------------------------------------------------------------------------
The Debian Project https://www.debian.org/
Updated Debian 12: 12.8 released press@debian.org
November 9th, 2024 https://www.debian.org/News/2024/20241109
------------------------------------------------------------------------
The Debian project is pleased to announce the eighth update of its
stable distribution Debian 12 (codename "bookworm"). This point release
mainly adds corrections for security issues, along with a few
adjustments for serious problems. Security advisories have already been
published separately and are referenced where available.
Please note that the point release does not constitute a new version of
Debian 12 but only updates some of the packages included. There is no
need to throw away old "bookworm" media. After installation, packages
can be upgraded to the current versions using an up-to-date Debian
mirror.
Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:
https://www.debian.org/mirror/list
Miscellaneous Bugfixes
----------------------
This stable update adds a few important corrections to the following
packages:
+--------------------------+------------------------------------------+
| Package | Reason |
+--------------------------+------------------------------------------+
| 7zip [1] | Fix heap buffer overflow in NTFS handler |
| | [CVE-2023-52168]; fix out-of-bounds read |
| | in NTFS handler [CVE-2023-52169] |
| | |
| amanda [2] | Update incomplete fix for CVE-2022- |
| | 37704, restoring operation with xfsdump |
| | |
| apr [3] | Use 0600 perms for named shared mem |
| | consistently [CVE-2023-49582] |
| | |
| base-files [4] | Update for the point release |
| | |
| btrfs-progs [5] | Fix checksum calculation errors during |
| | volume conversion in btrfs-convert |
| | |
| calamares-settings- | Fix missing launcher on KDE desktops; |
| debian [6] | fix btrfs mounts |
| | |
| cjson [7] | Fix segmentation violation issue |
| | [CVE-2024-31755] |
| | |
| clamav [8] | New upstream stable release; fix denial |
| | of service issue [CVE-2024-20505], file |
| | corruption issue [CVE-2024-20506] |
| | |
| cloud-init [9] | Add support for multiple networkd Route |
| | sections |
| | |
| cloud-initramfs- | Add missing dependencies in the |
| tools [10] | initramfs |
| | |
| curl [11] | Fix incorrect handling of some OCSP |
| | responses [CVE-2024-8096] |
| | |
| debian-installer [12] | Reinstate some armel netboot targets |
| | (openrd); increase Linux kernel ABI to |
| | 6.1.0-27; rebuild against proposed- |
| | updates |
| | |
| debian-installer- | Rebuild against proposed-updates |
| netboot-images [13] | |
| | |
| devscripts [14] | bts: always upgrade to STARTTLS on 587/ |
| | tcp; build-rdeps: add support for non- |
| | free-firmware; chdist: update |
| | sources.list examples with non-free- |
| | firmware; build-rdeps: use all available |
| | distros by default |
| | |
| diffoscope [15] | Fix build failure when processing a |
| | deliberately overlapping zip file in |
| | tests |
| | |
| distro-info-data [16] | Add Ubuntu 25.04 |
| | |
| docker.io [17] | Fix bypassing of AuthZ plugins in some |
| | circumstances [CVE-2024-41110] |
| | |
| dpdk [18] | New upstream stable release |
| | |
| exim4 [19] | Fix crash in dbmnz when looking up keys |
| | with no content |
| | |
| fcgiwrap [20] | Set proper ownership on repositories in |
| | git backend |
| | |
| galera-4 [21] | New upstream stable release |
| | |
| glib2.0 [22] | Provide libgio-2.0-dev from libglib2.0- |
| | dev, and libgio-2.0-dev-bin from |
| | libglib2.0-dev-bin |
| | |
| glibc [23] | Change Croatian locale to use Euro as |
| | currency; revert upstream commit that |
| | modified the GLIBC_PRIVATE ABI, causing |
| | crashes with some static binaries on |
| | arm64; vfscanf(): fix matches longer |
| | than INT_MAX; ungetc(): fix |
| | uninitialized read when putting into |
| | unused streams, backup buffer leak on |
