------------------------------------------------------------------------
The Debian Project https://www.debian.org/
Updated Debian 11: 11.2 released press@debian.org
December 18th, 2021 https://www.debian.org/News/2021/20211218
------------------------------------------------------------------------
The Debian project is pleased to announce the second update of its
stable distribution Debian 11 (codename "bullseye"). This point release
mainly adds corrections for security issues, along with a few
adjustments for serious problems. Security advisories have already been
published separately and are referenced where available.
Please note that the point release does not constitute a new version of
Debian 11 but only updates some of the packages included. There is no
need to throw away old "bullseye" media. After installation, packages
can be upgraded to the current versions using an up-to-date Debian
mirror.
Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:
https://www.debian.org/mirror/list
Miscellaneous Bugfixes
----------------------
This stable update adds a few important corrections to the following
packages:
+--------------------------+------------------------------------------+
| Package | Reason |
+--------------------------+------------------------------------------+
| authheaders [1] | New upstream bug-fix release |
| | |
| base-files [2] | Update /etc/debian_version for the 11.2 |
| | point release |
| | |
| bpftrace [3] | Fix array indexing |
| | |
| brltty [4] | Fix operation under X when using |
| | sysvinit |
| | |
| btrbk [5] | Fix regression in the update for |
| | CVE-2021-38173 |
| | |
| calibre [6] | Fix syntax error |
| | |
| chrony [7] | Fix binding a socket to a network device |
| | with a name longer than 3 characters |
| | when the system call filter is enabled |
| | |
| cmake [8] | Add PostgreSQL 13 to known versions |
| | |
| containerd [9] | New upstream stable release; handle |
| | ambiguous OCI manifest parsing |
| | [CVE-2021-41190]; support "clone3" in |
| | default seccomp profile |
| | |
| curl [10] | Remove -ffile-prefix-map from curl- |
| | config, fixing co-installability of |
| | libcurl4-gnutls-dev under multiarch |
| | |
| datatables.js [11] | Fix insufficient escaping of arrays |
| | passed to the HTML escape entities |
| | function [CVE-2021-23445] |
| | |
| debian-edu-config [12] | pxe-addfirmware: Fix TFTP server path; |
| | improve support for LTSP chroot setup |
| | and maintenance |
| | |
| debian-edu-doc [13] | Update Debian Edu Bullseye manual from |
| | the wiki; update translations |
| | |
| debian-installer [14] | Rebuild against proposed-updates; update |
| | kernel ABI to -10 |
| | |
| debian-installer- | Rebuild against proposed-updates |
| netboot-images [15] | |
| | |
| distro-info-data [16] | Update included data for Ubuntu 14.04 |
| | and 16.04 ESM; add Ubuntu 22.04 LTS |
| | |
| docker.io [17] | Fix possible change of host file system |
| | permissions [CVE-2021-41089]; lock down |
| | file permissions in /var/lib/docker |
| | [CVE-2021-41091]; prevent credentials |
| | being sent to the default registry |
| | [CVE-2021-41092]; add support for |
| | "clone3" syscall in default seccomp |
| | policy |
| | |
| edk2 [18] | Address Boot Guard TOCTOU vulnerability |
| | [CVE-2019-11098] |
| | |
| freeipmi [19] | Install pkgconfig files to correct |
| | location |
| | |
| gdal [20] | Fix BAG 2.0 Extract support in LVBAG |
| | driver |
| | |
| gerbv [21] | Fix out-of-bounds write issue [CVE-2021- |
| | 40391] |
| | |
| gmp [22] | Fix integer and buffer overflow issue |
| | [CVE-2021-43618] |
| | |
| golang-1.15 [23] | New upstream stable release; fix "net/ |
| | http: panic due to racy read of |
| | persistConn after handler |
| | panic" [CVE-2021-36221]; fix "archive/ |
| | zip: overflow in preallocation check can |
| | cause OOM panic" [CVE-2021-39293]; fix |
| | buffer over-run issue [CVE-2021-38297], |
| | out of bounds read issue [CVE-2021- |
| | 41771], denial of service issues |
| | [CVE-2021-44716 CVE-2021-44717] |
| | |
| grass [24] | Fix parsing of GDAL formats where the |
