Debian Backports
Introduction
You are running Debian stable, because you prefer the Debian stable tree. It runs great, there is just one problem: the software is a little bit outdated compared to other distributions. This is where backports come in.
Backports are packages taken from the next Debian release (called
"testing"), adjusted and recompiled for usage on Debian stable. Because the
package is also present in the next Debian release, you can easily upgrade your
stable+backports system once the next Debian release comes out. (In a few
cases, usually for security updates, backports are also created from the Debian
unstable distribution.)
Backports cannot be tested as extensively as Debian stable, and backports
are provided on an as-is basis, with risk of incompatibilities with other
components in Debian stable. Use with care!
It is therefore recommended to only select single backported packages that fit
your needs, and not use all available backports.
Where to start
Users should start at the Instructions page.
Contributors should start at the Contribute page.
If you want to know which packages are available via backports.debian.org, look at the Packages page.
News
Mathias Gibbens uploaded new packages for incus which fixed the
following security problems:
CVE ID : CVE-2026-34178 CVE-2026-34179
Two security issues were discovered in Incus, a system container and
virtual machine manager, which could result in restriction bypass
or privilege escalation.
For the bookworm-backports distribution the problems have been fixed in
version 6.0.4-2+deb13u6~bpo12+1.
Simon McVittie uploaded new packages for flatpak which fixed the
following security problems, the same as in DSA 6207-1:
* CVE-2026-34078, which allowed a Flatpak app to break out of the
sandbox, resulting in code execution in the host context
* CVE-2026-34079, which allowed a Flatpak app to delete arbitrary
files on the host system
* GHSA-2fxp-43j9-pwvc, which allowed a local user to read any file
that is readable by the `_flatpak` system user
* GHSA-89xm-3m96-w3jg, which allowed a local user to interfere with
another local user's ability to cancel an ongoing download
For the bookworm-backports distribution, the problems have been fixed in
version 1.16.6-1~deb13u1~bpo12+1.
Colin Watson uploaded new packages for openssh which fixed the
following security problems:
CVE-2026-3497 (DSA-6204-1)
Jeremy Brown discovered a flaw in the GSSAPI Key Exchange patch
applied in Debian to OpenSSH, an implementation of the SSH
protocol suite, affecting non-default configurations with the
GSSAPIKeyExchange setting enabled. A remote attacker can take
advantage of this flaw to cause a denial of service, or
potentially the execution of arbitrary code.
For the trixie-backports distribution, the problem has been fixed in
version 1:10.2p1-6~bpo13+1.
Mathias Gibbens uploaded new packages for incus which fixed the
following security problems:
CVE ID : CVE-2026-28384 CVE-2026-33542 CVE-2026-33743 CVE-2026-33897
Multiple security issues were discovered in Incus, a system container
and virtual machine manager, which could result in denial of service
or the execution of arbitrary commands.
For the bookworm-backports distribution the problems have been fixed in
version 6.0.4-2+deb13u5~bpo12+1.
Mathias Gibbens uploaded new packages for incus which fixed the following
security problems:
CVE ID : CVE-2026-23953 CVE-2026-23954
Two security issues were discovered in Incus, a system container and
virtual machine manager, which could result in the execution of
arbitrary commands via malformed images.
For the bookworm-backports distribution the problems have been fixed in
version 6.0.4-2+deb13u4~bpo12+1.
Throw away binaries for uploads to BACKPORTS-NEW
Hi all,
Thanks to the initiative of Jochen Sprickerhof, the ftp-masters have merged a
change to the Debian configuration of DAK that will enable a feature to throw
away binaries after processing of the BACKPORTS-NEW queue [1]. The benefit is
that all binary packages (in main) will get built by the Debian buildds before
we distribute them within the archive. Packages in contrib, non-free and
non-free-firmware will not benefit from this change for technical reasons (see [2]
for a more detailed explanation).
Please reach out to me if details are still not clear after reading the wiki.
Enjoy,
Micha
[1] https://salsa.debian.org/ftp-team/dak/-/merge_requests/300
[2] https://wiki.debian.org/ThrowAwayNewBinaries
Mathias Gibbens uploaded new packages for incus which fixed the following
security problems:
CVE ID : CVE-2025-64507
It was discovered that Incus, a system container and virtual machine
manager, is prone to a local privilege escalation vulnerability if
unprivileged users are allowed access to Incus through incus-user.
For the bookworm-backports distribution the problems have been fixed in
version 6.0.4-2+deb13u2~bpo12+1.
Mathias Gibbens uploaded new packages for incus which fixed the following
security problems:
CVE ID : CVE-2025-54286 CVE-2025-54287 CVE-2025-54288
CVE-2025-54289 CVE-2025-54290 CVE-2025-54291
CVE-2025-54293
Multiple security issues were discovered in Incus, a system container
and virtual machine manager, which could result in file disclosure,
information disclosure, privilege escalation or cross-site request
forgery.
For the bookworm-backports distribution the problems have been fixed in
version 6.0.4-2+deb13u1~bpo12+1.
trixie-backports and bookworm-backports-sloppy open for uploads
Now after Debian trixie got released, we are pleased to announce that
trixie-backports and bookworm-backports-sloppy are now open for uploads.
Please ensure to follow the rules of those distributions. In short, uploads to
these two distributions need to be available in forky (a.k.a. testing).
Thanks
Thanks have to go out to all people making backports possible, and that
includes up front the backporters themselves who prepare the backports and
upload the packages, track and update them on a regular basis. Also a big
thanks goes to the buildd team making the autobuilding possible and the ftp
masters for creating the suites in the first place.
Thanks
Alex, Rhonda, Micha - backports ftpmasters
[1] https://backports.debian.org/Contribute/
Colin Watson uploaded new packages for python-django which fixed the
following security problems:
CVE-2025-32873
Denial-of-service possibility in strip_tags().
django.utils.html.strip_tags() would be slow to evaluate certain
inputs containing large sequences of incomplete HTML tags. This
function is used to implement the striptags template filter,
which was therefore also vulnerable. strip_tags() now raises a
SuspiciousOperation exception if it encounters an unusually
large number of unclosed opening tags.
For the bookworm-backports distribution the problem has been fixed
in version 3:4.2.21-1~bpo12+1.
Last edited Wed Mar 27 09:13:11 2013 from https://salsa.debian.org/backports-team/backports-website