| | program exit; mremap(): fix support for |
| | the MREMAP_DONTUNMAP option; resolv: fix |
| | timeouts caused by short error responses |
| | or when single-request mode is enabled |
| | in resolv.conf |
| | |
| gtk+3.0 [24] | Fix letting Orca announce initial focus |
| | |
| ikiwiki-hosting [25] | Allow reading of all user repositories |
| | |
| intel-microcode [26] | New upstream release; security fixes |
| | [CVE-2024-23984 CVE-2024-24968] |
| | |
| ipmitool [27] | Fix a buffer overrun in "open" |
| | interface; fix "lan print fails on |
| | unsupported parameters" ; fix reading of |
| | temperature sensors; fix using hex |
| | values when sending raw data |
| | |
| iputils [28] | Fix incorrect handling of ICMP responses |
| | intended for other processes |
| | |
| kexec-tools [29] | Mask kexec.service to prevent the init.d |
| | script handling kexec process on a |
| | systemd enabled system |
| | |
| lemonldap-ng [30] | Fix cross-site scripting vulnerability |
| | on login page [CVE-2024-48933] |
| | |
| lgogdownloader [31] | Fix parsing of Galaxy URLs |
| | |
| libskk [32] | Prevent crash on invalid JSON escape |
| | |
| libvirt [33] | Fix running i686 VMs with AppArmor on |
| | the host; prevent certain guests from |
| | becoming unbootable or disappearing |
| | during upgrade |
| | |
| linux [34] | New upstream release; bump ABI to 27 |
| | |
| linux-signed-amd64 [35] | New upstream release; bump ABI to 27 |
| | |
| linux-signed-arm64 [36] | New upstream release; bump ABI to 27 |
| | |
| linux-signed-i386 [37] | New upstream release; bump ABI to 27 |
| | |
| llvm-toolchain-15 [38] | Architecture-specific rebuild on |
| | mips64el to sync version with other |
| | architectures |
| | |
| nghttp2 [39] | Fix denial of service issue [CVE-2024- |
| | 28182] |
| | |
| ninja-build [40] | Support large inode numbers on 32-bit |
| | systems |
| | |
| node-dompurify [41] | Fix prototype pollution issues |
| | [CVE-2024-45801 CVE-2024-48910] |
| | |
| node-es-module- | Fix build failure |
| lexer [42] | |
| | |
| node-globby [43] | Fix build failure |
| | |
| node-mdn-browser-compat- | Fix build failure |
| data [44] | |
| | |
| node-rollup-plugin-node- | Fix build failure |
| polyfills [45] | |
| | |
| node-tap [46] | Fix build failure |
| | |
| node-xterm [47] | Fix TypeScript declarations |
| | |
| node-y-protocols [48] | Fix build failure |
| | |
| node-y-websocket [49] | Fix build failure |
| | |
| node-ytdl-core [50] | Fix build failure |
| | |
| notify-osd [51] | Correct executable path in desktop |
| | launcher file |
| | |
| ntfs-3g [52] | Fix use-after-free in "ntfs-uppercase- |
| | mbs" ; re-classify fuse as Depends, not |
| | Pre-Depends |
| | |
| openssl [53] | New upstream stable release; fix buffer |
| | overread issue [CVE-2024-5535], out of |
| | bounds memory access [CVE-2024-9143] |
| | |
| ostree [54] | Prevent crashing libflatpak when using |
| | curl 8.10 |
| | |
| puppetserver [55] | Reinstate scheduled job to clean reports |
| | after 30 days, avoiding disk space |
| | exhaustion |
| | |
| puredata [56] | Fix privilege escalation issue |
| | [CVE-2023-47480] |
| | |
| python-cryptography [57] | Fix NULL dereference when loading PKCS7 |
| | certificates [CVE-2023-49083]; fix NULL |
| | dereference when PKCS#12 key and cert |
| | don't match [CVE-2024-26130] |
| | |
| python3.11 [58] | Fix regression in zipfile.Path; prevent |
| | ReDoS vulnerability with crafted tar |
| | archives |
| | |
| reprepro [59] | Prevent hangs when running unzstd |
| | |
| sqlite3 [60] | Fix a buffer overread issue [CVE-2023- |
| | 7104], a stack overflow issue and an |
| | integer overflow issue |
| | |
| sumo [61] | Fix a race condition when building |
| | documentation |
| | |
| systemd [62] | New upstream stable release |
| | |
| tgt [63] | chap: Use proper entropy source |
| | [CVE-2024-45751] |
| | |
| timeshift [64] | Add missing dependency on pkexec |
| | |
