------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 12: 12.1 released                        press@debian.org
July 22nd, 2023                https://www.debian.org/News/2023/20230722
------------------------------------------------------------------------

The Debian project is pleased to announce the first update of its stable
distribution Debian 12 (codename "bookworm"). This point release mainly
adds corrections for security issues, along with a few adjustments for
serious problems. Security advisories have already been published
separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 12 but only updates some of the packages included. There is no
need to throw away old "bookworm" media. After installation, packages
can be upgraded to the current versions using an up-to-date Debian
mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors.
A comprehensive list of mirrors is available at:

    https://www.debian.org/mirror/list


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

+--------------------------+------------------------------------------+
| Package                  | Reason                                   |
+--------------------------+------------------------------------------+
| aide [1]                 | Properly handle creating the system      |
|                          | user; fix child directory processing on  |
|                          | equal match                              |
|                          |                                          |
| autofs [2]               | Fix hang when using Kerberos-            |
|                          | authenticated LDAP                       |
|                          |                                          |
| ayatana-indicator-       | Fix playing of custom alarm sounds       |
| datetime [3]             |                                          |
|                          |                                          |
| base-files [4]           | Update for the 12.1 point release        |
|                          |                                          |
| bepasty [5]              | Fix rendering of text uploads            |
|                          |                                          |
| boost1.81 [6]            | Add missing dependency on libboost-      |
|                          | json1.81.0 to libboost-json1.81-dev      |
|                          |                                          |
| bup [7]                  | Correctly restore POSIX ACLs             |
|                          |                                          |
| context [8]              | Enable socket in ConTeXt mtxrun          |
|                          |                                          |
| cpdb-libs [9]            | Fix a buffer overflow vulnerability      |
|                          | [CVE-2023-34095]                         |
|                          |                                          |
| cpp-httplib [10]         | Fix CRLF injection issue [CVE-2023-      |
|                          | 26130]                                   |
|                          |                                          |
| crowdsec [11]            | Fix default acquis.yaml to also include  |
|                          | the journalctl datasource, limited to    |
|                          | the ssh.service unit, making sure        |
|                          | acquisition works even without the       |
|                          | traditional auth.log file; make sure an  |
|                          | invalid datasource doesn't make the      |
|                          | engine error out                         |
|                          |                                          |
| cups [12]                | Security fixes: use-after-free           |
|                          | [CVE-2023-34241]; heap buffer overflow   |
|                          | [CVE-2023-32324]                         |
|                          |                                          |
| cvs [13]                 | Configure full path to ssh               |
|                          |                                          |
| dbus [14]                | New upstream stable release; fix denial  |
|                          | of service issue [CVE-2023-34969]; stop  |
|                          | trying to take DPKG_ROOT into account,   |
|                          | restoring copying of systemd's /etc/     |
|                          | machine-id in preference to creating an  |
|                          | entirely new machine ID                  |
|                          |                                          |
| debian-installer [15]    | Increase Linux kernel ABI to 6.1.0-10;   |
|                          | rebuild against proposed-updates         |
|                          |                                          |
| debian-installer-        | Rebuild against proposed-updates         |
| netboot-images [16]      |                                          |
|                          |                                          |
| desktop-base [17]        | Remove emerald alternatives on package   |
|                          | uninstallation                           |
|                          |                                          |
| dh-python [18]           | Re-introduce Breaks+Replaces on python2  |
|                          | needed to help apt in some upgrade       |
|                          | scenarios                                |
|                          |                                          |
| dkms [19]                | Add Breaks against obsolete,             |
|                          | incompatible *-dkms packages             |
|                          |                                          |
| dnf [20]                 | Fix default DNF const PYTHON_INSTALL_DIR |
|                          |                                          |
| dpdk [21]                | New upstream stable release              |
|                          |                                          |
| exim4 [22]               | Fix argument parsing for ${run }         |
|                          | expansion; fix ${srs_encode ..}          |
|                          | returning incorrect result every 1024    |
|                          | days                                     |
|                          |                                          |
| fai [23]                 | Fix IP address lifetime                  |
|                          |                                          |
| glibc [24]               | Fix a buffer overflow in gmon; fix a     |
|                          | deadlock in getaddrinfo (__check_pf)     |
|                          | with deferred cancellation; fix y2038    |
|                          | support in strftime on 32-bit            |
|                          | architectures; fix corner case parsing   |
|                          | of /etc/gshadow which can return bad     |
|                          | pointers, causing segfaults in           |
|                          | applications; fix a deadlock in system() |
|                          | when called concurrently from multiple   |
|                          | threads; cdefs: limit definition of      |
|                          | fortification macros to __FORTIFY_LEVEL  |
