Updated Debian 11: 11.8 released

7 October 2023

The Debian project is pleased to announce the eighth update of its oldstable distribution Debian 11 (codename bullseye). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 11 but only updates some of the packages included. There is no need to throw away old bullseye media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous bugfixes

This oldstable update adds a few important corrections to the following packages:

Package Reason
adduser Fix command injection vulnerability in deluser
aide Fix handling of extended attributes on symlinks
amd64-microcode Update included microcode, including fixes for AMD Inception on AMD Zen4 processors [CVE-2023-20569]
appstream-glib Handle <em> and <code> tags in metadata
asmtools Backport to bullseye for future openjdk-11 builds
autofs Fix missing mutex unlock; do not use rpcbind for NFS4 mounts; fix regression determining reachability on dual-stack hosts
base-files Update for the 11.8 point release
batik Fix Server Side Request Forgery issues [CVE-2022-44729 CVE-2022-44730]
bmake Conflict with bsdowl (<< 2.2.2-1.2~) to ensure smooth upgrades
boxer-data Backport thunderbird compatibility fixes
ca-certificates-java Work around unconfigured jre during new installations
cairosvg Handle data: URLs in safe mode
cargo-mozilla New upstream version, to support building newer firefox-esr versions
clamav New upstream stable release; fix denial of service vulnerability via HFS+ parser [CVE-2023-20197]
cpio Fix arbitrary code execution issue [CVE-2021-38185]; replace Suggests: on libarchive1 with libarchive-dev
cryptmount Fix memory-initialization in command-line parser
cups Fix heap-based buffer overflow issues [CVE-2023-4504 CVE-2023-32324], unauthenticated access issue [CVE-2023-32360], use-after-free issue [CVE-2023-34241]
curl Fix code execution issues [CVE-2023-27533 CVE-2023-27534], information disclosure issues [CVE-2023-27535 CVE-2023-27536 CVE-2023-28322], inappropriate connection re-use issue [CVE-2023-27538], improper certificate validation issue [CVE-2023-28321]
dbus New upstream stable release; fix denial of service issue [CVE-2023-34969]
debian-design Rebuild using newer boxer-data
debian-installer Increase Linux kernel ABI to 5.10.0-26; rebuild against proposed-updates
debian-installer-netboot-images Rebuild against proposed-updates
debian-parl Rebuild using newer boxer-data
debian-security-support Set DEB_NEXT_VER_ID=12 as bookworm is the next release; security-support-limited: add gnupg1
distro-info-data Add Debian 14 forky; correct Ubuntu 23.04 release date; add Ubuntu 23.10 Mantic Minotaur; add the planned release date for Debian bookworm
dkimpy New upstream bugfix release
dpdk New upstream stable release
dpkg Add support for loong64 CPU; handle missing Version when formatting source:Upstream-Version; fix varbuf memory leak in pkg_source_version()
flameshot Disable uploads to imgur by default; fix name of d/NEWS file in previous upload
ghostscript Fix buffer overflow issue [CVE-2023-38559]; try and secure the IJS server startup [CVE-2023-43115]
gitit Rebuild against new pandoc
grunt Fix race condition in symlink copying [CVE-2022-1537]
gss Add Breaks+Replaces: libgss0 (<< 0.1)
haskell-hakyll Rebuild against new pandoc
haskell-pandoc-citeproc Rebuild against new pandoc
hnswlib Fix double free in init_index when the M argument is a large integer [CVE-2023-37365]
horizon Fix open redirect issue [CVE-2022-45582]
inetutils Check return values for set*id() functions, avoiding potential security issues [CVE-2023-40303]
krb5 Fix free of uninitialised pointer [CVE-2023-36054]
kscreenlocker Fix authentication error when using PAM
lacme Handle CA ready, processing and valid states correctly
lapack Fix eigenvector matrix
lemonldap-ng Fix open redirection when OIDC RP has no redirect URIs; fix Server Side Request Forgery issue [CVE-2023-44469]; fix open redirection due to incorrect escape handling
libapache-mod-jk Remove implicit mapping functionality, which could lead to unintended exposure of the status worker and/or bypass of security constraints [CVE-2023-41081]
libbsd Fix infinite loop in MD5File
libclamunrar New upstream stable release
libprelude Make Python module usable
libreswan Fix denial of service issue [CVE-2023-30570]
libsignal-protocol-c Fix integer overflow issue [CVE-2022-48468]
linux New upstream stable release
linux-signed-amd64 New upstream stable release
linux-signed-arm64 New upstream stable release
linux-signed-i386 New upstream stable release
logrotate Avoid replacement of /dev/null with a regular file if used for the state file
ltsp Avoid using mv on init symlink in order to work around overlayfs issue
lttng-modules Fix build issues with newer kernel versions
lua5.3 Fix use after free in lua_upvaluejoin (lapi.c) [CVE-2019-6706]; fix segmentation fault in getlocal and setlocal (ldebug.c) [CVE-2020-24370]
mariadb-10.5 New upstream bugfix release [CVE-2022-47015]
mujs Security fix
ncurses Disallow loading of custom terminfo entries in setuid/setgid programs [CVE-2023-29491]
node-css-what Fix regular expression-based denial of service issue [CVE-2022-21222 CVE-2021-33587]
node-json5 Fix prototype pollution issue [CVE-2022-46175]
node-tough-cookie Security fix: prototype pollution [CVE-2023-26136]
nvidia-graphics-drivers New upstream release [CVE-2023-25515 CVE-2023-25516]; improve compatibility with recent kernels
nvidia-graphics-drivers-tesla-450 New upstream release [CVE-2023-25515 CVE-2023-25516]
nvidia-graphics-drivers-tesla-470 New upstream bugfix release [CVE-2023-25515 CVE-2023-25516]
openblas Fix results of DGEMM on AVX512-capable hardware, when the package has been built on pre-AVX2 hardware
openssh Fix remote code execution issue via a forwarded agent socket [CVE-2023-38408]
openssl New upstream stable release; fix denial of service issues [CVE-2023-3446 CVE-2023-3817]
org-mode Fix command injection vulnerability [CVE-2023-28617]
pandoc Fix arbitrary file write issues [CVE-2023-35936 CVE-2023-38745]
pev Fix buffer overflow issue [CVE-2021-45423]
php-guzzlehttp-psr7 Fix improper input validation [CVE-2023-29197]
php-nyholm-psr7 Fix improper input validation issue [CVE-2023-29197]
postgis Fix axis order regression
protobuf Security fixes: DoS in Java [CVE-2021-22569]; NULL pointer dereference [CVE-2021-22570]; memory DoS [CVE-2022-1941]
python2.7 Fix parameter cloaking issue [CVE-2021-23336], URL injection issue [CVE-2022-0391], use-after-free issue [CVE-2022-48560], XML External Entity issue [CVE-2022-48565]; improve constant-time comparisons in compare_digest() [CVE-2022-48566]; improve URL parsing [CVE-2023-24329]; prevent reading unauthenticated data on an SSLSocket [CVE-2023-40217]
qemu Fix infinite loop [CVE-2020-14394], NULL pointer dereference issue [CVE-2021-20196], integer overflow issue [CVE-2021-20203], buffer overflow issues [CVE-2021-3507 CVE-2023-3180], denial of service issues [CVE-2021-3930 CVE-2023-3301], use-after-free issue [CVE-2022-0216], possible stack overflow and use-after-free issues [CVE-2023-0330], out-of-bounds read issue [CVE-2023-1544]
rar New upstream release; fix directory traversal issue [CVE-2022-30333]; fix arbitrary code execution issue [CVE-2023-40477]
rhonabwy Fix aesgcm buffer overflow [CVE-2022-32096]
roundcube New upstream stable release; fix cross-site scripting issue [CVE-2023-43770]; Enigma: Fix initial synchronization of private keys
rust-cbindgen New upstream version, to support building newer firefox-esr versions
rustc-mozilla New upstream version, to support building newer firefox-esr versions
schleuder Add versioned dependency on ruby-activerecord
sgt-puzzles Fix various security issues in game loading [CVE-2023-24283 CVE-2023-24284 CVE-2023-24285 CVE-2023-24287 CVE-2023-24288 CVE-2023-24291]
spip Several security fixes; security fix for extended authentication data filtering
spyder Fix broken patch in previous update
systemd Udev: fix creating /dev/serial/by-id/ symlinks for USB devices; fix memory leak on daemon-reload; fix a calendar spec calculation hang on DST change if TZ=Europe/Dublin
tang Fix race condition when creating/rotating keys; assert restrictive permissions on key directory [CVE-2023-1672]; make tangd-rotate-keys executable
testng7 Backport to oldstable for future openjdk-17 builds
tinyssh Work around incoming packets which don't honour max packet length
unrar-nonfree Fix file overwrite issue [CVE-2022-48579]; fix remote code execution issue [CVE-2023-40477]
xen New upstream stable release; fix security issues [CVE-2023-20593 CVE-2023-20569 CVE-2022-40982]
yajl Memory leak security fix; security fixes: potential denial of service with crafted JSON file [CVE-2017-16516]; heap memory corruption when dealing with large (~2GB) inputs [CVE-2022-24795]; fix incomplete patch for CVE-2023-33460

Security updates

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-5394 ffmpeg
DSA-5395 nodejs
DSA-5396 evolution
DSA-5396 webkit2gtk
DSA-5397 wpewebkit
DSA-5398 chromium
DSA-5399 odoo
DSA-5400 firefox-esr
DSA-5401 postgresql-13
DSA-5402 linux-signed-amd64
DSA-5402 linux-signed-arm64
DSA-5402 linux-signed-i386
DSA-5402 linux
DSA-5403 thunderbird
DSA-5404 chromium
DSA-5405 libapache2-mod-auth-openidc
DSA-5406 texlive-bin
DSA-5407 cups-filters
DSA-5408 libwebp
DSA-5409 libssh
DSA-5410 sofia-sip
DSA-5411 gpac
DSA-5412 libraw
DSA-5413 sniproxy
DSA-5414 docker-registry
DSA-5415 libreoffice
DSA-5416 connman
DSA-5417 openssl
DSA-5418 chromium
DSA-5419 c-ares
DSA-5420 chromium
DSA-5421 firefox-esr
DSA-5422 jupyter-core
DSA-5423 thunderbird
DSA-5424 php7.4
DSA-5426 owslib
DSA-5427 webkit2gtk
DSA-5428 chromium
DSA-5430 openjdk-17
DSA-5431 sofia-sip
DSA-5432 xmltooling
DSA-5433 libx11
DSA-5434 minidlna
DSA-5435 trafficserver
DSA-5436 hsqldb1.8.0
DSA-5437 hsqldb
DSA-5438 asterisk
DSA-5439 bind9
DSA-5440 chromium
DSA-5441 maradns
DSA-5442 flask
DSA-5443 gst-plugins-base1.0
DSA-5444 gst-plugins-bad1.0
DSA-5445 gst-plugins-good1.0
DSA-5446 ghostscript
DSA-5447 mediawiki
DSA-5449 webkit2gtk
DSA-5450 firefox-esr
DSA-5451 thunderbird
DSA-5452 gpac
DSA-5453 linux-signed-amd64
DSA-5453 linux-signed-arm64
DSA-5453 linux-signed-i386
DSA-5453 linux
DSA-5455 iperf3
DSA-5456 chromium
DSA-5457 webkit2gtk
DSA-5459 amd64-microcode
DSA-5461 linux-signed-amd64
DSA-5461 linux-signed-arm64
DSA-5461 linux-signed-i386
DSA-5461 linux
DSA-5463 thunderbird
DSA-5464 firefox-esr
DSA-5465 python-django
DSA-5467 chromium
DSA-5468 webkit2gtk
DSA-5470 python-werkzeug
DSA-5471 libhtmlcleaner-java
DSA-5472 cjose
DSA-5473 orthanc
DSA-5474 intel-microcode
DSA-5475 linux-signed-amd64
DSA-5475 linux-signed-arm64
DSA-5475 linux-signed-i386
DSA-5475 linux
DSA-5476 gst-plugins-ugly1.0
DSA-5478 openjdk-11
DSA-5479 chromium
DSA-5480 linux-signed-amd64
DSA-5480 linux-signed-arm64
DSA-5480 linux-signed-i386
DSA-5480 linux
DSA-5481 fastdds
DSA-5482 tryton-server
DSA-5483 chromium
DSA-5484 librsvg
DSA-5485 firefox-esr
DSA-5486 json-c
DSA-5487 chromium
DSA-5489 file
DSA-5490 aom
DSA-5491 chromium
DSA-5493 open-vm-tools
DSA-5494 mutt
DSA-5495 frr
DSA-5497 libwebp
DSA-5500 flac
DSA-5502 xorgxrdp
DSA-5502 xrdp
DSA-5503 netatalk
DSA-5504 bind9
DSA-5505 lldpd
DSA-5507 jetty9
DSA-5510 libvpx

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
atlas-cpp unstable upstream, unsuitable for Debian
ember-media unstable upstream, unsuitable for Debian
eris unstable upstream, unsuitable for Debian
libwfut unstable upstream, unsuitable for Debian
mercator unstable upstream, unsuitable for Debian
nomad security fixes no longer available
nomad-driver-lxc depends on nomad, which is being removed
skstream unstable upstream, unsuitable for Debian
varconf unstable upstream, unsuitable for Debian
wfmath unstable upstream, unsuitable for Debian

Debian Installer

The installer has been updated to include the fixes incorporated into oldstable by this point release.

URLs

The complete list of packages that have changed with this revision:

https://deb.debian.org/debian/dists/bullseye/ChangeLog

The current oldstable distribution:

https://deb.debian.org/debian/dists/oldstable/

Proposed updates to the oldstable distribution:

https://deb.debian.org/debian/dists/oldstable-proposed-updates

Information about the oldstable distribution (release notes, errata, etc.):

https://www.debian.org/releases/oldstable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.