----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 205-1        https://www.debian.org/
debian-release@lists.debian.org                            Adam D. Barratt
October 4th, 2021
----------------------------------------------------------------------------

Upcoming Debian 11 Update (11.1)

An update to Debian 11 is scheduled for Saturday, October 9th, 2021. As of
now it will include the following bug fixes. They can be found in
"bullseye-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "bullseye-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package                     Reason
-------                     ------
apache2                     Fix mod_proxy HTTP2 request line injection
                            [CVE-2021-33193]
apr                         Prevent out-of-bounds array dereference
atftp                       Fix buffer overflow [CVE-2021-41054]
automysqlbackup             Fix crash when using LATEST=yes
base-files                  Update for the 11.1 point release
btrbk                       Fix arbitrary code execution issue
                            [CVE-2021-38173]
c-ares                      Fix missing input validation on hostnames
                            returned by DNS servers [CVE-2021-3672]
clamav                      New upstream stable release; fix clamdscan
                            segfaults when --fdpass and --multipass are
                            used together with ExcludePath
cloud-init                  Avoid duplicate includedir in /etc/sudoers
cyrus-imapd                 Fix denial-of-service issue [CVE-2021-33582]
dazzdb                      Fix a use-after-free in DBstats
debian-edu-config           debian-edu-ltsp-install: extend main server
                            related exclude list; add slapd and
                            xrdp-sesman to the list of masked services
detox                       Fix handling of large files
devscripts                  Make --bpo target bullseye-backports
dlt-viewer                  Add missing qdlt/qdlt*.h header files to dev
                            package
dpdk                        New upstream stable release
exiv2                       Fix overflow issues [CVE-2021-29457
                            CVE-2021-31292]
fetchmail                   Fix segmentation fault and security regression
flatpak                     New upstream stable release; don't inherit an
                            unusual $XDG_RUNTIME_DIR setting into the
                            sandbox
freeradius                  Fix thread crash, sample configuration
galera-3                    New upstream stable release
galera-4                    New upstream stable release; solve circular
                            Conflicts with galera-3 by no longer providing
                            a virtual "galera" package
glewlwyd                    Fix possible buffer overflow during FIDO2
                            signature validation in webauthn registration
                            [CVE-2021-40818]
glibc                       Restart openssh-server even if it has been
                            deconfigured during the upgrade; fix text
                            fallback when debconf is unusable
gnome-maps                  New upstream stable release; fix a crash when
                            starting up with last-used map type being
                            aerial, and no aerial tile definition is
                            found; don't sometimes write broken last view
                            position on exit; fix hang when dragging
                            around route markers
gnome-shell                 New upstream stable release; fix freeze after
                            cancelling (some) system-modal dialogs; fix
                            word suggestions in on-screen keyboard; fix
                            crashes
hdf5                        Adjust package dependencies to improve upgrade
                            paths from older releases
iotop-c                     Properly handle UTF-8 process names
jailkit                     Fix creation of jails that need to use /dev;
                            fix library presence check
java-atk-wrapper            Also use dbus to detect accessibility being
                            enabled
krb5                        Fix KDC null dereference crash on FAST request
                            with no server field [CVE-2021-37750]; fix
                            memory leak in krb5_gss_inquire_cred
libavif                     Use correct libdir in libavif.pc pkgconfig
                            file
libbluray                   Switch to embedded libasm. The version from
                            libasm-java is too new
libdatetime-timezone-perl   New upstream stable release; update DST rules
                            for Samoa and Jordan; confirmation of no leap
                            second on 2021-12-31
libencode-perl              Encode: mitigate @INC pollution when loading
                            ConfigLocal [CVE-2021-36770]
libslirp                    Fix multiple buffer overflow issues
                            [CVE-2021-3592 CVE-2021-3593 CVE-2021-3594
                            CVE-2021-3595]
libspf2                     spf_compile.c: Correct size of ds_avail
                            [CVE-2021-20314]; fix 'reverse' macro modifier
linux                       New upstream stable release; increase ABI to
                            9; [rt] Update to 5.10.65-rt53; [mipsel] bpf,
                            mips: Validate conditional branch offsets
                            [CVE-2021-38300]
lynx                        Fix leakage of credentials if SNI was used
                            together with a URL containing credentials
                            [CVE-2021-38165]
mariadb-10.5                New upstream stable release; security fixes
                            [CVE-2021-2372 CVE-2021-2389]
mbrola                      Fix end of file detection
modsecurity-crs             Fix request body bypass issue [CVE-2021-35368]
mtr                         Fix regression in JSON output
mutter                      New upstream stable release; kms: Improve
                            handling of common video modes that might
                            exceed the possible bandwidth; ensure valid
                            window texture size after viewport changes
nautilus                    Avoid opening multiple selected files in
                            multiple application instances; don't save
                            window size and position when tiled; fix some
                            memory leaks; update translations
node-ansi-regex             Fix regular expression-based denial of service
                            issue [CVE-2021-3807]
node-axios                  Fix regular expression-based denial of service
                            issue [CVE-2021-3749]
node-object-path            Fix prototype pollution issues [CVE-2021-23434
                            CVE-2021-3805]
node-prismjs                Fix regular expression-based denial of service
                            issue [CVE-2021-3801]
node-set-value              Fix prototype pollution [CVE-2021-23440]
node-tar                    Remove non-directory paths from the directory
                            cache [CVE-2021-32803]; strip absolute paths
                            more comprehensively [CVE-2021-32804]
nodejs                      New upstream stable release; fix use after
                            free issue [CVE-2021-22930]
osmcoastline                Fix projections other than WGS84
osmpbf                      Rebuild against protobuf 3.12.4
pam                         Fix syntax error in libpam0g.postinst when a
                            systemd unit fails
perl                        Encode: mitigate @INC pollution when loading
                            ConfigLocal [CVE-2021-36770]; fix a regular
                            expression memory leak
pglogical                   Update for PostgreSQL 13.4 snapshot handling
                            fixes
pmdk                        Fix missing barriers after non-temporal memcpy
postgresql-13               New upstream stable release; fix mis-planning
                            of repeated application of a projection step
                            [CVE-2021-3677]; disallow SSL renegotiation
                            more completely
proftpd-dfsg                Fix "mod_radius leaks memory contents to
                            radius server" and "sftp connection aborts
                            with "Corrupted MAC on input""; skip escaping
                            of already-escaped SQL text
pyx3                        Fix horizontal font alignment issue with
                            texlive 2020
reportbug                   Update suite names following bullseye release
request-tracker4            Fix login timing side-channel attack issue
                            [CVE-2021-38562]
rhonabwy                    Fix jwe cbc tag computation and jws alg:none
                            signature verification
rpki-trust-anchors          Add HTTPS URL to the LACNIC TAL
rsync                       Re-add --copy-devices; fix regression in
                            --delay-updates; fix edge case in --mkpath;
                            fix rsync-ssl; fix --sparse and --inplace;
                            update options available to rrsync;
                            documentation fixes
ruby-rqrcode-rails3         Fix for ruby-rqrcode 1.0 compatibility
sabnzbdplus                 Prevent directory escape in renamer function
                            [CVE-2021-29488]
shellcheck                  Fix rendering of long options in manpage
shiro                       Fix authentication bypass issues
                            [CVE-2020-1957 CVE-2020-11989 CVE-2020-13933
                            CVE-2020-17510]; update Spring Framework
                            compatibility patch; support Guice 4
speech-dispatcher           Fix setting voice name for the generic module
telegram-desktop            Avoid crash when auto-delete is enabled
termshark                   Include themes in package
tmux                        Fix a race condition which results in the
                            config not being loaded if several clients
                            are interacting with the server while it's
                            initializing
tomcat9                     Fix authentication bypass issue
                            [CVE-2021-30640] and request smuggling issue
                            [CVE-2021-33037]
txt2man                     Fix regression in handling display blocks
tzdata                      Update DST rules for Samoa and Jordan; confirm
                            the absence of a leap second on 2021-12-31
ublock-origin               New upstream stable release; fix denial of
                            service issue [CVE-2021-36773]
ulfius                      Ensure memory is initialised before use
                            [CVE-2021-40540]
xmlgraphics-commons         Fix server side request forgery issue
                            [CVE-2020-11988]

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>

If you encounter any issues, please don't hesitate to get in touch with
the Debian Release Team at "debian-release@lists.debian.org".