[SUA 234-1] Upcoming Debian 11 Update (11.7)

----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 234-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
April 24th, 2023
----------------------------------------------------------------------------

Upcoming Debian 11 Update (11.7)

An update to Debian 11 is scheduled for Saturday, April 29th, 2023. As of now
it will include the following bug fixes. They can be found in "bullseye-
proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bullseye-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

  Package                    Reason
  -------                    ------

  akregator                  Fix validity checks, including fixing deletion
                             of feeds and folders

  apache2                    Don't automatically enable apache2-doc.conf;
                             fix regressions in http2 and mod_rewrite
                             introduced in 2.4.56

  at-spi2-core               Set stop timeout to 5 seconds, so as not to
                             needlessly block system shutdowns

  avahi                      Fix local denial of service issue
                             [CVE-2021-3468]

  base-files                 Update for the 11.7 point release

  c-ares                     Prevent stack overflow and denial of service
                             [CVE-2022-4904]

  clamav                     New upstream stable release; fix possible
                             remote code execution issue in the HFS+ file
                             parser [CVE-2023-20032], possible information
                             leak in the DMG file parser [CVE-2023-20052]

  command-not-found          Add new non-free-firmware component, fixing
                             upgrades to bookworm

  containerd                 Fix denial of service issue [CVE-2023-25153];
                             fix possible privilege escalation via incorrect
                             setup of supplementary groups [CVE-2023-25173]

  crun                       Fix capability escalation issue due to
                             containers being incorrectly started with non-
                             empty default permissions [CVE-2022-27650]

  cwltool                    Add missing dependency on python3-distutils

  debian-archive-keyring     Add bookworm keys; move stretch keys to the
                             removed keyring

  debian-ports-archive-      Extend the 2023 signing key's expiration by one
      keyring                year; add 2024 signing key; move 2022 signing
                             key to the removed keyring

  dpdk                       New upstream stable release

  duktape                    Fix crash issue [CVE-2021-46322]

  e2tools                    Fix build failure by adding build dependency on
                             e2fsprogs

  erlang                     Fix client authentication bypass issue
                             [CVE-2022-37026]; use -O1 optimization for
                             armel because -O2 makes erl segfault on certain
                             platforms, e.g. Marvell

  exiv2                      Security fixes [CVE-2021-29458 CVE-2021-29463
                             CVE-2021-29464 CVE-2021-29470 CVE-2021-29473
                             CVE-2021-29623 CVE-2021-32815 CVE-2021-34334
                             CVE-2021-34335 CVE-2021-3482 CVE-2021-37615
                             CVE-2021-37616 CVE-2021-37618 CVE-2021-37619
                             CVE-2021-37620 CVE-2021-37621 CVE-2021-37622
                             CVE-2021-37623]

  flask-security             Fix open redirect vulnerability
                             [CVE-2021-23385]

  flatpak                    New upstream stable release; escape special
                             characters when displaying permissions and
                             metadata [CVE-2023-28101]; don't allow
                             copy/paste via the TIOCLINUX ioctl when running
                             in a Linux virtual console [CVE-2023-28100]

  galera-3                   New upstream stable release

  ghostscript                Fix path for PostScript helper file in ps2epsi

  glibc                      Fix memory leak in printf-family functions with
                             long multibyte strings; fix crash in printf-
                             family due to width/precision-dependent
                             allocations; fix segfault in printf handling
                             thousands separator; fix overflow in the AVX2
                             implementation of wcsnlen when crossing pages

  golang-github-containers-  Fix parsing of DBUS_SESSION_BUS_ADDRESS
      common

  golang-github-containers-  Do not enter the process user namespace
      psgo                   [CVE-2022-1227]

  golang-github-containers-  Make previously internal functions publicly
      storage                accessible, required to allow fixing
                             CVE-2022-1227 in other packages

  golang-github-prometheus-  Patch tests to avoid race condition; fix
      exporter-toolkit       authentication cache poisoning issue
                             [CVE-2022-46146]

  grep                       Fix incorrect matching when the last of
                             multiple patterns includes a backref

  gtk+3.0                    Fix Wayland combined with EGL on GLES-only
                             platforms

  guix                       Fix build failure due to expired keys used in
                             test suite

  intel-microcode            New upstream bug-fix release

  isc-dhcp                   Fix IPv6 address lifetime handling

  jersey1                    Fix build failure with libjettison-java 1.5.3

  joblib                     Fix arbitrary code execution issue
                             [CVE-2022-21797]

  lemonldap-ng               Fix URL validation bypass issue; fix 2FA issue
                             when using AuthBasic handler [CVE-2023-28862]

  libapache2-mod-auth-       Fix open redirect issue [CVE-2022-23527]
      openidc

  libapreq2                  Fix buffer overflow issue [CVE-2022-22728]

  libdatetime-timezone-perl  Update included data

  libexplain                 Enhance compatibility with newer kernel
                             versions - Linux 5.11 no longer has if_frad.h,
                             termiox removed since kernel 5.12

  libgit2                    Enable SSH key verification by default
                             [CVE-2023-22742]

  libpod                     Fix privilege escalation issue [CVE-2022-1227];
                             fix capability escalation issue due to
                             containers being incorrectly started with non-
                             empty default permissions [CVE-2022-27649]; fix
                             parsing of DBUS_SESSION_BUS_ADDRESS

  libreoffice                Change Croatia's default currency to Euro;
                             avoid empty -Djava.class.path= [CVE-2022-38745]

  libvirt                    Fix container reboot-related issues; fix test
                             failures when combined with newer Xen versions

  libxpm                     Fix infinite loop issues [CVE-2022-44617
                             CVE-2022-46285]; fix double free issue in error
                             handling code; fix "compression commands depend
                             on PATH" [CVE-2022-4883]

