
Updated Debian 11: 11.1 released

The Debian Project                               https://www.debian.org/
Updated Debian 11: 11.1 released                        press@debian.org
October 9th, 2021              https://www.debian.org/News/2021/20211009

The Debian project is pleased to announce the first update of its stable
distribution Debian 11 (codename "bullseye"). This point release mainly
adds corrections for security issues, along with a few adjustments for
serious problems. Security advisories have already been published
separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 11 but only updates some of the packages included. There is no
need to throw away old "bullseye" media. After installation, packages
can be upgraded to the current versions using an up-to-date Debian

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:


Miscellaneous Bugfixes

This stable update adds a few important corrections to the following

| Package                   | Reason                                  |
| apr [1]                   | Prevent out-of-bounds array dereference |
|                           |                                         |
| atftp [2]                 | Fix buffer overflow [CVE-2021-41054]    |
|                           |                                         |
| automysqlbackup [3]       | Fix crash when using "LATEST=yes"       |
|                           |                                         |
| base-files [4]            | Update for the 11.1 point release       |
|                           |                                         |
| clamav [5]                | New upstream stable release; fix        |
|                           | clamdscan segfaults when --fdpass and   |
|                           | --multipass are used together with      |
|                           | ExcludePath                             |
|                           |                                         |
| cloud-init [6]            | Avoid duplicate includedir in /etc/     |
|                           | sudoers                                 |
|                           |                                         |
| cyrus-imapd [7]           | Fix denial-of-service issue [CVE-2021-  |
|                           | 33582]                                  |
|                           |                                         |
| dazzdb [8]                | Fix a use-after-free in DBstats         |
|                           |                                         |
| debian-edu-config [9]     | debian-edu-ltsp-install: extend main    |
|                           | server related exclude list; add slapd  |
|                           | and xrdp-sesman to the list of masked   |
|                           | services                                |
|                           |                                         |
| debian-installer [10]     | Rebuild against proposed updates;       |
|                           | update Linux ABI to 5.10.0-9; use udebs |
|                           | from proposed-updates                   |
|                           |                                         |
| debian-installer-netboot- | Rebuild against proposed-updates; use   |
| images [11]               | udebs from proposed-updates and stable; |
|                           | use xz-compressed Packages files        |
|                           |                                         |
| detox [12]                | Fix handling of large files             |
|                           |                                         |
| devscripts [13]           | Make the --bpo option target bullseye-  |
|                           | backports                               |
|                           |                                         |
| dlt-viewer [14]           | Add missing qdlt/qdlt*.h header files   |
|                           | to dev package                          |
|                           |                                         |
| dpdk [15]                 | New upstream stable release             |
|                           |                                         |
| fetchmail [16]            | Fix segmentation fault and security     |
|                           | regression                              |
|                           |                                         |
| flatpak [17]              | New upstream stable release; don't      |
|                           | inherit an unusual $XDG_RUNTIME_DIR     |
|                           | setting into the sandbox                |
|                           |                                         |
| freeradius [18]           | Fix thread crash and sample             |
|                           | configuration                           |
|                           |                                         |
| galera-3 [19]             | New upstream stable release             |
|                           |                                         |
| galera-4 [20]             | New upstream stable release; solve      |
|                           | circular Conflicts with galera-3 by no  |
|                           | longer providing a virtual "galera"     |
|                           | package                                 |
|                           |                                         |
| glewlwyd [21]             | Fix possible buffer overflow during     |
|                           | FIDO2 signature validation in webauthn  |
|                           | registration [CVE-2021-40818]           |
|                           |                                         |
| glibc [22]                | Restart openssh-server even if it has   |
|                           | been deconfigured during the upgrade;   |
|                           | fix text fallback when debconf is       |
|                           | unusable                                |
|                           |                                         |
| gnome-maps [23]           | New upstream stable release; fix a      |
|                           | crash when starting up with last-used   |
|                           | map type being aerial, and no aerial    |
|                           | tile definition is found; don't         |
|                           | sometimes write broken last view        |
|                           | position on exit; fix hang when         |
|                           | dragging around route markers           |
|                           |                                         |
| gnome-shell [24]          | New upstream stable release; fix freeze |
|                           | after cancelling (some) system-modal    |
