Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

Updated Debian 11: 11.2 released

User discussion about Debian Development, Debian Project News and Announcements. Not for support questions.
Post Reply
Message
Author
User avatar
donald
Debian Developer, Site Admin
Debian Developer, Site Admin
Posts: 1041
Joined: 2021-03-30 20:08
Has thanked: 185 times
Been thanked: 240 times

Updated Debian 11: 11.2 released

#1 Post by donald »

------------------------------------------------------------------------
The Debian Project https://www.debian.org/
Updated Debian 11: 11.2 released press@debian.org
December 18th, 2021 https://www.debian.org/News/2021/20211218
------------------------------------------------------------------------


The Debian project is pleased to announce the second update of its
stable distribution Debian 11 (codename "bullseye"). This point release
mainly adds corrections for security issues, along with a few
adjustments for serious problems. Security advisories have already been
published separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 11 but only updates some of the packages included. There is no
need to throw away old "bullseye" media. After installation, packages
can be upgraded to the current versions using an up-to-date Debian
mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list



Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Code: Select all

+--------------------------+------------------------------------------+
| Package                  | Reason                                   |
+--------------------------+------------------------------------------+
| authheaders [1]          | New upstream bug-fix release             |
|                          |                                          |
| base-files [2]           | Update /etc/debian_version for the 11.2  |
|                          | point release                            |
|                          |                                          |
| bpftrace [3]             | Fix array indexing                       |
|                          |                                          |
| brltty [4]               | Fix operation under X when using         |
|                          | sysvinit                                 |
|                          |                                          |
| btrbk [5]                | Fix regression in the update for         |
|                          | CVE-2021-38173                           |
|                          |                                          |
| calibre [6]              | Fix syntax error                         |
|                          |                                          |
| chrony [7]               | Fix binding a socket to a network device |
|                          | with a name longer than 3 characters     |
|                          | when the system call filter is enabled   |
|                          |                                          |
| cmake [8]                | Add PostgreSQL 13 to known versions      |
|                          |                                          |
| containerd [9]           | New upstream stable release; handle      |
|                          | ambiguous OCI manifest parsing           |
|                          | [CVE-2021-41190]; support  "clone3"  in  |
|                          | default seccomp profile                  |
|                          |                                          |
| curl [10]                | Remove -ffile-prefix-map from curl-      |
|                          | config, fixing co-installability of      |
|                          | libcurl4-gnutls-dev under multiarch      |
|                          |                                          |
| datatables.js [11]       | Fix insufficient escaping of arrays      |
|                          | passed to the HTML escape entities       |
|                          | function [CVE-2021-23445]                |
|                          |                                          |
| debian-edu-config [12]   | pxe-addfirmware: Fix TFTP server path;   |
|                          | improve support for LTSP chroot setup    |
|                          | and maintenance                          |
|                          |                                          |
| debian-edu-doc [13]      | Update Debian Edu Bullseye manual from   |
|                          | the wiki; update translations            |
|                          |                                          |
| debian-installer [14]    | Rebuild against proposed-updates; update |
|                          | kernel ABI to -10                        |
|                          |                                          |
| debian-installer-        | Rebuild against proposed-updates         |
| netboot-images [15]      |                                          |
|                          |                                          |
| distro-info-data [16]    | Update included data for Ubuntu 14.04    |
|                          | and 16.04 ESM; add Ubuntu 22.04 LTS      |
|                          |                                          |
| docker.io [17]           | Fix possible change of host file system  |
|                          | permissions [CVE-2021-41089]; lock down  |
|                          | file permissions in /var/lib/docker      |
|                          | [CVE-2021-41091]; prevent credentials    |
|                          | being sent to the default registry       |
|                          | [CVE-2021-41092]; add support for        |
|                          | "clone3"  syscall in default seccomp     |
