تحديث دبيان 11: الإصدار 11.8
07 أكتوبر 2023
يسعد مشروع دبيان الإعلان عن التحديث الثامن لتوزيعته المستقرة دبيان 11 (الاسم الرمزي bullseye
).
بالإضافة إلى تسوية بعض المشكلات الحرجة يصلح هذا التحديث بالأساس مشاكلات الأمان. تنبيهات الأمان أعلنت بشكل منفصل ومشار إليها فقط في هذا الإعلان.
يرجى ملاحظة أن هذا التحديث لا يشكّل إصدار جديد لدبيان 11 بل فقط تحديثات لبعض الحزم المضمّنة
وبالتالي ليس بالضرورة رمي الوسائط القديمة للإصدار bullseye
، يمكن تحديث الحزم باستخدام مرآة دبيان محدّثة.
الذين يثبّتون التحديثات من security.debian.org باستمرار لن يكون عليهم تحديث العديد من الحزم، أغلب التحديثات مضمّنة في هذا التحديث.
صور جديدة لأقراص التثبيت ستكون متوفرة في موضعها المعتاد.
يمكن الترقية من تثبيت آنيّ إلى هذه المراجعة بتوجيه نظام إدارة الحزم إلى إحدى مرايا HTTP الخاصة بدبيان. قائمة شاملة لمرايا دبيان على المسار:
إصلاح العديد من العلاّت
أضاف هذا التحديث للإصدار المستقر بعض الإصلاحات المهمة للحزم التالية:
| الحزمة | السبب |
|---|---|
| adduser | Fix command injection vulnerability in deluser |
| aide | Fix handling of extended attributes on symlinks |
| amd64-microcode | Update included microcode, including fixes for AMD Inceptionon AMD Zen4 processors [CVE-2023-20569] |
| appstream-glib | Handle <em> and <code> tags in metadata |
| asmtools | Backport to bullseye for future openjdk-11 builds |
| autofs | Fix missing mutex unlock; do not use rpcbind for NFS4 mounts; fix regression determining reachability on dual-stack hosts |
| base-files | Update for the 11.8 point release |
| batik | Fix Server Side Request Forgery issues [CVE-2022-44729 CVE-2022-44730] |
| bmake | Conflict with bsdowl (<< 2.2.2-1.2~) to ensure smooth upgrades |
| boxer-data | Backport thunderbird compatibility fixes |
| ca-certificates-java | Work around unconfigured jre during new installations |
| cairosvg | Handle data: URLs in safe mode |
| cargo-mozilla | New upstreamversion, to support building newer firefox-esr versions |
| clamav | New upstream stable release; fix denial of service vulnerability via HFS+ parser [CVE-2023-20197] |
| cpio | Fix arbitrary code execution issue [CVE-2021-38185]; replace Suggests: on libarchive1 with libarchive-dev |
| cryptmount | Fix memory-initialization in command-line parser |
| cups | Fix heap-based buffer overflow issues [CVE-2023-4504 CVE-2023-32324], unauthenticated access issue [CVE-2023-32360], use-after-free issue [CVE-2023-34241] |
| curl | Fix code execution issues [CVE-2023-27533 CVE-2023-27534], information disclosure issues [CVE-2023-27535 CVE-2023-27536 CVE-2023-28322], inappropriate connection re-use issue [CVE-2023-27538], improper certificate validation issue [CVE-2023-28321] |
| dbus | New upstream stable release; fix denial of service issue [CVE-2023-34969] |
| debian-design | Rebuild using newer boxer-data |
| debian-installer | Increase Linux kernel ABI to 5.10.0-26; rebuild against proposed-updates |
| debian-installer-netboot-images | Rebuild against proposed-updates |
| debian-parl | Rebuild using newer boxer-data |
| debian-security-support | Set DEB_NEXT_VER_ID=12 as bookworm is the next release; security-support-limited: add gnupg1 |
| distro-info-data | Add Debian 14 forky; correct Ubuntu 23.04 release date; add Ubuntu 23.10 Mantic Minotaur; add the planned release date for Debian bookworm |
| dkimpy | New upstream bugfix release |
| dpdk | New upstream stable release |
| dpkg | Add support for loong64 CPU; handle missing Version when formatting source:Upstream-Version; fix varbuf memory leak in pkg_source_version() |
| flameshot | Disable uploads to imgur by default; fix name of d/NEWS file in previous upload |
| ghostscript | Fix buffer overflow issue [CVE-2023-38559]; try and secure the IJS server startup [CVE-2023-43115] |
