------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 11: 11.2 released                        press@debian.org
December 18th, 2021            https://www.debian.org/News/2021/20211218
------------------------------------------------------------------------

The Debian project is pleased to announce the second update of its
stable distribution Debian 11 (codename "bullseye"). This point release
mainly adds corrections for security issues, along with a few
adjustments for serious problems. Security advisories have already been
published separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 11 but only updates some of the packages included. There is no
need to throw away old "bullseye" media. After installation, packages
can be upgraded to the current versions using an up-to-date Debian
mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

    https://www.debian.org/mirror/list


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

+--------------------------+------------------------------------------+
| Package                  | Reason                                   |
+--------------------------+------------------------------------------+
| authheaders [1]          | New upstream bug-fix release             |
|                          |                                          |
| base-files [2]           | Update /etc/debian_version for the 11.2  |
|                          | point release                            |
|                          |                                          |
| bpftrace [3]             | Fix array indexing                       |
|                          |                                          |
| brltty [4]               | Fix operation under X when using         |
|                          | sysvinit                                 |
|                          |                                          |
| btrbk [5]                | Fix regression in the update for         |
|                          | CVE-2021-38173                           |
|                          |                                          |
| calibre [6]              | Fix syntax error                         |
|                          |                                          |
| chrony [7]               | Fix binding a socket to a network device |
|                          | with a name longer than 3 characters     |
|                          | when the system call filter is enabled   |
|                          |                                          |
| cmake [8]                | Add PostgreSQL 13 to known versions      |
|                          |                                          |
| containerd [9]           | New upstream stable release; handle      |
|                          | ambiguous OCI manifest parsing           |
|                          | [CVE-2021-41190]; support "clone3" in    |
|                          | default seccomp profile                  |
|                          |                                          |
| curl [10]                | Remove -ffile-prefix-map from            |
|                          | curl-config, fixing co-installability of |
|                          | libcurl4-gnutls-dev under multiarch      |
|                          |                                          |
| datatables.js [11]       | Fix insufficient escaping of arrays      |
|                          | passed to the HTML escape entities       |
|                          | function [CVE-2021-23445]                |
|                          |                                          |
| debian-edu-config [12]   | pxe-addfirmware: Fix TFTP server path;   |
|                          | improve support for LTSP chroot setup    |
|                          | and maintenance                          |
|                          |                                          |
| debian-edu-doc [13]      | Update Debian Edu Bullseye manual from   |
|                          | the wiki; update translations            |
|                          |                                          |
| debian-installer [14]    | Rebuild against proposed-updates; update |
|                          | kernel ABI to -10                        |
|                          |                                          |
| debian-installer-        | Rebuild against proposed-updates         |
| netboot-images [15]      |                                          |
|                          |                                          |
| distro-info-data [16]    | Update included data for Ubuntu 14.04    |
|                          | and 16.04 ESM; add Ubuntu 22.04 LTS      |
|                          |                                          |
| docker.io [17]           | Fix possible change of host file system  |
|                          | permissions [CVE-2021-41089]; lock down  |
|                          | file permissions in /var/lib/docker      |
|                          | [CVE-2021-41091]; prevent credentials    |
|                          | being sent to the default registry       |
|                          | [CVE-2021-41092]; add support for        |
|                          | "clone3" syscall in default seccomp      |
|                          | policy                                   |
|                          |                                          |
| edk2 [18]                | Address Boot Guard TOCTOU vulnerability  |
|                          | [CVE-2019-11098]                         |
|                          |                                          |
| freeipmi [19]            | Install pkgconfig files to correct       |
|                          | location                                 |
|                          |                                          |
| gdal [20]                | Fix BAG 2.0 Extract support in LVBAG     |
|                          | driver                                   |
|                          |                                          |
| gerbv [21]               | Fix out-of-bounds write issue            |
|                          | [CVE-2021-40391]                         |
|                          |                                          |
| gmp [22]                 | Fix integer and buffer overflow issue    |
|                          | [CVE-2021-43618]                         |
|                          |                                          |
| golang-1.15 [23]         | New upstream stable release; fix         |
|                          | "net/http: panic due to racy read of     |
|                          | persistConn after handler panic"         |
|                          | [CVE-2021-36221]; fix "archive/zip:      |
|                          | overflow in preallocation check can      |
|                          | cause OOM panic" [CVE-2021-39293]; fix   |
|                          | buffer over-run issue [CVE-2021-38297],  |
|                          | out of bounds read issue                 |
|                          | [CVE-2021-41771], denial of service      |
|                          | issues [CVE-2021-44716 CVE-2021-44717]   |
|                          |                                          |
| grass [24]               | Fix parsing of GDAL formats where the    |
|                          | description contains a colon             |
|                          |                                          |
| horizon [25]             | Re-enable translations                   |
|                          |                                          |
| htmldoc [26]             | Fix buffer overflow issues               |
|                          | [CVE-2021-40985 CVE-2021-43579]          |
|                          |                                          |
| im-config [27]           | Prefer Fcitx5 over Fcitx4                |
|                          |                                          |
| isync [28]               | Fix multiple buffer overflow issues      |
|                          | [CVE-2021-3657]                          |
|                          |                                          |
| jqueryui [29]            | Fix untrusted code execution issues      |
|                          | [CVE-2021-41182 CVE-2021-41183           |
|                          | CVE-2021-41184]                          |
|                          |                                          |
| jwm [30]                 | Fix crash when using "Move" menu item    |
|                          |                                          |
| keepalived [31]          | Fix overly broad DBus policy             |
|                          | [CVE-2021-44225]                         |
|                          |                                          |
| keystone [32]            | Resolve information leak allowing        |
|                          | determination of whether users exist     |
|                          | [CVE-2021-38155]; apply some performance |
|                          | improvements to the default              |
|                          | keystone-uwsgi.ini                       |
|                          |                                          |
| kodi [33]                | Fix buffer overflow in PLS playlists     |
|                          | [CVE-2021-42917]                         |
|                          |                                          |
| libayatana-              | Scale icons when loading from file;      |
| indicator [34]           | prevent regular crashes in indicator     |
|                          | applets                                  |
|                          |                                          |
| libdatetime-timezone-    | Update included data                     |
| perl [35]                |                                          |
|                          |                                          |
| libencode-perl [36]      | Fix a memory leak in Encode.xs           |
|                          |                                          |
| libseccomp [37]          | Add support for syscalls up to Linux     |
|                          | 5.15                                     |
|                          |                                          |
| linux [38]               | New upstream release; increase ABI to    |
|                          | 10; RT: update to 5.10.83-rt58           |
|                          |                                          |
| linux-signed-amd64 [39]  | New upstream release; increase ABI to    |
|                          | 10; RT: update to 5.10.83-rt58           |
|                          |                                          |
| linux-signed-arm64 [40]  | New upstream release; increase ABI to    |
|                          | 10; RT: update to 5.10.83-rt58           |
|                          |                                          |
| linux-signed-i386 [41]   | New upstream release; increase ABI to    |
|                          | 10; RT: update to 5.10.83-rt58           |
|                          |                                          |
| lldpd [42]               | Fix heap overflow issue                  |
|                          | [CVE-2021-43612]; do not set VLAN tag if |
|                          | client did not set it                    |
|                          |                                          |
| mrtg [43]                | Correct errors in variable names         |
|                          |                                          |
| node-getobject [44]      | Resolve prototype pollution issue        |
|                          | [CVE-2020-28282]                         |
|                          |                                          |
| node-json-schema [45]    | Resolve prototype pollution issue        |
|                          | [CVE-2021-3918]                          |
|                          |                                          |
| open3d [46]              | Ensure that python3-open3d depends on    |
|                          | python3-numpy                            |
|                          |                                          |
| opendmarc [47]           | Fix opendmarc-import; increase maximum   |
|                          | supported length of tokens in ARC_Seal   |
|                          | headers, resolving crashes               |
|                          |                                          |
| plib [48]                | Fix integer overflow issue               |
|                          | [CVE-2021-38714]                         |
|                          |                                          |
| plocate [49]             | Fix an issue where non-ASCII characters  |
|                          | would be wrongly escaped                 |
|                          |                                          |
| poco [50]                | Fix installation of CMake files          |
|                          |                                          |
| privoxy [51]             | Fix memory leaks [CVE-2021-44540         |
|                          | CVE-2021-44541 CVE-2021-44542]; fix      |
|                          | cross-site scripting issue               |
|                          | [CVE-2021-44543]                         |
|                          |                                          |
| publicsuffix [52]        | Update included data                     |
|                          |                                          |
| python-django [53]       | New upstream security release: fix       |
|                          | potential bypass of an upstream access   |
|                          | control based on URL paths               |
|                          | [CVE-2021-44420]                         |
|                          |                                          |
| python-eventlet [54]     | Fix compatibility with dnspython 2       |
|                          |                                          |
| python-virtualenv [55]   | Fix crash when using --no-setuptools     |
|                          |                                          |
| ros-ros-comm [56]        | Fix denial of service issue              |
|                          | [CVE-2021-37146]                         |
|                          |                                          |
| ruby-httpclient [57]     | Use system certificate store             |
|                          |                                          |
| rustc-mozilla [58]       | New source package to support building   |
|                          | of newer firefox-esr and thunderbird     |
|                          | versions                                 |
|                          |                                          |
| supysonic [59]           | Symlink jquery instead of loading it     |
|                          | directly; correctly symlink minimized    |
|                          | bootstrap CSS files                      |
|                          |                                          |
| tzdata [60]              | Update data for Fiji and Palestine       |
|                          |                                          |
| udisks2 [61]             | Mount options: Always use                |
|                          | errors=remount-ro for ext filesystems    |
|                          | [CVE-2021-3802]; use the mkfs command to |
|                          | format exfat partitions; add Recommends  |
|                          | exfatprogs as preferred alternative      |
|                          |                                          |
| ulfius [62]              | Fix use of custom allocators with        |
|                          | ulfius_url_decode and ulfius_url_encode  |
|                          |                                          |
| vim [63]                 | Fix heap overflows [CVE-2021-3770        |
|                          | CVE-2021-3778], use after free issue     |
|                          | [CVE-2021-3796]; remove vim-gtk          |
|                          | alternatives during vim-gtk -> vim-gtk3  |
|                          | transition, easing upgrades from buster  |
|                          |                                          |
| wget [64]                | Fix downloads over 2GB on 32-bit systems |
|                          |                                          |
+--------------------------+------------------------------------------+

