------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 11: 11.1 released                        press@debian.org
October 9th, 2021              https://www.debian.org/News/2021/20211009
------------------------------------------------------------------------

The Debian project is pleased to announce the first update of its stable
distribution Debian 11 (codename "bullseye"). This point release mainly
adds corrections for security issues, along with a few adjustments for
serious problems. Security advisories have already been published
separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 11 but only updates some of the packages included. There is no
need to throw away old "bullseye" media. After installation, packages
can be upgraded to the current versions using an up-to-date Debian
mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

  https://www.debian.org/mirror/list


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

+---------------------------+-----------------------------------------+
| Package                   | Reason                                  |
+---------------------------+-----------------------------------------+
| apr [1]                   | Prevent out-of-bounds array dereference |
|                           |                                         |
| atftp [2]                 | Fix buffer overflow [CVE-2021-41054]    |
|                           |                                         |
| automysqlbackup [3]       | Fix crash when using "LATEST=yes"       |
|                           |                                         |
| base-files [4]            | Update for the 11.1 point release       |
|                           |                                         |
| clamav [5]                | New upstream stable release; fix        |
|                           | clamdscan segfaults when --fdpass and   |
|                           | --multipass are used together with      |
|                           | ExcludePath                             |
|                           |                                         |
| cloud-init [6]            | Avoid duplicate includedir in /etc/     |
|                           | sudoers                                 |
|                           |                                         |
| cyrus-imapd [7]           | Fix denial-of-service issue [CVE-2021-  |
|                           | 33582]                                  |
|                           |                                         |
| dazzdb [8]                | Fix a use-after-free in DBstats         |
|                           |                                         |
| debian-edu-config [9]     | debian-edu-ltsp-install: extend main    |
|                           | server related exclude list; add slapd  |
|                           | and xrdp-sesman to the list of masked   |
|                           | services                                |
|                           |                                         |
| debian-installer [10]     | Rebuild against proposed updates;       |
|                           | update Linux ABI to 5.10.0-9; use udebs |
|                           | from proposed-updates                   |
|                           |                                         |
| debian-installer-netboot- | Rebuild against proposed-updates; use   |
| images [11]               | udebs from proposed-updates and stable; |
|                           | use xz-compressed Packages files        |
|                           |                                         |
| detox [12]                | Fix handling of large files             |
|                           |                                         |
| devscripts [13]           | Make the --bpo option target bullseye-  |
|                           | backports                               |
|                           |                                         |
| dlt-viewer [14]           | Add missing qdlt/qdlt*.h header files   |
|                           | to dev package                          |
|                           |                                         |
| dpdk [15]                 | New upstream stable release             |
|                           |                                         |
| fetchmail [16]            | Fix segmentation fault and security     |
|                           | regression                              |
|                           |                                         |
| flatpak [17]              | New upstream stable release; don't      |
|                           | inherit an unusual $XDG_RUNTIME_DIR     |
|                           | setting into the sandbox                |
|                           |                                         |
| freeradius [18]           | Fix thread crash and sample             |
|                           | configuration                           |
|                           |                                         |
| galera-3 [19]             | New upstream stable release             |
|                           |                                         |
| galera-4 [20]             | New upstream stable release; solve      |
|                           | circular Conflicts with galera-3 by no  |
|                           | longer providing a virtual "galera"     |
|                           | package                                 |
|                           |                                         |
| glewlwyd [21]             | Fix possible buffer overflow during     |
|                           | FIDO2 signature validation in webauthn  |
|                           | registration [CVE-2021-40818]           |
|                           |                                         |
| glibc [22]                | Restart openssh-server even if it has   |
|                           | been deconfigured during the upgrade;   |
|                           | fix text fallback when debconf is       |
|                           | unusable                                |
|                           |                                         |
| gnome-maps [23]           | New upstream stable release; fix a      |
|                           | crash when starting up with last-used   |
|                           | map type being aerial, and no aerial    |
|                           | tile definition is found; don't         |
|                           | sometimes write broken last view        |
|                           | position on exit; fix hang when         |
|                           | dragging around route markers           |
|                           |                                         |
| gnome-shell [24]          | New upstream stable release; fix freeze |
|                           | after cancelling (some) system-modal    |
|                           | dialogs; fix word suggestions in on-    |
|                           | screen keyboard; fix crashes            |
|                           |                                         |
| hdf5 [25]                 | Adjust package dependencies to improve  |
|                           | upgrade paths from older releases       |
|                           |                                         |
| iotop-c [26]              | Properly handle UTF-8 process names     |
|                           |                                         |
| jailkit [27]              | Fix creation of jails that need to      |
|                           | use /dev; fix library presence check    |
|                           |                                         |
| java-atk-wrapper [28]     | Also use dbus to detect accessibility   |
|                           | being enabled                           |
|                           |                                         |
| krb5 [29]                 | Fix KDC null dereference crash on FAST  |
|                           | request with no server field [CVE-2021- |
|                           | 37750]; fix memory leak in              |
|                           | krb5_gss_inquire_cred                   |
|                           |                                         |
| libavif [30]              | Use correct libdir in libavif.pc        |
|                           | pkgconfig file                          |
|                           |                                         |
| libbluray [31]            | Switch to embedded libasm; the version  |
|                           | from libasm-java is too new             |
|                           |                                         |
| libdatetime-timezone-perl | New upstream stable release; update DST |
| [32]                      | rules for Samoa and Jordan;             |
|                           | confirmation of no leap second on 2021- |
|                           | 12-31                                   |
|                           |                                         |
| libslirp [33]             | Fix multiple buffer overflow issues     |
|                           | [CVE-2021-3592 CVE-2021-3593 CVE-2021-  |
|                           | 3594 CVE-2021-3595]                     |
|                           |                                         |
| linux [34]                | New upstream stable release; increase   |
|                           | ABI to 9; [rt] Update to 5.10.65-rt53;  |
|                           | [mipsel] bpf, mips: Validate            |
|                           | conditional branch offsets [CVE-2021-   |
|                           | 38300]                                  |
|                           |                                         |
| linux-signed-amd64 [35]   | New upstream stable release; increase   |
|                           | ABI to 9; [rt] Update to 5.10.65-rt53;  |
|                           | [mipsel] bpf, mips: Validate            |
|                           | conditional branch offsets [CVE-2021-   |
|                           | 38300]                                  |
|                           |                                         |
| linux-signed-arm64 [36]   | New upstream stable release; increase   |
|                           | ABI to 9; [rt] Update to 5.10.65-rt53;  |
|                           | [mipsel] bpf, mips: Validate            |
|                           | conditional branch offsets [CVE-2021-   |
|                           | 38300]                                  |
|                           |                                         |
| linux-signed-i386 [37]    | New upstream stable release; increase   |
|                           | ABI to 9; [rt] Update to 5.10.65-rt53;  |
|                           | [mipsel] bpf, mips: Validate            |
|                           | conditional branch offsets [CVE-2021-   |
|                           | 38300]                                  |
|                           |                                         |
| mariadb-10.5 [38]         | New upstream stable release; security   |
|                           | fixes [CVE-2021-2372 CVE-2021-2389]     |
|                           |                                         |
| mbrola [39]               | Fix end of file detection               |
|                           |                                         |
| modsecurity-crs [40]      | Fix request body bypass issue           |
|                           | [CVE-2021-35368]                        |
|                           |                                         |
| mtr [41]                  | Fix regression in JSON output           |
|                           |                                         |
| mutter [42]               | New upstream stable release; kms:       |
|                           | Improve handling of common video modes  |
|                           | that might exceed the possible          |
|                           | bandwidth; ensure valid window texture  |
|                           | size after viewport changes             |
|                           |                                         |
| nautilus [43]             | Avoid opening multiple selected files   |
|                           | in multiple application instances;      |
|                           | don't save window size and position     |
|                           | when tiled; fix some memory leaks;      |
|                           | update translations                     |
|                           |                                         |
| node-ansi-regex [44]      | Fix regular expression-based denial of  |
|                           | service issue [CVE-2021-3807]           |
|                           |                                         |
| node-axios [45]           | Fix regular expression-based denial of  |
|                           | service issue [CVE-2021-3749]           |
|                           |                                         |
| node-object-path [46]     | Fix prototype pollution issues          |
|                           | [CVE-2021-23434 CVE-2021-3805]          |
|                           |                                         |
| node-prismjs [47]         | Fix regular expression-based denial of  |
|                           | service issue [CVE-2021-3801]           |
|                           |                                         |
| node-set-value [48]       | Fix prototype pollution [CVE-2021-      |
|                           | 23440]                                  |
|                           |                                         |
| node-tar [49]             | Remove non-directory paths from the     |
|                           | directory cache [CVE-2021-32803]; strip |
|                           | absolute paths more comprehensively     |
|                           | [CVE-2021-32804]                        |
|                           |                                         |
| osmcoastline [50]         | Fix projections other than WGS84        |
|                           |                                         |
| osmpbf [51]               | Rebuild against protobuf 3.12.4         |
|                           |                                         |
| pam [52]                  | Fix syntax error in libpam0g.postinst   |
|                           | when a systemd unit fails               |
|                           |                                         |
| perl [53]                 | Security update; fix a regular          |
|                           | expression memory leak                  |
|                           |                                         |
| pglogical [54]            | Update for PostgreSQL 13.4 snapshot     |
|                           | handling fixes                          |
|                           |                                         |
| pmdk [55]                 | Fix missing barriers after non-temporal |
|                           | memcpy                                  |
|                           |                                         |
| postgresql-13 [56]        | New upstream stable release; fix mis-   |
|                           | planning of repeated application of a   |
|                           | projection step [CVE-2021-3677];        |
|                           | disallow SSL renegotiation more         |
|                           | completely                              |
|                           |                                         |
| proftpd-dfsg [57]         | Fix "mod_radius leaks memory contents   |
|                           | to radius server" and "sftp connection  |
|                           | aborts with 'Corrupted MAC on input'";  |
|                           | skip escaping of already-escaped SQL    |
|                           | text                                    |
|                           |                                         |
| pyx3 [58]                 | Fix horizontal font alignment issue     |
|                           | with texlive 2020                       |
|                           |                                         |
| reportbug [59]            | Update suite names following bullseye   |
|                           | release                                 |
|                           |                                         |
| request-tracker4 [60]     | Fix login timing side-channel attack    |
|                           | issue [CVE-2021-38562]                  |
|                           |                                         |
| rhonabwy [61]             | Fix JWE CBC tag computation and JWS     |
|                           | alg:none signature verification         |
|                           |                                         |
| rpki-trust-anchors [62]   | Add HTTPS URL to the LACNIC TAL         |
|                           |                                         |
| rsync [63]                | Re-add --copy-devices; fix regression   |
|                           | in --delay-updates; fix edge case in -- |
|                           | mkpath; fix rsync-ssl; fix --sparse and |
|                           | --inplace; update options available to  |
|                           | rrsync; documentation fixes             |
|                           |                                         |
| ruby-rqrcode-rails3 [64]  | Fix for ruby-rqrcode 1.0 compatibility  |
|                           |                                         |
| sabnzbdplus [65]          | Prevent directory escape in renamer     |
|                           | function [CVE-2021-29488]               |
|                           |                                         |
| shellcheck [66]           | Fix rendering of long options in        |
|                           | manpage                                 |
|                           |                                         |
| shiro [67]                | Fix authentication bypass issues        |
|                           | [CVE-2020-1957 CVE-2020-11989 CVE-2020- |
|                           | 13933 CVE-2020-17510]; update Spring    |
|                           | Framework compatibility patch; support  |
|                           | Guice 4                                 |
|                           |                                         |
| speech-dispatcher [68]    | Fix setting of voice name for the       |
|                           | generic module                          |
|                           |                                         |
| telegram-desktop [69]     | Avoid crash when auto-delete is enabled |
|                           |                                         |
| termshark [70]            | Include themes in package               |
|                           |                                         |
| tmux [71]                 | Fix a race condition which results in   |
|                           | the config not being loaded if several  |
|                           | clients are interacting with the server |
|                           | while it's initializing                 |
|                           |                                         |
| txt2man [72]              | Fix regression in handling display      |
|                           | blocks                                  |
|                           |                                         |
| tzdata [73]               | Update DST rules for Samoa and Jordan;  |
|                           | confirm the absence of a leap second on |
|                           | 2021-12-31                              |
|                           |                                         |
| ublock-origin [74]        | New upstream stable release; fix denial |
|                           | of service issue [CVE-2021-36773]       |
|                           |                                         |
| ulfius [75]               | Ensure memory is initialised before use |
|                           | [CVE-2021-40540]                        |
|                           |                                         |
+---------------------------+-----------------------------------------+

