Updated Debian 11: 11.7 released

April 29th, 2023

The Debian project is pleased to announce the seventh update of its stable distribution Debian 11 (codename bullseye). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 11 but only updates some of the packages included. There is no need to throw away old bullseye media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package Reason
akregator Fix validity checks, including fixing deletion of feeds and folders
apache2 Don't automatically enable apache2-doc.conf; fix regressions in http2 and mod_rewrite introduced in 2.4.56
at-spi2-core Set stop timeout to 5 seconds, so as not to needlessly block system shutdowns
avahi Fix local denial of service issue [CVE-2021-3468]
base-files Update for the 11.7 point release
c-ares Prevent stack overflow and denial of service [CVE-2022-4904]
clamav New upstream stable release; fix possible remote code execution issue in the HFS+ file parser [CVE-2023-20032], possible information leak in the DMG file parser [CVE-2023-20052]
command-not-found Add new non-free-firmware component, fixing upgrades to bookworm
containerd Fix denial of service issue [CVE-2023-25153]; fix possible privilege escalation via incorrect setup of supplementary groups [CVE-2023-25173]
crun Fix capability escalation issue due to containers being incorrectly started with non-empty default permissions [CVE-2022-27650]
cwltool Add missing dependency on python3-distutils
debian-archive-keyring Add bookworm keys; move stretch keys to the removed keyring
debian-installer Increase Linux kernel ABI to 5.10.0-22; rebuild against proposed-updates
debian-installer-netboot-images Rebuild against proposed-updates
debian-ports-archive-keyring Extend the 2023 signing key's expiration by one year; add 2024 signing key; move 2022 signing key to the removed keyring
dpdk New upstream stable release
duktape Fix crash issue [CVE-2021-46322]
e2tools Fix build failure by adding build dependency on e2fsprogs
erlang Fix client authentication bypass issue [CVE-2022-37026]; use -O1 optimization for armel because -O2 makes erl segfault on certain platforms, e.g. Marvell
exiv2 Security fixes [CVE-2021-29458 CVE-2021-29463 CVE-2021-29464 CVE-2021-29470 CVE-2021-29473 CVE-2021-29623 CVE-2021-32815 CVE-2021-34334 CVE-2021-34335 CVE-2021-3482 CVE-2021-37615 CVE-2021-37616 CVE-2021-37618 CVE-2021-37619 CVE-2021-37620 CVE-2021-37621 CVE-2021-37622 CVE-2021-37623]
flask-security Fix open redirect vulnerability [CVE-2021-23385]
flatpak New upstream stable release; escape special characters when displaying permissions and metadata [CVE-2023-28101]; don't allow copy/paste via the TIOCLINUX ioctl when running in a Linux virtual console [CVE-2023-28100]
galera-3 New upstream stable release
ghostscript Fix path for PostScript helper file in ps2epsi
glibc Fix memory leak in printf-family functions with long multibyte strings; fix crash in printf-family due to width/precision-dependent allocations; fix segfault in printf handling thousands separator; fix overflow in the AVX2 implementation of wcsnlen when crossing pages
golang-github-containers-common Fix parsing of DBUS_SESSION_BUS_ADDRESS
golang-github-containers-psgo Do not enter the process user namespace [CVE-2022-1227]
golang-github-containers-storage Make previously internal functions publicly accessible, required to allow fixing CVE-2022-1227 in other packages
golang-github-prometheus-exporter-toolkit Patch tests to avoid race condition; fix authentication cache poisoning issue [CVE-2022-46146]
grep Fix incorrect matching when the last of multiple patterns includes a backreference
gtk+3.0 Fix Wayland + EGL on GLES-only platforms
guix Fix build failure due to expired keys used in test suite
intel-microcode New upstream bug-fix release
isc-dhcp Fix IPv6 address lifetime handling
jersey1 Fix build failure with libjettison-java 1.5.3
joblib Fix arbitrary code execution issue [CVE-2022-21797]
lemonldap-ng Fix URL validation bypass issue; fix 2FA issue when using AuthBasic handler [CVE-2023-28862]
libapache2-mod-auth-openidc Fix open redirect issue [CVE-2022-23527]
libapreq2 Fix buffer overflow issue [CVE-2022-22728]
libdatetime-timezone-perl Update included data
libexplain Enhance compatibility with newer kernel versions - Linux 5.11 no longer has if_frad.h, termiox removed since kernel 5.12
libgit2 Enable SSH key verification by default [CVE-2023-22742]
libpod Fix privilege escalation issue [CVE-2022-1227]; fix capability escalation issue due to containers being incorrectly started with non-empty default permissions [CVE-2022-27649]; fix parsing of DBUS_SESSION_BUS_ADDRESS
libreoffice Change Croatia's default currency to Euro; avoid empty -Djava.class.path= [CVE-2022-38745]
libvirt Fix container reboot-related issues; fix test failures when combined with newer Xen versions
libxpm Fix infinite loop issues [CVE-2022-44617 CVE-2022-46285]; fix double free issue in error handling code; fix compression commands depending on PATH [CVE-2022-4883]
libzen Fix null pointer dereference issue [CVE-2020-36646]
linux New upstream stable release; increase ABI to 22; [rt] update to 5.10.176-rt86
linux-signed-amd64 New upstream stable release; increase ABI to 22; [rt] update to 5.10.176-rt86
linux-signed-arm64 New upstream stable release; increase ABI to 22; [rt] update to 5.10.176-rt86
linux-signed-i386 New upstream stable release; increase ABI to 22; [rt] update to 5.10.176-rt86
lxc Fix file existence oracle [CVE-2022-47952]
macromoleculebuilder Fix build failure by adding build dependency on docbook-xsl
mariadb-10.5 New upstream stable release; revert upstream libmariadb API change
mono Remove desktop file
ncurses Guard against corrupt terminfo data [CVE-2022-29458]; fix tic crash on very long tc/use clauses
needrestart Fix warnings when using -b option
node-cookiejar Guard against maliciously-sized cookies [CVE-2022-25901]
node-webpack Avoid cross-realm object access [CVE-2023-28154]
nvidia-graphics-drivers New upstream release; security fixes [CVE-2023-0180 CVE-2023-0184 CVE-2023-0185 CVE-2023-0187 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199]
nvidia-graphics-drivers-tesla-450 New upstream release; security fixes [CVE-2023-0180 CVE-2023-0184 CVE-2023-0185 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199]
nvidia-graphics-drivers-tesla-470 New upstream release; security fixes [CVE-2023-0180 CVE-2023-0184 CVE-2023-0185 CVE-2023-0187 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199]
nvidia-modprobe New upstream release
openvswitch Fix openvswitch-switch update leaving interfaces down
passenger Fix compatibility with more recent NodeJS versions
phyx Remove unnecessary build dependency on libatlas-cpp
postfix New upstream stable release
postgis Fix wrong Polar stereographic axis order
postgresql-13 New upstream stable release; fix client memory disclosure issue [CVE-2022-41862]
python-acme Fix version of created CSRs, to prevent problems with strictly RFC-complying implementations of the ACME API
ruby-aws-sdk-core Fix generation of version file
ruby-cfpropertylist Fix some functionality by dropping compatibility with Ruby 1.8
shim New upstream release; new upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4
shim-helpers-amd64-signed New upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4
shim-helpers-arm64-signed New upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4
shim-helpers-i386-signed New upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4
shim-signed New upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4
snakeyaml Fix denial of service issues [CVE-2022-25857 CVE-2022-38749 CVE-2022-38750 CVE-2022-38751]; add documentation regarding security support / issues
spyder Fix duplication of code when saving
symfony Remove private headers before storing responses with HttpCache [CVE-2022-24894]; remove CSRF tokens from storage on successful login [CVE-2022-24895]
systemd Fix information leak issue [CVE-2022-4415], denial of service issue [CVE-2022-3821]; ata_id: fix getting Response Code from SCSI Sense Data; logind: fix getting property OnExternalPower via D-Bus; fix crash in systemd-machined
tomcat9 Add OpenJDK 17 support to JDK detection
traceroute Interpret v4mapped-IPv6 addresses as IPv4
tzdata Update included data
unbound Fix Non-Responsive Delegation Attack [CVE-2022-3204]; fix ghost domain names issue [CVE-2022-30698 CVE-2022-30699]
usb.ids Update included data
vagrant Add support for VirtualBox 7.0
voms-api-java Fix build failures by disabling some non-working tests
w3m Fix out-of-bounds write issue [CVE-2022-38223]
x4d-icons Fix build failure with newer imagemagick versions
xapian-core Prevent database corruption on disk exhaustion
zfs-linux Add several stability improvements

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-5170 nodejs
DSA-5237 firefox-esr
DSA-5238 thunderbird
DSA-5259 firefox-esr
DSA-5262 thunderbird
DSA-5282 firefox-esr
DSA-5284 thunderbird
DSA-5300 pngcheck
DSA-5301 firefox-esr
DSA-5302 chromium
DSA-5303 thunderbird
DSA-5304 xorg-server
DSA-5305 libksba
DSA-5306 gerbv
DSA-5307 libcommons-net-java
DSA-5308 webkit2gtk
DSA-5309 wpewebkit
DSA-5310 ruby-image-processing
DSA-5311 trafficserver
DSA-5312 libjettison-java
DSA-5313 hsqldb
DSA-5314 emacs
DSA-5315 libxstream-java
DSA-5316 netty
DSA-5317 chromium
DSA-5318 lava
DSA-5319 openvswitch
DSA-5320 tor
DSA-5321 sudo
DSA-5322 firefox-esr
DSA-5323 libitext5-java
DSA-5324 linux-signed-amd64
DSA-5324 linux-signed-arm64
DSA-5324 linux-signed-i386
DSA-5324 linux
DSA-5325 spip
DSA-5326 nodejs
DSA-5327 swift
DSA-5328 chromium
DSA-5329 bind9
DSA-5330 curl
DSA-5331 openjdk-11
DSA-5332 git
DSA-5333 tiff
DSA-5334 varnish
DSA-5335 openjdk-17
DSA-5336 glance
DSA-5337 nova
DSA-5338 cinder
DSA-5339 libhtml-stripscripts-perl
DSA-5340 webkit2gtk
DSA-5341 wpewebkit
DSA-5342 xorg-server
DSA-5343 openssl
DSA-5344 heimdal
DSA-5345 chromium
DSA-5346 libde265
DSA-5347 imagemagick
DSA-5348 haproxy
DSA-5349 gnutls28
DSA-5350 firefox-esr
DSA-5351 webkit2gtk
DSA-5352 wpewebkit
DSA-5353 nss
DSA-5355 thunderbird
DSA-5356 sox
DSA-5357 git
DSA-5358 asterisk
DSA-5359 chromium
DSA-5361 tiff
DSA-5362 frr
DSA-5363 php7.4
DSA-5364 apr-util
DSA-5365 curl
DSA-5366 multipath-tools
DSA-5367 spip
DSA-5368 libreswan
DSA-5369 syslog-ng
DSA-5370 apr
DSA-5371 chromium
DSA-5372 rails
DSA-5373 node-sqlite3
DSA-5374 firefox-esr
DSA-5375 thunderbird
DSA-5376 apache2
DSA-5377 chromium
DSA-5378 xen
DSA-5379 dino-im
DSA-5380 xorg-server
DSA-5381 tomcat9
DSA-5382 cairosvg
DSA-5383 ghostscript
DSA-5384 openimageio
DSA-5385 firefox-esr
DSA-5386 chromium
DSA-5387 openvswitch
DSA-5388 haproxy
DSA-5389 rails
DSA-5390 chromium
DSA-5391 libxml2
DSA-5392 thunderbird
DSA-5393 chromium

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
bind-dyndb-ldap Broken with newer bind9 versions; unsupportable in stable
matrix-mirage Depends on to-be-removed python-matrix-nio
pantalaimon Depends on to-be-removed python-matrix-nio
python-matrix-nio Security issues; doesn't work with current Matrix servers
weechat-matrix Depends on to-be-removed python-matrix-nio

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

https://deb.debian.org/debian/dists/bullseye/ChangeLog

The current stable distribution:

https://deb.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

https://deb.debian.org/debian/dists/proposed-updates

Stable distribution information (release notes, errata, etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.