| util-linux [65] | Allow lscpu to identify new Arm cores |
| | |
| vmdb2 [66] | Set locale to UTF-8 |
| | |
| wireshark [67] | New upstream security release [CVE-2024- |
| | 0208, CVE-2024-0209, CVE-2024-2955, |
| | CVE-2024-4853, CVE-2024-4854, CVE-2024- |
| | 4855, CVE-2024-8250, CVE-2024-8645] |
| | |
| xfpt [68] | Fix buffer overflow issue [CVE-2024- |
| | 43700] |
| | |
+--------------------------+------------------------------------------+
1: https://packages.debian.org/src:7zip
2: https://packages.debian.org/src:amanda
3: https://packages.debian.org/src:apr
4: https://packages.debian.org/src:base-files
5: https://packages.debian.org/src:btrfs-progs
6: https://packages.debian.org/src:calamares-settings-debian
7: https://packages.debian.org/src:cjson
8: https://packages.debian.org/src:clamav
9: https://packages.debian.org/src:cloud-init
10: https://packages.debian.org/src:cloud-initramfs-tools
11: https://packages.debian.org/src:curl
12: https://packages.debian.org/src:debian-installer
13: https://packages.debian.org/src:debian-installer-netboot-images
14: https://packages.debian.org/src:devscripts
15: https://packages.debian.org/src:diffoscope
16: https://packages.debian.org/src:distro-info-data
17: https://packages.debian.org/src:docker.io
18: https://packages.debian.org/src:dpdk
19: https://packages.debian.org/src:exim4
20: https://packages.debian.org/src:fcgiwrap
21: https://packages.debian.org/src:galera-4
22: https://packages.debian.org/src:glib2.0
23: https://packages.debian.org/src:glibc
24: https://packages.debian.org/src:gtk+3.0
25: https://packages.debian.org/src:ikiwiki-hosting
26: https://packages.debian.org/src:intel-microcode
27: https://packages.debian.org/src:ipmitool
28: https://packages.debian.org/src:iputils
29: https://packages.debian.org/src:kexec-tools
30: https://packages.debian.org/src:lemonldap-ng
31: https://packages.debian.org/src:lgogdownloader
32: https://packages.debian.org/src:libskk
33: https://packages.debian.org/src:libvirt
34: https://packages.debian.org/src:linux
35: https://packages.debian.org/src:linux-signed-amd64
36: https://packages.debian.org/src:linux-signed-arm64
37: https://packages.debian.org/src:linux-signed-i386
38: https://packages.debian.org/src:llvm-toolchain-15
39: https://packages.debian.org/src:nghttp2
40: https://packages.debian.org/src:ninja-build
41: https://packages.debian.org/src:node-dompurify
42: https://packages.debian.org/src:node-es-module-lexer
43: https://packages.debian.org/src:node-globby
44: https://packages.debian.org/src:node-mdn-browser-compat-data
45: https://packages.debian.org/src:node-rollup-plugin-node-polyfills
46: https://packages.debian.org/src:node-tap
47: https://packages.debian.org/src:node-xterm
48: https://packages.debian.org/src:node-y-protocols
49: https://packages.debian.org/src:node-y-websocket
50: https://packages.debian.org/src:node-ytdl-core
51: https://packages.debian.org/src:notify-osd
52: https://packages.debian.org/src:ntfs-3g
53: https://packages.debian.org/src:openssl
54: https://packages.debian.org/src:ostree
55: https://packages.debian.org/src:puppetserver
56: https://packages.debian.org/src:puredata
57: https://packages.debian.org/src:python-cryptography
58: https://packages.debian.org/src:python3.11
59: https://packages.debian.org/src:reprepro
60: https://packages.debian.org/src:sqlite3
61: https://packages.debian.org/src:sumo
62: https://packages.debian.org/src:systemd
63: https://packages.debian.org/src:tgt
64: https://packages.debian.org/src:timeshift
65: https://packages.debian.org/src:util-linux
66: https://packages.debian.org/src:vmdb2
67: https://packages.debian.org/src:wireshark
68: https://packages.debian.org/src:xfpt
Security Updates
----------------
This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:
+----------------+--------------------------+
| Advisory ID | Package |
+----------------+--------------------------+
| DSA-5729 [69] | apache2 [70] |
| | |
| DSA-5733 [71] | thunderbird [72] |
