{"id":247801,"date":"2026-05-17T18:03:00","date_gmt":"2026-05-17T22:03:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/17\/debian-13-5-point-release-lands-with-security-fixes-bug-patches\/"},"modified":"2026-05-17T18:15:08","modified_gmt":"2026-05-17T22:15:08","slug":"debian-13-5-point-release-lands-with-security-fixes-bug-patches","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/17\/debian-13-5-point-release-lands-with-security-fixes-bug-patches\/","title":{"rendered":"Debian 13.5 point release lands with security fixes, bug patches"},"content":{"rendered":"<p><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/18\/debian-13-5-released\/\">Debian 13.5 point release lands with security fixes, bug patches<\/a><\/p>\n<p><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/18\/debian-13-5-released\/\">https:\/\/www.helpnetsecurity.com\/2026\/05\/18\/debian-13-5-released\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-17 18:03:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.helpnetsecurity.com\">www.helpnetsecurity.com<\/a><\/p>\n<p>Debian 13.5 is the fifth point release for the stable distribution \u201ctrixie.\u201d The update folds in roughly 100 Debian Security Advisories and corrections for more than 130 source packages, covering everything from the Linux kernel and Apache HTTP Server to OpenSSH, sudo, systemd, OpenSSL, glibc, and FreeRDP. Fresh installer images carrying the same fixes will follow at the regular download locations.<\/p>\n<\/p>\n<p>Sysadmins running trixie do not need to reinstall. Existing media remain valid, and machines already pulling from security.debian.org will find that most of the patches in 13.5 are already on disk.<\/p>\n<p>The headline items include a new Apache upstream release that closes an authentication bypass and a use-after-free flaw, a privilege escalation fix in sudo, an nspawn container escape patch in systemd, multiple OpenSSH corrections affecting scp and key handling, and a sweeping FreeRDP3 update that resolves dozens of CVEs. One package, dav4tbsync, was withdrawn because Thunderbird 140 now covers its functionality.<\/p>\n<h3>Wide range of package corrections<\/h3>\n<p>The miscellaneous bugfix section covers more than a hundred source packages. Apache HTTP Server moves to a new upstream stable release that addresses a use-after-free flaw (CVE-2026-23918), a privilege escalation issue (CVE-2026-24072), an authentication bypass (CVE-2026-33006), HTTP response splitting (CVE-2026-33523), and several out-of-bounds read and NULL pointer dereference conditions.<\/p>\n<p>OpenSSH receives corrections covering scp behavior around setuid and setgid bits (CVE-2026-35385), a command execution flaw (CVE-2026-35386), incomplete enforcement of PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms for ECDSA keys (CVE-2026-35387), connection multiplexing handling in proxy mode (CVE-2026-35388), and the authorized_keys \u201cprincipals\u201d option (CVE-2026-35414).<\/p>\n<p>Sudo gains a fix for a privilege escalation flaw (CVE-2026-35535). Systemd moves to a new upstream stable release and addresses an nspawn container&#8230;<\/p>\n<p><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/18\/debian-13-5-released\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Debian 13.5 point release lands with security fixes, bug patches https:\/\/www.helpnetsecurity.com\/2026\/05\/18\/debian-13-5-released\/ Publish Date: 2026-05-17 18:03:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":247802,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/img.helpnetsecurity.com\/wp-content\/uploads\/2026\/01\/07123846\/debian-1500.webp","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[90,91,89,71,57],"class_list":["post-247801","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-cve","tag-debian","tag-flaw","tag-linux","tag-security"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/247801"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=247801"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/247801\/revisions"}],"predecessor-version":[{"id":247803,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/247801\/revisions\/247803"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/247802"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=247801"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=247801"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=247801"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}