------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 11: 11.5 released                        press@debian.org
September 10th, 2022         https://www.debian.org/News/2022/2022091002
------------------------------------------------------------------------

The Debian project is pleased to announce the fifth update of its stable
distribution Debian 11 (codename "bullseye"). This point release mainly
adds corrections for security issues, along with a few adjustments for
serious problems. Security advisories have already been published
separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 11 but only updates some of the packages included. There is no
need to throw away old "bullseye" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors.
A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

+---------------------------+-----------------------------------------+
| Package                   | Reason                                  |
+---------------------------+-----------------------------------------+
| avahi [1]                 | Fix display of URLs containing '&' in   |
|                           | avahi-discover; do not disable timeout  |
|                           | cleanup on watch cleanup; fix NULL      |
|                           | pointer crashes when trying to resolve  |
|                           | badly-formatted hostnames               |
|                           | [CVE-2021-3502]                         |
|                           |                                         |
| base-files [2]            | Update /etc/debian_version for the 11.5 |
|                           | point release                           |
|                           |                                         |
| cargo-mozilla [3]         | New source package to support building  |
|                           | of newer firefox-esr and thunderbird    |
|                           | versions                                |
|                           |                                         |
| clamav [4]                | New upstream stable release             |
|                           |                                         |
| commons-daemon [5]        | Fix JVM detection                       |
|                           |                                         |
| curl [6]                  | Reject cookies with "control bytes"     |
|                           | [CVE-2022-35252]                        |
|                           |                                         |
| dbus-broker [7]           | Fix assertion failure when              |
|                           | disconnecting peer groups; fix memory   |
|                           | leak; fix null pointer dereference      |
|                           | [CVE-2022-31213]                        |
|                           |                                         |
| debian-installer [8]      | Rebuild against proposed-updates;       |
|                           | increase Linux kernel ABI to 5.10.0-18  |
|                           |                                         |
| debian-installer-netboot- | Rebuild against proposed-updates;       |
| images [9]                | increase Linux kernel ABI to 5.10.0-18  |
|                           |                                         |
| debian-security-          | Update support status of various        |
| support [10]              | packages                                |
|                           |                                         |
| debootstrap [11]          | Ensure non-merged-usr chroots can       |
|                           | continue to be created for older        |
|                           | releases and buildd chroots             |
|                           |                                         |
| dlt-daemon [12]           | Fix double free issue [CVE-2022-31291]  |
|                           |                                         |
| dnsproxy [13]             | Listen on localhost by default, rather  |
|                           | than the possibly unavailable           |
|                           | 192.168.168.1                           |
|                           |                                         |
| dovecot [14]              | Fix possible security issues when two   |
|                           | passdb configuration entries exist with |
|                           | the same driver and args settings       |
|                           | [CVE-2022-30550]                        |
|                           |                                         |
| dpkg [15]                 | Fix conffile removal-on-upgrade         |
|                           | handling, memory leak in                |
|                           | remove-on-upgrade handling;             |
|                           | Dpkg::Shlibs::Objdump: Fix              |
|                           | apply_relocations to work with          |
|                           | versioned symbols; add support for      |
|                           | ARCv2 CPU; several updates and fixes to |
|                           | dpkg-fsys-usrunmess                     |
|                           |                                         |
