
[SUA 242-1] Upcoming Debian 12 Update (12.2)



----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 242-1         https://www.debian.org/
debian-release@lists.debian.org                           Jonathan Wiltshire
October 3rd, 2023
----------------------------------------------------------------------------

Upcoming Debian 12 Update (12.2)

An update to Debian 12 is scheduled for Saturday, Oct 7th, 2023. As of now
it will include the following bug fixes. They can be found in "bookworm-
proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bookworm-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

  Package                    Reason
  -------                    ------

  amd64-microcode            Update included microcode, including fixes for
                             "AMD Inception" on AMD Zen4 processors
                             [CVE-2023-20569]

  arctica-greeter            Support configuring the onscreen keyboard theme
                             via ArcticaGreeter's gsettings; use 'Compact'
                             OSK layout (instead of Small) which includes
                             special keys such as German Umlauts; fix
                             display of authentication failure messages; use
                             active theme rather than emerald

  autofs                     Fix regression determining reachability on
                             dual-stack hosts

  base-files                 Update for the 12.2 point release

  batik                      Fix Server Side Request Forgery issues
                             [CVE-2022-44729 CVE-2022-44730]

  boxer-data                 No longer install https-everywhere for Firefox

  brltty                     Xbrlapi: Do not try to start brltty with ba+a2
                             when unavailable; fix cursor routing and
                             braille panning in Orca when xbrlapi is
                             installed but the a2 screen driver is not

  ca-certificates-java       Work around unconfigured JRE during new
                             installations

  cairosvg                   Handle data: URLs in safe mode

  calibre                    Fix export feature

  clamav                     New upstream stable release; security fixes
                             [CVE-2023-20197 CVE-2023-20212]

  cryptmount                 Avoid memory initialisation issues in command
                             line parser

  cups                       Fix heap-based buffer overflow issue
                             [CVE-2023-4504]; fix unauthenticated access
                             issue [CVE-2023-32360]

  curl                       Build with OpenLDAP to correct improper fetch
                             of binary LDAP attributes; fix excessive memory
                             consumption issue [CVE-2023-38039]

  cyrus-imapd                Ensure mailboxes are not lost on upgrades from
                             bullseye

  dar                        Fix issues with creating isolated catalogs when
                             dar was built using a recent gcc version

  dbus                       New upstream stable release; fix a dbus-daemon
                             crash during policy reload if a connection
                             belongs to a user account that has been
                             deleted, or if a Name Service Switch plugin is
                             broken, on kernels not supporting
                             SO_PEERGROUPS; report the error correctly if
                             getting the groups of a uid fails; dbus-user-
                             session: Copy XDG_CURRENT_DESKTOP to activation
                             environment

  debian-archive-keyring     Clean up leftover keyrings in trusted.gpg.d

  debian-edu-doc             Update Debian Edu Bookworm manual

  debian-edu-install         New upstream release; adjust D-I auto-
                             partitioning sizes

  debian-installer           Increase Linux kernel ABI to 6.1.0-13; rebuild
                             against proposed-updates

  debian-parl                Rebuild with newer boxer-data; no longer depend
                             on webext-https-everywhere

  debianutils                Fix duplicate entries in /etc/shells; manage
                             /bin/sh in the state file; fix canonicalization
                             of shells in aliased locations

  dgit                       Use the old /updates security map only for
                             buster; prevent pushing older versions than are
                             already in the archive

  dhcpcd5                    Ease upgrades with leftovers from wheezy; drop
                             deprecated ntpd integration; fix version in
                             cleanup script

  dpdk                       New upstream stable release

  dput-ng                    Update permitted upload targets; fix failure to
                             build from source

  efibootguard               Fix insufficient or missing validation and
                             sanitization of input from untrustworthy
                             bootloader environment files [CVE-2023-39950]

  electrum                   Fix a Lightning security issue

  filezilla                  Fix builds for 32-bit architectures; fix crash
                             when removing filetypes from list

  firewalld                  Don't mix IPv4 and IPv6 addresses in a single
                             nftables rule

  flann                      Drop extra -llz4 from flann.pc

  foot                       Ignore XTGETTCAP queries with invalid hex
                             encodings

