Debian 13.5 is the fifth point release for the stable distribution “trixie.” The update folds in roughly 100 Debian Security Advisories and corrections for more than 130 source packages, covering everything from the Linux kernel and Apache HTTP Server to OpenSSH, sudo, systemd, OpenSSL, glibc, and FreeRDP. Fresh installer images carrying the same fixes will follow at the regular download locations.
Sysadmins running trixie do not need to reinstall. Existing media remain valid, and machines already pulling from security.debian.org will find that most of the patches in 13.5 are already on disk.
The headline items include a new Apache upstream release that closes an authentication bypass and a use-after-free flaw, a privilege escalation fix in sudo, an nspawn container escape patch in systemd, multiple OpenSSH corrections affecting scp and key handling, and a sweeping FreeRDP3 update that resolves dozens of CVEs. One package, dav4tbsync, was withdrawn because Thunderbird 140 now covers its functionality.
Wide range of package corrections
The miscellaneous bugfix section covers more than a hundred source packages. Apache HTTP Server moves to a new upstream stable release that addresses a use-after-free flaw (CVE-2026-23918), a privilege escalation issue (CVE-2026-24072), an authentication bypass (CVE-2026-33006), HTTP response splitting (CVE-2026-33523), and several out-of-bounds read and NULL pointer dereference conditions.
OpenSSH receives corrections covering scp behavior around setuid and setgid bits (CVE-2026-35385), a command execution flaw (CVE-2026-35386), incomplete enforcement of PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms for ECDSA keys (CVE-2026-35387), connection multiplexing handling in proxy mode (CVE-2026-35388), and the authorized_keys “principals” option (CVE-2026-35414).
Sudo gains a fix for a privilege escalation flaw (CVE-2026-35535). Systemd moves to a new upstream stable release and addresses an nspawn container escape (CVE-2026-40226), code execution issues (CVE-2026-40225 and CVE-2026-4105), and a freeze condition (CVE-2026-29111). The glibc package corrects DNS response handling errors tracked as CVE-2026-4437 and CVE-2026-4438, along with an assertion failure (CVE-2026-4046).
FreeRDP3 sees one of the largest single-package updates, with corrections for dozens of CVEs spanning use-after-free conditions, buffer overflows, out-of-bounds reads, and denial of service flaws. The OpenSSL package also moves to a new upstream stable release. Other notable packages receiving security or stability fixes include curl, nginx, rsync, jq, jpeg-xl, libarchive, libcap2, sed, nano, exim4, dovecot, and python3.13.
Security advisories rolled in
The release incorporates roughly one hundred Debian Security Advisories. Among the packages covered are the Linux kernel, Chromium, Firefox ESR, Thunderbird, OpenSSL, OpenSSH, BIND 9, MediaWiki, GIMP, MuPDF, Pillow, Roundcube, Dovecot, Tor, OpenJDK 21, OpenJDK 25, Apache HTTP Server, Wireshark, LibreOffice, Prosody, strongSwan, and several PowerDNS components. Three separate kernel advisories appear in the list, reflecting ongoing Linux maintenance across the trixie cycle.
Installer and infrastructure
The Debian Installer was rebuilt to include the fixes pulled into stable through this point release, including a bump of the Linux ABI to 6.12.86+deb13. Supporting data packages received routine refreshes. The tzdata package picks up an updated time zone database with corrections for British Columbia, and distro-info-data adds an entry for Ubuntu 26.10 “Stonking Stingray.” The libdatetime-timezone-perl package was updated to match the new tzdata.
Administrators can apply the changes by running their normal package management update against any Debian mirror.
