----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 205-1 https://www.debian.org/
debian-release@lists.debian.org Adam D. Barratt
October 4th, 2021
----------------------------------------------------------------------------
Upcoming Debian 11 Update (11.1)
An update to Debian 11 is scheduled for Saturday, October 9th, 2021. As of now
it will include the following bug fixes. They can be found in "bullseye-
proposed-updates", which is carried by all official mirrors.
Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bullseye-updates".
Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.
The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------
This stable update adds a few important corrections to the following
packages:
Package Reason
------- ------
apache2 Fix mod_proxy HTTP2 request line injection
[CVE-2021-33193]
apr Prevent out-of-bounds array dereference
atftp Fix buffer overflow [CVE-2021-41054]
automysqlbackup Fix crash when using LATEST=yes
base-files Update for the 11.1 point release
btrbk Fix arbitrary code execution issue
[CVE-2021-38173]
c-ares Fix missing input validation on hostnames
returned by DNS servers [CVE-2021-3672]
clamav New upstream stable release; fix clamdscan
segfaults when --fdpass and --multipass are
used together with ExcludePath
cloud-init Avoid duplicate includedir in /etc/sudoers
cyrus-imapd Fix denial-of-service issue [CVE-2021-33582]
dazzdb Fix a use-after-free in DBstats
debian-edu-config debian-edu-ltsp-install: extend main server
related exclude list; add slapd and xrdp-sesman
to the list of masked services
detox Fix handling of large files
devscripts Make --bpo target bullseye-backports
dlt-viewer Add missing qdlt/qdlt*.h header files to dev
package
dpdk New upstream stable release
exiv2 Fix overflow issues [CVE-2021-29457
CVE-2021-31292]
fetchmail Fix segmentation fault and security regression
flatpak New upstream stable release; don't inherit an
unusual $XDG_RUNTIME_DIR setting into the
sandbox
freeradius Fix thread crash, sample configuration
galera-3 New upstream stable release
galera-4 New upstream stable release; solve circular
Conflicts with galera-3 by no longer providing
a virtual "galera" package
glewlwyd Fix possible buffer overflow during FIDO2
signature validation in webauthn registration
[CVE-2021-40818]
glibc Restart openssh-server even if it has been
deconfigured during the upgrade; fix text
fallback when debconf is unusable
gnome-maps New upstream stable release; fix a crash when
starting up with last-used map type being
aerial, and no aerial tile definition is found;
don't sometimes write broken last view position
on exit; fix hang when dragging around route
markers
gnome-shell New upstream stable release; fix freeze after
cancelling (some) system-modal dialogs; fix
word suggestions in on-screen keyboard; fix
crashes
hdf5 Adjust package dependencies to improve upgrade
paths from older releases
iotop-c Properly handle UTF-8 process names
jailkit Fix creation of jails that need to use /dev;
fix library presence check
java-atk-wrapper Also use dbus to detect accessibility being
enabled
krb5 Fix KDC null dereference crash on FAST request
with no server field [CVE-2021-37750]; fix
memory leak in krb5_gss_inquire_cred
libavif Use correct libdir in libavif.pc pkgconfig file
libbluray Switch to embedded libasm. The version from
libasm-java is too new
libdatetime-timezone-perl New upstream stable release; update DST rules
for Samoa and Jordon; confirmation of no leap
second on 2021-12-31
libencode-perl Encode: mitigate @INC pollution when loading
ConfigLocal [CVE-2021-36770]
libslirp Fix multiple buffer overflow issues
[CVE-2021-3592 CVE-2021-3593 CVE-2021-3594
CVE-2021-3595]
libspf2 spf_compile.c: Correct size of ds_avail
[CVE-2021-20314]; fix 'reverse' macro modifier
linux New upstream stable release; increase ABI to 9;
[rt] Update to 5.10.65-rt53; [mipsel] bpf,
