----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 234-1      debian-release@lists.debian.org
https://www.debian.org/                                          Adam D. Barratt
April 24th, 2023
----------------------------------------------------------------------------

Upcoming Debian 11 Update (11.7)

An update to Debian 11 is scheduled for Saturday, April 29th, 2023. As of
now it will include the following bug fixes. They can be found in
"bullseye-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "bullseye-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package                                     Reason
-------                                     ------
akregator                                   Fix validity checks, including fixing deletion of feeds
                                            and folders
apache2                                     Don't automatically enable apache2-doc.conf; fix
                                            regressions in http2 and mod_rewrite introduced in 2.4.56
at-spi2-core                                Set stop timeout to 5 seconds, so as not to needlessly
                                            block system shutdowns
avahi                                       Fix local denial of service issue [CVE-2021-3468]
base-files                                  Update for the 11.7 point release
c-ares                                      Prevent stack overflow and denial of service
                                            [CVE-2022-4904]
clamav                                      New upstream stable release; fix possible remote code
                                            execution issue in the HFS+ file parser [CVE-2023-20032],
                                            possible information leak in the DMG file parser
                                            [CVE-2023-20052]
command-not-found                           Add new non-free-firmware component, fixing upgrades to
                                            bookworm
containerd                                  Fix denial of service issue [CVE-2023-25153]; fix
                                            possible privilege escalation via incorrect setup of
                                            supplementary groups [CVE-2023-25173]
crun                                        Fix capability escalation issue due to containers being
                                            incorrectly started with non-empty default permissions
                                            [CVE-2022-27650]
cwltool                                     Add missing dependency on python3-distutils
debian-archive-keyring                      Add bookworm keys; move stretch keys to the removed
                                            keyring
debian-ports-archive-keyring                Extend the 2023 signing key's expiration by one year;
                                            add 2024 signing key; move 2022 signing key to the
                                            removed keyring
dpdk                                        New upstream stable release
duktape                                     Fix crash issue [CVE-2021-46322]
e2tools                                     Fix build failure by adding build dependency on e2fsprogs
erlang                                      Fix client authentication bypass issue [CVE-2022-37026];
                                            use -O1 optimization for armel because -O2 makes erl
                                            segfault on certain platforms, e.g. Marvell
exiv2                                       Security fixes [CVE-2021-29458 CVE-2021-29463
                                            CVE-2021-29464 CVE-2021-29470 CVE-2021-29473
                                            CVE-2021-29623 CVE-2021-32815 CVE-2021-34334
                                            CVE-2021-34335 CVE-2021-3482 CVE-2021-37615
                                            CVE-2021-37616 CVE-2021-37618 CVE-2021-37619
                                            CVE-2021-37620 CVE-2021-37621 CVE-2021-37622
                                            CVE-2021-37623]
flask-security                              Fix open redirect vulnerability [CVE-2021-23385]
flatpak                                     New upstream stable release; escape special characters
                                            when displaying permissions and metadata
                                            [CVE-2023-28101]; don't allow copy/paste via the
                                            TIOCLINUX ioctl when running in a Linux virtual console
                                            [CVE-2023-28100]
galera-3                                    New upstream stable release
ghostscript                                 Fix path for PostScript helper file in ps2epsi
glibc                                       Fix memory leak in printf-family functions with long
                                            multibyte strings; fix crash in printf-family due to
                                            width/precision-dependent allocations; fix segfault in
                                            printf handling thousands separator; fix overflow in the
                                            AVX2 implementation of wcsnlen when crossing pages
golang-github-containers-common             Fix parsing of DBUS_SESSION_BUS_ADDRESS
golang-github-containers-psgo               Do not enter the process user namespace [CVE-2022-1227]
golang-github-containers-storage            Make previously internal functions publicly accessible,
                                            required to allow fixing CVE-2022-1227 in other packages
golang-github-prometheus-exporter-toolkit   Patch tests to avoid race condition; fix authentication
                                            cache poisoning issue [CVE-2022-46146]
grep                                        Fix incorrect matching when the last of multiple patterns
                                            includes a backref
gtk+3.0                                     Fix Wayland combined with EGL on GLES-only platforms
guix                                        Fix build failure due to expired keys used in test suite
intel-microcode                             New upstream bug-fix release
isc-dhcp                                    Fix IPv6 address lifetime handling
jersey1                                     Fix build failure with libjettison-java 1.5.3
joblib                                      Fix arbitrary code execution issue [CVE-2022-21797]
lemonldap-ng                                Fix URL validation bypass issue; fix 2FA issue when using
                                            AuthBasic handler [CVE-2023-28862]
libapache2-mod-auth-openidc                 Fix open redirect issue [CVE-2022-23527]
libapreq2                                   Fix buffer overflow issue [CVE-2022-22728]
libdatetime-timezone-perl                   Update included data
libexplain                                  Enhance compatibility with newer kernel versions - Linux
                                            5.11 no longer has if_frad.h, termiox removed since
                                            kernel 5.12
libgit2                                     Enable SSH key verification by default [CVE-2023-22742]
libpod                                      Fix privilege escalation issue [CVE-2022-1227]; fix
                                            capability escalation issue due to containers being
                                            incorrectly started with non-empty default permissions
                                            [CVE-2022-27649]; fix parsing of DBUS_SESSION_BUS_ADDRESS
libreoffice                                 Change Croatia's default currency to Euro; avoid empty
                                            -Djava.class.path= [CVE-2022-38745]
libvirt                                     Fix container reboot-related issues; fix test failures
                                            when combined with newer Xen versions
libxpm                                      Fix infinite loop issues [CVE-2022-44617 CVE-2022-46285];
                                            fix double free issue in error handling code; fix
                                            "compression commands depend on PATH" [CVE-2022-4883]
libzen                                      Fix null pointer dereference issue [CVE-2020-36646]
linux                                       New upstream stable release; increase ABI to 22; [rt]
                                            update to 5.10.176-rt86
linux-signed-amd64                          New upstream stable release; increase ABI to 22; [rt]
                                            update to 5.10.176-rt86
linux-signed-arm64                          New upstream stable release; increase ABI to 22; [rt]
                                            update to 5.10.176-rt86
linux-signed-i386                           New upstream stable release; increase ABI to 22; [rt]
                                            update to 5.10.176-rt86
lxc                                         Fix file existence oracle [CVE-2022-47952]
macromoleculebuilder                        Fix build failure by adding build dependency on
                                            docbook-xsl
mariadb-10.5                                New upstream stable release
mono                                        Remove desktop file
ncurses                                     Guard against corrupt terminfo data [CVE-2022-29458];
                                            fix tic crash on very long tc/use clauses
needrestart                                 Fix warnings when using "-b" option
node-cookiejar                              Guard against maliciously-sized cookies [CVE-2022-25901]
node-webpack                                Avoid cross-realm object access [CVE-2023-28154]
nvidia-graphics-drivers                     New upstream release; security fixes [CVE-2023-0180
                                            CVE-2023-0184 CVE-2023-0185 CVE-2023-0187 CVE-2023-0188
                                            CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194
                                            CVE-2023-0195 CVE-2023-0198 CVE-2023-0199]
nvidia-graphics-drivers-tesla-450           New upstream release; security fixes [CVE-2023-0180
                                            CVE-2023-0184 CVE-2023-0185 CVE-2023-0188 CVE-2023-0189
                                            CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195
                                            CVE-2023-0198 CVE-2023-0199]
nvidia-graphics-drivers-tesla-470           New upstream release; security fixes [CVE-2023-0180
                                            CVE-2023-0184 CVE-2023-0185 CVE-2023-0187 CVE-2023-0188
                                            CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194
                                            CVE-2023-0195 CVE-2023-0198 CVE-2023-0199]
nvidia-modprobe                             New upstream release
openvswitch                                 Fix "openvswitch-switch update leaves interfaces down"
passenger                                   Fix compatibility with more recent NodeJS versions
phyx                                        Remove unnecessary build dependency on libatlas-cpp
postfix                                     New upstream stable release
postgis                                     Fix wrong Polar stereographic axis order
postgresql-13                               New upstream stable release; fix client memory
                                            disclosure issue [CVE-2022-41862]
python-acme                                 Fix CSR version to prevent problems with strictly
                                            RFC-complying implementations of the ACME API
ruby-aws-sdk-core                           Fix generation of version file
ruby-cfpropertylist                         Fix some functionality by dropping compatibility with
                                            Ruby 1.8
shim                                        New upstream release; enable NX support at build time;
                                            block Debian grub binaries with sbat < 4
shim-helpers-amd64-signed                   New upstream release; enable NX support at build time;
                                            block Debian grub binaries with sbat < 4
shim-helpers-arm64-signed                   New upstream release; enable NX support at build time;
                                            block Debian grub binaries with sbat < 4
shim-helpers-i386-signed                    New upstream release; enable NX support at build time;
                                            block Debian grub binaries with sbat < 4
shim-signed                                 New upstream release; enable NX support at build time;
                                            block Debian grub binaries with sbat < 4
snakeyaml                                   Fix denial of service issues [CVE-2022-25857
                                            CVE-2022-38749 CVE-2022-38750 CVE-2022-38751]; add
                                            documentation regarding security support / issues
spyder                                      Fix duplication of code when saving
symfony                                     Remove private headers before storing responses with
                                            HttpCache [CVE-2022-24894]; remove CSRF tokens from
                                            storage on successful login [CVE-2022-24895]
systemd                                     Fix information leak issue [CVE-2022-4415], denial of
                                            service issue [CVE-2022-3821]; ata_id: fix getting
                                            Response Code from SCSI Sense Data; logind: fix getting
                                            property OnExternalPower via D-Bus; fix crash in
                                            systemd-machined
tomcat9                                     Add OpenJDK 17 support to JDK detection
traceroute                                  Interpret v4mapped-IPv6 addresses as IPv4
tzdata                                      Update included data
unbound                                     Fix Non-Responsive Delegation Attack [CVE-2022-3204];
                                            fix "ghost domain names" issue [CVE-2022-30698
                                            CVE-2022-30699]
usb.ids                                     Update included data
vagrant                                     Add support for VirtualBox 7.0
voms-api-java                               Fix build failures by disabling some non-working tests
w3m                                         Fix out-of-bounds write issue [CVE-2022-38223]
x4d-icons                                   Fix build failure with newer imagemagick versions
xapian-core                                 Prevent database corruption on disk exhaustion
zfs-linux                                   Add several stability improvements

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>

Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                Reason
-------                ------
bind-dyndb-ldap        Broken with newer bind9 versions; unsupportable in stable
matrix-mirage          Depends on to-be-removed python-matrix-nio
pantalaimon            Depends on to-be-removed python-matrix-nio
python-matrix-nio      Security issues; doesn't work with current Matrix servers
weechat-matrix         Depends on to-be-removed python-matrix-nio

If you encounter any issues, please don't hesitate to get in touch with
the Debian Release Team at "debian-release@lists.debian.org".