
[SUA 245-1] Upcoming Debian 12 Update (12.3)



----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 245-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
December 4th, 2023
----------------------------------------------------------------------------

Upcoming Debian 12 Update (12.3)

An update to Debian 12 is scheduled for Saturday, December 9th, 2023. As of
now it will include the following bug fixes. They can be found in "bookworm-
proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bookworm-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

  Package                    Reason
  -------                    ------

  adequate                   Skip symbol-size-mismatch test on architectures
                             where array symbols don't include a specific
                             length; disable deprecation warnings about
                             smartmatch, given, when in Perl 5.38; fix
                             version comparison for smartmatch being
                             experimental warnings

  amanda                     Fix local privilege escalation [CVE-2023-30577]

  arctica-greeter            Move logo away from border when greeting

  awstats                    Avoid prompts on upgrade due to logrotate
                             configuration cleanup

  axis                       Filter out unsupported protocols in the client
                             class ServiceFactory [CVE-2023-40743]

  base-files                 Update for the 12.3 point release

  ca-certificates-java       Remove circular dependencies

  calibre                    Fix crash in Get Books when regenerating UIC
                             files

  crun                       Fix containers with systemd as their init
                             system, when using newer kernel versions

  cups                       Take into account that on some printers the
                             ColorModel option's choice for color printing
                             is CMYK and not RGB

  dav4tbsync                 New upstream version, restoring compatibility
                             with newer Thunderbird versions

  debian-edu-artwork         Provide an Emerald theme based artwork for
                             Debian Edu 12

  debian-edu-config          New upstream stable version; fix setting and
                             changing of LDAP passwords

  debian-edu-doc             Update included documentation and translations

  debian-edu-fai             New upstream stable version

  debian-edu-router          Fix dnsmasq conf generation for networks over
                             VLAN; only generate UIF filter rules for SSH if
                             'Uplink' interface is defined; update
                             translations

  debootstrap                Backport merged-/usr support changes from
                             trixie: implement merged-/usr by post-merging,
                             default to merged-/usr for suites newer than
                             bookworm in all profiles

  devscripts                 Debchange: Update to current Debian
                             distributions

  dhcpcd5                    Move Breaks/Replaces dhcpcd5 to Conflicts

  di-netboot-assistant       Fix support for bookworm live ISO image

  distro-info                Update tests for distro-info-data 0.58+deb12u1,
                             which adjusted Debian 7's EoL date

  distro-info-data           Add Ubuntu 24.04 LTS Noble Numbat; fix several
                             End Of Life dates

  eas4tbsync                 New upstream version, restoring compatibility
                             with newer Thunderbird versions

  exfatprogs                 Fix out-of-bounds memory access issues
                             [CVE-2023-45897]

  exim4                      Fix security issues relating to the proxy
                             protocol [CVE-2023-42117] and DNSDB lookups
                             [CVE-2023-42119]; add hardening for SPF
                             lookups; disallow UTF-16 surrogates from
                             ${utf8clean:...}; fix crash with "tls_dhparam =
                             none"; fix $recipients expansion when used
                             within ${run...}; fix expiry date of auto-
                             generated SSL certificates; fix crash induced
                             by some combinations of zero-length strings and
                             ${tr...}

  fonts-noto-color-emoji     Add support for Unicode 15.1

  gimp                       Add Conflicts+Replaces: gimp-dds to remove old
                             versions of this plugin shipped by gimp itself
                             since 2.10.10

  gnome-characters           Add support for Unicode 15.1

  gnome-session              Open text files in gnome-text-editor if gedit
                             is not installed

  gnome-shell                New upstream stable release; allow
                             notifications to be dismissed with backspace
                             key in addition to the delete key; fix
                             duplicate devices shown when reconnecting to
                             PulseAudio; fix possible use-after-free crashes
                             on PulseAudio/Pipewire restart; avoid sliders
                             in quick settings (volume, etc.) being reported
                             to accessibility tools as their own parent
                             object; align scrolled viewports to the pixel
                             grid to avoid jitter visible during scrolling

  gnutls28                   Fix timing sidechannel issue [CVE-2023-5981]

  gosa                       New upstream stable release

  gosa-plugins-sudo          Fix uninitialised variable

  hash-slinger               Fix generation of TLSA records

  intel-graphics-compiler    Fix compatibility with stable's intel-vc-
                             intrinsics version

  iotop-c                    Fix the logic in 'only' option; fix busy loop
                             when ESC is pressed; fix ASCII graph rendering

  jdupes                     Update prompts to help avoid choices that could
                             lead to unexpected data loss

  lastpass-cli               New upstream stable release; update certificate
                             hashes; add support for reading encrypted URLs

  libapache2-mod-python      Ensure binNMU versions are PEP-440-compliant

  libde265                   Fix segmentation violation issue
                             [CVE-2023-27102], buffer overflow issues
                             [CVE-2023-27103 CVE-2023-47471], buffer over-
                             read issue [CVE-2023-43887]

  libervia-backend           Fix start failure without pre-existing
                             configuration; make exec path absolute in dbus
                             service file; fix dependencies on
                             python3-txdbus/python3-dbus

  libmateweather             Locations: add San Miguel de Tucuman
                             (Argentina); update forecast zones for Chicago;
                             update data server URL; fix some location names

  libsolv                    Enable support for zstd compression

  linux                      Update to upstream stable release 6.1.64;
                             update ABI to 14; [rt] Update to 6.1.59-rt16;
                             enable X86_PLATFORM_DRIVERS_HP; nvmet: nul-
                             terminate the NQNs passed in the connect
                             command [CVE-2023-6121]

  linux-signed-amd64         Update to upstream stable release 6.1.64;
                             update ABI to 14; [rt] Update to 6.1.59-rt16;
                             enable X86_PLATFORM_DRIVERS_HP; nvmet: nul-
                             terminate the NQNs passed in the connect
                             command [CVE-2023-6121]

  linux-signed-arm64         Update to upstream stable release 6.1.64;
                             update ABI to 14; [rt] Update to 6.1.59-rt16;
                             enable X86_PLATFORM_DRIVERS_HP; nvmet: nul-
                             terminate the NQNs passed in the connect
                             command [CVE-2023-6121]

  linux-signed-i386          Update to upstream stable release 6.1.64;
                             update ABI to 14; [rt] Update to 6.1.59-rt16;
                             enable X86_PLATFORM_DRIVERS_HP; nvmet: nul-
                             terminate the NQNs passed in the connect
                             command [CVE-2023-6121]

  llvm-toolchain-16          New backported package to support builds of
                             newer chromium versions

  lxc                        Fix creating of ephemeral copies

  mda-lv2                    Fix LV2 plugin installation location

  midge                      Remove non-free example files

  minizip                    Fix integer and heap overflow issues
                             [CVE-2023-45853]

  mrtg                       Handle relocated configuration file;
                             translation updates; handle moved configuration
                             file in a policy-compliant way

  mutter                     New upstream stable release; fix the ability to
                             drag libdecor windows by their title bar on
                             touchscreens; fix flickering and rendering
                             artifacts when using software rendering;
                             improve GNOME Shell app grid performance by
                             avoiding repainting monitors other than the one
                             it is displayed on

  nagios-plugins-contrib     Fix on-disk kernel version detection

  network-manager-           User Agent to Openconnect VPN for
     openconnect             NetworkManager

  node-undici                Delete Cookie and Host headers on cross-origin
                             redirect [CVE-2023-45143]

  nvidia-graphics-drivers    New upstream release; fix null pointer
                             dereference issue [CVE-2023-31022]

  nvidia-graphics-drivers-   New upstream release; fix null pointer
     tesla                   dereference issue [CVE-2023-31022]

  nvidia-graphics-drivers-   New upstream release; fix null pointer
     tesla-470               dereference issue [CVE-2023-31022]

  nvidia-open-gpu-kernel-    New upstream release; fix null pointer
     modules                 dereference issue [CVE-2023-31022]

  opendkim                   Fix removal of incoming Authentication-Results:
                             headers [CVE-2022-48521]

  openrefine                 Fix remote code execution vulnerability
                             [CVE-2023-41887 CVE-2023-41886]

  opensc                     Fix out-of-bounds read issue [CVE-2023-4535],
                             potential PIN bypass [CVE-2023-40660], memory-
                             handling issues [CVE-2023-40661]

  oscrypto                   Fix OpenSSL version parsing; fix autopkgtest

  pcs                        Fix "resource move"

  perl                       Fix buffer overrun issue [CVE-2023-47038]

  php-phpseclib3             Fix denial of service issue [CVE-2023-49316]

  postgresql-15              New upstream stable release; fix SQL injection
                             issue [CVE-2023-39417]; fix MERGE to enforce
                             row security policies properly [CVE-2023-39418]

  proftpd-dfsg               Fix size of SSH key exchange buffers

  python-cogent              Only skip tests that require multiple CPUs when
                             running on a single CPU system

  python3-onelogin-saml2     Fix expired test payloads

  pyzoltan                   Support building on single core systems

  qbittorrent                Disable UPnP for web UI by default in
                             qbittorrent-nox

  qemu                       Update to upstream stable release 7.2.7;
                             hw/scsi/scsi-disk: Disallow block sizes smaller
                             than 512 [CVE-2023-42467]

  qpdf                       Fix data loss issue with some quoted octal
                             strings

  redis                      Drop ProcSubset=pid hardening flag from the
                             systemd unit due to it causing crashes

  rust-sd                    Ensure binary package versions sort correctly
                             relative to older releases (where it was built
                             from a different source package)

  sitesummary                Use systemd timer for running sitesummary-
                             client if available

  speech-dispatcher-contrib  Enable voxin on armhf and arm64

  spyder                     Fix interface language auto-configuration

  symfony                    Fix session fixation issue [CVE-2023-46733];
                             add missing escaping [CVE-2023-46734]

  systemd                    New upstream stable release

  tbsync                     New upstream version, restoring compatibility
                             with newer Thunderbird versions

  toil                       Only request a single core for tests

  tzdata                     Update leap second list

  unadf                      Fix buffer overflow issue [CVE-2016-1243]; fix
                             code execution issue [CVE-2016-1244]

  vips                       Fix null pointer dereference issue
                             [CVE-2023-40032]

  weborf                     Fix denial of service issue

  wormhole-william           Disable flaky tests, fixing build failures

  xen                        New upstream stable update; fix several
                             security issues [CVE-2022-40982 CVE-2023-20569
                             CVE-2023-20588 CVE-2023-20593 CVE-2023-34320
                             CVE-2023-34321 CVE-2023-34322 CVE-2023-34323
                             CVE-2023-34325 CVE-2023-34326 CVE-2023-34327
                             CVE-2023-34328 CVE-2023-46835 CVE-2023-46836]

  yuzu                       Strip :native from glslang-tools build
                             dependency, fixing build failure
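
The question a practitioner has when reading this list is which of these source packages are installed on a given host, and which CVE fixes the point release therefore brings for it. The following Python script, added here as an example (it is not part of the announcement and not Debian tooling), answers that: it parses the "Package / Reason" table above, including reasons wrapped over several lines and the wrapped "network-manager-openconnect" name, extracts the CVE identifiers per package, and matches against a host inventory. The table lists source packages, so the inventory is taken with `dpkg-query -W -f='${source:Package}\t${binary:Package}\t${Version}\n'`; matching on binary names alone would miss cases such as libgnutls30 (source gnutls28) or the signed kernel images (source linux-signed-amd64). The embedded table rows are copied from this announcement (the exim4 entry truncated to its first lines); the dpkg inventory in the script is constructed. Keep the caveat from the announcement in mind: fixes shipped through security.debian.org are not in this table, so an empty result does not mean nothing is pending.

```python
r"""Cross-check a Debian Stable Updates Announcement against one host.

The SUA table lists *source* packages, so the host inventory is taken in a
form that names the source package of every installed binary package:

    dpkg-query -W -f='${source:Package}\t${binary:Package}\t${Version}\n'

Everything here is an added example, not Debian tooling; the sample
inventory below is constructed for illustration.
"""
import re
from typing import Dict, List

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Rows copied from SUA 245-1 (exim4 truncated to its first lines), so the
# parser sees the real layout: wrapped reasons and a wrapped package name.
SAMPLE_TABLE = """\
  Package                    Reason
  -------                    ------

  exim4                      Fix security issues relating to the proxy
                             protocol [CVE-2023-42117] and DNSDB lookups
                             [CVE-2023-42119]; add hardening for SPF
                             lookups

  gnutls28                   Fix timing sidechannel issue [CVE-2023-5981]

  linux-signed-amd64         Update to upstream stable release 6.1.64;
                             update ABI to 14; [rt] Update to 6.1.59-rt16;
                             enable X86_PLATFORM_DRIVERS_HP; nvmet: nul-
                             terminate the NQNs passed in the connect
                             command [CVE-2023-6121]

  network-manager-           User Agent to Openconnect VPN for
     openconnect             NetworkManager

  tzdata                     Update leap second list
"""

# Constructed dpkg-query output: source<TAB>binary<TAB>version per line.
SAMPLE_DPKG = """\
exim4\texim4-daemon-light\t4.96-15+deb12u2
gnutls28\tlibgnutls30:amd64\t3.7.9-2
linux-signed-amd64\tlinux-image-6.1.0-13-amd64\t6.1.55+1
network-manager-openconnect\tnetwork-manager-openconnect\t1.2.8-4
bash\tbash\t5.2.15-2+b2
"""


def join_wrapped(parts: List[str]) -> str:
    """Re-join wrapped lines; a trailing '-' means a word was split."""
    out = ""
    for part in parts:
        out += part if (not out or out.endswith("-")) else " " + part
    return out


def parse_sua_table(table: str) -> Dict[str, str]:
    """Parse the 'Package / Reason' table of an SUA into {source: reason}.

    A new row is indented by two spaces; the second half of a wrapped
    package name is indented a little more; a line carrying only more
    reason text is indented all the way to the Reason column.
    """
    lines = table.splitlines()
    header = next(l for l in lines if l.strip().startswith("Package"))
    reason_col = header.index("Reason")

    entries: Dict[str, str] = {}
    name_parts: List[str] = []
    reason_parts: List[str] = []

    def flush() -> None:
        if name_parts:
            entries["".join(name_parts)] = join_wrapped(reason_parts)

    for line in lines:
        body = line.strip()
        if not body or body.startswith(("Package", "-------")):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent >= reason_col // 2:
            reason_parts.append(body)          # reason continuation only
            continue
        cols = re.split(r" {2,}", body, maxsplit=1)
        if indent <= 2:
            flush()                            # start of a new row
            name_parts, reason_parts = [cols[0]], cols[1:]
        else:
            name_parts.append(cols[0])         # wrapped package name
            reason_parts.extend(cols[1:])
    flush()
    return entries


def cves_fixed(reason: str) -> List[str]:
    """CVE identifiers mentioned in one reason text, in order of appearance."""
    return CVE_RE.findall(reason)


def parse_dpkg_sources(dpkg_output: str) -> Dict[str, List[str]]:
    """Turn tab-separated 'source binary version' lines into {source: [binaries]}."""
    by_source: Dict[str, List[str]] = {}
    for line in dpkg_output.splitlines():
        if line.strip():
            source, binary, _version = line.split("\t")
            by_source.setdefault(source, []).append(binary)
    return by_source


def affected_packages(entries: Dict[str, str],
                      installed: Dict[str, List[str]]) -> Dict[str, Dict[str, List[str]]]:
    """SUA entries whose source package is installed here, with the binaries
    they cover and the CVEs they fix (empty list for non-security fixes)."""
    return {src: {"binaries": installed[src], "cves": cves_fixed(reason)}
            for src, reason in entries.items() if src in installed}


if __name__ == "__main__":
    report = affected_packages(parse_sua_table(SAMPLE_TABLE),
                               parse_dpkg_sources(SAMPLE_DPKG))
    for src, info in report.items():
        print(f"{src}: {', '.join(info['binaries'])} "
              f"({', '.join(info['cves']) or 'no CVE listed'})")
```

On a real host, replace SAMPLE_DPKG with the output of the dpkg-query command in the docstring and SAMPLE_TABLE with the table from the announcement; the parser only relies on the indentation conventions shown above, not on exact column widths.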


A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