|                           | dialogs; fix word suggestions in on-    |
|                           | screen keyboard; fix crashes            |
|                           |                                         |
| hdf5 [25]                 | Adjust package dependencies to improve  |
|                           | upgrade paths from older releases       |
|                           |                                         |
| iotop-c [26]              | Properly handle UTF-8 process names     |
|                           |                                         |
| jailkit [27]              | Fix creation of jails that need to      |
|                           | use /dev; fix library presence check    |
|                           |                                         |
| java-atk-wrapper [28]     | Also use dbus to detect accessibility   |
|                           | being enabled                           |
|                           |                                         |
| krb5 [29]                 | Fix KDC null dereference crash on FAST  |
|                           | request with no server field [CVE-2021- |
|                           | 37750]; fix memory leak in              |
|                           | krb5_gss_inquire_cred                   |
|                           |                                         |
| libavif [30]              | Use correct libdir in libavif.pc        |
|                           | pkgconfig file                          |
|                           |                                         |
| libbluray [31]            | Switch to embedded libasm; the version  |
|                           | from libasm-java is too new             |
|                           |                                         |
| libdatetime-timezone-perl | New upstream stable release; update DST |
| [32]                      | rules for Samoa and Jordan;             |
|                           | confirmation of no leap second on 2021- |
|                           | 12-31                                   |
|                           |                                         |
| libslirp [33]             | Fix multiple buffer overflow issues     |
|                           | [CVE-2021-3592 CVE-2021-3593 CVE-2021-  |
|                           | 3594 CVE-2021-3595]                     |
|                           |                                         |
| linux [34]                | New upstream stable release; increase   |
|                           | ABI to 9; [rt] Update to 5.10.65-rt53;  |
|                           | [mipsel] bpf, mips: Validate            |
|                           | conditional branch offsets [CVE-2021-   |
|                           | 38300]                                  |
|                           |                                         |
| linux-signed-amd64 [35]   | New upstream stable release; increase   |
|                           | ABI to 9; [rt] Update to 5.10.65-rt53;  |
|                           | [mipsel] bpf, mips: Validate            |
|                           | conditional branch offsets [CVE-2021-   |
|                           | 38300]                                  |
|                           |                                         |
| linux-signed-arm64 [36]   | New upstream stable release; increase   |
|                           | ABI to 9; [rt] Update to 5.10.65-rt53;  |
|                           | [mipsel] bpf, mips: Validate            |
|                           | conditional branch offsets [CVE-2021-   |
|                           | 38300]                                  |
|                           |                                         |
| linux-signed-i386 [37]    | New upstream stable release; increase   |
|                           | ABI to 9; [rt] Update to 5.10.65-rt53;  |
|                           | [mipsel] bpf, mips: Validate            |
|                           | conditional branch offsets [CVE-2021-   |
|                           | 38300]                                  |
|                           |                                         |
| mariadb-10.5 [38]         | New upstream stable release; security   |
|                           | fixes [CVE-2021-2372 CVE-2021-2389]     |
|                           |                                         |
| mbrola [39]               | Fix end of file detection               |
|                           |                                         |
| modsecurity-crs [40]      | Fix request body bypass issue           |
|                           | [CVE-2021-35368]                        |
|                           |                                         |
| mtr [41]                  | Fix regression in JSON output           |
|                           |                                         |
| mutter [42]               | New upstream stable release; kms:       |
|                           | Improve handling of common video modes  |
|                           | that might exceed the possible          |
|                           | bandwidth; ensure valid window texture  |
|                           | size after viewport changes             |
|                           |                                         |
| nautilus [43]             | Avoid opening multiple selected files   |
|                           | in multiple application instances;      |
|                           | don't save window size and position     |
|                           | when tiled; fix some memory leaks;      |
|                           | update translations                     |
|                           |                                         |
| node-ansi-regex [44]      | Fix regular expression-based denial of  |
|                           | service issue [CVE-2021-3807]           |
|                           |                                         |
| node-axios [45]           | Fix regular expression-based denial of  |
|                           | service issue [CVE-2021-3749]           |
|                           |                                         |
| node-object-path [46]     | Fix prototype pollution issues          |
|                           | [CVE-2021-23434 CVE-2021-3805]          |
|                           |                                         |
| node-prismjs [47]         | Fix regular expression-based denial of  |
|                           | service issue [CVE-2021-3801]           |
|                           |                                         |
| node-set-value [48]       | Fix prototype pollution [CVE-2021-      |
