----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 254-1         https://www.debian.org/
debian-release@lists.debian.org                           Jonathan Wiltshire
June 24th, 2024
----------------------------------------------------------------------------

Upcoming Debian 11 Update (11.10)

An update to Debian 11 is scheduled for Saturday, June 29th, 2024. As of now
it will include the following bug fixes. They can be found in
"bullseye-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bullseye-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them by
copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following
packages:

Package                      Reason
-------                      ------
allegro5                     Fix buffer overflow issues [CVE-2021-36489]
amavisd-new                  Handle multiple boundary parameters that contain
                             conflicting values [CVE-2024-28054]
bart                         Fix build test failures by relaxing a
                             floating-point comparison
bart-cuda                    Fix build test failures by relaxing a
                             floating-point comparison
base-files                   Update for the point release
cloud-init-22.4.2            Introduce later-versioned replacement for
                             cloud-init package
cpu                          Provide exactly one definition of globalLdap in
                             ldap plugin
cups                         Fix issues with domain socket handling
                             [CVE-2024-35235]
curl                         Fix memory leak when HTTP/2 server push is
                             aborted [CVE-2024-2398]
debsig-verify                Rebuild for outdated Built-Using
deets                        Rebuild for outdated Built-Using
distro-info-data             Declare intentions for bullseye/bookworm; fix
                             past data; add Ubuntu 24.10
django-mailman3              Scrub messages before archiving
dns-root-data                Update root hints; update expired security
                             information
emacs                        Protect against unsafe remote resources
                             [CVE-2024-30203 CVE-2024-30204 CVE-2024-30205];
                             fix memory leak in patch for CVE-2022-48337
galera-4                     New upstream bugfix release; update upstream
                             release signing key; prevent date-related test
                             failures
gdk-pixbuf                   ANI: Reject files with multiple anih chunks
                             [CVE-2022-48622]; ANI: Reject files with
                             multiple INAM or IART chunks; ANI: Validate anih
                             chunk size
glib2.0                      Fix a (rare) memory leak
gnutls28                     Fix assertion failure verifying a certificate
                             chain with a cycle of cross signatures
                             [CVE-2024-0567]; fix timing side-channel attack
                             inside RSA-PSK key exchange [CVE-2024-0553]
gross                        Fix stack-based buffer overflow [CVE-2023-52159]
hovercraft                   Depend on python3-setuptools
imlib2                       Fix heap-buffer overflow vulnerability when
                             using the tgaflip function in loader_tga.c
                             [CVE-2024-25447 CVE-2024-25448 CVE-2024-25450]
intel-microcode              Fixes for INTEL-SA-00972 [CVE-2023-39368],
                             INTEL-SA-00982 [CVE-2023-38575], INTEL-SA-00898
                             [CVE-2023-28746], INTEL-SA-00960
                             [CVE-2023-22655] and INTEL-SA-01045
                             [CVE-2023-43490]; mitigate for INTEL-SA-01051
                             [CVE-2023-45733], INTEL-SA-01052
                             [CVE-2023-46103], INTEL-SA-01036
                             [CVE-2023-45745, CVE-2023-47855] and unspecified
                             functional issues on various Intel processors
jose                         Fix potential denial-of-service issue
                             [CVE-2023-50967]
json-smart                   Fix excessive recursion leading to stack
                             overflow [CVE-2023-1370]; fix denial of service
                             via crafted request [CVE-2021-31684]
lacme                        Fix post-issuance validation logic
libapache2-mod-auth-openidc  Fix missing input validation leading to DoS
                             [CVE-2024-24814]
libjwt                       Fix a timing side channel via strcmp()
                             [CVE-2024-25189]
libkf5ksieve                 Prevent leaking passwords into server-side logs
libmicrohttpd                Fix out of bounds read with crafted POST
                             requests [CVE-2023-27371]
libssh2                      Fix out of bounds memory check in
                             _libssh2_packet_add [CVE-2020-22218]
links2                       Rebuild for outdated Built-Using
nano                         Fix malicious symlink issue [CVE-2024-5742]
ngircd                       Respect "SSLConnect" option for incoming
                             connections; server certificate validation on
                             server links (S2S-TLS); METADATA: Fix unsetting
                             "cloakhost"
nvidia-settings              New upstream bugfix release; build for ppc64el
org-mode                     Protect against unsafe remote resources
                             [CVE-2024-30203 CVE-2024-30204 CVE-2024-30205]
php-composer-xdebug-handler  Force system dependency loading
php-doctrine-annotations     Force system dependency loading
php-phpseclib                Force system dependency loading; guard isPrime()
                             and randomPrime() for BigInteger
                             [CVE-2024-27354]; limit OID length in ASN1
                             [CVE-2024-27355]; fix BigInteger getLength()
php-proxy-manager            Force system dependency loading
php-symfony-contracts        Force system dependency loading
php-zend-code                Force system dependency loading
phpseclib                    Force system dependency loading; guard isPrime()
                             and randomPrime() for BigInteger
                             [CVE-2024-27354]; limit OID length in ASN1
                             [CVE-2024-27355]; fix BigInteger getLength()
postfix                      Upstream bugfix release
postgresql-13                New upstream stable release
pypdf2                       Fix quadratic runtime with malformed PDF missing
                             xref marker [CVE-2023-36810]; fix infinite loop
                             with crafted input [CVE-2022-24859]
python-aiosmtpd              Fix SMTP smuggling issue [CVE-2024-27305]; fix
                             STARTTLS unencrypted command injection issue
                             [CVE-2024-34083]
python-dnslib                Validate transaction ID in client.py
python-idna                  Fix denial of service issue [CVE-2024-3651]
python-stdnum                Fix FTBFS when test date is not far enough in
                             the future
qtbase-opensource-src        Security fixes [CVE-2022-25255 CVE-2023-24607
                             CVE-2023-32762 CVE-2023-32763 CVE-2023-33285
                             CVE-2023-34410 CVE-2023-37369 CVE-2023-38197
                             CVE-2023-51714 CVE-2024-25580]
reportbug                    Fix suite name to codename mappings to reflect
                             the bookworm release
rust-cbindgen-web            New source package to support builds of newer
                             Firefox ESR versions
rustc-web                    Support firefox-esr and thunderbird in bullseye
                             for LTS
sendmail                     Fix SMTP smuggling issue [CVE-2023-51765]; fix
                             location of debian/NEWS; add forgotten
                             configuration for rejecting NUL by default
symfony                      Force system dependency loading; DateTypeTest:
                             ensure submitted year is accepted choice
systemd                      Meson: drop arch filtering in syscall list;
                             unset TZ before timezone-sensitive unit tests
                             are run
wpa                          Fix authentication bypass issue [CVE-2023-52160]

A complete list of all accepted and rejected packages together with rationale
is on the preparation page for this revision:

<https://release.debian.org/proposed-updates/oldstable.html>


Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                      Reason
-------                      ------
phppgadmin                   Security issues
pytest-salt-factories        Only needed for to-be-removed salt
pytest-testinfra             Only needed for to-be-removed salt
salt                         Unsupportable, unmaintained
snort                        Security concerns, unmaintained


If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
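The tables above are what an administrator has to reconcile against the hosts they run: which of the listed source packages are actually installed, and which CVE identifiers each of those carries, so that testing effort (and any post-release verification) goes to the packages that matter locally. The following script is an added example, not part of the announcement or of any Debian tooling. It parses an excerpt of the "Package / Reason" table in the layout used above, pulls the CVE identifiers out of each reason, and matches the result against constructed `dpkg-query` style output. The binary-to-source package map is a hypothetical input the caller supplies (on a real host it can be produced with `dpkg-query -W -f='${binary:Package} ${source:Package}\n'`); the package versions in the sample are placeholders, not real Debian versions.

```python
import re

# Constructed excerpt of the SUA table, in the announcement's two-column
# layout; the entries are taken from the announcement, the wrapping is
# illustrative.
SUA_TABLE = """\
Package          Reason
-------          ------
allegro5         Fix buffer overflow issues [CVE-2021-36489]
curl             Fix memory leak when HTTP/2 server push is
                 aborted [CVE-2024-2398]
emacs            Protect against unsafe remote resources
                 [CVE-2024-30203 CVE-2024-30204 CVE-2024-30205];
                 fix memory leak in patch for CVE-2022-48337
base-files       Update for the point release
wpa              Fix authentication bypass issue [CVE-2023-52160]
"""

# Constructed output in the shape of
#   dpkg-query -W -f='${binary:Package} ${Version} ${Status}\n'
# Versions are placeholders, not real Debian version strings.
INSTALLED = """\
curl 0.0.0-constructed install ok installed
libcurl4 0.0.0-constructed install ok installed
emacs 0.0.0-constructed deinstall ok config-files
wpasupplicant 0.0.0-constructed install ok installed
base-files 0.0.0-constructed install ok installed
"""

# Hypothetical binary -> source mapping (would come from dpkg-query too).
BINARY_TO_SOURCE = {"libcurl4": "curl", "wpasupplicant": "wpa"}

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_sua_table(text):
    """Return {source_package: reason}. Indented lines are continuations of
    the previous entry's reason and are joined onto it."""
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Package", "-------")):
            continue  # header rows
        if line[0].isspace():
            if current is not None:
                entries[current] += " " + line.strip()
            continue
        pkg, _, reason = line.partition(" ")
        current = pkg
        entries[pkg] = reason.strip()
    return entries


def cves_for(entries):
    """Map each source package to the CVE ids mentioned in its reason."""
    return {pkg: CVE_RE.findall(reason) for pkg, reason in entries.items()}


def parse_installed(text):
    """Binary packages whose dpkg status is 'install ok installed'."""
    installed = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[-3:] == ["install", "ok", "installed"]:
            installed.add(parts[0])
    return installed


def triage(sua_text, installed_text, binary_to_source=None):
    """Return {source_pkg: {"cves": [...], "binaries": [...]}} for every SUA
    entry that has at least one binary package installed locally."""
    binary_to_source = binary_to_source or {}
    entries = parse_sua_table(sua_text)
    cves = cves_for(entries)
    hits = {}
    for binpkg in sorted(parse_installed(installed_text)):
        src = binary_to_source.get(binpkg, binpkg)
        if src in entries:
            hit = hits.setdefault(src, {"cves": cves[src], "binaries": []})
            hit["binaries"].append(binpkg)
    return hits


if __name__ == "__main__":
    for src, info in triage(SUA_TABLE, INSTALLED, BINARY_TO_SOURCE).items():
        print(f"{src}: binaries={info['binaries']} cves={info['cves'] or '-'}")
```

Packages that are merely in `config-files` state (removed but not purged, like `emacs` in the sample) are deliberately left out, since the update does not change any running code on that host; entries without a CVE identifier are still reported, because a point-release fix such as the base-files update is worth a test installation even when it is not a security fix.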