
[SUA 217-1] Upcoming Debian 11 Update (11.4)



----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 217-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
July 4th, 2022
----------------------------------------------------------------------------

Upcoming Debian 11 Update (11.4)

An update to Debian 11 is scheduled for Saturday, July 9th, 2022. As of now
it will include the following bug fixes. They can be found in "bullseye-
proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bullseye-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

  Package                    Reason
  -------                    ------

  apache2                    New upstream stable release; fix HTTP request
                             smuggling issue [CVE-2022-26377], out-of-bounds
                             read issues [CVE-2022-28330 CVE-2022-28614
                             CVE-2022-28615], denial of service issues
                             [CVE-2022-29404 CVE-2022-30522], possible out-
                             of-bounds read issue [CVE-2022-30556], possible
                             IP-based authentication bypass issue
                             [CVE-2022-31813]

  base-files                 Update /etc/debian_version for the 11.4 point
                             release

  bash                       Fix 1-byte buffer overflow read, causing
                             corrupted multibyte characters in command
                             substitutions

  clamav                     New upstream stable release; security fixes
                             [CVE-2022-20770 CVE-2022-20771 CVE-2022-20785
                             CVE-2022-20792 CVE-2022-20796]

  clementine                 Add missing dependency on libqt5sql5-sqlite

  composer                   Fix code injection issue [CVE-2022-24828];
                             update GitHub token pattern

  cyrus-imapd                Ensure that all mailboxes have a "uniqueid"
                             field, fixing upgrades to version 3.6

  dbus-broker                Fix buffer overflow issue [CVE-2022-31212]

  debian-edu-config          Accept mail from the local network sent to
                             root@<mynetwork-names>; only create Kerberos
                             host and service principals if they don't yet
                             exist; ensure libsss-sudo is installed on
                             Roaming Workstations; fix naming and visibility
                             of print queues; support krb5i on Diskless
                             Workstations; squid: prefer DNSv4 lookups over
                             DNSv6

  distro-info-data           Add Ubuntu 22.10, Kinetic Kudu

  docker.io                  Order docker.service after containerd.service
                             to fix shutdown of containers; explicitly pass
                             the containerd socket path to dockerd to make
                             sure it doesn't start containerd on its own

  dpkg                       dpkg-deb: Fix unexpected end of file conditions
                             on .deb extract; libdpkg: Do not restrict
                             source:* virtual fields to installed packages;
                             Dpkg::Source::Package::V2: Always fix the
                             permissions for upstream tarballs (regression
                             from DSA-5147-1)

  freetype                   Fix buffer overflow issue [CVE-2022-27404]; fix
                             crashes [CVE-2022-27405 CVE-2022-27406]

  fribidi                    Fix buffer overflow issues [CVE-2022-25308
                             CVE-2022-25309]; fix crash [CVE-2022-25310]

  ganeti                     New upstream release; fix several upgrade
                             issues; fix live migration with QEMU 4 and
                             "security_model" of "user" or "pool"

  geeqie                     Fix Ctrl click inside of a block selection

  gnutls28                   Fix SSSE3 SHA384 miscalculation; fix null
                             pointer dereference issue [CVE-2021-4209]

  golang-github-             Fix null pointer dereference caused by crafted
     russellhaering-         XML signatures [CVE-2020-7711]
     goxmldsig

  grunt                      Fix path traversal issue [CVE-2022-0436]

  hdmi2usb-mode-switch       udev: Add a suffix to /dev/video device nodes
                             to disambiguate them; move udev rules to
                             priority 70, to come after
                             60-persistent-v4l.rules

  hexchat                    Add missing dependency on python3-cffi-backend

  htmldoc                    Fix infinite loop [CVE-2022-24191], integer
                             overflow issues [CVE-2022-27114] and heap
                             buffer overflow issue [CVE-2022-28085]

  knot-resolver              Fix possible assertion failure in NSEC3 edge-
                             case [CVE-2021-40083]

  libapache2-mod-auth-       New upstream stable release; fix open redirect
     openidc                 issue [CVE-2021-39191]; fix crash on reload /
                             restart

  libintl-perl               Really install gettext_xs.pm

  libsdl2                    Avoid out-of-bounds read while loading
                             malformed BMP file [CVE-2021-33657], and during
                             YUV to RGB conversion

  libtgowt                   New upstream stable release, to support newer
                             telegram-desktop

  linux                      New upstream stable release; increase ABI to 16

  linux-signed-amd64         New upstream stable release; increase ABI to 16

  linux-signed-arm64         New upstream stable release; increase ABI to 16

  linux-signed-i386          New upstream stable release; increase ABI to 16

  logrotate                  Skip locking if state file is world-readable
                             [CVE-2022-1348]; make configuration parsing
                             stricter in order to avoid parsing foreign
                             files such as core dumps

  lxc                        Update default GPG key server, fixing creation
                             of containers using the "download" template

  minidlna                   Validate HTTP requests to protect against DNS
                             rebinding attacks [CVE-2022-26505]

  mutt                       Fix uudecode buffer overflow issue
                             [CVE-2022-1328]

  nano                       Several bug fixes, including crashes

  needrestart                Make cgroup detection for services and user
                             sessions cgroup v2 aware

  network-manager            New upstream stable release

  nginx                      Fix crash when libnginx-mod-http-lua is loaded
                             and init_worker_by_lua* is used; mitigate
                             application layer protocol content confusion
                             attack in the Mail module [CVE-2021-3618]

  node-ejs                   Fix server-side template injection issue
                             [CVE-2022-29078]

  node-eventsource           Strip sensitive headers on redirect to
                             different origin [CVE-2022-1650]

  node-got                   Don't allow redirection to Unix socket
                             [CVE-2022-33987]

  node-mermaid               Fix cross-site scripting issue
                             [CVE-2021-23648]; fix cross-site scripting
                             issue [CVE-2021-43861]

  node-minimist              Fix prototype pollution issue [CVE-2021-44906]

  node-moment                Fix path traversal issue [CVE-2022-24785]

  node-node-forge            Fix signature verification issues
                             [CVE-2022-24771 CVE-2022-24772 CVE-2022-24773]

  node-raw-body              Fix potential denial of service issue in node-
                             express, by using node-iconv-lite rather than
                             node-iconv

  node-sqlite3               Fix denial of service issue [CVE-2022-21227]

  node-url-parse             Fix authentication bypass issues [CVE-2022-0686
                             CVE-2022-0691]

  nvidia-cuda-toolkit        Use OpenJDK8 snapshots for amd64 and ppc64el;
                             check usability of the java binary; nsight-
                             compute: Move the 'sections' folder to a
                             multiarch location

  nvidia-graphics-drivers    New upstream release; switch to upstream 470
                             tree; fix denial of service issues
                             [CVE-2022-21813 CVE-2022-21814]; new upstream
                             stable release; fix out-of-bounds write issue
                             [CVE-2022-28181], out-of-bounds read issue
                             [CVE-2022-28183], denial of service issues
                             [CVE-2022-28184 CVE-2022-28191 CVE-2022-28192]

  nvidia-graphics-drivers-   New upstream release; fix out-of-bound write
     legacy-390xx            issues [CVE-2022-28181 CVE-2022-28185]

  nvidia-graphics-drivers-   New upstream stable release
     tesla-418

  nvidia-graphics-drivers-   New upstream stable release; fix out-of-bounds
     tesla-450               write issues [CVE-2022-28181 CVE-2022-28185],
                             denial of service issue [CVE-2022-28192]

  nvidia-graphics-drivers-   New upstream stable release
     tesla-460

  nvidia-graphics-drivers-   New package, switching Tesla support to
     tesla-470               upstream 470 tree; fix out-of-bounds write
                             issue [CVE-2022-28181], out-of-bounds read
                             issue [CVE-2022-28183], denial of service
                             issues [CVE-2022-28184 CVE-2022-28191
                             CVE-2022-28192]

  nvidia-persistenced        New upstream release; switch to upstream 470
                             tree

  nvidia-settings            New upstream release; switch to upstream 470
                             tree

  nvidia-settings-tesla-470  New package, switching Tesla support to
                             upstream 470 tree

  nvidia-xconfig             New upstream release

  openssh                    seccomp: add pselect6_time64 syscall on 32-bit
                             architectures

  orca                       Fix usage with webkitgtk 2.36

  php-guzzlehttp-psr7        Fix improper header parsing [CVE-2022-24775]

  phpmyadmin                 Fix some SQL queries generating a server error

  postfix                    New upstream stable release; do not override
                             user set default_transport in postinst; if-
                             up.d: do not error out if postfix can't send
                             mail yet

  procmail                   Fix null pointer dereference

  python-scrapy              Don't send authentication data with all
                             requests [CVE-2021-41125]; don't expose cookies
                             cross-domain when redirecting [CVE-2022-0577]

  ruby-net-ssh               Fix authentication against systems using
                             OpenSSH 8.8

  runc                       Honour seccomp defaultErrnoRet; do not set
                             inheritable capabilities [CVE-2022-29162]

  samba                      Fix winbind start failure when "allow trusted
                             domains = no" is used; fix MIT Kerberos
                             authentication; fix share escape issue via
                             mkdir race condition [CVE-2021-43566]; fix
                             possible serious data corruption issue due to
                             Windows client cache poisoning; fix
                             installation on non-systemd systems

  tcpdump                    Update AppArmor profile to allow access to
                             *.cap files, and handle numerical suffix in
                             filenames added by -W

  telegram-desktop           New upstream stable release, restoring
                             functionality

  tigervnc                   Fix GNOME desktop start up when using
                             tigervncserver@.service; fix colour display
                             when vncviewer and X11 server use different
                             endianness

  twisted                    Fix information disclosure issue with cross-
                             domain redirects [CVE-2022-21712], denial of
                             service issue during SSH handshakes
                             [CVE-2022-21716], HTTP request smuggling issues
                             [CVE-2022-24801]

  tzdata                     Update timezone data for Palestine; update leap
                             second list

  ublock-origin              New upstream stable release

  unrar-nonfree              Fix directory traversal issue [CVE-2022-30333]

  usb.ids                    New upstream release; update included data

  wireless-regdb             New upstream release; remove diversion added by
                             the installer, ensuring that files from the
                             package are used
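
To find out which of the fixes above matter on a particular host, the table
can be matched against what dpkg reports as installed. The following script
is an added example, not part of this announcement and not a Debian tool: it
parses the package/reason table in the layout used above (package name from
column 2, wrapped names continued with a five-space indent, wrapped reasons
continued under the Reason column, lines with no indent treated as prose and
skipped), extracts the CVE identifiers from each reason, and joins the result
against the output of
dpkg-query -W -f='${source:Package}\t${binary:Package}\t${Version}\n'.
Matching on the source:Package field is deliberate: the table lists source
packages, while dpkg installs binaries with different names (apache2-bin,
linux-image-*). The embedded table excerpt and dpkg-query output are
constructed samples; the versions in them are illustrative.

```python
import re
import sys

# Constructed excerpt of the package table in SUA 217-1, in the announcement's
# own layout. The two leading prose lines show that text outside the table is
# ignored by the parser.
SUA_TABLE = """\
This stable update adds a few important corrections to the following
packages:

  Package                    Reason
  -------                    ------

  apache2                    New upstream stable release; fix HTTP request
                             smuggling issue [CVE-2022-26377], out-of-bounds
                             read issues [CVE-2022-28330 CVE-2022-28614
                             CVE-2022-28615]

  base-files                 Update /etc/debian_version for the 11.4 point
                             release

  golang-github-             Fix null pointer dereference caused by crafted
     russellhaering-         XML signatures [CVE-2020-7711]
     goxmldsig

  node-eventsource           Strip sensitive headers on redirect to
                             different origin [CVE-2022-1650]
"""

# Constructed sample of
#   dpkg-query -W -f='${source:Package}\t${binary:Package}\t${Version}\n'
# on a hypothetical bullseye host; the versions are illustrative only.
DPKG_QUERY = (
    "apache2\tapache2\t2.4.53-1~deb11u1\n"
    "apache2\tapache2-bin\t2.4.53-1~deb11u1\n"
    "base-files\tbase-files\t11.1+deb11u3\n"
    "glibc\tlibc6:amd64\t2.31-13+deb11u3\n"
    "node-eventsource\tnode-eventsource\t1.1.0-1\n"
    "linux-signed-amd64\tlinux-image-5.10.0-15-amd64\t5.10.120-1\n"
)

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_sua_table(text):
    """Map source package -> {"reason": str, "cves": [sorted CVE ids]}."""
    entries, current, in_table = [], None, False
    for line in text.splitlines():
        body = line.strip()
        indent = len(line) - len(line.lstrip(" "))
        if body.startswith("Package") and "Reason" in body:   # column header
            in_table, current = True, None
        elif not body or body.startswith("---"):              # entry separator
            current = None
        elif indent == 0:                                     # prose, not table
            in_table, current = False, None
        elif not in_table:
            continue
        elif indent <= 2:                                     # new entry
            parts = re.split(r" {2,}", body, maxsplit=1)
            current = {"name": parts[0], "reason": parts[1:]}
            entries.append(current)
        elif indent < 10 and current is not None:             # wrapped name
            parts = re.split(r" {2,}", body, maxsplit=1)
            current["name"] += parts[0]
            current["reason"].extend(parts[1:])
        elif current is not None:                             # wrapped reason
            current["reason"].append(body)
    announced = {}
    for e in entries:
        reason = " ".join(e["reason"])
        announced[e["name"]] = {"reason": reason, "cves": sorted(set(CVE_RE.findall(reason)))}
    return announced


def parse_dpkg_query(text):
    """Map source package -> [(binary package, installed version), ...]."""
    installed = {}
    for line in text.strip().splitlines():
        source, binary, version = line.split("\t")
        installed.setdefault(source, []).append((binary, version))
    return installed


def triage(sua_text, dpkg_text, cves_only=True):
    """Announced source packages installed here; cves_only drops non-CVE rows."""
    installed = parse_dpkg_query(dpkg_text)
    return [
        {"source": src, "binaries": installed[src], "cves": info["cves"]}
        for src, info in parse_sua_table(sua_text).items()
        if src in installed and (info["cves"] or not cves_only)
    ]


if __name__ == "__main__":
    # Usage: python3 sua_triage.py announcement.txt dpkg-query-output.txt
    # (with no arguments the constructed samples above are used)
    if len(sys.argv) == 3:
        sua, dpkg = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        sua, dpkg = SUA_TABLE, DPKG_QUERY
    for hit in triage(sua, dpkg):
        for binary, version in hit["binaries"]:
            print(hit["source"], binary, version, " ".join(hit["cves"]), sep="\t")
```

Run against the full text of this announcement the script also walks the
"Removed packages" table; those rows carry no CVE identifiers and are
dropped unless cves_only=False is passed. The report only says which
installed packages have an announced fix, not whether the fix is already
applied: compare the installed version against the candidate in
bullseye-proposed-updates (for example with apt-cache policy) before
concluding anything, and remember that fixes shipped through
security.debian.org are not listed in this table at all.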


A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>


Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

  Package                    Reason
  -------                    ------

  elog                       Unmaintained; security issues

  obfs4proxy                 Security issues

  python-hbmqtt              Unmaintained and broken


If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