| fig2dev [16]              | Fix double free issue [CVE-2021-37529], |
|                           | denial of service issue                 |
|                           | [CVE-2021-37530]; stop misplacement of  |
|                           | embedded eps images                     |
|                           |                                         |
| foxtrotgps [17]           | Fix crash by ensuring that threads are  |
|                           | always unreferenced                     |
|                           |                                         |
| gif2apng [18]             | Fix heap-based buffer overflows         |
|                           | [CVE-2021-45909 CVE-2021-45910          |
|                           | CVE-2021-45911]                         |
|                           |                                         |
| glibc [19]                | Fix an off-by-one buffer overflow/      |
|                           | underflow in getcwd() [CVE-2021-3999];  |
|                           | fix several overflows in wide character |
|                           | functions; add a few EVEX optimized     |
|                           | string functions to fix a performance   |
|                           | issue (up to 40%) with Skylake-X        |
|                           | processors; make grantpt usable after   |
|                           | multi-threaded fork; ensure that libio  |
|                           | vtable protection is enabled            |
|                           |                                         |
| golang-github-pkg-        | Fix building on newer Linux kernels     |
| term [20]                 |                                         |
|                           |                                         |
| gri [21]                  | Use "ps2pdf" instead of "convert"       |
|                           | for converting from PS to PDF           |
|                           |                                         |
| grub-efi-amd64-           | New upstream release                    |
| signed [22]               |                                         |
|                           |                                         |
| grub-efi-arm64-           | New upstream release                    |
| signed [23]               |                                         |
|                           |                                         |
| grub-efi-ia32-signed [24] | New upstream release                    |
|                           |                                         |
| grub2 [25]                | New upstream release                    |
|                           |                                         |
| http-parser [26]          | Unset F_CHUNKED on new                  |
|                           | Transfer-Encoding, fixing possible HTTP |
|                           | request smuggling issue [CVE-2020-8287] |
|                           |                                         |
| ifenslave [27]            | Fix bonded interface configurations     |
|                           |                                         |
| inetutils [28]            | Fix buffer overflow issue               |
|                           | [CVE-2019-0053], stack exhaustion       |
|                           | issue, handling of FTP PASV responses   |
|                           | [CVE-2021-40491], denial of service     |
|                           | issue [CVE-2022-39028]                  |
|                           |                                         |
| knot [29]                 | Fix IXFR to AXFR fallback with dnsmasq  |
|                           |                                         |
| krb5 [30]                 | Use SHA256 as Pkinit CMS Digest         |
|                           |                                         |
| libayatana-               | Provide compatibility for software that |
| appindicator [31]         | depends on libappindicator              |
|                           |                                         |
| libdatetime-timezone-     | Update included data                    |
| perl [32]                 |                                         |
|                           |                                         |
| libhttp-daemon-perl [33]  | Improve handling of Content-Length      |
|                           | header [CVE-2022-31081]                 |
|                           |                                         |
| libreoffice [34]          | Support EUR in .hr locale; add          |
|                           | HRK<->EUR conversion rate to Calc and   |
|                           | the Euro Wizard; security fixes         |
|                           | [CVE-2021-25636 CVE-2022-26305          |
|                           | CVE-2022-26306 CVE-2022-26307]; fix     |
|                           | hang accessing Evolution address books  |
|                           |                                         |
| linux [35]                | New upstream stable release             |
|                           |                                         |
| linux-signed-amd64 [36]   | New upstream stable release             |
