[SUA 209-1] Upcoming Debian 11 Update (11.2)

Debian Stable Updates Announcement SUA 209-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
December 13th, 2021

Upcoming Debian 11 Update (11.2)

An update to Debian 11 is scheduled for Saturday, December 18th, 2021. As of
now it will include the following bug fixes. They can be found in
"bullseye-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bullseye-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

  Package                    Reason
  -------                    ------

  authheaders                New upstream bug-fix release

  base-files                 Update /etc/debian_version for the 11.2 point
                             release

  bpftrace                   Fix array indexing

  brltty                     Fix operation under X when using sysvinit

  btrbk                      Fix regression in the update for CVE-2021-38173

  calibre                    Fix syntax error

  chrony                     Fix binding a socket to a network device with a
                             name longer than 3 characters when the system
                             call filter is enabled

  cmake                      Add PostgreSQL 13 to known versions

  containerd                 New upstream stable release; handle ambiguous
                             OCI manifest parsing [CVE-2021-41190]; support
                             "clone3" in default seccomp profile

  curl                       Remove -ffile-prefix-map from curl-config,
                             fixing co-installability of libcurl4-gnutls-dev
                             under multiarch

  datatables.js              Fix insufficient escaping of arrays passed to
                             the HTML escape entities function

  debian-edu-config          pxe-addfirmware: Fix TFTP server path; improve
                             support for LTSP chroot setup and maintenance

  debian-edu-doc             Update Debian Edu Bullseye manual from the
                             wiki; update translations

  distro-info-data           Update included data for Ubuntu 14.04 and 16.04
                             ESM; add Ubuntu 22.04 LTS

  docker.io                  Fix possible change of host file system
                             permissions [CVE-2021-41089]; lock down file
                             permissions in /var/lib/docker
                             [CVE-2021-41091]; prevent credentials being
                             sent to the default registry [CVE-2021-41092];
                             add support for "clone3" syscall in default
                             seccomp policy

  edk2                       Address Boot Guard TOCTOU vulnerability

  freeipmi                   Install pkgconfig files to correct location

  gdal                       Fix BAG 2.0 Extract support in LVBAG driver

  gerbv                      Fix out-of-bounds write issue [CVE-2021-40391]

  gmp                        Fix integer and buffer overflow issue

  golang-1.15                New upstream stable release; fix "net/http:
                             panic due to racy read of persistConn after
                             handler panic" [CVE-2021-36221]; fix
                             "archive/zip: overflow in preallocation check
                             can cause OOM panic" [CVE-2021-39293]; fix
                             buffer over-run issue [CVE-2021-38297], out of
                             bounds read issue [CVE-2021-41771], denial of
                             service issues [CVE-2021-44716 CVE-2021-44717]

  grass                      Fix parsing of GDAL formats where the
                             description contains a colon

  horizon                    Re-enable translations

  htmldoc                    Fix buffer overflow issues [CVE-2021-40985]

  im-config                  Prefer Fcitx5 over Fcitx4

  isync                      Fix multiple buffer overflow issues

  jqueryui                   Fix untrusted code execution issues
                             [CVE-2021-41182 CVE-2021-41183 CVE-2021-41184]

  jwm                        Fix crash when using "Move" menu item

  keepalived                 Fix overly broad DBus policy [CVE-2021-44225]

  keystone                   Resolve information leak allowing determination
                             of whether users exist [CVE-2021-38155]; apply
                             some performance improvements to the default

  kodi                       Fix buffer overflow in PLS playlists

  libayatana-indicator       Scale icons when loading from file; prevent
                             regular crashes in indicator applets

  libdatetime-timezone-perl  Update included data

  libencode-perl             Fix a memory leak in Encode.xs

  libseccomp                 Add support for syscalls up to Linux 5.15

  linux                      New upstream release; increase ABI to 10; RT:
                             update to 5.10.83-rt58

  lldpd                      Fix heap overflow issue [CVE-2021-43612]; do
                             not set VLAN tag if client did not set it

  mrtg                       Correct errors in variable names

  node-getobject             Resolve prototype pollution issue

  node-json-schema           Resolve prototype pollution issue

  open3d                     Ensure that python3-open3d depends on

  opendmarc                  Fix opendmarc-import; increase maximum
                             supported length of tokens in ARC_Seal headers,
                             resolving crashes

  plib                       Fix integer overflow issue [CVE-2021-38714]

  plocate                    Fix an issue where non-ASCII characters would
                             be wrongly escaped

  poco                       Fix installation of CMake files

  privoxy                    Fix memory leaks [CVE-2021-44540 CVE-2021-44541
                             CVE-2021-44542]; fix cross-site scripting issue

  publicsuffix               Update included data

  python-django              New upstream security release: fix potential
                             bypass of an upstream access control based on
                             URL paths [CVE-2021-44420]

  python-eventlet            Fix compatibility with dnspython 2

  python-virtualenv          Fix crash when using --no-setuptools

  ros-ros-comm               Fix denial of service issue [CVE-2021-37146]

  ruby-httpclient            Use system certificate store

  rustc-mozilla              New source package to support building of newer
                             firefox-esr and thunderbird versions

  supysonic                  Symlink jquery instead of loading it directly;
                             correctly symlink minimized bootstrap CSS files

  tzdata                     Update data for Fiji and Palestine

  udisks2                    Mount options: Always use errors=remount-ro for
                             ext filesystems [CVE-2021-3802]; use the mkfs
                             command to format exfat partitions; add
                             Recommends exfatprogs as preferred alternative

  ulfius                     Fix use of custom allocators with
                             ulfius_url_decode and ulfius_url_encode

  vim                        Fix heap overflows [CVE-2021-3770
                             CVE-2021-3778], use after free issue
                             [CVE-2021-3796]; remove vim-gtk alternatives
                             during vim-gtk -> vim-gtk3 transition, easing
                             upgrades from buster

  wget                       Fix downloads over 2GB on 32-bit systems
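For administrators who want to act on this announcement before the point
release lands, the script below is an added example; it is not part of the
announcement and not a Debian tool. It emits the apt source line for the
"bullseye-proposed-updates" suite named above (assuming the deb.debian.org
mirror CDN), and it extracts "package CVE-ID" pairs from a package table
laid out like the one above (package name starting in column 3,
continuation lines indented further) so they can be cross-checked against a
host's installed packages. The table excerpt and the installed-package list
inside the script are constructed from entries in the list above; on a real
host you would feed the announcement text and the output of dpkg-query
instead. It runs with POSIX sh and awk.

```sh
#!/bin/sh
# Added example (not Debian's own tooling). Assumes the SUA table layout:
# package names start in column 3, continuation lines are indented further.

# proposed_updates_source: apt source entry for the suite the announcement
# points at. deb.debian.org is the official mirror CDN (assumption: you use
# it rather than a local mirror). After adding it, run `apt-get update` and
# then `apt-get -t bullseye-proposed-updates install <pkg>` per package.
proposed_updates_source() {
    printf 'deb http://deb.debian.org/debian bullseye-proposed-updates main\n'
}

# sua_cve_pairs: read a SUA package table on stdin and print one
# "pkg CVE-ID" line per CVE mentioned, attributing the wrapped reason
# lines to the most recent package row.
sua_cve_pairs() {
    awk '
        /^  [^ ]/ { pkg = $1 }                  # table row: first word is the package
        pkg != "" {
            for (i = 1; i <= NF; i++) {
                w = $i
                gsub(/[^A-Za-z0-9-]/, "", w)    # strip the [ ] ; , around an ID
                if (w ~ /^CVE-[0-9][0-9][0-9][0-9]-[0-9]+$/) print pkg, w
            }
        }'
}

# installed_cves: given "pkg CVE" pairs on stdin and a newline-separated
# list of installed package names in $1, keep only pairs whose package is
# installed. On a host, $1 would be "$(dpkg-query -W -f '${Package}\n')".
installed_cves() {
    installed="$1"
    while read -r pkg cve; do
        if printf '%s\n' "$installed" | grep -qxF -- "$pkg"; then
            printf '%s %s\n' "$pkg" "$cve"
        fi
    done
    return 0
}

# sample_table: constructed excerpt copied from the SUA table above, used
# here as offline input. chrony has no CVE and wraps over three lines;
# vim has one CVE split across a line break with a trailing comma.
sample_table() {
    cat <<'EOF'
  chrony                     Fix binding a socket to a network device with a
                             name longer than 3 characters when the system
                             call filter is enabled

  docker.io                  Fix possible change of host file system
                             permissions [CVE-2021-41089]; lock down file
                             permissions in /var/lib/docker
                             [CVE-2021-41091]; prevent credentials being
                             sent to the default registry [CVE-2021-41092];
                             add support for "clone3" syscall in default
                             seccomp policy

  keepalived                 Fix overly broad DBus policy [CVE-2021-44225]

  vim                        Fix heap overflows [CVE-2021-3770
                             CVE-2021-3778], use after free issue
                             [CVE-2021-3796]; remove vim-gtk alternatives
                             during vim-gtk -> vim-gtk3 transition, easing
                             upgrades from buster
EOF
}

# Offline demonstration with a constructed installed-package list
# (docker.io and vim installed, keepalived not):
#   sample_table | sua_cve_pairs | installed_cves "$(printf 'docker.io\nvim\n')"
# On a real host:
#   sua_cve_pairs < SUA-209-1.txt | installed_cves "$(dpkg-query -W -f '${Package}\n')"
```

Bear in mind the caveat the announcement itself gives: fixes published
through security.debian.org are not in this table, so an empty result from
this check says nothing about those.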

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:


If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".