|                          | policy                                   |
|                          |                                          |
| edk2 [18]                | Address Boot Guard TOCTOU vulnerability  |
|                          | [CVE-2019-11098]                         |
|                          |                                          |
| freeipmi [19]            | Install pkgconfig files to correct       |
|                          | location                                 |
|                          |                                          |
| gdal [20]                | Fix BAG 2.0 Extract support in LVBAG     |
|                          | driver                                   |
|                          |                                          |
| gerbv [21]               | Fix out-of-bounds write issue [CVE-2021- |
|                          | 40391]                                   |
|                          |                                          |
| gmp [22]                 | Fix integer and buffer overflow issue    |
|                          | [CVE-2021-43618]                         |
|                          |                                          |
| golang-1.15 [23]         | New upstream stable release; fix  "net/  |
|                          | http: panic due to racy read of          |
|                          | persistConn after handler                |
|                          | panic"  [CVE-2021-36221]; fix  "archive/ |
|                          | zip: overflow in preallocation check can |
|                          | cause OOM panic"  [CVE-2021-39293]; fix  |
|                          | buffer over-run issue [CVE-2021-38297],  |
|                          | out of bounds read issue [CVE-2021-      |
|                          | 41771], denial of service issues         |
|                          | [CVE-2021-44716 CVE-2021-44717]          |
|                          |                                          |
| grass [24]               | Fix parsing of GDAL formats where the    |
|                          | description contains a colon             |
|                          |                                          |
| horizon [25]             | Re-enable translations                   |
|                          |                                          |
| htmldoc [26]             | Fix buffer overflow issues [CVE-2021-    |
|                          | 40985 CVE-2021-43579]                    |
|                          |                                          |
| im-config [27]           | Prefer Fcitx5 over Fcitx4                |
|                          |                                          |
| isync [28]               | Fix multiple buffer overflow issues      |
|                          | [CVE-2021-3657]                          |
|                          |                                          |
| jqueryui [29]            | Fix untrusted code execution issues      |
|                          | [CVE-2021-41182 CVE-2021-41183 CVE-2021- |
|                          | 41184]                                   |
|                          |                                          |
| jwm [30]                 | Fix crash when using  "Move"  menu item  |
|                          |                                          |
| keepalived [31]          | Fix overly broad DBus policy [CVE-2021-  |
|                          | 44225]                                   |
|                          |                                          |
| keystone [32]            | Resolve information leak allowing        |
|                          | determination of whether users exist     |
|                          | [CVE-2021-38155]; apply some performance |
|                          | improvements to the default keystone-    |
|                          | uwsgi.ini                                |
|                          |                                          |
| kodi [33]                | Fix buffer overflow in PLS playlists     |
|                          | [CVE-2021-42917]                         |
|                          |                                          |
| libayatana-              | Scale icons when loading from file;      |
| indicator [34]           | prevent regular crashes in indicator     |
|                          | applets                                  |
|                          |                                          |
| libdatetime-timezone-    | Update included data                     |
| perl [35]                |                                          |
|                          |                                          |
| libencode-perl [36]      | Fix a memory leak in Encode.xs           |
|                          |                                          |
| libseccomp [37]          | Add support for syscalls up to Linux     |
|                          | 5.15                                     |
|                          |                                          |
| linux [38]               | New upstream release; increase ABI to    |
|                          | 10; RT: update to 5.10.83-rt58           |
|                          |                                          |
| linux-signed-amd64 [39]  | New upstream release; increase ABI to    |
|                          | 10; RT: update to 5.10.83-rt58           |
|                          |                                          |
| linux-signed-arm64 [40]  | New upstream release; increase ABI to    |
|                          | 10; RT: update to 5.10.83-rt58           |
