----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 256-1         https://www.debian.org/
debian-release@lists.debian.org                           Jonathan Wiltshire
August 26th, 2024
----------------------------------------------------------------------------
Upcoming Debian 11 Update (11.11)

A final update to Debian 11 is scheduled for Saturday, August 31st, 2024.
As of now it will include the following bug fixes. They can be found in
"bullseye-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bullseye-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following
packages:

Package                   Reason
-------                   ------
amd64-microcode           New upstream release; security fixes
                          [CVE-2023-31315]; SEV firmware fixes
                          [CVE-2023-20584 CVE-2023-31356]
ansible                   New upstream stable release: fix template
                          injection issue [CVE-2021-3583], information
                          disclosure issue [CVE-2021-3620], file
                          overwrite issue [CVE-2023-5115], template
                          injection issue [CVE-2023-5764], information
                          disclosure issues [CVE-2024-0690
                          CVE-2022-3697]; document workaround for ec2
                          private key leak [CVE-2023-4237]
apache2                   New upstream stable release; fix content
                          disclosure issue [CVE-2024-40725]
bind9                     Allow the limits introduced to fix
                          CVE-2024-1737 to be configured
choose-mirror             Update list of available mirrors
cjson                     Add NULL checks to cJSON_SetValuestring and
                          cJSON_InsertItemInArray [CVE-2023-50472
                          CVE-2023-50471 CVE-2024-31755]
cups                      Fix issues with domain socket handling
                          [CVE-2024-35235]; fix regression when domain
                          sockets only are used
curl                      Fix ASN.1 date parser overread issue
                          [CVE-2024-7264]
dropbear                  Fix "noremotetcp" behaviour of keepalive
                          packets in combination with the
                          'no-port-forwarding' authorized_keys(5)
                          restriction
fusiondirectory           Backport compatibility with php-cas version
                          addressing CVE-2022-39369; fix improper session
                          handling issue [CVE-2022-36179]; fix cross site
                          scripting issue [CVE-2022-36180]
gettext.js                Fix server side request forgery issue
                          [CVE-2024-43370]
glewlwyd                  Fix buffer overflow during webauthn signature
                          assertion [CVE-2022-27240]; prevent directory
                          traversal in
                          static_compressed_inmemory_website_callback.c
                          [CVE-2022-29967]; copy bootstrap, jquery,
                          fork-awesome instead of linking them; fix
                          buffer overflow during FIDO2 signature
                          validation [CVE-2023-49208]
glibc                     Fix ffsll() performance issue depending on code
                          alignment; performance improvements for
                          memcpy() on arm64; fix y2038 regression in nscd
                          following CVE-2024-33601 and CVE-2024-33602 fix
graphviz                  Fix broken scaling
gtk+2.0                   Avoid looking for modules in current working
                          directory [CVE-2024-6655]
gtk+3.0                   Avoid looking for modules in current working
                          directory [CVE-2024-6655]
healpix-java              Fix build failure
imagemagick               Fix divide-by-zero issues [CVE-2021-20312
                          CVE-2021-20313]; fix incomplete fix for
                          CVE-2023-34151
indent                    Reinstate ROUND_UP macro and adjust the initial
                          buffer size to fix memory handling problems;
                          fix out-of-buffer read in
                          search_brace()/lexi(); fix heap buffer
                          overwrite in search_brace() [CVE-2023-40305];
                          fix heap buffer underread in set_buf_break()
                          [CVE-2024-0911]
intel-microcode           New upstream release; security fixes
                          [CVE-2023-42667 CVE-2023-49141 CVE-2024-24853
                          CVE-2024-24980 CVE-2024-25939]
libvirt                   Fix sVirt confinement issue [CVE-2021-3631],
                          use after free issue [CVE-2021-3975], denial of
                          service issues [CVE-2021-3667 CVE-2021-4147
                          CVE-2022-0897 CVE-2024-1441 CVE-2024-2494
                          CVE-2024-2496]
midge                     Exclude examples/covers/* for DFSG-compliance;
                          add build-arch/build-indep build targets; use
                          quilt (3.0) source package format
mlpost                    Fix build failure with newer ImageMagick
                          versions
net-tools                 Drop build-dependency on libdnet-dev
nfs-utils                 Pass all valid export flags to nfsd
ntfs-3g                   Fix use-after-free in 'ntfs_uppercase_mbs'
                          [CVE-2023-52890]
nvidia-graphics-drivers-tesla-418
                          Fix use of GPL-only symbols causing build
                          failures
nvidia-graphics-drivers-tesla-450
                          New upstream stable release
nvidia-graphics-drivers-tesla-460
                          New upstream stable release
ocsinventory-server       Backport compatibility with php-cas version
                          addressing CVE-2022-39369
onionshare                Demote obfs4proxy dependency to Recommends, to
                          allow removal of obfs4proxy
php-cas                   Fix Service Hostname Discovery Exploitation
                          issue [CVE-2022-39369]
poe.app                   Make comment cells editable; fix drawing when
                          an NSActionCell in the preferences is acted on
                          to change state
putty                     Fix weak ECDSA nonce generation allowing secret
                          key recovery [CVE-2024-31497]
riemann-c-client          Prevent malformed payload in GnuTLS
                          send/receive operations
runc                      Fix busybox tarball URL; prevent buffer
                          overflow writing netlink messages
                          [CVE-2021-43784]; fix tests on newer kernels;
                          prevent write access to user-owned cgroup
                          hierarchy '/sys/fs/cgroup/user.slice/...'
                          [CVE-2023-25809]; fix access control regression
                          [CVE-2023-27561 CVE-2023-28642]
rustc-web                 New upstream stable release, to support building
                          new chromium and firefox-esr versions
shim                      New upstream release
shim-helpers-amd64-signed Rebuild against shim 15.8.1
shim-helpers-arm64-signed Rebuild against shim 15.8.1
shim-helpers-i386-signed  Rebuild against shim 15.8.1
shim-signed               New upstream stable release
symfony                   Fix homemade autoload
trinity                   Fix build failure by dropping support for
                          DECNET
usb.ids                   Update included data list
xmedcon                   Fix heap overflow [CVE-2024-29421]

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

<https://release.debian.org/proposed-updates/oldstable.html>

Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                   Reason
-------                   ------
bcachefs-tools            Buggy, obsolete
dnprogs                   Buggy, obsolete
iotjs                     Unmaintained, security concerns
obfs4proxy                Security issues

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".