تحديث دبيان 11: الإصدار 11.1

09 أكتوبر 2021

يسعد مشروع دبيان الإعلان عن التحديث الأول لتوزيعته المستقرة دبيان 11 (الاسم الرمزي bullseye). بالإضافة إلى تسوية بعض المشكلات الحرجة يصلح هذا التحديث بالأساس مشاكلات الأمان. تنبيهات الأمان أعلنت بشكل منفصل وفقط مُشار إليها في هذا الإعلان.

يرجى ملاحظة أن هذا التحديث لا يشكّل إصدار جديد لدبيان 11 بل فقط تحديثات لبعض الحزم المضمّنة وبالتالي ليس بالضرورة رمي الوسائط القديمة للإصدار bullseye، يمكن تحديث الحزم باستخدام مرآة دبيان محدّثة.

الذين يثبّتون التحديثات من security.debian.org باستمرار لن يكون عليهم تحديث العديد من الحزم، أغلب التحديثات مضمّنة في هذا التحديث.

صور جديدة لأقراص التثبيت ستكون متوفرة في موضعها المعتاد.

يمكن الترقية من تثبيت آنيّ إلى هذه المراجعة بتوجيه نظام إدارة الحزم إلى إحدى مرايا HTTP الخاصة بدبيان. قائمة شاملة لمرايا دبيان على المسار:

https://www.debian.org/mirror/list

إصلاح العديد من العلاّت

أضاف هذا التحديث للإصدار المستقر بعض الإصلاحات المهمة للحزم التالية:

الحزمة السبب
apr Prevent out-of-bounds array dereference
atftp Fix buffer overflow [CVE-2021-41054]
automysqlbackup Fix crash when using LATEST=yes
base-files Update for the 11.1 point release
clamav New upstream stable release; fix clamdscan segfaults when --fdpass and --multipass are used together with ExcludePath
cloud-init Avoid duplicate includedir in /etc/sudoers
cyrus-imapd Fix denial-of-service issue [CVE-2021-33582]
dazzdb Fix a use-after-free in DBstats
debian-edu-config debian-edu-ltsp-install: extend main server related exclude list; add slapd and xrdp-sesman to the list of masked services
debian-installer Rebuild against proposed updates; update Linux ABI to 5.10.0-9; use udebs from proposed-updates
debian-installer-netboot-images Rebuild against proposed-updates; use udebs from proposed-updates and stable; use xz-compressed Packages files
detox Fix handling of large files
devscripts Make the --bpo option target bullseye-backports
dlt-viewer Add missing qdlt/qdlt*.h header files to dev package
dpdk New upstream stable release
fetchmail Fix segmentation fault and security regression
flatpak New upstream stable release; don't inherit an unusual $XDG_RUNTIME_DIR setting into the sandbox
freeradius Fix thread crash and sample configuration
galera-3 New upstream stable release
galera-4 New upstream stable release; solve circular Conflicts with galera-3 by no longer providing a virtual galera package
glewlwyd Fix possible buffer overflow during FIDO2 signature validation in webauthn registration [CVE-2021-40818]
glibc Restart openssh-server even if it has been deconfigured during the upgrade; fix text fallback when debconf is unusable
gnome-maps New upstream stable release; fix a crash when starting up with last-used map type being aerial, and no aerial tile definition is found; don't sometimes write broken last view position on exit; fix hang when dragging around route markers
gnome-shell New upstream stable release; fix freeze after cancelling (some) system-modal dialogs; fix word suggestions in on-screen keyboard; fix crashes
hdf5 Adjust package dependencies to improve upgrade paths from older releases
iotop-c Properly handle UTF-8 process names
jailkit Fix creation of jails that need to use /dev; fix library presence check
java-atk-wrapper Also use dbus to detect accessibility being enabled
krb5 Fix KDC null dereference crash on FAST request with no server field [CVE-2021-37750]; fix memory leak in krb5_gss_inquire_cred
libavif Use correct libdir in libavif.pc pkgconfig file
libbluray Switch to embedded libasm; the version from libasm-java is too new
libdatetime-timezone-perl New upstream stable release; update DST rules for Samoa and Jordon; confirmation of no leap second on 2021-12-31
libslirp Fix multiple buffer overflow issues [CVE-2021-3592 CVE-2021-3593 CVE-2021-3594 CVE-2021-3595]
linux New upstream stable release; increase ABI to 9; [rt] Update to 5.10.65-rt53; [mipsel] bpf, mips: Validate conditional branch offsets [CVE-2021-38300]
linux-signed-amd64 New upstream stable release; increase ABI to 9; [rt] Update to 5.10.65-rt53; [mipsel] bpf, mips: Validate conditional branch offsets [CVE-2021-38300]
linux-signed-arm64 New upstream stable release; increase ABI to 9; [rt] Update to 5.10.65-rt53; [mipsel] bpf, mips: Validate conditional branch offsets [CVE-2021-38300]
linux-signed-i386 New upstream stable release; increase ABI to 9; [rt] Update to 5.10.65-rt53; [mipsel] bpf, mips: Validate conditional branch offsets [CVE-2021-38300]
mariadb-10.5 New upstream stable release; security fixes [CVE-2021-2372 CVE-2021-2389]
mbrola Fix end of file detection
modsecurity-crs Fix request body bypass issue [CVE-2021-35368]
mtr Fix regression in JSON output
mutter New upstream stable release; kms: Improve handling of common video modes that might exceed the possible bandwidth; ensure valid window texture size after viewport changes
nautilus Avoid opening multiple selected files in multiple application instances; don't save window size and position when tiled; fix some memory leaks; update translations
node-ansi-regex Fix regular expression-based denial of service issue [CVE-2021-3807]
node-axios Fix regular expression-based denial of service issue [CVE-2021-3749]
node-object-path Fix prototype pollution issues [CVE-2021-23434 CVE-2021-3805]
node-prismjs Fix regular expression-based denial of service issue [CVE-2021-3801]
node-set-value Fix prototype pollution [CVE-2021-23440]
node-tar Remove non-directory paths from the directory cache [CVE-2021-32803]; strip absolute paths more comprehensively [CVE-2021-32804]
osmcoastline Fix projections other than WGS84
osmpbf Rebuild against protobuf 3.12.4
pam Fix syntax error in libpam0g.postinst when a systemd unit fails
perl Security update; fix a regular expression memory leak
pglogical Update for PostgreSQL 13.4 snapshot handling fixes
pmdk Fix missing barriers after non-temporal memcpy
postgresql-13 New upstream stable release; fix mis-planning of repeated application of a projection step [CVE-2021-3677]; disallow SSL renegotiation more completely
proftpd-dfsg Fix mod_radius leaks memory contents to radius server and sftp connection aborts with Corrupted MAC on input; skip escaping of already-escaped SQL text
pyx3 Fix horizontal font alignment issue with texlive 2020
reportbug Update suite names following bullseye release
request-tracker4 Fix login timing side-channel attack issue [CVE-2021-38562]
rhonabwy Fix JWE CBC tag computation and JWS alg:none signature verification
rpki-trust-anchors Add HTTPS URL to the LACNIC TAL
rsync Re-add --copy-devices; fix regression in --delay-updates; fix edge case in --mkpath; fix rsync-ssl; fix --sparce and --inplace; update options available to rrsync; documentation fixes
ruby-rqrcode-rails3 Fix for ruby-rqrcode 1.0 compatibility
sabnzbdplus Prevent directory escape in renamer function [CVE-2021-29488]
shellcheck Fix rendering of long options in manpage
shiro Fix authentication bypass issues [CVE-2020-1957 CVE-2020-11989 CVE-2020-13933 CVE-2020-17510]; update Spring Framework compatibility patch; support Guice 4
speech-dispatcher Fix setting of voice name for the generic module
telegram-desktop Avoid crash when auto-delete is enabled
termshark Include themes in package
tmux Fix a race condition which results in the config not being loaded if several clients are interacting with the server while it's initializing
txt2man Fix regression in handling display blocks
tzdata Update DST rules for Samoa and Jordan; confirm the absence of a leap second on 2021-12-31
ublock-origin New upstream stable release; fix denial of service issue [CVE-2021-36773]
ulfius Ensure memory is initialised before use [CVE-2021-40540]

