
[SUA 254-1] Upcoming Debian 11 Update (11.10)



----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 254-1         https://www.debian.org/
debian-release@lists.debian.org                           Jonathan Wiltshire
June 24th, 2024
----------------------------------------------------------------------------

Upcoming Debian 11 Update (11.10)

An update to Debian 11 is scheduled for Saturday, June 29th, 2024. As of now
it will include the following bug fixes. They can be found in
"bullseye-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bullseye-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following
packages:

  Package                    Reason
  -------                    ------

  allegro5                   Fix buffer overflow issues [CVE-2021-36489]

  amavisd-new                Handle multiple boundary parameters that
                             contain conflicting values [CVE-2024-28054]

  bart                       Fix build test failures by relaxing a floating-
                             point comparison

  bart-cuda                  Fix build test failures by relaxing a floating-
                             point comparison

  base-files                 Update for the point release

  cloud-init-22.4.2          Introduce later-versioned replacement for
                             cloud-init package

  cpu                        Provide exactly one definition of globalLdap in
                             ldap plugin

  cups                       Fix issues with domain socket handling
                             [CVE-2024-35235]

  curl                       Fix memory leak when HTTP/2 server push is
                             aborted [CVE-2024-2398]

  debsig-verify              Rebuild for outdated Built-Using

  deets                      Rebuild for outdated Built-Using

  distro-info-data           Declare intentions for bullseye/bookworm; fix
                             past data; add Ubuntu 24.10

  django-mailman3            Scrub messages before archiving

  dns-root-data              Update root hints; update expired security
                             information

  emacs                      Protect against unsafe remote resources
                             [CVE-2024-30203 CVE-2024-30204 CVE-2024-30205];
                             fix memory leak in patch for CVE-2022-48337

  galera-4                   New upstream bugfix release; update upstream
                             release signing key; prevent date-related test
                             failures

  gdk-pixbuf                 ANI: Reject files with multiple anih chunks
                             [CVE-2022-48622]; ANI: Reject files with
                             multiple INAM or IART chunks; ANI: Validate
                             anih chunk size

  glib2.0                    Fix a (rare) memory leak

  gnutls28                   Fix assertion failure verifying a certificate
                             chain with a cycle of cross signatures
                             [CVE-2024-0567]; fix timing side-channel attack
                             inside RSA-PSK key exchange [CVE-2024-0553]

  gross                      Fix stack-based buffer overflow
                             [CVE-2023-52159]

  hovercraft                 Depend on python3-setuptools

  imlib2                     Fix heap-buffer overflow vulnerability when
                             using the tgaflip function in loader_tga.c
                             [CVE-2024-25447 CVE-2024-25448 CVE-2024-25450]

  intel-microcode            Fixes for INTEL-SA-00972 [CVE-2023-39368],
                             INTEL-SA-00982 [CVE-2023-38575], INTEL-SA-00898
                             [CVE-2023-28746], INTEL-SA-00960
                             [CVE-2023-22655] and INTEL-SA-01045
                             [CVE-2023-43490]; mitigate for INTEL-SA-01051
                             [CVE-2023-45733], INTEL-SA-01052
                             [CVE-2023-46103], INTEL-SA-01036
                             [CVE-2023-45745, CVE-2023-47855] and
                             unspecified functional issues on various Intel
                             processors

  jose                       Fix potential denial-of-service issue
                             [CVE-2023-50967]

  json-smart                 Fix excessive recursion leading to stack
                             overflow [CVE-2023-1370]; fix denial of service
                             via crafted request [CVE-2021-31684]

  lacme                      Fix post-issuance validation logic

  libapache2-mod-auth-openidc
                             Fix missing input validation leading to DoS
                             [CVE-2024-24814]

  libjwt                     Fix a timing side channel via strcmp()
                             [CVE-2024-25189]

  libkf5ksieve               Prevent leaking passwords into server-side logs

  libmicrohttpd              Fix out of bounds read with crafted POST
                             requests [CVE-2023-27371]

  libssh2                    Fix out of bounds memory check in
                             _libssh2_packet_add [CVE-2020-22218]

  links2                     Rebuild for outdated Built-Using

  nano                       Fix malicious symlink issue [CVE-2024-5742]

  ngircd                     Respect "SSLConnect" option for incoming
                             connections; server certificate validation on
                             server links (S2S-TLS); METADATA: Fix unsetting
                             "cloakhost"

  nvidia-settings            New upstream bugfix release; build for ppc64el

  org-mode                   Protect against unsafe remote resources
                             [CVE-2024-30203 CVE-2024-30204 CVE-2024-30205]

  php-composer-xdebug-handler
                             Force system dependency loading

  php-doctrine-annotations   Force system dependency loading

  php-phpseclib              Force system dependency loading; guard
                             isPrime() and randomPrime() for BigInteger
                             [CVE-2024-27354]; limit OID length in ASN1
                             [CVE-2024-27355]; fix BigInteger getLength()

  php-proxy-manager          Force system dependency loading

  php-symfony-contracts      Force system dependency loading

  php-zend-code              Force system dependency loading

  phpseclib                  Force system dependency loading; guard
                             isPrime() and randomPrime() for BigInteger
                             [CVE-2024-27354]; limit OID length in ASN1
                             [CVE-2024-27355]; fix BigInteger getLength()

  postfix                    Upstream bugfix release

  postgresql-13              New upstream stable release

  pypdf2                     Fix quadratic runtime with malformed PDF
                             missing xref marker [CVE-2023-36810]; fix
                             infinite loop with crafted input
                             [CVE-2022-24859]

  python-aiosmtpd            Fix SMTP smuggling issue [CVE-2024-27305]; fix
                             STARTTLS unencrypted command injection issue
                             [CVE-2024-34083]

  python-dnslib              Validate transaction ID in client.py

  python-idna                Fix denial of service issue [CVE-2024-3651]

  python-stdnum              Fix FTBFS when test date is not far enough in
                             the future

  qtbase-opensource-src      Security fixes [CVE-2022-25255 CVE-2023-24607
                             CVE-2023-32762 CVE-2023-32763 CVE-2023-33285
                             CVE-2023-34410 CVE-2023-37369 CVE-2023-38197
                             CVE-2023-51714 CVE-2024-25580]

  reportbug                  Fix suite name to codename mappings to reflect
                             the bookworm release

  rust-cbindgen-web          New source package to support builds of newer
                             Firefox ESR versions

  rustc-web                  Support firefox-esr and thunderbird in bullseye
                             for LTS

  sendmail                   Fix SMTP smuggling issue [CVE-2023-51765]; fix
                             location of debian/NEWS; add forgotten
                             configuration for rejecting NUL by default

  symfony                    Force system dependency loading; DateTypeTest:
                             ensure submitted year is accepted choice

  systemd                    Meson: drop arch filtering in syscall list;
                             unset TZ before timezone-sensitive unit tests
                             are run

  wpa                        Fix authentication bypass issue
                             [CVE-2023-52160]


A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/oldstable.html>
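For anyone tracking which of the fixes above touch their own systems, the table
is regular enough to parse mechanically. The script below is an added example
written for this page, not Debian tooling: it reads an SUA-style two-column
table (package name in the first column, wrapped reason text in the second),
extracts the CVE identifiers cited for each package, and intersects the result
with a list of installed source package names. The sample table embedded in the
script is a constructed excerpt of a few rows from this announcement; the
function names and the row-matching heuristics are the example's own
assumptions.

```python
import re
from typing import Dict, List

# Constructed sample input: a handful of rows copied from the SUA 254-1 table,
# in the announcement's own layout (two-space indent for a package row,
# deeper indent for continuation of the Reason column).
SAMPLE_TABLE = """\
  Package                    Reason
  -------                    ------

  allegro5                   Fix buffer overflow issues [CVE-2021-36489]

  curl                       Fix memory leak when HTTP/2 server push is
                             aborted [CVE-2024-2398]

  libapache2-mod-auth-openidc
                             Fix missing input validation leading to DoS
                             [CVE-2024-24814]

  glib2.0                    Fix a (rare) memory leak

  phpseclib                  Force system dependency loading; guard
                             isPrime() and randomPrime() for BigInteger
                             [CVE-2024-27354]; limit OID length in ASN1
                             [CVE-2024-27355]; fix BigInteger getLength()
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# A package row is exactly two spaces followed by a non-blank name; the reason
# column may be absent on that line when the name is long (see openidc above).
# Continuation lines are indented much deeper, so they never match this.
ROW_RE = re.compile(r"^  (\S+)(?:\s+(.*))?$")


def parse_sua_table(text: str) -> Dict[str, str]:
    """Return {package: full reason text} from an SUA-style table."""
    entries: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue  # blank separator between rows
        m = ROW_RE.match(line)
        if m:
            name, reason = m.group(1), (m.group(2) or "")
            if name in ("Package", "-------"):
                continue  # column header and underline
            current = name
            entries[current] = reason.strip()
        elif current is not None:
            # Wrapped continuation of the previous package's reason column.
            entries[current] = (entries[current] + " " + line.strip()).strip()
    return entries


def cves_by_package(text: str) -> Dict[str, List[str]]:
    """Map package -> sorted CVE ids cited in its reason (empty if none)."""
    return {pkg: sorted(set(CVE_RE.findall(reason)))
            for pkg, reason in parse_sua_table(text).items()}


def packages_for_cve(text: str, cve: str) -> List[str]:
    """Reverse lookup: which packages in the table cite a given CVE."""
    return sorted(pkg for pkg, cves in cves_by_package(text).items() if cve in cves)


def affected_installed(text: str, installed_sources: List[str]) -> Dict[str, List[str]]:
    """Intersect the table with installed *source* package names.

    The SUA table lists source packages, so feed it source names, e.g. the
    output of: dpkg-query -W -f='${source:Package}\\n' | sort -u
    """
    table = cves_by_package(text)
    return {pkg: table[pkg] for pkg in installed_sources if pkg in table}


if __name__ == "__main__":
    # Constructed list standing in for dpkg-query output on some host.
    installed = ["bash", "curl", "glib2.0", "openssh"]
    for pkg, cves in affected_installed(SAMPLE_TABLE, installed).items():
        print(f"{pkg}: {', '.join(cves) or 'no CVE cited'}")
```

Note that the table names source packages, not the binary packages dpkg
reports by default; the `${source:Package}` format field of dpkg-query gives
the source name, which is what the intersection needs. Rows without a CVE (such
as glib2.0 here) are kept with an empty list rather than dropped, so a
non-security fix to an installed package is still visible.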


Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

  Package                    Reason
  -------                    ------

  phppgadmin                 Security issues

  pytest-salt-factories      Only needed for to-be-removed salt

  pytest-testinfra           Only needed for to-be-removed salt

  salt                       Unsupportable, unmaintained

  snort                      Security concerns, unmaintained


If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
