----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 251-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
February 5th, 2024
----------------------------------------------------------------------------

Upcoming Debian 11 Update (11.9)

An update to Debian 11 is scheduled for Saturday, February 10th, 2024. As of
now it will include the following bug fixes. They can be found in
"bullseye-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bullseye-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them by
copying "debian-release@lists.debian.org" on your mails.

Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following
packages:

Package                           Reason
-------                           ------
axis                              Filter out unsupported protocols in the client
                                  class ServiceFactory [CVE-2023-40743]
base-files                        Update for the 11.9 point release
cifs-utils                        Fix non-parallel builds
compton                           Remove recommendation of picom
conda-package-handling            Skip unreliable tests
conmon                            Do not hang when forwarding container
                                  stdout/stderr with lots of output
crun                              Fix containers with systemd as their init
                                  system, when using newer kernel versions
debian-installer                  Increase Linux kernel ABI to 5.10.0-28; rebuild
                                  against proposed-updates
debian-ports-archive-keyring      Add Debian Ports Archive Automatic Signing Key
                                  (2025)
debian-security-support           Mark tor, consul and xen as end-of-life; limit
                                  samba support to non-AD DC use cases; match
                                  golang packages with regular expression; drop
                                  version-based checking; add chromium to
                                  security-support-ended.deb11; add tiles and
                                  libspring-java to security-support-limited
debootstrap                       Backport merged-/usr support changes from
                                  trixie: implement merged-/usr by post-merging,
                                  default to merged-/usr for suites newer than
                                  bookworm in all profiles
distro-info                       Update tests for distro-info-data
                                  0.58+deb12u1, which adjusted Debian 7's EoL
                                  date
distro-info-data                  Add Ubuntu 24.04 LTS Noble Numbat; fix several
                                  End Of Life dates
dpdk                              New upstream stable release
dropbear                          Fix security measure bypass issue
                                  [CVE-2021-36369]; fix "terrapin" attack
                                  [CVE-2023-48795]
exuberant-ctags                   Fix arbitrary command execution issue
                                  [CVE-2022-4515]
filezilla                         Prevent 'Terrapin' exploit [CVE-2023-48795]
gimp                              Remove old versions of separately packaged dds
                                  plugin
glib2.0                           Align with upstream stable fixes; fix denial of
                                  service issues [CVE-2023-32665 CVE-2023-32611
                                  CVE-2023-29499 CVE-2023-32636]
glibc                             Fix a memory corruption in qsort() when using
                                  nontransitive comparison functions
gnutls28                          Security fix for timing side-channel attack
                                  [CVE-2023-5981]
imagemagick                       Various security fixes [CVE-2021-20241
                                  CVE-2021-20243 CVE-2021-20244 CVE-2021-20245
                                  CVE-2021-20246 CVE-2021-20309 CVE-2021-3574
                                  CVE-2021-39212 CVE-2021-4219 CVE-2022-1114
                                  CVE-2022-28463 CVE-2022-32545 CVE-2022-32546]
jqueryui                          Fix cross-site scripting issue [CVE-2022-31160]
knewstuff                         Ensure correct ProvidersUrl to fix denial of
                                  service
libdatetime-timezone-perl         Update included timezone data
libde265                          Fix segmentation violation in the function
                                  decoder_context::process_slice_segment_header
                                  [CVE-2023-27102]; fix heap buffer overflow in
                                  the function derive_collocated_motion_vectors
                                  [CVE-2023-27103]; fix buffer over-read in
                                  pic_parameter_set::dump [CVE-2023-43887]; fix
                                  buffer overflow in the slice_segment_header
                                  function [CVE-2023-47471]; fix buffer overflow
                                  issues [CVE-2023-49465 CVE-2023-49467
                                  CVE-2023-49468]
libmateweather                    Update included location data; update data
                                  server URL
libpod                            Fix incorrect handling of supplementary groups
                                  [CVE-2022-2989]
libsolv                           Enable zstd compression support
libspreadsheet-parsexlsx-perl     Fix possible memory bomb [CVE-2024-22368]; fix
                                  XML External Entity issue [CVE-2024-23525]
linux                             New upstream stable release; increase ABI to 28
llvm-toolchain-16                 New backported package to support builds of
                                  newer chromium versions
mariadb-10.5                      New upstream stable release; fix denial of
                                  service issue [CVE-2023-22084]
minizip                           Reject overflows of zip header fields
                                  [CVE-2023-45853]
modsecurity-apache                Fix protection bypass issues [CVE-2022-48279
                                  CVE-2023-24021]
nftables                          Fix incorrect bytecode generation
node-dottie                       Fix prototype pollution issue [CVE-2023-26132]
node-url-parse                    Fix authorisation bypass issue [CVE-2022-0512]
node-xml2js                       Fix prototype pollution issue [CVE-2023-0842]
nvidia-graphics-drivers           New upstream release [CVE-2023-31022]
nvidia-graphics-drivers-tesla-470 New upstream release [CVE-2023-31022]
opendkim                          Properly delete Authentication-Results headers
                                  [CVE-2022-48521]
perl                              Prevent buffer overflow via illegal Unicode
                                  property [CVE-2023-47038]
plasma-desktop                    Fix denial of service bug in discover
plasma-discover                   Fix denial of service bug; fix build failure
postfix                           New upstream stable release; address SMTP
                                  smuggling issue [CVE-2023-51764]
postgresql-13                     New upstream stable release; fix SQL injection
                                  issue [CVE-2023-39417]
postgresql-common                 Fix autopkgtests
python-cogent                     Skip parallel tests on single-CPU systems
python-django-imagekit            Avoid triggering path traversal detection in
                                  tests
python-websockets                 Fix predictable duration issue [CVE-2021-33880]
pyzoltan                          Build on single core systems
ruby-aws-sdk-core                 Include VERSION file in package
spip                              Fix cross-site scripting issue
swupdate                          Prevent acquiring root privileges through
                                  inappropriate socket mode
symfony                           Ensure CodeExtension's filters properly escape
                                  their input [CVE-2023-46734]
tar                               Fix boundary checking in base-256 decoder
                                  [CVE-2022-48303], handling of extended header
                                  prefixes [CVE-2023-39804]
tinyxml                           Fix assertion issue [CVE-2023-34194]
tzdata                            Update leap seconds file; fix a typo in the
                                  Egypt change introduced in tzdata
                                  2021a-1+deb11u9; new upstream stable release
unadf                             Fix stack buffer overflow issue [CVE-2016-1243];
                                  fix arbitrary code execution issue
                                  [CVE-2016-1244]
usb.ids                           Update included data list
vlfeat                            Fix FTBFS with newer ImageMagick
weborf                            Fix denial of service issue
wolfssl                           Fix buffer overflow issues [CVE-2022-39173
                                  CVE-2022-42905], key disclosure issue
                                  [CVE-2022-42961], predictable buffer in input
                                  keying material [CVE-2023-3724]
xerces-c                          Fix use-after-free issue [CVE-2018-1311]; fix
                                  integer overflow issue [CVE-2023-37536]
zeromq3                           Fix fork() detection with gcc 7; update
                                  copyright relicense statement

A complete list of all accepted and rejected packages together with rationale
is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/oldstable.html>

Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                           Reason
-------                           ------
gimp-dds                          Integrated in gimp >=2.10

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
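Added example, not part of the announcement and not Debian's own tooling: a
POSIX shell script that enables "bullseye-proposed-updates" on a bullseye
system so the packages listed above can be tested one at a time. Adding the
suite to the sources alone gives it the same priority as the rest of bullseye,
so a routine "apt-get upgrade" would pull in every proposed package; the
script therefore also pins the suite low and relies on "-t" to select it for
individual installs. The mirror URL, the pin priority of 100 and the directory
argument are assumptions chosen for this example; on a real system the
directory is /etc/apt and the commands run as root.

```shell
#!/bin/sh
# Added example (not from the announcement): make bullseye-proposed-updates
# available for testing without letting a plain "apt-get upgrade" pull every
# proposed package in. Assumptions (illustrative): the default mirror URL, the
# pin priority of 100 and the APT_ROOT argument (real systems: /etc/apt).

# write_proposed_sources APT_ROOT [MIRROR]
# Writes the sources entry for the suite the announcement refers to. Any
# official mirror carries it; deb.debian.org is the assumed default here.
write_proposed_sources() {
    root="$1"
    mirror="${2:-http://deb.debian.org/debian}"
    mkdir -p "$root/sources.list.d"
    printf 'deb %s bullseye-proposed-updates main contrib non-free\n' "$mirror" \
        > "$root/sources.list.d/bullseye-proposed-updates.list"
}

# write_proposed_pin APT_ROOT
# Pins the suite below apt's default priority of 500, so versions from it are
# never chosen by an ordinary upgrade. Passing "-t bullseye-proposed-updates"
# to apt-get raises that release to priority 990 for that one command, which
# is how individual packages are pulled in for testing. The codename match
# (n=) is used because the suite name of proposed-updates changes when the
# release moves from stable to oldstable.
write_proposed_pin() {
    root="$1"
    mkdir -p "$root/preferences.d"
    cat > "$root/preferences.d/bullseye-proposed-updates" <<'EOF'
Package: *
Pin: release n=bullseye-proposed-updates
Pin-Priority: 100
EOF
}

# Usage on a real bullseye system (as root), e.g. to test the glibc update,
# whose runtime binary package is libc6:
#   write_proposed_sources /etc/apt
#   write_proposed_pin /etc/apt
#   apt-get update
#   apt-get -t bullseye-proposed-updates install libc6
#   apt-cache policy libc6      # shows which version and priority won
```

The pin file is what keeps the test machine from drifting onto every proposed
package at once; without it, "apt-cache policy" would show the proposed
versions at priority 500 and "apt-get upgrade" would install all of them.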