|                          |                                          |
| linux-signed-i386 [41]   | New upstream release; increase ABI to    |
|                          | 10; RT: update to 5.10.83-rt58           |
|                          |                                          |
| lldpd [42]               | Fix heap overflow issue [CVE-2021-       |
|                          | 43612]; do not set VLAN tag if client    |
|                          | did not set it                           |
|                          |                                          |
| mrtg [43]                | Correct errors in variable names         |
|                          |                                          |
| node-getobject [44]      | Resolve prototype pollution issue        |
|                          | [CVE-2020-28282]                         |
|                          |                                          |
| node-json-schema [45]    | Resolve prototype pollution issue        |
|                          | [CVE-2021-3918]                          |
|                          |                                          |
| open3d [46]              | Ensure that python3-open3d depends on    |
|                          | python3-numpy                            |
|                          |                                          |
| opendmarc [47]           | Fix opendmarc-import; increase maximum   |
|                          | supported length of tokens in ARC_Seal   |
|                          | headers, resolving crashes               |
|                          |                                          |
| plib [48]                | Fix integer overflow issue [CVE-2021-    |
|                          | 38714]                                   |
|                          |                                          |
| plocate [49]             | Fix an issue where non-ASCII characters  |
|                          | would be wrongly escaped                 |
|                          |                                          |
| poco [50]                | Fix installation of CMake files          |
|                          |                                          |
| privoxy [51]             | Fix memory leaks [CVE-2021-44540         |
|                          | CVE-2021-44541 CVE-2021-44542]; fix      |
|                          | cross-site scripting issue [CVE-2021-    |
|                          | 44543]                                   |
|                          |                                          |
| publicsuffix [52]        | Update included data                     |
|                          |                                          |
| python-django [53]       | New upstream security release: fix       |
|                          | potential bypass of an upstream access   |
|                          | control based on URL paths [CVE-2021-    |
|                          | 44420]                                   |
|                          |                                          |
| python-eventlet [54]     | Fix compatibility with dnspython 2       |
|                          |                                          |
| python-virtualenv [55]   | Fix crash when using --no-setuptools     |
|                          |                                          |
| ros-ros-comm [56]        | Fix denial of service issue [CVE-2021-   |
|                          | 37146]                                   |
|                          |                                          |
| ruby-httpclient [57]     | Use system certificate store             |
|                          |                                          |
| rustc-mozilla [58]       | New source package to support building   |
|                          | of newer firefox-esr and thunderbird     |
|                          | versions                                 |
|                          |                                          |
| supysonic [59]           | Symlink jquery instead of loading it     |
|                          | directly; correctly symlink minimized    |
|                          | bootstrap CSS files                      |
|                          |                                          |
| tzdata [60]              | Update data for Fiji and Palestine       |
|                          |                                          |
| udisks2 [61]             | Mount options: Always use                |
|                          | errors=remount-ro for ext filesystems    |
|                          | [CVE-2021-3802]; use the mkfs command to |
|                          | format exfat partitions; add Recommends  |
|                          | exfatprogs as preferred alternative      |
|                          |                                          |
| ulfius [62]              | Fix use of custom allocators with        |
|                          | ulfius_url_decode and ulfius_url_encode  |
|                          |                                          |
| vim [63]                 | Fix heap overflows [CVE-2021-3770        |
|                          | CVE-2021-3778], use after free issue     |
|                          | [CVE-2021-3796]; remove vim-gtk          |
|                          | alternatives during vim-gtk -> vim-gtk3  |
|                          | transition, easing upgrades from buster  |
|                          |                                          |
| wget [64]                | Fix downloads over 2GB on 32-bit systems |
|                          |                                          |
+--------------------------+------------------------------------------+

