• Updated Debian 12: 12.6 released (1/3)

    From Jean-Pierre Giraud@21:1/5 to All on Sun Jun 30 00:30:02 2024
    ------------------------------------------------------------------------
    The Debian Project                               https://www.debian.org/
    Updated Debian 12: 12.6 released                        press@debian.org
    June 29th, 2024                https://www.debian.org/News/2024/20240629
    ------------------------------------------------------------------------


    The Debian project is pleased to announce the sixth update of its stable
    distribution Debian 12 (codename "bookworm"). This point release mainly
    adds corrections for security issues, along with a few adjustments for
    serious problems. Security advisories have already been published
    separately and are referenced where available.

    Please note that the point release does not constitute a new version of
    Debian 12 but only updates some of the packages included. There is no
    need to throw away old "bookworm" media. After installation, packages
    can be upgraded to the current versions using an up-to-date Debian
    mirror.

    Those who frequently install updates from security.debian.org won't have
    to update many packages, and most such updates are included in the point
    release.

    New installation images will be available soon at the regular locations.

    Upgrading an existing installation to this revision can be achieved by
    pointing the package management system at one of Debian's many HTTP
    mirrors. A comprehensive list of mirrors is available at:

    https://www.debian.org/mirror/list



    Miscellaneous Bugfixes
    ----------------------

    This stable update adds a few important corrections to the following
    packages:

    +--------------------------+------------------------------------------+
    | Package                  | Reason                                   |
    +--------------------------+------------------------------------------+
    | aide [1] | Fix concurrent reading of extended |
    | | attributes |
    | | |
    | amavisd-new [2] | Handle multiple boundary parameters that |
    | | contain conflicting values [CVE-2024- |
    | | 28054]; fix race condition in postinst |
    | | |
    | archlinux-keyring [3] | Switch to pre-built keyrings; sync with |
    | | upstream |
    | | |
    | base-files [4] | Update for the 12.6 point release |
    | | |
    | bash [5] | Rebuild to fix outdated Built-Using |
    | | |
    | bioawk [6] | Disable parallel builds to fix random |
    | | failures |
    | | |
    | bluez [7] | Fix remote code execution issues |
    | | [CVE-2023-27349 CVE-2023-50229 CVE-2023- |
    | | 50230] |
    | | |
    | cdo [8] | Disable hirlam-extensions to avoid |
    | | causing issues with ICON data files |
    | | |
    | chkrootkit [9] | Rebuild to fix outdated Built-Using |
    | | |
    | cjson [10] | Fix missing NULL checks [CVE-2023-50471 |
    | | CVE-2023-50472] |
    | | |
    | clamav [11] | New upstream stable release; fix |
    | | possible heap overflow issue [CVE-2024- |
    | | 20290], possible command injection issue |
    | | [CVE-2024-20328] |
    | | |
    | cloud-init [12] | Declare conflicts/replaces on versioned |
    | | package introduced for bullseye |
    | | |
    | comitup [13] | Ensure service is unmasked in post |
    | | install |
    | | |
    | cpu [14] | Provide exactly one definition of |
    | | globalLdap in LDAP plugin |
    | | |
    | crmsh [15] | Create log directory and file on |
    | | installation |
    | | |
    | crowdsec-custom- | Rebuild to fix outdated Built-Using |
    | bouncer [16] | |
    | | |
    | crowdsec-firewall- | Rebuild against golang-github-google- |
    | bouncer [17] | nftables version with fixed little- |
    | | endian architecture support |
    | | |
    | curl [18] | Do not keep default protocols when |
    | | deselected [CVE-2024-2004]; fix memory |
    | | leak [CVE-2024-2398] |
    | | |
    | dar [19] | Rebuild to fix outdated Built-Using |
    | | |
    | dcmtk [20] | Clean up properly on purge |
    | | |
    | debian-installer [21] | Increase Linux kernel ABI to 6.1.0-22; |
    | | rebuild against proposed-updates |
    | | |
    | debian-installer- | Rebuild against proposed-updates |
    | netboot-images [22] | |
    | | |
    | debvm [23] | debvm-create: do install login; bin/ |
    | | debvm-waitssh: make --timeout=N work; |
    | | bin/debvm-run: allow being run in |
    | | environments without TERM set; fix |
    | | resolv.conf in stretch |
    | | |
    | dhcpcd5 [24] | privsep: Allow zero length messages |
    | | through; fix server not being restarted |
    | | correctly during upgrades |
    | | |
    | distro-info-data [25] | Declare intentions for bullseye/ |
    | | bookworm; fix past data; add Ubuntu |
    | | 24.10 |
    | | |
    | djangorestframework [26] | Reinstate missing static files |
    | | |
    | dm-writeboost [27] | Fix build error with 6.9 kernel and |
    | | backports |
    | | |
    | dns-root-data [28] | Update root hints; update expired |
    | | security information |
    | | |
    | dpdk [29] | New upstream stable release |
    | | |
    | ebook-speaker [30] | Support username over 8 characters when |
    | | enumerating groups |
    | | |
    | emacs [31] | Security fixes [CVE-2024-30202 CVE-2024- |
    | | 30203 CVE-2024-30204 CVE-2024-30205]; |
    | | replace expired package-keyring.gpg with |
    | | a current version |
    | | |
    | extrepo-data [32] | Update repository information |
    | | |
    | flatpak [33] | New upstream stable release |
    | | |
    | fpga-icestorm [34] | Restore compatibility with yosys |
    | | |
    | freetype [35] | Disable COLRv1 support, which was |
    | | unintentionally enabled by upstream; fix |
    | | function existence check when calling |
    | | get_colr_glyph_paint() |
    | | |
    | galera-4 [36] | New upstream bugfix release; update |
    | | upstream release signing key; prevent |
    | | date-related test failures |
    | | |
    | gdk-pixbuf [37] | ANI: Reject files with multiple anih |
    | | chunks [CVE-2022-48622]; ANI: Reject |
    | | files with multiple INAM or IART chunks; |
    | | ANI: Validate anih chunk size |
    | | |
    | glewlwyd [38] | Fix potential buffer overflow during |
    | | FIDO2 credential validation [CVE-2023- |
    | | 49208]; fix open redirection via |
    | | redirect_uri [CVE-2024-25715] |
    | | |
    | glib2.0 [39] | Fix a (rare) memory leak |
    | | |
    | glibc [40] | Revert fix to always call destructors in |
    | | reverse constructor order due to |
    | | unforeseen application compatibility |
    | | issues; fix a DTV corruption due to a |
    | | reuse of a TLS module ID following |
    | | dlclose with unused TLS |
    | | |
    | gnutls28 [41] | Fix certtool crash when verifying a |
    | | certificate chain with more than 16 |
    | | certificates [CVE-2024-28835]; fix side- |
    | | channel in the deterministic ECDSA |
    | | [CVE-2024-28834]; fix a memory leak; fix |
    | | two segfault issues |
    | | |
    | golang-github- | Rebuild for outdated Built-Using |
    | containers-storage [42] | |
    | | |
    | golang-github-google- | Fix AddSet() function on little-endian |
    | nftables [43] | architectures |
    | | |
    | golang-github-openshift- | Rebuild for outdated Built-Using |
    | imagebuilder [44] | |
    | | |
    | gosu [45] | Rebuild for outdated Built-Using |
    | | |
    | gpaste [46] | Fix conflict with older libpgpaste6 |
    | | |
    | gross [47] | Fix stack-based buffer overflow |
    | | [CVE-2023-52159] |
    | | |
    | hovercraft [48] | Depend on python3-setuptools |
    | | |
    | icinga2 [49] | Fix segmentation fault on ppc64el |
    | | |
    | igtf-policy-bundle [50] | Address CAB Forum S/MIME policy change; |
    | | apply accumulated updates to trust |
    | | anchors |
    | | |
    | intel-microcode [51] | Security mitigations [CVE-2023-22655 |
    | | CVE-2023-28746 CVE-2023-38575 CVE-2023- |
    | | 39368 CVE-2023-43490]; mitigate for |
    | | INTEL-SA-01051 [CVE-2023-45733], INTEL- |
    | | SA-01052 [CVE-2023-46103], INTEL- |
    | | SA-01036 [CVE-2023-45745, CVE-2023- |
    | | 47855] and unspecified functional issues |
    | | on various Intel processors |
    | | |
    | jose [52] | Fix potential denial-of-service issue |
    | | [CVE-2023-50967] |
    | | |
    | json-smart [53] | Fix excessive recursion leading to stack |
    | | overflow [CVE-2023-1370]; fix denial of |
    | | service via crafted request [CVE-2021- |
    | | 31684] |
    | | |
    | kio [54] | Fix file loss and potential locking |
    | | issues on CIFS |
    | | |
    | lacme [55] | Fix post-issuance validation logic |
    | | |
    | libapache2-mod-auth- | Fix missing input validation leading to |
    | openidc [56] | DoS [CVE-2024-24814] |
    | | |
    | libesmtp [57] | Break and replace older library versions |
    | | |
    | libimage-imlib2- | Fix package build |
    | perl [58] | |
    | | |
    | libjwt [59] | Fix timing side channel attack |
    | | [CVE-2024-25189] |
    | | |
    | libkf5ksieve [60] | Prevent leaking passwords into server- |
    | | side logs |
    | | |
    | libmail-dkim-perl [61] | Add dependency on libgetopt-long- |
    | | descriptive-perl |
    | | |
    | libpod [62] | Handle removed containers properly |
    | | |
    | libreoffice [63] | Fix backup copy creation for files on |
    | | mounted samba shares; don't remove |
    | | libforuilo.so in -core-nogui |
    | | |
    | libseccomp [64] | Add support for syscalls up to Linux 6.7 |
    | | |
    | libtommath [65] | Fix integer overflow [CVE-2023-36328] |
    | | |
    | libtool [66] | Conflict with libltdl3-dev; fix check |
    | | for += operator in func_append |
    | | |
    | libxml-stream-perl [67] | Fix compatibility with IO::Socket::SSL |
    | | >= 2.078 |
    | | |
    | linux [68] | New upstream stable release; increase |
    | | ABI to 22 |
    | | |
    | linux-signed-amd64 [69] | New upstream stable release; increase |
    | | ABI to 22 |
    | | |
    | linux-signed-arm64 [70] | New upstream stable release; increase |
    | | ABI to 22 |
    | | |
    | linux-signed-i386 [71] | New upstream stable release; increase |
    | | ABI to 22 |
    | | |
    | lua5.4 [72] | debian/version-script: Export additional |
    | | missing symbols for lua 5.4.4 |
    | | |
    | lxc-templates [73] | Fix the "mirror" option of lxc-debian |
    | | |
    | mailman3 [74] | Depend alternatively on cron-daemon; fix |
    | | postgresql:// url in post-installation |
    | | script |
    | | |
    | mksh [75] | Handle merged /usr in /etc/shells; fix |
    | | crash with nested bashism; fix arguments |
    | | to the dot command; distinguish unset |
    | | and empty in `typeset -p` |
    | | |
    | mobian-keyring [76] | Update Mobian archive key |
    | | |
    | ms-gsl [77] | Mark not_null constructors as noexcept |
    | | |
    | nano [78] | Fix format string issues; fix "with -- |
    | | cutfromcursor, undoing a justification |
    | | can eat a line" ; fix malicious symlink |
    | | issue; fix example bindings in nanorc |
    | | |
    | netcfg [79] | Handle routing for single-address |
    | | netmasks |
    | | |
    | ngircd [80] | Respect "SSLConnect" option for |
    | | incoming connections; server certificate |
    | | validation on server links (S2S-TLS); |
    | | METADATA: Fix unsetting "cloakhost" |
    | | |
    | node-babel7 [81] | Fix building against nodejs |
    | | 18.19.0+dfsg-6~deb12u1; add Breaks/ |
    | | Replaces against obsolete node-babel-* |
    | | packages |
    | | |
    | node-undici [82] | Properly export typescript types |
    | | |
    | node-v8-compile- | Fix tests when a newer nodejs version is |
    | cache [83] | used |
    | | |
    | node-zx [84] | Fix flaky test |
    | | |
    | nodejs [85] | Skip flaky tests for mipsel/mips64el |
    | | |
    | nsis [86] | Don't allow unprivileged users to delete |
    | | the uninstaller directory [CVE-2023- |
    | | 37378]; fix regression in disabling stub |
    | | relocations; build reproducibly for |
    | | arm64 |
    | | |
    | nvidia-graphics- | Restore compatibility with newer Linux |
    | drivers [87] | kernel builds; take over packages from |
    | | nvidia-graphics-drivers-tesla; add new |
    | | nvidia-suspend-common package; relax dh- |
    | | dkms build-dependency for compatibility |
    | | with bookworm; new upstream stable |
    | | release [CVE-2023-0180 CVE-2023-0183 |
    | | CVE-2023-0184 CVE-2023-0185 CVE-2023- |
    | | 0187 CVE-2023-0188 CVE-2023-0189 |
    | | CVE-2023-0190 CVE-2023-0191 CVE-2023- |
    | | 0194 CVE-2023-0195 CVE-2023-0198 |
    | | CVE-2023-0199 CVE-2023-25515 CVE-2023- |
    | | 25516 CVE-2023-31022 CVE-2024-0074 |
    | | CVE-2024-0075 CVE-2024-0078 CVE-2024- |
    | | 0090 CVE-2024-0092] |
    | | |
    | nvidia-graphics-drivers- | Restore compatibility with newer Linux |
    | tesla [88] | kernel builds |
    | | |
    | nvidia-graphics-drivers- | Restore compatibility with newer Linux |
    | tesla-470 [89] | kernel builds; stop building nvidia- |
    | | cuda-mps; new upstream stable release; |
    | | security fixes [CVE-2022-42265 CVE-2024- |
    | | 0074 CVE-2024-0078 CVE-2024-0090 |
    | | CVE-2024-0092] |
    | | |
    | nvidia-modprobe [90] | Prepare to switch to 535 series LTS |
    | | drivers |
    | | |
    | nvidia-open-gpu-kernel- | Update to 535 series LTS drivers |
    | modules [91] | [CVE-2023-0180 CVE-2023-0183 CVE-2023- |
    | | 0184 CVE-2023-0185 CVE-2023-0187 |
    | | CVE-2023-0188 CVE-2023-0189 CVE-2023- |
    | | 0190 CVE-2023-0191 CVE-2023-0194 |
    | | CVE-2023-0195 CVE-2023-0198 CVE-2023- |
    | | 0199 CVE-2023-25515 CVE-2023-25516 |
    | | CVE-2023-31022 CVE-2024-0074 CVE-2024- |
    | | 0075 CVE-2024-0078 CVE-2024-0090 |
    | | CVE-2024-0092] |
    | | |
    | nvidia-persistenced [92] | Switch to 535 series LTS drivers; update |
    | | list of supported drivers |
    | | |
    | nvidia-settings [93] | Also build for ppc64el; new upstream LTS |
    | | release |
    | | |
    | nvidia-xconfig [94] | New upstream LTS release |
    | | |
    | openrc [95] | Ignore non-executable scripts in /etc/ |
    | | init.d |
    | | |
    | openssl [96] | New upstream stable release; fix |
    | | excessive time taken issues [CVE-2023- |
    | | 5678 CVE-2023-6237], vector register |
    | | corruption issue on PowerPC [CVE-2023- |
    | | 6129], PKCS12 Decoding crashes |
    | | [CVE-2024-0727] |
    | | |
    | openvpn-dco-dkms [97] | Build for Linux >= 6.5; install compat- |
    | | include directory; fix refcount |
    | | imbalance |
    | | |
    | orthanc-dicomweb [98] | Rebuild to fix outdated Built-Using |
    | | |
    | orthanc-gdcm [99] | Rebuild to fix outdated Built-Using |
    | | |
    | orthanc-mysql [100] | Rebuild to fix outdated Built-Using |
    | | |
    | orthanc-neuro [101] | Rebuild to fix outdated Built-Using |
    | | |
    | orthanc-postgresql [102] | Rebuild to fix outdated Built-Using |
    | | |
    | orthanc-python [103] | Rebuild to fix outdated Built-Using |
    | | |
    | orthanc-webviewer [104] | Rebuild to fix outdated Built-Using |
    | | |
    | orthanc-wsi [105] | Rebuild to fix outdated Built-Using |
    | | |
    | ovn [106] | New upstream stable version; fix |
    | | insufficient validation of incoming BFD |
    | | packets [CVE-2024-2182] |
    | | |
    | pdudaemon [107] | Depend on python3-aiohttp |
    | | |
    | php-composer-class-map- | Force system dependency loading |
    | generator [108] | |
    | | |
    | php-composer-pcre [109] | Add missing Breaks+Replaces: on composer |
    | | (<< 2.2) |
    | | |
    | php-composer-xdebug- | Force system dependency loading |
    | handler [110] | |
    | | |
    | php-doctrine- | Force system dependency loading |
    | annotations [111] | |
    | | |
    | php-doctrine- | Force system dependency loading |
    | deprecations [112] | |
    | | |
    | php-doctrine-lexer [113] | Force system dependency loading |
    | | |
    | php-phpseclib [114] | Guard isPrime() and randomPrime() for |
    | | BigInteger [CVE-2024-27354]; limit OID |
    | | length in ASN1 [CVE-2024-27355]; fix |
    | | BigInteger getLength(); remove |
    | | visibility modifiers from static |
    | | variables |
    | | |
    | php-phpseclib3 [115] | Force system dependency loading; guard |
    | | isPrime() and randomPrime() for |
    | | BigInteger [CVE-2024-27354]; limit OID |
    | | length in ASN1 [CVE-2024-27355]; fix |
    | | BigInteger getLength() |
    | | |
    | php-proxy-manager [116] | Force system dependency loading |
    | | |
    | php-symfony- | Force system dependency loading |
    | contracts [117] | |
    | | |
    | php-zend-code [118] | Force system dependency loading |
    | | |
    | phpldapadmin [119] | Fix compatibility with PHP 8.1+ |
    | | |
    | phpseclib [120] | Force system dependency loading; guard |
    | | isPrime() and randomPrime() for |
    | | BigInteger [CVE-2024-27354]; limit OID |
    | | length in ASN1 [CVE-2024-27355]; fix |
    | | BigInteger getLength() |
    | | |
    | postfix [121] | New upstream stable release |
    | | |
    | postgresql-15 [122] | New upstream stable release; restrict |
    | | visibility of pg_stats_ext and |
    | | pg_stats_ext_exprs entries to the table |
    | | owner [CVE-2024-4317] |

    [continued in next message]
