Updated Debian 11: 11.8 released
7 October 2023
The Debian project is proud to present the eighth update of its oldstable distribution Debian 11 (codename bullseye).
This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 11 but only updates some of the packages included. There is no need to throw away old bullseye media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org will not have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This oldstable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
adduser | Fix command injection vulnerability in deluser |
aide | Fix handling of extended attributes on symlinks |
amd64-microcode | Update included microcode, including fixes for AMD Inception on AMD Zen4 processors [CVE-2023-20569] |
appstream-glib | Handle <em> and <code> tags in metadata |
asmtools | Backport to bullseye for future openjdk-11 builds |
autofs | Fix missing mutex unlock; do not use rpcbind for NFS4 mounts; fix regression determining reachability on dual-stack hosts |
base-files | Update for the 11.8 point release |
batik | Fix Server Side Request Forgery issues [CVE-2022-44729 CVE-2022-44730] |
bmake | Conflict with bsdowl (<< 2.2.2-1.2~) to ensure smooth upgrades |
boxer-data | Backport thunderbird compatibility fixes |
ca-certificates-java | Work around unconfigured jre during new installations |
cairosvg | Handle data: URLs in safe mode |
cargo-mozilla | New upstream version, to support building newer firefox-esr versions |
clamav | New upstream stable release; fix denial of service vulnerability via HFS+ parser [CVE-2023-20197] |
cpio | Fix arbitrary code execution issue [CVE-2021-38185]; replace Suggests: on libarchive1 with libarchive-dev |
cryptmount | Fix memory-initialization in command-line parser |
cups | Fix heap-based buffer overflow issues [CVE-2023-4504 CVE-2023-32324], unauthenticated access issue [CVE-2023-32360], use-after-free issue [CVE-2023-34241] |
curl | Fix code execution issues [CVE-2023-27533 CVE-2023-27534], information disclosure issues [CVE-2023-27535 CVE-2023-27536 CVE-2023-28322], inappropriate connection re-use issue [CVE-2023-27538], improper certificate validation issue [CVE-2023-28321] |
dbus | New upstream stable release; fix denial of service issue [CVE-2023-34969] |
debian-design | Rebuild using newer boxer-data |
debian-installer | Increase Linux kernel ABI to 5.10.0-26; rebuild against proposed-updates |
debian-installer-netboot-images | Rebuild against proposed-updates |
debian-parl | Rebuild using newer boxer-data |
debian-security-support | Set DEB_NEXT_VER_ID=12 as bookworm is the next release; security-support-limited: add gnupg1 |
distro-info-data | Add Debian 14 forky; correct Ubuntu 23.04 release date; add Ubuntu 23.10 Mantic Minotaur; add the planned release date for Debian bookworm |
dkimpy | New upstream bugfix release |
dpdk | New upstream stable release |
dpkg | Add support for loong64 CPU; handle missing Version when formatting source:Upstream-Version; fix varbuf memory leak in pkg_source_version() |
flameshot | Disable uploads to imgur by default; fix name of d/NEWS file in previous upload |
ghostscript | Fix buffer overflow issue [CVE-2023-38559]; try and secure the IJS server startup [CVE-2023-43115] |
gitit | Rebuild against new pandoc |
grunt | Fix race condition in symlink copying [CVE-2022-1537] |
gss | Add Breaks+Replaces: libgss0 (<< 0.1) |
haskell-hakyll | Rebuild against new pandoc |
haskell-pandoc-citeproc | Rebuild against new pandoc |
hnswlib | Fix double free in init_index when the M argument is a large integer [CVE-2023-37365] |
horizon | Fix open redirect issue [CVE-2022-45582] |
inetutils | Check return values for set*id() functions, avoiding potential security issues [CVE-2023-40303] |
krb5 | Fix free of uninitialised pointer [CVE-2023-36054] |
kscreenlocker | Fix authentication error when using PAM |
lacme | Handle CA ready, processing and valid states correctly |
lapack | Fix eigenvector matrix |
lemonldap-ng | Fix open redirection when OIDC RP has no redirect URIs; fix Server Side Request Forgery issue [CVE-2023-44469]; fix open redirection due to incorrect escape handling |
libapache-mod-jk | Remove implicit mapping functionality, which could lead to unintended exposure of the status worker and/or bypass of security constraints [CVE-2023-41081] |
libbsd | Fix infinite loop in MD5File |
libclamunrar | New upstream stable release |
libprelude | Make Python module usable |
libreswan | Fix denial of service issue [CVE-2023-30570] |
libsignal-protocol-c | Fix integer overflow issue [CVE-2022-48468] |
linux | New upstream stable release |
linux-signed-amd64 | New upstream stable release |
linux-signed-arm64 | New upstream stable release |
linux-signed-i386 | New upstream stable release |
logrotate | Avoid replacement of /dev/null with a regular file if used for the state file |
ltsp | Avoid using mv on init symlink in order to work around overlayfs issue |
lttng-modules | Fix build issues with newer kernel versions |
lua5.3 | Fix use after free in lua_upvaluejoin (lapi.c) [CVE-2019-6706]; fix segmentation fault in getlocal and setlocal (ldebug.c) [CVE-2020-24370] |
mariadb-10.5 | New upstream bugfix release [CVE-2022-47015] |
mujs | Security fix |
ncurses | Disallow loading of custom terminfo entries in setuid/setgid programs [CVE-2023-29491] |
node-css-what | Fix regular expression-based denial of service issue [CVE-2022-21222 CVE-2021-33587] |
node-json5 | Fix prototype pollution issue [CVE-2022-46175] |
node-tough-cookie | Security fix: prototype pollution [CVE-2023-26136] |
nvidia-graphics-drivers | New upstream release [CVE-2023-25515 CVE-2023-25516]; improve compatibility with recent kernels |
nvidia-graphics-drivers-tesla-450 | New upstream release [CVE-2023-25515 CVE-2023-25516] |
nvidia-graphics-drivers-tesla-470 | New upstream bugfix release [CVE-2023-25515 CVE-2023-25516] |
openblas | Fix results of DGEMM on AVX512-capable hardware, when the package has been built on pre-AVX2 hardware |
openssh | Fix remote code execution issue via a forwarded agent socket [CVE-2023-38408] |
openssl | New upstream stable release; fix denial of service issues [CVE-2023-3446 CVE-2023-3817] |
org-mode | Fix command injection vulnerability [CVE-2023-28617] |
pandoc | Fix arbitrary file write issues [CVE-2023-35936 CVE-2023-38745] |
pev | Fix buffer overflow issue [CVE-2021-45423] |
php-guzzlehttp-psr7 | Fix improper input validation [CVE-2023-29197] |
php-nyholm-psr7 | Fix improper input validation issue [CVE-2023-29197] |
postgis | Fix axis order regression |
protobuf | Security fixes: DoS in Java [CVE-2021-22569]; NULL pointer dereference [CVE-2021-22570]; memory DoS [CVE-2022-1941] |
python2.7 | Fix parameter cloaking issue [CVE-2021-23336], URL injection issue [CVE-2022-0391], use-after-free issue [CVE-2022-48560], XML External Entity issue [CVE-2022-48565]; improve constant-time comparisons in compare_digest() [CVE-2022-48566]; improve URL parsing [CVE-2023-24329]; prevent reading unauthenticated data on an SSLSocket [CVE-2023-40217] |
qemu | Fix infinite loop [CVE-2020-14394], NULL pointer dereference issue [CVE-2021-20196], integer overflow issue [CVE-2021-20203], buffer overflow issues [CVE-2021-3507 CVE-2023-3180], denial of service issues [CVE-2021-3930 CVE-2023-3301], use-after-free issue [CVE-2022-0216], possible stack overflow and use-after-free issues [CVE-2023-0330], out-of-bounds read issue [CVE-2023-1544] |
rar | New upstream release; fix directory traversal issue [CVE-2022-30333]; fix arbitrary code execution issue [CVE-2023-40477] |
rhonabwy | Fix aesgcm buffer overflow [CVE-2022-32096] |
roundcube | New upstream stable release; fix cross-site scripting issue [CVE-2023-43770]; Enigma: Fix initial synchronization of private keys |
rust-cbindgen | New upstream version, to support building newer firefox-esr versions |
rustc-mozilla | New upstream version, to support building newer firefox-esr versions |
schleuder | Add versioned dependency on ruby-activerecord |
sgt-puzzles | Fix various security issues in game loading [CVE-2023-24283 CVE-2023-24284 CVE-2023-24285 CVE-2023-24287 CVE-2023-24288 CVE-2023-24291] |
spip | Several security fixes; security fix for extended authentication data filtering |
spyder | Fix broken patch in previous update |
systemd | Udev: fix creating /dev/serial/by-id/ symlinks for USB devices; fix memory leak on daemon-reload; fix a calendar spec calculation hang on DST change if TZ=Europe/Dublin |
tang | Fix race condition when creating/rotating keys; assert restrictive permissions on key directory [CVE-2023-1672]; make tangd-rotate-keys executable |
testng7 | Backport to oldstable for future openjdk-17 builds |
tinyssh | Work around incoming packets which don't honour max packet length |
unrar-nonfree | Fix file overwrite issue [CVE-2022-48579]; fix remote code execution issue [CVE-2023-40477] |
xen | New upstream stable release; fix security issues [CVE-2023-20593 CVE-2023-20569 CVE-2022-40982] |
yajl | Memory leak security fix; security fixes: potential denial of service with crafted JSON file [CVE-2017-16516]; heap memory corruption when dealing with large (~2GB) inputs [CVE-2022-24795]; fix incomplete patch for CVE-2023-33460 |
Security Updates
This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:
Removed Packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
atlas-cpp | unstable upstream, unsuitable for Debian |
ember-media | unstable upstream, unsuitable for Debian |
eris | unstable upstream, unsuitable for Debian |
libwfut | unstable upstream, unsuitable for Debian |
mercator | unstable upstream, unsuitable for Debian |
nomad | security fixes no longer available |
nomad-driver-lxc | depends on nomad, which is being removed |
skstream | unstable upstream, unsuitable for Debian |
varconf | unstable upstream, unsuitable for Debian |
wfmath | unstable upstream, unsuitable for Debian |
Debian Installer
The installer has been updated to include the fixes incorporated into oldstable by the point release.
URLs
The complete list of packages that have changed with this revision:
The current oldstable distribution:
Proposed updates to the oldstable distribution:
Oldstable distribution information (release notes, errata, etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.