| | description contains a colon |
| | |
| horizon [25] | Re-enable translations |
| | |
| htmldoc [26] | Fix buffer overflow issues [CVE-2021- |
| | 40985 CVE-2021-43579] |
| | |
| im-config [27] | Prefer Fcitx5 over Fcitx4 |
| | |
| isync [28] | Fix multiple buffer overflow issues |
| | [CVE-2021-3657] |
| | |
| jqueryui [29] | Fix untrusted code execution issues |
| | [CVE-2021-41182 CVE-2021-41183 CVE-2021- |
| | 41184] |
| | |
| jwm [30] | Fix crash when using "Move" menu item |
| | |
| keepalived [31] | Fix overly broad DBus policy [CVE-2021- |
| | 44225] |
| | |
| keystone [32] | Resolve information leak allowing |
| | determination of whether users exist |
| | [CVE-2021-38155]; apply some performance |
| | improvements to the default keystone- |
| | uwsgi.ini |
| | |
| kodi [33] | Fix buffer overflow in PLS playlists |
| | [CVE-2021-42917] |
| | |
| libayatana- | Scale icons when loading from file; |
| indicator [34] | prevent regular crashes in indicator |
| | applets |
| | |
| libdatetime-timezone- | Update included data |
| perl [35] | |
| | |
| libencode-perl [36] | Fix a memory leak in Encode.xs |
| | |
| libseccomp [37] | Add support for syscalls up to Linux |
| | 5.15 |
| | |
| linux [38] | New upstream release; increase ABI to |
| | 10; RT: update to 5.10.83-rt58 |
| | |
| linux-signed-amd64 [39] | New upstream release; increase ABI to |
| | 10; RT: update to 5.10.83-rt58 |
| | |
| linux-signed-arm64 [40] | New upstream release; increase ABI to |
| | 10; RT: update to 5.10.83-rt58 |
| | |
| linux-signed-i386 [41] | New upstream release; increase ABI to |
| | 10; RT: update to 5.10.83-rt58 |
| | |
| lldpd [42] | Fix heap overflow issue [CVE-2021- |
| | 43612]; do not set VLAN tag if client |
| | did not set it |
| | |
| mrtg [43] | Correct errors in variable names |
| | |
| node-getobject [44] | Resolve prototype pollution issue |
| | [CVE-2020-28282] |
| | |
| node-json-schema [45] | Resolve prototype pollution issue |
| | [CVE-2021-3918] |
| | |
| open3d [46] | Ensure that python3-open3d depends on |
| | python3-numpy |
| | |
| opendmarc [47] | Fix opendmarc-import; increase maximum |
| | supported length of tokens in ARC_Seal |
| | headers, resolving crashes |
| | |
| plib [48] | Fix integer overflow issue [CVE-2021- |
| | 38714] |
| | |
| plocate [49] | Fix an issue where non-ASCII characters |
| | would be wrongly escaped |
| | |
| poco [50] | Fix installation of CMake files |
| | |
| privoxy [51] | Fix memory leaks [CVE-2021-44540 |
| | CVE-2021-44541 CVE-2021-44542]; fix |
| | cross-site scripting issue [CVE-2021- |
| | 44543] |
| | |
| publicsuffix [52] | Update included data |
| | |
| python-django [53] | New upstream security release: fix |
| | potential bypass of an upstream access |
| | control based on URL paths [CVE-2021- |
| | 44420] |
| | |
| python-eventlet [54] | Fix compatibility with dnspython 2 |
| | |
| python-virtualenv [55] | Fix crash when using --no-setuptools |
| | |
| ros-ros-comm [56] | Fix denial of service issue [CVE-2021- |
| | 37146] |
| | |
| ruby-httpclient [57] | Use system certificate store |
| | |
| rustc-mozilla [58] | New source package to support building |
| | of newer firefox-esr and thunderbird |
| | versions |
| | |
| supysonic [59] | Symlink jquery instead of loading it |
| | directly; correctly symlink minimized |
| | bootstrap CSS files |
| | |
| tzdata [60] | Update data for Fiji and Palestine |
| | |
| udisks2 [61] | Mount options: Always use |
| | errors=remount-ro for ext filesystems |
| | [CVE-2021-3802]; use the mkfs command to |
| | format exfat partitions; add Recommends |
| | exfatprogs as preferred alternative |
| | |
| ulfius [62] | Fix use of custom allocators with |
| | ulfius_url_decode and ulfius_url_encode |
| | |
| vim [63] | Fix heap overflows [CVE-2021-3770 |
| | CVE-2021-3778], use after free issue |
| | [CVE-2021-3796]; remove vim-gtk |
| | alternatives during vim-gtk -> vim-gtk3 |
| | transition, easing upgrades from buster |
| | |
| wget [64] | Fix downloads over 2GB on 32-bit systems |
| | |
+--------------------------+------------------------------------------+