  freedombox                 Use n= in apt preferences for smooth upgrades

  freeradius                 Ensure TLS-Client-Cert-Common-Name contains
                             correct data

  ghostscript                Fix buffer overflow issue [CVE-2023-38559]; try
                             and secure the IJS server startup
                             [CVE-2023-43115]

  gitit                      Rebuild against new pandoc

  gjs                        Avoid infinite loops of idle callbacks if an
                             idle handler is called during GC

  glibc                      Fix the value of F_GETLK/F_SETLK/F_SETLKW with
                             __USE_FILE_OFFSET64 on ppc64el; fix a stack
                             read overflow in getaddrinfo in no-aaaa mode
                             [CVE-2023-4527]; fix use after free in
                             getcanonname [CVE-2023-4806 CVE-2023-5156]; fix
                             _dl_find_object to return correct values even
                             during early startup

  gosa-plugins-netgroups     Silence deprecation warnings in web interface

  gosa-plugins-systems       Fix management of DHCP/DNS entries in default
                             theme; fix adding (standalone) "Network
                             printer" systems; fix generation of target DNs
                             for various system types; fix icon rendering in
                             DHCP servlet; enforce unqualified hostname for
                             workstations

  gtk+3.0                    New upstream stable release; fix several
                             crashes; show more information in the
                             "inspector" debugging interface; silence
                             GFileInfo warnings if used with a backported
                             version of GLib; use a light colour for the
                             caret in dark themes, making it much easier to
                             see in some apps, in particular Evince

  gtk4                       Fix truncation in places sidebar with large
                             text accessibility setting

  haskell-hakyll             Rebuild against new pandoc

  highway                    Fix support for armhf systems lacking NEON

  hnswlib                    Fix double free in init_index when the M
                             argument is a large integer [CVE-2023-37365]

  horizon                    Fix open redirect issue [CVE-2022-45582]

  icingaweb2                 Suppress undesirable deprecation notices

  imlib2                     Fix preservation of alpha channel flag

  indent                     Fix out of buffer read; fix buffer overwrite
                             [CVE-2023-40305]

  inetutils                  Check return values when dropping privileges
                             [CVE-2023-40303]

  inn2                       Fix nnrpd hangs when compression is enabled;
                             add support for high-precision syslog
                             timestamps; make inn-{radius,secrets}.conf not
                             world readable

  jekyll                     Support YAML aliases

  kernelshark                Fix segfault in libshark-tepdata; fix capturing
                             when target directory contains a space

  krb5                       Fix freeing of uninitialised pointer
                             [CVE-2023-36054]

  lemonldap-ng               Apply login control to auth-slave requests; fix
                             open redirection due to incorrect escape
                             handling; fix open redirection when OIDC RP has
                             no redirect URIs; fix Server Side Request
                             Forgery issue [CVE-2023-44469]

  libapache-mod-jk           Remove implicit mapping functionality, which
                             could lead to unintended exposure of the status
                             worker and/or bypass of security constraints
                             [CVE-2023-41081]

  libclamunrar               New upstream stable release

  libmatemixer               Fix heap corruptions / application crashes when
                             removing audio devices

  libpam-mklocaluser         pam-auth-update: ensure the module is ordered
                             before other session type modules

  libxnvctrl                 New source package split from nvidia-settings

  linux                      New upstream stable release

  linux-signed-amd64         New upstream stable release

  linux-signed-arm64         New upstream stable release

  linux-signed-i386          New upstream stable release

  llvm-defaults              Fix /usr/include/lld symlink; add Breaks
                             against not co-installable packages for
                             smoother upgrades from bullseye

  ltsp                       Avoid using mv on init symlink

  lxc                        Fix nftables syntax for IPv6 NAT

  lxcfs                      Fix CPU reporting within an arm32 container
                             with large numbers of CPUs

  marco                      Only enable compositing if it is available

  mariadb                    New upstream bugfix release

  mate-notification-daemon   Fix two memory leaks

  mgba                       Fix broken audio in libretro core; fix crash on
                             hardware incapable of OpenGL 3.2

  modsecurity                Fix denial of service issue [CVE-2023-38285]

  monitoring-plugins         Check_disk: avoid mounting when searching for
                             matching mount points, resolving a regression
                             in speed from bullseye

  mozjs102                   New upstream stable release; fix "incorrect
                             value used during WASM compilation"
                             [CVE-2023-4046], potential use after free issue
                             [CVE-2023-37202], memory safety issues
                             [CVE-2023-37211 CVE-2023-34416]

  mutt                       New upstream stable release

  nco                        Re-enable udunits2 support

  nftables                   Fix incorrect bytecode generation hit with new
                             kernel check that rejects adding rules to bound
                             chains

  node-dottie                Security fix (prototype pollution)
                             [CVE-2023-26132]

  nvidia-settings-tesla      New upstream bugfix release

  nx-libs                    Fix missing symlink /usr/share/nx/fonts; fix
                             manual page

  open-ath9k-htc-firmware    Load correct firmware

  openbsd-inetd              Fix memory handling issues

  openrefine                 Fix arbitrary code execution issue
                             [CVE-2023-37476]

  openscap                   Fix dependencies of openscap-utils and
                             python3-openscap

  openssh                    Fix remote code execution issue via a forwarded
                             agent socket [CVE-2023-38408]

  openssl                    New upstream stable release; security fixes
                             [CVE-2023-2975 CVE-2023-3446 CVE-2023-3817];
                             new upstream stable release

  pam                        Fix pam-auth-update --disable; update Turkish
                             translation

  pandoc                     Fix arbitrary file write issue [CVE-2023-35936]

  plasma-framework           Fix plasmashell crashes

  plasma-workspace           Fix crash in krunner

  python-git                 Fix remote code execution issue
                             [CVE-2023-40267], blind local file inclusion
                             issue [CVE-2023-41040]

  pywinrm                    Fix compatibility with Python 3.11

  qemu                       Update to upstream 7.2.5 tree; ui/vnc-
                             clipboard: fix infinite loop in inflate_buffer
                             [CVE-2023-3255]; fix NULL pointer dereference
                             issue [CVE-2023-3354]; fix buffer overflow
                             issue [CVE-2023-3180]

  qtlocation-opensource-src  Fix freeze when loading map tiles

  rar                        Upstream bugfix release [CVE-2023-40477]

  reprepro                   Fix race condition when using external
                             decompressors

  rmlint                     Fix error in other packages caused by invalid
                             python package version; fix GUI startup failure
                             with recent python3.11

  roundcube                  New upstream stable release; fix OAuth2
                             authentication; fix cross site scripting issues
                             [CVE-2023-43770]

  runit-services             Dhclient: don't hardcode use of eth1

  samba                      New upstream stable release

  sitesummary                New upstream release; fix installation of
                             sitesummary-maintenance CRON/systemd-timerd
                             script; fix insecure temporary file and
                             directory creation

  slbackup-php               Bug fixes: log remote commands to stderr;
                             disable SSH known hosts files; PHP 8
                             compatibility

  spamprobe                  Fix crashes parsing JPEG attachments

  stunnel4                   Fix handling of a peer closing TLS connection
                             without proper shutdown messaging

  systemd                    New upstream bugfix release; new upstream
                             stable release; fix minor security issue in
                             arm64 and riscv64 systemd-boot (EFI) with
                             device tree blobs loading

  testng7                    Backport to stable for future openjdk-17 builds

  timg                       Fix buffer overflow vulnerability
                             [CVE-2023-40968]

  transmission               Replace openssl3 compat patch to fix memory
                             leak

  unbound                    Fix error log flooding when using DNS over TLS
                             with openssl 3.0

  unrar-nonfree              Fix remote code execution issue
                             [CVE-2023-40477]

  vorta                      Handle ctime and mtime changes in diffs

  vte2.91                    Invalidate ring view more often when necessary,
                             fixing various assertion failures during event
                             handling

  x2goserver                 X2goruncommand: add support for KDE Plasma 5;
                             x2gostartagent: prevent logfile corruption;
                             keystrokes.cfg: sync with nx-libs; fix encoding
                             of Finnish translation

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>


Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

  Package                    Reason
  -------                    ------

  https-everywhere           RoM; obsolete, major browsers offer native
                             support


If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