  libzen                     Fix null pointer dereference issue
                             [CVE-2020-36646]

  linux                      New upstream stable release; increase ABI to
                             22; [rt] update to 5.10.176-rt86

  linux-signed-amd64         New upstream stable release; increase ABI to
                             22; [rt] update to 5.10.176-rt86

  linux-signed-arm64         New upstream stable release; increase ABI to
                             22; [rt] update to 5.10.176-rt86

  linux-signed-i386          New upstream stable release; increase ABI to
                             22; [rt] update to 5.10.176-rt86

  lxc                        Fix file existence oracle [CVE-2022-47952]

  macromoleculebuilder       Fix build failure by adding build dependency on
                             docbook-xsl

  mariadb-10.5               New upstream stable release

  mono                       Remove desktop file

  ncurses                    Guard against corrupt terminfo data
                             [CVE-2022-29458]; fix tic crash on very long
                             tc/use clauses

  needrestart                Fix warnings when using "-b" option

  node-cookiejar             Guard against maliciously-sized cookies
                             [CVE-2022-25901]

  node-webpack               Avoid cross-realm object access
                             [CVE-2023-28154]

  nvidia-graphics-drivers    New upstream release; security fixes
                             [CVE-2023-0180 CVE-2023-0184 CVE-2023-0185
                             CVE-2023-0187 CVE-2023-0188 CVE-2023-0189
                             CVE-2023-0190 CVE-2023-0191 CVE-2023-0194
                             CVE-2023-0195 CVE-2023-0198 CVE-2023-0199]

  nvidia-graphics-drivers-   New upstream release; security fixes
     tesla-450               [CVE-2023-0180 CVE-2023-0184 CVE-2023-0185
                             CVE-2023-0188 CVE-2023-0189 CVE-2023-0190
                             CVE-2023-0191 CVE-2023-0194 CVE-2023-0195
                             CVE-2023-0198 CVE-2023-0199]

  nvidia-graphics-drivers-   New upstream release; security fixes
     tesla-470               [CVE-2023-0180 CVE-2023-0184 CVE-2023-0185
                             CVE-2023-0187 CVE-2023-0188 CVE-2023-0189
                             CVE-2023-0190 CVE-2023-0191 CVE-2023-0194
                             CVE-2023-0195 CVE-2023-0198 CVE-2023-0199]

  nvidia-modprobe            New upstream release

  openvswitch                Fix "openvswitch-switch update leaves
                             interfaces down"

  passenger                  Fix compatibility with more recent NodeJS
                             versions

  phyx                       Remove unnecessary build dependency on
                             libatlas-cpp

  postfix                    New upstream stable release

  postgis                    Fix wrong Polar stereographic axis order

  postgresql-13              New upstream stable release; fix client memory
                             disclosure issue [CVE-2022-41862]

  python-acme                Fix CSR version to prevent problems with
                             strictly RFC-complying implementations of the
                             ACME API

  ruby-aws-sdk-core          Fix generation of version file

  ruby-cfpropertylist        Fix some functionality by dropping
                             compatibility with Ruby 1.8

  shim                       New upstream release; enable NX support at build
                             time; block Debian grub binaries with sbat < 4

  shim-helpers-amd64-signed  New upstream release; enable NX support at build
                             time; block Debian grub binaries with sbat < 4

  shim-helpers-arm64-signed  New upstream release; enable NX support at build
                             time; block Debian grub binaries with sbat < 4

  shim-helpers-i386-signed   New upstream release; enable NX support at build
                             time; block Debian grub binaries with sbat < 4

  shim-signed                New upstream release; enable NX support at build
                             time; block Debian grub binaries with sbat < 4

  snakeyaml                  Fix denial of service issues [CVE-2022-25857
                             CVE-2022-38749 CVE-2022-38750 CVE-2022-38751];
                             add documentation regarding security support /
                             issues

  spyder                     Fix duplication of code when saving

  symfony                    Remove private headers before storing responses
                             with HttpCache [CVE-2022-24894]; remove CSRF
                             tokens from storage on successful login
                             [CVE-2022-24895]

  systemd                    Fix information leak issue [CVE-2022-4415],
                             denial of service issue [CVE-2022-3821];
                             ata_id: fix getting Response Code from SCSI
                             Sense Data; logind: fix getting property
                             OnExternalPower via D-Bus; fix crash in
                             systemd-machined

  tomcat9                    Add OpenJDK 17 support to JDK detection

  traceroute                 Interpret v4mapped-IPv6 addresses as IPv4

  tzdata                     Update included data

  unbound                    Fix Non-Responsive Delegation Attack
                             [CVE-2022-3204]; fix "ghost domain names" issue
                             [CVE-2022-30698 CVE-2022-30699]

  usb.ids                    Update included data

  vagrant                    Add support for VirtualBox 7.0

  voms-api-java              Fix build failures by disabling some non-
                             working tests

  w3m                        Fix out-of-bounds write issue [CVE-2022-38223]

  x4d-icons                  Fix build failure with newer imagemagick
                             versions

  xapian-core                Prevent database corruption on disk exhaustion

  zfs-linux                  Add several stability improvements


A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>


Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

  Package                    Reason
  -------                    ------

  bind-dyndb-ldap            Broken with newer bind9 versions; unsupportable
                             in stable

  matrix-mirage              Depends on to-be-removed python-matrix-nio

  pantalaimon                Depends on to-be-removed python-matrix-nio

  python-matrix-nio          Security issues; doesn't work with current
                             Matrix servers

  weechat-matrix             Depends on to-be-removed python-matrix-nio


If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
