---------------------------------------------------------------------------- Debian Stable Updates Announcement SUA 212-1 https://www.debian.org/ debian-release@lists.debian.org Adam D. Barratt March 22nd, 2022 ---------------------------------------------------------------------------- Upcoming Debian 11 Update (11.3) An update to Debian 11 is scheduled for Saturday, March 26th, 2022. As of now it will include the following bug fixes. They can be found in "bullseye- proposed-updates", which is carried by all official mirrors. Please note that packages published through security.debian.org are not listed, but will be included if possible. Some of the updates below are also already available through "bullseye-updates". Testing and feedback would be appreciated. Bugs should be filed in the Debian Bug Tracking System, but please make the Release Team aware of them by copying "debian-release@lists.debian.org" on your mails. The point release will also include a rebuild of debian-installer. Miscellaneous Bugfixes ---------------------- This stable update adds a few important corrections to the following packages: Package Reason ------- ------ apache-log4j1.2 Resolve security issues [CVE-2021-4104 CVE-2022-23302 CVE-2022-23305 CVE-2022-23307], by removing support for the JMSSink, JDBCAppender, JMSAppender and Apache Chainsaw modules apache-log4j2 Fix remote code execution issue [CVE-2021-44832] apache2 New upstream release; fix crash due to random memory read [CVE-2022-22719]; fix HTTP request smuggling issue [CVE-2022-22720]; fix out-of- bounds write issues [CVE-2022-22721 CVE-2022-23943] atftp Fix information leak issue [CVE-2021-46671] base-files Update for the 11.3 point release bible-kjv Fix off-by-one-error in search chrony Allow reading the chronyd configuration file that timemaster(8) generates cinnamon Fix crash when adding an online account with login clamav New upstream stable release; fix denial of service issue [CVE-2022-20698] cups-filters apparmor: allow reading from Debian Edu's cups-browsed configuration file dask.distributed Fix undesired listening of workers on public interfaces [CVE-2021-42343]; fix compatibility with Python 3.9 debian-ports-archive- Add "Debian Ports Archive Automatic Signing Key keyring (2023)"; move the 2021 signing key to the removed keyring django-allauth Fix OpenID support djbdns Raise the axfrdns, dnscache, and tinydns data limit dpdk New upstream stable release e2guardian Fix missing SSL certificate validation issue [CVE-2021-44273] epiphany-browser Work around a bug in GLib, fixing a UI process crash espeak-ng Drop spurious 50ms delay while processing events espeakup debian/espeakup.service: Protect espeakup from system overloads fcitx5-chinese-addons fcitx5-table: add missing dependencies on fcitx5-module-pinyinhelper and fcitx5-module- punctuation flac Fix out-of-bounds write issue [CVE-2021-0561] freerdp2 Disable additional debug logging galera-3 New upstream release galera-4 New upstream release gbonds Use Treasury API for redemption data glewlwyd Fix possible privilege escalation glibc Fix bad conversion from ISO-2022-JP-3 with iconv [CVE-2021-43396]; fix buffer overflow issues [CVE-2022-23218 CVE-2022-23219]; fix use-after-free issue [CVE-2021-33574]; stop replacing older versions of /etc/nsswitch.conf; simplify the check for supported kernel versions, as 2.x kernels are no longer supported; support installation on kernels with a release number greater than 255 glx-alternatives After initial setup of the diversions, install a minimal alternative to the diverted files so that libraries are not missing until glx- alternative-mesa processes its triggers gnupg2 scd: Fix CCID driver for SCM SPR332/SPR532; avoid network interaction in generator, which can lead to hangs gnuplot Fix division by zero [CVE-2021-44917] golang-1.15 Fix IsOnCurve for big.Int values that are not valid coordinates [CVE-2022-23806]; math/big: prevent large memory consumption in Rat.SetString [CVE-2022-23772]; cmd/go: prevent branches from materializing into versions [CVE-2022-23773]; fix stack exhaustion compiling deeply nested expressions [CVE-2022-24921] golang-github-containers- Update seccomp support to enable use of newer common kernel versions golang-github- Update seccomp support to enable use of newer opencontainers-specs kernel versions gtk+3.0 Fix missing search results when using NFS; prevent Wayland clipboard handling from locking up in certain corner cases; improve printing to mDNS-discovered printers heartbeat Fix creation of /run/heartbeat on systems using systemd htmldoc Fix out-of-bounds read issue [CVE-2022-0534] installation-guide Update documentation and translations intel-microcode Update included microcode; mitigate some security issues [CVE-2020-8694 CVE-2020-8695 CVE-2021-0127 CVE-2021-0145 CVE-2021-0146 CVE-2021-33120] ldap2zone Use "mktemp" rather than the deprecated "tempfile", avoiding warnings lemonldap-ng Fix auth process in password-testing plugins [CVE-2021-40874] libarchive Fix extracting hardlinks to symlinks; fix handling of symlink ACLs [CVE-2021-23177]; never follow symlinks when setting file flags [CVE-2021-31566] libdatetime-timezone-perl Update included data libgdal-grass Rebuild against grass 7.8.5-1+deb11u1 libpod Update seccomp support to enable use of newer kernel versions libxml2 Fix use-after-free issue [CVE-2022-23308] linux New upstream stable release; [rt] Update to 5.10.106-rt64; increase ABI to 13 linux-signed-amd64 New upstream stable release; [rt] Update to 5.10.106-rt64; increase ABI to 13 linux-signed-arm64 New upstream stable release; [rt] Update to 5.10.106-rt64; increase ABI to 13 linux-signed-i386 New upstream stable release; [rt] Update to 5.10.106-rt64; increase ABI to 13 mariadb-10.5 New upstream release; security fixes [CVE-2021-35604]; new upstream release; security fixes [CVE-2021-35604 CVE-2021-46659 CVE-2021-46661 CVE-2021-46662 CVE-2021-46663 CVE-2021-46664 CVE-2021-46665 CVE-2021-46667 CVE-2021-46668 CVE-2022-24048 CVE-2022-24050 CVE-2022-24051 CVE-2022-24052] mpich Add Breaks: on older versions of libmpich1.0-dev, resolving some upgrade issues mujs Fix buffer overflow issue [CVE-2021-45005] mutter Backport various fixes from upstream's stable branch node-cached-path-relative Fix prototype pollution issue [CVE-2021-23518] node-fetch Don't forward secure headers to third party domains [CVE-2022-0235] node-follow-redirects Don't send Cookie header across domains [CVE-2022-0155]; don't send confidential headers across schemes [CVE-2022-0536] node-markdown-it Fix regular expression-based denial of service issue [CVE-2022-21670] node-nth-check Fix regular expression-based denial of service issue [CVE-2021-3803] node-prismjs Escape markup in command line output [CVE-2022-23647]; update minified files to ensure that Regular Expression Denial of Service issue is resolved [CVE-2021-3801] node-trim-newlines Fix regular expression-based denial of service issue [CVE-2021-33623] nvidia-cuda-toolkit cuda-gdb: Disable non-functional python support causing segmentation faults; use a snapshot of openjdk-8-jre (8u312-b07-1) nvidia-graphics-drivers- New upstream release; fix denial of service tesla-450 issues [CVE-2022-21813 CVE-2022-21814]; nvidia- kernel-support: Provide /etc/modprobe.d/nvidia- options.conf as a template nvidia-modprobe New upstream release openboard Fix application icon openssl New upstream release; fix armv8 pointer authentication openvswitch Fix use-after-free issue [CVE-2021-36980]; fix installation of libofproto ostree Fix compatibility with eCryptFS; avoid infinite recursion when recovering from certain errors; mark commits as partial before downloading; fix an assertion failure when using a backport or local build of GLib >= 2.71; fix the ability to fetch OSTree content from paths containing non- URI characters (such as backslashes) or non- ASCII pdb2pqr Fix compatibility of propka with Python 3.8 or above php-crypt-gpg Prevent additional options being passed to GPG [CVE-2022-24953] php-laravel-framework Fix cross-site scripting issue [CVE-2021-43808], missing blocking of executable content upload [CVE-2021-43617] phpliteadmin Fix cross-site scripting issue [CVE-2021-46709] prips Fix infinite wrapping if a range reaches 255.255.255.255; fix CIDR output with addresses that differ in their first bit pypy3 Fix build failures by removing extraneous #endif from import.h python-django Fix denial of service issue [CVE-2021-45115], information disclosure issue [CVE-2021-45116], directory traversal issue [CVE-2021-45452]; fix a traceback around the handling of RequestSite/get_current_site() due to a circular import python-pip Avoid a race condition when using zip-imported dependencies rust-cbindgen New upstream stable release to support builds of newer firefox-esr and thunderbird versions schleuder Migrate boolean values to integers, if the ActiveRecord SQLite3 connection adapter is in use, restoring functionality sphinx-bootstrap-theme Fix search functionality spip Fix several cross-site scripting issues symfony Fix CVE injection issue [CVE-2021-41270] systemd Fix uncontrolled recursion in systemd-tmpfiles [CVE-2021-3997]; demote systemd-timesyncd from Depends to Recommends, removing a dependency cycle; fix failure to bind mount a directory into a container using machinectl; fix regression in udev resulting in long delays when processing partitions with the same label; fix a regression when using systemd-networkd in an unprivileged LXD container sysvinit Fix parsing of "shutdown +0"; clarify that when called with a "time" shutdown will not exit tasksel Install CUPS for all *-desktop tasks, as task- print-service no longer exists usb.ids Update included data weechat Fix denial of service issue [CVE-2021-40516] wolfssl Fix several issues related to OCSP-handling [CVE-2021-3336 CVE-2021-37155 CVE-2021-38597] and TLS1.3 support [CVE-2021-44718 CVE-2022-25638 CVE-2022-25640] xserver-xorg-video-intel Fix SIGILL crash on non-SSE2 CPUs xterm Fix buffer overflow issue [CVE-2022-24130] zziplib Fix denial of service issue [CVE-2020-18442] A complete list of all accepted and rejected packages together with rationale is on the preparation page for this revision: <https://release.debian.org/proposed-updates/stable.html> Removed packages ---------------- The following packages will be removed due to circumstances beyond our control: Package Reason ------- ------ angular-maven-plugin No longer useful minify-maven-plugin No longer useful If you encounter any issues, please don't hesitate to get in touch with the Debian Release Team at "debian-release@lists.debian.org".
Attachment:
signature.asc
Description: This is a digitally signed message part