| gitit | Rebuild against new pandoc |
| grunt | Fix race condition in symlink copying [CVE-2022-1537] |
| gss | Add Breaks+Replaces: libgss0 (<< 0.1) |
| haskell-hakyll | Rebuild against new pandoc |
| haskell-pandoc-citeproc | Rebuild against new pandoc |
| hnswlib | Fix double free in init_index when the M argument is a large integer [CVE-2023-37365] |
| horizon | Fix open redirect issue [CVE-2022-45582] |
| inetutils | Check return values for set*id() functions, avoiding potential security issues [CVE-2023-40303] |
| krb5 | Fix free of uninitialised pointer [CVE-2023-36054] |
| kscreenlocker | Fix authentication error when using PAM |
| lacme | Handle CA ready, processing and valid states correctly |
| lapack | Fix eigenvector matrix |
| lemonldap-ng | Fix open redirection when OIDC RP has no redirect URIs; fix Server Side Request Forgery issue [CVE-2023-44469]; fix open redirection due to incorrect escape handling |
| libapache-mod-jk | Remove implicit mapping functionality, which could lead to unintended exposure of the status worker and/or bypass of security constraints [CVE-2023-41081] |
| libbsd | Fix infinite loop in MD5File |
| libclamunrar | New upstream stable release |
| libprelude | Make Python module usable |
| libreswan | Fix denial of service issue [CVE-2023-30570] |
| libsignal-protocol-c | Fix integer overflow issue [CVE-2022-48468] |
| linux | New upstream stable release |
| linux-signed-amd64 | New upstream stable release |
| linux-signed-arm64 | New upstream stable release |
| linux-signed-i386 | New upstream stable release |
| logrotate | Avoid replacement of /dev/null with a regular file if used for the state file |
| ltsp | Avoid using mvon init symlink in order to work around overlayfs issue |
| lttng-modules | Fix build issues with newer kernel versions |
| lua5.3 | Fix use after free in lua_upvaluejoin (lapi.c) [CVE-2019-6706]; fix segmentation fault in getlocal and setlocal (ldebug.c) [CVE-2020-24370] |
| mariadb-10.5 | New upstream bugfix release [CVE-2022-47015] |
| mujs | Security fix |
| ncurses | Disallow loading of custom terminfo entries in setuid/setgid programs [CVE-2023-29491] |
| node-css-what | Fix regular expression-based denial of service issue [CVE-2022-21222 CVE-2021-33587] |
| node-json5 | Fix prototype pollution issue [CVE-2022-46175] |
| node-tough-cookie | Security fix: prototype pollution [CVE-2023-26136] |
| nvidia-graphics-drivers | New upstream release [CVE-2023-25515 CVE-2023-25516]; improve compatibility with recent kernels |
| nvidia-graphics-drivers-tesla-450 | New upstream release [CVE-2023-25515 CVE-2023-25516] |
| nvidia-graphics-drivers-tesla-470 | New upstream bugfix release [CVE-2023-25515 CVE-2023-25516] |
| openblas | Fix results of DGEMM on AVX512-capable hardware, when the package has been built on pre-AVX2 hardware |
| openssh | Fix remote code execution issue via a forwarded agent socket [CVE-2023-38408] |
| openssl | New upstream stable release; fix denial of service issues [CVE-2023-3446 CVE-2023-3817] |
| org-mode | Fix command injection vulnerability [CVE-2023-28617] |
| pandoc | Fix arbitrary file write issues [CVE-2023-35936 CVE-2023-38745] |
| pev | Fix buffer overflow issue [CVE-2021-45423] |
| php-guzzlehttp-psr7 | Fix improper input validation [CVE-2023-29197] |
| php-nyholm-psr7 | Fix improper input validation issue [CVE-2023-29197] |
| postgis | Fix axis order regression |
| protobuf | Security fixes: DoS in Java [CVE-2021-22569]; NULL pointer dereference [CVE-2021-22570]; memory DoS [CVE-2022-1941] |
| python2.7 | Fix parameter cloakingissue [CVE-2021-23336], URL injection issue [CVE-2022-0391], use-after-free issue [CVE-2022-48560], XML External Entity issue [CVE-2022-48565]; improve constant-time comparisons in compare_digest() [CVE-2022-48566]; improve URL parsing [CVE-2023-24329]; prevent reading unauthenticated data on an SSLSocket [CVE-2023-40217] |