    1: https://packages.debian.org/src:authheaders
    2: https://packages.debian.org/src:base-files
    3: https://packages.debian.org/src:bpftrace
    4: https://packages.debian.org/src:brltty
    5: https://packages.debian.org/src:btrbk
    6: https://packages.debian.org/src:calibre
    7: https://packages.debian.org/src:chrony
    8: https://packages.debian.org/src:cmake
    9: https://packages.debian.org/src:containerd
   10: https://packages.debian.org/src:curl
   11: https://packages.debian.org/src:datatables.js
   12: https://packages.debian.org/src:debian-edu-config
   13: https://packages.debian.org/src:debian-edu-doc
   14: https://packages.debian.org/src:debian-installer
   15: https://packages.debian.org/src:debian-installer-netboot-images
   16: https://packages.debian.org/src:distro-info-data
   17: https://packages.debian.org/src:docker.io
   18: https://packages.debian.org/src:edk2
   19: https://packages.debian.org/src:freeipmi
   20: https://packages.debian.org/src:gdal
   21: https://packages.debian.org/src:gerbv
   22: https://packages.debian.org/src:gmp
   23: https://packages.debian.org/src:golang-1.15
   24: https://packages.debian.org/src:grass
   25: https://packages.debian.org/src:horizon
   26: https://packages.debian.org/src:htmldoc
   27: https://packages.debian.org/src:im-config
   28: https://packages.debian.org/src:isync
   29: https://packages.debian.org/src:jqueryui
   30: https://packages.debian.org/src:jwm
   31: https://packages.debian.org/src:keepalived
   32: https://packages.debian.org/src:keystone
   33: https://packages.debian.org/src:kodi
   34: https://packages.debian.org/src:libayatana-indicator
   35: https://packages.debian.org/src:libdatetime-timezone-perl
   36: https://packages.debian.org/src:libencode-perl
   37: https://packages.debian.org/src:libseccomp
   38: https://packages.debian.org/src:linux
   39: https://packages.debian.org/src:linux-signed-amd64
   40: https://packages.debian.org/src:linux-signed-arm64
   41: https://packages.debian.org/src:linux-signed-i386
   42: https://packages.debian.org/src:lldpd
   43: https://packages.debian.org/src:mrtg
   44: https://packages.debian.org/src:node-getobject
   45: https://packages.debian.org/src:node-json-schema
   46: https://packages.debian.org/src:open3d
   47: https://packages.debian.org/src:opendmarc
   48: https://packages.debian.org/src:plib
   49: https://packages.debian.org/src:plocate
   50: https://packages.debian.org/src:poco
   51: https://packages.debian.org/src:privoxy
   52: https://packages.debian.org/src:publicsuffix
   53: https://packages.debian.org/src:python-django
   54: https://packages.debian.org/src:python-eventlet
   55: https://packages.debian.org/src:python-virtualenv
   56: https://packages.debian.org/src:ros-ros-comm
   57: https://packages.debian.org/src:ruby-httpclient
   58: https://packages.debian.org/src:rustc-mozilla
   59: https://packages.debian.org/src:supysonic
   60: https://packages.debian.org/src:tzdata
   61: https://packages.debian.org/src:udisks2
   62: https://packages.debian.org/src:ulfius
   63: https://packages.debian.org/src:vim
   64: https://packages.debian.org/src:wget


Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+----------------+----------------------------+
| Advisory ID    | Package                    |
+----------------+----------------------------+
| DSA-4980 [65]  | qemu [66]                  |
|                |                            |
| DSA-4981 [67]  | firefox-esr [68]           |
|                |                            |
| DSA-4982 [69]  | apache2 [70]               |
|                |                            |
| DSA-4983 [71]  | neutron [72]               |
|                |                            |
| DSA-4984 [73]  | flatpak [74]               |
|                |                            |
| DSA-4985 [75]  | wordpress [76]             |
|                |                            |
| DSA-4986 [77]  | tomcat9 [78]               |
|                |                            |
| DSA-4987 [79]  | squashfs-tools [80]        |
|                |                            |
| DSA-4988 [81]  | libreoffice [82]           |
|                |                            |
| DSA-4989 [83]  | strongswan [84]            |
|                |                            |
| DSA-4992 [85]  | php7.4 [86]                |
|                |                            |
| DSA-4994 [87]  | bind9 [88]                 |
|                |                            |
| DSA-4995 [89]  | webkit2gtk [90]            |
|                |                            |
| DSA-4996 [91]  | wpewebkit [92]             |
|                |                            |
| DSA-4998 [93]  | ffmpeg [94]                |
|                |                            |
| DSA-5002 [95]  | containerd [96]            |
|                |                            |
| DSA-5003 [97]  | ldb [98]                   |
|                |                            |
| DSA-5003 [99]  | samba [100]                |
|                |                            |
| DSA-5004 [101] | libxstream-java [102]      |
|                |                            |
| DSA-5007 [103] | postgresql-13 [104]        |
|                |                            |
| DSA-5008 [105] | node-tar [106]             |
|                |                            |
| DSA-5009 [107] | tomcat9 [108]              |
|                |                            |
| DSA-5010 [109] | libxml-security-java [110] |
|                |                            |
| DSA-5011 [111] | salt [112]                 |
|                |                            |
| DSA-5013 [113] | roundcube [114]            |
|                |                            |
| DSA-5016 [115] | nss [116]                  |
|                |                            |
| DSA-5017 [117] | xen [118]                  |
|                |                            |
| DSA-5019 [119] | wireshark [120]            |
|                |                            |
| DSA-5020 [121] | apache-log4j2 [122]        |
|                |                            |
| DSA-5022 [123] | apache-log4j2 [124]        |
|                |                            |
+----------------+----------------------------+

