Uppdaterad Debian 11; 11.4 utgiven

9 juli 2022

Debianprojektet presenterar stolt sin fjärde uppdatering till dess stabila utgåva Debian 11 (med kodnamnet bullseye). Denna punktutgåva lägger huvudsakligen till rättningar för säkerhetsproblem, tillsammans med ytterligare rättningar för allvarliga problem. Säkerhetsbulletiner har redan publicerats separat och refereras när de finns tillgängliga.

Vänligen notera att punktutgåvan inte innebär en ny version av Debian 11 utan endast uppdaterar några av de inkluderade paketen. Det behövs inte kastas bort gamla media av bullseye. Efter installationen kan paket uppgraderas till de aktuella versionerna genom att använda en uppdaterad Debianspegling..

De som frekvent installerar uppdateringar från security.debian.org kommer inte att behöva uppdatera många paket, och de flesta av sådana uppdateringar finns inkluderade i punktutgåvan.

Nya installationsavbildningar kommer snart att finnas tillgängliga på de vanliga platserna.

En uppgradering av en existerande installation till denna revision kan utföras genom att peka pakethanteringssystemet på en av Debians många HTTP-speglingar. En utförlig lista på speglingar finns på:


Blandade felrättningar

Denna uppdatering av den stabila utgåvan lägger till några viktiga felrättningar till följande paket:

Paket Orsak
apache2 New upstream stable release; fix HTTP request smuggling issue [CVE-2022-26377], out-of-bounds read issues [CVE-2022-28330 CVE-2022-28614 CVE-2022-28615], denial of service issues [CVE-2022-29404 CVE-2022-30522], possible out-of-bounds read issue [CVE-2022-30556], possible IP-based authentication bypass issue [CVE-2022-31813]
base-files Update /etc/debian_version for the 11.4 point release
bash Fix 1-byte buffer overflow read, causing corrupted multibyte characters in command substitutions
clamav New upstream stable release; security fixes [CVE-2022-20770 CVE-2022-20771 CVE-2022-20785 CVE-2022-20792 CVE-2022-20796]
clementine Add missing dependency on libqt5sql5-sqlite
composer Fix code injection issue [CVE-2022-24828]; update GitHub token pattern
cyrus-imapd Ensure that all mailboxes have a uniqueid field, fixing upgrades to version 3.6
dbus-broker Fix buffer overflow issue [CVE-2022-31212]
debian-edu-config Accept mail from the local network sent to root@<mynetwork-names>; only create Kerberos host and service principals if they don't yet exist; ensure libsss-sudo is installed on Roaming Workstations; fix naming and visibility of print queues; support krb5i on Diskless Workstations; squid: prefer DNSv4 lookups over DNSv6
debian-installer Rebuild against proposed-updates; increase Linux kernel ABI to 16; reinstate some armel netboot targets (openrd)
debian-installer-netboot-images Rebuild against proposed-updates; increase Linux kernel ABI to 16; reinstate some armel netboot targets (openrd)
distro-info-data Add Ubuntu 22.10, Kinetic Kudu
docker.io Order docker.service after containerd.service to fix shutdown of containers; explicitly pass the containerd socket path to dockerd to make sure it doesn't start containerd on its own
dpkg dpkg-deb: Fix unexpected end of file conditions on .deb extract; libdpkg: Do not restrict source:* virtual fields to installed packages; Dpkg::Source::Package::V2: Always fix the permissions for upstream tarballs (regression from DSA-5147-1]
freetype Fix buffer overflow issue [CVE-2022-27404]; fix crashes [CVE-2022-27405 CVE-2022-27406]
fribidi Fix buffer overflow issues [CVE-2022-25308 CVE-2022-25309]; fix crash [CVE-2022-25310]
ganeti New upstream release; fix several upgrade issues; fix live migration with QEMU 4 and security_model of user or pool
geeqie Fix Ctrl click inside of a block selection
gnutls28 Fix SSSE3 SHA384 miscalculation; fix null pointer deference issue [CVE-2021-4209]
golang-github-russellhaering-goxmldsig Fix null pointer dereference caused by crafted XML signatures [CVE-2020-7711]
grunt Fix path traversal issue [CVE-2022-0436]
hdmi2usb-mode-switch udev: Add a suffix to /dev/video device nodes to disambiguate them; move udev rules to priority 70, to come after 60-persistent-v4l.rules
hexchat Add missing dependency on python3-cffi-backend
htmldoc Fix infinite loop [CVE-2022-24191], integer overflow issues [CVE-2022-27114] and heap buffer overflow issue [CVE-2022-28085]
knot-resolver Fix possible assertion failure in NSEC3 edge-case [CVE-2021-40083]
libapache2-mod-auth-openidc New upstream stable release; fix open redirect issue [CVE-2021-39191]; fix crash on reload / restart
libintl-perl Really install gettext_xs.pm
libsdl2 Avoid out-of-bounds read while loading malformed BMP file [CVE-2021-33657], and during YUV to RGB conversion
libtgowt New upstream stable release, to support newer telegram-desktop
linux New upstream stable release; increase ABI to 16
linux-signed-amd64 New upstream stable release; increase ABI to 16
linux-signed-arm64 New upstream stable release; increase ABI to 16
linux-signed-i386 New upstream stable release; increase ABI to 16
logrotate Skip locking if state file is world-readable [CVE-2022-1348]; make configuration parsing stricter in order to avoid parsing foreign files such as core dumps
lxc Update default GPG key server, fixing creating of containers using the download template
minidlna Validate HTTP requests to protect against DNS rebinding attacks [CVE-2022-26505]
mutt Fix uudecode buffer overflow issue [CVE-2022-1328]
nano Several bug fixes, including fixes for crashes
needrestart Make cgroup detection for services and user sessions cgroup v2 aware
network-manager New upstream stable release
nginx Fix crash when libnginx-mod-http-lua is loaded and init_worker_by_lua* is used; mitigate application layer protocol content confusion attack in the Mail module [CVE-2021-3618]
node-ejs Fix server-side template injection issue [CVE-2022-29078]
node-eventsource Strip sensitive headers on redirect to different origin [CVE-2022-1650]
node-got Don't allow redirection to Unix socket [CVE-2022-33987]
node-mermaid Fix cross-site scripting issues [CVE-2021-23648 CVE-2021-43861]
node-minimist Fix prototype pollution issue [CVE-2021-44906]
node-moment Fix path traversal issue [CVE-2022-24785]
node-node-forge Fix signature verification issues [CVE-2022-24771 CVE-2022-24772 CVE-2022-24773]
node-raw-body Fix potential denial of service issue in node-express, by using node-iconv-lite rather than node-iconv
node-sqlite3 Fix denial of service issue [CVE-2022-21227]
node-url-parse Fix authentication bypass issues [CVE-2022-0686 CVE-2022-0691]
nvidia-cuda-toolkit Use OpenJDK8 snapshots for amd64 and ppc64el; check usability of the java binary; nsight-compute: Move the 'sections' folder to a multiarch location; fix nvidia-openjdk-8-jre version ordering
nvidia-graphics-drivers New upstream release; switch to upstream 470 tree; fix denial of service issues [CVE-2022-21813 CVE-2022-21814]; fix out-of-bounds write issue [CVE-2022-28181], out-of-bounds read issue [CVE-2022-28183], denial of service issues [CVE-2022-28184 CVE-2022-28191 CVE-2022-28192]
nvidia-graphics-drivers-legacy-390xx New upstream release; fix out-of-bound write issues [CVE-2022-28181 CVE-2022-28185]
nvidia-graphics-drivers-tesla-418 New upstream stable release
nvidia-graphics-drivers-tesla-450 New upstream stable release; fix out-of-bounds write issues [CVE-2022-28181 CVE-2022-28185], denial of service issue [CVE-2022-28192]
nvidia-graphics-drivers-tesla-460 New upstream stable release
nvidia-graphics-drivers-tesla-470 New package, switching Tesla support to upstream 470 tree; fix out-of-bounds write issue [CVE-2022-28181], out-of-bounds read issue [CVE-2022-28183], denial of service issues [CVE-2022-28184 CVE-2022-28191 CVE-2022-28192]
nvidia-persistenced New upstream release; switch to upstream 470 tree
nvidia-settings New upstream release; switch to upstream 470 tree
nvidia-settings-tesla-470 New package, switching Tesla support to upstream 470 tree
nvidia-xconfig New upstream release
openssh seccomp: add pselect6_time64 syscall on 32-bit architectures
orca Fix usage with webkitgtk 2.36
php-guzzlehttp-psr7 Fix improper header parsing [CVE-2022-24775]
phpmyadmin Fix some SQL queries generating a server error
postfix New upstream stable release; do not override user set default_transport in postinst; if-up.d: do not error out if postfix can't send mail yet
procmail Fix null pointer dereference
python-scrapy Don't send authentication data with all requests [CVE-2021-41125]; don't expose cookies cross-domain when redirecting [CVE-2022-0577]
ruby-net-ssh Fix authentication against systems using OpenSSH 8.8
runc Honour seccomp defaultErrnoRet; do not set inheritable capabilities [CVE-2022-29162]
samba Fix winbind start failure when allow trusted domains = no is used; fix MIT Kerberos authentication; fix share escape issue via mkdir race condition [CVE-2021-43566]; fix possible serious data corruption issue due to Windows client cache poisoning; fix installation on non-systemd systems
tcpdump Update AppArmor profile to allow access to *.cap files, and handle numerical suffix in filenames added by -W
telegram-desktop New upstream stable release, restoring functionality
tigervnc Fix GNOME desktop start up when using tigervncserver@.service; fix colour display when vncviewer and X11 server use different endianness
twisted Fix information disclosure issue with cross-domain redirects [CVE-2022-21712], denial of service issue during SSH handshakes [CVE-2022-21716], HTTP request smuggling issues [CVE-2022-24801]
tzdata Update timezone data for Palestine; update leap andra list
ublock-origin New upstream stable release
unrar-nonfree Fix directory traversal issue [CVE-2022-30333]
usb.ids New upstream release; update included data
wireless-regdb New upstream release; remove diversion added by the installer, ensuring that files from the package are used