| | |
| DSA-5744 [73] | thunderbird [74] |
| | |
| DSA-5758 [75] | trafficserver [76] |
| | |
| DSA-5759 [77] | python3.11 [78] |
| | |
| DSA-5760 [79] | ghostscript [80] |
| | |
| DSA-5761 [81] | chromium [82] |
| | |
| DSA-5762 [83] | webkit2gtk [84] |
| | |
| DSA-5763 [85] | pymatgen [86] |
| | |
| DSA-5764 [87] | openssl [88] |
| | |
| DSA-5765 [89] | firefox-esr [90] |
| | |
| DSA-5766 [91] | chromium [92] |
| | |
| DSA-5767 [93] | thunderbird [94] |
| | |
| DSA-5768 [95] | chromium [96] |
| | |
| DSA-5769 [97] | git [98] |
| | |
| DSA-5770 [99] | expat [100] |
| | |
| DSA-5771 [101] | php-twig [102] |
| | |
| DSA-5772 [103] | libreoffice [104] |
| | |
| DSA-5773 [105] | chromium [106] |
| | |
| DSA-5774 [107] | ruby-saml [108] |
| | |
| DSA-5775 [109] | chromium [110] |
| | |
| DSA-5776 [111] | tryton-server [112] |
| | |
| DSA-5777 [113] | booth [114] |
| | |
| DSA-5778 [115] | cups-filters [116] |
| | |
| DSA-5779 [117] | cups [118] |
| | |
| DSA-5780 [119] | php8.2 [120] |
| | |
| DSA-5781 [121] | chromium [122] |
| | |
| DSA-5782 [123] | linux-signed-amd64 [124] |
| | |
| DSA-5782 [125] | linux-signed-arm64 [126] |
| | |
| DSA-5782 [127] | linux-signed-i386 [128] |
| | |
| DSA-5782 [129] | linux [130] |
| | |
| DSA-5783 [131] | firefox-esr [132] |
| | |
| DSA-5784 [133] | oath-toolkit [134] |
| | |
| DSA-5785 [135] | mediawiki [136] |
| | |
| DSA-5786 [137] | libgsf [138] |
| | |
| DSA-5787 [139] | chromium [140] |
| | |
| DSA-5788 [141] | firefox-esr [142] |
| | |
| DSA-5789 [143] | thunderbird [144] |
| | |
| DSA-5790 [145] | node-dompurify [146] |
| | |
| DSA-5791 [147] | python-reportlab [148] |
| | |
| DSA-5792 [149] | webkit2gtk [150] |
| | |
| DSA-5793 [151] | chromium [152] |
| | |
| DSA-5794 [153] | openjdk-17 [154] |
| | |
| DSA-5795 [155] | python-sql [156] |
| | |
| DSA-5796 [157] | libheif [158] |
| | |
| DSA-5797 [159] | twisted [160] |
| | |
| DSA-5798 [161] | activemq [162] |
| | |
| DSA-5799 [163] | chromium [164] |
| | |
| DSA-5800 [165] | xorg-server [166] |
| | |
| DSA-5802 [167] | chromium [168] |
| | |
+----------------+--------------------------+
69: https://www.debian.org/security/2024/dsa-5729
70: https://packages.debian.org/src:apache2
71: https://www.debian.org/security/2024/dsa-5733
72: https://packages.debian.org/src:thunderbird
73: https://www.debian.org/security/2024/dsa-5744
74: https://packages.debian.org/src:thunderbird
75: https://www.debian.org/security/2024/dsa-5758
76: https://packages.debian.org/src:trafficserver
77: https://www.debian.org/security/2024/dsa-5759
78: https://packages.debian.org/src:python3.11
79: https://www.debian.org/security/2024/dsa-5760
80: https://packages.debian.org/src:ghostscript
81: https://www.debian.org/security/2024/dsa-5761
82: https://packages.debian.org/src:chromium
83: https://www.debian.org/security/2024/dsa-5762
84: https://packages.debian.org/src:webkit2gtk
85: https://www.debian.org/security/2024/dsa-5763
86: https://packages.debian.org/src:pymatgen
87: https://www.debian.org/security/2024/dsa-5764
88: https://packages.debian.org/src:openssl
89: https://www.debian.org/security/2024/dsa-5765
90: https://packages.debian.org/src:firefox-esr
91: https://www.debian.org/security/2024/dsa-5766
92: https://packages.debian.org/src:chromium
93: https://www.debian.org/security/2024/dsa-5767
94: https://packages.debian.org/src:thunderbird
95: https://www.debian.org/security/2024/dsa-5768
96: https://packages.debian.org/src:chromium
97: https://www.debian.org/security/2024/dsa-5769
98: https://packages.debian.org/src:git
99: https://www.debian.org/security/2024/dsa-5770
100: https://packages.debian.org/src:expat
101: https://www.debian.org/security/2024/dsa-5771
102: https://packages.debian.org/src:php-twig
103: https://www.debian.org/security/2024/dsa-5772
104: https://packages.debian.org/src:libreoffice
105: https://www.debian.org/security/2024/dsa-5773
106: https://packages.debian.org/src:chromium
