
Updated Debian 11: 11.11 released



------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 11: 11.11 released                       press@debian.org
August 31st, 2024            https://www.debian.org/News/2024/2024083102
------------------------------------------------------------------------


The Debian project is pleased to announce the eleventh and final update
of its oldstable distribution Debian 11 (codename "bullseye"). This
point release mainly adds corrections for security issues, along with a
few adjustments for serious problems. Security advisories have already
been published separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 11 but only updates some of the packages included. There is no
need to throw away old "bullseye" media. After installation, packages
can be upgraded to the current versions using an up-to-date Debian
mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list



Secure Boot and other operating systems
---------------------------------------

Users who boot other operating systems on the same hardware, and who
have Secure Boot enabled, should be aware that shim 15.8 (included with
Debian 11.11) revokes signatures across older versions of shim in the
UEFI firmware. This may leave other operating systems using shim before
15.8 unable to boot.

Affected users can temporarily disable Secure Boot before updating other
operating systems.
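Shim applies revocations of this kind through SBAT: each signed boot component carries a .sbat section naming its component and a generation number, and shim compares those against the minimum generations recorded in the firmware's SbatLevel policy, refusing to load anything that falls below them. The following is an added example that models that comparison; it is not Debian's or shim's code, and the policy text, .sbat sections, URLs and the exact generation numbers in it are constructed for illustration.

```python
"""Model of the SBAT generation check behind shim's revocation of older
shims.  Added example for this announcement; not Debian's or shim's code.
All policy and section contents below are constructed for illustration."""

# Constructed SbatLevel policy, in the CSV layout shim stores in its UEFI
# variable: a "sbat,<version>,<date>" header followed by one
# "<component>,<minimum generation>" line per revoked component.
SAMPLE_SBATLEVEL = "sbat,1,2024010900\nshim,4\ngrub,3\n"

# Constructed .sbat sections of two hypothetical signed shim binaries.  Each
# line is "<component>,<generation>,<vendor>,<package>,<version>,<url>".
OLD_SHIM_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://example.invalid/SBAT.md\n"
    "shim,1,UEFI shim,shim,15.4,https://example.invalid/shim\n"
)
NEW_SHIM_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://example.invalid/SBAT.md\n"
    "shim,4,UEFI shim,shim,15.8,https://example.invalid/shim\n"
)


def _rows(text):
    """Split CSV text into non-empty lists of stripped fields."""
    return [
        [f.strip() for f in line.split(",")]
        for line in text.splitlines()
        if line.strip()
    ]


def parse_sbatlevel(policy_text):
    """Map component name -> minimum accepted generation.

    The header row carries a date in its third field; only the generation
    in field 2 takes part in the comparison, so the date is ignored.
    """
    required = {}
    for fields in _rows(policy_text):
        if len(fields) < 2:
            raise ValueError(f"malformed SbatLevel row: {fields!r}")
        required[fields[0]] = int(fields[1])
    return required


def parse_sbat_section(section_text):
    """Map component name -> generation claimed by a binary's .sbat section."""
    claimed = {}
    for fields in _rows(section_text):
        if len(fields) < 2:
            raise ValueError(f"malformed .sbat row: {fields!r}")
        claimed[fields[0]] = int(fields[1])
    return claimed


def sbat_check(policy_text, section_text):
    """Return the list of revocation reasons; an empty list means loadable.

    A binary is revoked when any component it declares appears in the policy
    with a minimum generation higher than the one the binary claims.
    Components the policy does not mention are left unconstrained.
    """
    required = parse_sbatlevel(policy_text)
    claimed = parse_sbat_section(section_text)
    reasons = []
    for component, generation in claimed.items():
        minimum = required.get(component)
        if minimum is not None and generation < minimum:
            reasons.append(
                f"{component} generation {generation} < required {minimum}"
            )
    return reasons


if __name__ == "__main__":
    for name, section in (("old shim", OLD_SHIM_SBAT), ("new shim", NEW_SHIM_SBAT)):
        reasons = sbat_check(SAMPLE_SBATLEVEL, section)
        print(name, "->", "loads" if not reasons else "; ".join(reasons))
```

Because the policy lives in a UEFI variable rather than on disk, a raised SbatLevel persists after the shim that raised it is gone, which is why every other installation sharing the firmware must already carry components at or above the new generations before the update is applied. The model leaves out the fact that shim, with SBAT enforced, also refuses binaries that have no .sbat section at all.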


Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following
packages:

+----------------------+------------------------------------------------+
| Package              | Reason                                         |
+----------------------+------------------------------------------------+
| amd64-microcode [1]  | New upstream release; security fixes           |
|                      | [CVE-2023-31315]; SEV firmware fixes           |
|                      | [CVE-2023-20584 CVE-2023-31356]                |
|                      |                                                |
| ansible [2]          | New upstream stable release; fix template      |
|                      | injection issue [CVE-2021-3583], information   |
|                      | disclosure issue [CVE-2021-3620], file         |
|                      | overwrite issue [CVE-2023-5115], template      |
|                      | injection issue [CVE-2023-5764], information   |
|                      | disclosure issues [CVE-2024-0690 CVE-2022-     |
|                      | 3697]; document workaround for ec2 private key |
|                      | leak [CVE-2023-4237]                           |
|                      |                                                |
| apache2 [3]          | New upstream stable release; fix content       |
|                      | disclosure issue [CVE-2024-40725]              |
|                      |                                                |
| base-files [4]       | Update for the point release                   |
|                      |                                                |
| bind9 [5]            | Allow the limits introduced to fix CVE-2024-   |
|                      | 1737 to be configured                          |
|                      |                                                |
| calibre [6]          | Fix cross site scripting issue [CVE-2024-      |
|                      | 7008], SQL injection issue [CVE-2024-7009]     |
|                      |                                                |
| choose-mirror [7]    | Update list of available mirrors               |
|                      |                                                |
| cjson [8]            | Add NULL checks to cJSON_SetValuestring and    |
|                      | cJSON_InsertItemInArray [CVE-2023-50472        |
|                      | CVE-2023-50471 CVE-2024-31755]                 |
|                      |                                                |
| cups [9]             | Fix issues with domain socket handling         |
|                      | [CVE-2024-35235]; fix regression when domain   |
|                      | sockets only are used                          |
|                      |                                                |
| curl [10]            | Fix ASN.1 date parser overread issue           |
|                      | [CVE-2024-7264]                                |
|                      |                                                |
| debian-              | Increase Linux kernel ABI to 5.10.0-32;        |
| installer [11]       | rebuild against proposed-updates               |
|                      |                                                |
| debian-installer-    | Rebuild against proposed-updates               |
| netboot-images [12]  |                                                |
|                      |                                                |
| dropbear [13]        | Fix "noremotetcp" behaviour of keepalive       |
|                      | packets in combination with the "no-port-      |
|                      | forwarding" authorized_keys(5) restriction     |
|                      |                                                |
| fusiondirectory [14] | Backport compatibility with php-cas version    |
|                      | addressing CVE-2022-39369; fix improper        |
|                      | session handling issue [CVE-2022-36179]; fix   |
|                      | cross site scripting issue [CVE-2022-36180]    |
|                      |                                                |
| gettext.js [15]      | Fix server side request forgery issue          |
|                      | [CVE-2024-43370]                               |
|                      |                                                |
| glewlwyd [16]        | Fix buffer overflow during webauthn signature  |
|                      | assertion [CVE-2022-27240]; prevent directory  |
|                      | traversal in                                   |
|                      | static_compressed_inmemory_website_callback.c  |
|                      | [CVE-2022-29967]; copy bootstrap, jquery,      |
|                      | fork-awesome instead of linking them; buffer   |
|                      | overflow during FIDO2 signature validation     |
|                      | [CVE-2023-49208]                               |
|                      |                                                |
| glibc [17]           | Fix ffsll() performance issue depending on     |
|                      | code alignment; performance improvements for   |
|                      | memcpy() on arm64; fix y2038 regression in     |
|                      | nscd following CVE-2024-33601 and CVE-2024-    |
|                      | 33602 fix                                      |
|                      |                                                |
| graphviz [18]        | Fix broken scaling                             |
|                      |                                                |
| gtk+2.0 [19]         | Avoid looking for modules in current working   |
|                      | directory [CVE-2024-6655]                      |
|                      |                                                |
| gtk+3.0 [20]         | Avoid looking for modules in current working   |
|                      | directory [CVE-2024-6655]                      |
|                      |                                                |
| healpix-java [21]    | Fix build failure                              |
|                      |                                                |
| imagemagick [22]     | Fix divide by zero issues [CVE-2021-20312      |
|                      | CVE-2021-20313]; fix incomplete fix for        |
|                      | CVE-2023-34151                                 |
|                      |                                                |
| indent [23]          | Reinstate ROUND_UP macro and adjust the        |
|                      | initial buffer size to fix memory handling     |
|                      | problems; fix out-of-buffer read in            |
|                      | search_brace()/lexi(); fix heap buffer         |
|                      | overwrite in search_brace() [CVE-2023-40305];  |
|                      | heap buffer underread in set_buf_break()       |
|                      | [CVE-2024-0911]                                |
|                      |                                                |
| intel-microcode [24] | New upstream release; security fixes           |
|                      | [CVE-2023-42667 CVE-2023-49141 CVE-2024-24853  |
|                      | CVE-2024-24980 CVE-2024-25939]                 |
|                      |                                                |
| libvirt [25]         | Fix sVirt confinement issue [CVE-2021-3631],   |
|                      | use after free issue [CVE-2021-3975], denial   |
|                      | of service issues [CVE-2021-3667 CVE-2021-4147 |
|                      | CVE-2022-0897 CVE-2024-1441 CVE-2024-2494      |
|                      | CVE-2024-2496]                                 |
|                      |                                                |
| midge [26]           | Exclude examples/covers/* for DFSG-compliance; |
|                      | add build-arch/build-indep build targets; use  |
|                      | quilt (3.0) source package format              |
|                      |                                                |
| mlpost [27]          | Fix build failure with newer ImageMagick       |
|                      | versions                                       |
|                      |                                                |
| net-tools [28]       | Drop build-dependency on libdnet-dev           |
|                      |                                                |
| nfs-utils [29]       | Pass all valid export flags to nfsd            |
|                      |                                                |
| ntfs-3g [30]         | Fix use-after-free in                          |
|                      | "ntfs_uppercase_mbs" [CVE-2023-52890]          |
|                      |                                                |
| nvidia-graphics-     | Fix use of GPL-only symbols causing build      |
| drivers-             | failures                                       |
| tesla-418 [31]       |                                                |
|                      |                                                |
| nvidia-graphics-     | New upstream stable release                    |
| drivers-             |                                                |
| tesla-450 [32]       |                                                |
|                      |                                                |
| nvidia-graphics-     | New upstream stable release                    |
| drivers-             |                                                |
| tesla-460 [33]       |                                                |
|                      |                                                |
| ocsinventory-        | Backport compatibility with php-cas version    |
| server [34]          | addressing CVE-2022-39369                      |
|                      |                                                |
| onionshare [35]      | Demote obfs4proxy dependency to Recommends, to |
|                      | allow removal of obfs4proxy                    |
|                      |                                                |
| php-cas [36]         | Fix Service Hostname Discovery Exploitation    |
|                      | issue [CVE-2022-39369]                         |
|                      |                                                |
| poe.app [37]         | Make comment cells editable; fix drawing when  |
|                      | an NSActionCell in the preferences is acted on |
|                      | to change state                                |
|                      |                                                |
| putty [38]           | Fix weak ECDSA nonce generation allowing       |
|                      | secret key recovery [CVE-2024-31497]           |
|                      |                                                |
| riemann-c-           | Prevent malformed payload in GnuTLS send/      |
| client [39]          | receive operations                             |
|                      |                                                |
| runc [40]            | Fix busybox tarball url; prevent buffer        |
|                      | overflow writing netlink messages [CVE-2021-   |
|                      | 43784]; fix tests on newer kernels; prevent    |
|                      | write access to user-owned cgroup hierarchy    |
|                      | "/sys/fs/cgroup/user.slice/..." [CVE-2023-     |
|                      | 25809]; fix access control regression          |
|                      | [CVE-2023-27561 CVE-2023-28642]                |
|                      |                                                |
| rustc-web [41]       | New upstream stable release, to support        |
|                      | building new chromium and firefox-esr versions |
|                      |                                                |
| shim [42]            | New upstream release                           |
|                      |                                                |
| shim-helpers-amd64-  | Rebuild against shim 15.8.1                    |
| signed [43]          |                                                |
|                      |                                                |
| shim-helpers-arm64-  | Rebuild against shim 15.8.1                    |
| signed [44]          |                                                |
|                      |                                                |
| shim-helpers-i386-   | Rebuild against shim 15.8.1                    |
| signed [45]          |                                                |
|                      |                                                |
| shim-signed [46]     | New upstream stable release                    |
|                      |                                                |
| symfony [47]         | Fix autoloading of HttpClient                  |
|                      |                                                |
| trinity [48]         | Fix build failure by dropping support for      |
|                      | DECNET                                         |
|                      |                                                |
| usb.ids [49]         | Update included data list                      |
|                      |                                                |
| xmedcon [50]         | Fix heap overflow [CVE-2024-29421]             |
|                      |                                                |
+----------------------+------------------------------------------------+

    1: https://packages.debian.org/src:amd64-microcode
    2: https://packages.debian.org/src:ansible
    3: https://packages.debian.org/src:apache2
    4: https://packages.debian.org/src:base-files
    5: https://packages.debian.org/src:bind9
    6: https://packages.debian.org/src:calibre
    7: https://packages.debian.org/src:choose-mirror
    8: https://packages.debian.org/src:cjson
    9: https://packages.debian.org/src:cups
   10: https://packages.debian.org/src:curl
   11: https://packages.debian.org/src:debian-installer
   12: https://packages.debian.org/src:debian-installer-netboot-images
   13: https://packages.debian.org/src:dropbear
   14: https://packages.debian.org/src:fusiondirectory
   15: https://packages.debian.org/src:gettext.js
   16: https://packages.debian.org/src:glewlwyd
   17: https://packages.debian.org/src:glibc
   18: https://packages.debian.org/src:graphviz
   19: https://packages.debian.org/src:gtk+2.0
   20: https://packages.debian.org/src:gtk+3.0
   21: https://packages.debian.org/src:healpix-java
   22: https://packages.debian.org/src:imagemagick
   23: https://packages.debian.org/src:indent
   24: https://packages.debian.org/src:intel-microcode
   25: https://packages.debian.org/src:libvirt
   26: https://packages.debian.org/src:midge
   27: https://packages.debian.org/src:mlpost
   28: https://packages.debian.org/src:net-tools
   29: https://packages.debian.org/src:nfs-utils
   30: https://packages.debian.org/src:ntfs-3g
   31: https://packages.debian.org/src:nvidia-graphics-drivers-tesla-418
   32: https://packages.debian.org/src:nvidia-graphics-drivers-tesla-450
   33: https://packages.debian.org/src:nvidia-graphics-drivers-tesla-460
   34: https://packages.debian.org/src:ocsinventory-server
   35: https://packages.debian.org/src:onionshare
   36: https://packages.debian.org/src:php-cas
   37: https://packages.debian.org/src:poe.app
   38: https://packages.debian.org/src:putty
   39: https://packages.debian.org/src:riemann-c-client
   40: https://packages.debian.org/src:runc
   41: https://packages.debian.org/src:rustc-web
   42: https://packages.debian.org/src:shim
   43: https://packages.debian.org/src:shim-helpers-amd64-signed
   44: https://packages.debian.org/src:shim-helpers-arm64-signed
   45: https://packages.debian.org/src:shim-helpers-i386-signed
   46: https://packages.debian.org/src:shim-signed
   47: https://packages.debian.org/src:symfony
   48: https://packages.debian.org/src:trinity
   49: https://packages.debian.org/src:usb.ids
   50: https://packages.debian.org/src:xmedcon

Security Updates
----------------

This revision adds the following security updates to the oldstable
release. The Security Team has already released an advisory for each of
these updates:

+----------------+--------------------------+
| Advisory ID    | Package                  |
+----------------+--------------------------+
| DSA-5718 [51]  | org-mode [52]            |
|                |                          |
| DSA-5719 [53]  | emacs [54]               |
|                |                          |
| DSA-5721 [55]  | ffmpeg [56]              |
|                |                          |
| DSA-5722 [57]  | libvpx [58]              |
|                |                          |
| DSA-5723 [59]  | plasma-workspace [60]    |
|                |                          |
| DSA-5725 [61]  | znc [62]                 |
|                |                          |
| DSA-5726 [63]  | krb5 [64]                |
|                |                          |
| DSA-5727 [65]  | firefox-esr [66]         |
|                |                          |
| DSA-5728 [67]  | exim4 [68]               |
|                |                          |
| DSA-5729 [69]  | apache2 [70]             |
|                |                          |
| DSA-5730 [71]  | linux-signed-amd64 [72]  |
|                |                          |
| DSA-5730 [73]  | linux-signed-arm64 [74]  |
|                |                          |
| DSA-5730 [75]  | linux-signed-i386 [76]   |
|                |                          |
| DSA-5730 [77]  | linux [78]               |
|                |                          |
| DSA-5734 [79]  | bind9 [80]               |
|                |                          |
| DSA-5736 [81]  | openjdk-11 [82]          |
|                |                          |
| DSA-5737 [83]  | libreoffice [84]         |
|                |                          |
| DSA-5738 [85]  | openjdk-17 [86]          |
|                |                          |
| DSA-5739 [87]  | wpa [88]                 |
|                |                          |
| DSA-5740 [89]  | firefox-esr [90]         |
|                |                          |
| DSA-5742 [91]  | odoo [92]                |
|                |                          |
| DSA-5743 [93]  | roundcube [94]           |
|                |                          |
| DSA-5746 [95]  | postgresql-13 [96]       |
|                |                          |
| DSA-5747 [97]  | linux-signed-amd64 [98]  |
|                |                          |
| DSA-5747 [99]  | linux-signed-arm64 [100] |
|                |                          |
| DSA-5747 [101] | linux-signed-i386 [102]  |
|                |                          |
| DSA-5747 [103] | linux [104]              |
|                |                          |
+----------------+--------------------------+

   51: https://www.debian.org/security/2024/dsa-5718
   52: https://packages.debian.org/src:org-mode
   53: https://www.debian.org/security/2024/dsa-5719
   54: https://packages.debian.org/src:emacs
   55: https://www.debian.org/security/2024/dsa-5721
   56: https://packages.debian.org/src:ffmpeg
   57: https://www.debian.org/security/2024/dsa-5722
   58: https://packages.debian.org/src:libvpx
   59: https://www.debian.org/security/2024/dsa-5723
   60: https://packages.debian.org/src:plasma-workspace
   61: https://www.debian.org/security/2024/dsa-5725
   62: https://packages.debian.org/src:znc
   63: https://www.debian.org/security/2024/dsa-5726
   64: https://packages.debian.org/src:krb5
   65: https://www.debian.org/security/2024/dsa-5727
   66: https://packages.debian.org/src:firefox-esr
   67: https://www.debian.org/security/2024/dsa-5728
   68: https://packages.debian.org/src:exim4
   69: https://www.debian.org/security/2024/dsa-5729
   70: https://packages.debian.org/src:apache2
   71: https://www.debian.org/security/2024/dsa-5730
   72: https://packages.debian.org/src:linux-signed-amd64
   73: https://www.debian.org/security/2024/dsa-5730
   74: https://packages.debian.org/src:linux-signed-arm64
   75: https://www.debian.org/security/2024/dsa-5730
   76: https://packages.debian.org/src:linux-signed-i386
   77: https://www.debian.org/security/2024/dsa-5730
   78: https://packages.debian.org/src:linux
   79: https://www.debian.org/security/2024/dsa-5734
   80: https://packages.debian.org/src:bind9
   81: https://www.debian.org/security/2024/dsa-5736
   82: https://packages.debian.org/src:openjdk-11
   83: https://www.debian.org/security/2024/dsa-5737
   84: https://packages.debian.org/src:libreoffice
   85: https://www.debian.org/security/2024/dsa-5738
   86: https://packages.debian.org/src:openjdk-17
   87: https://www.debian.org/security/2024/dsa-5739
   88: https://packages.debian.org/src:wpa
   89: https://www.debian.org/security/2024/dsa-5740
   90: https://packages.debian.org/src:firefox-esr
   91: https://www.debian.org/security/2024/dsa-5742
   92: https://packages.debian.org/src:odoo
   93: https://www.debian.org/security/2024/dsa-5743
   94: https://packages.debian.org/src:roundcube
   95: https://www.debian.org/security/2024/dsa-5746
   96: https://packages.debian.org/src:postgresql-13
   97: https://www.debian.org/security/2024/dsa-5747
   98: https://packages.debian.org/src:linux-signed-amd64
   99: https://www.debian.org/security/2024/dsa-5747
  100: https://packages.debian.org/src:linux-signed-arm64
  101: https://www.debian.org/security/2024/dsa-5747
  102: https://packages.debian.org/src:linux-signed-i386
  103: https://www.debian.org/security/2024/dsa-5747
  104: https://packages.debian.org/src:linux

Removed packages
----------------

The following packages were removed due to circumstances beyond our
control:

+----------------------+---------------------------------+
| Package              | Reason                          |
+----------------------+---------------------------------+
| bcachefs-tools [105] | Buggy, obsolete                 |
|                      |                                 |
| dnprogs [106]        | Buggy, obsolete                 |
|                      |                                 |
| iotjs [107]          | Unmaintained, security concerns |
|                      |                                 |
| obfs4proxy [108]     | Security issues                 |
|                      |                                 |
+----------------------+---------------------------------+

  105: https://packages.debian.org/src:bcachefs-tools
  106: https://packages.debian.org/src:dnprogs
  107: https://packages.debian.org/src:iotjs
  108: https://packages.debian.org/src:obfs4proxy

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
oldstable by the point release.


URLs
----

The complete lists of packages that have changed with this revision:

https://deb.debian.org/debian/dists/bullseye/ChangeLog


The current oldstable distribution:

https://deb.debian.org/debian/dists/oldstable/


Proposed updates to the oldstable distribution:

https://deb.debian.org/debian/dists/oldstable-proposed-updates


oldstable distribution information (release notes, errata etc.):

https://www.debian.org/releases/oldstable/


Security announcements and information:

https://www.debian.org/security/



About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.


Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.