mips: Validate conditional branch offsets
[CVE-2021-38300]
lynx Fix leakage of credentials if SNI was used
together with a URL containing credentials
[CVE-2021-38165]
mariadb-10.5 New upstream stable release; security fixes
[CVE-2021-2372 CVE-2021-2389]
mbrola Fix end of file detection
modsecurity-crs Fix request body bypass issue [CVE-2021-35368]
mtr Fix regression in JSON output
mutter New upstream stable release; kms: Improve
handling of common video modes that might
exceed the possible bandwidth; ensure valid
window texture size after viewport changes
nautilus Avoid opening multiple selected files in
multiple application instances; don't save
window size and position when tiled; fix some
memory leaks; update translations
node-ansi-regex Fix regular expression-based denial of service
issue [CVE-2021-3807]
node-axios Fix regular expression-based denial of service
issue [CVE-2021-3749]
node-object-path Fix prototype pollution issues [CVE-2021-23434
CVE-2021-3805]
node-prismjs Fix regular expression-based denial of service
issue [CVE-2021-3801]
node-set-value Fix prototype pollution [CVE-2021-23440]
node-tar Remove non-directory paths from the directory
cache [CVE-2021-32803]; strip absolute paths
more comprehensively [CVE-2021-32804]
nodejs New upstream stable release; fix use after
free issue [CVE-2021-22930]
osmcoastline Fix projections other than WGS84
osmpbf Rebuild against protobuf 3.12.4
pam Fix syntax error in libpam0g.postinst when a
systemd unit fails
perl Encode: mitigate @INC pollution when loading
ConfigLocal [CVE-2021-36770]; fix a regular
expression memory leak
pglogical Update for PostgreSQL 13.4 snapshot handling
fixes
pmdk Fix missing barriers after non-temporal memcpy
postgresql-13 New upstream stable release; fix mis-planning
of repeated application of a projection step
[CVE-2021-3677]; disallow SSL renegotiation
more completely
proftpd-dfsg Fix "mod_radius leaks memory contents to radius
server" and "sftp connection aborts with
"Corrupted MAC on input""; skip escaping of
already-escaped SQL text
pyx3 Fix horizontal font alignment issue with
texlive 2020
reportbug Update suite names following bullseye release
request-tracker4 Fix login timing side-channel attack issue
[CVE-2021-38562]
rhonabwy Fix jwe cbc tag computation and jws alg:none
signature verification
rpki-trust-anchors Add HTTPS URL to the LACNIC TAL
rsync Re-add --copy-devices; fix regression in
--delay-updates; fix edge case in --mkpath; fix
rsync-ssl; fix --sparce and --inplace; update
options available to rrsync; documentation
fixes
ruby-rqrcode-rails3 Fix for ruby-rqrcode 1.0 compatibility
sabnzbdplus Prevent directory escape in renamer function
[CVE-2021-29488]
shellcheck Fix rendering of long options in manpage
shiro Fix authentication bypass issues [CVE-2020-1957
CVE-2020-11989 CVE-2020-13933 CVE-2020-17510];
update Spring Framework compatibility patch;
support Guice 4
speech-dispatcher Fix setting voice name for the generic module
telegram-desktop Avoid crash when auto-delete is enabled
termshark Include themes in package
tmux Fix a race condition which results in the
config not being loaded if several clients are
interacting with the server while it's
initializing
tomcat9 Fix authentication bypass issue [CVE-2021-30640]
and request smuggling issue [CVE-2021-33037]
txt2man Fix regression in handling display blocks
tzdata Update DST rules for Samoa and Jordan; confirm
the absence of a leap second on 2021-12-31
ublock-origin New upstream stable release; fix denial of
service issue [CVE-2021-36773]
ulfius Ensure memory is initialised before use
[CVE-2021-40540]
xmlgraphics-commons Fix server side request forgery issue
[CVE-2020-11988]
A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:
<https://release.debian.org/proposed-updates/stable.html>
If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
Attachment:
signature.asc
Description: This is a digitally signed message part