[SUA 212-1] Upcoming Debian 11 Update (11.3)

----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 212-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
March 22nd, 2022
----------------------------------------------------------------------------

Upcoming Debian 11 Update (11.3)

An update to Debian 11 is scheduled for Saturday, March 26th, 2022. As of now
it will include the following bug fixes. They can be found in "bullseye-
proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bullseye-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

  Package                    Reason
  -------                    ------

  apache-log4j1.2            Resolve security issues [CVE-2021-4104
                             CVE-2022-23302 CVE-2022-23305 CVE-2022-23307],
                             by removing support for the JMSSink,
                             JDBCAppender, JMSAppender and Apache Chainsaw
                             modules

  apache-log4j2              Fix remote code execution issue
                             [CVE-2021-44832]

  apache2                    New upstream release; fix crash due to random
                             memory read [CVE-2022-22719]; fix HTTP request
                             smuggling issue [CVE-2022-22720]; fix out-of-
                             bounds write issues [CVE-2022-22721
                             CVE-2022-23943]

  atftp                      Fix information leak issue [CVE-2021-46671]

  base-files                 Update for the 11.3 point release

  bible-kjv                  Fix off-by-one error in search

  chrony                     Allow reading the chronyd configuration file
                             that timemaster(8) generates

  cinnamon                   Fix crash when adding an online account with
                             login

  clamav                     New upstream stable release; fix denial of
                             service issue [CVE-2022-20698]

  cups-filters               apparmor: allow reading from Debian Edu's
                             cups-browsed configuration file

  dask.distributed           Fix undesired listening of workers on public
                             interfaces [CVE-2021-42343]; fix compatibility
                             with Python 3.9

  debian-ports-archive-      Add "Debian Ports Archive Automatic Signing Key
    keyring                  (2023)"; move the 2021 signing key to the
                             removed keyring

  django-allauth             Fix OpenID support

  djbdns                     Raise the axfrdns, dnscache, and tinydns data
                             limit

  dpdk                       New upstream stable release

  e2guardian                 Fix missing SSL certificate validation issue
                             [CVE-2021-44273]

  epiphany-browser           Work around a bug in GLib, fixing a UI process
                             crash

  espeak-ng                  Drop spurious 50ms delay while processing
                             events

  espeakup                   debian/espeakup.service: Protect espeakup from
                             system overloads

  fcitx5-chinese-addons      fcitx5-table: add missing dependencies on
                             fcitx5-module-pinyinhelper and fcitx5-module-
                             punctuation

  flac                       Fix out-of-bounds write issue [CVE-2021-0561]

  freerdp2                   Disable additional debug logging

  galera-3                   New upstream release

  galera-4                   New upstream release

  gbonds                     Use Treasury API for redemption data

  glewlwyd                   Fix possible privilege escalation

  glibc                      Fix bad conversion from ISO-2022-JP-3 with
                             iconv [CVE-2021-43396]; fix buffer overflow
                             issues [CVE-2022-23218 CVE-2022-23219]; fix
                             use-after-free issue [CVE-2021-33574]; stop
                             replacing older versions of /etc/nsswitch.conf;
                             simplify the check for supported kernel
                             versions, as 2.x kernels are no longer
                             supported; support installation on kernels with
                             a release number greater than 255

  glx-alternatives           After initial setup of the diversions, install
                             a minimal alternative to the diverted files so
                             that libraries are not missing until glx-
                             alternative-mesa processes its triggers

  gnupg2                     scd: Fix CCID driver for SCM SPR332/SPR532;
                             avoid network interaction in generator, which
                             can lead to hangs

  gnuplot                    Fix division by zero [CVE-2021-44917]

  golang-1.15                Fix IsOnCurve for big.Int values that are not
                             valid coordinates [CVE-2022-23806]; math/big:
                             prevent large memory consumption in
                             Rat.SetString [CVE-2022-23772]; cmd/go: prevent
                             branches from materializing into versions
                             [CVE-2022-23773]; fix stack exhaustion
                             compiling deeply nested expressions
                             [CVE-2022-24921]

  golang-github-containers-  Update seccomp support to enable use of newer
    common                   kernel versions

  golang-github-             Update seccomp support to enable use of newer
    opencontainers-specs     kernel versions

  gtk+3.0                    Fix missing search results when using NFS;
                             prevent Wayland clipboard handling from locking
                             up in certain corner cases; improve printing to
                             mDNS-discovered printers

  heartbeat                  Fix creation of /run/heartbeat on systems using
                             systemd

  htmldoc                    Fix out-of-bounds read issue [CVE-2022-0534]

  installation-guide         Update documentation and translations

  intel-microcode            Update included microcode; mitigate some
                             security issues [CVE-2020-8694 CVE-2020-8695
                             CVE-2021-0127 CVE-2021-0145 CVE-2021-0146
                             CVE-2021-33120]

  ldap2zone                  Use "mktemp" rather than the deprecated
                             "tempfile", avoiding warnings

  lemonldap-ng               Fix auth process in password-testing plugins
                             [CVE-2021-40874]

  libarchive                 Fix extracting hardlinks to symlinks; fix
                             handling of symlink ACLs [CVE-2021-23177];
                             never follow symlinks when setting file flags
                             [CVE-2021-31566]

  libdatetime-timezone-perl  Update included data

  libgdal-grass              Rebuild against grass 7.8.5-1+deb11u1

  libpod                     Update seccomp support to enable use of newer
                             kernel versions

  libxml2                    Fix use-after-free issue [CVE-2022-23308]

  linux                      New upstream stable release; [rt] Update to
                             5.10.106-rt64; increase ABI to 13

  linux-signed-amd64         New upstream stable release; [rt] Update to
                             5.10.106-rt64; increase ABI to 13

  linux-signed-arm64         New upstream stable release; [rt] Update to
                             5.10.106-rt64; increase ABI to 13

  linux-signed-i386          New upstream stable release; [rt] Update to
                             5.10.106-rt64; increase ABI to 13

  mariadb-10.5               New upstream release; security fixes
                             [CVE-2021-35604]; new upstream release;
                             security fixes [CVE-2021-35604 CVE-2021-46659
                             CVE-2021-46661 CVE-2021-46662 CVE-2021-46663
                             CVE-2021-46664 CVE-2021-46665 CVE-2021-46667
                             CVE-2021-46668 CVE-2022-24048 CVE-2022-24050
                             CVE-2022-24051 CVE-2022-24052]

  mpich                      Add Breaks: on older versions of
                             libmpich1.0-dev, resolving some upgrade issues

  mujs                       Fix buffer overflow issue [CVE-2021-45005]

  mutter                     Backport various fixes from upstream's stable
                             branch

  node-cached-path-relative  Fix prototype pollution issue [CVE-2021-23518]

  node-fetch                 Don't forward secure headers to third party
                             domains [CVE-2022-0235]

  node-follow-redirects      Don't send Cookie header across domains
                             [CVE-2022-0155]; don't send confidential
                             headers across schemes [CVE-2022-0536]

  node-markdown-it           Fix regular expression-based denial of service
                             issue [CVE-2022-21670]

  node-nth-check             Fix regular expression-based denial of service
                             issue [CVE-2021-3803]

  node-prismjs               Escape markup in command line output
                             [CVE-2022-23647]; update minified files to
                             ensure that Regular Expression Denial of
                             Service issue is resolved [CVE-2021-3801]

  node-trim-newlines         Fix regular expression-based denial of service
                             issue [CVE-2021-33623]

  nvidia-cuda-toolkit        cuda-gdb: Disable non-functional python support
                             causing segmentation faults; use a snapshot of
                             openjdk-8-jre (8u312-b07-1)

  nvidia-graphics-drivers-   New upstream release; fix denial of service
    tesla-450                issues [CVE-2022-21813 CVE-2022-21814]; nvidia-
                             kernel-support: Provide /etc/modprobe.d/nvidia-
                             options.conf as a template

  nvidia-modprobe            New upstream release

  openboard                  Fix application icon

  openssl                    New upstream release; fix armv8 pointer
                             authentication

  openvswitch                Fix use-after-free issue [CVE-2021-36980]; fix
                             installation of libofproto

  ostree                     Fix compatibility with eCryptFS; avoid infinite
                             recursion when recovering from certain errors;
                             mark commits as partial before downloading; fix
                             an assertion failure when using a backport or
                             local build of GLib >= 2.71; fix the ability to
                             fetch OSTree content from paths containing non-
                             URI characters (such as backslashes) or non-
                             ASCII

  pdb2pqr                    Fix compatibility of propka with Python 3.8 or
                             above

  php-crypt-gpg              Prevent additional options being passed to GPG
                             [CVE-2022-24953]

  php-laravel-framework      Fix cross-site scripting issue
                             [CVE-2021-43808], missing blocking of
                             executable content upload [CVE-2021-43617]

  phpliteadmin               Fix cross-site scripting issue [CVE-2021-46709]

  prips                      Fix infinite wrapping if a range reaches
                             255.255.255.255; fix CIDR output with addresses
                             that differ in their first bit

  pypy3                      Fix build failures by removing extraneous
                             #endif from import.h

  python-django              Fix denial of service issue [CVE-2021-45115],
                             information disclosure issue [CVE-2021-45116],
                             directory traversal issue [CVE-2021-45452]; fix
                             a traceback around the handling of
                             RequestSite/get_current_site() due to a
                             circular import

  python-pip                 Avoid a race condition when using zip-imported
                             dependencies

  rust-cbindgen              New upstream stable release to support builds
                             of newer firefox-esr and thunderbird versions

  schleuder                  Migrate boolean values to integers, if the
                             ActiveRecord SQLite3 connection adapter is in
                             use, restoring functionality

  sphinx-bootstrap-theme     Fix search functionality

  spip                       Fix several cross-site scripting issues

  symfony                    Fix CSV injection issue [CVE-2021-41270]

  systemd                    Fix uncontrolled recursion in systemd-tmpfiles
                             [CVE-2021-3997]; demote systemd-timesyncd from
                             Depends to Recommends, removing a dependency
                             cycle; fix failure to bind mount a directory
                             into a container using machinectl; fix
                             regression in udev resulting in long delays
                             when processing partitions with the same label;
                             fix a regression when using systemd-networkd in
                             an unprivileged LXD container

  sysvinit                   Fix parsing of "shutdown +0"; clarify that when
                             called with a "time" shutdown will not exit

  tasksel                    Install CUPS for all *-desktop tasks, as task-
                             print-service no longer exists

  usb.ids                    Update included data

  weechat                    Fix denial of service issue [CVE-2021-40516]

  wolfssl                    Fix several issues related to OCSP-handling
                             [CVE-2021-3336 CVE-2021-37155 CVE-2021-38597]
                             and TLS1.3 support [CVE-2021-44718
                             CVE-2022-25638 CVE-2022-25640]

  xserver-xorg-video-intel   Fix SIGILL crash on non-SSE2 CPUs

  xterm                      Fix buffer overflow issue [CVE-2022-24130]

  zziplib                    Fix denial of service issue [CVE-2020-18442]


A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>
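Administrators who track which CVEs a point release closes often want the table above in machine-readable form, for cross-checking against the packages actually installed on a host. The following parser is an added example and is not part of the announcement or of any Debian tooling; it reads the two-column "Package / Reason" layout used above (package names wrapped onto a deeper-indented second line, reason text wrapped at a fixed column, and CVE lists spanning lines) and returns each package's reason and CVE identifiers. SAMPLE_TABLE is a constructed excerpt copied from the table above; the function names are my own.

```python
import re
from typing import Dict, List

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample: three rows copied from the "Miscellaneous Bugfixes" table,
# chosen to exercise a wrapped package name, a reason wrapped at a hyphen
# ("out-of-" / "bounds") and a CVE list that continues on the next line.
SAMPLE_TABLE = """\
  Package                    Reason
  -------                    ------

  apache2                    New upstream release; fix crash due to random
                             memory read [CVE-2022-22719]; fix HTTP request
                             smuggling issue [CVE-2022-22720]; fix out-of-
                             bounds write issues [CVE-2022-22721
                             CVE-2022-23943]

  debian-ports-archive-      Add "Debian Ports Archive Automatic Signing Key
    keyring                  (2023)"; move the 2021 signing key to the
                             removed keyring

  libxml2                    Fix use-after-free issue [CVE-2022-23308]
"""


def _find_reason_column(lines: List[str]) -> int:
    """Locate the 'Reason' column from the table header line."""
    for line in lines:
        if line.strip().startswith("Package") and "Reason" in line:
            return line.index("Reason")
    raise ValueError("table header 'Package ... Reason' not found")


def _join_wrapped(acc: str, piece: str) -> str:
    """Re-join reason text that the announcement wrapped across lines.

    Debian wraps at existing hyphens without inserting one, so a fragment
    ending in '-' ("out-of-") is concatenated directly to the next ("bounds").
    """
    if not acc:
        return piece
    if acc.endswith("-"):
        return acc + piece
    return acc + " " + piece


def parse_sua_table(text: str) -> Dict[str, str]:
    """Return {package: reason} for one SUA-style two-column table, in table order."""
    lines = text.splitlines()
    col = _find_reason_column(lines)
    rows: List[List[str]] = []  # [package, reason] pairs
    open_row = False
    for line in lines:
        if not line.strip():
            open_row = False  # a blank line terminates the current row
            continue
        indent = len(line) - len(line.lstrip(" "))
        left = line[:col].strip()
        right = line[col:].strip()
        if left == "Package" or left.startswith("---"):
            continue  # column header and its underline
        if left:
            if open_row and indent > 2:
                # Deeper-indented continuation of a wrapped package name,
                # e.g. "debian-ports-archive-" + "keyring".
                rows[-1][0] += left
            else:
                rows.append([left, ""])
                open_row = True
        if not open_row:
            raise ValueError(f"reason text without a package: {line!r}")
        if right:
            rows[-1][1] = _join_wrapped(rows[-1][1], right)
    return {pkg: reason for pkg, reason in rows}


def cves_by_package(text: str) -> Dict[str, List[str]]:
    """Map each package to the CVE identifiers named in its reason (may be empty)."""
    return {pkg: CVE_RE.findall(reason) for pkg, reason in parse_sua_table(text).items()}


def all_cves(text: str) -> List[str]:
    """Sorted, de-duplicated list of every CVE mentioned in the table."""
    return sorted({cve for cves in cves_by_package(text).values() for cve in cves})


if __name__ == "__main__":
    for pkg, cves in cves_by_package(SAMPLE_TABLE).items():
        print(f"{pkg}: {', '.join(cves) if cves else '(no CVE referenced)'}")
    print("total CVEs:", len(all_cves(SAMPLE_TABLE)))
```

The parser keys on the column where "Reason" starts in the header rather than on a hard-coded width, so it copes with announcements whose columns are aligned differently; feeding it the full "Miscellaneous Bugfixes" section of this mail (from the "Package / Reason" header down to the last row) yields the complete package-to-CVE map for 11.3.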


Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

  Package                    Reason
  -------                    ------

  angular-maven-plugin       No longer useful

  minify-maven-plugin        No longer useful


If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
