
[SUA 230-1] Upcoming Debian 11 Update (11.6)



----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 230-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
December 12th, 2022
----------------------------------------------------------------------------

Upcoming Debian 11 Update (11.6)

An update to Debian 11 is scheduled for Saturday, December 17th, 2022. As of
now it will include the following bug fixes. They can be found in
"bullseye-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bullseye-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

  Package                    Reason
  -------                    ------

  awstats                    Fix cross site scripting issue [CVE-2022-46391]

  base-files                 Update /etc/debian_version for the 11.6 point
                             release

  binfmt-support             Run binfmt-support.service after systemd-
                             binfmt.service

  clickhouse                 Fix out-of-bounds read issues [CVE-2021-42387
                             CVE-2021-42388], buffer overflow issues
                             [CVE-2021-43304 CVE-2021-43305]

  containerd                 CRI plugin: Fix goroutine leak during Exec
                             [CVE-2022-23471]

  core-async-clojure         Fix build failures in test suite

  dcfldd                     Fix SHA1 output on big-endian architectures

  debmirror                  Add non-free-firmware to the default section
                             list

  distro-info-data           Add Ubuntu 23.04, Lunar Lobster; update Debian
                             ELTS end dates; correct Debian 8 (jessie)
                             release date

  dojo                       Fix prototype pollution issue [CVE-2021-23450]

  dovecot-fts-xapian         Generate dependency on dovecot ABI in use
                             during build

  efitools                   Fix intermittent build failure due to incorrect
                             dependency in makefile

  evolution                  Move Google Contacts addressbooks to CalDAV
                             since the Google Contacts API has been turned
                             off

  evolution-data-server      Move Google Contacts addressbooks to CalDAV
                             since the Google Contacts API has been turned
                             off; fix compatibility with Gmail OAuth changes

  evolution-ews              Fix retrieval of user certificates of contacts

  g810-led                   Control device access with uaccess instead of
                             making everything world-writable
                             [CVE-2022-46338]

  glibc                      Fix regression in wmemchr and wcslen on CPUs
                             that have AVX2 but not BMI2 (e.g. Intel
                             Haswell)

  golang-github-go-chef-chef Fix intermittent test failure

  grub2                      Don't strip Xen binaries so they work again;
                             include fonts in the memdisk build for EFI
                             images; fix bug in core file code so errors are
                             handled better; bump Debian SBAT level to 4

  hydrapaper                 Add missing dependency on python3-pil

  isoquery                   Fix test failure caused by French translation
                             change in the iso-codes package

  lemonldap-ng               Improve session destroy propagation
                             [CVE-2022-37186]

  leptonlib                  Fix divide-by-zero [CVE-2022-38266]

  libapache2-mod-auth-mellon Fix open redirect issue [CVE-2021-3639]

  libbluray                  Fix BD-J support with recent Oracle Java
                             updates

  libconfuse                 Fix a heap-based buffer over-read in
                             cfg_tilde_expand [CVE-2022-40320]

  libdatetime-timezone-perl  Update included data

  libtasn1-6                 Fix out-of-bounds read issue [CVE-2021-46848]

  libvirt                    Fix container reboot-related issues

  libvncserver               Fix memory leak [CVE-2020-29260]; support
                             larger screen sizes

  linux                      New upstream stable release; increase ABI to
                             20; [rt] Update to 5.10.158-rt77

  mariadb-10.5               New upstream stable release; security fixes
                             [CVE-2018-25032 CVE-2021-46669 CVE-2022-27376
                             CVE-2022-27377 CVE-2022-27378 CVE-2022-27379
                             CVE-2022-27380 CVE-2022-27381 CVE-2022-27382
                             CVE-2022-27383 CVE-2022-27384 CVE-2022-27386
                             CVE-2022-27387 CVE-2022-27444 CVE-2022-27445
                             CVE-2022-27446 CVE-2022-27447 CVE-2022-27448
                             CVE-2022-27449 CVE-2022-27451 CVE-2022-27452
                             CVE-2022-27455 CVE-2022-27456 CVE-2022-27457
                             CVE-2022-27458 CVE-2022-32081 CVE-2022-32082
                             CVE-2022-32083 CVE-2022-32084 CVE-2022-32085
                             CVE-2022-32086 CVE-2022-32087 CVE-2022-32088
                             CVE-2022-32089 CVE-2022-32091]

  mod-wsgi                   Drop X-Client-IP header when it is not a
                             trusted header [CVE-2022-2255]

  mplayer                    Fix several security issues [CVE-2022-38850
                             CVE-2022-38851 CVE-2022-38855 CVE-2022-38858
                             CVE-2022-38860 CVE-2022-38861 CVE-2022-38863
                             CVE-2022-38864 CVE-2022-38865 CVE-2022-38866]

  mutt                       Fix gpgme crash when listing keys in a public
                             key block, and public key block listing for old
                             versions of gpgme

  nano                       Fix crashes and a potential data loss issue

  nftables                   Fix off-by-one / double free error

  node-hawk                  Parse URLs using stdlib [CVE-2022-29167]

  node-loader-utils          Fix prototype pollution issue [CVE-2022-37599
                             CVE-2022-37601], regular expression-based
                             denial of service issue [CVE-2022-37603]

  node-minimatch             Improve protection against regular expression-
                             based denial of service [CVE-2022-3517]; fix
                             regression in patch for CVE-2022-3517

  node-qs                    Fix prototype pollution issue [CVE-2022-24999]

  node-xmldom                Fix prototype pollution issue [CVE-2022-37616];
                             prevent insertion of non-well-formed nodes
                             [CVE-2022-39353]

  nvidia-graphics-drivers    New upstream release; security fixes
                             [CVE-2022-34670 CVE-2022-34674 CVE-2022-34675
                             CVE-2022-34677 CVE-2022-34679 CVE-2022-34680
                             CVE-2022-34682 CVE-2022-42254 CVE-2022-42255
                             CVE-2022-42256 CVE-2022-42257 CVE-2022-42258
                             CVE-2022-42259 CVE-2022-42260 CVE-2022-42261
                             CVE-2022-42262 CVE-2022-42263 CVE-2022-42264]

  nvidia-graphics-drivers-   New upstream release; security fixes
    legacy-390xx             [CVE-2022-34670 CVE-2022-34674 CVE-2022-34675
                             CVE-2022-34677 CVE-2022-34680 CVE-2022-42257
                             CVE-2022-42258 CVE-2022-42259]

  nvidia-graphics-drivers-   New upstream release; security fixes
    tesla-450                [CVE-2022-34670 CVE-2022-34674 CVE-2022-34675
                             CVE-2022-34677 CVE-2022-34679 CVE-2022-34680
                             CVE-2022-34682 CVE-2022-42254 CVE-2022-42256
                             CVE-2022-42257 CVE-2022-42258 CVE-2022-42259
                             CVE-2022-42260 CVE-2022-42261 CVE-2022-42262
                             CVE-2022-42263 CVE-2022-42264]

  nvidia-graphics-drivers-   New upstream release; security fixes
    tesla-470                [CVE-2022-34670 CVE-2022-34674 CVE-2022-34675
                             CVE-2022-34677 CVE-2022-34679 CVE-2022-34680
                             CVE-2022-34682 CVE-2022-42254 CVE-2022-42255
                             CVE-2022-42256 CVE-2022-42257 CVE-2022-42258
                             CVE-2022-42259 CVE-2022-42260 CVE-2022-42261
                             CVE-2022-42262 CVE-2022-42263 CVE-2022-42264]

  omnievents                 Add missing dependency on libjs-jquery to the
                             omnievents-doc package

  onionshare                 Fix denial of service issue [CVE-2022-21689],
                             HTML injection issue [CVE-2022-21690]

  openvpn-auth-radius        Support verify-client-cert directive

  postfix                    New upstream stable release

  postgresql-13              New upstream stable release

  powerline-gitstatus        Fix command injection via malicious repository
                             configuration [CVE-2022-42906]

  pysubnettree               Fix module build

  speech-dispatcher          Reduce espeak buffer size to avoid synth
                             artifacts

  spf-engine                 Fix pyspf-milter failing to start due to an
                             invalid import statement

  tinyexr                    Fix heap overflow issues [CVE-2022-34300
                             CVE-2022-38529]

  tinyxml                    Fix infinite loop [CVE-2021-42260]

  tzdata                     Update data for Palestine; update leap seconds
                             list; update DST rules for Fiji and Mexico

  virglrenderer              Fix out-of-bounds write issue [CVE-2022-0135]

  x2gothinclient             Make the x2gothinclient-minidesktop package
                             provide the lightdm-greeter virtual package

  xfig                       Fix buffer overflow issue [CVE-2021-40241]
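
To turn the table above into something a fleet can be checked against, the
following added example (not Debian tooling, not part of this announcement)
parses the SUA package/reason layout, including reasons wrapped across lines
and package names wrapped onto a second line, extracts the CVE identifiers
per source package, and intersects the result with a list of installed source
packages. The embedded table is a verbatim excerpt of the table above; the
INSTALLED set is a constructed stand-in for the output of
`dpkg-query -W -f='${source:Package}\n' | sort -u` on a bullseye host.

```python
"""Parse a Debian SUA package table and report which installed source packages
the point release touches.  Added example, not Debian's own tooling."""
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
ENTRY_RE = re.compile(r"^  (\S+)\s+(.*)$")        # "  pkg        reason ..."
NAME_CONT_RE = re.compile(r"^    (\S+)\s+(.*)$")  # "    rest-of-name  reason ..."
REASON_CONT_RE = re.compile(r"^\s{5,}(\S.*)$")    # continuation of the reason column

# Verbatim excerpt of the SUA 230-1 table (sample input for this example).
SAMPLE_TABLE = """\
  Package                    Reason
  -------                    ------

  awstats                    Fix cross site scripting issue [CVE-2022-46391]

  binfmt-support             Run binfmt-support.service after systemd-
                             binfmt.service

  glibc                      Fix regression in wmemchr and wcslen on CPUs
                             that have AVX2 but not BMI2 (e.g. Intel
                             Haswell)

  libtasn1-6                 Fix out-of-bounds read issue [CVE-2021-46848]

  node-minimatch             Improve protection against regular expression-
                             based denial of service [CVE-2022-3517]; fix
                             regression in patch for CVE-2022-3517

  nvidia-graphics-drivers-   New upstream release; security fixes
    legacy-390xx             [CVE-2022-34670 CVE-2022-34674 CVE-2022-34675
                             CVE-2022-34677 CVE-2022-34680 CVE-2022-42257
                             CVE-2022-42258 CVE-2022-42259]
"""

# Constructed stand-in for `dpkg-query -W -f='${source:Package}\n' | sort -u`.
INSTALLED = {
    "bash", "coreutils", "glibc", "libtasn1-6", "node-minimatch",
    "nvidia-graphics-drivers-legacy-390xx", "tzdata",
}


def _append(text, more):
    """Join a wrapped reason line; a trailing '-' means a word was split."""
    if text.endswith("-"):
        return text + more
    return (text + " " + more).strip()


def parse_sua_table(text):
    """Return {source_package: {"reason": str, "cves": [CVE ids]}}."""
    reasons = {}
    name = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m:
            name, reason = m.group(1), m.group(2).strip()
            if name in ("Package", "-------"):   # column header and its rule
                name = None
                continue
            reasons[name] = reason
            continue
        if name is None:
            continue
        m = NAME_CONT_RE.match(line)
        if m:
            # Package name wrapped onto a second, 4-space-indented line.
            reason = reasons.pop(name)
            name = name + m.group(1)
            reasons[name] = _append(reason, m.group(2).strip())
            continue
        m = REASON_CONT_RE.match(line)
        if m:
            reasons[name] = _append(reasons[name], m.group(1).strip())
    return {n: {"reason": r, "cves": sorted(set(CVE_RE.findall(r)))}
            for n, r in reasons.items()}


def pending_fixes(entries, installed_sources):
    """Split installed source packages touched by the point release into those
    carrying CVE fixes and those carrying plain bug fixes."""
    security, other = {}, {}
    for pkg in sorted(installed_sources):
        if pkg not in entries:
            continue
        if entries[pkg]["cves"]:
            security[pkg] = entries[pkg]["cves"]
        else:
            other[pkg] = entries[pkg]["reason"]
    return security, other


if __name__ == "__main__":
    sec, other = pending_fixes(parse_sua_table(SAMPLE_TABLE), INSTALLED)
    for pkg, cves in sec.items():
        print(f"{pkg}: {' '.join(cves)}")
    for pkg, reason in other.items():
        print(f"{pkg}: (no CVE) {reason}")
```

Feed it the full table from this announcement and the real dpkg-query output to
get the list of source packages on a host that will change at 11.6 and the
CVEs that change closes. Note that the table lists source packages, so the
installed list must be source names (`${source:Package}`), not binary names;
and, as the announcement says, fixes shipped via security.debian.org are not
in this table and need to be tracked from the DSAs separately.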


A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>



If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
