----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 255-1      debian-release@lists.debian.org
https://www.debian.org/                                           Adam D. Barratt
                                                                  June 24th, 2024
----------------------------------------------------------------------------

Upcoming Debian 12 Update (12.6)

An update to Debian 12 is scheduled for Saturday, June 29th, 2024. As of now
it will include the following bug fixes. They can be found in
"bookworm-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bookworm-updates".

Testing and feedback would be appreciated. Bugs should be filed in the Debian
Bug Tracking System, but please make the Release Team aware of them by
copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package / Reason
----------------

aide
    Fix concurrent reading of extended attributes
amavisd-new
    Handle multiple boundary parameters that contain conflicting values
    [CVE-2024-28054]; fix race condition in postinst
archlinux-keyring
    Switch to pre-built keyrings; sync with upstream
base-files
    Update for the 12.6 point release
bash
    Rebuild to fix outdated Built-Using
bioawk
    Disable parallel builds to fix random failures
bluez
    Fix remote code execution issues [CVE-2023-27349 CVE-2023-50229
    CVE-2023-50230]
cdo
    Disable hirlam-extensions to avoid causing issues with ICON data files
chkrootkit
    Rebuild to fix outdated Built-Using
cjson
    Fix missing NULL checks [CVE-2023-50471 CVE-2023-50472]
clamav
    New upstream stable release; fix possible heap overflow issue
    [CVE-2024-20290], possible command injection issue [CVE-2024-20328]
cloud-init
    Declare conflicts/replaces on versioned package introduced for bullseye
comitup
    Ensure service is unmasked in post install
cpu
    Provide exactly one definition of globalLdap in ldap plugin
crmsh
    Create log directory and file on installation
crowdsec-custom-bouncer
    Rebuild to fix outdated Built-Using
crowdsec-firewall-bouncer
    Rebuild to fix outdated Built-Using; rebuild against
    golang-github-google-nftables version with fixed little-endian
    architecture support
cups
    Fix issues with domain socket handling [CVE-2024-35235]
curl
    Do not keep default protocols when deselected [CVE-2024-2004]; fix memory
    leak [CVE-2024-2398]
dar
    Rebuild to fix outdated Built-Using
dcmtk
    Clean up properly on purge
debvm
    debvm-create: do install login; bin/debvm-waitssh: make --timeout=N work;
    bin/debvm-run: allow being run in environments without TERM set; fix
    resolv.conf in stretch
dhcpcd5
    privsep: Allow zero length messages through; fix server not being
    restarted correctly during upgrades
distro-info-data
    Declare intentions for bullseye/bookworm; fix past data; add Ubuntu 24.10
djangorestframework
    Reinstate missing static files
dm-writeboost
    Fix build error with 6.9 kernel and backports
dns-root-data
    Update root hints; update expired security information
dpdk
    New upstream stable release
ebook-speaker
    Support username over 8 characters when enumerating groups
emacs
    Security fixes [CVE-2024-30202 CVE-2024-30203 CVE-2024-30204
    CVE-2024-30205]; replace expired package-keyring.gpg with a current
    version
extrepo-data
    Update repository information
flatpak
    New upstream stable release
fpga-icestorm
    Restore compatibility with yosys
freetype
    Disable COLRv1 support, which was unintentionally enabled by upstream; fix
    function existence check when calling get_colr_glyph_paint()
galera-4
    New upstream bugfix release; update upstream release signing key; prevent
    date-related test failures
gdk-pixbuf
    ANI: Reject files with multiple anih chunks [CVE-2022-48622]; ANI: Reject
    files with multiple INAM or IART chunks; ANI: Validate anih chunk size
glewlwyd
    Fix potential buffer overflow during FIDO2 credential validation
    [CVE-2023-49208]; fix open redirection via redirect_uri [CVE-2024-25715]
glib2.0
    Fix a (rare) memory leak
glibc
    Revert fix to always call destructors in reverse constructor order due to
    unforeseen application compatibility issues; fix a DTV corruption due to
    a reuse of a TLS module ID following dlclose with unused TLS
gnutls28
    Fix certtool crash when verifying a certificate chain with more than 16
    certificates [CVE-2024-28835]; fix side-channel in the deterministic
    ECDSA [CVE-2024-28834]; fix a memory leak; fix two segfault issues
golang-github-containers-storage
    Rebuild for outdated Built-Using
golang-github-google-nftables
    Fix AddSet() function on little-endian architectures
golang-github-openshift-imagebuilder
    Rebuild for outdated Built-Using
gosu
    Rebuild for outdated Built-Using
gpaste
    Fix conflict with older libpgpaste6
gross
    Fix stack-based buffer overflow [CVE-2023-52159]
hovercraft
    Depend on python3-setuptools
icinga2
    Fix segmentation fault on ppc64el
igtf-policy-bundle
    Address CAB Forum S/MIME policy change; apply accumulated updates to
    trust anchors
intel-microcode
    Security mitigations [CVE-2023-22655 CVE-2023-28746 CVE-2023-38575
    CVE-2023-39368 CVE-2023-43490]; mitigate for INTEL-SA-01051
    [CVE-2023-45733], INTEL-SA-01052 [CVE-2023-46103], INTEL-SA-01036
    [CVE-2023-45745, CVE-2023-47855] and unspecified functional issues on
    various Intel processors
jose
    Fix potential denial-of-service issue [CVE-2023-50967]
json-smart
    Fix excessive recursion leading to stack overflow [CVE-2023-1370]; fix
    denial of service via crafted request [CVE-2021-31684]
kio
    Fix file loss and potential locking issues on CIFS
lacme
    Fix post-issuance validation logic
libapache2-mod-auth-openidc
    Fix missing input validation leading to DoS [CVE-2024-24814]
libesmtp
    Break and replace older library versions
libimage-imlib2-perl
    Fix package build
libjwt
    Fix timing side channel attack [CVE-2024-25189]
libkf5ksieve
    Prevent leaking passwords into server-side logs
libmail-dkim-perl
    Add dependency on libgetopt-long-descriptive-perl
libpod
    Handle removed containers properly
libreoffice
    Fix backup copy creation for files on mounted samba shares; don't remove
    libforuilo.so in -core-nogui
libseccomp
    Add support for syscalls up to Linux 6.7
libtommath
    Fix integer overflow [CVE-2023-36328]
libtool
    Conflict with libltdl3-dev; fix check for += operator in func_append
libxml-stream-perl
    Fix compatibility with IO::Socket::SSL >= 2.078
linux
    New upstream stable release; increase ABI to 22
linux-signed-amd64
    New upstream stable release; increase ABI to 22
linux-signed-arm64
    New upstream stable release; increase ABI to 22
linux-signed-i386
    New upstream stable release; increase ABI to 22
lua5.4
    debian/version-script: Export additional missing symbols for lua 5.4.4
lxc-templates
    Fix the "mirror" option of lxc-debian
mailman3
    Depend alternatively on cron-daemon; fix postgresql:// url in
    post-installation script
mksh
    Handle merged /usr in /etc/shells; fix crash with nested bashism; fix
    arguments to the dot command; distinguish unset and empty in `typeset -p`
mobian-keyring
    Update Mobian archive key
ms-gsl
    Mark not_null constructors as noexcept
nano
    Fix format string issues; fix "with --cutfromcursor, undoing a
    justification can eat a line"; fix malicious symlink issue; fix example
    bindings in nanorc
netcfg
    Handle routing for single-address netmasks
ngircd
    Respect "SSLConnect" option for incoming connections; server certificate
    validation on server links (S2S-TLS); METADATA: Fix unsetting "cloakhost"
node-babel7
    Fix building against nodejs 18.19.0+dfsg-6~deb12u1; add Breaks/Replaces
    against obsolete node-babel-* packages
node-undici
    Properly export typescript types
node-v8-compile-cache
    Fix tests when a newer nodejs version is used
node-zx
    Fix flaky test
nodejs
    Skip flaky tests for mipsel/mips64el
nsis
    Don't allow unprivileged users to delete the uninstaller directory
    [CVE-2023-37378]; fix regression in disabling stub relocations; build
    reproducibly for arm64
numpy
    Conflict with python-numpy
nvidia-graphics-drivers
    Restore compatibility with newer Linux kernel builds; take over packages
    from nvidia-graphics-drivers-tesla; add new nvidia-suspend-common
    package; fix Tesla 470 detection; relax dh-dkms build-dependency for
    compatibility with bookworm; new upstream stable release [CVE-2023-0180
    CVE-2023-0183 CVE-2023-0184 CVE-2023-0185 CVE-2023-0187 CVE-2023-0188
    CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195
    CVE-2023-0198 CVE-2023-0199 CVE-2023-25515 CVE-2023-25516 CVE-2023-31022
    CVE-2024-0074 CVE-2024-0075 CVE-2024-0078 CVE-2024-0090 CVE-2024-0092]
nvidia-graphics-drivers-tesla
    Restore compatibility with newer Linux kernel builds
nvidia-graphics-drivers-tesla-470
    Restore compatibility with newer Linux kernel builds; stop building
    nvidia-cuda-mps; new upstream stable release; security fixes
    [CVE-2022-42265 CVE-2024-0074 CVE-2024-0078 CVE-2024-0090 CVE-2024-0092]
nvidia-modprobe
    Prepare to switch to 535 series LTS drivers
nvidia-open-gpu-kernel-modules
    Update to 535 series LTS drivers [CVE-2023-0180 CVE-2023-0183
    CVE-2023-0184 CVE-2023-0185 CVE-2023-0187 CVE-2023-0188 CVE-2023-0189
    CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198
    CVE-2023-0199 CVE-2023-25515 CVE-2023-25516 CVE-2023-31022 CVE-2024-0074
    CVE-2024-0075 CVE-2024-0078 CVE-2024-0090 CVE-2024-0092]
nvidia-persistenced
    Switch to 535 series LTS drivers; update list of supported drivers
nvidia-settings
    Also build for ppc64el; new upstream LTS release
nvidia-xconfig
    New upstream LTS release
openrc
    Ignore non-executable scripts in /etc/init.d
openssl
    New upstream stable release; fix excessive time taken issues
    [CVE-2023-5678 CVE-2023-6237], vector register corruption issue on
    PowerPC [CVE-2023-6129], PKCS12 decoding crashes [CVE-2024-0727]
openvpn-dco-dkms
    Build for Linux >= 6.5; install compat-include directory; fix refcount
    imbalance
orthanc-dicomweb
    Rebuild to fix outdated Built-Using
orthanc-gdcm
    Rebuild to fix outdated Built-Using
orthanc-mysql
    Rebuild to fix outdated Built-Using
orthanc-neuro
    Rebuild to fix outdated Built-Using
orthanc-postgresql
    Rebuild to fix outdated Built-Using
orthanc-python
    Rebuild to fix outdated Built-Using
orthanc-webviewer
    Rebuild to fix outdated Built-Using
orthanc-wsi
    Rebuild to fix outdated Built-Using
ovn
    New upstream stable version; fix insufficient validation of incoming BFD
    packets [CVE-2024-2182]
pdudaemon
    Depend on python3-aiohttp
php-composer-class-map-generator
    Force system dependency loading
php-composer-pcre
    Add missing Breaks+Replaces: composer (<< 2.2)
php-composer-xdebug-handler
    Force system dependency loading
php-doctrine-annotations
    Force system dependency loading
php-doctrine-deprecations
    Force system dependency loading
php-doctrine-lexer
    Force system dependency loading
php-phpseclib
    Guard isPrime() and randomPrime() for BigInteger [CVE-2024-27354]; limit
    OID length in ASN1 [CVE-2024-27355]; fix BigInteger getLength(); remove
    visibility modifiers from static variables
php-phpseclib3
    Force system dependency loading; guard isPrime() and randomPrime() for
    BigInteger [CVE-2024-27354]; limit OID length in ASN1 [CVE-2024-27355];
    fix BigInteger getLength()
php-proxy-manager
    Force system dependency loading
php-symfony-contracts
    Force system dependency loading
php-zend-code
    Force system dependency loading
phpldapadmin
    Fix compatibility with PHP 8.1+
phpseclib
    Force system dependency loading; guard isPrime() and randomPrime() for
    BigInteger [CVE-2024-27354]; limit OID length in ASN1 [CVE-2024-27355];
    fix BigInteger getLength()
postfix
    New upstream stable release
postgresql-15
    New upstream stable release; restrict visibility of pg_stats_ext and
    pg_stats_ext_exprs entries to the table owner [CVE-2024-4317]
prometheus-node-exporter-collectors
    Do not adversely affect mirror network; fix deadlock with other apt
    update runs
pymongo
    Fix out-of-bounds read issue [CVE-2024-5629]
pypy3
    Strip C0 control and space characters in urlsplit [CVE-2023-24329];
    avoid bypass of TLS handshake protections on closed sockets
    [CVE-2023-40217]; tempfile.TemporaryDirectory: fix symlink bug in
    cleanup [CVE-2023-6597]; protect zipfile from "quoted-overlap" zipbomb
    [CVE-2024-0450]
python-aiosmtpd
    Fix SMTP smuggling issue [CVE-2024-27305]; fix STARTTLS unencrypted
    command injection issue [CVE-2024-34083]
python-asdf
    Remove unnecessary dependency on asdf-unit-schemas
python-channels-redis
    Ensure pools are closed on loop close in core
python-idna
    Fix denial of service issue [CVE-2024-3651]
python-jwcrypto
    Fix denial of service issue [CVE-2024-28102]
python-xapian-haystack
    Drop dependency on django.utils.six
python3.11
    Fix use-after-free crash when deallocating a frame object; protect
    zipfile from "quoted-overlap" zipbomb [CVE-2024-0450];
    tempfile.TemporaryDirectory: fix symlink bug in cleanup [CVE-2023-6597];
    fix "os.path.normpath(): Path truncation at null bytes" [CVE-2023-41105];
    avoid bypass of TLS handshake protections on closed sockets
    [CVE-2023-40217]; strip C0 control and space characters in urlsplit
    [CVE-2023-24329]; avoid a potential null pointer dereference in fileutils
qemu
    New upstream stable release; security fixes [CVE-2024-26327
    CVE-2024-26328 CVE-2024-3446 CVE-2024-3447]
qtbase-opensource-src
    Fix regression in patch for CVE-2023-24607; avoid using system CA
    certificates when not wanted [CVE-2023-34410]; fix buffer overflow
    [CVE-2023-37369]; fix infinite loop in XML recursive entity expansion
    [CVE-2023-38197]; fix buffer overflow with crafted KTX image file
    [CVE-2024-25580]; fix HPack integer overflow check [CVE-2023-51714]
rails
    Declare breaks and replaces on obsolete ruby-arel package
riseup-vpn
    Use system certificate bundle by default, restoring ability to connect
    to an endpoint using a Let's Encrypt certificate
ruby-aws-partitions
    Ensure binary package includes partitions.json and
    partitions-metadata.json files
ruby-premailer-rails
    Remove build-dependency on obsolete ruby-arel
rust-cbindgen-web
    New source package to support builds of newer Firefox ESR versions
rustc-web
    New source package to support builds of web browsers
schleuder
    Fix insufficient validation in argument parsing; fix importing keys from
    attachments sent by Thunderbird and handle mails without further
    content; look for keywords only at the start of mail; validate downcased
    email addresses when checking subscribers; consider From header for
    finding reply addresses
sendmail
    Fix SMTP smuggling issue [CVE-2023-51765]; fix location for debian/NEWS
skeema
    Rebuild for outdated Built-Using
skopeo
    Rebuild for outdated Built-Using
software-properties
    software-properties-qt: Add Conflicts+Replaces: software-properties-kde
    for smoother upgrades from bullseye
supermin
    Rebuild to fix outdated Built-Using
symfony
    Force system dependency loading; DateTypeTest: ensure submitted year is
    an accepted choice
systemd
    New upstream stable release; fix denial of service issues
    [CVE-2023-50387 CVE-2023-50868]; libnss-myhostname.nss: Install after
    "files"; libnss-mymachines.nss: Install before "resolve" and "dns"
termshark
    Rebuild to fix outdated Built-Using
tripwire
    Rebuild to fix outdated Built-Using
tryton-client
    Only send compressed content in authenticated sessions
tryton-server
    Prevent "zip-bomb" attacks from unauthenticated sources
u-boot
    Fix orion-timer for booting sheevaplug and related platforms
uif
    Support VLAN interface names
umoci
    Rebuild for outdated Built-Using
user-mode-linux
    Rebuild to fix outdated Built-Using
wayfire
    Add missing dependencies
what-is-python
    Declare breaks and replaces on python-dev-is-python2; fix version
    mangling in build rules
wpa
    Fix authentication bypass issue [CVE-2023-52160]
xscreensaver
    Disable warning about old versions
yapet
    Do not call EVP_CIPHER_CTX_set_key_length() in crypt/blowfish and
    crypt/aes
zsh
    Rebuild to fix outdated Built-Using

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

<https://release.debian.org/proposed-updates/stable.html>


Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package / Reason
----------------

phppgadmin
    Security issues; incompatible with bookworm's PostgreSQL version
pytest-salt-factories
    Only needed for salt, which is not part of bookworm
ruby-arel
    Obsolete, integrated into ruby-activerecord, incompatible with
    ruby-activerecord 6.1.x
spip
    Incompatible with bookworm's PHP version
vasttrafik-cli
    API withdrawn


If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
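For anyone who needs to reconcile a point-release announcement like this one against a package inventory, the useful output is "which CVE identifiers does each source package claim to fix, and which CVEs appear under more than one package". Below is an added example, not part of the announcement and not a Debian Release Team tool, that parses the two-column "Package / Reason" table as it is laid out in the mailed announcements (reason text wrapped onto indented continuation lines, and long package names wrapped with a trailing "-" onto the next row, as with golang-github-containers-storage and libapache2-mod-auth-openidc above) and extracts the CVE identifiers per package. The sample text is constructed from a handful of rows of this announcement, re-laid out in that column format; the header-detection rule (a line whose only words are "Package" and "Reason") and the end-of-table rule (first blank line after the rows) are assumptions about the format, not guaranteed by Debian.

```python
import re
from typing import Dict, List

# CVE identifiers as they appear in the announcement: CVE-YYYY-NNNN (4+ digits).
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample: a few rows of SUA 255-1 re-laid out in the announcement's
# two-column format, including a wrapped reason and two wrapped package names.
SAMPLE_SUA = """\
This stable update adds a few important corrections to the following packages:

Package                      Reason
-------                      ------
aide                         Fix concurrent reading of extended attributes
bluez                        Fix remote code execution issues [CVE-2023-27349
                             CVE-2023-50229 CVE-2023-50230]
golang-github-containers-    Rebuild for outdated Built-Using
storage
libapache2-mod-auth-         Fix missing input validation leading to DoS
openidc                      [CVE-2024-24814]
php-phpseclib                Guard isPrime() and randomPrime() for BigInteger
                             [CVE-2024-27354]; limit OID length in ASN1
                             [CVE-2024-27355]
phpseclib                    Force system dependency loading; guard isPrime()
                             and randomPrime() for BigInteger [CVE-2024-27354]

A complete list of all accepted and rejected packages ...
"""


def parse_sua_table(text: str) -> Dict[str, dict]:
    """Parse the 'Package / Reason' table into {package: {"reason": str, "cves": [...]}}.

    Assumed layout rules: the table begins at a line reading 'Package  Reason' and
    ends at the first blank line after the rows; a row starting with whitespace
    continues the previous reason; a package name ending in '-' is continued by
    the package-column text of the next row (this is how the announcement wraps
    names too long for the column).
    """
    entries: Dict[str, dict] = {}
    current = None
    reason_col = None

    for line in text.splitlines():
        if reason_col is None:
            if line.split() == ["Package", "Reason"]:
                reason_col = line.index("Reason")   # column where reasons start
            continue
        if not line.strip():
            if entries:
                break                               # blank line ends the table
            continue
        if set(line.strip()) <= {"-", " "}:
            continue                                # the '-------  ------' underline

        if line[0].isspace():
            # Continuation of the previous entry's reason text.
            name_frag, reason_part = "", line.strip()
        elif len(line) > reason_col and not line[reason_col - 1].isspace():
            # Name runs into the Reason column: fall back to first-whitespace split.
            parts = line.split(None, 1)
            name_frag, reason_part = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        else:
            name_frag, reason_part = line[:reason_col].strip(), line[reason_col:].strip()

        if name_frag:
            if current is not None and current.endswith("-"):
                # Second half of a package name wrapped across two rows.
                entries[current + name_frag] = entries.pop(current)
                current = current + name_frag
            else:
                if name_frag in entries:
                    raise ValueError(f"duplicate package row: {name_frag}")
                current = name_frag
                entries[current] = {"reason": "", "cves": []}
        if current is None:
            raise ValueError(f"reason text before any package row: {line!r}")
        if reason_part:
            e = entries[current]
            e["reason"] = f'{e["reason"]} {reason_part}'.strip()

    for e in entries.values():
        # Deduplicate CVE ids while keeping the order the announcement lists them in.
        e["cves"] = list(dict.fromkeys(CVE_RE.findall(e["reason"])))
    return entries


def packages_by_cve(entries: Dict[str, dict]) -> Dict[str, List[str]]:
    """Invert the table: CVE id -> packages citing it. One CVE can be fixed in
    several source packages (the phpseclib variants in this announcement)."""
    index: Dict[str, List[str]] = {}
    for pkg, e in entries.items():
        for cve in e["cves"]:
            index.setdefault(cve, []).append(pkg)
    return index


def security_relevant(entries: Dict[str, dict]) -> List[str]:
    """Packages whose reason cites at least one CVE (rebuilds and plain
    bugfixes drop out)."""
    return [pkg for pkg, e in entries.items() if e["cves"]]


if __name__ == "__main__":
    table = parse_sua_table(SAMPLE_SUA)
    for pkg in security_relevant(table):
        print(f"{pkg}: {' '.join(table[pkg]['cves'])}")
    for cve, pkgs in packages_by_cve(table).items():
        if len(pkgs) > 1:
            print(f"{cve} is fixed in several source packages: {', '.join(pkgs)}")
```

Feed it the body of the mailed announcement (not an HTML-flattened copy, where the column layout is lost) and compare `security_relevant()` against the source packages installed on your hosts; packages that appear only as "Rebuild to fix outdated Built-Using" carry no security content of their own. Note that, as the announcement says, fixes shipped through security.debian.org are not in this table at all.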
Attachment:
signature.asc
Description: This is a digitally signed message part