|                           | 23440]                                  |
|                           |                                         |
| node-tar [49]             | Remove non-directory paths from the     |
|                           | directory cache [CVE-2021-32803]; strip |
|                           | absolute paths more comprehensively     |
|                           | [CVE-2021-32804]                        |
|                           |                                         |
| osmcoastline [50]         | Fix projections other than WGS84        |
|                           |                                         |
| osmpbf [51]               | Rebuild against protobuf 3.12.4         |
|                           |                                         |
| pam [52]                  | Fix syntax error in libpam0g.postinst   |
|                           | when a systemd unit fails               |
|                           |                                         |
| perl [53]                 | Security update; fix a regular          |
|                           | expression memory leak                  |
|                           |                                         |
| pglogical [54]            | Update for PostgreSQL 13.4 snapshot     |
|                           | handling fixes                          |
|                           |                                         |
| pmdk [55]                 | Fix missing barriers after non-temporal |
|                           | memcpy                                  |
|                           |                                         |
| postgresql-13 [56]        | New upstream stable release; fix mis-   |
|                           | planning of repeated application of a   |
|                           | projection step [CVE-2021-3677];        |
|                           | disallow SSL renegotiation more         |
|                           | completely                              |
|                           |                                         |
| proftpd-dfsg [57]         | Fix "mod_radius leaks memory contents   |
|                           | to radius server" and "sftp connection  |
|                           | aborts with 'Corrupted MAC on input'";  |
|                           | skip escaping of already-escaped SQL    |
|                           | text                                    |
|                           |                                         |
| pyx3 [58]                 | Fix horizontal font alignment issue     |
|                           | with texlive 2020                       |
|                           |                                         |
| reportbug [59]            | Update suite names following bullseye   |
|                           | release                                 |
|                           |                                         |
| request-tracker4 [60]     | Fix login timing side-channel attack    |
|                           | issue [CVE-2021-38562]                  |
|                           |                                         |
| rhonabwy [61]             | Fix JWE CBC tag computation and JWS     |
|                           | alg:none signature verification         |
|                           |                                         |
| rpki-trust-anchors [62]   | Add HTTPS URL to the LACNIC TAL         |
|                           |                                         |
| rsync [63]                | Re-add --copy-devices; fix regression   |
|                           | in --delay-updates; fix edge case in -- |
|                           | mkpath; fix rsync-ssl; fix --sparse and |
|                           | --inplace; update options available to  |
|                           | rrsync; documentation fixes             |
|                           |                                         |
| ruby-rqrcode-rails3 [64]  | Fix for ruby-rqrcode 1.0 compatibility  |
|                           |                                         |
| sabnzbdplus [65]          | Prevent directory escape in renamer     |
|                           | function [CVE-2021-29488]               |
|                           |                                         |
| shellcheck [66]           | Fix rendering of long options in        |
|                           | manpage                                 |
|                           |                                         |
| shiro [67]                | Fix authentication bypass issues        |
|                           | [CVE-2020-1957 CVE-2020-11989 CVE-2020- |
|                           | 13933 CVE-2020-17510]; update Spring    |
|                           | Framework compatibility patch; support  |
|                           | Guice 4                                 |
|                           |                                         |
| speech-dispatcher [68]    | Fix setting of voice name for the       |
|                           | generic module                          |
|                           |                                         |
| telegram-desktop [69]     | Avoid crash when auto-delete is enabled |
|                           |                                         |
| termshark [70]            | Include themes in package               |
|                           |                                         |
| tmux [71]                 | Fix a race condition which results in   |
|                           | the config not being loaded if several  |
|                           | clients are interacting with the server |
|                           | while it's initializing                 |
|                           |                                         |
| txt2man [72]              | Fix regression in handling display      |
|                           | blocks                                  |
|                           |                                         |
| tzdata [73]               | Update DST rules for Samoa and Jordan;  |
|                           | confirm the absence of a leap second on |
|                           | 2021-12-31                              |
|                           |                                         |
| ublock-origin [74]        | New upstream stable release; fix denial |
|                           | of service issue [CVE-2021-36773]       |
|                           |                                         |
| ulfius [75]               | Ensure memory is initialised before use |
|                           | [CVE-2021-40540]                        |
|                           |                                         |

