[SUA 251-1] Upcoming Debian 11 Update (11.9)



----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 251-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
February 5th, 2024
----------------------------------------------------------------------------

Upcoming Debian 11 Update (11.9)

An update to Debian 11 is scheduled for Saturday, February 10th, 2024. As of
now it will include the following bug fixes. They can be found in
"bullseye-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bullseye-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.


Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following
packages:

  Package                    Reason
  -------                    ------

  axis                       Filter out unsupported protocols in the client
                             class ServiceFactory [CVE-2023-40743]

  base-files                 Update for the 11.9 point release

  cifs-utils                 Fix non-parallel builds

  compton                    Remove recommendation of picom

  conda-package-handling     Skip unreliable tests

  conmon                     Do not hang when forwarding container
                             stdout/stderr with lots of output

  crun                       Fix containers with systemd as their init
                             system, when using newer kernel versions

  debian-installer           Increase Linux kernel ABI to 5.10.0-28; rebuild
                             against proposed-updates

  debian-ports-archive-      Add Debian Ports Archive Automatic Signing Key
    keyring                  (2025)

  debian-security-support    Mark tor, consul and xen as end-of-life; limit
                             samba support to non-AD DC use cases; match
                             golang packages with regular expression; drop
                             version-based checking; add chromium to
                             security-support-ended.deb11; add tiles and
                             libspring-java to security-support-limited

  debootstrap                Backport merged-/usr support changes from
                             trixie: implement merged-/usr by post-merging,
                             default to merged-/usr for suites newer than
                             bookworm in all profiles

  distro-info                Update tests for distro-info-data 0.58+deb12u1,
                             which adjusted Debian 7's EoL date

  distro-info-data           Add Ubuntu 24.04 LTS Noble Numbat; fix several
                             End Of Life dates

  dpdk                       New upstream stable release

  dropbear                   Fix security measure bypass issue
                             [CVE-2021-36369]; fix "terrapin" attack
                             [CVE-2023-48795]

  exuberant-ctags            Fix arbitrary command execution issue
                             [CVE-2022-4515]

  filezilla                  Prevent 'Terrapin' exploit [CVE-2023-48795]

  gimp                       Remove old versions of separately packaged dds
                             plugin

  glib2.0                    Align with upstream stable fixes; fix denial of
                             service issues [CVE-2023-32665 CVE-2023-32611
                             CVE-2023-29499 CVE-2023-32636]

  glibc                      Fix a memory corruption in qsort() when using
                             nontransitive comparison functions

  gnutls28                   Security fix for timing side-channel attack
                             [CVE-2023-5981]

  imagemagick                Various security fixes [CVE-2021-20241
                             CVE-2021-20243 CVE-2021-20244 CVE-2021-20245
                             CVE-2021-20246 CVE-2021-20309 CVE-2021-3574
                             CVE-2021-39212 CVE-2021-4219 CVE-2022-1114
                             CVE-2022-28463 CVE-2022-32545 CVE-2022-32546]

  jqueryui                   Fix cross-site scripting issue [CVE-2022-31160]

  knewstuff                  Ensure correct ProvidersUrl to fix denial of
                             service

  libdatetime-timezone-perl  Update included timezone data

  libde265                   Fix segmentation violation in the function
                             decoder_context::process_slice_segment_header
                             [CVE-2023-27102]; fix heap buffer overflow in
                             the function derive_collocated_motion_vectors
                             [CVE-2023-27103]; fix buffer over-read in
                             pic_parameter_set::dump [CVE-2023-43887]; fix
                             buffer overflow in the slice_segment_header
                             function [CVE-2023-47471]; fix buffer overflow
                             issues [CVE-2023-49465 CVE-2023-49467
                             CVE-2023-49468]

  libmateweather             Update included location data; update data
                             server URL

  libpod                     Fix incorrect handling of supplementary groups
                             [CVE-2022-2989]

  libsolv                    Enable zstd compression support

  libspreadsheet-parsexlsx-  Fix possible memory bomb [CVE-2024-22368]; fix
    perl                     XML External Entity issue [CVE-2024-23525]

  linux                      New upstream stable release; increase ABI to 28

  llvm-toolchain-16          New backported package to support builds of
                             newer chromium versions

  mariadb-10.5               New upstream stable release; fix denial of
                             service issue [CVE-2023-22084]

  minizip                    Reject overflows of zip header fields
                             [CVE-2023-45853]

  modsecurity-apache         Fix protection bypass issues [CVE-2022-48279
                             CVE-2023-24021]

  nftables                   Fix incorrect bytecode generation

  node-dottie                Fix prototype pollution issue [CVE-2023-26132]

  node-url-parse             Fix authorisation bypass issue [CVE-2022-0512]

  node-xml2js                Fix prototype pollution issue [CVE-2023-0842]

  nvidia-graphics-drivers    New upstream release [CVE-2023-31022]

  nvidia-graphics-drivers-   New upstream release [CVE-2023-31022]
    tesla-470

  opendkim                   Properly delete Authentication-Results headers
                             [CVE-2022-48521]

  perl                       Prevent buffer overflow via illegal Unicode
                             property [CVE-2023-47038]

  plasma-desktop             Fix denial of service bug in discover

  plasma-discover            Fix denial of service bug; fix build failure

  postfix                    New upstream stable release; address SMTP
                             smuggling issue [CVE-2023-51764]

  postgresql-13              New upstream stable release; fix SQL injection
                             issue [CVE-2023-39417]

  postgresql-common          Fix autopkgtests

  python-cogent              Skip parallel tests on single-CPU systems

  python-django-imagekit     Avoid triggering path traversal detection in
                             tests

  python-websockets          Fix predictable duration issue [CVE-2021-33880]

  pyzoltan                   Build on single core systems

  ruby-aws-sdk-core          Include VERSION file in package

  spip                       Fix cross-site scripting issue

  swupdate                   Prevent acquiring root privileges through
                             inappropriate socket mode

  symfony                    Ensure CodeExtension's filters properly escape
                             their input [CVE-2023-46734]

  tar                        Fix boundary checking in base-256 decoder
                             [CVE-2022-48303] and handling of extended
                             header prefixes [CVE-2023-39804]

  tinyxml                    Fix assertion issue [CVE-2023-34194]

  tzdata                     Update leap seconds file; fix a typo in the
                             Egypt change introduced in tzdata
                             2021a-1+deb11u9; new upstream stable release

  unadf                      Fix stack buffer overflow issue
                             [CVE-2016-1243]; fix arbitrary code execution
                             issue [CVE-2016-1244]

  usb.ids                    Update included data list

  vlfeat                     Fix FTBFS with newer ImageMagick

  weborf                     Fix denial of service issue

  wolfssl                    Fix buffer overflow issues [CVE-2022-39173
                             CVE-2022-42905], key disclosure issue
                             [CVE-2022-42961], predictable buffer in input
                             keying material [CVE-2023-3724]

  xerces-c                   Fix use-after-free issue [CVE-2018-1311]; fix
                             integer overflow issue [CVE-2023-37536]

  zeromq3                    Fix fork() detection with gcc 7; update
                             copyright relicense statement


A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/oldstable.html>


Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

  Package                    Reason
  -------                    ------

  gimp-dds                   Integrated in gimp >=2.10


If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