107: https://www.debian.org/security/2024/dsa-5774
108: https://packages.debian.org/src:ruby-saml
109: https://www.debian.org/security/2024/dsa-5775
110: https://packages.debian.org/src:chromium
111: https://www.debian.org/security/2024/dsa-5776
112: https://packages.debian.org/src:tryton-server
113: https://www.debian.org/security/2024/dsa-5777
114: https://packages.debian.org/src:booth
115: https://www.debian.org/security/2024/dsa-5778
116: https://packages.debian.org/src:cups-filters
117: https://www.debian.org/security/2024/dsa-5779
118: https://packages.debian.org/src:cups
119: https://www.debian.org/security/2024/dsa-5780
120: https://packages.debian.org/src:php8.2
121: https://www.debian.org/security/2024/dsa-5781
122: https://packages.debian.org/src:chromium
123: https://www.debian.org/security/2024/dsa-5782
124: https://packages.debian.org/src:linux-signed-amd64
125: https://www.debian.org/security/2024/dsa-5782
126: https://packages.debian.org/src:linux-signed-arm64
127: https://www.debian.org/security/2024/dsa-5782
128: https://packages.debian.org/src:linux-signed-i386
129: https://www.debian.org/security/2024/dsa-5782
130: https://packages.debian.org/src:linux
131: https://www.debian.org/security/2024/dsa-5783
132: https://packages.debian.org/src:firefox-esr
133: https://www.debian.org/security/2024/dsa-5784
134: https://packages.debian.org/src:oath-toolkit
135: https://www.debian.org/security/2024/dsa-5785
136: https://packages.debian.org/src:mediawiki
137: https://www.debian.org/security/2024/dsa-5786
138: https://packages.debian.org/src:libgsf
139: https://www.debian.org/security/2024/dsa-5787
140: https://packages.debian.org/src:chromium
141: https://www.debian.org/security/2024/dsa-5788
142: https://packages.debian.org/src:firefox-esr
143: https://www.debian.org/security/2024/dsa-5789
144: https://packages.debian.org/src:thunderbird
145: https://www.debian.org/security/2024/dsa-5790
146: https://packages.debian.org/src:node-dompurify
147: https://www.debian.org/security/2024/dsa-5791
148: https://packages.debian.org/src:python-reportlab
149: https://www.debian.org/security/2024/dsa-5792
150: https://packages.debian.org/src:webkit2gtk
151: https://www.debian.org/security/2024/dsa-5793
152: https://packages.debian.org/src:chromium
153: https://www.debian.org/security/2024/dsa-5794
154: https://packages.debian.org/src:openjdk-17
155: https://www.debian.org/security/2024/dsa-5795
156: https://packages.debian.org/src:python-sql
157: https://www.debian.org/security/2024/dsa-5796
158: https://packages.debian.org/src:libheif
159: https://www.debian.org/security/2024/dsa-5797
160: https://packages.debian.org/src:twisted
161: https://www.debian.org/security/2024/dsa-5798
162: https://packages.debian.org/src:activemq
163: https://www.debian.org/security/2024/dsa-5799
164: https://packages.debian.org/src:chromium
165: https://www.debian.org/security/2024/dsa-5800
166: https://packages.debian.org/src:xorg-server
167: https://www.debian.org/security/2024/dsa-5802
168: https://packages.debian.org/src:chromium
Debian Installer
----------------
The installer has been updated to include the fixes incorporated into
stable by the point release.
URLs
----
The complete lists of packages that have changed with this revision:
https://deb.debian.org/debian/dists/bookworm/ChangeLog
The current stable distribution:
https://deb.debian.org/debian/dists/stable/
Proposed updates to the stable distribution:
https://deb.debian.org/debian/dists/proposed-updates
stable distribution information (release notes, errata etc.):
https://www.debian.org/releases/stable/
Security announcements and information:
https://www.debian.org/security/
About Debian
------------
The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.
Contact Information
-------------------
For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.
Attachment:
signature.asc
Description: This is a digitally signed message part