1: https://packages.debian.org/src:authheaders
2: https://packages.debian.org/src:base-files
3: https://packages.debian.org/src:bpftrace
4: https://packages.debian.org/src:brltty
5: https://packages.debian.org/src:btrbk
6: https://packages.debian.org/src:calibre
7: https://packages.debian.org/src:chrony
8: https://packages.debian.org/src:cmake
9: https://packages.debian.org/src:containerd
10: https://packages.debian.org/src:curl
11: https://packages.debian.org/src:datatables.js
12: https://packages.debian.org/src:debian-edu-config
13: https://packages.debian.org/src:debian-edu-doc
14: https://packages.debian.org/src:debian-installer
15: https://packages.debian.org/src:debian-installer-netboot-images
16: https://packages.debian.org/src:distro-info-data
17: https://packages.debian.org/src:docker.io
18: https://packages.debian.org/src:edk2
19: https://packages.debian.org/src:freeipmi
20: https://packages.debian.org/src:gdal
21: https://packages.debian.org/src:gerbv
22: https://packages.debian.org/src:gmp
23: https://packages.debian.org/src:golang-1.15
24: https://packages.debian.org/src:grass
25: https://packages.debian.org/src:horizon
26: https://packages.debian.org/src:htmldoc
27: https://packages.debian.org/src:im-config
28: https://packages.debian.org/src:isync
29: https://packages.debian.org/src:jqueryui
30: https://packages.debian.org/src:jwm
31: https://packages.debian.org/src:keepalived
32: https://packages.debian.org/src:keystone
33: https://packages.debian.org/src:kodi
34: https://packages.debian.org/src:libayatana-indicator
35: https://packages.debian.org/src:libdatetime-timezone-perl
36: https://packages.debian.org/src:libencode-perl
37: https://packages.debian.org/src:libseccomp
38: https://packages.debian.org/src:linux
39: https://packages.debian.org/src:linux-signed-amd64
40: https://packages.debian.org/src:linux-signed-arm64
41: https://packages.debian.org/src:linux-signed-i386
42: https://packages.debian.org/src:lldpd
43: https://packages.debian.org/src:mrtg
44: https://packages.debian.org/src:node-getobject
45: https://packages.debian.org/src:node-json-schema
46: https://packages.debian.org/src:open3d
47: https://packages.debian.org/src:opendmarc
48: https://packages.debian.org/src:plib
49: https://packages.debian.org/src:plocate
50: https://packages.debian.org/src:poco
51: https://packages.debian.org/src:privoxy
52: https://packages.debian.org/src:publicsuffix
53: https://packages.debian.org/src:python-django
54: https://packages.debian.org/src:python-eventlet
55: https://packages.debian.org/src:python-virtualenv
56: https://packages.debian.org/src:ros-ros-comm
57: https://packages.debian.org/src:ruby-httpclient
58: https://packages.debian.org/src:rustc-mozilla
59: https://packages.debian.org/src:supysonic
60: https://packages.debian.org/src:tzdata
61: https://packages.debian.org/src:udisks2
62: https://packages.debian.org/src:ulfius
63: https://packages.debian.org/src:vim
64: https://packages.debian.org/src:wget
Security Updates
----------------
This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:
+----------------+----------------------------+
| Advisory ID | Package |
+----------------+----------------------------+
| DSA-4980 [65] | qemu [66] |
| | |
| DSA-4981 [67] | firefox-esr [68] |
| | |
| DSA-4982 [69] | apache2 [70] |
| | |
| DSA-4983 [71] | neutron [72] |
| | |
| DSA-4984 [73] | flatpak [74] |
| | |
| DSA-4985 [75] | wordpress [76] |
| | |
| DSA-4986 [77] | tomcat9 [78] |
| | |
| DSA-4987 [79] | squashfs-tools [80] |
| | |
| DSA-4988 [81] | libreoffice [82] |
| | |
| DSA-4989 [83] | strongswan [84] |
| | |
| DSA-4992 [85] | php7.4 [86] |
| | |
| DSA-4994 [87] | bind9 [88] |
| | |
| DSA-4995 [89] | webkit2gtk [90] |
| | |
| DSA-4996 [91] | wpewebkit [92] |
| | |
| DSA-4998 [93] | ffmpeg [94] |
| | |
| DSA-5002 [95] | containerd [96] |
| | |
| DSA-5003 [97] | ldb [98] |
| | |
| DSA-5003 [99] | samba [100] |
| | |
| DSA-5004 [101] | libxstream-java [102] |
| | |
| DSA-5007 [103] | postgresql-13 [104] |
| | |
| DSA-5008 [105] | node-tar [106] |
| | |
| DSA-5009 [107] | tomcat9 [108] |