Denna revision lägger till följande säkerhetsuppdateringar till den stabila utgåvan. Säkerhetsgruppen har redan släppt bulletiner för alla dessa uppdateringar:

Bulletin-ID Paket
DSA-4999 asterisk
DSA-5026 firefox-esr
DSA-5034 thunderbird
DSA-5044 firefox-esr
DSA-5045 thunderbird
DSA-5069 firefox-esr
DSA-5074 thunderbird
DSA-5086 thunderbird
DSA-5090 firefox-esr
DSA-5094 thunderbird
DSA-5097 firefox-esr
DSA-5106 thunderbird
DSA-5107 php-twig
DSA-5108 tiff
DSA-5110 chromium
DSA-5111 zlib
DSA-5112 chromium
DSA-5113 firefox-esr
DSA-5114 chromium
DSA-5115 webkit2gtk
DSA-5116 wpewebkit
DSA-5117 xen
DSA-5118 thunderbird
DSA-5119 subversion
DSA-5120 chromium
DSA-5121 chromium
DSA-5122 gzip
DSA-5123 xz-utils
DSA-5124 ffmpeg
DSA-5125 chromium
DSA-5127 linux-signed-amd64
DSA-5127 linux-signed-arm64
DSA-5127 linux-signed-i386
DSA-5127 linux
DSA-5128 openjdk-17
DSA-5129 firefox-esr
DSA-5130 dpdk
DSA-5131 openjdk-11
DSA-5132 ecdsautils
DSA-5133 qemu
DSA-5134 chromium
DSA-5136 postgresql-13
DSA-5137 needrestart
DSA-5138 waitress
DSA-5139 openssl
DSA-5140 openldap
DSA-5141 thunderbird
DSA-5142 libxml2
DSA-5143 firefox-esr
DSA-5145 lrzip
DSA-5147 dpkg
DSA-5148 chromium
DSA-5149 cups
DSA-5150 rsyslog
DSA-5151 smarty3
DSA-5152 spip
DSA-5153 trafficserver
DSA-5154 webkit2gtk
DSA-5155 wpewebkit
DSA-5156 firefox-esr
DSA-5157 cifs-utils
DSA-5158 thunderbird
DSA-5159 python-bottle
DSA-5160 ntfs-3g
DSA-5161 linux-signed-amd64
DSA-5161 linux-signed-arm64
DSA-5161 linux-signed-i386
DSA-5161 linux
DSA-5162 containerd
DSA-5163 chromium
DSA-5164 exo
DSA-5165 vlc
DSA-5166 slurm-wlm
DSA-5167 firejail
DSA-5168 chromium
DSA-5169 openssl
DSA-5171 squid
DSA-5172 firefox-esr
DSA-5174 gnupg2

Borttagna paket

Följande paket har tagits bort på grund av omständigheter utom vår kontroll:

Paket Orsak
elog Unmaintained; security issues
python-hbmqtt Unamintained and broken


Installeraren har uppdaterats för att inkludera rättningarna som har inkluderats i den stabila utgåvan med denna punktutgåva.


Den fullständiga listan på paket som har förändrats i denna revision:


Den aktuella stabila utgåvan:


Föreslagna uppdateringar till den stabila utgåvan:


Information om den stabila utgåvan (versionsfakta, kända problem osv.):


Säkerhetsbulletiner och information:


Om Debian

Debianprojektet är en grupp utvecklare av Fri mjukvara som donerar sin tid och kraft för att producera det helt fria operativsystemet Debian.


För ytterligare information, vänligen besök Debians webbplats på https://www.debian.org/, skicka e-post till <press@debian.org> (på engelska), eller kontakta gruppen för stabila utgåvor på <debian-release@lists.debian.org>.