----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 262-1        https://www.debian.org/
debian-release@lists.debian.org                          Jonathan Wiltshire
January 6th, 2025
----------------------------------------------------------------------------

Upcoming Debian 12 Update (12.9)

An update to Debian 12 is scheduled for Saturday, January 11th 2025. As of
now it will include the following bug fixes. They can be found in
"bookworm-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bookworm-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package                              Reason
-------                              ------
allow-html-temp                      Update for Thunderbird 128 compatibility
ansible-core                         New upstream stable release; fix
                                     arbitrary code execution issue
                                     [CVE-2024-11079]; fix information
                                     disclosure issue [CVE-2024-8775]; fix
                                     file overwrite issue [CVE-2024-9902];
                                     fix test failure
audiofile                            Fix null pointer dereference issue
                                     [CVE-2019-13147]; fix information leak
                                     issue [CVE-2022-24599]
avahi                                Fix denial of service issues
                                     [CVE-2023-38469 CVE-2023-38470
                                     CVE-2023-38471 CVE-2023-38472
                                     CVE-2023-38473]; fix browsing when
                                     invalid services are present
base-files                           Update for the point release
bochs                                Build BIOS images for 386 CPUs
cpuinfo                              Make test failures during build
                                     non-fatal
criu                                 Dynamically handle different libc at
                                     runtime than compilation time
debian-security-support              Update list of packages receiving
                                     limited support in bookworm
debootstrap                          Do not pull in usr-is-merged in
                                     trixie/sid
dnsmasq                              Fix denial of service issues
                                     [CVE-2023-50387 CVE-2023-50868]; set
                                     default maximum EDNS.0 UDP packet size
                                     to 1232 [CVE-2023-28450]
eas4tbsync                           Update for Thunderbird 128 compatibility
espeak-ng                            Fix dropping last byte of stdin input
geoclue-2.0                          Use beaconDB rather than the now retired
                                     Mozilla Location Service
glib2.0                              Fix buffer overflow when configured to
                                     use a SOCKS4a proxy with a very long
                                     username [CVE-2024-52533]
gnuchess                             Fix arbitrary code execution issue
                                     [CVE-2021-30184]
grml-rescueboot                      Update supported architectures from
                                     amd64/i386 to arm64/amd64
gsl                                  Fix buffer overflow calculating the
                                     quantile value [CVE-2020-35357]
gst-plugins-base1.0                  Don't try parsing extended header if
                                     not enough data is available (id3v2)
                                     [CVE-2024-47542]
gunicorn                             Prevent HTTP request smuggling
                                     [CVE-2024-1135]
icinga2                              Prevent TLS certificate bypass
                                     [CVE-2024-49369]
intel-microcode                      New upstream security release
                                     [CVE-2024-21853 CVE-2024-23918
                                     CVE-2024-24968 CVE-2024-23984]
jinja2                               Prevent HTML attribute injection
                                     [CVE-2024-22195 CVE-2024-34064]
lemonldap-ng                         Fix privilege escalation when adaptive
                                     auth levels used [CVE-2024-52946]; fix
                                     XSS in upgrade plugin [CVE-2024-52947]
libebml                              Fix buffer overflow issue
                                     [CVE-2023-52339]
libpgjava                            Fix SQL injection issue [CVE-2024-1597]
libsoup2.4                           Prevent HTTP request smuggling
                                     [CVE-2024-52530]; fix buffer overflow in
                                     soup_header_parse_param_list_strict
                                     [CVE-2024-52531]; fix DoS reading from
                                     WebSocket clients [CVE-2024-52532]
libxstream-java                      Fix denial of service issue
                                     [CVE-2024-47072]
linux                                New upstream release; bump ABI to 29
linux-signed-amd64                   New upstream release; bump ABI to 29
linux-signed-arm64                   New upstream release; bump ABI to 29
linux-signed-i386                    New upstream release; bump ABI to 29
live-boot                            Attempt DHCP on all connected interfaces
llvm-toolchain-19                    New source package, to support builds of
                                     chromium
lxc                                  Fix null pointer dereference when using
                                     a shared rootfs
mailmindr                            Update for Thunderbird 128 compatibility
nfs-utils                            Fix referrals when --enable-junction=no
nvidia-graphics-drivers              Upstream stable release [CVE-2024-0126]
nvidia-open-gpu-kernel-modules       New upstream LTS release [CVE-2024-0126]
oar                                  Add missing dependency on
                                     libcgi-fast-perl; fix oar user creation
                                     on new installations; fix SVG functions
                                     with PHP 8
opensc                               Fix data leak issue [CVE-2023-5992]; fix
                                     use-after-free issue [CVE-2024-1454];
                                     fix missing initialisation issue
                                     [CVE-2024-45615]; fix various issues
                                     with APDU buffer handling
                                     [CVE-2024-45616]; fix missing or
                                     incorrect function return value checks
                                     [CVE-2024-45617 CVE-2024-45618]; fix
                                     "incorrect handling of length of buffers
                                     or files" issues [CVE-2024-45619
                                     CVE-2024-45620]; fix arbitrary code
                                     execution issue [CVE-2024-8443]
openssh                              Always use internal mkdtemp
                                     implementation; fix gssapi-keyex
                                     declaration; add ssh-gssapi automated
                                     test; don't prefer host-bound public key
                                     signatures if there was no initial host
                                     key; make sntrup761x25519-sha512 key
                                     exchange algorithm available without the
                                     @openssh.com suffix too
pgtcl                                Install library in default Tcl auto_path
poco                                 Fix integer overflow issue
                                     [CVE-2023-52389]
prometheus-node-exporter-collectors  Reinstate missing
                                     `apt_package_cache_timestamp_seconds`
                                     metrics; fix apt_upgrades_pending and
                                     apt_upgrades_held metrics; improve
                                     heuristic for apt update last run time
pypy3                                Fix email address parsing issue
                                     [CVE-2023-27043]; fix possible Server
                                     Side Request Forgery issue
                                     [CVE-2024-11168]; fix private IP address
                                     range parsing [CVE-2024-4032]; fix
                                     regular expression based Denial of
                                     Service issue [CVE-2024-6232]; fix
                                     header injection issue [CVE-2024-6923];
                                     fix denial of service issue
                                     [CVE-2024-7592 CVE-2024-8088]; fix
                                     command injection issue [CVE-2024-9287]
python-asyncssh                      Fix "rogue extension negotiation" issue
                                     [CVE-2023-46445]; fix "rogue session
                                     attack" issue [CVE-2023-46446]
python-tornado                       Fix open redirect issue
                                     [CVE-2023-28370]; fix denial of service
                                     issue [CVE-2024-52804]
python-urllib3                       Fix possible information leak during
                                     cross-origin redirects [CVE-2023-43804];
                                     fix "request body not stripped after
                                     redirect from 303 status changes request
                                     method to GET" [CVE-2023-45803]; fix
                                     "Proxy-Authorization request header
                                     isn't stripped during cross-origin
                                     redirects" [CVE-2024-37891]
python-werkzeug                      Fix denial of service when file upload
                                     begins with CR or LF [CVE-2023-46136];
                                     fix arbitrary code execution on
                                     developer's machine via the debugger
                                     [CVE-2024-34069]; fix denial of service
                                     when processing multipart/form-data
                                     requests [CVE-2024-49767]
python3.11                           Reject malformed addresses in
                                     email.parseaddr() [CVE-2023-27043];
                                     encode newlines in headers in the email
                                     module [CVE-2024-6923]; quadratic
                                     complexity parsing cookies with
                                     backslashes [CVE-2024-7592]; venv
                                     activation scripts didn't quote paths
                                     [CVE-2024-9287]; urllib functions
                                     improperly validated bracketed hosts
                                     [CVE-2024-11168]
qemu                                 Fix build failure on arm64; mark
                                     internal codegen helper symbols as
                                     hidden, fixing build failure on arm64;
                                     new upstream bugfix release
                                     [CVE-2024-7409]; update to upstream
                                     bugfix release
quicktext                            Update for Thunderbird 128 compatibility
redis                                Fix denial of service with malformed ACL
                                     selectors [CVE-2024-31227]; fix denial
                                     of service through unbound pattern
                                     matching [CVE-2024-31228]; fix stack
                                     overflow [CVE-2024-31449]
renderdoc                            Fix integer overflows [CVE-2023-33863
                                     CVE-2023-33864]; fix symlink attack
                                     vector [CVE-2023-33865]
ruby-doorkeeper                      Prevent skipping of authorization steps
                                     [CVE-2023-34246]
setuptools                           Fix remote code execution issue
                                     [CVE-2024-6345]
sqlparse                             Fix regular expression-related denial of
                                     service issue [CVE-2023-30608]; fix
                                     denial of service issue [CVE-2024-4340]
srt                                  Fix dependencies for consumers of the
                                     -dev packages
systemd                              New upstream stable release
tango                                Make the property_* tables compatible
                                     with MariaDB 10.11 at install time; add
                                     autopkgtest
tbsync                               Update for Thunderbird 128 compatibility
texlive-bin                          Fix data loss when using discretionaries
                                     with priorities; fix heap buffer
                                     overflow [CVE-2024-25262]
tiff                                 Fix buffer overflow issues
                                     [CVE-2023-25433 CVE-2023-26966]; fix
                                     use-after-free issue [CVE-2023-26965];
                                     fix null pointer dereference issue
                                     [CVE-2023-2908]; fix denial of service
                                     issues [CVE-2023-3618 CVE-2023-52356
                                     CVE-2024-7006]
tzdata                               New upstream release; improve historical
                                     data for some zones; confirm lack of
                                     leap second for 2024
ucf                                  Initialise variable subsequently passed
                                     to eval
util-linux                           Fix wider mitigation for CVE-2024-28085
xsane                                Add Recommends for firefox-esr as well
                                     as firefox
zfs-linux                            Add missing symbols in libzfs4linux and
                                     libzpool5linux; fix dnode dirty test
                                     [CVE-2023-49298]; fix sharenfs IPv6
                                     address parsing [CVE-2013-20001]; fixes
                                     related to NULL pointer, memory
                                     allocation, etc.
zookeeper                            Fix information disclosure in persistent
                                     watchers handling [CVE-2024-23944]

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>

Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                              Reason
-------                              ------
criu [armhf]                         Fails to build on arm64 host
tk-html3                             Unmaintained; security issues

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".