|                           |                                         |
| linux-signed-arm64 [37]   | New upstream stable release             |
|                           |                                         |
| linux-signed-i386 [38]    | New upstream stable release             |
|                           |                                         |
| llvm-toolchain-13 [39]    | New source package to support building  |
|                           | of newer firefox-esr and thunderbird    |
|                           | versions                                |
|                           |                                         |
| lwip [40]                 | Fix buffer overflow issues              |
|                           | [CVE-2020-22283 CVE-2020-22284]         |
|                           |                                         |
| mokutil [41]              | New upstream version, to allow for SBAT |
|                           | management                              |
|                           |                                         |
| node-log4js [42]          | Do not create world-readable files by   |
|                           | default [CVE-2022-21704]                |
|                           |                                         |
| node-moment [43]          | Fix regular expression-based denial of  |
|                           | service issue [CVE-2022-31129]          |
|                           |                                         |
| nvidia-graphics-          | New upstream release; security fixes    |
| drivers [44]              | [CVE-2022-31607 CVE-2022-31608          |
|                           | CVE-2022-31615]                         |
|                           |                                         |
| nvidia-graphics-drivers-  | New upstream release; security fixes    |
| legacy-390xx [45]         | [CVE-2022-31607 CVE-2022-31608          |
|                           | CVE-2022-31615]                         |
|                           |                                         |
| nvidia-graphics-drivers-  | New upstream release; security fixes    |
| tesla-450 [46]            | [CVE-2022-31607 CVE-2022-31608          |
|                           | CVE-2022-31615]                         |
|                           |                                         |
| nvidia-graphics-drivers-  | New upstream release; security fixes    |
| tesla-470 [47]            | [CVE-2022-31607 CVE-2022-31608          |
|                           | CVE-2022-31615]                         |
|                           |                                         |
| nvidia-settings [48]      | New upstream release; fix               |
|                           | cross-building                          |
|                           |                                         |
| nvidia-settings-          | New upstream release; fix               |
| tesla-470 [49]            | cross-building                          |
|                           |                                         |
| pcre2 [50]                | Fix out-of-bounds read issues           |
|                           | [CVE-2022-1586 CVE-2022-1587]           |
|                           |                                         |
| postgresql-13 [51]        | Do not let extension scripts replace    |
|                           | objects not already belonging to the    |
|                           | extension [CVE-2022-2625]               |
|                           |                                         |
| publicsuffix [52]         | Update included data                    |
|                           |                                         |
| rocksdb [53]              | Fix illegal instruction on arm64        |
|                           |                                         |
| sbuild [54]               | Buildd::Mail: support MIME encoded      |
|                           | Subject: header, also copy the          |
|                           | Content-Type: header when forwarding    |
|                           | mail                                    |
|                           |                                         |
| systemd [55]              | Drop bundled copy of linux/if_arp.h,    |
|                           | fixing build failures with newer kernel |
|                           | headers; support detection for ARM64    |
|                           | Hyper-V guests; detect OpenStack        |
|                           | instance as KVM on arm                  |
|                           |                                         |
| twitter-bootstrap4 [56]   | Actually install CSS map files          |
|                           |                                         |
| tzdata [57]               | Update timezone data for Iran and Chile |
|                           |                                         |
| xtables-addons [58]       | Support both old and new versions of    |
|                           | security_skb_classify_flow()            |
|                           |                                         |
+---------------------------+-----------------------------------------+