 1: https://packages.debian.org/src:apr
 2: https://packages.debian.org/src:atftp
 3: https://packages.debian.org/src:automysqlbackup
 4: https://packages.debian.org/src:base-files
 5: https://packages.debian.org/src:clamav
 6: https://packages.debian.org/src:cloud-init
 7: https://packages.debian.org/src:cyrus-imapd
 8: https://packages.debian.org/src:dazzdb
 9: https://packages.debian.org/src:debian-edu-config
10: https://packages.debian.org/src:debian-installer
11: https://packages.debian.org/src:debian-installer-netboot-images
12: https://packages.debian.org/src:detox
13: https://packages.debian.org/src:devscripts
14: https://packages.debian.org/src:dlt-viewer
15: https://packages.debian.org/src:dpdk
16: https://packages.debian.org/src:fetchmail
17: https://packages.debian.org/src:flatpak
18: https://packages.debian.org/src:freeradius
19: https://packages.debian.org/src:galera-3
20: https://packages.debian.org/src:galera-4
21: https://packages.debian.org/src:glewlwyd
22: https://packages.debian.org/src:glibc
23: https://packages.debian.org/src:gnome-maps
24: https://packages.debian.org/src:gnome-shell
25: https://packages.debian.org/src:hdf5
26: https://packages.debian.org/src:iotop-c
27: https://packages.debian.org/src:jailkit
28: https://packages.debian.org/src:java-atk-wrapper
29: https://packages.debian.org/src:krb5
30: https://packages.debian.org/src:libavif
31: https://packages.debian.org/src:libbluray
32: https://packages.debian.org/src:libdatetime-timezone-perl
33: https://packages.debian.org/src:libslirp
34: https://packages.debian.org/src:linux
35: https://packages.debian.org/src:linux-signed-amd64
36: https://packages.debian.org/src:linux-signed-arm64
37: https://packages.debian.org/src:linux-signed-i386
38: https://packages.debian.org/src:mariadb-10.5
39: https://packages.debian.org/src:mbrola
40: https://packages.debian.org/src:modsecurity-crs
41: https://packages.debian.org/src:mtr
42: https://packages.debian.org/src:mutter
43: https://packages.debian.org/src:nautilus
44: https://packages.debian.org/src:node-ansi-regex
45: https://packages.debian.org/src:node-axios
46: https://packages.debian.org/src:node-object-path
47: https://packages.debian.org/src:node-prismjs
48: https://packages.debian.org/src:node-set-value
49: https://packages.debian.org/src:node-tar
50: https://packages.debian.org/src:osmcoastline
51: https://packages.debian.org/src:osmpbf
52: https://packages.debian.org/src:pam
53: https://packages.debian.org/src:perl
54: https://packages.debian.org/src:pglogical
55: https://packages.debian.org/src:pmdk
56: https://packages.debian.org/src:postgresql-13
57: https://packages.debian.org/src:proftpd-dfsg
58: https://packages.debian.org/src:pyx3
59: https://packages.debian.org/src:reportbug
60: https://packages.debian.org/src:request-tracker4
61: https://packages.debian.org/src:rhonabwy
62: https://packages.debian.org/src:rpki-trust-anchors
63: https://packages.debian.org/src:rsync
64: https://packages.debian.org/src:ruby-rqrcode-rails3
65: https://packages.debian.org/src:sabnzbdplus
66: https://packages.debian.org/src:shellcheck
67: https://packages.debian.org/src:shiro
68: https://packages.debian.org/src:speech-dispatcher
69: https://packages.debian.org/src:telegram-desktop
70: https://packages.debian.org/src:termshark
71: https://packages.debian.org/src:tmux
72: https://packages.debian.org/src:txt2man
73: https://packages.debian.org/src:tzdata
74: https://packages.debian.org/src:ublock-origin
75: https://packages.debian.org/src:ulfius


Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+----------------+--------------------------+
| Advisory ID    | Package                  |
+----------------+--------------------------+
| DSA-4959 [76]  | thunderbird [77]         |
|                |                          |
| DSA-4960 [78]  | haproxy [79]             |
|                |                          |
| DSA-4961 [80]  | tor [81]                 |
|                |                          |
| DSA-4962 [82]  | ledgersmb [83]           |
|                |                          |
| DSA-4963 [84]  | openssl [85]             |
|                |                          |
| DSA-4964 [86]  | grilo [87]               |
|                |                          |
| DSA-4965 [88]  | libssh [89]              |
|                |                          |
| DSA-4966 [90]  | gpac [91]                |
|                |                          |
| DSA-4967 [92]  | squashfs-tools [93]      |
|                |                          |
| DSA-4968 [94]  | haproxy [95]             |
|                |                          |
| DSA-4969 [96]  | firefox-esr [97]         |
|                |                          |
| DSA-4970 [98]  | postorius [99]           |
|                |                          |
| DSA-4971 [100] | ntfs-3g [101]            |
|                |                          |
| DSA-4972 [102] | ghostscript [103]        |
|                |                          |
| DSA-4973 [104] | thunderbird [105]        |
|                |                          |
| DSA-4974 [106] | nextcloud-desktop [107]  |
|                |                          |
| DSA-4975 [108] | webkit2gtk [109]         |
|                |                          |
| DSA-4976 [110] | wpewebkit [111]          |
|                |                          |
| DSA-4977 [112] | xen [113]                |
|                |                          |
| DSA-4978 [114] | linux-signed-amd64 [115] |
|                |                          |
| DSA-4978 [116] | linux-signed-arm64 [117] |
|                |                          |
| DSA-4978 [118] | linux-signed-i386 [119]  |
|                |                          |
| DSA-4978 [120] | linux [121]              |
|                |                          |
| DSA-4979 [122] | mediawiki [123]          |
|                |                          |
+----------------+--------------------------+

 76: https://www.debian.org/security/2021/dsa-4959
 77: https://packages.debian.org/src:thunderbird
 78: https://www.debian.org/security/2021/dsa-4960
 79: https://packages.debian.org/src:haproxy
 80: https://www.debian.org/security/2021/dsa-4961
 81: https://packages.debian.org/src:tor
 82: https://www.debian.org/security/2021/dsa-4962
 83: https://packages.debian.org/src:ledgersmb
 84: https://www.debian.org/security/2021/dsa-4963
 85: https://packages.debian.org/src:openssl
 86: https://www.debian.org/security/2021/dsa-4964
 87: https://packages.debian.org/src:grilo
 88: https://www.debian.org/security/2021/dsa-4965
 89: https://packages.debian.org/src:libssh
 90: https://www.debian.org/security/2021/dsa-4966
 91: https://packages.debian.org/src:gpac
 92: https://www.debian.org/security/2021/dsa-4967
 93: https://packages.debian.org/src:squashfs-tools
 94: https://www.debian.org/security/2021/dsa-4968
 95: https://packages.debian.org/src:haproxy
 96: https://www.debian.org/security/2021/dsa-4969
 97: https://packages.debian.org/src:firefox-esr
 98: https://www.debian.org/security/2021/dsa-4970
 99: https://packages.debian.org/src:postorius
100: https://www.debian.org/security/2021/dsa-4971
101: https://packages.debian.org/src:ntfs-3g
102: https://www.debian.org/security/2021/dsa-4972
103: https://packages.debian.org/src:ghostscript
104: https://www.debian.org/security/2021/dsa-4973
105: https://packages.debian.org/src:thunderbird
106: https://www.debian.org/security/2021/dsa-4974
107: https://packages.debian.org/src:nextcloud-desktop
108: https://www.debian.org/security/2021/dsa-4975
109: https://packages.debian.org/src:webkit2gtk
110: https://www.debian.org/security/2021/dsa-4976
111: https://packages.debian.org/src:wpewebkit
112: https://www.debian.org/security/2021/dsa-4977
113: https://packages.debian.org/src:xen
114: https://www.debian.org/security/2021/dsa-4978
115: https://packages.debian.org/src:linux-signed-amd64
116: https://www.debian.org/security/2021/dsa-4978
117: https://packages.debian.org/src:linux-signed-arm64
118: https://www.debian.org/security/2021/dsa-4978
119: https://packages.debian.org/src:linux-signed-i386
120: https://www.debian.org/security/2021/dsa-4978
121: https://packages.debian.org/src:linux
122: https://www.debian.org/security/2021/dsa-4979
123: https://packages.debian.org/src:mediawiki