تحديثات الأمان

أضافت هذه المراجعة تحديثات الأمان التالية للإصدار المستقر. سبق لفريق الأمان نشر تنبيه لكل تحديث:

معرَّف التنبيه الحزمة
DSA-4959 thunderbird
DSA-4960 haproxy
DSA-4961 tor
DSA-4962 ledgersmb
DSA-4963 openssl
DSA-4964 grilo
DSA-4965 libssh
DSA-4966 gpac
DSA-4967 squashfs-tools
DSA-4968 haproxy
DSA-4969 firefox-esr
DSA-4970 postorius
DSA-4971 ntfs-3g
DSA-4972 ghostscript
DSA-4973 thunderbird
DSA-4974 nextcloud-desktop
DSA-4975 webkit2gtk
DSA-4976 wpewebkit
DSA-4977 xen
DSA-4978 linux-signed-amd64
DSA-4978 linux-signed-arm64
DSA-4978 linux-signed-i386
DSA-4978 linux
DSA-4979 mediawiki

خلال مرحلة تجميد bullseye، بعض التحديثات أصدرت عبر أرشيف الأمان دون إرفاقها بتنبيهات أمان دبيان (DSA) هذه التحديثات مفصلة أدناه:

الحزمة السبب
apache2 Fix mod_proxy HTTP2 request line injection [CVE-2021-33193]
btrbk Fix arbitrary code execution issue [CVE-2021-38173]
c-ares Fix missing input validation on hostnames returned by DNS servers [CVE-2021-3672]
exiv2 Fix overflow issues [CVE-2021-29457 CVE-2021-31292]
firefox-esr New upstream stable release [CVE-2021-29980 CVE-2021-29984 CVE-2021-29985 CVE-2021-29986 CVE-2021-29988 CVE-2021-29989]
libencode-perl Encode: mitigate @INC pollution when loading ConfigLocal [CVE-2021-36770]
libspf2 spf_compile.c: Correct size of ds_avail [CVE-2021-20314]; fix reverse macro modifier
lynx Fix leakage of credentials if SNI was used together with a URL containing credentials [CVE-2021-38165]
nodejs New upstream stable release; fix use after free issue [CVE-2021-22930]
tomcat9 Fix authentication bypass issue [CVE-2021-30640] and request smuggling issue [CVE-2021-33037]
xmlgraphics-commons Fix server side request forgery issue [CVE-2020-11988]

مُثبِّت دبيان

حدِّث المُثبِّت ليتضمن الإصلاحات المندرجة في هذا الإصدار المستقر.

المسارات

القائمة الكاملة للحزم المغيّرة في هذه المراجعة:

https://deb.debian.org/debian/dists/bullseye/ChangeLog

التوزيعة المستقرة الحالية:

https://deb.debian.org/debian/dists/stable/

التحديثات المقترحة للتوزيعة المستقرة:

https://deb.debian.org/debian/dists/proposed-updates

معلومات حول التوزيعة المستقرة (ملاحظات الإصدار والأخطاء إلخ):

https://www.debian.org/releases/stable/

معلومات وإعلانات الأمان:

https://www.debian.org/security/

حول دبيان

مشروع دبيان هو اتحاد لمطوري البرمجيات الحرة تطوعوا بالوقت والمجهود لإنتاج نظام تشعيل دبيان حر بالكامل.

معلومات الاتصال

لمزيد من المعلومات يرجى زيارة موقع دبيان https://www.debian.org/ أو إرسال بريد إلكتروني إلى <press@debian.org> أو الاتصال بفريق إصدار المستقرة على <debian-release@lists.debian.org>.