1: https://packages.debian.org/src:avahi
2: https://packages.debian.org/src:base-files
3: https://packages.debian.org/src:cargo-mozilla
4: https://packages.debian.org/src:clamav
5: https://packages.debian.org/src:commons-daemon
6: https://packages.debian.org/src:curl
7: https://packages.debian.org/src:dbus-broker
8: https://packages.debian.org/src:debian-installer
9: https://packages.debian.org/src:debian-installer-netboot-images
10: https://packages.debian.org/src:debian-security-support
11: https://packages.debian.org/src:debootstrap
12: https://packages.debian.org/src:dlt-daemon
13: https://packages.debian.org/src:dnsproxy
14: https://packages.debian.org/src:dovecot
15: https://packages.debian.org/src:dpkg
16: https://packages.debian.org/src:fig2dev
17: https://packages.debian.org/src:foxtrotgps
18: https://packages.debian.org/src:gif2apng
19: https://packages.debian.org/src:glibc
20: https://packages.debian.org/src:golang-github-pkg-term
21: https://packages.debian.org/src:gri
22: https://packages.debian.org/src:grub-efi-amd64-signed
23: https://packages.debian.org/src:grub-efi-arm64-signed
24: https://packages.debian.org/src:grub-efi-ia32-signed
25: https://packages.debian.org/src:grub2
26: https://packages.debian.org/src:http-parser
27: https://packages.debian.org/src:ifenslave
28: https://packages.debian.org/src:inetutils
29: https://packages.debian.org/src:knot
30: https://packages.debian.org/src:krb5
31: https://packages.debian.org/src:libayatana-appindicator
32: https://packages.debian.org/src:libdatetime-timezone-perl
33: https://packages.debian.org/src:libhttp-daemon-perl
34: https://packages.debian.org/src:libreoffice
35: https://packages.debian.org/src:linux
36: https://packages.debian.org/src:linux-signed-amd64
37: https://packages.debian.org/src:linux-signed-arm64
38: https://packages.debian.org/src:linux-signed-i386
39: https://packages.debian.org/src:llvm-toolchain-13
40: https://packages.debian.org/src:lwip
41: https://packages.debian.org/src:mokutil
42: https://packages.debian.org/src:node-log4js
43: https://packages.debian.org/src:node-moment
44: https://packages.debian.org/src:nvidia-graphics-drivers
45: https://packages.debian.org/src:nvidia-graphics-drivers-legacy-390xx
46: https://packages.debian.org/src:nvidia-graphics-drivers-tesla-450
47: https://packages.debian.org/src:nvidia-graphics-drivers-tesla-470
48: https://packages.debian.org/src:nvidia-settings
49: https://packages.debian.org/src:nvidia-settings-tesla-470
50: https://packages.debian.org/src:pcre2
51: https://packages.debian.org/src:postgresql-13
52: https://packages.debian.org/src:publicsuffix
53: https://packages.debian.org/src:rocksdb
54: https://packages.debian.org/src:sbuild
55: https://packages.debian.org/src:systemd
56: https://packages.debian.org/src:twitter-bootstrap4
57: https://packages.debian.org/src:tzdata
58: https://packages.debian.org/src:xtables-addons

Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+----------------+---------------------------+
| Advisory ID    | Package                   |
+----------------+---------------------------+
| DSA-5175 [59]  | thunderbird [60]          |
|                |                           |
| DSA-5176 [61]  | blender [62]              |
|                |                           |
| DSA-5177 [63]  | ldap-account-manager [64] |
|                |                           |
| DSA-5178 [65]  | intel-microcode [66]      |
|                |                           |
| DSA-5179 [67]  | php7.4 [68]               |
|                |                           |
| DSA-5180 [69]  | chromium [70]             |
|                |                           |
| DSA-5181 [71]  | request-tracker4 [72]     |
|                |                           |
| DSA-5182 [73]  | webkit2gtk [74]           |
|                |                           |
| DSA-5183 [75]  | wpewebkit [76]            |
|                |                           |
| DSA-5184 [77]  | xen [78]                  |
|                |                           |
| DSA-5185 [79]  | mat2 [80]                 |
|                |                           |
| DSA-5187 [81]  | chromium [82]             |
|                |                           |
| DSA-5188 [83]  | openjdk-11 [84]           |
|                |                           |
| DSA-5189 [85]  | gsasl [86]                |
|                |                           |
| DSA-5190 [87]  | spip [88]                 |
|                |                           |
| DSA-5191 [89]  | linux-signed-amd64 [90]   |
|                |                           |
| DSA-5191 [91]  | linux-signed-arm64 [92]   |
|                |                           |
| DSA-5191 [93]  | linux-signed-i386 [94]    |
|                |                           |
| DSA-5191 [95]  | linux [96]                |
|                |                           |
| DSA-5192 [97]  | openjdk-17 [98]           |
|                |                           |
| DSA-5193 [99]  | firefox-esr [100]         |
|                |                           |
| DSA-5194 [101] | booth [102]               |
|                |                           |
| DSA-5195 [103] | thunderbird [104]         |
|                |                           |
| DSA-5196 [105] | libpgjava [106]           |
|                |                           |
| DSA-5197 [107] | curl [108]                |
|                |                           |
| DSA-5198 [109] | jetty9 [110]              |
|                |                           |
| DSA-5199 [111] | xorg-server [112]         |
|                |                           |
| DSA-5200 [113] | libtirpc [114]            |
|                |                           |
| DSA-5201 [115] | chromium [116]            |
|                |                           |
| DSA-5202 [117] | unzip [118]               |
|                |                           |
| DSA-5203 [119] | gnutls28 [120]            |
|                |                           |
| DSA-5204 [121] | gst-plugins-good1.0 [122] |
|                |                           |
| DSA-5205 [123] | ldb [124]                 |
|                |                           |
| DSA-5205 [125] | samba [126]               |
|                |                           |
| DSA-5206 [127] | trafficserver [128]       |
|                |                           |
| DSA-5207 [129] | linux-signed-amd64 [130]  |
|                |                           |
| DSA-5207 [131] | linux-signed-arm64 [132]  |
|                |                           |
| DSA-5207 [133] | linux-signed-i386 [134]   |
|                |                           |
| DSA-5207 [135] | linux [136]               |
|                |                           |
| DSA-5208 [137] | epiphany-browser [138]    |
|                |                           |
| DSA-5209 [139] | net-snmp [140]            |
|                |                           |
| DSA-5210 [141] | webkit2gtk [142]          |
|                |                           |
| DSA-5211 [143] | wpewebkit [144]           |
|                |                           |
| DSA-5213 [145] | schroot [146]             |
|                |                           |
| DSA-5214 [147] | kicad [148]               |
|                |                           |
| DSA-5215 [149] | open-vm-tools [150]       |
|                |                           |
| DSA-5216 [151] | libxslt [152]             |
|                |                           |
| DSA-5217 [153] | firefox-esr [154]         |
|                |                           |
| DSA-5218 [155] | zlib [156]                |
|                |                           |
| DSA-5219 [157] | webkit2gtk [158]          |
|                |                           |
| DSA-5220 [159] | wpewebkit [160]           |
|                |                           |
| DSA-5221 [161] | thunderbird [162]         |
|                |                           |
| DSA-5222 [163] | dpdk [164]                |
|                |                           |
+----------------+---------------------------+

59: https://www.debian.org/security/2022/dsa-5175
60: https://packages.debian.org/src:thunderbird
61: https://www.debian.org/security/2022/dsa-5176
62: https://packages.debian.org/src:blender
63: https://www.debian.org/security/2022/dsa-5177
64: https://packages.debian.org/src:ldap-account-manager
65: https://www.debian.org/security/2022/dsa-5178
66: https://packages.debian.org/src:intel-microcode
67: https://www.debian.org/security/2022/dsa-5179
68: https://packages.debian.org/src:php7.4
69: https://www.debian.org/security/2022/dsa-5180
70: https://packages.debian.org/src:chromium
71: https://www.debian.org/security/2022/dsa-5181
72: https://packages.debian.org/src:request-tracker4
73: https://www.debian.org/security/2022/dsa-5182
74: https://packages.debian.org/src:webkit2gtk
75: https://www.debian.org/security/2022/dsa-5183
76: https://packages.debian.org/src:wpewebkit
77: https://www.debian.org/security/2022/dsa-5184
78: https://packages.debian.org/src:xen
79: https://www.debian.org/security/2022/dsa-5185
80: https://packages.debian.org/src:mat2
81: https://www.debian.org/security/2022/dsa-5187
82: https://packages.debian.org/src:chromium
83: https://www.debian.org/security/2022/dsa-5188
84: https://packages.debian.org/src:openjdk-11
85: https://www.debian.org/security/2022/dsa-5189
86: https://packages.debian.org/src:gsasl
87: https://www.debian.org/security/2022/dsa-5190
88: https://packages.debian.org/src:spip
89: https://www.debian.org/security/2022/dsa-5191
90: https://packages.debian.org/src:linux-signed-amd64
91: https://www.debian.org/security/2022/dsa-5191
92: https://packages.debian.org/src:linux-signed-arm64
93: https://www.debian.org/security/2022/dsa-5191
94: https://packages.debian.org/src:linux-signed-i386
95: https://www.debian.org/security/2022/dsa-5191
96: https://packages.debian.org/src:linux
97: https://www.debian.org/security/2022/dsa-5192
98: https://packages.debian.org/src:openjdk-17
99: https://www.debian.org/security/2022/dsa-5193
100: https://packages.debian.org/src:firefox-esr
101: https://www.debian.org/security/2022/dsa-5194
102: https://packages.debian.org/src:booth
103: https://www.debian.org/security/2022/dsa-5195
104: https://packages.debian.org/src:thunderbird
105: https://www.debian.org/security/2022/dsa-5196
106: https://packages.debian.org/src:libpgjava
107: https://www.debian.org/security/2022/dsa-5197
108: https://packages.debian.org/src:curl
109: https://www.debian.org/security/2022/dsa-5198
110: https://packages.debian.org/src:jetty9
111: https://www.debian.org/security/2022/dsa-5199
112: https://packages.debian.org/src:xorg-server
113: https://www.debian.org/security/2022/dsa-5200
114: https://packages.debian.org/src:libtirpc
115: https://www.debian.org/security/2022/dsa-5201
116: https://packages.debian.org/src:chromium
117: https://www.debian.org/security/2022/dsa-5202
118: https://packages.debian.org/src:unzip
119: https://www.debian.org/security/2022/dsa-5203
120: https://packages.debian.org/src:gnutls28
121: https://www.debian.org/security/2022/dsa-5204
122: https://packages.debian.org/src:gst-plugins-good1.0
123: https://www.debian.org/security/2022/dsa-5205
124: https://packages.debian.org/src:ldb
125: https://www.debian.org/security/2022/dsa-5205
126: https://packages.debian.org/src:samba
127: https://www.debian.org/security/2022/dsa-5206
128: https://packages.debian.org/src:trafficserver
129: https://www.debian.org/security/2022/dsa-5207
130: https://packages.debian.org/src:linux-signed-amd64
131: https://www.debian.org/security/2022/dsa-5207
132: https://packages.debian.org/src:linux-signed-arm64
133: https://www.debian.org/security/2022/dsa-5207
134: https://packages.debian.org/src:linux-signed-i386
135: https://www.debian.org/security/2022/dsa-5207
136: https://packages.debian.org/src:linux
137: https://www.debian.org/security/2022/dsa-5208
138: https://packages.debian.org/src:epiphany-browser
139: https://www.debian.org/security/2022/dsa-5209
140: https://packages.debian.org/src:net-snmp
141: https://www.debian.org/security/2022/dsa-5210
142: https://packages.debian.org/src:webkit2gtk
143: https://www.debian.org/security/2022/dsa-5211
144: https://packages.debian.org/src:wpewebkit
145: https://www.debian.org/security/2022/dsa-5213
146: https://packages.debian.org/src:schroot
147: https://www.debian.org/security/2022/dsa-5214
148: https://packages.debian.org/src:kicad
149: https://www.debian.org/security/2022/dsa-5215
150: https://packages.debian.org/src:open-vm-tools
151: https://www.debian.org/security/2022/dsa-5216
152: https://packages.debian.org/src:libxslt
153: https://www.debian.org/security/2022/dsa-5217
154: https://packages.debian.org/src:firefox-esr
155: https://www.debian.org/security/2022/dsa-5218
156: https://packages.debian.org/src:zlib
157: https://www.debian.org/security/2022/dsa-5219
158: https://packages.debian.org/src:webkit2gtk
159: https://www.debian.org/security/2022/dsa-5220
160: https://packages.debian.org/src:wpewebkit
161: https://www.debian.org/security/2022/dsa-5221
162: https://packages.debian.org/src:thunderbird
163: https://www.debian.org/security/2022/dsa-5222
164: https://packages.debian.org/src:dpdk

Removed packages
----------------

The following packages were removed due to circumstances beyond our
control:

+--------------------------------+------------------------------------+
| Package                        | Reason                             |
+--------------------------------+------------------------------------+
| evenement [165]                | Unmaintained; only needed for      |
|                                | already-removed movim              |
|                                |                                    |
| php-cocur-slugify [166]        | Unmaintained; only needed for      |
|                                | already-removed movim              |
|                                |                                    |
| php-defuse-php-                | Unmaintained; only needed for      |
| encryption [167]               | already-removed movim              |
|                                |                                    |
| php-dflydev-fig-cookies [168]  | Unmaintained; only needed for      |
|                                | already-removed movim              |
|                                |                                    |
| php-embed [169]                | Unmaintained; only needed for      |
|                                | already-removed movim              |
|                                |                                    |
| php-fabiang-sasl [170]         | Unmaintained; only needed for      |
|                                | already-removed movim              |
|                                |                                    |
| php-markdown [171]             | Unmaintained; only needed for      |
|                                | already-removed movim              |
|                                |                                    |
| php-raintpl [172]              | Unmaintained; only needed for      |
|                                | already-removed movim              |
|                                |                                    |
| php-react-child-process [173]  | Unmaintained; only needed for      |
|                                | already-removed movim              |
|                                |                                    |
| php-react-http [174]           | Unmaintained; only needed for      |
|                                | already-removed movim              |
|                                |                                    |
| php-respect-validation [175]   | Unmaintained; only needed for      |
|                                | already-removed movim              |
|                                |                                    |
| php-robmorgan-phinx [176]      | Unmaintained; only needed for      |
|                                | already-removed movim              |
|                                |                                    |
| ratchet-pawl [177]             | Unmaintained; only needed for      |
|                                | already-removed movim              |
|                                |                                    |
| ratchet-rfc6455 [178]          | Unmaintained; only needed for      |
|                                | already-removed movim              |
|                                |                                    |
| ratchetphp [179]               | Unmaintained; only needed for      |
|                                | already-removed movim              |
|                                |                                    |
| reactphp-cache [180]           | Unmaintained; only needed for      |
|                                | already-removed movim              |
|                                |                                    |
| reactphp-dns [181]             | Unmaintained; only needed for      |
|                                | already-removed movim              |
|                                |                                    |
| reactphp-event-loop [182]      | Unmaintained; only needed for      |
|                                | already-removed movim              |
|                                |                                    |
| reactphp-promise-stream [183]  | Unmaintained; only needed for      |
|                                | already-removed movim              |
|                                |                                    |
| reactphp-promise-timer [184]   | Unmaintained; only needed for      |
|                                | already-removed movim              |
|                                |                                    |
| reactphp-socket [185]          | Unmaintained; only needed for      |
|                                | already-removed movim              |
|                                |                                    |
| reactphp-stream [186]          | Unmaintained; only needed for      |
|                                | already-removed movim              |
|                                |                                    |
+--------------------------------+------------------------------------+

165: https://packages.debian.org/src:evenement
166: https://packages.debian.org/src:php-cocur-slugify
167: https://packages.debian.org/src:php-defuse-php-encryption
168: https://packages.debian.org/src:php-dflydev-fig-cookies
169: https://packages.debian.org/src:php-embed
170: https://packages.debian.org/src:php-fabiang-sasl
171: https://packages.debian.org/src:php-markdown
172: https://packages.debian.org/src:php-raintpl
173: https://packages.debian.org/src:php-react-child-process
174: https://packages.debian.org/src:php-react-http
175: https://packages.debian.org/src:php-respect-validation
176: https://packages.debian.org/src:php-robmorgan-phinx
177: https://packages.debian.org/src:ratchet-pawl
178: https://packages.debian.org/src:ratchet-rfc6455
179: https://packages.debian.org/src:ratchetphp
180: https://packages.debian.org/src:reactphp-cache
181: https://packages.debian.org/src:reactphp-dns
182: https://packages.debian.org/src:reactphp-event-loop
183: https://packages.debian.org/src:reactphp-promise-stream
184: https://packages.debian.org/src:reactphp-promise-timer
185: https://packages.debian.org/src:reactphp-socket
186: https://packages.debian.org/src:reactphp-stream

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.

URLs
----

The complete lists of packages that have changed with this revision:

https://deb.debian.org/debian/dists/bullseye/ChangeLog

The current stable distribution:

https://deb.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

https://deb.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

https://www.debian.org/security/

About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.

Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.