
[SUA 220-1] Upcoming Debian 11 Update (11.5)



----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 220-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
September 5th, 2022
----------------------------------------------------------------------------

Upcoming Debian 11 Update (11.5)

An update to Debian 11 is scheduled for Saturday, September 10th, 2022. As of
now it will include the following bug fixes. They can be found in "bullseye-
proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bullseye-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

  Package                    Reason
  -------                    ------

  avahi                      Fix display of URLs containing '&' in avahi-
                             discover; do not disable timeout cleanup on
                             watch cleanup; fix NULL pointer crashes when
                             trying to resolve badly-formatted hostnames
                             [CVE-2021-3502]

  base-files                 Update /etc/debian_version for the 11.5 point
                             release

  cargo-mozilla              New source package to support building of newer
                             firefox-esr and thunderbird versions

  clamav                     New upstream stable release

  commons-daemon             Fix JVM detection

  curl                       Reject cookies with "control bytes"
                             [CVE-2022-35252]

  dbus-broker                Fix assertion failure when disconnecting peer
                             groups; fix memory leak; fix null pointer
                             dereference [CVE-2022-31213]

  debian-security-support    Update support status of various packages

  debootstrap                Ensure non-merged-usr chroots can continue to
                             be created for older releases and buildd
                             chroots

  dlt-daemon                 Fix double free issue [CVE-2022-31291]

  dnsproxy                   Listen on localhost by default, rather than the
                             possibly unavailable 192.168.168.1

  dovecot                    Fix possible security issues when two passdb
                             configuration entries exist with the same
                             driver and args settings [CVE-2022-30550]

  dpkg                       Fix conffile removal-on-upgrade handling,
                             memory leak in remove-on-upgrade handling;
                             Dpkg::Shlibs::Objdump: Fix apply_relocations to
                             work with versioned symbols; add support for
                             ARCv2 CPU; several updates and fixes to dpkg-
                             fsys-usrunmess

  fig2dev                    Fix double free issue [CVE-2021-37529], denial
                             of service issue [CVE-2021-37530]; stop
                             misplacement of embedded eps images

  foxtrotgps                 Fix crash by ensuring that threads are always
                             unreferenced

  gif2apng                   Fix heap-based buffer overflows [CVE-2021-45909
                             CVE-2021-45910 CVE-2021-45911]

  glibc                      Fix an off-by-one buffer overflow/underflow in
                             getcwd() [CVE-2021-3999]; fix several overflows
                             in wide character functions; add a few EVEX
                             optimized string functions to fix a performance
                             issue (up to 40%) with Skylake-X processors;
                             make grantpt usable after multi-threaded fork;
                             ensure that libio vtable protection is enabled

  golang-github-pkg-term     Fix building on newer Linux kernels

  gri                        Use ps2pdf instead of convert for converting
                             from ps to pdf

  grub-efi-amd64-signed      New upstream release

  grub-efi-arm64-signed      New upstream release

  grub-efi-ia32-signed       New upstream release

  grub2                      New upstream release

  http-parser                Unset F_CHUNKED on new Transfer-Encoding,
                             fixing possible HTTP request smuggling issue
                             [CVE-2020-8287]

  ifenslave                  Fix bonded interface configurations

  inetutils                  Fix buffer overflow issue [CVE-2019-0053],
                             stack exhaustion issue, handling of FTP PASV
                             responses [CVE-2021-40491], denial of service
                             issue [CVE-2022-39028]

  knot                       Fix IXFR to AXFR fallback with dnsmasq

  krb5                       Use SHA256 as Pkinit CMS Digest

  libayatana-appindicator    Provide compatibility for software that depends
                             on libappindicator

  libdatetime-timezone-perl  Update included data

  libhttp-daemon-perl        Improve handling of Content-Length header
                             [CVE-2022-31081]

  libreoffice                Support EUR in .hr locale; add HRK<->EUR
                             conversion rate to Calc and the Euro Wizard;
                             security fixes [CVE-2021-25636 CVE-2022-26305
                             CVE-2022-26306 CVE-2022-26307]; fix hang
                             accessing Evolution address books

  linux                      New upstream stable release

  linux-signed-amd64         New upstream stable release

  linux-signed-arm64         New upstream stable release

  linux-signed-i386          New upstream stable release

  llvm-toolchain-13          New source package to support building of newer
                             firefox-esr and thunderbird versions

  lwip                       Fix buffer overflow issues [CVE-2020-22283
                             CVE-2020-22284]

  mokutil                    New upstream version, to allow for SBAT
                             management

  node-log4js                Do not create world-readable files by default
                             [CVE-2022-21704]

  node-moment                Fix regular expression-based denial of service
                             issue [CVE-2022-31129]

  nvidia-graphics-drivers    New upstream release; security fixes
                             [CVE-2022-31607 CVE-2022-31608 CVE-2022-31615]

  nvidia-graphics-drivers-   New upstream release; security fixes
    legacy-390xx             [CVE-2022-31607 CVE-2022-31608 CVE-2022-31615]

  nvidia-graphics-drivers-   New upstream release; security fixes
    tesla-450                [CVE-2022-31607 CVE-2022-31608 CVE-2022-31615]

  nvidia-graphics-drivers-   New upstream release; security fixes
    tesla-470                [CVE-2022-31607 CVE-2022-31608 CVE-2022-31615]

  nvidia-settings            New upstream release; fix cross-building

  nvidia-settings-tesla-470  New upstream release; fix cross-building

  pcre2                      Fix out-of-bounds read issues [CVE-2022-1586
                             CVE-2022-1587]

  postgresql-13              Do not let extension scripts replace objects
                             not already belonging to the extension
                             [CVE-2022-2625]

  publicsuffix               Update included data

  rocksdb                    Fix illegal instruction on arm64

  rust-cbindgen              New upstream version to support building of
                             newer firefox-esr and thunderbird versions

  rustc-mozilla              New upstream version to support building of
                             newer firefox-esr and thunderbird versions

  sbuild                     Buildd::Mail: support MIME encoded Subject:
                             header, also copy the Content-Type: header when
                             forwarding mail

  shim                       New upstream release

  shim-helpers-amd64-signed  New upstream release

  shim-helpers-arm64-signed  New upstream release

  shim-helpers-i386-signed   New upstream release

  systemd                    Drop bundled copy of linux/if_arp.h, fixing
                             build failures with newer kernel headers;
                             support detection for ARM64 Hyper-V guests;
                             detect OpenStack instance as KVM on arm

  twitter-bootstrap4         Actually install CSS map files

  tzdata                     Update timezone data for Iran and Chile

  xtables-addons             Support both old and new versions of
                             security_skb_classify_flow()


A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>


Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

  Package                    Reason
  -------                    ------

  evenement                  Unmaintained; only needed for already-removed
                             movim

  php-cocur-slugify          Unmaintained; only needed for already-removed
                             movim

  php-defuse-php-encryption  Unmaintained; only needed for already-removed
                             movim

  php-dflydev-fig-cookies    Unmaintained; only needed for already-removed
                             movim

  php-embed                  Unmaintained; only needed for already-removed
                             movim

  php-fabiang-sasl           Unmaintained; only needed for already-removed
                             movim

  php-markdown               Unmaintained; only needed for already-removed
                             movim

  php-raintpl                Unmaintained; only needed for already-removed
                             movim

  php-react-child-process    Unmaintained; only needed for already-removed
                             movim

  php-react-http             Unmaintained; only needed for already-removed
                             movim

  php-respect-validation     Unmaintained; only needed for already-removed
                             movim

  php-robmorgan-phinx        Unmaintained; only needed for already-removed
                             movim

  ratchet-pawl               Unmaintained; only needed for already-removed
                             movim

  ratchet-rfc6455            Unmaintained; only needed for already-removed
                             movim

  ratchetphp                 Unmaintained; only needed for already-removed
                             movim

  reactphp-cache             Unmaintained; only needed for already-removed
                             movim

  reactphp-dns               Unmaintained; only needed for already-removed
                             movim

  reactphp-event-loop        Unmaintained; only needed for already-removed
                             movim

  reactphp-promise-stream    Unmaintained; only needed for already-removed
                             movim

  reactphp-promise-timer     Unmaintained; only needed for already-removed
                             movim

  reactphp-socket            Unmaintained; only needed for already-removed
                             movim

  reactphp-stream            Unmaintained; only needed for already-removed
                             movim


If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
