[Community Announcements] [Upgrade Recommended] deepin 25.1 Update Announcement – April 23
deepin小助手
Super Moderator
3 hours ago

Dear Community Friends,

deepin 25.1 update is here! This update includes an emergency fix for the recently discovered “Pack2TheRoot” high-risk vulnerability, along with an optimization for audio device loss issues some users experienced after recent upgrades. We strongly recommend updating as soon as possible. We welcome all deepin community members and open-source enthusiasts to upgrade to the latest system and share your feedback! Feel free to join the discussion in the comments and share your thoughts – thank you!

Update Details – April 23, 2026

  • Fixed audio device loss issues for some users.
  • Removed some invalid/failed intelligent mirrors and fixed update failures caused by IP blocking for certain users.
  • Fixed several known CVE security vulnerabilities (including the “Pack2TheRoot” high-risk vulnerability) to improve system security.

About the Emergency Fix for the “Pack2TheRoot” High-Risk Vulnerability

Security researchers from Deutsche Telekom’s Red Team recently discovered a Time-of-check Time-of-use (TOCTOU) vulnerability in PackageKit. This vulnerability could allow an unprivileged attacker to install or remove software packages without authorization, thereby gaining root privileges or performing other malicious actions.

Vulnerability IDs: CVE-2026-41651 / GHSA-f55j-vvr9-69xv

Am I affected?

All deepin 25 users who have not applied this update are affected. We recommend updating immediately.

Fixed Version

deepin 25 has been patched via this update. You can check your current version with:

dpkg -l | grep -i packagekit

  • Vulnerable version: 1.2.8-2deepin1 and lower
  • Fixed version: 1.2.8-2deepin2
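
For checking more than one machine, the comparison against the fixed version can be scripted. The following is an added example, not part of the original announcement or of deepin's tooling: it reads `dpkg -l` output and applies Debian version ordering to flag installed packagekit packages older than 1.2.8-2deepin2. The sample lines and the helper names are constructed for illustration.

```python
import re

FIXED = "1.2.8-2deepin2"  # fixed deepin 25 build, taken from the announcement

def _rank(ch):
    # Debian ordering inside a non-digit run: '~' sorts before everything
    # (even the end of the string), letters sort before other characters.
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _key(part):
    # Alternating (non-digit run, number) pairs; 0 marks the end of a run.
    return [(tuple(_rank(c) for c in text) + (0,), int(num or 0))
            for text, num in re.findall(r"(\D*)(\d*)", part)]

def version_key(version):
    # [epoch:]upstream[-revision]; a missing epoch or revision counts as 0.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return (int(epoch), _key(upstream), _key(revision))

def audit(dpkg_l_output):
    """Map each installed packagekit package to (version, state)."""
    result = {}
    for line in dpkg_l_output.splitlines():
        f = line.split()
        # Second status character 'i' means the package is currently installed.
        if len(f) < 3 or f[0][1:2] != "i" or "packagekit" not in f[1].lower():
            continue
        state = "VULNERABLE" if version_key(f[2]) < version_key(FIXED) else "fixed"
        result[f[1]] = (f[2], state)
    return result

# Constructed sample of `dpkg -l | grep -i packagekit` output.
SAMPLE = """\
ii  packagekit        1.2.8-2deepin1  amd64  Provides a package management service
ii  packagekit-tools  1.2.8-2deepin2  amd64  Provides PackageKit command-line tools
rc  gir1.2-packagekitglib-1.0  1.2.5-1  amd64  GObject introspection data
"""

if __name__ == "__main__":
    for name, (ver, state) in audit(SAMPLE).items():
        print(f"{name:20} {ver:18} {state}")
```

Any package reported as VULNERABLE means the update has not been applied on that machine.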

Timeline

  • 2026-04-22 18:56 UTC+8 – Upstream release 1.3.5
  • 2026-04-22 19:31 UTC+8 – Upstream release announcement
  • 2026-04-22 20:30 UTC+8 – deepin detects vulnerability information
  • 2026-04-23 09:56 UTC+8 – Patch created and integrated
  • 2026-04-23 13:15 UTC+8 – Integration testing passed
  • 2026-04-23 16:58 UTC+8 – Patch integrated and push begins

References

  • https://lists.freedesktop.org/archives/packagekit/2026-April/026513.html
  • https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html
  • https://github.com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv
  • https://www.openwall.com/lists/oss-security/2026/04/22/6
  • https://github.com/PackageKit/PackageKit/commit/76cfb675fb31acc3ad5595d4380bfff56d2a8697

That’s all for the deepin 25.1 official release. Thank you once again for your support.
