Updated Debian 11: 11.9 released

February 10th, 2024

The Debian project is pleased to announce the ninth update of its oldstable distribution Debian 11 (codename bullseye). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 11 but only updates some of the packages included. There is no need to throw away old bullseye media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:


Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following packages:

Package Reason
axis Filter out unsupported protocols in the client class ServiceFactory [CVE-2023-40743]
base-files Update for the 11.9 point release
cifs-utils Fix non-parallel builds
compton Remove recommendation of picom
conda-package-handling Skip unreliable tests
conmon Do not hang when forwarding container stdout/stderr with lots of output
crun Fix containers with systemd as their init system, when using newer kernel versions
debian-installer Increase Linux kernel ABI to 5.10.0-28; rebuild against proposed-updates
debian-installer-netboot-images Rebuild against proposed-updates
debian-ports-archive-keyring Add Debian Ports Archive Automatic Signing Key (2025)
debian-security-support Mark tor, consul and xen as end-of-life; limit samba support to non-AD DC use cases; match golang packages with regular expression; drop version-based checking; add chromium to security-support-ended.deb11; add tiles and libspring-java to security-support-limited
debootstrap Backport merged-/usr support changes from trixie: implement merged-/usr by post-merging, default to merged-/usr for suites newer than bookworm in all profiles
distro-info Update tests for distro-info-data 0.58+deb12u1, which adjusted Debian 7's EoL date
distro-info-data Add Ubuntu 24.04 LTS Noble Numbat; fix several End Of Life dates
dpdk New upstream stable release
dropbear Fix security measure bypass issue [CVE-2021-36369]; fix terrapin attack [CVE-2023-48795]
exuberant-ctags Fix arbitrary command execution issue [CVE-2022-4515]
filezilla Prevent terrapin exploit [CVE-2023-48795]
gimp Remove old versions of separately packaged dds plugin
glib2.0 Align with upstream stable fixes; fix denial of service issues [CVE-2023-32665 CVE-2023-32611 CVE-2023-29499 CVE-2023-32636]
glibc Fix a memory corruption in qsort() when using nontransitive comparison functions.
gnutls28 Security fix for timing sidechannel attack [CVE-2023-5981]
imagemagick Various security fixes [CVE-2021-20241 CVE-2021-20243 CVE-2021-20244 CVE-2021-20245 CVE-2021-20246 CVE-2021-20309 CVE-2021-3574 CVE-2021-39212 CVE-2021-4219 CVE-2022-1114 CVE-2022-28463 CVE-2022-32545 CVE-2022-32546]
jqueryui Fix cross-site scripting issue [CVE-2022-31160]
knewstuff Ensure correct ProvidersUrl to fix denial of service
libdatetime-timezone-perl Update included timezone data
libde265 Fix segmentation violation in the function decoder_context::process_slice_segment_header [CVE-2023-27102]; fix heap buffer overflow in the function derive_collocated_motion_vectors [CVE-2023-27103]; fix buffer over-read in pic_parameter_set::dump [CVE-2023-43887]; fix buffer overflow in the slice_segment_header function [CVE-2023-47471]; fix buffer overflow issues [CVE-2023-49465 CVE-2023-49467 CVE-2023-49468]
libmateweather Update included location data; update data server URL
libpod Fix incorrect handling of supplementary groups [CVE-2022-2989]
libsolv Enable zstd compression support
libspreadsheet-parsexlsx-perl Fix possible memory bomb [CVE-2024-22368]; fix XML External Entity issue [CVE-2024-23525]
linux New upstream stable release; increase ABI to 28
linux-signed-amd64 New upstream stable release; increase ABI to 28
linux-signed-arm64 New upstream stable release; increase ABI to 28
linux-signed-i386 New upstream stable release; increase ABI to 28
llvm-toolchain-16 New backported package to support builds of newer chromium versions; build-dep on llvm-spirv instead of llvm-spirv-16
mariadb-10.5 New upstream stable release; fix denial of service issue [CVE-2023-22084]
minizip Reject overflows of zip header fields [CVE-2023-45853]
modsecurity-apache Fix protection bypass issues [CVE-2022-48279 CVE-2023-24021]
nftables Fix incorrect bytecode generation
node-dottie Fix prototype pollution issue [CVE-2023-26132]
node-url-parse Fix authorisation bypass issue [CVE-2022-0512]
node-xml2js Fix prototype pollution issue [CVE-2023-0842]
nvidia-graphics-drivers New upstream release [CVE-2023-31022]
nvidia-graphics-drivers-tesla-470 New upstream release [CVE-2023-31022]
opendkim Properly delete Authentication-Results headers [CVE-2022-48521]
perl Prevent buffer overflow via illegal Unicode property [CVE-2023-47038]
plasma-desktop Fix denial of service bug in discover
plasma-discover Fix denial of service bug; fix build failure
postfix New upstream stable release; address SMTP smuggling issue [CVE-2023-51764]
postgresql-13 New upstream stable release; fix SQL injection issue [CVE-2023-39417]
postgresql-common Fix autopkgtests
python-cogent Skip parallel tests on single-CPU systems
python-django-imagekit Avoid triggering path traversal detection in tests
python-websockets Fix predictable duration issue [CVE-2021-33880]
pyzoltan Build on single core systems
ruby-aws-sdk-core Include VERSION file in package
spip Fix cross-site scripting issue
swupdate Prevent acquiring root privileges through inappropriate socket mode
symfony Ensure CodeExtension's filters properly escape their input [CVE-2023-46734]
tar Fix boundary checking in base-256 decoder [CVE-2022-48303], handling of extended header prefixes [CVE-2023-39804]
tinyxml Fix assertion issue [CVE-2023-34194]
tzdata Update included timezone data
unadf Fix stack buffer overflow issue [CVE-2016-1243]; fix arbitary code execution issue [CVE-2016-1244]
usb.ids Update included data list
vlfeat Fix FTBFS with newer ImageMagick
weborf Fix denial of service issue
wolfssl Fix buffer overflow issues [CVE-2022-39173 CVE-2022-42905], key disclosure issue [CVE-2022-42961], predictable buffer in input keying material [CVE-2023-3724]
xerces-c Fix use-after-free issue [CVE-2018-1311]; fix integer overflow issue [CVE-2023-37536]
zeromq3 Fix fork() detection with gcc 7; update copyright relicense statement

Security Updates

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-5496 firefox-esr
DSA-5499 chromium
DSA-5506 firefox-esr
DSA-5508 chromium
DSA-5509 firefox-esr
DSA-5511 mosquitto
DSA-5512 exim4
DSA-5513 thunderbird
DSA-5514 glibc
DSA-5515 chromium
DSA-5516 libxpm
DSA-5517 libx11
DSA-5518 libvpx
DSA-5519 grub-efi-amd64-signed
DSA-5519 grub-efi-arm64-signed
DSA-5519 grub-efi-ia32-signed
DSA-5519 grub2
DSA-5520 mediawiki
DSA-5522 tomcat9
DSA-5523 curl
DSA-5524 libcue
DSA-5526 chromium
DSA-5527 webkit2gtk
DSA-5528 node-babel7
DSA-5530 ruby-rack
DSA-5531 roundcube
DSA-5533 gst-plugins-bad1.0
DSA-5534 xorg-server
DSA-5535 firefox-esr
DSA-5536 chromium
DSA-5537 openjdk-11
DSA-5538 thunderbird
DSA-5539 node-browserify-sign
DSA-5540 jetty9
DSA-5542 request-tracker4
DSA-5543 open-vm-tools
DSA-5544 zookeeper
DSA-5545 vlc
DSA-5546 chromium
DSA-5547 pmix
DSA-5548 openjdk-17
DSA-5549 trafficserver
DSA-5550 cacti
DSA-5551 chromium
DSA-5554 postgresql-13
DSA-5556 chromium
DSA-5557 webkit2gtk
DSA-5558 netty
DSA-5560 strongswan
DSA-5561 firefox-esr
DSA-5563 intel-microcode
DSA-5564 gimp
DSA-5565 gst-plugins-bad1.0
DSA-5566 thunderbird
DSA-5567 tiff
DSA-5569 chromium
DSA-5570 nghttp2
DSA-5571 rabbitmq-server
DSA-5572 roundcube
DSA-5573 chromium
DSA-5574 libreoffice
DSA-5576 xorg-server
DSA-5577 chromium
DSA-5579 freeimage
DSA-5581 firefox-esr
DSA-5582 thunderbird
DSA-5584 bluez
DSA-5585 chromium
DSA-5586 openssh
DSA-5587 curl
DSA-5588 putty
DSA-5590 haproxy
DSA-5591 libssh
DSA-5592 libspreadsheet-parseexcel-perl
DSA-5594 linux-signed-amd64
DSA-5594 linux-signed-arm64
DSA-5594 linux-signed-i386
DSA-5594 linux
DSA-5595 chromium
DSA-5597 exim4
DSA-5598 chromium
DSA-5599 phpseclib
DSA-5600 php-phpseclib
DSA-5602 chromium
DSA-5603 xorg-server
DSA-5604 openjdk-11
DSA-5605 thunderbird
DSA-5606 firefox-esr
DSA-5608 gst-plugins-bad1.0
DSA-5613 openjdk-17
DSA-5614 zbar
DSA-5615 runc

Removed packages

The following obsolete package was removed from the distribution:

Package Reason
gimp-dds Integrated in gimp>=2.10

Debian Installer

The installer has been updated to include the fixes incorporated into oldstable by the point release.


The complete lists of packages that have changed with this revision:


The current oldstable distribution:


Proposed updates to the oldstable distribution:


oldstable distribution information (release notes, errata etc.):


Security announcements and information:


About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.