|                          | > 0 to support old C90 compilers         |
|                          |                                          |
| gnome-control-           | New upstream bugfix release              |
| center [25]              |                                          |
|                          |                                          |
| gnome-maps [26]          | New upstream bugfix release              |
|                          |                                          |
| gnome-shell [27]         | New upstream bugfix release              |
|                          |                                          |
| gnome-software [28]      | New upstream release; memory leak fixes  |
|                          |                                          |
| gosa [29]                | Silence PHP 8.2 deprecation warnings;    |
|                          | fix missing template in default theme;   |
|                          | fix table styling; fix use of debugLevel |
|                          | > 0                                      |
|                          |                                          |
| groonga [30]             | Fix documentation links                  |
|                          |                                          |
| guestfs-tools [31]       | Security update [CVE-2022-2211]          |
|                          |                                          |
| indent [32]              | Restore the ROUND_UP macro and adjust    |
|                          | the initial buffer size                  |
|                          |                                          |
| installation-guide [33]  | Enable Indonesian translation            |
|                          |                                          |
| kanboard [34]            | Fix malicious injection of HTML tags     |
|                          | into DOM [CVE-2023-32685]; fix           |
|                          | parameter-based indirect object          |
|                          | referencing leading to private file      |
|                          | exposure [CVE-2023-33956]; fix missing   |
|                          | access controls [CVE-2023-33968,         |
|                          | CVE-2023-33970]; fix stored XSS in Task  |
|                          | External Link functionality [CVE-2023-   |
|                          | 33969]                                   |
|                          |                                          |
| kf5-messagelib [35]      | Search also for subkeys                  |
|                          |                                          |
| libmatekbd [36]          | Fix memory leaks                         |
|                          |                                          |
| libnginx-mod-http-       | Binary rebuild with pcre2                |
| modsecurity [37]         |                                          |
|                          |                                          |
| libreoffice [38]         | New upstream bugfix release              |
|                          |                                          |
| libreswan [39]           | Fix potential denial-of-service issue    |
|                          | [CVE-2023-30570]                         |
|                          |                                          |
| libxml2 [40]             | Fix NULL pointer dereference issue       |
|                          | [CVE-2022-2309]                          |
|                          |                                          |
| linux [41]               | New upstream stable release; netfilter:  |
|                          | nf_tables: do not ignore genmask when    |
|                          | looking up chain by id [CVE-2023-31248], |
|                          | prevent OOB access in nft_byteorder_eval |
|                          | [CVE-2023-35001]                         |
|                          |                                          |
| linux-signed-amd64 [42]  | New upstream stable release; netfilter:  |
|                          | nf_tables: do not ignore genmask when    |
|                          | looking up chain by id [CVE-2023-31248], |
|                          | prevent OOB access in nft_byteorder_eval |
|                          | [CVE-2023-35001]                         |
|                          |                                          |
| linux-signed-arm64 [43]  | New upstream stable release; netfilter:  |
|                          | nf_tables: do not ignore genmask when    |
|                          | looking up chain by id [CVE-2023-31248], |
|                          | prevent OOB access in nft_byteorder_eval |
|                          | [CVE-2023-35001]                         |
|                          |                                          |
| linux-signed-i386 [44]   | New upstream stable release; netfilter:  |
|                          | nf_tables: do not ignore genmask when    |
|                          | looking up chain by id [CVE-2023-31248], |
|                          | prevent OOB access in nft_byteorder_eval |
|                          | [CVE-2023-35001]                         |
|                          |                                          |
| mailman3 [45]            | Drop redundant cron job; handle ordering |
|                          | of services when MariaDB is present      |
|                          |                                          |
| marco [46]               | Show correct window title when owned by  |
|                          | superuser                                |
|                          |                                          |
| mate-control-center [47] | Fix several memory leaks                 |
|                          |                                          |
| mate-power-manager [48]  | Fix several memory leaks                 |
|                          |                                          |
| mate-session-            | Fix several memory leaks; allow clutter  |
| manager [49]             | backends other than x11                  |
|                          |                                          |
| multipath-tools [50]     | Hide underlying paths from LVM; prevent  |
|                          | initial service failure on new           |
|                          | installations                            |
|                          |                                          |
| mutter [51]              | New upstream bugfix release              |
|                          |                                          |
| network-manager-         | Build editor component with GTK 4        |
| strongswan [52]          | support                                  |
|                          |                                          |
| nfdump [53]              | Return success when starting; fix        |
|                          | segfault in option parsing               |
|                          |                                          |
| nftables [54]            | Fix regression in set listing format     |
|                          |                                          |
| node-openpgp-seek-       | Correct installation of files in seek-   |
| bzip [55]                | bzip package                             |
|                          |                                          |
| node-tough-cookie [56]   | Fix prototype pollution issue [CVE-2023- |
|                          | 26136]                                   |
|                          |                                          |
| node-undici [57]         | Security fixes: protect "Host" HTTP      |
|                          | header from CRLF injection [CVE-2023-    |
|                          | 23936]; potential ReDoS on Headers.set   |
|                          | and Headers.append [CVE-2023-24807]      |
|                          |                                          |
| node-webpack [58]        | Security fix (cross-realm objects)       |
|                          | [CVE-2023-28154]                         |
|                          |                                          |
| nvidia-cuda-toolkit [59] | Update bundled openjdk-8-jre             |
|                          |                                          |
| nvidia-graphics-         | New upstream stable release; security    |
| drivers [60]             | fixes [CVE-2023-25515 CVE-2023-25516]    |
|                          |                                          |
| nvidia-graphics-drivers- | New upstream stable release; security    |
| tesla [61]               | fixes [CVE-2023-25515 CVE-2023-25516]    |
|                          |                                          |
| nvidia-graphics-drivers- | New upstream stable release; security    |
| tesla-470 [62]           | fixes [CVE-2023-25515 CVE-2023-25516]    |
|                          |                                          |
| nvidia-modprobe [63]     | New upstream bugfix release              |
|                          |                                          |
| nvidia-open-gpu-kernel-  | New upstream stable release; security    |
| modules [64]             | fixes [CVE-2023-25515 CVE-2023-25516]    |
|                          |                                          |
| nvidia-support [65]      | Add Breaks against incompatible packages |
|                          | from bullseye                            |
|                          |                                          |
| onionshare [66]          | Fix installation of desktop furniture    |
|                          |                                          |
| openvpn [67]             | Fix memory leak and dangling pointer     |
|                          | (possible crash vector)                  |
|                          |                                          |
| pacemaker [68]           | Fix regression in the resource scheduler |
|                          |                                          |
| postfix [69]             | New upstream bugfix release; fix         |
|                          | "postfix set-permissions"                |
|                          |                                          |
| proftpd-dfsg [70]        | Do not enable inetd-style socket at      |
|                          | installation                             |
|                          |                                          |
| qemu [71]                | New upstream stable release; fix USB     |
|                          | devices not being available to XEN HVM   |
|                          | domUs; 9pfs: prevent opening special     |
|                          | files [CVE-2023-2861]; fix reentrancy    |
|                          | issues in the LSI controller [CVE-2023-  |
|                          | 0330]                                    |
|                          |                                          |
| request-tracker5 [72]    | Fix links to documentation               |
|                          |                                          |
| rime-cantonese [73]      | Sort words and characters by frequency   |
|                          |                                          |
| rime-luna-pinyin [74]    | Install missing pinyin schema data       |
|                          |                                          |
| samba [75]               | New upstream stable release; ensure      |
|                          | manpages are generated during build;     |
|                          | enable ability to store kerberos tickets |
|                          | in kernel keyring; fix build issues on   |
|                          | armel and mipsel; fix windows logon/     |
|                          | trust issues with 2023-07 windows        |
|                          | updates                                  |
|                          |                                          |
| schleuder-cli [76]       | Security fix (value escaping)            |
|                          |                                          |
| smarty4 [77]             | Fix arbitrary code execution issue       |
|                          | [CVE-2023-28447]                         |
|                          |                                          |
| spip [78]                | Various security issues; security fix    |
|                          | (authentication data filtering)          |
|                          |                                          |
| sra-sdk [79]             | Fix installation of files in libngs-java |
|                          |                                          |
| sudo [80]                | Fix event log format                     |
|                          |                                          |
| systemd [81]             | New upstream bugfix release              |
|                          |                                          |
| tang [82]                | Fix race condition when creating/        |
|                          | rotating keys [CVE-2023-1672]            |
|                          |                                          |
| texlive-bin [83]         | Disable socket in luatex by default      |
|                          | [CVE-2023-32668]; make installable on    |
|                          | i386                                     |
|                          |                                          |
| unixodbc [84]            | Add Breaks+Replaces against              |
|                          | odbcinst1debian1                         |
|                          |                                          |
| usb.ids [85]             | Update included data                     |
|                          |                                          |
| vm [86]                  | Disable byte compilation                 |
|                          |                                          |
| vte2.91 [87]             | New upstream bugfix release              |
|                          |                                          |
| xerial-sqlite-jdbc [88]  | Use a UUID for connection ID [CVE-2023-  |
|                          | 32697]                                   |
|                          |                                          |
| yajl [89]                | Memory leak security fix; fix denial of  |
|                          | service issue [CVE-2017-16516], integer  |
|                          | overflow issue [CVE-2022-24795]          |
|                          |                                          |
+--------------------------+------------------------------------------+