    1: https://packages.debian.org/src:apr
    2: https://packages.debian.org/src:atftp
    3: https://packages.debian.org/src:automysqlbackup
    4: https://packages.debian.org/src:base-files
    5: https://packages.debian.org/src:clamav
    6: https://packages.debian.org/src:cloud-init
    7: https://packages.debian.org/src:cyrus-imapd
    8: https://packages.debian.org/src:dazzdb
    9: https://packages.debian.org/src:debian-edu-config
   10: https://packages.debian.org/src:debian-installer
   11: https://packages.debian.org/src:debian-installer-netboot-images
   12: https://packages.debian.org/src:detox
   13: https://packages.debian.org/src:devscripts
   14: https://packages.debian.org/src:dlt-viewer
   15: https://packages.debian.org/src:dpdk
   16: https://packages.debian.org/src:fetchmail
   17: https://packages.debian.org/src:flatpak
   18: https://packages.debian.org/src:freeradius
   19: https://packages.debian.org/src:galera-3
   20: https://packages.debian.org/src:galera-4
   21: https://packages.debian.org/src:glewlwyd
   22: https://packages.debian.org/src:glibc
   23: https://packages.debian.org/src:gnome-maps
   24: https://packages.debian.org/src:gnome-shell
   25: https://packages.debian.org/src:hdf5
   26: https://packages.debian.org/src:iotop-c
   27: https://packages.debian.org/src:jailkit
   28: https://packages.debian.org/src:java-atk-wrapper
   29: https://packages.debian.org/src:krb5
   30: https://packages.debian.org/src:libavif
   31: https://packages.debian.org/src:libbluray
   32: https://packages.debian.org/src:libdatetime-timezone-perl
   33: https://packages.debian.org/src:libslirp
   34: https://packages.debian.org/src:linux
   35: https://packages.debian.org/src:linux-signed-amd64
   36: https://packages.debian.org/src:linux-signed-arm64
   37: https://packages.debian.org/src:linux-signed-i386
   38: https://packages.debian.org/src:mariadb-10.5
   39: https://packages.debian.org/src:mbrola
   40: https://packages.debian.org/src:modsecurity-crs
   41: https://packages.debian.org/src:mtr
   42: https://packages.debian.org/src:mutter
   43: https://packages.debian.org/src:nautilus
   44: https://packages.debian.org/src:node-ansi-regex
   45: https://packages.debian.org/src:node-axios
   46: https://packages.debian.org/src:node-object-path
   47: https://packages.debian.org/src:node-prismjs
   48: https://packages.debian.org/src:node-set-value
   49: https://packages.debian.org/src:node-tar
   50: https://packages.debian.org/src:osmcoastline
   51: https://packages.debian.org/src:osmpbf
   52: https://packages.debian.org/src:pam
   53: https://packages.debian.org/src:perl
   54: https://packages.debian.org/src:pglogical
   55: https://packages.debian.org/src:pmdk
   56: https://packages.debian.org/src:postgresql-13
   57: https://packages.debian.org/src:proftpd-dfsg
   58: https://packages.debian.org/src:pyx3
   59: https://packages.debian.org/src:reportbug
   60: https://packages.debian.org/src:request-tracker4
   61: https://packages.debian.org/src:rhonabwy
   62: https://packages.debian.org/src:rpki-trust-anchors
   63: https://packages.debian.org/src:rsync
   64: https://packages.debian.org/src:ruby-rqrcode-rails3
   65: https://packages.debian.org/src:sabnzbdplus
   66: https://packages.debian.org/src:shellcheck
   67: https://packages.debian.org/src:shiro
   68: https://packages.debian.org/src:speech-dispatcher
   69: https://packages.debian.org/src:telegram-desktop
   70: https://packages.debian.org/src:termshark
   71: https://packages.debian.org/src:tmux
   72: https://packages.debian.org/src:txt2man
   73: https://packages.debian.org/src:tzdata
   74: https://packages.debian.org/src:ublock-origin
   75: https://packages.debian.org/src:ulfius

