----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 220-1          https://www.debian.org/
debian-release@lists.debian.org                               Adam D. Barratt
September 5th, 2022
----------------------------------------------------------------------------

Upcoming Debian 11 Update (11.5)

An update to Debian 11 is scheduled for Saturday, September 10th, 2022. As of
now it will include the following bug fixes. They can be found in
"bullseye-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bullseye-updates".

Testing and feedback would be appreciated. Bugs should be filed in the Debian
Bug Tracking System, but please make the Release Team aware of them by copying
"debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package                     Reason
-------                     ------
avahi                       Fix display of URLs containing '&' in
                            avahi-discover; do not disable timeout cleanup
                            on watch cleanup; fix NULL pointer crashes when
                            trying to resolve badly-formatted hostnames
                            [CVE-2021-3502]
base-files                  Update /etc/debian_version for the 11.5 point
                            release
cargo-mozilla               New source package to support building of newer
                            firefox-esr and thunderbird versions
clamav                      New upstream stable release
commons-daemon              Fix JVM detection
curl                        Reject cookies with "control bytes"
                            [CVE-2022-35252]
dbus-broker                 Fix assertion failure when disconnecting peer
                            groups; fix memory leak; fix null pointer
                            dereference [CVE-2022-31213]
debian-security-support     Update support status of various packages
debootstrap                 Ensure non-merged-usr chroots can continue to be
                            created for older releases and buildd chroots
dlt-daemon                  Fix double free issue [CVE-2022-31291]
dnsproxy                    Listen on localhost by default, rather than the
                            possibly unavailable 192.168.168.1
dovecot                     Fix possible security issues when two passdb
                            configuration entries exist with the same driver
                            and args settings [CVE-2022-30550]
dpkg                        Fix conffile removal-on-upgrade handling, memory
                            leak in remove-on-upgrade handling;
                            Dpkg::Shlibs::Objdump: Fix apply_relocations to
                            work with versioned symbols; add support for
                            ARCv2 CPU; several updates and fixes to
                            dpkg-fsys-usrunmess
fig2dev                     Fix double free issue [CVE-2021-37529], denial
                            of service issue [CVE-2021-37530]; stop
                            misplacement of embedded eps images
foxtrotgps                  Fix crash by ensuring that threads are always
                            unreferenced
gif2apng                    Fix heap-based buffer overflows [CVE-2021-45909
                            CVE-2021-45910 CVE-2021-45911]
glibc                       Fix an off-by-one buffer overflow/underflow in
                            getcwd() [CVE-2021-3999]; fix several overflows
                            in wide character functions; add a few EVEX
                            optimized string functions to fix a performance
                            issue (up to 40%) with Skylake-X processors;
                            make grantpt usable after multi-threaded fork;
                            ensure that libio vtable protection is enabled
golang-github-pkg-term      Fix building on newer Linux kernels
gri                         Use ps2pdf instead of convert for converting
                            from ps to pdf
grub-efi-amd64-signed       New upstream release
grub-efi-arm64-signed       New upstream release
grub-efi-ia32-signed        New upstream release
grub2                       New upstream release
http-parser                 Unset F_CHUNKED on new Transfer-Encoding, fixing
                            possible HTTP request smuggling issue
                            [CVE-2020-8287]
ifenslave                   Fix bonded interface configurations
inetutils                   Fix buffer overflow issue [CVE-2019-0053], stack
                            exhaustion issue, handling of FTP PASV responses
                            [CVE-2021-40491], denial of service issue
                            [CVE-2022-39028]
knot                        Fix IXFR to AXFR fallback with dnsmasq
krb5                        Use SHA256 as Pkinit CMS Digest
libayatana-appindicator     Provide compatibility for software that depends
                            on libappindicator
libdatetime-timezone-perl   Update included data
libhttp-daemon-perl         Improve handling of Content-Length header
                            [CVE-2022-31081]
libreoffice                 Support EUR in .hr locale; add HRK<->EUR
                            conversion rate to Calc and the Euro Wizard;
                            security fixes [CVE-2021-25636 CVE-2022-26305
                            CVE-2022-26306 CVE-2022-26307]; fix hang
                            accessing Evolution address books
linux                       New upstream stable release
linux-signed-amd64          New upstream stable release
linux-signed-arm64          New upstream stable release
linux-signed-i386           New upstream stable release
llvm-toolchain-13           New source package to support building of newer
                            firefox-esr and thunderbird versions
lwip                        Fix buffer overflow issues [CVE-2020-22283
                            CVE-2020-22284]
mokutil                     New upstream version, to allow for SBAT
                            management
node-log4js                 Do not create world-readable files by default
                            [CVE-2022-21704]
node-moment                 Fix regular expression-based denial of service
                            issue [CVE-2022-31129]
nvidia-graphics-drivers     New upstream release; security fixes
                            [CVE-2022-31607 CVE-2022-31608 CVE-2022-31615]
nvidia-graphics-drivers-    New upstream release; security fixes
legacy-390xx                [CVE-2022-31607 CVE-2022-31608 CVE-2022-31615]
nvidia-graphics-drivers-    New upstream release; security fixes
tesla-450                   [CVE-2022-31607 CVE-2022-31608 CVE-2022-31615]
nvidia-graphics-drivers-    New upstream release; security fixes
tesla-470                   [CVE-2022-31607 CVE-2022-31608 CVE-2022-31615]
nvidia-settings             New upstream release; fix cross-building
nvidia-settings-tesla-470   New upstream release; fix cross-building
pcre2                       Fix out-of-bounds read issues [CVE-2022-1586
                            CVE-2022-1587]
postgresql-13               Do not let extension scripts replace objects not
                            already belonging to the extension
                            [CVE-2022-2625]
publicsuffix                Update included data
rocksdb                     Fix illegal instruction on arm64
rust-cbindgen               New upstream version to support building of
                            newer firefox-esr and thunderbird versions
rustc-mozilla               New upstream version to support building of
                            newer firefox-esr and thunderbird versions
sbuild                      Buildd::Mail: support MIME encoded Subject:
                            header, also copy the Content-Type: header when
                            forwarding mail
shim                        New upstream release
shim-helpers-amd64-signed   New upstream release
shim-helpers-arm64-signed   New upstream release
shim-helpers-i386-signed    New upstream release
systemd                     Drop bundled copy of linux/if_arp.h, fixing
                            build failures with newer kernel headers;
                            support detection for ARM64 Hyper-V guests;
                            detect OpenStack instance as KVM on arm
twitter-bootstrap4          Actually install CSS map files
tzdata                      Update timezone data for Iran and Chile
xtables-addons              Support both old and new versions of
                            security_skb_classify_flow()

A complete list of all accepted and rejected packages together with rationale
is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>

Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                     Reason
-------                     ------
evenement                   Unmaintained; only needed for already-removed
                            movim
php-cocur-slugify           Unmaintained; only needed for already-removed
                            movim
php-defuse-php-encryption   Unmaintained; only needed for already-removed
                            movim
php-dflydev-fig-cookies     Unmaintained; only needed for already-removed
                            movim
php-embed                   Unmaintained; only needed for already-removed
                            movim
php-fabiang-sasl            Unmaintained; only needed for already-removed
                            movim
php-markdown                Unmaintained; only needed for already-removed
                            movim
php-raintpl                 Unmaintained; only needed for already-removed
                            movim
php-react-child-process     Unmaintained; only needed for already-removed
                            movim
php-react-http              Unmaintained; only needed for already-removed
                            movim
php-respect-validation      Unmaintained; only needed for already-removed
                            movim
php-robmorgan-phinx         Unmaintained; only needed for already-removed
                            movim
ratchet-pawl                Unmaintained; only needed for already-removed
                            movim
ratchet-rfc6455             Unmaintained; only needed for already-removed
                            movim
ratchetphp                  Unmaintained; only needed for already-removed
                            movim
reactphp-cache              Unmaintained; only needed for already-removed
                            movim
reactphp-dns                Unmaintained; only needed for already-removed
                            movim
reactphp-event-loop         Unmaintained; only needed for already-removed
                            movim
reactphp-promise-stream     Unmaintained; only needed for already-removed
                            movim
reactphp-promise-timer      Unmaintained; only needed for already-removed
                            movim
reactphp-socket             Unmaintained; only needed for already-removed
                            movim
reactphp-stream             Unmaintained; only needed for already-removed
                            movim

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".