
[SUA 262-1] Upcoming Debian 12 Update (12.9)



----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 262-1         https://www.debian.org/
debian-release@lists.debian.org                           Jonathan Wiltshire
January 6th, 2025
----------------------------------------------------------------------------

Upcoming Debian 12 Update (12.9)

An update to Debian 12 is scheduled for Saturday, January 11th 2025. As of
now it will include the following bug fixes. They can be found in
"bookworm-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bookworm-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

  Package                    Reason
  -------                    ------

  allow-html-temp            Update for Thunderbird 128 compatibility

  ansible-core               New upstream stable release; fix arbitrary code
                             execution issue [CVE-2024-11079]; fix
                             information disclosure issue [CVE-2024-8775];
                             fix file overwrite issue [CVE-2024-9902]; fix
                             test failure

  audiofile                  Fix null pointer dereference issue
                             [CVE-2019-13147]; fix information leak issue
                             [CVE-2022-24599]

  avahi                      Fix denial of service issues [CVE-2023-38469
                             CVE-2023-38470 CVE-2023-38471 CVE-2023-38472
                             CVE-2023-38473]; fix browsing when invalid
                             services are present

  base-files                 Update for the point release

  bochs                      Build BIOS images for 386 CPUs

  cpuinfo                    Make test failures during build non-fatal

  criu                       Dynamically handle different libc at runtime
                             than compilation time

  debian-security-support    Update list of packages receiving limited
                             support in bookworm

  debootstrap                Do not pull in usr-is-merged in trixie/sid

  dnsmasq                    Fix denial of service issues [CVE-2023-50387
                             CVE-2023-50868]; set default maximum EDNS.0 UDP
                             packet size to 1232 [CVE-2023-28450]

  eas4tbsync                 Update for Thunderbird 128 compatibility

  espeak-ng                  Fix dropping last byte of stdin input

  geoclue-2.0                Use beaconDB rather than the now retired
                             Mozilla Location Service

  glib2.0                    Fix buffer overflow when configured to use a
                             SOCKS4a proxy with a very long username
                             [CVE-2024-52533]

  gnuchess                   Fix arbitrary code execution issue
                             [CVE-2021-30184]

  grml-rescueboot            Update supported architectures from amd64/i386
                             to arm64/amd64

  gsl                        Fix buffer overflow calculating the quantile
                             value [CVE-2020-35357]

  gst-plugins-base1.0        Don't try parsing extended header if not enough
                             data is available (id3v2) [CVE-2024-47542]

  gunicorn                   Prevent HTTP request smuggling [CVE-2024-1135]

  icinga2                    Prevent TLS certificate bypass [CVE-2024-49369]

  intel-microcode            New upstream security release [CVE-2024-21853
                             CVE-2024-23918 CVE-2024-24968 CVE-2024-23984]

  jinja2                     Prevent HTML attribute injection
                             [CVE-2024-22195 CVE-2024-34064]

  lemonldap-ng               Fix privilege escalation when adaptive auth
                             levels used [CVE-2024-52946]; fix XSS in
                             upgrade plugin [CVE-2024-52947]

  libebml                    Fix buffer overflow issue [CVE-2023-52339]

  libpgjava                  Fix SQL injection issue [CVE-2024-1597]

  libsoup2.4                 Prevent HTTP request smuggling
                             [CVE-2024-52530]; fix buffer overflow in
                             soup_header_parse_param_list_strict
                             [CVE-2024-52531]; fix DoS reading from
                             WebSocket clients [CVE-2024-52532]

  libxstream-java            Fix denial of service issue [CVE-2024-47072]

  linux                      New upstream release; bump ABI to 29

  linux-signed-amd64         New upstream release; bump ABI to 29

  linux-signed-arm64         New upstream release; bump ABI to 29

  linux-signed-i386          New upstream release; bump ABI to 29

  live-boot                  Attempt DHCP on all connected interfaces

  llvm-toolchain-19          New source package, to support builds of
                             chromium

  lxc                        Fix null pointer dereference when using a
                             shared rootfs

  mailmindr                  Update for Thunderbird 128 compatibility

  nfs-utils                  Fix referrals when --enable-junction=no

  nvidia-graphics-drivers    Upstream stable release [CVE-2024-0126]

  nvidia-open-gpu-kernel-modules
                             New upstream LTS release [CVE-2024-0126]

  oar                        Add missing dependency on libcgi-fast-perl; fix
                             oar user creation on new installations; fix SVG
                             functions with PHP 8

  opensc                     Fix data leak issue [CVE-2023-5992]; fix use-
                             after-free issue [CVE-2024-1454]; fix missing
                             initialisation issue [CVE-2024-45615]; fix
                             various issues with APDU buffer handling
                             [CVE-2024-45616]; fix missing or incorrect
                             function return value checks [CVE-2024-45617
                             CVE-2024-45618]; fix "incorrect handling of
                             length of buffers or files" issues
                             [CVE-2024-45619 CVE-2024-45620]; fix arbitrary
                             code execution issue [CVE-2024-8443]

  openssh                    Always use internal mkdtemp implementation; fix
                             gssapi-keyex declaration; add ssh-gssapi
                             automated test; don't prefer host-bound public
                             key signatures if there was no initial host
                             key; make sntrup761x25519-sha512 key exchange
                             algorithm available without the @openssh.com
                             suffix too

  pgtcl                      Install library in default Tcl auto_path

  poco                       Fix integer overflow issue [CVE-2023-52389]

  prometheus-node-exporter-collectors
                             Reinstate missing
                             `apt_package_cache_timestamp_seconds` metrics;
                             fix apt_upgrades_pending and apt_upgrades_held
                             metrics; improve heuristic for apt update last
                             run time

  pypy3                      Fix email address parsing issue
                             [CVE-2023-27043]; fix possible Server Side
                             Request Forgery issue [CVE-2024-11168]; fix
                             private IP address range parsing
                             [CVE-2024-4032]; fix regular expression based
                             Denial of Service issue [CVE-2024-6232]; fix
                             header injection issue [CVE-2024-6923]; fix
                             denial of service issue [CVE-2024-7592
                             CVE-2024-8088]; fix command injection issue
                             [CVE-2024-9287]

  python-asyncssh            Fix "rogue extension negotiation" issue
                             [CVE-2023-46445]; fix "rogue session attack"
                             issue [CVE-2023-46446]

  python-tornado             Fix open redirect issue [CVE-2023-28370]; fix
                             denial of service issue [CVE-2024-52804]

  python-urllib3             Fix possible information leak during cross-
                             origin redirects [CVE-2023-43804]; fix "request
                             body not stripped after redirect from 303
                             status changes request method to GET"
                             [CVE-2023-45803]; fix "Proxy-Authorization
                             request header isn't stripped during cross-
                             origin redirects" [CVE-2024-37891]

  python-werkzeug            Fix denial of service when file upload begins
                             with CR or LF [CVE-2023-46136]; fix arbitrary
                             code execution on developer's machine via the
                             debugger [CVE-2024-34069]; fix denial of
                             service when processing multipart/form-data
                             requests [CVE-2024-49767]

  python3.11                 Reject malformed addresses in email.parseaddr()
                             [CVE-2023-27043]; encode newlines in headers in
                             the email module [CVE-2024-6923]; quadratic
                             complexity parsing cookies with backslashes
                             [CVE-2024-7592]; venv activation scripts didn't
                             quote paths [CVE-2024-9287]; urllib functions
                             improperly validated bracketed hosts
                             [CVE-2024-11168]

  qemu                       Fix build failure on arm64; mark internal
                             codegen helper symbols as hidden, fixing build
                             failure on arm64; new upstream bugfix release
                             [CVE-2024-7409]; update to upstream bugfix
                             release

  quicktext                  Update for Thunderbird 128 compatibility

  redis                      Fix denial of service with malformed ACL
                             selectors [CVE-2024-31227]; fix denial of
                             service through unbound pattern matching
                             [CVE-2024-31228]; fix stack overflow
                             [CVE-2024-31449]

  renderdoc                  Fix integer overflows [CVE-2023-33863
                             CVE-2023-33864]; fix symlink attack vector
                             [CVE-2023-33865]

  ruby-doorkeeper            Prevent skipping of authorization steps
                             [CVE-2023-34246]

  setuptools                 Fix remote code execution issue [CVE-2024-6345]

  sqlparse                   Fix regular expression-related denial of
                             service issue [CVE-2023-30608]; fix denial of
                             service issue [CVE-2024-4340]

  srt                        Fix dependencies for consumers of the -dev
                             packages

  systemd                    New upstream stable release

  tango                      Make the property_* tables compatible with
                             MariaDB 10.11 at install time; add autopkgtest

  tbsync                     Update for Thunderbird 128 compatibility

  texlive-bin                Fix data loss when using discretionaries with
                             priorities; fix heap buffer overflow
                             [CVE-2024-25262]

  tiff                       Fix buffer overflow issues [CVE-2023-25433
                             CVE-2023-26966]; fix use-after-free issue
                             [CVE-2023-26965]; fix null pointer dereference
                             issue [CVE-2023-2908]; fix denial of service
                             issues [CVE-2023-3618 CVE-2023-52356
                             CVE-2024-7006]

  tzdata                     New upstream release; improve historical data
                             for some zones; confirm lack of leap second for
                             2024

  ucf                        Initialise variable subsequently passed to eval

  util-linux                 Fix wider mitigation for CVE-2024-28085

  xsane                      Add Recommends for firefox-esr as well as
                             firefox

  zfs-linux                  Add missing symbols in libzfs4linux and
                             libzpool5linux; fix dnode dirty test
                             [CVE-2023-49298]; fix sharenfs IPv6 address
                             parsing [CVE-2013-20001]; fixes related to NULL
                             pointer, memory allocation, etc.

  zookeeper                  Fix information disclosure in persistent
                             watchers handling [CVE-2024-23944]

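Administrators who track point releases often want the table above in machine-readable form, so that the CVE identifiers can be matched against what is actually installed on their hosts. The following Python script is an added example and is not part of the announcement or of any Debian tooling: it parses the "Package / Reason" layout used in SUA mails (package name in the first column, wrapped reason text indented to the second column, optional architecture qualifiers such as "criu [armhf]"), extracts and normalises the CVE ids (including the hyphen-less form that sometimes appears in hand-typed tables), and reports which installed packages have a pending security fix. The table excerpt and the host inventory embedded in it are constructed for the example; on a real host the inventory would come from dpkg-query.

```python
import re
from collections import OrderedDict

# Constructed excerpt laid out like the "Package / Reason" table in a
# Debian SUA mail: package in the first column, reason text wrapped and
# indented to the second column. The last row deliberately carries a
# CVE id with the hyphen missing, as sometimes happens in hand-typed tables.
SAMPLE_TABLE = """\
  Package                    Reason
  -------                    ------

  ansible-core               New upstream stable release; fix arbitrary code
                             execution issue [CVE-2024-11079]; fix
                             information disclosure issue [CVE-2024-8775]

  base-files                 Update for the point release

  nvidia-open-gpu-kernel-modules
                             New upstream LTS release [CVE-2024-0126]

  criu [armhf]               Fails to build on arm64 host

  redis                      Fix stack overflow [CVE-202431449]
"""

# Year, optional hyphen, then a sequence number of four or more digits.
CVE_RE = re.compile(r"CVE-(\d{4})-?(\d{4,})")

# Package lines are indented by a couple of spaces; wrapped reason text is
# indented to the reason column (29 spaces in the announcement).
PACKAGE_INDENT_MAX = 8


def normalize_cves(text):
    """Extract CVE ids from free text, normalised to CVE-YYYY-NNNN, in order, without duplicates."""
    seen = []
    for year, seq in CVE_RE.findall(text):
        cve = f"CVE-{year}-{seq}"
        if cve not in seen:
            seen.append(cve)
    return seen


def parse_sua_table(text):
    """Parse the table into an ordered mapping package -> {'reason': str, 'cves': [str]}.

    Architecture qualifiers such as 'criu [armhf]' are kept as part of the
    package name, which is how the announcement itself uses them.
    """
    entries = OrderedDict()
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("Package", "-------")):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent <= PACKAGE_INDENT_MAX:
            # New package row: name (plus optional "[arch]"), then the first reason line.
            m = re.match(r"(\S+(?: \[[^\]]+\])?)\s*(.*)", stripped)
            current = m.group(1)
            entries[current] = {"reason": m.group(2), "cves": []}
        elif current is not None:
            # Continuation of the previous package's reason text.
            entry = entries[current]
            entry["reason"] = (entry["reason"] + " " + stripped).strip()
    for entry in entries.values():
        entry["cves"] = normalize_cves(entry["reason"])
    return entries


def pending_security_fixes(entries, installed):
    """Installed packages whose pending update carries at least one CVE fix."""
    return {name: e["cves"] for name, e in entries.items()
            if name in installed and e["cves"]}


if __name__ == "__main__":
    table = parse_sua_table(SAMPLE_TABLE)
    for name, entry in table.items():
        print(f"{name}: {entry['cves'] or '(no CVE)'}")
    # Constructed host inventory; on a real host use the output of
    # dpkg-query -W -f='${Package}\n'
    installed = {"redis", "base-files", "nginx"}
    print(pending_security_fixes(table, installed))
```

Pointing parse_sua_table at the full text of an announcement (everything between the "Package / Reason" header and the next blank-line-terminated section) gives a per-package CVE list that can be diffed against the Debian security tracker or fed into a ticketing system before the point release lands.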

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>


Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

  Package                    Reason
  -------                    ------

  criu [armhf]               Fails to build on arm64 host

  tk-html3                   Unmaintained; security issues


If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
