Introduction
You are running Debian stable, because you prefer the Debian stable tree. It runs great, there is just one problem: the software is a little bit outdated compared to other distributions. This is where backports come in.
Backports are packages taken from the next Debian release (called "testing"), adjusted and recompiled for usage on Debian stable. Because the package is also present in the next Debian release, you can easily upgrade your stable+backports system once the next Debian release comes out. (In a few cases, usually for security updates, backports are also created from the Debian unstable distribution.)
Backports cannot be tested as extensively as Debian stable, and backports are provided on an as-is basis, with risk of incompatibilities with other components in Debian stable. Use with care!
It is therefore recommended to only select single backported packages that fit your needs, and not use all available backports.
Where to start
- Users should start at the Instructions page.
- Contributors should start at the Contribute page.
- If you want to know which packages are available via backports.debian.org look at the Packages page.
News
Throw away binaries for uploads to BACKPORTS-NEW
Hi all,
Thanks to the initiative of Jochen Sprickerhof, the ftp-masters have merged a change to the Debian configuration of DAK that will enable a feature to throw away binaries after processing of the BACKPORTS-NEW queue [1]. The benefit is that all binary packages (in main) will get built by the Debian buildds before we distribute them within the archive. Packages in contrib, non-free and non-free-firmware will not benefit from this change for technical reasons (see [2] for a more detailed explanation).
Please reach out to me if details are still not clear after reading the wiki.
Enjoy, Micha
[1] https://salsa.debian.org/ftp-team/dak/-/merge_requests/300
[2] https://wiki.debian.org/ThrowAwayNewBinaries
Mathias Gibbens uploaded new packages for incus which fixed the following
security problems:
CVE ID : CVE-2025-64507
It was discovered that Incus, a system container and virtual machine
manager, is prone to a local privilege escalation vulnerability if
unprivileged users are allowed access to Incus through incus-user.
For the bookworm-backports distribution the problems have been fixed in
version 6.0.4-2+deb13u2~bpo12+1.
Mathias Gibbens uploaded new packages for incus which fixed the following
security problems:
CVE ID : CVE-2025-54286 CVE-2025-54287 CVE-2025-54288
CVE-2025-54289 CVE-2025-54290 CVE-2025-54291
CVE-2025-54293
Multiple security issues were discovered in Incus, a system container
and virtual machine manager, which could result in file disclosure,
information disclosure, privilege escalation or cross-site request
forgery.
For the bookworm-backports distribution the problems have been fixed in
version 6.0.4-2+deb13u1~bpo12+1.
trixie-backports and bookworm-backports-sloppy open for uploads
Now after Debian trixie got released, we are pleased to announce that trixie-backports and bookworm-backports-sloppy are now open for uploads. Please ensure to follow the rules of those distributions. In short, uploads to these two distributions need to be available in forky (a.k.a. testing).
Thanks
Thanks have to go out to all people making backports possible, and that includes up front the backporters themselves who prepare the backports and upload the packages, track and update them on a regular basis. Also a big thanks goes to the buildd team making the autobuilding possible and the ftp masters for creating the suites in the first place.
Thanks Alex, Rhonda, Micha - backports ftpmasters
[1] https://backports.debian.org/Contribute/
Colin Watson uploaded new packages for python-django which fixed the
following security problems:
CVE-2025-32873
Denial-of-service possibility in strip_tags().
django.utils.html.strip_tags() would be slow to evaluate certain
inputs containing large sequences of incomplete HTML tags. This
function is used to implement the striptags template filter,
which was therefore also vulnerable. strip_tags() now raises a
SuspiciousOperation exception if it encounters an unusually
large number of unclosed opening tags.
For the bookworm-backports distribution the problem has been fixed
in version 3:4.2.21-1~bpo12+1.
Colin Watson uploaded new packages for python-django which fixed the
following security problems:
CVE-2025-26699
Potential denial-of-service vulnerability in
django.utils.text.wrap(). The wrap() method and wordwrap
template filter were subject to a potential denial-of-service
attack when used with very long strings.
For the bookworm-backports distribution the problem has been fixed
in version 3:4.2.20-1~bpo12+1.
Colin Watson uploaded new packages for python-django which fixed the
following security problems:
CVE-2024-45230
Potential denial-of-service vulnerability in
django.utils.html.urlize(). urlize and urlizetrunc were subject to a
potential denial-of-service attack via very large inputs with a
specific sequence of characters.
CVE-2024-45231
Potential user email enumeration via response status on password
reset. Due to unhandled email sending failures, the
django.contrib.auth.forms.PasswordResetForm class allowed remote
attackers to enumerate user emails by issuing password reset
requests and observing the outcomes. To mitigate this risk,
exceptions occurring during password reset email sending are now
handled and logged using the django.contrib.auth logger.
CVE-2024-53907
Potential DoS in django.utils.html.strip_tags. The strip_tags()
method and striptags template filter were subject to a potential
denial-of-service attack via certain inputs containing large
sequences of nested incomplete HTML entities.
CVE-2024-53908
Potential SQL injection in HasKey(lhs, rhs) on Oracle. Direct
usage of the django.db.models.fields.json.HasKey lookup on
Oracle was subject to SQL injection if untrusted data is used as
a lhs value. Applications that use the jsonfield.has_key lookup
through the __ syntax are unaffected.
CVE-2024-56374
Potential denial-of-service vulnerability in IPv6 validation. A
lack of upper bound limit enforcement in strings passed when
performing IPv6 validation could have led to a potential
denial-of-service (DoS) attack. The undocumented and private
functions clean_ipv6_address and is_valid_ipv6_address were
vulnerable, as was the GenericIPAddressField form field, which
has now been updated to define a max_length of 39 characters.
The GenericIPAddressField model field was not affected.
For the bookworm-backports distribution the problems have been fixed
in version 3:4.2.18-1~bpo12+1.
Philippe Coval uploaded new packages for mosquitto which fixed the
following security problems:
CVE-2024-8376
In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets.
For the bookworm-backports distribution the problems have been fixed in
version 2.0.20-1~bpo12+1.
As you may know, oldstable is only supported for 1 year. For bookworm this was 2024-06-10. We added a small grace period afterwards, but we will not allow updates after this point. We will also remove the suite from the debian mirrors soon.
Thanks for your attention
Debian Backports does not support LTS [1], therefore buster-backports is unsupported since August 1st 2022.
Despite the documentation, buster-backports was still available on the mirrors; that changed recently with the archival of buster-backports. Unfortunately we failed to create an announcement in 2022, which led to some surprise. Please take this as the missing announcement.