During the final stages of the bullseye freeze, some updates were
released via the security archive [124] but without an accompanying DSA.
These updates are detailed below.

124: https://security.debian.org/

+---------------------------+------------------------------------------+
| Package                   | Reason                                   |
+---------------------------+------------------------------------------+
| apache2 [125]             | Fix mod_proxy HTTP2 request line         |
|                           | injection [CVE-2021-33193]               |
|                           |                                          |
| btrbk [126]               | Fix arbitrary code execution issue       |
|                           | [CVE-2021-38173]                         |
|                           |                                          |
| c-ares [127]              | Fix missing input validation on          |
|                           | hostnames returned by DNS servers        |
|                           | [CVE-2021-3672]                          |
|                           |                                          |
| exiv2 [128]               | Fix overflow issues [CVE-2021-29457      |
|                           | CVE-2021-31292]                          |
|                           |                                          |
| firefox-esr [129]         | New upstream stable release [CVE-2021-   |
|                           | 29980 CVE-2021-29984 CVE-2021-29985      |
|                           | CVE-2021-29986 CVE-2021-29988 CVE-2021-  |
|                           | 29989]                                   |
|                           |                                          |
| libencode-perl [130]      | Encode: mitigate @INC pollution when     |
|                           | loading ConfigLocal [CVE-2021-36770]     |
|                           |                                          |
| libspf2 [131]             | spf_compile.c: Correct size of ds_avail  |
|                           | [CVE-2021-20314]; fix "reverse" macro    |
|                           | modifier                                 |
|                           |                                          |
| lynx [132]                | Fix leakage of credentials if SNI was    |
|                           | used together with a URL containing      |
|                           | credentials [CVE-2021-38165]             |
|                           |                                          |
| nodejs [133]              | New upstream stable release; fix use     |
|                           | after free issue [CVE-2021-22930]        |
|                           |                                          |
| tomcat9 [134]             | Fix authentication bypass issue          |
|                           | [CVE-2021-30640] and request smuggling   |
|                           | issue [CVE-2021-33037]                   |
|                           |                                          |
| xmlgraphics-commons [135] | Fix server side request forgery issue    |
|                           | [CVE-2020-11988]                         |
|                           |                                          |
+---------------------------+------------------------------------------+

125: https://packages.debian.org/src:apache2
126: https://packages.debian.org/src:btrbk
127: https://packages.debian.org/src:c-ares
128: https://packages.debian.org/src:exiv2
129: https://packages.debian.org/src:firefox-esr
130: https://packages.debian.org/src:libencode-perl
131: https://packages.debian.org/src:libspf2
132: https://packages.debian.org/src:lynx
133: https://packages.debian.org/src:nodejs
134: https://packages.debian.org/src:tomcat9
135: https://packages.debian.org/src:xmlgraphics-commons


Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.


URLs
----

The complete lists of packages that have changed with this revision:

  https://deb.debian.org/debian/dists/bullseye/ChangeLog

The current stable distribution:

  https://deb.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

  https://deb.debian.org/debian/dists/proposed-updates

Stable distribution information (release notes, errata etc.):

  https://www.debian.org/releases/stable/

Security announcements and information:

  https://www.debian.org/security/


About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.


Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.