
Updated Debian 12: 12.8 released



------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 12: 12.8 released                        press@debian.org
November 9th, 2024             https://www.debian.org/News/2024/20241109
------------------------------------------------------------------------


The Debian project is pleased to announce the eighth update of its
stable distribution Debian 12 (codename "bookworm"). This point release
mainly adds corrections for security issues, along with a few
adjustments for serious problems. Security advisories have already been
published separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 12 but only updates some of the packages included. There is no
need to throw away old "bookworm" media. After installation, packages
can be upgraded to the current versions using an up-to-date Debian
mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list



Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

+--------------------------+------------------------------------------+
| Package                  | Reason                                   |
+--------------------------+------------------------------------------+
| 7zip [1]                 | Fix heap buffer overflow in NTFS handler |
|                          | [CVE-2023-52168]; fix out-of-bounds read |
|                          | in NTFS handler [CVE-2023-52169]         |
|                          |                                          |
| amanda [2]               | Update incomplete fix for CVE-2022-      |
|                          | 37704, restoring operation with xfsdump  |
|                          |                                          |
| apr [3]                  | Use 0600 perms for named shared mem      |
|                          | consistently [CVE-2023-49582]            |
|                          |                                          |
| base-files [4]           | Update for the point release             |
|                          |                                          |
| btrfs-progs [5]          | Fix checksum calculation errors during   |
|                          | volume conversion in btrfs-convert       |
|                          |                                          |
| calamares-settings-      | Fix missing launcher on KDE desktops;    |
| debian [6]               | fix btrfs mounts                         |
|                          |                                          |
| cjson [7]                | Fix segmentation violation issue         |
|                          | [CVE-2024-31755]                         |
|                          |                                          |
| clamav [8]               | New upstream stable release; fix denial  |
|                          | of service issue [CVE-2024-20505], file  |
|                          | corruption issue [CVE-2024-20506]        |
|                          |                                          |
| cloud-init [9]           | Add support for multiple networkd Route  |
|                          | sections                                 |
|                          |                                          |
| cloud-initramfs-         | Add missing dependencies in the          |
| tools [10]               | initramfs                                |
|                          |                                          |
| curl [11]                | Fix incorrect handling of some OCSP      |
|                          | responses [CVE-2024-8096]                |
|                          |                                          |
| debian-installer [12]    | Reinstate some armel netboot targets     |
|                          | (openrd); increase Linux kernel ABI to   |
|                          | 6.1.0-27; rebuild against proposed-      |
|                          | updates                                  |
|                          |                                          |
| debian-installer-        | Rebuild against proposed-updates         |
| netboot-images [13]      |                                          |
|                          |                                          |
| devscripts [14]          | bts: always upgrade to STARTTLS on 587/  |
|                          | tcp; build-rdeps: add support for non-   |
|                          | free-firmware; chdist: update            |
|                          | sources.list examples with non-free-     |
|                          | firmware; build-rdeps: use all available |
|                          | distros by default                       |
|                          |                                          |
| diffoscope [15]          | Fix build failure when processing a      |
|                          | deliberately overlapping zip file in     |
|                          | tests                                    |
|                          |                                          |
| distro-info-data [16]    | Add Ubuntu 25.04                         |
|                          |                                          |
| docker.io [17]           | Fix bypassing of AuthZ plugins in some   |
|                          | circumstances [CVE-2024-41110]           |
|                          |                                          |
| dpdk [18]                | New upstream stable release              |
|                          |                                          |
| exim4 [19]               | Fix crash in dbmnz when looking up keys  |
|                          | with no content                          |
|                          |                                          |
| fcgiwrap [20]            | Set proper ownership on repositories in  |
|                          | git backend                              |
|                          |                                          |
| galera-4 [21]            | New upstream stable release              |
|                          |                                          |
| glib2.0 [22]             | Provide libgio-2.0-dev from libglib2.0-  |
|                          | dev, and libgio-2.0-dev-bin from         |
|                          | libglib2.0-dev-bin                       |
|                          |                                          |
| glibc [23]               | Change Croatian locale to use Euro as    |
|                          | currency; revert upstream commit that    |
|                          | modified the GLIBC_PRIVATE ABI, causing  |
|                          | crashes with some static binaries on     |
|                          | arm64; vfscanf(): fix matches longer     |
|                          | than INT_MAX; ungetc(): fix              |
|                          | uninitialized read when putting into     |
|                          | unused streams, backup buffer leak on    |
|                          | program exit; mremap(): fix support for  |
|                          | the MREMAP_DONTUNMAP option; resolv: fix |
|                          | timeouts caused by short error responses |
|                          | or when single-request mode is enabled   |
|                          | in resolv.conf                           |
|                          |                                          |
| gtk+3.0 [24]             | Fix letting Orca announce initial focus  |
|                          |                                          |
| ikiwiki-hosting [25]     | Allow reading of all user repositories   |
|                          |                                          |
| intel-microcode [26]     | New upstream release; security fixes     |
|                          | [CVE-2024-23984 CVE-2024-24968]          |
|                          |                                          |
| ipmitool [27]            | Fix a buffer overrun in "open"           |
|                          | interface; fix "lan print fails on       |
|                          | unsupported parameters"; fix reading of  |
|                          | temperature sensors; fix using hex       |
|                          | values when sending raw data             |
|                          |                                          |
| iputils [28]             | Fix incorrect handling of ICMP responses |
|                          | intended for other processes             |
|                          |                                          |
| kexec-tools [29]         | Mask kexec.service to prevent the init.d |
|                          | script handling kexec process on a       |
|                          | systemd enabled system                   |
|                          |                                          |
| lemonldap-ng [30]        | Fix cross-site scripting vulnerability   |
|                          | on login page [CVE-2024-48933]           |
|                          |                                          |
| lgogdownloader [31]      | Fix parsing of Galaxy URLs               |
|                          |                                          |
| libskk [32]              | Prevent crash on invalid JSON escape     |
|                          |                                          |
| libvirt [33]             | Fix running i686 VMs with AppArmor on    |
|                          | the host; prevent certain guests from    |
|                          | becoming unbootable or disappearing      |
|                          | during upgrade                           |
|                          |                                          |
| linux [34]               | New upstream release; bump ABI to 27     |
|                          |                                          |
| linux-signed-amd64 [35]  | New upstream release; bump ABI to 27     |
|                          |                                          |
| linux-signed-arm64 [36]  | New upstream release; bump ABI to 27     |
|                          |                                          |
| linux-signed-i386 [37]   | New upstream release; bump ABI to 27     |
|                          |                                          |
| llvm-toolchain-15 [38]   | Architecture-specific rebuild on         |
|                          | mips64el to sync version with other      |
|                          | architectures                            |
|                          |                                          |
| nghttp2 [39]             | Fix denial of service issue [CVE-2024-   |
|                          | 28182]                                   |
|                          |                                          |
| ninja-build [40]         | Support large inode numbers on 32-bit    |
|                          | systems                                  |
|                          |                                          |
| node-dompurify [41]      | Fix prototype pollution issues           |
|                          | [CVE-2024-45801 CVE-2024-48910]          |
|                          |                                          |
| node-es-module-          | Fix build failure                        |
| lexer [42]               |                                          |
|                          |                                          |
| node-globby [43]         | Fix build failure                        |
|                          |                                          |
| node-mdn-browser-compat- | Fix build failure                        |
| data [44]                |                                          |
|                          |                                          |
| node-rollup-plugin-node- | Fix build failure                        |
| polyfills [45]           |                                          |
|                          |                                          |
| node-tap [46]            | Fix build failure                        |
|                          |                                          |
| node-xterm [47]          | Fix TypeScript declarations              |
|                          |                                          |
| node-y-protocols [48]    | Fix build failure                        |
|                          |                                          |
| node-y-websocket [49]    | Fix build failure                        |
|                          |                                          |
| node-ytdl-core [50]      | Fix build failure                        |
|                          |                                          |
| notify-osd [51]          | Correct executable path in desktop       |
|                          | launcher file                            |
|                          |                                          |
| ntfs-3g [52]             | Fix use-after-free in "ntfs-uppercase-   |
|                          | mbs"; re-classify fuse as Depends, not   |
|                          | Pre-Depends                              |
|                          |                                          |
| openssl [53]             | New upstream stable release; fix buffer  |
|                          | overread issue [CVE-2024-5535], out of   |
|                          | bounds memory access [CVE-2024-9143]     |
|                          |                                          |
| ostree [54]              | Prevent crashing libflatpak when using   |
|                          | curl 8.10                                |
|                          |                                          |
| puppetserver [55]        | Reinstate scheduled job to clean reports |
|                          | after 30 days, avoiding disk space       |
|                          | exhaustion                               |
|                          |                                          |
| puredata [56]            | Fix privilege escalation issue           |
|                          | [CVE-2023-47480]                         |
|                          |                                          |
| python-cryptography [57] | Fix NULL dereference when loading PKCS7  |
|                          | certificates [CVE-2023-49083]; fix NULL  |
|                          | dereference when PKCS#12 key and cert    |
|                          | don't match [CVE-2024-26130]             |
|                          |                                          |
| python3.11 [58]          | Fix regression in zipfile.Path; prevent  |
|                          | ReDoS vulnerability with crafted tar     |
|                          | archives                                 |
|                          |                                          |
| reprepro [59]            | Prevent hangs when running unzstd        |
|                          |                                          |
| sqlite3 [60]             | Fix a buffer overread issue [CVE-2023-   |
|                          | 7104], a stack overflow issue and an     |
|                          | integer overflow issue                   |
|                          |                                          |
| sumo [61]                | Fix a race condition when building       |
|                          | documentation                            |
|                          |                                          |
| systemd [62]             | New upstream stable release              |
|                          |                                          |
| tgt [63]                 | chap: Use proper entropy source          |
|                          | [CVE-2024-45751]                         |
|                          |                                          |
| timeshift [64]           | Add missing dependency on pkexec         |
|                          |                                          |
| util-linux [65]          | Allow lscpu to identify new Arm cores    |
|                          |                                          |
| vmdb2 [66]               | Set locale to UTF-8                      |
|                          |                                          |
| wireshark [67]           | New upstream security release [CVE-2024- |
|                          | 0208, CVE-2024-0209, CVE-2024-2955,      |
|                          | CVE-2024-4853, CVE-2024-4854, CVE-2024-  |
|                          | 4855, CVE-2024-8250, CVE-2024-8645]      |
|                          |                                          |
| xfpt [68]                | Fix buffer overflow issue [CVE-2024-     |
|                          | 43700]                                   |
|                          |                                          |
+--------------------------+------------------------------------------+

