Updated Debian 11: 11.3 released

March 26th, 2022

The Debian project is pleased to announce the third update of its stable distribution Debian 11 (codename bullseye). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 11 but only updates some of the packages included. There is no need to throw away old bullseye media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package Reason
apache-log4j1.2 Resolve security issues [CVE-2021-4104 CVE-2022-23302 CVE-2022-23305 CVE-2022-23307], by removing support for the JMSSink, JDBCAppender, JMSAppender and Apache Chainsaw modules
apache-log4j2 Fix remote code execution issue [CVE-2021-44832]
apache2 New upstream release; fix crash due to random memory read [CVE-2022-22719]; fix HTTP request smuggling issue [CVE-2022-22720]; fix out-of-bounds write issues [CVE-2022-22721 CVE-2022-23943]
atftp Fix information leak issue [CVE-2021-46671]
base-files Update for the 11.3 point release
bible-kjv Fix off-by-one-error in search
chrony Allow reading the chronyd configuration file that timemaster(8) generates
cinnamon Fix crash when adding an online account with login
clamav New upstream stable release; fix denial of service issue [CVE-2022-20698]
cups-filters Apparmor: allow reading from Debian Edu's cups-browsed configuration file
dask.distributed Fix undesired listening of workers on public interfaces [CVE-2021-42343]; fix compatibility with Python 3.9
debian-installer Rebuild against proposed-updates; update Linux kernel ABI to 5.10.0-13
debian-installer-netboot-images Rebuild against proposed-updates
debian-ports-archive-keyring Add Debian Ports Archive Automatic Signing Key (2023); move the 2021 signing key to the removed keyring
django-allauth Fix OpenID support
djbdns Raise the axfrdns, dnscache, and tinydns data limit
dpdk New upstream stable release
e2guardian Fix missing SSL certificate validation issue [CVE-2021-44273]
epiphany-browser Work around a bug in GLib, fixing a UI process crash
espeak-ng Drop spurious 50ms delay while processing events
espeakup debian/espeakup.service: Protect espeakup from system overloads
fcitx5-chinese-addons fcitx5-table: add missing dependencies on fcitx5-module-pinyinhelper and fcitx5-module-punctuation
flac Fix out-of-bounds write issue [CVE-2021-0561]
freerdp2 Disable additional debug logging
galera-3 New upstream release
galera-4 New upstream release
gbonds Use Treasury API for redemption data
glewlwyd Fix possible privilege escalation
glibc Fix bad conversion from ISO-2022-JP-3 with iconv [CVE-2021-43396]; fix buffer overflow issues [CVE-2022-23218 CVE-2022-23219]; fix use-after-free issue [CVE-2021-33574]; stop replacing older versions of /etc/nsswitch.conf; simplify the check for supported kernel versions, as 2.x kernels are no longer supported; support installation on kernels with a release number greater than 255
glx-alternatives After initial setup of the diversions, install a minimal alternative to the diverted files so that libraries are not missing until glx-alternative-mesa processes its triggers
gnupg2 scd: Fix CCID driver for SCM SPR332/SPR532; avoid network interaction in generator, which can lead to hangs
gnuplot Fix division by zero [CVE-2021-44917]
golang-1.15 Fix IsOnCurve for big.Int values that are not valid coordinates [CVE-2022-23806]; math/big: prevent large memory consumption in Rat.SetString [CVE-2022-23772]; cmd/go: prevent branches from materializing into versions [CVE-2022-23773]; fix stack exhaustion compiling deeply nested expressions [CVE-2022-24921]
golang-github-containers-common Update seccomp support to enable use of newer kernel versions
golang-github-opencontainers-specs Update seccomp support to enable use of newer kernel versions
gtk+3.0 Fix missing search results when using NFS; prevent Wayland clipboard handling from locking up in certain corner cases; improve printing to mDNS-discovered printers
heartbeat Fix creation of /run/heartbeat on systems using systemd
htmldoc Fix out-of-bounds read issue [CVE-2022-0534]
installation-guide Update documentation and translations
intel-microcode Update included microcode; mitigate some security issues [CVE-2020-8694 CVE-2020-8695 CVE-2021-0127 CVE-2021-0145 CVE-2021-0146 CVE-2021-33120]
ldap2zone Use mktemp rather than the deprecated tempfile, avoiding warnings
lemonldap-ng Fix auth process in password-testing plugins [CVE-2021-40874]
libarchive Fix extracting hardlinks to symlinks; fix handling of symlink ACLs [CVE-2021-23177]; never follow symlinks when setting file flags [CVE-2021-31566]
libdatetime-timezone-perl Update included data
libgdal-grass Rebuild against grass 7.8.5-1+deb11u1
libpod Update seccomp support to enable use of newer kernel versions
libxml2 Fix use-after-free issue [CVE-2022-23308]
linux New upstream stable release; [rt] Update to 5.10.106-rt64; increase ABI to 13
linux-signed-amd64 New upstream stable release; [rt] Update to 5.10.106-rt64; increase ABI to 13
linux-signed-arm64 New upstream stable release; [rt] Update to 5.10.106-rt64; increase ABI to 13
linux-signed-i386 New upstream stable release; [rt] Update to 5.10.106-rt64; increase ABI to 13
mariadb-10.5 New upstream release; security fixes [CVE-2021-35604 CVE-2021-46659 CVE-2021-46661 CVE-2021-46662 CVE-2021-46663 CVE-2021-46664 CVE-2021-46665 CVE-2021-46667 CVE-2021-46668 CVE-2022-24048 CVE-2022-24050 CVE-2022-24051 CVE-2022-24052]
mpich Add Breaks: on older versions of libmpich1.0-dev, resolving some upgrade issues
mujs Fix buffer overflow issue [CVE-2021-45005]
mutter Backport various fixes from upstream's stable branch
node-cached-path-relative Fix prototype pollution issue [CVE-2021-23518]
node-fetch Don't forward secure headers to third party domains [CVE-2022-0235]
node-follow-redirects Don't send Cookie header across domains [CVE-2022-0155]; don't send confidential headers across schemes [CVE-2022-0536]
node-markdown-it Fix regular expression-based denial of service issue [CVE-2022-21670]
node-nth-check Fix regular expression-based denial of service issue [CVE-2021-3803]
node-prismjs Escape markup in command line output [CVE-2022-23647]; update minified files to ensure that Regular Expression Denial of Service issue is resolved [CVE-2021-3801]
node-trim-newlines Fix regular expression-based denial of service issue [CVE-2021-33623]
nvidia-cuda-toolkit cuda-gdb: Disable non-functional python support causing segmentation faults; use a snapshot of openjdk-8-jre (8u312-b07-1)
nvidia-graphics-drivers-tesla-450 New upstream release; fix denial of service issues [CVE-2022-21813 CVE-2022-21814]; nvidia-kernel-support: Provide /etc/modprobe.d/nvidia-options.conf as a template
nvidia-modprobe New upstream release
openboard Fix application icon
openssl New upstream release; fix armv8 pointer authentication
openvswitch Fix use-after-free issue [CVE-2021-36980]; fix installation of libofproto
ostree Fix compatibility with eCryptFS; avoid infinite recursion when recovering from certain errors; mark commits as partial before downloading; fix an assertion failure when using a backport or local build of GLib >= 2.71; fix the ability to fetch OSTree content from paths containing non-URI characters (such as backslashes) or non-ASCII
pdb2pqr Fix compatibility of propka with Python 3.8 or above
php-crypt-gpg Prevent additional options being passed to GPG [CVE-2022-24953]
php-laravel-framework Fix cross-site scripting issue [CVE-2021-43808], missing blocking of executable content upload [CVE-2021-43617]
phpliteadmin Fix cross-site scripting issue [CVE-2021-46709]
prips Fix infinite wrapping if a range reaches 255.255.255.255; fix CIDR output with addresses that differ in their first bit
pypy3 Fix build failures by removing extraneous #endif from import.h
python-django Fix denial of service issue [CVE-2021-45115], information disclosure issue [CVE-2021-45116], directory traversal issue [CVE-2021-45452]; fix a traceback around the handling of RequestSite/get_current_site() due to a circular import
python-pip Avoid a race-condition when using zip-imported dependencies
rust-cbindgen New upstream stable release to support builds of newer firefox-esr and thunderbird versions
s390-dasd Stop passing deprecated -f option to dasdfmt
schleuder Migrate boolean values to integers, if the ActiveRecord SQLite3 connection adapter is in use, restoring functionality
sphinx-bootstrap-theme Fix search functionality
spip Fix several cross-site scripting issues
symfony Fix CVE injection issue [CVE-2021-41270]
systemd Fix uncontrolled recursion in systemd-tmpfiles [CVE-2021-3997]; demote systemd-timesyncd from Depends to Recommends, removing a dependency cycle; fix failure to bind mount a directory into a container using machinectl; fix regression in udev resulting in long delays when processing partitions with the same label; fix a regression when using systemd-networkd in an unprivileged LXD container
sysvinit Fix parsing of shutdown +0; clarify that when called with a time shutdown will not exit
tasksel Install CUPS for all *-desktop tasks, as task-print-service no longer exists
usb.ids Update included data
weechat Fix denial of service issue [CVE-2021-40516]
wolfssl Fix several issues related to OCSP-handling [CVE-2021-3336 CVE-2021-37155 CVE-2021-38597] and TLS1.3 support [CVE-2021-44718 CVE-2022-25638 CVE-2022-25640]
xserver-xorg-video-intel Fix SIGILL crash on non-SSE2 CPUs
xterm Fix buffer overflow issue [CVE-2022-24130]
zziplib Fix denial of service issue [CVE-2020-18442]

