----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 262-1 https://www.debian.org/
debian-release@lists.debian.org Jonathan Wiltshire
January 6th, 2025
----------------------------------------------------------------------------
Upcoming Debian 12 Update (12.9)
An update to Debian 12 is scheduled for Saturday, January 11th 2025. As of
now it will include the following bug fixes. They can be found in "bookworm-
proposed-updates", which is carried by all official mirrors.
Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bookworm-updates".
Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.
The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------
This stable update adds a few important corrections to the following
packages:
Package Reason
------- ------
allow-html-temp Update for Thunderbird 128 compatibility
ansible-core New upstream stable release; fix arbitrary code
execution issue [CVE-2024-11079]; fix
information disclosure issue [CVE-2024-8775];
fix file overwrite issue [CVE-2024-9902]; fix
test failure
audiofile Fix null pointer dereference issue
[CVE-2019-13147]; fix information leak issue
[CVE-2022-24599]
avahi Fix denial of service issues [CVE-2023-38469
CVE-2023-38470 CVE-2023-38471 CVE-2023-38472
CVE-2023-38473]; fix browsing when invalid
services are present
base-files Update for the point release
bochs Build BIOS images for 386 CPUs
cpuinfo Make test failures during build non-fatal
criu Dynamically handle different libc at runtime
than compilation time
debian-security-support Update list of packages receiving limited
support in bookworm
debootstrap Do not pull in usr-is-merged in trixie/sid
dnsmasq Fix denial of service issues [CVE-2023-50387
CVE-2023-50868]; set default maximum EDNS.0 UDP
packet size to 1232 [CVE-2023-28450]
eas4tbsync Update for Thunderbird 128 compatibility
espeak-ng Fix dropping last byte of stdin input
geoclue-2.0 Use beaconDB rather than the now retired
Mozilla Location Service
glib2.0 Fix buffer overflow when configured to use a
SOCKS4a proxy with a very long username
[CVE-2024-52533]
gnuchess Fix arbitrary code execution issue
[CVE-2021-30184]
grml-rescueboot Update supported architectures from amd64/i386
to arm64/amd64
gsl Fix buffer overflow calculating the quantile
value [CVE-2020-35357]
gst-plugins-base1.0 Don't try parsing extended header if not enough
data is available (id3v2) [CVE-2024-47542]
gunicorn Prevent HTTP request smuggling [CVE-2024-1135]
icinga2 Prevent TLS certificate bypass [CVE-2024-49369]
intel-microcode New upstream security release [CVE-2024-21853
CVE-2024-23918 CVE-2024-24968 CVE-2024-23984]
jinja2 Prevent HTML attribute injection
[CVE-2024-22195 CVE-2024-34064]
lemonldap-ng Fix privilege escalation when adaptive auth
levels used [CVE-2024-52946]; fix XSS in
upgrade plugin [CVE-2024-52947]
libebml Fix buffer overflow issue [CVE-2023-52339]
libpgjava Fix SQL injection issue [CVE-2024-1597]
libsoup2.4 Prevent HTTP request smuggling
[CVE-2024-52530]; fix buffer overflow in
soup_header_parse_param_list_strict
[CVE-2024-52531]; fix DoS reading from
WebSocket clients [CVE-2024-52532]
libxstream-java Fix denial of service issue [CVE-2024-47072]
linux New upstream release; bump ABI to 29
linux-signed-amd64 New upstream release; bump ABI to 29
linux-signed-arm64 New upstream release; bump ABI to 29
linux-signed-i386 New upstream release; bump ABI to 29
live-boot Attempt DHCP on all connected interfaces
llvm-toolchain-19 New source package, to support builds of
chromium
lxc Fix null pointer dereference when using a
shared rootfs
mailmindr Update for Thunderbird 128 compatibility
nfs-utils Fix referrals when --enable-junction=no
nvidia-graphics-drivers Upstream stable release [CVE-2024-0126]
nvidia-open-gpu-kernel-modules
New upstream LTS release [CVE-2024-0126]
oar Add missing dependency on libcgi-fast-perl; fix
oar user creation on new installations; fix SVG
functions with PHP 8
opensc Fix data leak issue [CVE-2023-5992]; fix use-
after-free issue [CVE-2024-1454]; fix missing
initialisation issue [CVE-2024-45615]; fix
various issues with APDU buffer handling
[CVE-2024-45616]; fix missing or incorrect
function return value checks [CVE-2024-45617
CVE-2024-45618]; fix "incorrect handling of
length of buffers or files" issues
[CVE-2024-45619 CVE-2024-45620]; fix arbitary
code execution issue [CVE-2024-8443]
openssh Always use internal mkdtemp implementation; fix
gssapi-keyex declaration; add ssh-gssapi
automated test; don't prefer host-bound public
key signatures if there was no initial host
key; make sntrup761x25519-sha512 key exchange
algorithm available without the @openssh.com
suffix too
pgtcl Install library in default Tcl auto_path
poco Fix integer overflow issue [CVE-2023-52389]
prometheus-node-exporter-collectors
Reinstate missing
`apt_package_cache_timestamp_seconds` metrics;
fix apt_upgrades_pending and apt_upgrades_held
metrics; improve heuristic for apt update last
run time
pypy3 Fix email address parsing issue
[CVE-2023-27043]; fix possible Server Side
Request Forgery issue [CVE-2024-11168]; fix
private IP address range parsing
[CVE-2024-4032]; fix regular expression based
Denial of Service issue [CVE-2024-6232]; fix
header injection issue [CVE-2024-6923]; fix
denial of service issue [CVE-2024-7592
CVE-2024-8088]; fix command injection issue
[CVE-2024-9287]
python-asyncssh Fix "rogue extension negotiation" issue
[CVE-2023-46445]; fix "rogue session attack"
issue [CVE-2023-46446]
python-tornado Fix open redirect issue [CVE-2023-28370]; fix
denial of service issue [CVE-2024-52804]
python-urllib3 Fix possible information leak during cross-
origin redirects [CVE-2023-43804]; fix "request
body not stripped after redirect from 303
status changes request method to GET"
[CVE-2023-45803]; fix "Proxy-Authorization
request header isn't stripped during cross-
origin redirects" [CVE-2024-37891]
python-werkzeug Fix denial of service when file upload begins
with CR or LF [CVE-2023-46136]; fix arbitrary
code execution on developer's machine via the
debugger [CVE-2024-34069]; fix denial of
service when processing multipart/form-data
requests [CVE-2024-49767]
python3.11 Reject malformed addresses in email.parseaddr()
[CVE-2023-27043]; encode newlines in headers in
the email module [CVE-2024-6923]; quadratic
complexity parsing cookies with backslashes
[CVE-2024-7592]; venv activation scripts did't
quote paths [CVE-2024-9287]; urllib functions
improperly validated bracketed hosts
[CVE-2024-11168]
qemu Fix build failure on arm64; mark internal
codegen helper symbols as hidden, fixing build
failure on arm64; new upstream bugfix release
[CVE-2024-7409]; update to upstream bugfix
release
quicktext Update for Thunderbird 128 compatibility
redis Fix denial of service with malform ACL
selectors [CVE-2024-31227]; fix denial of
service through unbound pattern matching
[CVE-2024-31228]; fix stack overflow
[CVE-202431449]
renderdoc Fix integer overflows [CVE-2023-33863
CVE-2023-33864]; fix symlink attack vector
[CVE-2023-33865]
ruby-doorkeeper Prevent skipping of authorization steps
[CVE-2023-34246]
setuptools Fix remote code execution issue [CVE-2024-6345]
sqlparse Fix regular expression-related denial of
service issue [CVE-2023-30608]; fix denial of
service issue [CVE-2024-4340]
srt Fix dependencies for consumers of the -dev
packages
systemd New upstream stable release
tango Make the property_* tables compatible with
MariaDB 10.11 at install time; add autopkgtest
tbsync Update for Thunderbird 128 compatibility
texlive-bin Fix data loss when using discretionaries with
priorities; fix heap buffer overflow
[CVE-2024-25262]
tiff Fix buffer overflow issues [CVE-2023-25433
CVE-2023-26966]; fix use-after-free issue
[CVE-2023-26965]; fix null pointer dereference
issue [CVE-2023-2908]; fix denial of service
issues [CVE-2023-3618 CVE-2023-52356
CVE-2024-7006]
tzdata New upstream release; improve historical data
for some zones; confirm lack of leap second for
2024
ucf Initialise variable subsequently passed to eval
util-linux Fix wider mitigation for CVE-2024-28085
xsane Add Recommends for firefox-esr as well as
firefox
zfs-linux Add missing symbols in libzfs4linux and
libzpool5linux; fix dnode dirty test
[CVE-2023-49298]; fix sharenfx IPv6 address
parsing [CVE-2013-20001]; fixes related to NULL
pointer, memory allocation, etc.
zookeeper Fix information disclosure in persistent
watchers handling [CVE-2024-23944]
A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:
<https://release.debian.org/proposed-updates/stable.html>
Removed packages
----------------
The following packages will be removed due to circumstances beyond our
control:
Package Reason
------- ------
criu [armhf] Fails to build on arm64 host
tk-html3 Unmaintained; security issues
If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
Attachment:
signature.asc
Description: PGP signature