---------------------------------------------------------------------------- Debian Stable Updates Announcement SUA 217-1 https://www.debian.org/ firstname.lastname@example.org Adam D. Barratt July 4th, 2022 ---------------------------------------------------------------------------- Upcoming Debian 11 Update (11.4) An update to Debian 11 is scheduled for Saturday, July 9th, 2022. As of now it will include the following bug fixes. They can be found in "bullseye- proposed-updates", which is carried by all official mirrors. Please note that packages published through security.debian.org are not listed, but will be included if possible. Some of the updates below are also already available through "bullseye-updates". Testing and feedback would be appreciated. Bugs should be filed in the Debian Bug Tracking System, but please make the Release Team aware of them by copying "email@example.com" on your mails. The point release will also include a rebuild of debian-installer. Miscellaneous Bugfixes ---------------------- This stable update adds a few important corrections to the following packages: Package Reason ------- ------ apache2 New upstream stable release; fix HTTP request smuggling issue [CVE-2022-26377], out-of-bounds read issues [CVE-2022-28330 CVE-2022-28614 CVE-2022-28615], denial of service issues [CVE-2022-29404 CVE-2022-30522], possible out- of-bounds read issue [CVE-2022-30556], possible IP-based authentication bypass issue [CVE-2022-31813] base-files Update /etc/debian_version for the 11.4 point release bash Fix 1-byte buffer overflow read, causing corrupted multibyte characters in command substitutions clamav New upstream stable release; security fixes [CVE-2022-20770 CVE-2022-20771 CVE-2022-20785 CVE-2022-20792 CVE-2022-20796] clementine Add missing dependency on libqt5sql5-sqlite composer Fix code injection issue [CVE-2022-24828]; update GitHub token pattern cyrus-imapd Ensure that all mailboxes have a "uniqueid" field, fixing upgrades to version 3.6 dbus-broker Fix buffer overflow issue [CVE-2022-31212] debian-edu-config Accept mail from the local network sent to root@<mynetwork-names>; only create Kerberos host and service principals if they don't yet exist; ensure libsss-sudo is installed on Roaming Workstations; fix naming and visibility of print queues; support krb5i on Diskless Workstations; squid: prefer DNSv4 lookups over DNSv6 distro-info-data Add Ubuntu 22.10, Kinetic Kudu docker.io Order docker.service after containerd.service to fix shutdown of containers; explicitly pass the containerd socket path to dockerd to make sure it doesn't start containerd on its own dpkg dpkg-deb: Fix unexpected end of file conditions on .deb extract; libdpkg: Do not restrict source:* virtual fields to installed packages; Dpkg::Source::Package::V2: Always fix the permissions for upstream tarballs (regression from DSA-5147-1] freetype Fix buffer overflow issue [CVE-2022-27404]; fix crashes [CVE-2022-27405 CVE-2022-27406] fribidi Fix buffer overflow issues [CVE-2022-25308 CVE-2022-25309]; fix crash [CVE-2022-25310] ganeti New upstream release; fix several upgrade issues; fix live migration with QEMU 4 and "security_model" of "user" or "pool" geeqie Fix Ctrl click inside of a block selection gnutls28 Fix SSSE3 SHA384 miscalculation; fix null pointer deference issue [CVE-2021-4209] golang-github- Fix null pointer dereference caused by crafted russellhaering- XML signatures [CVE-2020-7711] goxmldsig grunt Fix path traversal issue [CVE-2022-0436] hdmi2usb-mode-switch udev: Add a suffix to /dev/video device nodes to disambiguate them; move udev rules to priority 70, to come after 60-persistent-v4l.rules hexchat Add missing dependency on python3-cffi-backend htmldoc Fix infinite loop [CVE-2022-24191], integer overflow issues [CVE-2022-27114] and heap buffer overflow issue [CVE-2022-28085] knot-resolver Fix possible assertion failure in NSEC3 edge- case [CVE-2021-40083] libapache2-mod-auth- New upstream stable release; fix open redirect openidc issue [CVE-2021-39191]; fix crash on reload / restart libintl-perl Really install gettext_xs.pm libsdl2 Avoid out-of-bounds read while loading malformed BMP file [CVE-2021-33657], and during YUV to RGB conversion libtgowt New upstream stable release, to support newer telegram-desktop linux New upstream stable release; increase ABI to 16 linux-signed-amd64 New upstream stable release; increase ABI to 16 linux-signed-arm64 New upstream stable release; increase ABI to 16 linux-signed-i386 New upstream stable release; increase ABI to 16 logrotate Skip locking if state file is world-readable [CVE-2022-1348]; make configuration parsing stricter in order to avoid parsing foreign files such as core dumps lxc Update default GPG key server, fixing creating of containers using the "download" template minidlna Validate HTTP requests to protect against DNS rebinding attacks [CVE-2022-26505] mutt Fix uudecode buffer overflow issue [CVE-2022-1328] nano Several bug fixes, including crashes needrestart Make cgroup detection for services and user sessions cgroup v2 aware network-manager New upstream stable release nginx Fix crash when libnginx-mod-http-lua is loaded and init_worker_by_lua* is used; mitigate application layer protocol content confusion attack in the Mail module [CVE-2021-3618] node-ejs Fix server-side template injection issue [CVE-2022-29078] node-eventsource Sttrip sensitive headers on redirect to different origin [CVE-2022-1650] node-got Don't allow redirection to Unix socket [CVE-2022-33987] node-mermaid Fix cross-site scripting issue [CVE-2021-23648]; fix cross-site scripting issue [CVE-2021-43861] node-minimist Fix prototype pollution issue [CVE-2021-44906] node-moment Fix path traversal issue [CVE-2022-24785] node-node-forge Fix signature verification issues [CVE-2022-24771 CVE-2022-24772 CVE-2022-24773] node-raw-body Fix potential denial of service issue in node- express, by using node-iconv-lite rather than node-iconv node-sqlite3 Fix denial of service issue [CVE-2022-21227] node-url-parse Fix authentication bypass issues [CVE-2022-0686 CVE-2022-0691] nvidia-cuda-toolkit Use OpenJDK8 snapshots for amd64 and ppc64el; check usability of the java binary; nsight- compute: Move the 'sections' folder to a multiarch location nvidia-graphics-drivers New upstream release; switch to upstream 470 tree; fix denial of service issues [CVE-2022-21813 CVE-2022-21814]; new upstream stable release; fix out-of-bounds write issue [CVE-2022-28181], out-of-bounds read issue [CVE-2022-28183], denial of service issues [CVE-2022-28184 CVE-2022-28191 CVE-2022-28192] nvidia-graphics-drivers- New upstream release; fix out-of-bound write legacy-390xx issues [CVE-2022-28181 CVE-2022-28185] nvidia-graphics-drivers- New upstream stable release tesla-418 nvidia-graphics-drivers- New upstream stable release; fix out-of-bounds tesla-450 write issues [CVE-2022-28181 CVE-2022-28185], denial of service issue [CVE-2022-28192] nvidia-graphics-drivers- New upstream stable release tesla-460 nvidia-graphics-drivers- New package, switching Tesla support to tesla-470 upstream 470 tree; fix out-of-bounds write issue [CVE-2022-28181], out-of-bounds read issue [CVE-2022-28183], denial of service issues [CVE-2022-28184 CVE-2022-28191 CVE-2022-28192] nvidia-persistenced New upstream release; switch to upstream 470 tree nvidia-settings New upstream release; switch to upstream 470 tree nvidia-settings-tesla-470 New package, switching Tesla support to upstream 470 tree nvidia-xconfig New upstream release openssh seccomp: add pselect6_time64 syscall on 32-bit architectures orca Fix usage with webkitgtk 2.36 php-guzzlehttp-psr7 Fix improper header parsing [CVE-2022-24775] phpmyadmin Fix some SQL queries generating a server error postfix New upstream stable release; do not override user set default_transport in postinst; if- up.d: do not error out if postfix can't send mail yet procmail Fix null pointer dereference python-scrapy Don't send authentication data with all requests [CVE-2021-41125]; don't expose cookies cross-domain when redirecting [CVE-2022-0577] ruby-net-ssh Fix authentication against systems using OpenSSH 8.8 runc Honour seccomp defaultErrnoRet; do not set inheritable capabilities [CVE-2022-29162] samba Fix winbind start failure when "allow trusted domains = no" is used; fix MIT Kerberos authentication; fix share escape issue via mkdir race condition [CVE-2021-43566]; fix possible serious data corruption issue due to Windows client cache poisoning; fix installation on non-systemd systems tcpdump Update AppArmor profile to allow access to *.cap files, and handle numerical suffix in filenames added by -W telegram-desktop New upstream stable release, restoring functionality tigervnc Fix GNOME desktop start up when using tigervncserver@.service; fix colour display when vncviewer and X11 server use different endianness twisted Fix information disclosure issue with cross- domain redirects [CVE-2022-21712], denial of service issue during SSH handshakes [CVE-2022-21716], HTTP request smuggling issues [CVE-2022-24801] tzdata Update timezone data for Palestine; update leap second list ublock-origin New upstream stable release unrar-nonfree Fix directory traversal issue [CVE-2022-30333] usb.ids New upstream release; update included data wireless-regdb New upstream release; remove diversion added by the installer, ensuring that files from the package are used A complete list of all accepted and rejected packages together with rationale is on the preparation page for this revision: <https://release.debian.org/proposed-updates/stable.html> Removed packages ---------------- The following packages will be removed due to circumstances beyond our control: Package Reason ------- ------ elog Unmaintained; security issues obfs4proxy Security issues python-hbmqtt Unamintained and broken If you encounter any issues, please don't hesitate to get in touch with the Debian Release Team at "firstname.lastname@example.org".
Description: This is a digitally signed message part