----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 209-1          https://www.debian.org/
debian-release@lists.debian.org                               Adam D. Barratt
December 13th, 2021
----------------------------------------------------------------------------

Upcoming Debian 11 Update (11.2)

An update to Debian 11 is scheduled for Saturday, December 18th, 2021. As of
now it will include the following bug fixes. They can be found in
"bullseye-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible.

Some of the updates below are also already available through
"bullseye-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package                   Reason
-------                   ------
authheaders               New upstream bug-fix release
base-files                Update /etc/debian_version for the 11.2 point release
bpftrace                  Fix array indexing
brltty                    Fix operation under X when using sysvinit
btrbk                     Fix regression in the update for CVE-2021-38173
calibre                   Fix syntax error
chrony                    Fix binding a socket to a network device with a
                          name longer than 3 characters when the system
                          call filter is enabled
cmake                     Add PostgreSQL 13 to known versions
containerd                New upstream stable release; handle ambiguous OCI
                          manifest parsing [CVE-2021-41190]; support "clone3"
                          in default seccomp profile
curl                      Remove -ffile-prefix-map from curl-config, fixing
                          co-installability of libcurl4-gnutls-dev under
                          multiarch
datatables.js             Fix insufficient escaping of arrays passed to the
                          HTML escape entities function [CVE-2021-23445]
debian-edu-config         pxe-addfirmware: Fix TFTP server path; improve
                          support for LTSP chroot setup and maintenance
debian-edu-doc            Update Debian Edu Bullseye manual from the wiki;
                          update translations
distro-info-data          Update included data for Ubuntu 14.04 and 16.04
                          ESM; add Ubuntu 22.04 LTS
docker.io                 Fix possible change of host file system
                          permissions [CVE-2021-41089]; lock down file
                          permissions in /var/lib/docker [CVE-2021-41091];
                          prevent credentials being sent to the default
                          registry [CVE-2021-41092]; add support for "clone3"
                          syscall in default seccomp policy
edk2                      Address Boot Guard TOCTOU vulnerability
                          [CVE-2019-11098]
freeipmi                  Install pkgconfig files to correct location
gdal                      Fix BAG 2.0 Extract support in LVBAG driver
gerbv                     Fix out-of-bounds write issue [CVE-2021-40391]
gmp                       Fix integer and buffer overflow issue
                          [CVE-2021-43618]
golang-1.15               New upstream stable release; fix "net/http: panic
                          due to racy read of persistConn after handler
                          panic" [CVE-2021-36221]; fix "archive/zip: overflow
                          in preallocation check can cause OOM panic"
                          [CVE-2021-39293]; fix buffer over-run issue
                          [CVE-2021-38297], out of bounds read issue
                          [CVE-2021-41771], denial of service issues
                          [CVE-2021-44716 CVE-2021-44717]
grass                     Fix parsing of GDAL formats where the description
                          contains a colon
horizon                   Re-enable translations
htmldoc                   Fix buffer overflow issues [CVE-2021-40985
                          CVE-2021-43579]
im-config                 Prefer Fcitx5 over Fcitx4
isync                     Fix multiple buffer overflow issues
                          [CVE-2021-3657]
jqueryui                  Fix untrusted code execution issues
                          [CVE-2021-41182 CVE-2021-41183 CVE-2021-41184]
jwm                       Fix crash when using "Move" menu item
keepalived                Fix overly broad DBus policy [CVE-2021-44225]
keystone                  Resolve information leak allowing determination
                          of whether users exist [CVE-2021-38155]; apply
                          some performance improvements to the default
                          keystone-uwsgi.ini
kodi                      Fix buffer overflow in PLS playlists
                          [CVE-2021-42917]
libayatana-indicator      Scale icons when loading from file; prevent
                          regular crashes in indicator applets
libdatetime-timezone-perl Update included data
libencode-perl            Fix a memory leak in Encode.xs
libseccomp                Add support for syscalls up to Linux 5.15
linux                     New upstream release; increase ABI to 10; RT:
                          update to 5.10.83-rt58
lldpd                     Fix heap overflow issue [CVE-2021-43612]; do not
                          set VLAN tag if client did not set it
mrtg                      Correct errors in variable names
node-getobject            Resolve prototype pollution issue [CVE-2020-28282]
node-json-schema          Resolve prototype pollution issue [CVE-2021-3918]
open3d                    Ensure that python3-open3d depends on
                          python3-numpy
opendmarc                 Fix opendmarc-import; increase maximum supported
                          length of tokens in ARC_Seal headers, resolving
                          crashes
plib                      Fix integer overflow issue [CVE-2021-38714]
plocate                   Fix an issue where non-ASCII characters would be
                          wrongly escaped
poco                      Fix installation of CMake files
privoxy                   Fix memory leaks [CVE-2021-44540 CVE-2021-44541
                          CVE-2021-44542]; fix cross-site scripting issue
                          [CVE-2021-44543]
publicsuffix              Update included data
python-django             New upstream security release: fix potential
                          bypass of an upstream access control based on URL
                          paths [CVE-2021-44420]
python-eventlet           Fix compatibility with dnspython 2
python-virtualenv         Fix crash when using --no-setuptools
ros-ros-comm              Fix denial of service issue [CVE-2021-37146]
ruby-httpclient           Use system certificate store
rustc-mozilla             New source package to support building of newer
                          firefox-esr and thunderbird versions
supysonic                 Symlink jquery instead of loading it directly;
                          correctly symlink minimized bootstrap CSS files
tzdata                    Update data for Fiji and Palestine
udisks2                   Mount options: Always use errors=remount-ro for
                          ext filesystems [CVE-2021-3802]; use the mkfs
                          command to format exfat partitions; add
                          Recommends exfatprogs as preferred alternative
ulfius                    Fix use of custom allocators with
                          ulfius_url_decode and ulfius_url_encode
vim                       Fix heap overflows [CVE-2021-3770 CVE-2021-3778],
                          use after free issue [CVE-2021-3796]; remove
                          vim-gtk alternatives during vim-gtk -> vim-gtk3
                          transition, easing upgrades from buster
wget                      Fix downloads over 2GB on 32-bit systems

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

<https://release.debian.org/proposed-updates/stable.html>

If you encounter any issues, please don't hesitate to get in touch with
the Debian Release Team at "debian-release@lists.debian.org".