    1: https://packages.debian.org/src:aide
    2: https://packages.debian.org/src:autofs
    3: https://packages.debian.org/src:ayatana-indicator-datetime
    4: https://packages.debian.org/src:base-files
    5: https://packages.debian.org/src:bepasty
    6: https://packages.debian.org/src:boost1.81
    7: https://packages.debian.org/src:bup
    8: https://packages.debian.org/src:context
    9: https://packages.debian.org/src:cpdb-libs
   10: https://packages.debian.org/src:cpp-httplib
   11: https://packages.debian.org/src:crowdsec
   12: https://packages.debian.org/src:cups
   13: https://packages.debian.org/src:cvs
   14: https://packages.debian.org/src:dbus
   15: https://packages.debian.org/src:debian-installer
   16: https://packages.debian.org/src:debian-installer-netboot-images
   17: https://packages.debian.org/src:desktop-base
   18: https://packages.debian.org/src:dh-python
   19: https://packages.debian.org/src:dkms
   20: https://packages.debian.org/src:dnf
   21: https://packages.debian.org/src:dpdk
   22: https://packages.debian.org/src:exim4
   23: https://packages.debian.org/src:fai
   24: https://packages.debian.org/src:glibc
   25: https://packages.debian.org/src:gnome-control-center
   26: https://packages.debian.org/src:gnome-maps
   27: https://packages.debian.org/src:gnome-shell
   28: https://packages.debian.org/src:gnome-software
   29: https://packages.debian.org/src:gosa
   30: https://packages.debian.org/src:groonga
   31: https://packages.debian.org/src:guestfs-tools
   32: https://packages.debian.org/src:indent
   33: https://packages.debian.org/src:installation-guide
   34: https://packages.debian.org/src:kanboard
   35: https://packages.debian.org/src:kf5-messagelib
   36: https://packages.debian.org/src:libmatekbd
   37: https://packages.debian.org/src:libnginx-mod-http-modsecurity
   38: https://packages.debian.org/src:libreoffice
   39: https://packages.debian.org/src:libreswan
   40: https://packages.debian.org/src:libxml2
   41: https://packages.debian.org/src:linux
   42: https://packages.debian.org/src:linux-signed-amd64
   43: https://packages.debian.org/src:linux-signed-arm64
   44: https://packages.debian.org/src:linux-signed-i386
   45: https://packages.debian.org/src:mailman3
   46: https://packages.debian.org/src:marco
   47: https://packages.debian.org/src:mate-control-center
   48: https://packages.debian.org/src:mate-power-manager
   49: https://packages.debian.org/src:mate-session-manager
   50: https://packages.debian.org/src:multipath-tools
   51: https://packages.debian.org/src:mutter
   52: https://packages.debian.org/src:network-manager-strongswan
   53: https://packages.debian.org/src:nfdump
   54: https://packages.debian.org/src:nftables
   55: https://packages.debian.org/src:node-openpgp-seek-bzip
   56: https://packages.debian.org/src:node-tough-cookie
   57: https://packages.debian.org/src:node-undici
   58: https://packages.debian.org/src:node-webpack
   59: https://packages.debian.org/src:nvidia-cuda-toolkit
   60: https://packages.debian.org/src:nvidia-graphics-drivers
   61: https://packages.debian.org/src:nvidia-graphics-drivers-tesla
   62: https://packages.debian.org/src:nvidia-graphics-drivers-tesla-470
   63: https://packages.debian.org/src:nvidia-modprobe
   64: https://packages.debian.org/src:nvidia-open-gpu-kernel-modules
   65: https://packages.debian.org/src:nvidia-support
   66: https://packages.debian.org/src:onionshare
   67: https://packages.debian.org/src:openvpn
   68: https://packages.debian.org/src:pacemaker
   69: https://packages.debian.org/src:postfix
   70: https://packages.debian.org/src:proftpd-dfsg
   71: https://packages.debian.org/src:qemu
   72: https://packages.debian.org/src:request-tracker5
   73: https://packages.debian.org/src:rime-cantonese
   74: https://packages.debian.org/src:rime-luna-pinyin
   75: https://packages.debian.org/src:samba
   76: https://packages.debian.org/src:schleuder-cli
   77: https://packages.debian.org/src:smarty4
   78: https://packages.debian.org/src:spip
   79: https://packages.debian.org/src:sra-sdk
   80: https://packages.debian.org/src:sudo
   81: https://packages.debian.org/src:systemd
   82: https://packages.debian.org/src:tang
   83: https://packages.debian.org/src:texlive-bin
   84: https://packages.debian.org/src:unixodbc
   85: https://packages.debian.org/src:usb.ids
   86: https://packages.debian.org/src:vm
   87: https://packages.debian.org/src:vte2.91
   88: https://packages.debian.org/src:xerial-sqlite-jdbc
   89: https://packages.debian.org/src:yajl


Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+----------------+---------------------------+
| Advisory ID    | Package                   |
+----------------+---------------------------+
| DSA-5423 [90]  | thunderbird [91]          |
|                |                           |
| DSA-5425 [92]  | php8.2 [93]               |
|                |                           |
| DSA-5427 [94]  | webkit2gtk [95]           |
|                |                           |
| DSA-5428 [96]  | chromium [97]             |
|                |                           |
| DSA-5429 [98]  | wireshark [99]            |
|                |                           |
| DSA-5430 [100] | openjdk-17 [101]          |
|                |                           |
| DSA-5432 [102] | xmltooling [103]          |
|                |                           |
| DSA-5433 [104] | libx11 [105]              |
|                |                           |
| DSA-5434 [106] | minidlna [107]            |
|                |                           |
| DSA-5435 [108] | trafficserver [109]       |
|                |                           |
| DSA-5436 [110] | hsqldb1.8.0 [111]         |
|                |                           |
| DSA-5437 [112] | hsqldb [113]              |
|                |                           |
| DSA-5439 [114] | bind9 [115]               |
|                |                           |
| DSA-5440 [116] | chromium [117]            |
|                |                           |
| DSA-5443 [118] | gst-plugins-base1.0 [119] |
|                |                           |
| DSA-5444 [120] | gst-plugins-bad1.0 [121]  |
|                |                           |
| DSA-5445 [122] | gst-plugins-good1.0 [123] |
|                |                           |
| DSA-5446 [124] | ghostscript [125]         |
|                |                           |
| DSA-5447 [126] | mediawiki [127]           |
|                |                           |
| DSA-5448 [128] | linux-signed-amd64 [129]  |
|                |                           |
| DSA-5448 [130] | linux-signed-arm64 [131]  |
|                |                           |
| DSA-5448 [132] | linux-signed-i386 [133]   |
|                |                           |
| DSA-5448 [134] | linux [135]               |
|                |                           |
| DSA-5449 [136] | webkit2gtk [137]          |
|                |                           |
| DSA-5450 [138] | firefox-esr [139]         |
|                |                           |
| DSA-5451 [140] | thunderbird [141]         |
|                |                           |
+----------------+---------------------------+

   90: https://www.debian.org/security/2023/dsa-5423
   91: https://packages.debian.org/src:thunderbird
   92: https://www.debian.org/security/2023/dsa-5425
   93: https://packages.debian.org/src:php8.2
   94: https://www.debian.org/security/2023/dsa-5427
   95: https://packages.debian.org/src:webkit2gtk
   96: https://www.debian.org/security/2023/dsa-5428
   97: https://packages.debian.org/src:chromium
   98: https://www.debian.org/security/2023/dsa-5429
   99: https://packages.debian.org/src:wireshark
  100: https://www.debian.org/security/2023/dsa-5430
  101: https://packages.debian.org/src:openjdk-17
  102: https://www.debian.org/security/2023/dsa-5432
  103: https://packages.debian.org/src:xmltooling
  104: https://www.debian.org/security/2023/dsa-5433
  105: https://packages.debian.org/src:libx11
  106: https://www.debian.org/security/2023/dsa-5434
  107: https://packages.debian.org/src:minidlna
  108: https://www.debian.org/security/2023/dsa-5435
  109: https://packages.debian.org/src:trafficserver
  110: https://www.debian.org/security/2023/dsa-5436
  111: https://packages.debian.org/src:hsqldb1.8.0
  112: https://www.debian.org/security/2023/dsa-5437
  113: https://packages.debian.org/src:hsqldb
  114: https://www.debian.org/security/2023/dsa-5439
  115: https://packages.debian.org/src:bind9
  116: https://www.debian.org/security/2023/dsa-5440
  117: https://packages.debian.org/src:chromium
  118: https://www.debian.org/security/2023/dsa-5443
  119: https://packages.debian.org/src:gst-plugins-base1.0
  120: https://www.debian.org/security/2023/dsa-5444
  121: https://packages.debian.org/src:gst-plugins-bad1.0
  122: https://www.debian.org/security/2023/dsa-5445
  123: https://packages.debian.org/src:gst-plugins-good1.0
  124: https://www.debian.org/security/2023/dsa-5446
  125: https://packages.debian.org/src:ghostscript
  126: https://www.debian.org/security/2023/dsa-5447
  127: https://packages.debian.org/src:mediawiki
  128: https://www.debian.org/security/2023/dsa-5448
  129: https://packages.debian.org/src:linux-signed-amd64
  130: https://www.debian.org/security/2023/dsa-5448
  131: https://packages.debian.org/src:linux-signed-arm64
  132: https://www.debian.org/security/2023/dsa-5448
  133: https://packages.debian.org/src:linux-signed-i386
  134: https://www.debian.org/security/2023/dsa-5448
  135: https://packages.debian.org/src:linux
  136: https://www.debian.org/security/2023/dsa-5449
  137: https://packages.debian.org/src:webkit2gtk
  138: https://www.debian.org/security/2023/dsa-5450
  139: https://packages.debian.org/src:firefox-esr
  140: https://www.debian.org/security/2023/dsa-5451
  141: https://packages.debian.org/src:thunderbird


Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.


URLs
----

The complete lists of packages that have changed with this revision:

    https://deb.debian.org/debian/dists/bookworm/ChangeLog

The current stable distribution:

    https://deb.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

    https://deb.debian.org/debian/dists/proposed-updates

Stable distribution information (release notes, errata etc.):

    https://www.debian.org/releases/stable/

Security announcements and information:

    https://www.debian.org/security/


About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.


Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.