Updated Debian 12: 12.6 released
June 29th, 2024
The Debian project is pleased to announce the sixth update of its stable distribution Debian 12 (codename bookworm).
This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 12 but only updates some of the packages included. There is no need to throw away old bookworm installation media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org will not have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available here:
Miscellaneous bugfixes
This stable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
aide | Fix concurrent reading of extended attributes |
amavisd-new | Handle multiple boundary parameters that contain conflicting values [CVE-2024-28054]; fix race condition in postinst |
archlinux-keyring | Switch to pre-built keyrings; sync with upstream |
base-files | Update for the 12.6 point release |
bash | Rebuild to fix outdated Built-Using |
bioawk | Disable parallel builds to fix random failures |
bluez | Fix remote code execution issues [CVE-2023-27349 CVE-2023-50229 CVE-2023-50230] |
cdo | Disable hirlam-extensions to avoid causing issues with ICON data files |
chkrootkit | Rebuild to fix outdated Built-Using |
cjson | Fix missing NULL checks [CVE-2023-50471 CVE-2023-50472] |
clamav | New upstream stable release; fix possible heap overflow issue [CVE-2024-20290], possible command injection issue [CVE-2024-20328] |
cloud-init | Declare conflicts/replaces on versioned package introduced for bullseye |
comitup | Ensure service is unmasked in post install |
cpu | Provide exactly one definition of globalLdap in LDAP plugin |
crmsh | Create log directory and file on installation |
crowdsec-custom-bouncer | Rebuild to fix outdated Built-Using |
crowdsec-firewall-bouncer | Rebuild against golang-github-google-nftables version with fixed little-endian architecture support |
curl | Do not keep default protocols when deselected [CVE-2024-2004]; fix memory leak [CVE-2024-2398] |
dar | Rebuild to fix outdated Built-Using |
dcmtk | Clean up properly on purge |
debian-installer | Increase Linux kernel ABI to 6.1.0-22; rebuild against proposed-updates |
debian-installer-netboot-images | Rebuild against proposed-updates |
debvm | debvm-create: do install login; bin/debvm-waitssh: make --timeout=N work; bin/debvm-run: allow being run in environments without TERM set; fix resolv.conf in stretch |
dhcpcd5 | privsep: Allow zero length messages through; fix server not being restarted correctly during upgrades |
distro-info-data | Declare intentions for bullseye/bookworm; fix past data; add Ubuntu 24.10 |
djangorestframework | Reinstate missing static files |
dm-writeboost | Fix build error with 6.9 kernel and backports |
dns-root-data | Update root hints; update expired security information |
dpdk | New upstream stable release |
ebook-speaker | Support username over 8 characters when enumerating groups |
emacs | Security fixes [CVE-2024-30202 CVE-2024-30203 CVE-2024-30204 CVE-2024-30205]; replace expired package-keyring.gpg with a current version |
extrepo-data | Update repository information |
flatpak | New upstream stable release |
fpga-icestorm | Restore compatibility with yosys |
freetype | Disable COLRv1 support, which was unintentionally enabled by upstream; fix function existence check when calling get_colr_glyph_paint() |
galera-4 | New upstream bugfix release; update upstream release signing key; prevent date-related test failures |
gdk-pixbuf | ANI: Reject files with multiple anih chunks [CVE-2022-48622]; ANI: Reject files with multiple INAM or IART chunks; ANI: Validate anih chunk size |
glewlwyd | Fix potential buffer overflow during FIDO2 credential validation [CVE-2023-49208]; fix open redirection via redirect_uri [CVE-2024-25715] |
glib2.0 | Fix a (rare) memory leak |
glibc | Revert fix to always call destructors in reverse constructor order due to unforeseen application compatibility issues; fix a DTV corruption due to a reuse of a TLS module ID following dlclose with unused TLS |
gnutls28 | Fix certtool crash when verifying a certificate chain with more than 16 certificates [CVE-2024-28835]; fix side-channel in the deterministic ECDSA [CVE-2024-28834]; fix a memory leak; fix two segfault issues |
golang-github-containers-storage | Rebuild for outdated Built-Using |
golang-github-google-nftables | Fix AddSet() function on little-endian architectures |
golang-github-openshift-imagebuilder | Rebuild for outdated Built-Using |
gosu | Rebuild for outdated Built-Using |
gpaste | Fix conflict with older libpgpaste6 |
gross | Fix stack-based buffer overflow [CVE-2023-52159] |
hovercraft | Depend on python3-setuptools |
icinga2 | Fix segmentation fault on ppc64el |
igtf-policy-bundle | Address CAB Forum S/MIME policy change; apply accumulated updates to trust anchors |
intel-microcode | Security mitigations [CVE-2023-22655 CVE-2023-28746 CVE-2023-38575 CVE-2023-39368 CVE-2023-43490]; mitigate for INTEL-SA-01051 [CVE-2023-45733], INTEL-SA-01052 [CVE-2023-46103], INTEL-SA-01036 [CVE-2023-45745, CVE-2023-47855] and unspecified functional issues on various Intel processors |
jose | Fix potential denial-of-service issue [CVE-2023-50967] |
json-smart | Fix excessive recursion leading to stack overflow [CVE-2023-1370]; fix denial of service via crafted request [CVE-2021-31684] |
kio | Fix file loss and potential locking issues on CIFS |
lacme | Fix post-issuance validation logic |
libapache2-mod-auth-openidc | Fix missing input validation leading to DoS [CVE-2024-24814] |
libesmtp | Break and replace older library versions |
libimage-imlib2-perl | Fix package build |
libjwt | Fix timing side channel attack [CVE-2024-25189] |
libkf5ksieve | Prevent leaking passwords into server-side logs |
libmail-dkim-perl | Add dependency on libgetopt-long-descriptive-perl |
libpod | Handle removed containers properly |
libreoffice | Fix backup copy creation for files on mounted samba shares; don't remove libforuilo.so in -core-nogui |
libseccomp | Add support for syscalls up to Linux 6.7 |
libtommath | Fix integer overflow [CVE-2023-36328] |
libtool | Conflict with libltdl3-dev; fix check for += operator in func_append |
libxml-stream-perl | Fix compatibility with IO::Socket::SSL >= 2.078 |
linux | New upstream stable release; increase ABI to 22 |
linux-signed-amd64 | New upstream stable release; increase ABI to 22 |
linux-signed-arm64 | New upstream stable release; increase ABI to 22 |
linux-signed-i386 | New upstream stable release; increase ABI to 22 |
lua5.4 | debian/version-script: Export additional missing symbols for lua 5.4.4 |
lxc-templates | Fix the mirror option of lxc-debian |
mailman3 | Depend alternatively on cron-daemon; fix postgresql:// url in post-installation script |
mksh | Handle merged /usr in /etc/shells; fix crash with nested bashism; fix arguments to the dot command; distinguish unset and empty in `typeset -p` |
mobian-keyring | Update Mobian archive key |
ms-gsl | Mark not_null constructors as noexcept |
nano | Fix format string issues; fix with --cutfromcursor, undoing a justification can eat a line; fix malicious symlink issue; fix example bindings in nanorc |
netcfg | Handle routing for single-address netmasks |
ngircd | Respect SSLConnect option for incoming connections; server certificate validation on server links (S2S-TLS); METADATA: Fix unsetting cloakhost |
node-babel7 | Fix building against nodejs 18.19.0+dfsg-6~deb12u1; add Breaks/Replaces against obsolete node-babel-* packages |
node-undici | Properly export typescript types |
node-v8-compile-cache | Fix tests when a newer nodejs version is used |
node-zx | Fix flaky test |
nodejs | Skip flaky tests for mipsel/mips64el |
nsis | Don't allow unprivileged users to delete the uninstaller directory [CVE-2023-37378]; fix regression in disabling stub relocations; build reproducibly for arm64 |
nvidia-graphics-drivers | Restore compatibility with newer Linux kernel builds; take over packages from nvidia-graphics-drivers-tesla; add new nvidia-suspend-common package; relax dh-dkms build-dependency for compatibility with bookworm; new upstream stable release [CVE-2023-0180 CVE-2023-0183 CVE-2023-0184 CVE-2023-0185 CVE-2023-0187 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199 CVE-2023-25515 CVE-2023-25516 CVE-2023-31022 CVE-2024-0074 CVE-2024-0075 CVE-2024-0078 CVE-2024-0090 CVE-2024-0092] |
nvidia-graphics-drivers-tesla | Restore compatibility with newer Linux kernel builds |
nvidia-graphics-drivers-tesla-470 | Restore compatibility with newer Linux kernel builds; stop building nvidia-cuda-mps; new upstream stable release; security fixes [CVE-2022-42265 CVE-2024-0074 CVE-2024-0078 CVE-2024-0090 CVE-2024-0092] |
nvidia-modprobe | Prepare to switch to 535 series LTS drivers |
nvidia-open-gpu-kernel-modules | Update to 535 series LTS drivers [CVE-2023-0180 CVE-2023-0183 CVE-2023-0184 CVE-2023-0185 CVE-2023-0187 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199 CVE-2023-25515 CVE-2023-25516 CVE-2023-31022 CVE-2024-0074 CVE-2024-0075 CVE-2024-0078 CVE-2024-0090 CVE-2024-0092] |
nvidia-persistenced | Switch to 535 series LTS drivers; update list of supported drivers |
nvidia-settings | Also build for ppc64el; new upstream LTS release |
nvidia-xconfig | New upstream LTS release |
openrc | Ignore non-executable scripts in /etc/init.d |
openssl | New upstream stable release; fix excessive time taken issues [CVE-2023-5678 CVE-2023-6237], vector register corruption issue on PowerPC [CVE-2023-6129], PKCS12 Decoding crashes [CVE-2024-0727] |
openvpn-dco-dkms | Build for Linux >= 6.5; install compat-include directory; fix refcount imbalance |
orthanc-dicomweb | Rebuild to fix outdated Built-Using |
orthanc-gdcm | Rebuild to fix outdated Built-Using |
orthanc-mysql | Rebuild to fix outdated Built-Using |
orthanc-neuro | Rebuild to fix outdated Built-Using |
orthanc-postgresql | Rebuild to fix outdated Built-Using |
orthanc-python | Rebuild to fix outdated Built-Using |
orthanc-webviewer | Rebuild to fix outdated Built-Using |
orthanc-wsi | Rebuild to fix outdated Built-Using |
ovn | New upstream stable version; fix insufficient validation of incoming BFD packets [CVE-2024-2182] |
pdudaemon | Depend on python3-aiohttp |
php-composer-class-map-generator | Force system dependency loading |
php-composer-pcre | Add missing Breaks+Replaces: on composer (<< 2.2) |
php-composer-xdebug-handler | Force system dependency loading |
php-doctrine-annotations | Force system dependency loading |
php-doctrine-deprecations | Force system dependency loading |
php-doctrine-lexer | Force system dependency loading |
php-phpseclib | Guard isPrime() and randomPrime() for BigInteger [CVE-2024-27354]; limit OID length in ASN1 [CVE-2024-27355]; fix BigInteger getLength(); remove visibility modifiers from static variables |
php-phpseclib3 | Force system dependency loading; guard isPrime() and randomPrime() for BigInteger [CVE-2024-27354]; limit OID length in ASN1 [CVE-2024-27355]; fix BigInteger getLength() |
php-proxy-manager | Force system dependency loading |
php-symfony-contracts | Force system dependency loading |
php-zend-code | Force system dependency loading |
phpldapadmin | Fix compatibility with PHP 8.1+ |
phpseclib | Force system dependency loading; guard isPrime() and randomPrime() for BigInteger [CVE-2024-27354]; limit OID length in ASN1 [CVE-2024-27355]; fix BigInteger getLength() |
postfix | New upstream stable release |
postgresql-15 | New upstream stable release; restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to the table owner [CVE-2024-4317] |
prometheus-node-exporter-collectors | Do not adversely affect mirror network; fix deadlock with other apt update runs |
pymongo | Fix out-of-bounds read issue [CVE-2024-5629] |
pypy3 | Strip C0 control and space characters in urlsplit [CVE-2023-24329]; avoid bypass of TLS handshake protections on closed sockets [CVE-2023-40217]; tempfile.TemporaryDirectory: fix symlink bug in cleanup [CVE-2023-6597]; protect zipfile from quoted-overlap zipbomb [CVE-2024-0450] |
python-aiosmtpd | Fix SMTP smuggling issue [CVE-2024-27305]; fix STARTTLS unencrypted command injection issue [CVE-2024-34083] |
python-asdf | Remove unnecessary dependency on asdf-unit-schemas |
python-channels-redis | Ensure pools are closed on loop close in core |
python-idna | Fix denial of service issue [CVE-2024-3651] |
python-jwcrypto | Fix denial of service issue [CVE-2024-28102] |
python-xapian-haystack | Drop dependency on django.utils.six |
python3.11 | Fix use-after-free crash when deallocating a frame object; protect zipfile from quoted-overlap zipbomb [CVE-2024-0450]; tempfile.TemporaryDirectory: fix symlink bug in cleanup [CVE-2023-6597]; fix os.path.normpath(): Path truncation at null bytes [CVE-2023-41105]; avoid bypass of TLS handshake protections on closed sockets [CVE-2023-40217]; strip C0 control and space characters in urlsplit [CVE-2023-24329]; avoid a potential null pointer dereference in fileutils |
qemu | New upstream stable release; security fixes [CVE-2024-26327 CVE-2024-26328 CVE-2024-3446 CVE-2024-3447] |
qtbase-opensource-src | Fix regression in patch for CVE-2023-24607; avoid using system CA certificates when not wanted [CVE-2023-34410]; fix buffer overflow [CVE-2023-37369]; fix infinite loop in XML recursive entity expansion [CVE-2023-38197]; fix buffer overflow with crafted KTX image file [CVE-2024-25580]; fix HPack integer overflow check [CVE-2023-51714] |
rails | Declare breaks and replaces on obsolete ruby-arel package |
riseup-vpn | Use system certificate bundle by default, restoring ability to connect to an endpoint using LetsEncrypt certificate |
ruby-aws-partitions | Ensure binary package includes partitions.json and partitions-metadata.json files |
ruby-premailer-rails | Remove build-dependency on obsolete ruby-arel |
rust-cbindgen-web | New source package to support builds of newer Firefox ESR versions |
rustc-web | New source package to support builds of web browsers |
schleuder | Fix argument parsing insufficient validation; fix importing keys from attachments sent by Thunderbird and handle mails without further content; look for keywords only at the start of mail; validate downcased email addresses when checking subscribers; consider From header for finding reply addresses |
sendmail | Fix SMTP smuggling issue [CVE-2023-51765] |
skeema | Rebuild for outdated Built-Using |
skopeo | Rebuild for outdated Built-Using |
software-properties | software-properties-qt: Add Conflicts+Replaces: on software-properties-kde for smoother upgrades from bullseye |
supermin | Rebuild to fix outdated Built-Using |
symfony | Force system dependency loading; DateTypeTest: ensure submitted year is accepted choice |
systemd | New upstream stable release; fix denial of service issues [CVE-2023-50387 CVE-2023-50868]; libnss-myhostname.nss: Install after files; libnss-mymachines.nss: Install before resolve and dns |
termshark | Rebuild to fix outdated Built-Using |
tripwire | Rebuild to fix outdated Built-Using |
tryton-client | Only send compressed content in authenticated sessions |
tryton-server | Prevent zip-bomb attacks from unauthenticated sources |
u-boot | Fix orion-timer for booting sheevaplug and related platforms |
uif | Support VLAN interface names |
umoci | Rebuild for outdated Built-Using |
user-mode-linux | Rebuilt to fix outdated Built-Using |
wayfire | Add missing dependencies |
what-is-python | Declare breaks and replaces on python-dev-is-python2; fix version mangling in build rules |
wpa | Fix authentication bypass issue [CVE-2023-52160] |
xscreensaver | Disable warning about old versions |
yapet | Do not call EVP_CIPHER_CTX_set_key_length() in crypt/blowfish and crypt/aes |
zsh | Rebuild to fix outdated Built-Using |
Security updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
phppgadmin | Security issues; incompatible with bookworm's PostgreSQL version |
pytest-salt-factories | Only needed for salt, which is not part of bookworm |
ruby-arel | Obsolete, integrated into ruby-activerecord, incompatible with ruby-activerecord 6.1.x |
spip | Incompatible with bookworm's PHP version |
vasttrafik-cli | API withdrawn |
Debian Installer
The installer has been updated to include the fixes incorporated into this point release.
URLs
The complete list of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
Stable distribution information (release notes, errata, etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.