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-5000 openjdk-11
DSA-5001 redis
DSA-5012 openjdk-17
DSA-5021 mediawiki
DSA-5023 modsecurity-apache
DSA-5024 apache-log4j2
DSA-5025 tang
DSA-5027 xorg-server
DSA-5028 spip
DSA-5029 sogo
DSA-5030 webkit2gtk
DSA-5031 wpewebkit
DSA-5033 fort-validator
DSA-5035 apache2
DSA-5037 roundcube
DSA-5038 ghostscript
DSA-5039 wordpress
DSA-5040 lighttpd
DSA-5041 cfrpki
DSA-5042 epiphany-browser
DSA-5043 lxml
DSA-5046 chromium
DSA-5047 prosody
DSA-5048 libreswan
DSA-5049 flatpak-builder
DSA-5049 flatpak
DSA-5050 linux-signed-amd64
DSA-5050 linux-signed-arm64
DSA-5050 linux-signed-i386
DSA-5050 linux
DSA-5051 aide
DSA-5052 usbview
DSA-5053 pillow
DSA-5054 chromium
DSA-5055 util-linux
DSA-5056 strongswan
DSA-5057 openjdk-11
DSA-5058 openjdk-17
DSA-5059 policykit-1
DSA-5060 webkit2gtk
DSA-5061 wpewebkit
DSA-5062 nss
DSA-5063 uriparser
DSA-5064 python-nbxmpp
DSA-5065 ipython
DSA-5067 ruby2.7
DSA-5068 chromium
DSA-5070 cryptsetup
DSA-5071 samba
DSA-5072 debian-edu-config
DSA-5073 expat
DSA-5075 minetest
DSA-5076 h2database
DSA-5077 librecad
DSA-5078 zsh
DSA-5079 chromium
DSA-5080 snapd
DSA-5081 redis
DSA-5082 php7.4
DSA-5083 webkit2gtk
DSA-5084 wpewebkit
DSA-5085 expat
DSA-5087 cyrus-sasl2
DSA-5088 varnish
DSA-5089 chromium
DSA-5091 containerd
DSA-5092 linux-signed-amd64
DSA-5092 linux-signed-arm64
DSA-5092 linux-signed-i386
DSA-5092 linux
DSA-5093 spip
DSA-5095 linux-signed-amd64
DSA-5095 linux-signed-arm64
DSA-5095 linux-signed-i386
DSA-5095 linux
DSA-5098 tryton-server
DSA-5099 tryton-proteus
DSA-5100 nbd
DSA-5101 libphp-adodb
DSA-5102 haproxy
DSA-5103 openssl
DSA-5104 chromium
DSA-5105 bind9

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
angular-maven-plugin No longer useful
minify-maven-plugin No longer useful

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

https://deb.debian.org/debian/dists/bullseye/ChangeLog

The current stable distribution:

https://deb.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

https://deb.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.