| | |
| DSA-5010 [109] | libxml-security-java [110] |
| | |
| DSA-5011 [111] | salt [112] |
| | |
| DSA-5013 [113] | roundcube [114] |
| | |
| DSA-5016 [115] | nss [116] |
| | |
| DSA-5017 [117] | xen [118] |
| | |
| DSA-5019 [119] | wireshark [120] |
| | |
| DSA-5020 [121] | apache-log4j2 [122] |
| | |
| DSA-5022 [123] | apache-log4j2 [124] |
| | |
+----------------+----------------------------+
65: https://www.debian.org/security/2021/dsa-4980
66: https://packages.debian.org/src:qemu
67: https://www.debian.org/security/2021/dsa-4981
68: https://packages.debian.org/src:firefox-esr
69: https://www.debian.org/security/2021/dsa-4982
70: https://packages.debian.org/src:apache2
71: https://www.debian.org/security/2021/dsa-4983
72: https://packages.debian.org/src:neutron
73: https://www.debian.org/security/2021/dsa-4984
74: https://packages.debian.org/src:flatpak
75: https://www.debian.org/security/2021/dsa-4985
76: https://packages.debian.org/src:wordpress
77: https://www.debian.org/security/2021/dsa-4986
78: https://packages.debian.org/src:tomcat9
79: https://www.debian.org/security/2021/dsa-4987
80: https://packages.debian.org/src:squashfs-tools
81: https://www.debian.org/security/2021/dsa-4988
82: https://packages.debian.org/src:libreoffice
83: https://www.debian.org/security/2021/dsa-4989
84: https://packages.debian.org/src:strongswan
85: https://www.debian.org/security/2021/dsa-4992
86: https://packages.debian.org/src:php7.4
87: https://www.debian.org/security/2021/dsa-4994
88: https://packages.debian.org/src:bind9
89: https://www.debian.org/security/2021/dsa-4995
90: https://packages.debian.org/src:webkit2gtk
91: https://www.debian.org/security/2021/dsa-4996
92: https://packages.debian.org/src:wpewebkit
93: https://www.debian.org/security/2021/dsa-4998
94: https://packages.debian.org/src:ffmpeg
95: https://www.debian.org/security/2021/dsa-5002
96: https://packages.debian.org/src:containerd
97: https://www.debian.org/security/2021/dsa-5003
98: https://packages.debian.org/src:ldb
99: https://www.debian.org/security/2021/dsa-5003
100: https://packages.debian.org/src:samba
101: https://www.debian.org/security/2021/dsa-5004
102: https://packages.debian.org/src:libxstream-java
103: https://www.debian.org/security/2021/dsa-5007
104: https://packages.debian.org/src:postgresql-13
105: https://www.debian.org/security/2021/dsa-5008
106: https://packages.debian.org/src:node-tar
107: https://www.debian.org/security/2021/dsa-5009
108: https://packages.debian.org/src:tomcat9
109: https://www.debian.org/security/2021/dsa-5010
110: https://packages.debian.org/src:libxml-security-java
111: https://www.debian.org/security/2021/dsa-5011
112: https://packages.debian.org/src:salt
113: https://www.debian.org/security/2021/dsa-5013
114: https://packages.debian.org/src:roundcube
115: https://www.debian.org/security/2021/dsa-5016
116: https://packages.debian.org/src:nss
117: https://www.debian.org/security/2021/dsa-5017
118: https://packages.debian.org/src:xen
119: https://www.debian.org/security/2021/dsa-5019
120: https://packages.debian.org/src:wireshark
121: https://www.debian.org/security/2021/dsa-5020
122: https://packages.debian.org/src:apache-log4j2
123: https://www.debian.org/security/2021/dsa-5022
124: https://packages.debian.org/src:apache-log4j2
Debian Installer
----------------
The installer has been updated to include the fixes incorporated into
stable by the point release.
URLs
----
The complete lists of packages that have changed with this revision:
https://deb.debian.org/debian/dists/bullseye/ChangeLog
The current stable distribution:
https://deb.debian.org/debian/dists/stable/
Proposed updates to the stable distribution:
https://deb.debian.org/debian/dists/proposed-updates
stable distribution information (release notes, errata etc.):
https://www.debian.org/releases/stable/
Security announcements and information:
https://www.debian.org/security/
About Debian
------------
The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.
Contact Information
-------------------
For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature