Debian Stable Updates Announcement SUA 241-1 https://www.debian.org/
debian-release@lists.debian.org Adam D. Barratt
October 2nd, 2023
----------------------------------------------------------------------------
Upcoming Debian 11 Update (11.
An update to Debian 11 is scheduled for Saturday, October 7th, 2023. As of now
it will include the following bug fixes. They can be found in "bullseye-
proposed-updates", which is carried by all official mirrors.
Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bullseye-updates".
Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.
The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------
This oldstable update adds a few important corrections to the following
packages:
Package Reason
------- ------
adduser Fix command injection vulnerability in deluser
aide Fix handling of extended attributes on symlinks
amd64-microcode Update included microcode, including fixes for
"AMD Inception" on AMD Zen4 processors
[CVE-2023-20569]
appstream-glib Handle <em> and <code> tags in metadata
asmtools Backport to bullseye for future openjdk-11
builds
autofs Fix missing mutex unlock; do not use rpcbind
for NFS4 mounts; fix regression determining
reachability on dual-stack hosts
base-files Update for the 11.8 point release
batik Fix Server Side Request Forgery issues
[CVE-2022-44729 CVE-2022-44730]
bmake Conflict with bsdowl (<< 2.2.2-1.2~) to ensure
smooth upgrades
boxer-data Backport thunderbird compatibility fixes
ca-certificates-java Work around unconfigured JRE during new
installations
cairosvg Handle data: URLs in safe mode
cargo-mozilla New "upstream" version, to support building
newer firefox-esr versions
clamav New upstream stable release; fix denial of
service issue via HFS+ parser [CVE-2023-20197]
cpio Fix arbitrary code execution issue
[CVE-2021-38185]; replace Suggests: on
libarchive1 with libarchive-dev
cryptmount Fix memory-initialization in command-line
parser
cups Fix heap-based buffer overflow issues
[CVE-2023-4504 CVE-2023-32324], unauthenticated
access issue [CVE-2023-32360], use-after-free
issue [CVE-2023-34241]
curl Fix code execution issues [CVE-2023-27533
CVE-2023-27534], information disclosure issues
[CVE-2023-27535 CVE-2023-27536 CVE-2023-28322],
inappropriate connection re-use issue
[CVE-2023-27538], improper certificate validation
issue [CVE-2023-28321]
dbus New upstream stable release; fix denial of
service issue [CVE-2023-34969]
debian-design Rebuild using newer boxer-data
debian-parl Rebuild using newer boxer-data
debian-security-support Set DEB_NEXT_VER_ID=12 as bookworm is the next
release; security-support-limited: add gnupg1
distro-info-data Add Debian 14 "forky"; correct Ubuntu 23.04
release date; add Ubuntu 23.10 Mantic Minotaur;
add the planned release date for Debian
bookworm
dkimpy New upstream bugfix release
dpdk New upstream stable release
dpkg Add support for loong64 CPU; handle missing
Version when formatting source:Upstream-
Version; fix varbuf memory leak in
pkg_source_version()
flameshot Disable uploads to imgur by default; fix name
of d/NEWS file in previous upload
ghostscript Fix buffer overflow issue [CVE-2023-38559]; try
and secure the IJS server startup
[CVE-2023-43115]
gitit Rebuild against new pandoc
grunt Fix race condition in symlink copying
[CVE-2022-1537]
gss Add Breaks+Replaces: libgss0 (<< 0.1)
haskell-hakyll Rebuild against new pandoc
haskell-pandoc-citeproc Rebuild against new pandoc
hnswlib Fix double free in init_index when the M
argument is a large integer [CVE-2023-37365]
horizon Fix open redirect issue [CVE-2022-45582]
inetutils Check return values for set*id() functions,
avoiding potential security issues
[CVE-2023-40303]
knewstuff Ensure correct ProvidersUrl to fix denial of
service
krb5 Fix free of uninitialised pointer
[CVE-2023-36054]
kscreenlocker Fix authentication error when using PAM
lacme Handle CA ready, processing and valid states
correctly
lapack Fix eigenvector matrix
lemonldap-ng Fix open redirection when OIDC RP has no
redirect URIs; fix Server Side Request Forgery
issue [CVE-2023-44469]; fix open redirection
due to incorrect escape handling
libapache-mod-jk Remove implicit mapping functionality, which
could lead to unintended exposure of the status
worker and/or bypass of security constraints
[CVE-2023-41081]
libbsd Fix infinite loop in MD5File
libclamunrar New upstream stable release
libprelude Make Python module usable
libreswan Fix denial of service issue [CVE-2023-30570]
libsignal-protocol-c Fix integer overflow issue [CVE-2022-48468]
linux New upstream stable release
linux-signed-amd64 New upstream stable release
linux-signed-arm64 New upstream stable release
linux-signed-i386 New upstream stable release
logrotate Avoid replacement of /dev/null with a regular
file if used for the state file
ltsp Avoid using "mv" on init symlink in order to
work around overlayfs issue
lttng-modules Fix build issues with newer kernel versions
lua5.3 Fix use after free in lua_upvaluejoin (lapi.c)
[CVE-2019-6706]; fix segmentation fault in
getlocal and setlocal (ldebug.c)
[CVE-2020-24370]
mariadb-10.5 New upstream bugfix release [CVE-2022-47015]
mujs Security fix
ncurses Disallow loading of custom terminfo entries in
setuid/setgid programs [CVE-2023-29491]
node-css-what Fix regular expression-based denial of service
issue [CVE-2022-21222 CVE-2021-33587]
node-json5 Fix prototype pollution issue [CVE-2022-46175]
node-tough-cookie Security fix: prototype pollution
[CVE-2023-26136]
nvidia-graphics-drivers New upstream release [CVE-2023-25515
CVE-2023-25516]; improve compatibility with
recent kernels
nvidia-graphics-drivers- New upstream release [CVE-2023-25515
tesla-450 CVE-2023-25516]
nvidia-graphics-drivers- New upstream release [CVE-2023-25515
tesla-470 CVE-2023-25516]
openblas Fix results of DGEMM on AVX512-capable
hardware, when the package has been built on
pre-AVX2 hardware
openssh Fix remote code execution issue via a forwarded
agent socket [CVE-2023-38408]
openssl New upstream stable relase
org-mode Fix command injection vulnerability
[CVE-2023-28617]
pandoc Fix arbitrary file write issues [CVE-2023-35936
CVE-2023-38745]
pev Fix buffer overflow issue [CVE-2021-45423]
php-guzzlehttp-psr7 Fix improper input validation [CVE-2023-29197]
php-nyholm-psr7 Fix improper input validation issue
[CVE-2023-29197]
plasma-desktop Fix denial of service bug in discover
postgis Fix axis order regression
protobuf Security fixes: DoS in Java [CVE-2021-22569];
NULL pointer dereference [CVE-2021-22570];
memory DoS [CVE-2022-1941]
python2.7 Fix "parameter cloaking" issue
[CVE-2021-23336], URL injection issue
[CVE-2022-0391], use-after-free issue
[CVE-2022-48560], XML External Entity issue
[CVE-2022-48565]; improve constant-time
comparisons in compare_digest()
[CVE-2022-48566]; improve URL parsing
[CVE-2023-24329]; prevent reading
unauthenticated data on an SSLSocket
[CVE-2023-40217]
qemu Fix infinite loop [CVE-2020-14394], NULL pointer
reference issue [CVE-2021-20196], integer
overflow issue [CVE-2021-20203], buffer
overflow issues [CVE-2021-3507 CVE-2023-3180],
denial of service issues [CVE-2021-3930
CVE-2023-3301], use-after-free issue
[CVE-2022-0216], possible stack overflow and
use-after-free issues [CVE-2023-0330], out-of-
bounds read issue [CVE-2023-1544]
rar New upstream release; fix directory traversal
issue [CVE-2022-30333]; fix arbitrary code
execution issue [CVE-2023-40477]
rhonabwy Fix aesgcm buffer overflow [CVE-2022-32096]
roundcube New upstream stable release; fix cross-site
scripting issue [CVE-2023-43770]; Enigma: Fix
initial synchronization of private keys
rust-cbindgen New "upstream" version, to support building
newer firefox-esr versions
rustc-mozilla New "upstream" version, to support building
newer firefox-esr versions
schleuder Add versioned dependency on ruby-activerecord
sgt-puzzles Fix various security issues in game loading
[CVE-2023-24283 CVE-2023-24284 CVE-2023-24285
CVE-2023-24287 CVE-2023-24288 CVE-2023-24291]
spip Several security fixes
spyder Fix broken patch in previous update
systemd udev: fix creating /dev/serial/by-id/ symlinks
for USB devices; fix memory leak on daemon-
reload; fix a calendar spec calculation hang on
DST change if TZ=Europe/Dublin
tang Fix race condition when creating/rotating keys;
assert restrictive permissions on key directory
[CVE-2023-1672]; make tangd-rotate-keys
executable
testng7 Backport to oldstable for future openjdk-17
builds
tinyssh Work around incoming packets which don't honour
max packet length
unrar-nonfree Fix file overwrite issue [CVE-2022-48579]; fix
remote code execution issue [CVE-2023-40477]
xen New upstream stable release; fix security
issues [CVE-2023-20593 CVE-2023-20569
CVE-2022-40982]
yajl Memory leak security fix; security fixes:
potential denial of service with crafted JSON
file [CVE-2017-16516]; heap memory corruption
when dealing with large (~2GB) inputs
[CVE-2022-24795]; fix incomplete patch for
CVE-2023-33460
A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:
<https://release.debian.org/proposed-upd ... table.html>
Removed packages
----------------
The following packages will be removed due to circumstances beyond our
control:
Package Reason
------- ------
atlas-cpp Unstable upstream, unsuitable for Debian
ember-media Unstable upstream, unsuitable for Debian
eris Unstable upstream, unsuitable for Debian
libwfut Unstable upstream, unsuitable for Debian
mercator Unstable upstream, unsuitable for Debian
skstream Unstable upstream, unsuitable for Debian
varconf Unstable upstream, unsuitable for Debian
wfmath Unstable upstream, unsuitable for Debian
If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
