----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 254-1 https://www.debian.org/
debian-release@lists.debian.org Jonathan Wiltshire
June 24th, 2024
----------------------------------------------------------------------------
Upcoming Debian 11 Update (11.10)
An update to Debian 11 is scheduled for Saturday, June 29th, 2024. As of now
it will include the following bug fixes. They can be found in "bullseye-
proposed-updates", which is carried by all official mirrors.
Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bullseye-updates".
Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.
The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------
This oldstable update adds a few important corrections to the following
packages:
Package Reason
------- ------
allegro5 Fix buffer overflow issues [CVE-2021-36489]
amavisd-new Handle multiple boundary parameters that
contain conflicting values [CVE-2024-28054]
bart Fix build test failures by relaxing a floating-
point comparison
bart-cuda Fix build test failures by relaxing a floating-
point comparison
base-files Update for the point release
cloud-init-22.4.2 Introduce later-versioned replacement for
cloud-init package
cpu Provide exactly one definition of globalLdap in
ldap plugin
cups Fix issues with domain socket handling
[CVE-2024-35235]
curl Fix memory leak when HTTP/2 server push is
aborted [CVE-2024-2398]
debsig-verify Rebuild for outdated Built-Using
deets Rebuild for outdated Built-Using
distro-info-data Declare intentions for bulllseye/bookworm; fix
past data; add Ubuntu 24.10
django-mailman3 Scrub messages before archiving
dns-root-data Update root hints; update expired security
information
emacs Protect against unsafe remote resources
[CVE-2024-30203 CVE-2024-30204 CVE-2024-30205];
fix memory leak in patch for CVE-2022-48337
galera-4 New upstream bugfix release; update upstream
release signing key; prevent date-related test
failures
gdk-pixbuf ANI: Reject files with multiple anih chunks
[CVE-2022-48622]; ANI: Reject files with
multiple INAM or IART chunks; ANI: Validate
anih chunk size
glib2.0 Fix a (rare) memory leak
gnutls28 Fix assertion failure verifying a certificate
chain with a cycle of cross signatures
[CVE-2024-0567]; fix timing side-channel attack
inside RSA-PSK key exchange [CVE-2024-0553]
gross Fix stack-based buffer overflow
[CVE-2023-52159]
hovercraft Depend on python3-setuptools
imlib2 Fix heap-buffer overflow vulnerability when
using the tgaflip function in loader_tga.c
[CVE-2024-25447 CVE-2024-25448 CVE-2024-25450]
intel-microcode Fixes for INTEL-SA-INTEL-SA-00972
[CVE-2023-39368], INTEL-SA-INTEL-SA-00982
[CVE-2023-38575], INTEL-SA-INTEL-SA-00898
[CVE-2023-28746], INTEL-SA-INTEL-SA-00960
[CVE-2023-22655] and INTEL-SA-INTEL-SA-01045
[CVE-2023-43490]; mitigate for INTEL-SA-01051
[CVE-2023-45733], INTEL-SA-01052
[CVE-2023-46103], INTEL-SA-01036
[CVE-2023-45745, CVE-2023-47855] and
unspecified functional issues on various Intel
processors
jose Fix potential denial-of-service issue
[CVE-2023-50967]
json-smart Fix excessive recursion leading to stack
overflow [CVE-2023-1370]; fix denial of service
via crafted request [CVE-2021-31684]
lacme Fix post-issuance validation logic
libapache2-mod-auth-openidc
Fix mising input validation leading to DoS
[CVE-2024-24814]
libjwt Fix a timing side channel via strcmp()
[CVE-2024-25189]
libkf5ksieve Prevent leaking passwords into server-side logs
libmicrohttpd Fix out of bounds read with crafted POST
requests [CVE-2023-27371]
libssh2 Fix out of bounds memory check in
_libssh2_packet_add [CVE-2020-22218]
links2 Rebuild for outdated Built-Using
nano Fix malicious symlink issue [CVE-2024-5742]
ngircd Respect "SSLConnect" option for incoming
connections; server certificate validation on
server links (S2S-TLS); METADATA: Fix unsetting
"cloakhost"
nvidia-settings New upstream bugfix release; build for ppc64el
org-mode Protect against unsafe remote resources
[CVE-2024-30203 CVE-2024-30204 CVE-2024-30205]
php-composer-xdebug-handler
Force system dependency loading
php-doctrine-annotations Force system dependency loading
php-phpseclib Force system dependency loading; guard
isPrime() and randomPrime() for BigInteger
[CVE-2024-27354]; limit OID length in ASN1
[CVE-2024-27355]; fix BigInteger getLength()
php-proxy-manager Force system dependency loading
php-symfony-contracts Force system dependency loading
php-zend-code Force system dependency loading
phpseclib Force system dependency loading; guard
isPrime() and randomPrime() for BigInteger
[CVE-2024-27354]; limit OID length in ASN1
[CVE-2024-27355]; fix BigInteger getLength()
postfix Upstream bugfix release
postgresql-13 New upstream stable release
pypdf2 Fix quadratic runtime with malformed PDF
missing xref marker [CVE-2023-36810]; fix
infinite loop with crafted input
[CVE-2022-24859]
python-aiosmtpd Fix SMTP smuggling issue [CVE-2024-27305]; fix
STARTTLS unencrypted command injection issue
[CVE-2024-34083]
python-dnslib Validate transaction ID in client.py
python-idna Fix denial of service issue [CVE-2024-3651]
python-stdnum Fix FTBFS when test date is not far enough in
the future
qtbase-opensource-src Security fixes [CVE-2022-25255 CVE-2023-24607
CVE-2023-32762 CVE-2023-32763 CVE-2023-33285
CVE-2023-34410 CVE-2023-37369 CVE-2023-38197
CVE-2023-51714 CVE-2024-25580]
reportbug Fix suite name to codename mappings to reflect
the bookworm release
rust-cbindgen-web New source package to support builds of newer
Firefox ESR versions
rustc-web Support firefox-esr and thunderbird in bullseye
for LTS
sendmail Fix SMTP smuggling issue [CVE-2023-51765]; fix
location of debian/NEWS; add forgotten
configuration for rejecting NUL by defualt
symfony Force system dependency loading; DateTypeTest:
ensure submitted year is accepted choice
systemd Meson: drop arch filtering in syscall list;
unset TZ before timezone-sensitive unit tests
are run
wpa Fix authentication bypass issue
[CVE-2023-52160]
A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:
<https://release.debian.org/proposed-updates/oldstable.html>
Removed packages
----------------
The following packages will be removed due to circumstances beyond our
control:
Package Reason
------- ------
phppgadmin Security issues
pytest-salt-factories Only needed for to-be-removed salt
pytest-testinfra Only needed for to-be-removed salt
salt Unsupportable, unmaintained
snort Security concerns, unmaintained
If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
Attachment:
signature.asc
Description: PGP signature