Security Updates

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these

| Advisory ID    | Package                  |
| DSA-4959 [76]  | thunderbird [77]         |
|                |                          |
| DSA-4960 [78]  | haproxy [79]             |
|                |                          |
| DSA-4961 [80]  | tor [81]                 |
|                |                          |
| DSA-4962 [82]  | ledgersmb [83]           |
|                |                          |
| DSA-4963 [84]  | openssl [85]             |
|                |                          |
| DSA-4964 [86]  | grilo [87]               |
|                |                          |
| DSA-4965 [88]  | libssh [89]              |
|                |                          |
| DSA-4966 [90]  | gpac [91]                |
|                |                          |
| DSA-4967 [92]  | squashfs-tools [93]      |
|                |                          |
| DSA-4968 [94]  | haproxy [95]             |
|                |                          |
| DSA-4969 [96]  | firefox-esr [97]         |
|                |                          |
| DSA-4970 [98]  | postorius [99]           |
|                |                          |
| DSA-4971 [100] | ntfs-3g [101]            |
|                |                          |
| DSA-4972 [102] | ghostscript [103]        |
|                |                          |
| DSA-4973 [104] | thunderbird [105]        |
|                |                          |
| DSA-4974 [106] | nextcloud-desktop [107]  |
|                |                          |
| DSA-4975 [108] | webkit2gtk [109]         |
|                |                          |
| DSA-4976 [110] | wpewebkit [111]          |
|                |                          |
| DSA-4977 [112] | xen [113]                |
|                |                          |
| DSA-4978 [114] | linux-signed-amd64 [115] |
|                |                          |
| DSA-4978 [116] | linux-signed-arm64 [117] |
|                |                          |
| DSA-4978 [118] | linux-signed-i386 [119]  |
|                |                          |
| DSA-4978 [120] | linux [121]              |
|                |                          |
| DSA-4979 [122] | mediawiki [123]          |
|                |                          |

   76: https://www.debian.org/security/2021/dsa-4959
   77: https://packages.debian.org/src:thunderbird
   78: https://www.debian.org/security/2021/dsa-4960
   79: https://packages.debian.org/src:haproxy
   80: https://www.debian.org/security/2021/dsa-4961
   81: https://packages.debian.org/src:tor
   82: https://www.debian.org/security/2021/dsa-4962
   83: https://packages.debian.org/src:ledgersmb
   84: https://www.debian.org/security/2021/dsa-4963
   85: https://packages.debian.org/src:openssl
   86: https://www.debian.org/security/2021/dsa-4964
   87: https://packages.debian.org/src:grilo
   88: https://www.debian.org/security/2021/dsa-4965
   89: https://packages.debian.org/src:libssh
   90: https://www.debian.org/security/2021/dsa-4966
   91: https://packages.debian.org/src:gpac
   92: https://www.debian.org/security/2021/dsa-4967
   93: https://packages.debian.org/src:squashfs-tools
   94: https://www.debian.org/security/2021/dsa-4968
   95: https://packages.debian.org/src:haproxy
   96: https://www.debian.org/security/2021/dsa-4969
   97: https://packages.debian.org/src:firefox-esr
   98: https://www.debian.org/security/2021/dsa-4970
   99: https://packages.debian.org/src:postorius
  100: https://www.debian.org/security/2021/dsa-4971
  101: https://packages.debian.org/src:ntfs-3g
  102: https://www.debian.org/security/2021/dsa-4972
  103: https://packages.debian.org/src:ghostscript
  104: https://www.debian.org/security/2021/dsa-4973
  105: https://packages.debian.org/src:thunderbird
  106: https://www.debian.org/security/2021/dsa-4974
  107: https://packages.debian.org/src:nextcloud-desktop
  108: https://www.debian.org/security/2021/dsa-4975
  109: https://packages.debian.org/src:webkit2gtk
  110: https://www.debian.org/security/2021/dsa-4976
  111: https://packages.debian.org/src:wpewebkit
  112: https://www.debian.org/security/2021/dsa-4977
  113: https://packages.debian.org/src:xen
  114: https://www.debian.org/security/2021/dsa-4978
  115: https://packages.debian.org/src:linux-signed-amd64
  116: https://www.debian.org/security/2021/dsa-4978
  117: https://packages.debian.org/src:linux-signed-arm64
  118: https://www.debian.org/security/2021/dsa-4978
  119: https://packages.debian.org/src:linux-signed-i386
  120: https://www.debian.org/security/2021/dsa-4978
  121: https://packages.debian.org/src:linux
  122: https://www.debian.org/security/2021/dsa-4979
  123: https://packages.debian.org/src:mediawiki