    1: https://packages.debian.org/src:7zip
    2: https://packages.debian.org/src:amanda
    3: https://packages.debian.org/src:apr
    4: https://packages.debian.org/src:base-files
    5: https://packages.debian.org/src:btrfs-progs
    6: https://packages.debian.org/src:calamares-settings-debian
    7: https://packages.debian.org/src:cjson
    8: https://packages.debian.org/src:clamav
    9: https://packages.debian.org/src:cloud-init
   10: https://packages.debian.org/src:cloud-initramfs-tools
   11: https://packages.debian.org/src:curl
   12: https://packages.debian.org/src:debian-installer
   13: https://packages.debian.org/src:debian-installer-netboot-images
   14: https://packages.debian.org/src:devscripts
   15: https://packages.debian.org/src:diffoscope
   16: https://packages.debian.org/src:distro-info-data
   17: https://packages.debian.org/src:docker.io
   18: https://packages.debian.org/src:dpdk
   19: https://packages.debian.org/src:exim4
   20: https://packages.debian.org/src:fcgiwrap
   21: https://packages.debian.org/src:galera-4
   22: https://packages.debian.org/src:glib2.0
   23: https://packages.debian.org/src:glibc
   24: https://packages.debian.org/src:gtk+3.0
   25: https://packages.debian.org/src:ikiwiki-hosting
   26: https://packages.debian.org/src:intel-microcode
   27: https://packages.debian.org/src:ipmitool
   28: https://packages.debian.org/src:iputils
   29: https://packages.debian.org/src:kexec-tools
   30: https://packages.debian.org/src:lemonldap-ng
   31: https://packages.debian.org/src:lgogdownloader
   32: https://packages.debian.org/src:libskk
   33: https://packages.debian.org/src:libvirt
   34: https://packages.debian.org/src:linux
   35: https://packages.debian.org/src:linux-signed-amd64
   36: https://packages.debian.org/src:linux-signed-arm64
   37: https://packages.debian.org/src:linux-signed-i386
   38: https://packages.debian.org/src:llvm-toolchain-15
   39: https://packages.debian.org/src:nghttp2
   40: https://packages.debian.org/src:ninja-build
   41: https://packages.debian.org/src:node-dompurify
   42: https://packages.debian.org/src:node-es-module-lexer
   43: https://packages.debian.org/src:node-globby
   44: https://packages.debian.org/src:node-mdn-browser-compat-data
   45: https://packages.debian.org/src:node-rollup-plugin-node-polyfills
   46: https://packages.debian.org/src:node-tap
   47: https://packages.debian.org/src:node-xterm
   48: https://packages.debian.org/src:node-y-protocols
   49: https://packages.debian.org/src:node-y-websocket
   50: https://packages.debian.org/src:node-ytdl-core
   51: https://packages.debian.org/src:notify-osd
   52: https://packages.debian.org/src:ntfs-3g
   53: https://packages.debian.org/src:openssl
   54: https://packages.debian.org/src:ostree
   55: https://packages.debian.org/src:puppetserver
   56: https://packages.debian.org/src:puredata
   57: https://packages.debian.org/src:python-cryptography
   58: https://packages.debian.org/src:python3.11
   59: https://packages.debian.org/src:reprepro
   60: https://packages.debian.org/src:sqlite3
   61: https://packages.debian.org/src:sumo
   62: https://packages.debian.org/src:systemd
   63: https://packages.debian.org/src:tgt
   64: https://packages.debian.org/src:timeshift
   65: https://packages.debian.org/src:util-linux
   66: https://packages.debian.org/src:vmdb2
   67: https://packages.debian.org/src:wireshark
   68: https://packages.debian.org/src:xfpt

Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+----------------+--------------------------+
| Advisory ID    | Package                  |
+----------------+--------------------------+
| DSA-5729 [69]  | apache2 [70]             |
|                |                          |
| DSA-5733 [71]  | thunderbird [72]         |
|                |                          |
| DSA-5744 [73]  | thunderbird [74]         |
|                |                          |
| DSA-5758 [75]  | trafficserver [76]       |
|                |                          |
| DSA-5759 [77]  | python3.11 [78]          |
|                |                          |
| DSA-5760 [79]  | ghostscript [80]         |
|                |                          |
| DSA-5761 [81]  | chromium [82]            |
|                |                          |
| DSA-5762 [83]  | webkit2gtk [84]          |
|                |                          |
| DSA-5763 [85]  | pymatgen [86]            |
|                |                          |
| DSA-5764 [87]  | openssl [88]             |
|                |                          |
| DSA-5765 [89]  | firefox-esr [90]         |
|                |                          |
| DSA-5766 [91]  | chromium [92]            |
|                |                          |
| DSA-5767 [93]  | thunderbird [94]         |
|                |                          |
| DSA-5768 [95]  | chromium [96]            |
|                |                          |
| DSA-5769 [97]  | git [98]                 |
|                |                          |
| DSA-5770 [99]  | expat [100]              |
|                |                          |
| DSA-5771 [101] | php-twig [102]           |
|                |                          |
| DSA-5772 [103] | libreoffice [104]        |
|                |                          |
| DSA-5773 [105] | chromium [106]           |
|                |                          |
| DSA-5774 [107] | ruby-saml [108]          |
|                |                          |
| DSA-5775 [109] | chromium [110]           |
|                |                          |
| DSA-5776 [111] | tryton-server [112]      |
|                |                          |
| DSA-5777 [113] | booth [114]              |
|                |                          |
| DSA-5778 [115] | cups-filters [116]       |
|                |                          |
| DSA-5779 [117] | cups [118]               |
|                |                          |
| DSA-5780 [119] | php8.2 [120]             |
|                |                          |
| DSA-5781 [121] | chromium [122]           |
|                |                          |
| DSA-5782 [123] | linux-signed-amd64 [124] |
|                |                          |
| DSA-5782 [125] | linux-signed-arm64 [126] |
|                |                          |
| DSA-5782 [127] | linux-signed-i386 [128]  |
|                |                          |
| DSA-5782 [129] | linux [130]              |
|                |                          |
| DSA-5783 [131] | firefox-esr [132]        |
|                |                          |
| DSA-5784 [133] | oath-toolkit [134]       |
|                |                          |
| DSA-5785 [135] | mediawiki [136]          |
|                |                          |
| DSA-5786 [137] | libgsf [138]             |
|                |                          |
| DSA-5787 [139] | chromium [140]           |
|                |                          |
| DSA-5788 [141] | firefox-esr [142]        |
|                |                          |
| DSA-5789 [143] | thunderbird [144]        |
|                |                          |
| DSA-5790 [145] | node-dompurify [146]     |
|                |                          |
| DSA-5791 [147] | python-reportlab [148]   |
|                |                          |
| DSA-5792 [149] | webkit2gtk [150]         |
|                |                          |
| DSA-5793 [151] | chromium [152]           |
|                |                          |
| DSA-5794 [153] | openjdk-17 [154]         |
|                |                          |
| DSA-5795 [155] | python-sql [156]         |
|                |                          |
| DSA-5796 [157] | libheif [158]            |
|                |                          |
| DSA-5797 [159] | twisted [160]            |
|                |                          |
| DSA-5798 [161] | activemq [162]           |
|                |                          |
| DSA-5799 [163] | chromium [164]           |
|                |                          |
| DSA-5800 [165] | xorg-server [166]        |
|                |                          |
| DSA-5802 [167] | chromium [168]           |
|                |                          |
+----------------+--------------------------+

   69: https://www.debian.org/security/2024/dsa-5729
   70: https://packages.debian.org/src:apache2
   71: https://www.debian.org/security/2024/dsa-5733
   72: https://packages.debian.org/src:thunderbird
   73: https://www.debian.org/security/2024/dsa-5744
   74: https://packages.debian.org/src:thunderbird
   75: https://www.debian.org/security/2024/dsa-5758
   76: https://packages.debian.org/src:trafficserver
   77: https://www.debian.org/security/2024/dsa-5759
   78: https://packages.debian.org/src:python3.11
   79: https://www.debian.org/security/2024/dsa-5760
   80: https://packages.debian.org/src:ghostscript
   81: https://www.debian.org/security/2024/dsa-5761
   82: https://packages.debian.org/src:chromium
   83: https://www.debian.org/security/2024/dsa-5762
   84: https://packages.debian.org/src:webkit2gtk
   85: https://www.debian.org/security/2024/dsa-5763
   86: https://packages.debian.org/src:pymatgen
   87: https://www.debian.org/security/2024/dsa-5764
   88: https://packages.debian.org/src:openssl
   89: https://www.debian.org/security/2024/dsa-5765
   90: https://packages.debian.org/src:firefox-esr
   91: https://www.debian.org/security/2024/dsa-5766
   92: https://packages.debian.org/src:chromium
   93: https://www.debian.org/security/2024/dsa-5767
   94: https://packages.debian.org/src:thunderbird
   95: https://www.debian.org/security/2024/dsa-5768
   96: https://packages.debian.org/src:chromium
   97: https://www.debian.org/security/2024/dsa-5769
   98: https://packages.debian.org/src:git
   99: https://www.debian.org/security/2024/dsa-5770
  100: https://packages.debian.org/src:expat
  101: https://www.debian.org/security/2024/dsa-5771
  102: https://packages.debian.org/src:php-twig
  103: https://www.debian.org/security/2024/dsa-5772
  104: https://packages.debian.org/src:libreoffice
  105: https://www.debian.org/security/2024/dsa-5773
  106: https://packages.debian.org/src:chromium
  107: https://www.debian.org/security/2024/dsa-5774
  108: https://packages.debian.org/src:ruby-saml
  109: https://www.debian.org/security/2024/dsa-5775
  110: https://packages.debian.org/src:chromium
  111: https://www.debian.org/security/2024/dsa-5776
  112: https://packages.debian.org/src:tryton-server
  113: https://www.debian.org/security/2024/dsa-5777
  114: https://packages.debian.org/src:booth
  115: https://www.debian.org/security/2024/dsa-5778
  116: https://packages.debian.org/src:cups-filters
  117: https://www.debian.org/security/2024/dsa-5779
  118: https://packages.debian.org/src:cups
  119: https://www.debian.org/security/2024/dsa-5780
  120: https://packages.debian.org/src:php8.2
  121: https://www.debian.org/security/2024/dsa-5781
  122: https://packages.debian.org/src:chromium
  123: https://www.debian.org/security/2024/dsa-5782
  124: https://packages.debian.org/src:linux-signed-amd64
  125: https://www.debian.org/security/2024/dsa-5782
  126: https://packages.debian.org/src:linux-signed-arm64
  127: https://www.debian.org/security/2024/dsa-5782
  128: https://packages.debian.org/src:linux-signed-i386
  129: https://www.debian.org/security/2024/dsa-5782
  130: https://packages.debian.org/src:linux
  131: https://www.debian.org/security/2024/dsa-5783
  132: https://packages.debian.org/src:firefox-esr
  133: https://www.debian.org/security/2024/dsa-5784
  134: https://packages.debian.org/src:oath-toolkit
  135: https://www.debian.org/security/2024/dsa-5785
  136: https://packages.debian.org/src:mediawiki
  137: https://www.debian.org/security/2024/dsa-5786
  138: https://packages.debian.org/src:libgsf
  139: https://www.debian.org/security/2024/dsa-5787
  140: https://packages.debian.org/src:chromium
  141: https://www.debian.org/security/2024/dsa-5788
  142: https://packages.debian.org/src:firefox-esr
  143: https://www.debian.org/security/2024/dsa-5789
  144: https://packages.debian.org/src:thunderbird
  145: https://www.debian.org/security/2024/dsa-5790
  146: https://packages.debian.org/src:node-dompurify
  147: https://www.debian.org/security/2024/dsa-5791
  148: https://packages.debian.org/src:python-reportlab
  149: https://www.debian.org/security/2024/dsa-5792
  150: https://packages.debian.org/src:webkit2gtk
  151: https://www.debian.org/security/2024/dsa-5793
  152: https://packages.debian.org/src:chromium
  153: https://www.debian.org/security/2024/dsa-5794
  154: https://packages.debian.org/src:openjdk-17
  155: https://www.debian.org/security/2024/dsa-5795
  156: https://packages.debian.org/src:python-sql
  157: https://www.debian.org/security/2024/dsa-5796
  158: https://packages.debian.org/src:libheif
  159: https://www.debian.org/security/2024/dsa-5797
  160: https://packages.debian.org/src:twisted
  161: https://www.debian.org/security/2024/dsa-5798
  162: https://packages.debian.org/src:activemq
  163: https://www.debian.org/security/2024/dsa-5799
  164: https://packages.debian.org/src:chromium
  165: https://www.debian.org/security/2024/dsa-5800
  166: https://packages.debian.org/src:xorg-server
  167: https://www.debian.org/security/2024/dsa-5802
  168: https://packages.debian.org/src:chromium

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.


URLs
----

The complete lists of packages that have changed with this revision:

https://deb.debian.org/debian/dists/bookworm/ChangeLog


The current stable distribution:

https://deb.debian.org/debian/dists/stable/


Proposed updates to the stable distribution:

https://deb.debian.org/debian/dists/proposed-updates


Stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/


Security announcements and information:

https://www.debian.org/security/



About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.


Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.
