[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SUA 217-1] Upcoming Debian 11 Update (11.4)

Debian Stable Updates Announcement SUA 217-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
July 4th, 2022

Upcoming Debian 11 Update (11.4)

An update to Debian 11 is scheduled for Saturday, July 9th, 2022. As of now
it will include the following bug fixes. They can be found in "bullseye-
proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bullseye-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following

  Package                    Reason
  -------                    ------

  apache2                    New upstream stable release; fix HTTP request
                             smuggling issue [CVE-2022-26377], out-of-bounds
                             read issues [CVE-2022-28330 CVE-2022-28614
                             CVE-2022-28615], denial of service issues
                             [CVE-2022-29404 CVE-2022-30522], possible out-
                             of-bounds read issue [CVE-2022-30556], possible
                             IP-based authentication bypass issue

  base-files                 Update /etc/debian_version for the 11.4 point

  bash                       Fix 1-byte buffer overflow read, causing
                             corrupted multibyte characters in command

  clamav                     New upstream stable release; security fixes
                             [CVE-2022-20770 CVE-2022-20771 CVE-2022-20785
                             CVE-2022-20792 CVE-2022-20796]

  clementine                 Add missing dependency on libqt5sql5-sqlite

  composer                   Fix code injection issue [CVE-2022-24828];
                             update GitHub token pattern

  cyrus-imapd                Ensure that all mailboxes have a "uniqueid"
                             field, fixing upgrades to version 3.6

  dbus-broker                Fix buffer overflow issue [CVE-2022-31212]

  debian-edu-config          Accept mail from the local network sent to
                             root@<mynetwork-names>; only create Kerberos
                             host and service principals if they don't yet
                             exist; ensure libsss-sudo is installed on
                             Roaming Workstations; fix naming and visibility
                             of print queues; support krb5i on Diskless
                             Workstations; squid: prefer DNSv4 lookups over

  distro-info-data           Add Ubuntu 22.10, Kinetic Kudu

  docker.io                  Order docker.service after containerd.service
                             to fix shutdown of containers; explicitly pass
                             the containerd socket path to dockerd to make
                             sure it doesn't start containerd on its own

  dpkg                       dpkg-deb: Fix unexpected end of file conditions
                             on .deb extract; libdpkg: Do not restrict
                             source:* virtual fields to installed packages;
                             Dpkg::Source::Package::V2: Always fix the
                             permissions for upstream tarballs (regression
                             from DSA-5147-1]

  freetype                   Fix buffer overflow issue [CVE-2022-27404]; fix
                             crashes [CVE-2022-27405 CVE-2022-27406]

  fribidi                    Fix buffer overflow issues [CVE-2022-25308
                             CVE-2022-25309]; fix crash [CVE-2022-25310]

  ganeti                     New upstream release; fix several upgrade
                             issues; fix live migration with QEMU 4 and
                             "security_model" of "user" or "pool"

  geeqie                     Fix Ctrl click inside of a block selection

  gnutls28                   Fix SSSE3 SHA384 miscalculation; fix null
                             pointer deference issue [CVE-2021-4209]

  golang-github-             Fix null pointer dereference caused by crafted
     russellhaering-         XML signatures [CVE-2020-7711]

  grunt                      Fix path traversal issue [CVE-2022-0436]

  hdmi2usb-mode-switch       udev: Add a suffix to /dev/video device nodes
                             to disambiguate them; move udev rules to
                             priority 70, to come after

  hexchat                    Add missing dependency on python3-cffi-backend

  htmldoc                    Fix infinite loop [CVE-2022-24191], integer
                             overflow issues [CVE-2022-27114] and heap
                             buffer overflow issue [CVE-2022-28085]

  knot-resolver              Fix possible assertion failure in NSEC3 edge-
                             case [CVE-2021-40083]

  libapache2-mod-auth-       New upstream stable release; fix open redirect
     openidc                 issue [CVE-2021-39191]; fix crash on reload /

  libintl-perl               Really install gettext_xs.pm

  libsdl2                    Avoid out-of-bounds read while loading
                             malformed BMP file [CVE-2021-33657], and during
                             YUV to RGB conversion

  libtgowt                   New upstream stable release, to support newer

  linux                      New upstream stable release; increase ABI to 16

  linux-signed-amd64         New upstream stable release; increase ABI to 16

  linux-signed-arm64         New upstream stable release; increase ABI to 16

  linux-signed-i386          New upstream stable release; increase ABI to 16

  logrotate                  Skip locking if state file is world-readable
                             [CVE-2022-1348]; make configuration parsing
                             stricter in order to avoid parsing foreign
                             files such as core dumps

  lxc                        Update default GPG key server, fixing creating
                             of containers using the "download" template

  minidlna                   Validate HTTP requests to protect against DNS
                             rebinding attacks [CVE-2022-26505]

  mutt                       Fix uudecode buffer overflow issue

  nano                       Several bug fixes, including crashes

  needrestart                Make cgroup detection for services and user
                             sessions cgroup v2 aware