| qemu | Fix infinite loop [CVE-2020-14394], NULL pointer dereference issue [CVE-2021-20196], integer overflow issue [CVE-2021-20203], buffer overflow issues [CVE-2021-3507 CVE-2023-3180], denial of service issues [CVE-2021-3930 CVE-2023-3301], use-after-free issue [CVE-2022-0216], possible stack overflow and use-after-free issues [CVE-2023-0330], out-of-bounds read issue [CVE-2023-1544] |
| rar | New upstream release; fix directory traversal issue [CVE-2022-30333]; fix arbitrary code execution issue [CVE-2023-40477] |
| rhonabwy | Fix aesgcm buffer overflow [CVE-2022-32096] |
| roundcube | New upstream stable release; fix cross-site scripting issue [CVE-2023-43770]; Enigma: Fix initial synchronization of private keys |
| rust-cbindgen | New upstreamversion, to support building newer firefox-esr versions |
| rustc-mozilla | New upstreamversion, to support building newer firefox-esr versions |
| schleuder | Add versioned dependency on ruby-activerecord |
| sgt-puzzles | Fix various security issues in game loading [CVE-2023-24283 CVE-2023-24284 CVE-2023-24285 CVE-2023-24287 CVE-2023-24288 CVE-2023-24291] |
| spip | Several security fixes; security fix for extended authentification data filtering |
| spyder | Fix broken patch in previous update |
| systemd | Udev: fix creating /dev/serial/by-id/ symlinks for USB devices; fix memory leak on daemon-reload; fix a calendar spec calculation hang on DST change if TZ=Europe/Dublin |
| tang | Fix race condition when creating/rotating keys; assert restrictive permissions on key directory [CVE-2023-1672]; make tangd-rotate-keys executable |
| testng7 | Backport to oldstable for future openjdk-17 builds |
| tinyssh | Work around incoming packets which don't honour max packet length |
| unrar-nonfree | Fix file overwrite issue [CVE-2022-48579]; fix remote code execution issue [CVE-2023-40477] |
| xen | New upstream stable release; fix security issues [CVE-2023-20593 CVE-2023-20569 CVE-2022-40982] |
| yajl | Memory leak security fix; security fixes: potential denial of service with crafted JSON file [CVE-2017-16516]; heap memory corruption when dealing with large (~2GB) inputs [CVE-2022-24795]; fix incomplete patch for CVE-2023-33460 |
تحديثات الأمان
أضافت هذه المراجعة تحديثات الأمان التالية للإصدار المستقر. سبق لفريق الأمان نشر تنبيه لكل تحديث:
الحزم المزالة
الحزم التالية أزيلت لأسباب خارجة عن سيطرتنا:
| الحزمة | السبب |
|---|---|
| atlas-cpp | unstable upstream, unsuitable for Debian |
| ember-media | unstable upstream, unsuitable for Debian |
| eris | unstable upstream, unsuitable for Debian |
| libwfut | unstable upstream, unsuitable for Debian |
| mercator | unstable upstream, unsuitable for Debian |
| nomad | security fixes no longer available |
| nomad-driver-lxc | depends on to-be-removed nomad |
| skstream | unstable upstream, unsuitable for Debian |
| varconf | unstable upstream, unsuitable for Debian |
| wfmath | unstable upstream, unsuitable for Debian |
مُثبِّت دبيان
حدِّث المُثبِّت ليتضمن الإصلاحات المندرجة في هذا الإصدار المستقر.
المسارات
القائمة الكاملة للحزم المغيّرة في هذه المراجعة:
التوزيعة المستقرة الحالية:
التحديثات المقترحة للتوزيعة المستقرة:
معلومات حول التوزيعة المستقرة (ملاحظات الإصدار والأخطاء إلخ):
معلومات وإعلانات الأمان:
حول دبيان
مشروع دبيان هو اتحاد لمطوري البرمجيات الحرة تطوعوا بالوقت والمجهود لإنتاج نظام تشعيل دبيان حر بالكامل.
معلومات الاتصال
لمزيد من المعلومات يرجى زيارة موقع دبيان https://www.debian.org/ أو إرسال بريد إلكتروني إلى <press@debian.org> أو الاتصال بفريق إصدار المستقرة على <debian-release@lists.debian.org>.