----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 242-1         https://www.debian.org/
debian-release@lists.debian.org                           Jonathan Wiltshire
October 3rd, 2023
----------------------------------------------------------------------------

Upcoming Debian 12 Update (12.2)

An update to Debian 12 is scheduled for Saturday, Oct 7th, 2023. As of now
it will include the following bug fixes. They can be found in
"bookworm-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "bookworm-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package                     Reason
-------                     ------
amd64-microcode             Update included microcode, including fixes for
                            "AMD Inception" on AMD Zen4 processors
                            [CVE-2023-20569]
arctica-greeter             Support configuring the onscreen keyboard theme
                            via ArcticaGreeter's gsettings; use 'Compact'
                            OSK layout (instead of Small) which includes
                            special keys such as German Umlauts; fix
                            display of authentication failure messages;
                            use active theme rather than emerald
autofs                      Fix regression determining reachability on
                            dual-stack hosts
base-files                  Update for the 12.2 point release
batik                       Fix Server Side Request Forgery issues
                            [CVE-2022-44729 CVE-2022-44730]
boxer-data                  No longer install https-everywhere for Firefox
brltty                      xbrlapi: do not try to start brltty with ba+a2
                            when unavailable; fix cursor routing and
                            braille panning in Orca when xbrlapi is
                            installed but the a2 screen driver is not
ca-certificates-java        Work around unconfigured JRE during new
                            installations
cairosvg                    Handle data: URLs in safe mode
calibre                     Fix export feature
clamav                      New upstream stable release; security fixes
                            [CVE-2023-20197 CVE-2023-20212]
cryptmount                  Avoid memory initialisation issues in command
                            line parser
cups                        Fix heap-based buffer overflow issue
                            [CVE-2023-4504]; fix unauthenticated access
                            issue [CVE-2023-32360]
curl                        Build with OpenLDAP to correct improper fetch
                            of binary LDAP attributes; fix excessive
                            memory consumption issue [CVE-2023-38039]
cyrus-imapd                 Ensure mailboxes are not lost on upgrades from
                            bullseye
dar                         Fix issues with creating isolated catalogs
                            when dar was built using a recent gcc version
dbus                        New upstream stable release; fix a dbus-daemon
                            crash during policy reload if a connection
                            belongs to a user account that has been
                            deleted, or if a Name Service Switch plugin is
                            broken, on kernels not supporting
                            SO_PEERGROUPS; report the error correctly if
                            getting the groups of a uid fails;
                            dbus-user-session: copy XDG_CURRENT_DESKTOP to
                            activation environment
debian-archive-keyring      Clean up leftover keyrings in trusted.gpg.d
debian-edu-doc              Update Debian Edu Bookworm manual
debian-edu-install          New upstream release; adjust D-I
                            auto-partitioning sizes
debian-installer            Increase Linux kernel ABI to 6.1.0-13; rebuild
                            against proposed-updates
debian-parl                 Rebuild with newer boxer-data; no longer
                            depend on webext-https-everywhere
debianutils                 Fix duplicate entries in /etc/shells; manage
                            /bin/sh in the state file; fix canonicalization
                            of shells in aliased locations
dgit                        Use the old /updates security map only for
                            buster; prevent pushing older versions than
                            are already in the archive
dhcpcd5                     Ease upgrades with leftovers from wheezy; drop
                            deprecated ntpd integration; fix version in
                            cleanup script
dpdk                        New upstream stable release
dput-ng                     Update permitted upload targets; fix failure
                            to build from source
efibootguard                Fix insufficient or missing validation and
                            sanitization of input from untrustworthy
                            bootloader environment files [CVE-2023-39950]
electrum                    Fix a Lightning security issue
filezilla                   Fix builds for 32-bit architectures; fix crash
                            when removing filetypes from list
firewalld                   Don't mix IPv4 and IPv6 addresses in a single
                            nftables rule
flann                       Drop extra -llz4 from flann.pc
foot                        Ignore XTGETTCAP queries with invalid hex
                            encodings
freedombox                  Use n= in apt preferences for smooth upgrades
freeradius                  Ensure TLS-Client-Cert-Common-Name contains
                            correct data
ghostscript                 Fix buffer overflow issue [CVE-2023-38559];
                            try and secure the IJS server startup
                            [CVE-2023-43115]
gitit                       Rebuild against new pandoc
gjs                         Avoid infinite loops of idle callbacks if an
                            idle handler is called during GC
glibc                       Fix the value of F_GETLK/F_SETLK/F_SETLKW with
                            __USE_FILE_OFFSET64 on ppc64el; fix a stack
                            read overflow in getaddrinfo in no-aaaa mode
                            [CVE-2023-4527]; fix use after free in
                            getcanonname [CVE-2023-4806 CVE-2023-5156];
                            fix _dl_find_object to return correct values
                            even during early startup
gosa-plugins-netgroups      Silence deprecation warnings in web interface
gosa-plugins-systems        Fix management of DHCP/DNS entries in default
                            theme; fix adding (standalone) "Network
                            printer" systems; fix generation of target DNs
                            for various system types; fix icon rendering
                            in DHCP servlet; enforce unqualified hostname
                            for workstations
gtk+3.0                     New upstream stable release; fix several
                            crashes; show more information in the
                            "inspector" debugging interface; silence
                            GFileInfo warnings if used with a backported
                            version of GLib; use a light colour for the
                            caret in dark themes, making it much easier to
                            see in some apps, in particular Evince
gtk4                        Fix truncation in places sidebar with large
                            text accessibility setting
haskell-hakyll              Rebuild against new pandoc
highway                     Fix support for armhf systems lacking NEON
hnswlib                     Fix double free in init_index when the M
                            argument is a large integer [CVE-2023-37365]
horizon                     Fix open redirect issue [CVE-2022-45582]
icingaweb2                  Suppress undesirable deprecation notices
imlib2                      Fix preservation of alpha channel flag
indent                      Fix out of buffer read; fix buffer overwrite
                            [CVE-2023-40305]
inetutils                   Check return values when dropping privileges
                            [CVE-2023-40303]
inn2                        Fix nnrpd hangs when compression is enabled;
                            add support for high-precision syslog
                            timestamps; make inn-{radius,secrets}.conf not
                            world readable
jekyll                      Support YAML aliases
kernelshark                 Fix segfault in libshark-tepdata; fix
                            capturing when target directory contains a
                            space
krb5                        Fix freeing of uninitialised pointer
                            [CVE-2023-36054]
lemonldap-ng                Apply login control to auth-slave requests;
                            fix open redirection due to incorrect escape
                            handling; fix open redirection when OIDC RP
                            has no redirect URIs; fix Server Side Request
                            Forgery issue [CVE-2023-44469]
libapache-mod-jk            Remove implicit mapping functionality, which
                            could lead to unintended exposure of the
                            status worker and/or bypass of security
                            constraints [CVE-2023-41081]
libclamunrar                New upstream stable release
libmatemixer                Fix heap corruptions / application crashes
                            when removing audio devices
libpam-mklocaluser          pam-auth-update: ensure the module is ordered
                            before other session type modules
libxnvctrl                  New source package split from nvidia-settings
linux                       New upstream stable release
linux-signed-amd64          New upstream stable release
linux-signed-arm64          New upstream stable release
linux-signed-i386           New upstream stable release
llvm-defaults               Fix /usr/include/lld symlink; add Breaks
                            against not co-installable packages for
                            smoother upgrades from bullseye
ltsp                        Avoid using mv on init symlink
lxc                         Fix nftables syntax for IPv6 NAT
lxcfs                       Fix CPU reporting within an arm32 container
                            with large numbers of CPUs
marco                       Only enable compositing if it is available
mariadb                     New upstream bugfix release
mate-notification-daemon    Fix two memory leaks
mgba                        Fix broken audio in libretro core; fix crash
                            on hardware incapable of OpenGL 3.2
modsecurity                 Fix denial of service issue [CVE-2023-38285]
monitoring-plugins          check_disk: avoid mounting when searching for
                            matching mount points, resolving a regression
                            in speed from bullseye
mozjs102                    New upstream stable release; fix "incorrect
                            value used during WASM compilation"
                            [CVE-2023-4046], potential use after free
                            issue [CVE-2023-37202], memory safety issues
                            [CVE-2023-37211 CVE-2023-34416]
mutt                        New upstream stable release
nco                         Re-enable udunits2 support
nftables                    Fix incorrect bytecode generation hit with new
                            kernel check that rejects adding rules to
                            bound chains
node-dottie                 Security fix (prototype pollution)
                            [CVE-2023-26132]
nvidia-settings-tesla       New upstream bugfix release
nx-libs                     Fix missing symlink /usr/share/nx/fonts; fix
                            manual page
open-ath9k-htc-firmware     Load correct firmware
openbsd-inetd               Fix memory handling issues
openrefine                  Fix arbitrary code execution issue
                            [CVE-2023-37476]
openscap                    Fix dependencies of openscap-utils and
                            python3-openscap
openssh                     Fix remote code execution issue via a
                            forwarded agent socket [CVE-2023-38408]
openssl                     New upstream stable release; security fixes
                            [CVE-2023-2975 CVE-2023-3446 CVE-2023-3817];
                            new upstream stable release
pam                         Fix pam-auth-update --disable; update Turkish
                            translation
pandoc                      Fix arbitrary file write issue [CVE-2023-35936]
plasma-framework            Fix plasmashell crashes
plasma-workspace            Fix crash in krunner
python-git                  Fix remote code execution issue
                            [CVE-2023-40267], blind local file inclusion
                            issue [CVE-2023-41040]
pywinrm                     Fix compatibility with Python 3.11
qemu                        Update to upstream 7.2.5 tree;
                            ui/vnc-clipboard: fix infinite loop in
                            inflate_buffer [CVE-2023-3255]; fix NULL
                            pointer dereference issue [CVE-2023-3354]; fix
                            buffer overflow issue [CVE-2023-3180]
qtlocation-opensource-src   Fix freeze when loading map tiles
rar                         Upstream bugfix release [CVE-2023-40477]
reprepro                    Fix race condition when using external
                            decompressors
rmlint                      Fix error in other packages caused by invalid
                            python package version; fix GUI startup
                            failure with recent python3.11
roundcube                   New upstream stable release; fix OAuth2
                            authentication; fix cross site scripting
                            issues [CVE-2023-43770]
runit-services              dhclient: don't hardcode use of eth1
samba                       New upstream stable release
sitesummary                 New upstream release; fix installation of
                            sitesummary-maintenance CRON/systemd-timerd
                            script; fix insecure temporary file and
                            directory creation
slbackup-php                Bug fixes: log remote commands to stderr;
                            disable SSH known hosts files; PHP 8
                            compatibility
spamprobe                   Fix crashes parsing JPEG attachments
stunnel4                    Fix handling of a peer closing TLS connection
                            without proper shutdown messaging
systemd                     New upstream bugfix release; new upstream
                            stable release; fix minor security issue in
                            arm64 and riscv64 systemd-boot (EFI) with
                            device tree blobs loading
testng7                     Backport to stable for future openjdk-17 builds
timg                        Fix buffer overflow vulnerability
                            [CVE-2023-40968]
transmission                Replace openssl3 compat patch to fix memory
                            leak
unbound                     Fix error log flooding when using DNS over TLS
                            with openssl 3.0
unrar-nonfree               Fix remote code execution issue
                            [CVE-2023-40477]
vorta                       Handle ctime and mtime changes in diffs
vte2.91                     Invalidate ring view more often when
                            necessary, fixing various assertion failures
                            during event handling
x2goserver                  x2goruncommand: add support for KDE Plasma 5;
                            x2gostartagent: prevent logfile corruption;
                            keystrokes.cfg: sync with nx-libs; fix
                            encoding of Finnish translation

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>

Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                     Reason
-------                     ------
https-everywhere            RoM; obsolete, major browsers offer native
                            support

If you encounter any issues, please don't hesitate to get in touch with
the Debian Release Team at "debian-release@lists.debian.org".