----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 259-1           https://www.debian.org/
debian-release@lists.debian.org                           Jonathan Wiltshire
November 4th, 2024
----------------------------------------------------------------------------

Upcoming Debian 12 Update (12.8)

An update to Debian 12 is scheduled for Saturday, November 9th, 2024. As of
now it will include the following bug fixes. They can be found in
"bookworm-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bookworm-updates".

Testing and feedback would be appreciated. Bugs should be filed in the Debian
Bug Tracking System, but please make the Release Team aware of them by copying
"debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following packages:

Package                           Reason
-------                           ------
7zip                              Fix heap buffer overflow in NTFS handler
                                  [CVE-2023-52168]; fix out-of-bounds read in
                                  NTFS handler [CVE-2023-52169]
amanda                            Update incomplete fix for CVE-2022-37704,
                                  restoring operation with xfsdump
apr                               Use 0600 perms for named shared mem
                                  consistently [CVE-2023-49582]
base-files                        Update for the point release
btrfs-progs                       Fix checksum calculation errors during
                                  volume conversion in btrfs-convert
calamares-settings-debian         Fix missing launcher on KDE desktops; fix
                                  btrfs mounts
cjson                             Fix segmentation violation issue
                                  [CVE-2024-31755]
clamav                            New upstream stable release; fix denial of
                                  service issue [CVE-2024-20505], file
                                  corruption issue [CVE-2024-20506]
cloud-init                        Add support for multiple networkd Route
                                  sections
cloud-initramfs-tools             Add missing dependencies in the initramfs
curl                              Fix incorrect handling of some OCSP
                                  responses [CVE-2024-8096]
debian-installer                  Reinstate some armel netboot targets
                                  (openrd); increase Linux kernel ABI to
                                  6.1.0-27; rebuild against proposed-updates
debian-installer-netboot-images   Rebuild against proposed-updates
devscripts                        bts: always upgrade to STARTTLS on 587/tcp;
                                  build-rdeps: add support for
                                  non-free-firmware; chdist: update
                                  sources.list examples with
                                  non-free-firmware; build-rdeps: use all
                                  available distros by default
diffoscope                        Fix FTBFS when processing a deliberately
                                  overlapping zip file in tests
distro-info-data                  Add Ubuntu 25.04
docker.io                         Fix bypassing of AuthZ plugins in some
                                  circumstances [CVE-2024-41110]
dpdk                              New upstream stable release
exim4                             Fix crash in dbmnz when looking up keys with
                                  no content
fcgiwrap                          Set proper ownership on repositories in git
                                  backend
galera-4                          New upstream stable release
glib2.0                           Provide libgio-2.0-dev from libglib2.0-dev,
                                  and libgio-2.0-dev-bin from
                                  libglib2.0-dev-bin
glibc                             Change Croatian locale to use Euro as
                                  currency; revert upstream commit that
                                  modified the GLIBC_PRIVATE ABI, causing
                                  crashes with some static binaries on arm64;
                                  vfscanf(): fix matches longer than INT_MAX;
                                  ungetc(): fix uninitialized read when
                                  putting into unused streams, backup buffer
                                  leak on program exit; mremap(): fix support
                                  for the MREMAP_DONTUNMAP option; resolv: fix
                                  timeouts caused by short error responses or
                                  when single-request mode is enabled in
                                  resolv.conf
gtk+3.0                           Fix letting Orca announce initial focus
ikiwiki-hosting                   Allow reading of all user repositories
intel-microcode                   New upstream release; security fixes
                                  [CVE-2024-23984 CVE-2024-24968]
ipmitool                          Fix a buffer overrun in "open" interface; fix
                                  "lan print fails on unsupported
                                  parameters"; fix reading of temperature
                                  sensors; fix using hex values when sending
                                  raw data
iputils                           Fix incorrect handling of ICMP responses
                                  intended for other processes
kexec-tools                       Mask kexec.service to prevent the init.d
                                  script handling kexec process on a systemd
                                  enabled system
lemonldap-ng                      Fix cross-site scripting vulnerability on
                                  login page [CVE-2024-48933]
lgogdownloader                    Fix parsing of Galaxy URLs
libskk                            Prevent crash on invalid JSON escape
libvirt                           Fix running i686 VMs with AppArmor on the
                                  host; prevent certain guests from becoming
                                  unbootable or disappearing during upgrade
linux                             New upstream release; bump ABI to 27
linux-signed-amd64                New upstream release; bump ABI to 27
linux-signed-arm64                New upstream release; bump ABI to 27
linux-signed-i386                 New upstream release; bump ABI to 27
llvm-toolchain-15                 Architecture-specific rebuild on mips64el to
                                  sync version with other architectures
nghttp2                           Fix denial of service issue [CVE-2024-28182]
ninja-build                       Support large inode numbers on 32-bit
                                  systems
node-dompurify                    Fix prototype pollution issues
                                  [CVE-2024-45801 CVE-2024-48910]
node-es-module-lexer              Fix build failure
node-globby                       Fix build failure
node-mdn-browser-compat-data      Fix build failure
node-rollup-plugin-node-polyfills Fix build failure
node-tap                          Fix build failure
node-xterm                        Fix TypeScript declarations
node-y-protocols                  Fix build failure
node-y-websocket                  Fix build failure
node-ytdl-core                    Fix build failure
notify-osd                        Correct executable path in desktop launcher
                                  file
ntfs-3g                           Fix use-after-free in "ntfs-uppercase-mbs";
                                  re-classify fuse as Depends, not Pre-Depends
openssl                           New upstream stable release; fix buffer
                                  overread issue [CVE-2024-5535], out of
                                  bounds memory access [CVE-2024-9143]
ostree                            Prevent crashing libflatpak when using curl
                                  8.10
puppetserver                      Reinstate scheduled job to clean reports
                                  after 30 days, avoiding disk space
                                  exhaustion
puredata                          Fix privilege escalation issue
                                  [CVE-2023-47480]
python-cryptography               Fix NULL dereference when loading PKCS7
                                  certificates [CVE-2023-49083]; fix NULL
                                  dereference when PKCS#12 key and cert don't
                                  match [CVE-2024-26130]
python3.11                        Fix regression in zipfile.Path; prevent
                                  ReDoS vulnerability with crafted tar
                                  archives
reprepro                          Prevent hangs when running unzstd
sqlite3                           Fix a buffer overread issue [CVE-2023-7104],
                                  a stack overflow issue and an integer
                                  overflow issue
sumo                              Fix a race condition when building
                                  documentation
systemd                           New upstream stable release
tgt                               Chap: Use proper entropy source
                                  [CVE-2024-45751]
timeshift                         Add missing dependency on pkexec
util-linux                        Allow lscpu to identify new Arm cores
vmdb2                             Set locale to UTF-8
wireshark                         New upstream security release [CVE-2024-0208,
                                  CVE-2024-0209, CVE-2024-2955, CVE-2024-4853,
                                  CVE-2024-4854, CVE-2024-4855, CVE-2024-8250,
                                  CVE-2024-8645]
xfpt                              Fix buffer overflow issue [CVE-2024-43700]

A complete list of all accepted and rejected packages together with rationale
is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
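To cross-reference an announcement like this one against a host's package inventory, here is an added Python example (not Debian's own tooling) that parses the Package/Reason table and collects the CVE ids each entry cites. The embedded excerpt is constructed from a few entries above, and `relevant_fixes` assumes the caller supplies the installed package names (for example from `dpkg-query -W`).

```python
import re

# Constructed excerpt in the two-column "Package / Reason" layout of the
# announcement (a few entries copied from it, not the full list).
SUA_EXCERPT = """\
Package                           Reason
-------                           ------
7zip                              Fix heap buffer overflow in NTFS handler
                                  [CVE-2023-52168]; fix out-of-bounds read in
                                  NTFS handler [CVE-2023-52169]
base-files                        Update for the point release
intel-microcode                   New upstream release; security fixes
                                  [CVE-2024-23984 CVE-2024-24968]
wireshark                         New upstream security release [CVE-2024-0208,
                                  CVE-2024-0209, CVE-2024-2955]
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_sua_table(text):
    """Return a {package: reason} dict from the two-column table.

    A line starting in column 1 opens a new entry; indented lines continue the
    previous entry's reason.  The header and its dashed underline are skipped.
    """
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():            # continuation of the previous reason
            if current is not None:
                entries[current] += " " + line.strip()
            continue
        pkg, _, reason = line.partition(" ")
        if pkg in ("Package", "-------"):
            continue
        current = pkg
        entries[pkg] = reason.strip()
    return entries


def cves_by_package(text):
    """Map each package to the sorted, de-duplicated CVE ids its reason cites.
    Handles both space- and comma-separated lists inside the brackets."""
    return {pkg: sorted(set(CVE_RE.findall(reason)))
            for pkg, reason in parse_sua_table(text).items()
            if CVE_RE.search(reason)}


def relevant_fixes(text, installed):
    """Keep only packages present in the host's installed-package set
    (assumed to be supplied by the caller, e.g. from dpkg-query -W)."""
    installed = set(installed)
    return {pkg: cves for pkg, cves in cves_by_package(text).items()
            if pkg in installed}
```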