----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 257-1          https://www.debian.org/
debian-release@lists.debian.org                               Adam D. Barratt
August 26th, 2024
----------------------------------------------------------------------------

Upcoming Debian 12 Update (12.7)

An update to Debian 12 is scheduled for Saturday, August 31st, 2024. As of
now it will include the following bug fixes. They can be found in
"bookworm-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "bookworm-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package                      Reason
-------                      ------
amd64-microcode              New upstream release; security fixes
                             [CVE-2023-31315]; SEV firmware fixes
                             [CVE-2023-20584 CVE-2023-31356]
ansible                      New upstream stable release; fix key leakage
                             issue [CVE-2023-4237]
ansible-core                 New upstream stable release; fix information
                             disclosure issue [CVE-2024-0690]; fix template
                             injection issue [CVE-2023-5764]; fix path
                             traversal issue [CVE-2023-5115]
apache2                      New upstream stable release; fix content
                             disclosure issue [CVE-2024-40725]
base-files                   Update for the point release
cacti                        Fix remote code execution issues
                             [CVE-2024-25641 CVE-2024-31459], cross site
                             scripting issues [CVE-2024-29894 CVE-2024-31443
                             CVE-2024-31444], SQL injection issues
                             [CVE-2024-31445 CVE-2024-31458 CVE-2024-31460],
                             "type juggling" issue [CVE-2024-34340]; fix
                             autopkgtest failure
calamares-settings-debian    Fix Xfce launcher permission issue
calibre                      Fix remote code execution issue
                             [CVE-2024-6782], cross site scripting issue
                             [CVE-2024-7008], SQL injection issue
                             [CVE-2024-7009]
choose-mirror                Update list of available mirrors
cockpit                      Fix denial of service issue [CVE-2024-6126]
cups                         Fix issues with domain socket handling
                             [CVE-2024-35235]
curl                         Fix ASN.1 date parser overread issue
                             [CVE-2024-7264]
cyrus-imapd                  Fix regression introduced in CVE-2024-34055 fix
dcm2niix                     Fix potential code execution issue
                             [CVE-2024-27629]
dmitry                       Security fixes [CVE-2024-31837 CVE-2020-14931
                             CVE-2017-7938]
dropbear                     Fix "noremotetcp" behaviour of keepalive
                             packets in combination with the
                             'no-port-forwarding' authorized_keys(5)
                             restriction
gettext.js                   Fix server side request forgery issue
                             [CVE-2024-43370]
glibc                        Fix freeing uninitialized memory in
                             libc_freeres_fn(); fix several performance
                             issues and possible crashes
glogic                       Require Gtk 3.0 and PangoCairo 1.0
graphviz                     Fix broken scale
gtk+2.0                      Avoid looking for modules in current working
                             directory [CVE-2024-6655]
gtk+3.0                      Avoid looking for modules in current working
                             directory [CVE-2024-6655]
imagemagick                  Fix segmentation fault issue; fix incomplete
                             fix for CVE-2023-34151
initramfs-tools              hook_functions: Fix copy_file with source
                             including a directory symlink; hook-functions:
                             copy_file: Canonicalise target filename;
                             install hid-multitouch module for Surface Pro 4
                             Keyboard; add hyper-keyboard module, needed to
                             enter LUKS password in Hyper-V;
                             auto_add_modules: Add onboard_usb_hub,
                             onboard_usb_dev
intel-microcode              New upstream release; security fixes
                             [CVE-2023-42667 CVE-2023-49141 CVE-2024-24853
                             CVE-2024-24980 CVE-2024-25939]
ipmitool                     Add missing enterprise-numbers.txt file
libapache2-mod-auth-openidc  Avoid crash when the Forwarded header is not
                             present but OIDCXForwardedHeaders is
                             configured for it
libnvme                      Fix buffer overflow during scanning devices
                             that do not support sub-4k reads
libvirt                      virsh: Make domif-setlink work more than once;
                             qemu: domain: Fix logic when tainting domain;
                             fix denial of service issues [CVE-2023-3750
                             CVE-2024-1441 CVE-2024-2494 CVE-2024-2496]
linux                        New upstream release; bump ABI to 24
linux-signed-amd64           New upstream release; bump ABI to 24
linux-signed-arm64           New upstream release; bump ABI to 24
linux-signed-i386            New upstream release; bump ABI to 24
newlib                       Fix buffer overflow issue [CVE-2021-3420]
numpy                        Conflict with python-numpy
openssl                      New upstream stable release; fix denial of
                             service issues [CVE-2024-2511 CVE-2024-4603];
                             fix use after free issue [CVE-2024-4741]
poe.app                      Make comment cells editable; fix drawing when
                             an NSActionCell in the preferences is acted on
                             to change state
putty                        Fix weak ECDSA nonce generation allowing
                             secret key recovery [CVE-2024-31497]
python-django                Fix regular expression-based denial of service
                             issue [CVE-2023-36053], denial of service
                             issues [CVE-2024-38875 CVE-2024-39614
                             CVE-2024-41990 CVE-2024-41991], user
                             enumeration issue [CVE-2024-39329], directory
                             traversal issue [CVE-2024-39330], excessive
                             memory consumption issue [CVE-2024-41989], SQL
                             injection issue [CVE-2024-42005]
qemu                         New upstream stable release; fix denial of
                             service issue [CVE-2024-4467]
riemann-c-client             Prevent malformed payload in GnuTLS
                             send/receive operations
rustc-web                    New upstream stable release, to support
                             building newer chromium and firefox-esr
                             versions
shim                         New upstream release
shim-helpers-amd64-signed    Rebuild against shim 15.8.1
shim-helpers-arm64-signed    Rebuild against shim 15.8.1
shim-helpers-i386-signed     Rebuild against shim 15.8.1
shim-signed                  New upstream stable release
systemd                      New upstream stable release; update hwdb
usb.ids                      Update included data list
xmedcon                      Fix buffer overflow issue [CVE-2024-29421]

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>

Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                      Reason
-------                      ------
bcachefs-tools               Buggy; obsolete

If you encounter any issues, please don't hesitate to get in touch with
the Debian Release Team at "debian-release@lists.debian.org".
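For teams that track which CVEs a point release closes, the following is an added example (not part of the announcement or of any Debian tooling) that parses the "Package / Reason" table layout used above into a package-to-CVE map. The sample text is a constructed excerpt in that layout; the parser treats indented lines as continuations of the previous row.

```python
import re

# Constructed excerpt in the SUA "Package / Reason" layout; continuation
# lines are indented under the Reason column, as in the announcement.
SAMPLE = """\
Package                      Reason
-------                      ------
amd64-microcode              New upstream release; security fixes
                             [CVE-2023-31315]; SEV firmware fixes
                             [CVE-2023-20584 CVE-2023-31356]
base-files                   Update for the point release
calibre                      Fix remote code execution issue
                             [CVE-2024-6782], cross site scripting issue
                             [CVE-2024-7008]
"""

# Match IDs by pattern rather than by bracket pairing, so a stray or missing
# bracket in a hand-written table does not drop an identifier.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_sua_table(text):
    """Return {package: (reason, [cve_id, ...])} from a Package/Reason table."""
    rows = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Package ", "------- ")):
            continue  # blank line, column header or underline
        if line[0].isspace():
            if current is None:
                raise ValueError("continuation line before any package row")
            rows[current] += " " + line.strip()
            continue
        # Package name, then two or more spaces, then the Reason text.
        parts = re.split(r"\s{2,}", line.rstrip(), maxsplit=1)
        current = parts[0]
        rows[current] = parts[1] if len(parts) > 1 else ""
    return {pkg: (reason, CVE_RE.findall(reason)) for pkg, reason in rows.items()}


def packages_fixing(table, cve_id):
    """Packages whose Reason column cites the given CVE ID."""
    return sorted(pkg for pkg, (_, cves) in table.items() if cve_id in cves)


if __name__ == "__main__":
    for pkg, (_, cves) in parse_sua_table(SAMPLE).items():
        print(f"{pkg}: {', '.join(cves) or '-'}")
```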