Uppdaterad Debian 11; 11.7 utgiven

29 april 2023

Debianprojektet presenterar stolt sin sjunde uppdatering till dess stabila utgåva Debian 11 (med kodnamnet bullseye). Denna punktutgåva lägger huvudsakligen till rättningar för säkerhetsproblem, tillsammans med ytterligare rättningar för allvarliga problem. Säkerhetsbulletiner har redan publicerats separat och refereras när de finns tillgängliga.

Vänligen notera att punktutgåvan inte innebär en ny version av Debian 11 utan endast uppdaterar några av de inkluderade paketen. Det behövs inte kastas bort gamla media av bullseye. Efter installationen kan paket uppgraderas till de aktuella versionerna genom att använda en uppdaterad Debianspegling..

De som frekvent installerar uppdateringar från security.debian.org kommer inte att behöva uppdatera många paket, och de flesta av sådana uppdateringar finns inkluderade i punktutgåvan.

Nya installationsavbildningar kommer snart att finnas tillgängliga på de vanliga platserna.

En uppgradering av en existerande installation till denna revision kan utföras genom att peka pakethanteringssystemet på en av Debians många HTTP-speglingar. En utförlig lista på speglingar finns på:

https://www.debian.org/mirror/list

Blandade felrättningar

Denna uppdatering av den stabila utgåvan lägger till några viktiga felrättningar till följande paket:

Paket Orsak
akregator Fix validity checks, including fixing deletion of feeds and folders
apache2 Don't automatically enable apache2-doc.conf; fix regressions in http2 and mod_rewrite introduced in 2.4.56
at-spi2-core Set stop timeout to 5 andras, so as not to needlessly block system shutdowns
avahi Fix local denial of service issue [CVE-2021-3468]
base-files Update for the 11.7 point release
c-ares Prevent stack overflow and denial of service [CVE-2022-4904]
clamav New upstream stable release; fix possible remote code execution issue in the HFS+ file parser [CVE-2023-20032], possible information leak in the DMG file parser [CVE-2023-20052]
command-not-found Add new non-free-firmware component, fixing upgrades to bookworm
containerd Fix denial of service issue [CVE-2023-25153]; fix possible privilege escalation via incorrect setup of supplementary groups [CVE-2023-25173]
crun Fix capability escalation issue due to containers being incorrectly started with non-empty default permissions [CVE-2022-27650]
cwltool Add missing dependency on python3-distutils
debian-archive-keyring Add bookworm keys; move stretch keys to the removed keyring
debian-installer Increase Linux kernel ABI to 5.10.0-22; rebuild against proposed-updates
debian-installer-netboot-images Rebuild against proposed-updates
debian-ports-archive-keyring Extend the 2023 signing key's expiration by one year; add 2024 signing key; move 2022 signing key to the removed keyring
dpdk New upstream stable release
duktape Fix crash issue [CVE-2021-46322]
e2tools Fix build failure by adding build dependency on e2fsprogs
erlang Fix client authentication bypass issue [CVE-2022-37026]; use -O1 optimization for armel because -O2 makes erl segfault on certain platforms, e.g. Marvell
exiv2 Security fixes [CVE-2021-29458 CVE-2021-29463 CVE-2021-29464 CVE-2021-29470 CVE-2021-29473 CVE-2021-29623 CVE-2021-32815 CVE-2021-34334 CVE-2021-34335 CVE-2021-3482 CVE-2021-37615 CVE-2021-37616 CVE-2021-37618 CVE-2021-37619 CVE-2021-37620 CVE-2021-37621 CVE-2021-37622 CVE-2021-37623]
flask-security Fix open redirect vulnerability [CVE-2021-23385]
flatpak New upstream stable release; escape special characters when displaying permissions and metadata [CVE-2023-28101]; don't allow copy/paste via the TIOCLINUX ioctl when running in a Linux virtual console [CVE-2023-28100]
galera-3 New upstream stable release
ghostscript Fix path for PostScript helper file in ps2epsi
glibc Fix memory leak in printf-family functions with long multibyte strings; fix crash in printf-family due to width/precision-dependent allocations; fix segfault in printf handling thousands separator; fix overflow in the AVX2 implementation of wcsnlen when crossing pages
golang-github-containers-common Fix parsing of DBUS_SESSION_BUS_ADDRESS
golang-github-containers-psgo Do not enter the process user namespace [CVE-2022-1227]
golang-github-containers-storage Make previously internal functions publicly accessible, required to allow fixing CVE-2022-1227 in other packages
golang-github-prometheus-exporter-toolkit Patch tests to avoid race condition; fix authentication cache poisoning issue [CVE-2022-46146]
grep Fix incorrect matching when the last of multiple patterns includes a backreference
gtk+3.0 Fix Wayland + EGL on GLES-only platforms
guix Fix build failure due to expired keys used in test suite
intel-microcode New upstream bug-fix release
isc-dhcp Fix IPv6 address lifetime handling
jersey1 Fix build failure with libjettison-java 1.5.3
joblib Fix arbitrary code execution issue [CVE-2022-21797]
lemonldap-ng Fix URL validation bypass issue; fix 2FA issue when using AuthBasic handler [CVE-2023-28862]
libapache2-mod-auth-openidc Fix open redirect issue [CVE-2022-23527]
libapreq2 Fix buffer overflow issue [CVE-2022-22728]
libdatetime-timezone-perl Update included data
libexplain Enhance compatibility with newer kernel versions - Linux 5.11 no longer has if_frad.h, termiox removed since kernel 5.12
libgit2 Enable SSH key verification by default [CVE-2023-22742]
libpod Fix privilege escalation issue [CVE-2022-1227]; fix capability escalation issue due to containers being incorrectly started with non-empty default permissions [CVE-2022-27649]; fix parsing of DBUS_SESSION_BUS_ADDRESS
libreoffice Change Croatia's default currency to Euro; avoid empty -Djava.class.path= [CVE-2022-38745]
libvirt Fix container reboot-related issues; fix test failures when combined with newer Xen versions
libxpm Fix infinite loop issues [CVE-2022-44617 CVE-2022-46285]; fix double free issue in error handling code; fix compression commands depend on PATH [CVE-2022-4883]
libzen Fix null pointer dereference issue [CVE-2020-36646]
linux New upstream stable release; increase ABI to 22; [rt] update to 5.10.176-rt86
linux-signed-amd64 New upstream stable release; increase ABI to 22; [rt] update to 5.10.176-rt86
linux-signed-arm64 New upstream stable release; increase ABI to 22; [rt] update to 5.10.176-rt86
linux-signed-i386 New upstream stable release; increase ABI to 22; [rt] update to 5.10.176-rt86
lxc Fix file existence oracle [CVE-2022-47952]
macromoleculebuilder Fix build failure by adding build dependency on docbook-xsl
mariadb-10.5 New upstream stable release; revert upstream libmariadb API change
mono Remove desktop file
ncurses Guard against corrupt terminfo data [CVE-2022-29458]; fix tic crash on very long tc/use clauses
needrestart Fix warnings when using -b option
node-cookiejar Guard against maliciously-sized cookies [CVE-2022-25901]
node-webpack Avoid cross-realm object access [CVE-2023-28154]
nvidia-graphics-drivers New upstream release; security fixes [CVE-2023-0180 CVE-2023-0184 CVE-2023-0185 CVE-2023-0187 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199]
nvidia-graphics-drivers-tesla-450 New upstream release; security fixes [CVE-2023-0180 CVE-2023-0184 CVE-2023-0185 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199]
nvidia-graphics-drivers-tesla-470 New upstream release; security fixes [CVE-2023-0180 CVE-2023-0184 CVE-2023-0185 CVE-2023-0187 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199]
nvidia-modprobe New upstream release
openvswitch Fix openvswitch-switch update leaves interfaces down
passenger Fix compatibility with more recent NodeJS versions
phyx Remove unnecessary build dependency on libatlas-cpp
postfix New upstream stable release
postgis Fix wrong Polar stereographic axis order
postgresql-13 New upstream stable release; fix client memory disclosure issue [CVE-2022-41862]
python-acme Fix version of created CSRs, to prevent problems with strictly RFC-complying implementations of the ACME API
ruby-aws-sdk-core Fix generation of version file
ruby-cfpropertylist Fix some functionality by dropping compatibility with Ruby 1.8
shim New upstream release; new upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4
shim-helpers-amd64-signed New upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4
shim-helpers-arm64-signed New upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4
shim-helpers-i386-signed New upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4
shim-signed New upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4
snakeyaml Fix denial of service issues [CVE-2022-25857 CVE-2022-38749 CVE-2022-38750 CVE-2022-38751]; add documentation regarding security support / issues
spyder Fix duplication of code when saving
symfony Remove private headers before storing responses with HttpCache [CVE-2022-24894]; remove CSRF tokens from storage on successful login [CVE-2022-24895]
systemd Fix information leak issue [CVE-2022-4415], denial of service issue [CVE-2022-3821]; ata_id: fix getting Response Code from SCSI Sense Data; logind: fix getting property OnExternalPower via D-Bus; fix crash in systemd-machined
tomcat9 Add OpenJDK 17 support to JDK detection
traceroute Interpret v4mapped-IPv6 addresses as IPv4
tzdata Update included data
unbound Fix Non-Responsive Delegation Attack [CVE-2022-3204]; fix ghost domain names issue [CVE-2022-30698 CVE-2022-30699]
usb.ids Update included data
vagrant Add support for VirtualBox 7.0
voms-api-java Fix build failures by disabling some non-working tests
w3m Fix out-of-bounds write issue [CVE-2022-38223]
x4d-icons Fix build failure with newer imagemagick versions
xapian-core Prevent database corruption on disk exhaustion
zfs-linux Add several stability improvements

Säkerhetsuppdateringar

Denna revision lägger till följande säkerhetsuppdateringar till den stabila utgåvan. Säkerhetsgruppen har redan släppt bulletiner för alla dessa uppdateringar:

Bulletin-ID Paket
DSA-5170 nodejs
DSA-5237 firefox-esr
DSA-5238 thunderbird
DSA-5259 firefox-esr
DSA-5262 thunderbird
DSA-5282 firefox-esr
DSA-5284 thunderbird
DSA-5300 pngcheck
DSA-5301 firefox-esr
DSA-5302 chromium
DSA-5303 thunderbird
DSA-5304 xorg-server
DSA-5305 libksba
DSA-5306 gerbv
DSA-5307 libcommons-net-java
DSA-5308 webkit2gtk
DSA-5309 wpewebkit
DSA-5310 ruby-image-processing
DSA-5311 trafficserver
DSA-5312 libjettison-java
DSA-5313 hsqldb
DSA-5314 emacs
DSA-5315 libxstream-java
DSA-5316 netty
DSA-5317 chromium
DSA-5318 lava
DSA-5319 openvswitch
DSA-5320 tor
DSA-5321 sudo
DSA-5322 firefox-esr
DSA-5323 libitext5-java
DSA-5324 linux-signed-amd64
DSA-5324 linux-signed-arm64
DSA-5324 linux-signed-i386
DSA-5324 linux
DSA-5325 spip
DSA-5326 nodejs
DSA-5327 swift
DSA-5328 chromium
DSA-5329 bind9
DSA-5330 curl
DSA-5331 openjdk-11
DSA-5332 git
DSA-5333 tiff
DSA-5334 varnish
DSA-5335 openjdk-17
DSA-5336 glance
DSA-5337 nova
DSA-5338 cinder
DSA-5339 libhtml-stripscripts-perl
DSA-5340 webkit2gtk
DSA-5341 wpewebkit
DSA-5342 xorg-server
DSA-5343 openssl
DSA-5344 heimdal
DSA-5345 chromium
DSA-5346 libde265
DSA-5347 imagemagick
DSA-5348 haproxy
DSA-5349 gnutls28
DSA-5350 firefox-esr
DSA-5351 webkit2gtk
DSA-5352 wpewebkit
DSA-5353 nss
DSA-5355 thunderbird
DSA-5356 sox
DSA-5357 git
DSA-5358 asterisk
DSA-5359 chromium
DSA-5361 tiff
DSA-5362 frr
DSA-5363 php7.4
DSA-5364 apr-util
DSA-5365 curl
DSA-5366 multipath-tools
DSA-5367 spip
DSA-5368 libreswan
DSA-5369 syslog-ng
DSA-5370 apr
DSA-5371 chromium
DSA-5372 rails
DSA-5373 node-sqlite3
DSA-5374 firefox-esr
DSA-5375 thunderbird
DSA-5376 apache2
DSA-5377 chromium
DSA-5378 xen
DSA-5379 dino-im
DSA-5380 xorg-server
DSA-5381 tomcat9
DSA-5382 cairosvg
DSA-5383 ghostscript
DSA-5384 openimageio
DSA-5385 firefox-esr
DSA-5386 chromium
DSA-5387 openvswitch
DSA-5388 haproxy
DSA-5389 rails
DSA-5390 chromium
DSA-5391 libxml2
DSA-5392 thunderbird
DSA-5393 chromium

Borttagna paket

Följande paket har tagits bort på grund av omständigheter utom vår kontroll:

Paket Orsak
bind-dyndb-ldap Trasig med nya versioner av bind9; omöjlig att ge support för i stabila utgåvan
matrix-mirage Beroende på python-matrix-nio som är på väg att tas bort
pantalaimon Beroende på python-matrix-nio som är på väg att tas bort
python-matrix-nio Säkerhetsproblem: fungerar inte med nuvarande Matrixservrar
weechat-matrix Beroende på python-matrix-nio som är på väg att tas bort

Debianinstalleraren

Installeraren har uppdaterats för att inkludera rättningarna som har inkluderats i den stabila utgåvan med denna punktutgåva.

URLer

Den fullständiga listan på paket som har förändrats i denna revision:

https://deb.debian.org/debian/dists/bullseye/ChangeLog

Den aktuella stabila utgåvan:

https://deb.debian.org/debian/dists/stable/

Föreslagna uppdateringar till den stabila utgåvan:

https://deb.debian.org/debian/dists/proposed-updates

Information om den stabila utgåvan (versionsfakta, kända problem osv.):

https://www.debian.org/releases/stable/

Säkerhetsbulletiner och information:

https://www.debian.org/security/

Om Debian

Debianprojektet är en grupp utvecklare av Fri mjukvara som donerar sin tid och kraft för att producera det helt fria operativsystemet Debian.

Kontaktinformation

För ytterligare information, vänligen besök Debians webbplats på https://www.debian.org/, skicka e-post till <press@debian.org>, eller kontakta gruppen för stabila utgåvor på <debian-release@lists.debian.org>.