    1: https://packages.debian.org/src:authheaders
    2: https://packages.debian.org/src:base-files
    3: https://packages.debian.org/src:bpftrace
    4: https://packages.debian.org/src:brltty
    5: https://packages.debian.org/src:btrbk
    6: https://packages.debian.org/src:calibre
    7: https://packages.debian.org/src:chrony
    8: https://packages.debian.org/src:cmake
    9: https://packages.debian.org/src:containerd
   10: https://packages.debian.org/src:curl
   11: https://packages.debian.org/src:datatables.js
   12: https://packages.debian.org/src:debian-edu-config
   13: https://packages.debian.org/src:debian-edu-doc
   14: https://packages.debian.org/src:debian-installer
   15: https://packages.debian.org/src:debian-installer-netboot-images
   16: https://packages.debian.org/src:distro-info-data
   17: https://packages.debian.org/src:docker.io
   18: https://packages.debian.org/src:edk2
   19: https://packages.debian.org/src:freeipmi
   20: https://packages.debian.org/src:gdal
   21: https://packages.debian.org/src:gerbv
   22: https://packages.debian.org/src:gmp
   23: https://packages.debian.org/src:golang-1.15
   24: https://packages.debian.org/src:grass
   25: https://packages.debian.org/src:horizon
   26: https://packages.debian.org/src:htmldoc
   27: https://packages.debian.org/src:im-config
   28: https://packages.debian.org/src:isync
   29: https://packages.debian.org/src:jqueryui
   30: https://packages.debian.org/src:jwm
   31: https://packages.debian.org/src:keepalived
   32: https://packages.debian.org/src:keystone
   33: https://packages.debian.org/src:kodi
   34: https://packages.debian.org/src:libayatana-indicator
   35: https://packages.debian.org/src:libdatetime-timezone-perl
   36: https://packages.debian.org/src:libencode-perl
   37: https://packages.debian.org/src:libseccomp
   38: https://packages.debian.org/src:linux
   39: https://packages.debian.org/src:linux-signed-amd64
   40: https://packages.debian.org/src:linux-signed-arm64
   41: https://packages.debian.org/src:linux-signed-i386
   42: https://packages.debian.org/src:lldpd
   43: https://packages.debian.org/src:mrtg
   44: https://packages.debian.org/src:node-getobject
   45: https://packages.debian.org/src:node-json-schema
   46: https://packages.debian.org/src:open3d
   47: https://packages.debian.org/src:opendmarc
   48: https://packages.debian.org/src:plib
   49: https://packages.debian.org/src:plocate
   50: https://packages.debian.org/src:poco
   51: https://packages.debian.org/src:privoxy
   52: https://packages.debian.org/src:publicsuffix
   53: https://packages.debian.org/src:python-django
   54: https://packages.debian.org/src:python-eventlet
   55: https://packages.debian.org/src:python-virtualenv
   56: https://packages.debian.org/src:ros-ros-comm
   57: https://packages.debian.org/src:ruby-httpclient
   58: https://packages.debian.org/src:rustc-mozilla
   59: https://packages.debian.org/src:supysonic
   60: https://packages.debian.org/src:tzdata
   61: https://packages.debian.org/src:udisks2
   62: https://packages.debian.org/src:ulfius
   63: https://packages.debian.org/src:vim
   64: https://packages.debian.org/src:wget

Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+----------------+----------------------------+
| Advisory ID    | Package                    |
+----------------+----------------------------+
| DSA-4980 [65]  | qemu [66]                  |
|                |                            |
| DSA-4981 [67]  | firefox-esr [68]           |
|                |                            |
| DSA-4982 [69]  | apache2 [70]               |
|                |                            |
| DSA-4983 [71]  | neutron [72]               |
|                |                            |
| DSA-4984 [73]  | flatpak [74]               |
|                |                            |
| DSA-4985 [75]  | wordpress [76]             |
|                |                            |
| DSA-4986 [77]  | tomcat9 [78]               |
|                |                            |
| DSA-4987 [79]  | squashfs-tools [80]        |
|                |                            |
| DSA-4988 [81]  | libreoffice [82]           |
|                |                            |
| DSA-4989 [83]  | strongswan [84]            |
|                |                            |
| DSA-4992 [85]  | php7.4 [86]                |
|                |                            |
| DSA-4994 [87]  | bind9 [88]                 |
|                |                            |
| DSA-4995 [89]  | webkit2gtk [90]            |
|                |                            |
| DSA-4996 [91]  | wpewebkit [92]             |
|                |                            |
| DSA-4998 [93]  | ffmpeg [94]                |
|                |                            |
| DSA-5002 [95]  | containerd [96]            |
|                |                            |
| DSA-5003 [97]  | ldb [98]                   |
|                |                            |
| DSA-5003 [99]  | samba [100]                |
|                |                            |
| DSA-5004 [101] | libxstream-java [102]      |
|                |                            |
| DSA-5007 [103] | postgresql-13 [104]        |
|                |                            |
| DSA-5008 [105] | node-tar [106]             |
|                |                            |
| DSA-5009 [107] | tomcat9 [108]              |
|                |                            |
| DSA-5010 [109] | libxml-security-java [110] |
|                |                            |
| DSA-5011 [111] | salt [112]                 |
|                |                            |
| DSA-5013 [113] | roundcube [114]            |
|                |                            |
| DSA-5016 [115] | nss [116]                  |
|                |                            |
| DSA-5017 [117] | xen [118]                  |
|                |                            |
| DSA-5019 [119] | wireshark [120]            |
|                |                            |
| DSA-5020 [121] | apache-log4j2 [122]        |
|                |                            |
| DSA-5022 [123] | apache-log4j2 [124]        |
|                |                            |
+----------------+----------------------------+
65: https://www.debian.org/security/2021/dsa-4980
66: https://packages.debian.org/src:qemu
67: https://www.debian.org/security/2021/dsa-4981
68: https://packages.debian.org/src:firefox-esr
69: https://www.debian.org/security/2021/dsa-4982
70: https://packages.debian.org/src:apache2
71: https://www.debian.org/security/2021/dsa-4983
72: https://packages.debian.org/src:neutron
73: https://www.debian.org/security/2021/dsa-4984
74: https://packages.debian.org/src:flatpak
75: https://www.debian.org/security/2021/dsa-4985
76: https://packages.debian.org/src:wordpress
77: https://www.debian.org/security/2021/dsa-4986
78: https://packages.debian.org/src:tomcat9
79: https://www.debian.org/security/2021/dsa-4987
80: https://packages.debian.org/src:squashfs-tools
81: https://www.debian.org/security/2021/dsa-4988
82: https://packages.debian.org/src:libreoffice
83: https://www.debian.org/security/2021/dsa-4989
84: https://packages.debian.org/src:strongswan
85: https://www.debian.org/security/2021/dsa-4992
86: https://packages.debian.org/src:php7.4
87: https://www.debian.org/security/2021/dsa-4994
88: https://packages.debian.org/src:bind9
89: https://www.debian.org/security/2021/dsa-4995
90: https://packages.debian.org/src:webkit2gtk
91: https://www.debian.org/security/2021/dsa-4996
92: https://packages.debian.org/src:wpewebkit
93: https://www.debian.org/security/2021/dsa-4998
94: https://packages.debian.org/src:ffmpeg
95: https://www.debian.org/security/2021/dsa-5002
96: https://packages.debian.org/src:containerd
97: https://www.debian.org/security/2021/dsa-5003
98: https://packages.debian.org/src:ldb
99: https://www.debian.org/security/2021/dsa-5003
100: https://packages.debian.org/src:samba
101: https://www.debian.org/security/2021/dsa-5004
102: https://packages.debian.org/src:libxstream-java
103: https://www.debian.org/security/2021/dsa-5007
104: https://packages.debian.org/src:postgresql-13
105: https://www.debian.org/security/2021/dsa-5008
106: https://packages.debian.org/src:node-tar
107: https://www.debian.org/security/2021/dsa-5009
108: https://packages.debian.org/src:tomcat9
109: https://www.debian.org/security/2021/dsa-5010
110: https://packages.debian.org/src:libxml-security-java
111: https://www.debian.org/security/2021/dsa-5011
112: https://packages.debian.org/src:salt
113: https://www.debian.org/security/2021/dsa-5013
114: https://packages.debian.org/src:roundcube
115: https://www.debian.org/security/2021/dsa-5016
116: https://packages.debian.org/src:nss
117: https://www.debian.org/security/2021/dsa-5017
118: https://packages.debian.org/src:xen
119: https://www.debian.org/security/2021/dsa-5019
120: https://packages.debian.org/src:wireshark
121: https://www.debian.org/security/2021/dsa-5020
122: https://packages.debian.org/src:apache-log4j2
123: https://www.debian.org/security/2021/dsa-5022
124: https://packages.debian.org/src:apache-log4j2

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.


URLs
----

The complete lists of packages that have changed with this revision:

https://deb.debian.org/debian/dists/bullseye/ChangeLog


The current stable distribution:

https://deb.debian.org/debian/dists/stable/


Proposed updates to the stable distribution:

https://deb.debian.org/debian/dists/proposed-updates


stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/


Security announcements and information:

https://www.debian.org/security/



About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.


Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.
Typo perfectionish.


"The advice given above is all good, and just because a new message has appeared it does not mean that a problem has arisen, just that a new gremlin hiding in the hardware has been exposed." - FreewheelinFrank

Post Reply