   65: https://www.debian.org/security/2021/dsa-4980
   66: https://packages.debian.org/src:qemu
   67: https://www.debian.org/security/2021/dsa-4981
   68: https://packages.debian.org/src:firefox-esr
   69: https://www.debian.org/security/2021/dsa-4982
   70: https://packages.debian.org/src:apache2
   71: https://www.debian.org/security/2021/dsa-4983
   72: https://packages.debian.org/src:neutron
   73: https://www.debian.org/security/2021/dsa-4984
   74: https://packages.debian.org/src:flatpak
   75: https://www.debian.org/security/2021/dsa-4985
   76: https://packages.debian.org/src:wordpress
   77: https://www.debian.org/security/2021/dsa-4986
   78: https://packages.debian.org/src:tomcat9
   79: https://www.debian.org/security/2021/dsa-4987
   80: https://packages.debian.org/src:squashfs-tools
   81: https://www.debian.org/security/2021/dsa-4988
   82: https://packages.debian.org/src:libreoffice
   83: https://www.debian.org/security/2021/dsa-4989
   84: https://packages.debian.org/src:strongswan
   85: https://www.debian.org/security/2021/dsa-4992
   86: https://packages.debian.org/src:php7.4
   87: https://www.debian.org/security/2021/dsa-4994
   88: https://packages.debian.org/src:bind9
   89: https://www.debian.org/security/2021/dsa-4995
   90: https://packages.debian.org/src:webkit2gtk
   91: https://www.debian.org/security/2021/dsa-4996
   92: https://packages.debian.org/src:wpewebkit
   93: https://www.debian.org/security/2021/dsa-4998
   94: https://packages.debian.org/src:ffmpeg
   95: https://www.debian.org/security/2021/dsa-5002
   96: https://packages.debian.org/src:containerd
   97: https://www.debian.org/security/2021/dsa-5003
   98: https://packages.debian.org/src:ldb
   99: https://www.debian.org/security/2021/dsa-5003
  100: https://packages.debian.org/src:samba
  101: https://www.debian.org/security/2021/dsa-5004
  102: https://packages.debian.org/src:libxstream-java
  103: https://www.debian.org/security/2021/dsa-5007
  104: https://packages.debian.org/src:postgresql-13
  105: https://www.debian.org/security/2021/dsa-5008
  106: https://packages.debian.org/src:node-tar
  107: https://www.debian.org/security/2021/dsa-5009
  108: https://packages.debian.org/src:tomcat9
  109: https://www.debian.org/security/2021/dsa-5010
  110: https://packages.debian.org/src:libxml-security-java
  111: https://www.debian.org/security/2021/dsa-5011
  112: https://packages.debian.org/src:salt
  113: https://www.debian.org/security/2021/dsa-5013
  114: https://packages.debian.org/src:roundcube
  115: https://www.debian.org/security/2021/dsa-5016
  116: https://packages.debian.org/src:nss
  117: https://www.debian.org/security/2021/dsa-5017
  118: https://packages.debian.org/src:xen
  119: https://www.debian.org/security/2021/dsa-5019
  120: https://packages.debian.org/src:wireshark
  121: https://www.debian.org/security/2021/dsa-5020
  122: https://packages.debian.org/src:apache-log4j2
  123: https://www.debian.org/security/2021/dsa-5022
  124: https://packages.debian.org/src:apache-log4j2


Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.


URLs
----

The complete lists of packages that have changed with this revision:

    https://deb.debian.org/debian/dists/bullseye/ChangeLog

The current stable distribution:

    https://deb.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

    https://deb.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

    https://www.debian.org/releases/stable/

Security announcements and information:

    https://www.debian.org/security/


About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.


Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.