[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SUA 205-1] Upcoming Debian 11 Update (11.1)

Debian Stable Updates Announcement SUA 205-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
October 4th, 2021

Upcoming Debian 11 Update (11.1)

An update to Debian 11 is scheduled for Saturday, October 9th, 2021. As of now
it will include the following bug fixes. They can be found in "bullseye-
proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bullseye-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following

  Package                    Reason
  -------                    ------

  apache2                    Fix mod_proxy HTTP2 request line injection

  apr                        Prevent out-of-bounds array dereference

  atftp                      Fix buffer overflow [CVE-2021-41054]

  automysqlbackup            Fix crash when using LATEST=yes

  base-files                 Update for the 11.1 point release

  btrbk                      Fix arbitrary code execution issue

  c-ares                     Fix missing input validation on hostnames
                             returned by DNS servers [CVE-2021-3672]

  clamav                     New upstream stable release; fix clamdscan
                             segfaults when --fdpass and --multipass are
                             used together with ExcludePath

  cloud-init                 Avoid duplicate includedir in /etc/sudoers

  cyrus-imapd                Fix denial-of-service issue [CVE-2021-33582]

  dazzdb                     Fix a use-after-free in DBstats

  debian-edu-config          debian-edu-ltsp-install: extend main server
                             related exclude list; add slapd and xrdp-sesman
                             to the list of masked services

  detox                      Fix handling of large files

  devscripts                 Make --bpo target bullseye-backports

  dlt-viewer                 Add missing qdlt/qdlt*.h header files to dev

  dpdk                       New upstream stable release

  exiv2                      Fix overflow issues [CVE-2021-29457

  fetchmail                  Fix segmentation fault and security regression

  flatpak                    New upstream stable release; don't inherit an
                             unusual $XDG_RUNTIME_DIR setting into the

  freeradius                 Fix thread crash, sample configuration

  galera-3                   New upstream stable release

  galera-4                   New upstream stable release; solve circular
                             Conflicts with galera-3 by no longer providing
                             a virtual "galera" package

  glewlwyd                   Fix possible buffer overflow during FIDO2
                             signature validation in webauthn registration

  glibc                      Restart openssh-server even if it has been
                             deconfigured during the upgrade; fix text
                             fallback when debconf is unusable

  gnome-maps                 New upstream stable release; fix a crash when
                             starting up with last-used map type being
                             aerial, and no aerial tile definition is found;
                             don't sometimes write broken last view position
                             on exit; fix hang when dragging around route

  gnome-shell                New upstream stable release; fix freeze after
                             cancelling (some) system-modal dialogs; fix
                             word suggestions in on-screen keyboard; fix

  hdf5                       Adjust package dependencies to improve upgrade
                             paths from older releases

  iotop-c                    Properly handle UTF-8 process names

  jailkit                    Fix creation of jails that need to use /dev;
                             fix library presence check

  java-atk-wrapper           Also use dbus to detect accessibility being

  krb5                       Fix KDC null dereference crash on FAST request
                             with no server field [CVE-2021-37750]; fix
                             memory leak in krb5_gss_inquire_cred

  libavif                    Use correct libdir in libavif.pc pkgconfig file

  libbluray                  Switch to embedded libasm. The version from
                             libasm-java is too new

  libdatetime-timezone-perl  New upstream stable release; update DST rules
                             for Samoa and Jordon; confirmation of no leap
                             second on 2021-12-31

  libencode-perl             Encode: mitigate @INC pollution when loading
                             ConfigLocal [CVE-2021-36770]

  libslirp                   Fix multiple buffer overflow issues
                             [CVE-2021-3592 CVE-2021-3593 CVE-2021-3594

  libspf2                    spf_compile.c: Correct size of ds_avail
                             [CVE-2021-20314]; fix 'reverse' macro modifier

  linux                      New upstream stable release; increase ABI to 9;
                             [rt] Update to 5.10.65-rt53; [mipsel] bpf,
                             mips: Validate conditional branch offsets

  lynx                       Fix leakage of credentials if SNI was used
                             together with a URL containing credentials

  mariadb-10.5               New upstream stable release; security fixes
                             [CVE-2021-2372 CVE-2021-2389]

  mbrola                     Fix end of file detection

  modsecurity-crs            Fix request body bypass issue [CVE-2021-35368]

  mtr                        Fix regression in JSON output

  mutter                     New upstream stable release; kms: Improve
                             handling of common video modes that might
                             exceed the possible bandwidth; ensure valid
                             window texture size after viewport changes

  nautilus                   Avoid opening multiple selected files in
                             multiple application instances; don't save
                             window size and position when tiled; fix some
                             memory leaks; update translations

  node-ansi-regex            Fix regular expression-based denial of service
                             issue [CVE-2021-3807]

  node-axios                 Fix regular expression-based denial of service
                             issue [CVE-2021-3749]

  node-object-path           Fix prototype pollution issues [CVE-2021-23434

  node-prismjs               Fix regular expression-based denial of service
                             issue [CVE-2021-3801]

  node-set-value             Fix prototype pollution [CVE-2021-23440]

  node-tar                   Remove non-directory paths from the directory
                             cache [CVE-2021-32803]; strip absolute paths
                             more comprehensively [CVE-2021-32804]

  nodejs                     New upstream stable release; fix use after
                             free issue [CVE-2021-22930]

  osmcoastline               Fix projections other than WGS84

  osmpbf                     Rebuild against protobuf 3.12.4

  pam                        Fix syntax error in libpam0g.postinst when a
                             systemd unit fails

  perl                       Encode: mitigate @INC pollution when loading
                             ConfigLocal [CVE-2021-36770]; fix a regular
                             expression memory leak

  pglogical                  Update for PostgreSQL 13.4 snapshot handling

  pmdk                       Fix missing barriers after non-temporal memcpy

  postgresql-13              New upstream stable release; fix mis-planning
                             of repeated application of a projection step
                             [CVE-2021-3677]; disallow SSL renegotiation
                             more completely

  proftpd-dfsg               Fix "mod_radius leaks memory contents to radius
                             server" and "sftp connection aborts with
                             "Corrupted MAC on input""; skip escaping of
                             already-escaped SQL text

  pyx3                       Fix horizontal font alignment issue with
                             texlive 2020

  reportbug                  Update suite names following bullseye release

  request-tracker4           Fix login timing side-channel attack issue

  rhonabwy                   Fix jwe cbc tag computation and jws alg:none
                             signature verification

  rpki-trust-anchors         Add HTTPS URL to the LACNIC TAL

  rsync                      Re-add --copy-devices; fix regression in
                             --delay-updates; fix edge case in --mkpath; fix
                             rsync-ssl; fix --sparce and --inplace; update
                             options available to rrsync; documentation

  ruby-rqrcode-rails3        Fix for ruby-rqrcode 1.0 compatibility

  sabnzbdplus                Prevent directory escape in renamer function

  shellcheck                 Fix rendering of long options in manpage

  shiro                      Fix authentication bypass issues [CVE-2020-1957
                             CVE-2020-11989 CVE-2020-13933 CVE-2020-17510];
                             update Spring Framework compatibility patch;
                             support Guice 4

  speech-dispatcher          Fix setting voice name for the generic module

  telegram-desktop           Avoid crash when auto-delete is enabled

  termshark                  Include themes in package

  tmux                       Fix a race condition which results in the
                             config not being loaded if several clients are
                             interacting with the server while it's

  tomcat9                    Fix authentication bypass issue [CVE-2021-30640]
                             and request smuggling issue [CVE-2021-33037]

  txt2man                    Fix regression in handling display blocks

  tzdata                     Update DST rules for Samoa and Jordan; confirm
                             the absence of a leap second on 2021-12-31

  ublock-origin              New upstream stable release; fix denial of
                             service issue [CVE-2021-36773]

  ulfius                     Ensure memory is initialised before use

  xmlgraphics-commons        Fix server side request forgery issue

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:


If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: