----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 257-1 https://www.debian.org/
debian-release@lists.debian.org Adam D. Barratt
August 26th, 2024
----------------------------------------------------------------------------
Upcoming Debian 12 Update (12.7)
An update to Debian 12 is scheduled for Saturday, August 31st, 2024. As of
now it will include the following bug fixes. They can be found in "bookworm-
proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bookworm-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------
This stable update adds a few important corrections to the following
packages:
Package                     Reason
-------                     ------
amd64-microcode             New upstream release; security fixes
                            [CVE-2023-31315]; SEV firmware fixes
                            [CVE-2023-20584 CVE-2023-31356]
ansible                     New upstream stable release; fix key leakage
                            issue [CVE-2023-4237]
ansible-core                New upstream stable release; fix information
                            disclosure issue [CVE-2024-0690]; fix template
                            injection issue [CVE-2023-5764]; fix path
                            traversal issue [CVE-2023-5115]
apache2                     New upstream stable release; fix content
                            disclosure issue [CVE-2024-40725]
base-files                  Update for the point release
cacti                       Fix remote code execution issues
                            [CVE-2024-25641 CVE-2024-31459], cross site
                            scripting issues [CVE-2024-29894 CVE-2024-31443
                            CVE-2024-31444], SQL injection issues
                            [CVE-2024-31445 CVE-2024-31458 CVE-2024-31460],
                            "type juggling" issue [CVE-2024-34340]; fix
                            autopkgtest failure
calamares-settings-debian   Fix Xfce launcher permission issue
calibre                     Fix remote code execution issue [CVE-2024-6782],
                            cross site scripting issue [CVE-2024-7008], SQL
                            injection issue [CVE-2024-7009]
choose-mirror               Update list of available mirrors
cockpit                     Fix denial of service issue [CVE-2024-6126]
cups                        Fix issues with domain socket handling
                            [CVE-2024-35235]
curl                        Fix ASN.1 date parser overread issue
                            [CVE-2024-7264]
cyrus-imapd                 Fix regression introduced in CVE-2024-34055 fix
dcm2niix                    Fix potential code execution issue
                            [CVE-2024-27629]
dmitry                      Security fixes [CVE-2024-31837 CVE-2020-14931
                            CVE-2017-7938]
dropbear                    Fix "noremotetcp" behaviour of keepalive
                            packets in combination with the
                            "no-port-forwarding" authorized_keys(5)
                            restriction
gettext.js                  Fix server side request forgery issue
                            [CVE-2024-43370]
glibc                       Fix freeing uninitialized memory in
                            libc_freeres_fn(); fix several performance
                            issues and possible crashes
glogic                      Require Gtk 3.0 and PangoCairo 1.0
graphviz                    Fix broken scale
gtk+2.0                     Avoid looking for modules in current working
                            directory [CVE-2024-6655]
gtk+3.0                     Avoid looking for modules in current working
                            directory [CVE-2024-6655]
imagemagick                 Fix segmentation fault issue; fix incomplete
                            fix for CVE-2023-34151
initramfs-tools             hook-functions: Fix copy_file with source
                            including a directory symlink; hook-functions:
                            copy_file: Canonicalise target filename;
                            install hid-multitouch module for Surface Pro 4
                            Keyboard; add hyperv-keyboard module, needed to
                            enter LUKS password in Hyper-V;
                            auto_add_modules: Add onboard_usb_hub,
                            onboard_usb_dev
intel-microcode             New upstream release; security fixes
                            [CVE-2023-42667 CVE-2023-49141 CVE-2024-24853
                            CVE-2024-24980 CVE-2024-25939]
ipmitool                    Add missing enterprise-numbers.txt file
libapache2-mod-auth-openidc Avoid crash when the Forwarded header is not
                            present but OIDCXForwardedHeaders is configured
                            for it
libnvme                     Fix buffer overflow while scanning devices
                            that do not support sub-4k reads
libvirt                     virsh: Make domif-setlink work more than once;
                            qemu: domain: Fix logic when tainting domain;
                            fix denial of service issues [CVE-2023-3750
                            CVE-2024-1441 CVE-2024-2494 CVE-2024-2496]
linux                       New upstream release; bump ABI to 24
linux-signed-amd64          New upstream release; bump ABI to 24
linux-signed-arm64          New upstream release; bump ABI to 24
linux-signed-i386           New upstream release; bump ABI to 24
newlib                      Fix buffer overflow issue [CVE-2021-3420]
numpy                       Conflict with python-numpy
openssl                     New upstream stable release; fix denial of
                            service issues [CVE-2024-2511 CVE-2024-4603];
                            fix use after free issue [CVE-2024-4741]
poe.app                     Make comment cells editable; fix drawing when
                            an NSActionCell in the preferences is acted on
                            to change state
putty                       Fix weak ECDSA nonce generation allowing secret
                            key recovery [CVE-2024-31497]
python-django               Fix regular expression-based denial of service
                            issue [CVE-2023-36053], denial of service
                            issues [CVE-2024-38875 CVE-2024-39614
                            CVE-2024-41990 CVE-2024-41991], user
                            enumeration issue [CVE-2024-39329], directory
                            traversal issue [CVE-2024-39330], excessive
                            memory consumption issue [CVE-2024-41989], SQL
                            injection issue [CVE-2024-42005]
qemu                        New upstream stable release; fix denial of
                            service issue [CVE-2024-4467]
riemann-c-client            Prevent malformed payload in GnuTLS
                            send/receive operations
rustc-web                   New upstream stable release, to support building
                            newer chromium and firefox-esr versions
shim                        New upstream release
shim-helpers-amd64-signed   Rebuild against shim 15.8.1
shim-helpers-arm64-signed   Rebuild against shim 15.8.1
shim-helpers-i386-signed    Rebuild against shim 15.8.1
shim-signed                 New upstream stable release
systemd                     New upstream stable release; update hwdb
usb.ids                     Update included data list
xmedcon                     Fix buffer overflow issue [CVE-2024-29421]

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:
<https://release.debian.org/proposed-updates/stable.html>

Removed packages
----------------
The following packages will be removed due to circumstances beyond our
control:

Package                     Reason
-------                     ------
bcachefs-tools              Buggy; obsolete

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".