During the final stages of the bullseye freeze, some updates were
released via the security archive [124] but without an accompanying DSA.
These updates are detailed below.

  124: https://security.debian.org/

| Package                   | Reason                                   |
| apache2 [125]             | Fix mod_proxy HTTP2 request line         |
|                           | injection [CVE-2021-33193]               |
|                           |                                          |
| btrbk [126]               | Fix arbitrary code execution issue       |
|                           | [CVE-2021-38173]                         |
|                           |                                          |
| c-ares [127]              | Fix missing input validation on          |
|                           | hostnames returned by DNS servers        |
|                           | [CVE-2021-3672]                          |
|                           |                                          |
| exiv2 [128]               | Fix overflow issues [CVE-2021-29457      |
|                           | CVE-2021-31292]                          |
|                           |                                          |
| firefox-esr [129]         | New upstream stable release [CVE-2021-   |
|                           | 29980 CVE-2021-29984 CVE-2021-29985      |
|                           | CVE-2021-29986 CVE-2021-29988 CVE-2021-  |
|                           | 29989]                                   |
|                           |                                          |
| libencode-perl [130]      | Encode: mitigate @INC pollution when     |
|                           | loading ConfigLocal [CVE-2021-36770]     |
|                           |                                          |
| libspf2 [131]             | spf_compile.c: Correct size of ds_avail  |
|                           | [CVE-2021-20314]; fix "reverse" macro    |
|                           | modifier                                 |
|                           |                                          |
| lynx [132]                | Fix leakage of credentials if SNI was    |
|                           | used together with a URL containing      |
|                           | credentials [CVE-2021-38165]             |
|                           |                                          |
| nodejs [133]              | New upstream stable release; fix use     |
|                           | after free issue [CVE-2021-22930]        |
|                           |                                          |
| tomcat9 [134]             | Fix authentication bypass issue          |
|                           | [CVE-2021-30640] and request smuggling   |
|                           | issue [CVE-2021-33037]                   |
|                           |                                          |
| xmlgraphics-commons [135] | Fix server side request forgery issue    |
|                           | [CVE-2020-11988]                         |
|                           |                                          |

  125: https://packages.debian.org/src:apache2
  126: https://packages.debian.org/src:btrbk
  127: https://packages.debian.org/src:c-ares
  128: https://packages.debian.org/src:exiv2
  129: https://packages.debian.org/src:firefox-esr
  130: https://packages.debian.org/src:libencode-perl
  131: https://packages.debian.org/src:libspf2
  132: https://packages.debian.org/src:lynx
  133: https://packages.debian.org/src:nodejs
  134: https://packages.debian.org/src:tomcat9
  135: https://packages.debian.org/src:xmlgraphics-commons

Debian Installer

The installer has been updated to include the fixes incorporated into
stable by the point release.


The complete lists of packages that have changed with this revision:


The current stable distribution:


Proposed updates to the stable distribution:


stable distribution information (release notes, errata etc.):


Security announcements and information:


About Debian

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.

Contact Information

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.