  network-manager            New upstream stable release

  nginx                      Fix crash when libnginx-mod-http-lua is loaded
                             and init_worker_by_lua* is used; mitigate
                             application layer protocol content confusion
                             attack in the Mail module [CVE-2021-3618]

  node-ejs                   Fix server-side template injection issue

  node-eventsource           Sttrip sensitive headers on redirect to
                             different origin [CVE-2022-1650]

  node-got                   Don't allow redirection to Unix socket

  node-mermaid               Fix cross-site scripting issue
                             [CVE-2021-23648]; fix cross-site scripting
                             issue [CVE-2021-43861]

  node-minimist              Fix prototype pollution issue [CVE-2021-44906]

  node-moment                Fix path traversal issue [CVE-2022-24785]

  node-node-forge            Fix signature verification issues
                             [CVE-2022-24771 CVE-2022-24772 CVE-2022-24773]

  node-raw-body              Fix potential denial of service issue in node-
                             express, by using node-iconv-lite rather than

  node-sqlite3               Fix denial of service issue [CVE-2022-21227]

  node-url-parse             Fix authentication bypass issues [CVE-2022-0686

  nvidia-cuda-toolkit        Use OpenJDK8 snapshots for amd64 and ppc64el;
                             check usability of the java binary; nsight-
                             compute: Move the 'sections' folder to a
                             multiarch location

  nvidia-graphics-drivers    New upstream release; switch to upstream 470
                             tree; fix denial of service issues
                             [CVE-2022-21813 CVE-2022-21814]; new upstream
                             stable release; fix out-of-bounds write issue
                             [CVE-2022-28181], out-of-bounds read issue
                             [CVE-2022-28183], denial of service issues
                             [CVE-2022-28184 CVE-2022-28191 CVE-2022-28192]

  nvidia-graphics-drivers-   New upstream release; fix out-of-bound write
     legacy-390xx            issues [CVE-2022-28181 CVE-2022-28185]

  nvidia-graphics-drivers-   New upstream stable release

  nvidia-graphics-drivers-   New upstream stable release; fix out-of-bounds
     tesla-450               write issues [CVE-2022-28181 CVE-2022-28185],
                             denial of service issue [CVE-2022-28192]

  nvidia-graphics-drivers-   New upstream stable release

  nvidia-graphics-drivers-   New package, switching Tesla support to
     tesla-470               upstream 470 tree; fix out-of-bounds write
                             issue [CVE-2022-28181], out-of-bounds read
                             issue [CVE-2022-28183], denial of service
                             issues [CVE-2022-28184 CVE-2022-28191

  nvidia-persistenced        New upstream release; switch to upstream 470

  nvidia-settings            New upstream release; switch to upstream 470

  nvidia-settings-tesla-470  New package, switching Tesla support to
                             upstream 470 tree

  nvidia-xconfig             New upstream release

  openssh                    seccomp: add pselect6_time64 syscall on 32-bit

  orca                       Fix usage with webkitgtk 2.36

  php-guzzlehttp-psr7        Fix improper header parsing [CVE-2022-24775]

  phpmyadmin                 Fix some SQL queries generating a server error

  postfix                    New upstream stable release; do not override
                             user set default_transport in postinst; if-
                             up.d: do not error out if postfix can't send
                             mail yet

  procmail                   Fix null pointer dereference

  python-scrapy              Don't send authentication data with all
                             requests [CVE-2021-41125]; don't expose cookies
                             cross-domain when redirecting [CVE-2022-0577]

  ruby-net-ssh               Fix authentication against systems using
                             OpenSSH 8.8

  runc                       Honour seccomp defaultErrnoRet; do not set
                             inheritable capabilities [CVE-2022-29162]

  samba                      Fix winbind start failure when "allow trusted
                             domains = no" is used; fix MIT Kerberos
                             authentication; fix share escape issue via
                             mkdir race condition [CVE-2021-43566]; fix
                             possible serious data corruption issue due to
                             Windows client cache poisoning; fix
                             installation on non-systemd systems

  tcpdump                    Update AppArmor profile to allow access to
                             *.cap files, and handle numerical suffix in
                             filenames added by -W

  telegram-desktop           New upstream stable release, restoring

  tigervnc                   Fix GNOME desktop start up when using
                             tigervncserver@.service; fix colour display
                             when vncviewer and X11 server use different

  twisted                    Fix information disclosure issue with cross-
                             domain redirects [CVE-2022-21712], denial of
                             service issue during SSH handshakes
                             [CVE-2022-21716], HTTP request smuggling issues

  tzdata                     Update timezone data for Palestine; update leap
                             second list

  ublock-origin              New upstream stable release

  unrar-nonfree              Fix directory traversal issue [CVE-2022-30333]

  usb.ids                    New upstream release; update included data

  wireless-regdb             New upstream release; remove diversion added by
                             the installer, ensuring that files from the
                             package are used

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:


Removed packages

The following packages will be removed due to circumstances beyond our

  Package                    Reason
  -------                    ------

  elog                       Unmaintained; security issues

  obfs4proxy                 Security issues

  python-hbmqtt              Unamintained and broken

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: