatore Bonaccorso <carnil@debian.org> Date: Fri May 2 17:50:44 2025 +0200 net/ipv6: Enable IPV6_RPL_LWTUNNEL Closes: #1027861 commit fb9e9b44141a5e091c2d03a718945842583bd203 Author: Ben Hutchings <benh@debian.org> Date: Sun Apr 20 16:08:09 2025 +0200 linux-doc: Use dh_sphinxdoc to replace embedded Javascript Sphinx copies some static Javascript into the output directory, which is against Debian policy. We also don't have a Built-Using reference to the Sphinx packages. Use dh_sphinxdoc to replace the copies with symlinks, and add the required Depends and Built-Using fields to the linux-doc control template. Fixes lintian warnings: W: linux-doc-6.13: embedded-javascript-library please use sphinx [usr/share/doc/linux-doc-6.13/html/_static/doctools.js] W: linux-doc-6.13: embedded-javascript-library please use sphinx [usr/share/doc/linux-doc-6.13/html/_static/language_data.js] W: linux-doc-6.13: embedded-javascript-library please use sphinx [usr/share/doc/linux-doc-6.13/html/_static/searchtools.js] commit bcb3760467ba20c3bd76a171b8469448a3ec9405 Author: Ben Hutchings <benh@debian.org> Date: Sat Apr 19 03:57:50 2025 +0200 d/rules.real: Exclude vDSOs from processing by dh_makeshlibs On architectures where we install vDSOs in linux-image-dbg packages, dh_makeshlibs is wrongly detecting these as shared libraries that should trigger an ldconfig run. Exclude them by adding the option -Xvdso. Fixes lintian warnings like: W: linux-image-6.13-amd64-dbg: package-has-unnecessary-activation-of-ldconfig-trigger commit 3c5b464d53c22874275f17a95ecbfdf40dfbc66b Author: Ben Hutchings <benh@debian.org> Date: Sat Apr 19 03:14:35 2025 +0200 d/copyright: Replace old FSF addresses with current GNU license URL We still refer to a snail mail address in the GPL-2 paragraph to get a copy of the full license. Replace this with the current GNU licenses URL. In the LGPL-2.1 paragraph we already made this change but using the insecure http URL scheme. Change it to https. Fixes lintian warnings like: W: bpftool: old-fsf-address-in-copyright-file commit 693916b11cdf7ae84ba52f320ba333ca01bcdb2a Author: Ben Hutchings <benh@debian.org> Date: Sat Apr 19 00:57:01 2025 +0200 [amd64] linux-image-cloud-amd64-dbg: lintian: Drop overrides for vdsox32.so CONFIG_X86_X32_ABI is not enabled in the cloud-amd64 flavour so we don't build vdsox32.so. Change the condition for the lintian overrides on vdsox32.ko to exclude this flavour. commit 68848a0cb4d4fba8d342d86e7a027d9216278084 Author: Ben Hutchings <benh@debian.org> Date: Fri Apr 18 23:31:50 2025 +0200 linux-image-dbg: lintian: Drop mismatched override for ... ... wrong-section-according-to-package-name. This was downgraded from warning to informational in lintian 2.5.69, and at some point the context generated for it changed format so our override doesn't match, producing warnings. I don't think it's worth overriding informational tags, so just remove the overide. commit 608d24d6c2272422abed70dafc027dfc5d6f5447 Author: Ben Hutchings <benh@debian.org> Date: Fri Apr 18 23:21:31 2025 +0200 linux-source: Suggest pkgconf, not the obsolete pkg-config Fixes lintian warning: W: linux-source-6.13 depends-on-obsolete-package Suggests: pkg-config => pkgconf commit beda9cda045179ffa7a3d8aee967fdc613982318 Author: Ben Hutchings <benh@debian.org> Date: Fri Apr 18 23:12:31 2025 +0200 [ppc64*] linux-image: Fix version in NEWS entry There was no version 6.10-1~exp2, as specified in the NEWS entry for these architectures. The changes documented here were released in version 6.10.1-1~exp1, so specify that version instead. Fixes lintian warnings like: W: linux-image-6.13-powerpc64le: debian-news-entry-has-unknown-version 6.10-1~exp2 [usr/share/doc/linux-image-6.13-powerpc64le/NEWS.Debian.gz:1] commit 107adf8c1a47c2dc8078821c0adaa27cd8f5edbd Author: Ben Hutchings <benh@debian.org> Date: Fri Apr 18 23:07:53 2025 +0200 [arm64] linux-perf: Override statically-linked-binary for asm_pure_loop This is a test program that does not link any libraries, either statically or dynamically. commit 44ac5fa729678beba9ccb6e3f44b7a0bb6cee4c3 Author: Ben Hutchings <benh@debian.org> Date: Fri Apr 18 23:06:14 2025 +0200 [riscv64] linux-image-dbg: lintian: Override shared-library-lacks-stack-section ... for vdso.so, the same as we do for several other architectures. commit 4f8ecdbb2d8b06f5b8458d95666c270c9553e7aa Author: Ben Hutchings <benh@debian.org> Date: Fri Apr 18 23:05:20 2025 +0200 linux-headers: lintian: Override another error and warning for vmlinux This 'executable' file intentionally contains only BTF sections. Override the shared-library-lacks-prerequisites warning and unstripped-binary-or-object error, and add a comment about why this file is special. commit 4d26a01f33f3d10cc37a0ada673e2c97b2394acc Author: Alper Nebi Yasak <alpernebiyasak@gmail.com> Date: Wed Apr 23 10:46:36 2025 +0300 [arm64] udeb: Add mtk-cmdq-mailbox to kernel-image The mtk-cmdq-helper driver included in the kernel-image udeb as an SoC driver used to explicitly depend on mtk-cmdq-mailbox which means the latter was also included in kernel-image. This dependency is somehow missing in v6.14, so the latter module ends up being dropped from the udeb. However, missing this module either breaks or at least degrades display initialization, so there is an implicit dependency. Since the mtk-cmdq-mailbox module is already in kernel-image on v6.12 builds, explicitly list it in that module list to fix display on the installer. Signed-off-by: Alper Nebi Yasak <alpernebiyasak@gmail.com>
Among the 78 debian patches available in version 6.12.27-1 of the package, we noticed the following issues: