------------------------------------------------------------------------
The Debian Project
https://www.debian.org/ Updated Debian 11: 11.7 released
press@debian.org
April 29th, 2023
https://www.debian.org/News/2023/20230429 ------------------------------------------------------------------------
The Debian project is pleased to announce the seventh update of its
stable distribution Debian 11 (codename "bullseye"). This point release
mainly adds corrections for security issues, along with a few
adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of
Debian 11 but only updates some of the packages included. There is no
need to throw away old "bullseye" media. After installation, packages
can be upgraded to the current versions using an up-to-date Debian
mirror.
Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:
https://www.debian.org/mirror/list
Miscellaneous Bugfixes
----------------------
This stable update adds a few important corrections to the following
packages:
+----------------------------+----------------------------------------+
| Package | Reason | +----------------------------+----------------------------------------+
| akregator [1] | Fix validity checks, including fixing |
| | deletion of feeds and folders |
| | |
| apache2 [2] | Don't automatically enable apache2- |
| | doc.conf; fix regressions in http2 and |
| | mod_rewrite introduced in 2.4.56 |
| | |
| at-spi2-core [3] | Set stop timeout to 5 seconds, so as |
| | not to needlessly block system |
| | shutdowns |
| | |
| avahi [4] | Fix local denial of service issue |
| | [CVE-2021-3468] |
| | |
| base-files [5] | Update for the 11.7 point release |
| | |
| c-ares [6] | Prevent stack overflow and denial of |
| | service [CVE-2022-4904] |
| | |
| clamav [7] | New upstream stable release; fix |
| | possible remote code execution issue |
| | in the HFS+ file parser [CVE-2023- |
| | 20032], possible information leak in |
| | the DMG file parser [CVE-2023-20052] |
| | |
| command-not-found [8] | Add new non-free-firmware component, |
| | fixing upgrades to bookworm |
| | |
| containerd [9] | Fix denial of service issue [CVE-2023- |
| | 25153]; fix possible privilege |
| | escalation via incorrect setup of |
| | supplementary groups [CVE-2023-25173] |
| | |
| crun [10] | Fix capability escalation issue due to |
| | containers being incorrectly started |
| | with non-empty default permissions |
| | [CVE-2022-27650] |
| | |
| cwltool [11] | Add missing dependency on python3- |
| | distutils |
| | |
| debian-archive- | Add bookworm keys; move stretch keys |
| keyring [12] | to the removed keyring |
| | |
| debian-installer [13] | Increase Linux kernel ABI to 5.10.0- |
| | 22; rebuild against proposed-updates |
| | |
| debian-installer-netboot- | Rebuild against proposed-updates |
| images [14] | |
| | |
| debian-ports-archive- | Extend the 2023 signing key's |
| keyring [15] | expiration by one year; add 2024 |
| | signing key; move 2022 signing key to |
| | the removed keyring |
| | |
| dpdk [16] | New upstream stable release |
| | |
| duktape [17] | Fix crash issue [CVE-2021-46322] |
| | |
| e2tools [18] | Fix build failure by adding build |
| | dependency on e2fsprogs |
| | |
| erlang [19] | Fix client authentication bypass issue |
| | [CVE-2022-37026]; use -O1 optimization |
| | for armel because -O2 makes erl |
| | segfault on certain platforms, e.g. |
| | Marvell |
| | |
| exiv2 [20] | Security fixes [CVE-2021-29458 |
| | CVE-2021-29463 CVE-2021-29464 |
| | CVE-2021-29470 CVE-2021-29473 |
| | CVE-2021-29623 CVE-2021-32815 |
| | CVE-2021-34334 CVE-2021-34335 |
| | CVE-2021-3482 CVE-2021-37615 CVE-2021- |
| | 37616 CVE-2021-37618 CVE-2021-37619 |
| | CVE-2021-37620 CVE-2021-37621 |
| | CVE-2021-37622 CVE-2021-37623] |
| | |
| flask-security [21] | Fix open redirect vulnerability |
| | [CVE-2021-23385] |
| | |
| flatpak [22] | New upstream stable release; escape |
| | special characters when displaying |
| | permissions and metadata [CVE-2023- |
| | 28101]; don't allow copy/paste via the |
| | TIOCLINUX ioctl when running in a |
| | Linux virtual console [CVE-2023-28100] |
| | |
| galera-3 [23] | New upstream stable release |
| | |
| ghostscript [24] | Fix path for PostScript helper file in |
| | ps2epsi |
| | |
| glibc [25] | Fix memory leak in printf-family |
| | functions with long multibyte strings; |
| | fix crash in printf-family due to |
| | width/precision-dependent allocations; |
| | fix segfault in printf handling |
| | thousands separator; fix overflow in |
| | the AVX2 implementation of wcsnlen |
| | when crossing pages |
| | |
| golang-github-containers- | Fix parsing of |
| common [26] | DBUS_SESSION_BUS_ADDRESS |
| | |
| golang-github-containers- | Do not enter the process user |
| psgo [27] | namespace [CVE-2022-1227] |
| | |
| golang-github-containers- | Make previously internal functions |
| storage [28] | publicly accessible, required to allow |
| | fixing CVE-2022-1227 in other packages |
| | |
| golang-github-prometheus- | Patch tests to avoid race condition; |
| exporter-toolkit [29] | fix authentication cache poisoning |
| | issue [CVE-2022-46146] |
| | |
| grep [30] | Fix incorrect matching when the last |
| | of multiple patterns includes a |
| | backreference |
| | |
| gtk+3.0 [31] | Fix Wayland + EGL on GLES-only |
| | platforms |
| | |
| guix [32] | Fix build failure due to expired keys |
| | used in test suite |
| | |
| intel-microcode [33] | New upstream bug-fix release |
| | |
| isc-dhcp [34] | Fix IPv6 address lifetime handling |
| | |
| jersey1 [35] | Fix build failure with libjettison- |
| | java 1.5.3 |
| | |
| joblib [36] | Fix arbitrary code execution issue |
| | [CVE-2022-21797] |
| | |
| lemonldap-ng [37] | Fix URL validation bypass issue; fix |
| | 2FA issue when using AuthBasic handler |
| | [CVE-2023-28862] |
| | |
| libapache2-mod-auth- | Fix open redirect issue [CVE-2022- |
| openidc [38] | 23527] |
| | |
| libapreq2 [39] | Fix buffer overflow issue [CVE-2022- |
| | 22728] |
| | |
| libdatetime-timezone- | Update included data |
| perl [40] | |
| | |
| libexplain [41] | Enhance compatibility with newer |
| | kernel versions - Linux 5.11 no longer |
| | has if_frad.h, termiox removed since |
| | kernel 5.12 |
| | |
| libgit2 [42] | Enable SSH key verification by default |
| | [CVE-2023-22742] |
| | |
| libpod [43] | Fix privilege escalation issue |
| | [CVE-2022-1227]; fix capability |
| | escalation issue due to containers |
| | being incorrectly started with non- |
| | empty default permissions [CVE-2022- |
| | 27649]; fix parsing of |
| | DBUS_SESSION_BUS_ADDRESS |
| | |
| libreoffice [44] | Change Croatia's default currency to |
| | Euro; avoid empty -Djava.class.path= |
| | [CVE-2022-38745] |
| | |
| libvirt [45] | Fix container reboot-related issues; |
| | fix test failures when combined with |
| | newer Xen versions |
| | |
| libxpm [46] | Fix infinite loop issues [CVE-2022- |
| | 44617 CVE-2022-46285]; fix double free |
| | issue in error handling code; fix |
| | "compression commands depend on |
| | PATH" [CVE-2022-4883] |
| | |
| libzen [47] | Fix null pointer dereference issue |
| | [CVE-2020-36646] |
| | |
| linux [48] | New upstream stable release; increase |
| | ABI to 22; [rt] update to 5.10.176- |
| | rt86 |
| | |
| linux-signed-amd64 [49] | New upstream stable release; increase |
| | ABI to 22; [rt] update to 5.10.176- |
| | rt86 |
| | |
| linux-signed-arm64 [50] | New upstream stable release; increase |
| | ABI to 22; [rt] update to 5.10.176- |
| | rt86 |
| | |
| linux-signed-i386 [51] | New upstream stable release; increase |
| | ABI to 22; [rt] update to 5.10.176- |
| | rt86 |
| | |
| lxc [52] | Fix file existence oracle [CVE-2022- |
| | 47952] |
| | |
| macromoleculebuilder [53] | Fix build failure by adding build |
| | dependency on docbook-xsl |
| | |
| mariadb-10.5 [54] | New upstream stable release; revert |
| | upstream libmariadb API change |
| | |
| mono [55] | Remove desktop file |
| | |
| ncurses [56] | Guard against corrupt terminfo data |
| | [CVE-2022-29458]; fix tic crash on |
| | very long tc/use clauses |
| | |
| needrestart [57] | Fix warnings when using "-b" option |
| | |
| node-cookiejar [58] | Guard against maliciously-sized |
| | cookies [CVE-2022-25901] |
| | |
| node-webpack [59] | Avoid cross-realm object access |
| | [CVE-2023-28154] |
| | |
| nvidia-graphics- | New upstream release; security fixes |
| drivers [60] | [CVE-2023-0180 CVE-2023-0184 CVE-2023- |
| | 0185 CVE-2023-0187 CVE-2023-0188 |
| | CVE-2023-0189 CVE-2023-0190 CVE-2023- |
| | 0191 CVE-2023-0194 CVE-2023-0195 |
| | CVE-2023-0198 CVE-2023-0199] |
| | |
| nvidia-graphics-drivers- | New upstream release; security fixes |
| tesla-450 [61] | [CVE-2023-0180 CVE-2023-0184 CVE-2023- |
| | 0185 CVE-2023-0188 CVE-2023-0189 |
| | CVE-2023-0190 CVE-2023-0191 CVE-2023- |
| | 0194 CVE-2023-0195 CVE-2023-0198 |
| | CVE-2023-0199] |
| | |
| nvidia-graphics-drivers- | New upstream release; security fixes |
| tesla-470 [62] | [CVE-2023-0180 CVE-2023-0184 CVE-2023- |
| | 0185 CVE-2023-0187 CVE-2023-0188 |
| | CVE-2023-0189 CVE-2023-0190 CVE-2023- |
| | 0191 CVE-2023-0194 CVE-2023-0195 |
| | CVE-2023-0198 CVE-2023-0199] |
| | |
| nvidia-modprobe [63] | New upstream release |
| | |
| openvswitch [64] | Fix "openvswitch-switch update leaves |
| | interfaces down" |
| | |
| passenger [65] | Fix compatibility with more recent |
| | NodeJS versions |
| | |
| phyx [66] | Remove unnecessary build dependency on |
| | libatlas-cpp |
| | |
| postfix [67] | New upstream stable release |
| | |
| postgis [68] | Fix wrong Polar stereographic axis |
| | order |
| | |
| postgresql-13 [69] | New upstream stable release; fix |
| | client memory disclosure issue |
| | [CVE-2022-41862] |
| | |
| python-acme [70] | Fix version of created CSRs, to |
| | prevent problems with strictly RFC- |
| | complying implementations of the ACME |
| | API |
| | |
| ruby-aws-sdk-core [71] | Fix generation of version file |
| | |
| ruby-cfpropertylist [72] | Fix some functionality by dropping |
| | compatibility with Ruby 1.8 |
| | |
| shim [73] | New upstream release; new upstream |
| | stable release; enable NX support at |
| | build time; block Debian grub binaries |
| | with sbat < 4 |
| | |
| shim-helpers-amd64- | New upstream stable release; enable NX |
| signed [74] | support at build time; block Debian |
| | grub binaries with sbat < 4 |
| | |
| shim-helpers-arm64- | New upstream stable release; enable NX |
| signed [75] | support at build time; block Debian |
| | grub binaries with sbat < 4 |
| | |
| shim-helpers-i386- | New upstream stable release; enable NX |
| signed [76] | support at build time; block Debian |
| | grub binaries with sbat < 4 |
| | |
| shim-signed [77] | New upstream stable release; enable NX |
| | support at build time; block Debian |
| | grub binaries with sbat < 4 |
| | |
| snakeyaml [78] | Fix denial of service issues |
| | [CVE-2022-25857 CVE-2022-38749 |
| | CVE-2022-38750 CVE-2022-38751]; add |
| | documentation regarding security |
| | support / issues |
| | |
| spyder [79] | Fix duplication of code when saving |
| | |
| symfony [80] | Remove private headers before storing |
| | responses with HttpCache [CVE-2022- |
| | 24894]; remove CSRF tokens from |
| | storage on successful login [CVE-2022- |
| | 24895] |
| | |
| systemd [81] | Fix information leak issue [CVE-2022- |
| | 4415], denial of service issue |
| | [CVE-2022-3821]; ata_id: fix getting |
| | Response Code from SCSI Sense Data; |
| | logind: fix getting property |
| | OnExternalPower via D-Bus; fix crash |
| | in systemd-machined |
| | |
| tomcat9 [82] | Add OpenJDK 17 support to JDK |
| | detection |
| | |
| traceroute [83] | Interpret v4mapped-IPv6 addresses as |
| | IPv4 |
| | |
| tzdata [84] | Update included data |
| | |
| unbound [85] | Fix Non-Responsive Delegation Attack |
| | [CVE-2022-3204]; fix "ghost domain |
| | names" issue [CVE-2022-30698 |
| | CVE-2022-30699] |
| | |
| usb.ids [86] | Update included data |
| | |
| vagrant [87] | Add support for VirtualBox 7.0 |
| | |
| voms-api-java [88] | Fix build failures by disabling some |
| | non-working tests |
| | |
| w3m [89] | Fix out-of-bounds write issue |
| | [CVE-2022-38223] |
| | |
| x4d-icons [90] | Fix build failure with newer |
| | imagemagick versions |
| | |
| xapian-core [91] | Prevent database corruption on disk |
| | exhaustion |
| | |
| zfs-linux [92] | Add several stability improvements |
| | | +----------------------------+----------------------------------------+
1:
https://packages.debian.org/src:akregator
2:
https://packages.debian.org/src:apache2
3:
https://packages.debian.org/src:at-spi2-core
4:
https://packages.debian.org/src:avahi
5:
https://packages.debian.org/src:base-files
6:
https://packages.debian.org/src:c-ares
7:
https://packages.debian.org/src:clamav
8:
https://packages.debian.org/src:command-not-found
9:
https://packages.debian.org/src:containerd
10:
https://packages.debian.org/src:crun
11:
https://packages.debian.org/src:cwltool
12:
https://packages.debian.org/src:debian-archive-keyring
13:
https://packages.debian.org/src:debian-installer
14:
https://packages.debian.org/src:debian-installer-netboot-images
15:
https://packages.debian.org/src:debian-ports-archive-keyring
16:
https://packages.debian.org/src:dpdk
17:
https://packages.debian.org/src:duktape
18:
https://packages.debian.org/src:e2tools
19:
https://packages.debian.org/src:erlang
20:
https://packages.debian.org/src:exiv2
21:
https://packages.debian.org/src:flask-security
22:
https://packages.debian.org/src:flatpak
23:
https://packages.debian.org/src:galera-3
24:
https://packages.debian.org/src:ghostscript
25:
https://packages.debian.org/src:glibc
26:
https://packages.debian.org/src:golang-github-containers-common
27:
https://packages.debian.org/src:golang-github-containers-psgo
28:
https://packages.debian.org/src:golang-github-containers-storage
29:
https://packages.debian.org/src:golang-github-prometheus-exporter-toolkit
30:
https://packages.debian.org/src:grep
31:
https://packages.debian.org/src:gtk+3.0
32:
https://packages.debian.org/src:guix
33:
https://packages.debian.org/src:intel-microcode
34:
https://packages.debian.org/src:isc-dhcp
35:
https://packages.debian.org/src:jersey1
36:
https://packages.debian.org/src:joblib
37:
https://packages.debian.org/src:lemonldap-ng
38:
https://packages.debian.org/src:libapache2-mod-auth-openidc
39:
https://packages.debian.org/src:libapreq2
40:
https://packages.debian.org/src:libdatetime-timezone-perl
41:
https://packages.debian.org/src:libexplain
42:
https://packages.debian.org/src:libgit2
43:
https://packages.debian.org/src:libpod
44:
https://packages.debian.org/src:libreoffice
45:
https://packages.debian.org/src:libvirt
46:
https://packages.debian.org/src:libxpm
47:
https://packages.debian.org/src:libzen
48:
https://packages.debian.org/src:linux
49:
https://packages.debian.org/src:linux-signed-amd64
50:
https://packages.debian.org/src:linux-signed-arm64
51:
https://packages.debian.org/src:linux-signed-i386
52:
https://packages.debian.org/src:lxc
53:
https://packages.debian.org/src:macromoleculebuilder
54:
https://packages.debian.org/src:mariadb-10.5
55:
https://packages.debian.org/src:mono
56:
https://packages.debian.org/src:ncurses
57:
https://packages.debian.org/src:needrestart
58:
https://packages.debian.org/src:node-cookiejar
59:
https://packages.debian.org/src:node-webpack
60:
https://packages.debian.org/src:nvidia-graphics-drivers
61:
https://packages.debian.org/src:nvidia-graphics-drivers-tesla-450
62:
https://packages.debian.org/src:nvidia-graphics-drivers-tesla-470
63:
https://packages.debian.org/src:nvidia-modprobe
64:
https://packages.debian.org/src:openvswitch
65:
https://packages.debian.org/src:passenger
66:
https://packages.debian.org/src:phyx
67:
https://packages.debian.org/src:postfix
68:
https://packages.debian.org/src:postgis
69:
https://packages.debian.org/src:postgresql-13
70:
https://packages.debian.org/src:python-acme
71:
https://packages.debian.org/src:ruby-aws-sdk-core
72:
https://packages.debian.org/src:ruby-cfpropertylist
73:
https://packages.debian.org/src:shim
74:
https://packages.debian.org/src:shim-helpers-amd64-signed
75:
https://packages.debian.org/src:shim-helpers-arm64-signed
76:
https://packages.debian.org/src:shim-helpers-i386-signed
77:
https://packages.debian.org/src:shim-signed
78:
https://packages.debian.org/src:snakeyaml
79:
https://packages.debian.org/src:spyder
80:
https://packages.debian.org/src:symfony
81:
https://packages.debian.org/src:systemd
82:
https://packages.debian.org/src:tomcat9
83:
https://packages.debian.org/src:traceroute
84:
https://packages.debian.org/src:tzdata
85:
https://packages.debian.org/src:unbound
86:
https://packages.debian.org/src:usb.ids
87:
https://packages.debian.org/src:vagrant
88:
https://packages.debian.org/src:voms-api-java
89:
https://packages.debian.org/src:w3m
90:
https://packages.debian.org/src:x4d-icons
91:
https://packages.debian.org/src:xapian-core
92:
https://packages.debian.org/src:zfs-linux
Security Updates
----------------
This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:
+----------------+---------------------------------+
| Advisory ID | Package | +----------------+---------------------------------+
| DSA-5170 [93] | nodejs [94] |
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)