[Announcement] [SUA 242-1] Upcoming Debian 12 Update (12.2)

donald
Debian Developer, Site Admin
Posts: 1106
Joined: 2021-03-30 20:08
Has thanked: 189 times
Been thanked: 248 times

[Announcement] [SUA 242-1] Upcoming Debian 12 Update (12.2)

#1 Post by donald »

----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 242-1 https://www.debian.org/
debian-release@lists.debian.org Jonathan Wiltshire
October 3rd, 2023
----------------------------------------------------------------------------

Upcoming Debian 12 Update (12.2)

An update to Debian 12 is scheduled for Saturday, Oct 7th, 2023. As of now
it will include the following bug fixes. They can be found in "bookworm-
proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bookworm-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package                    Reason
-------                    ------

amd64-microcode            Update included microcode, including fixes for
                           "AMD Inception" on AMD Zen4 processors
                           [CVE-2023-20569]

arctica-greeter            Support configuring the onscreen keyboard theme
                           via ArcticaGreeter's gsettings; use 'Compact'
                           OSK layout (instead of Small) which includes
                           special keys such as German Umlauts; fix
                           display of authentication failure messages; use
                           active theme rather than emerald

autofs                     Fix regression determining reachability on
                           dual-stack hosts

base-files                 Update for the 12.2 point release

batik                      Fix Server Side Request Forgery issues
                           [CVE-2022-44729 CVE-2022-44730]

boxer-data                 No longer install https-everywhere for Firefox

brltty                     Xbrlapi: Do not try to start brltty with ba+a2
                           when unavailable; fix cursor routing and
                           braille panning in Orca when xbrlapi is
                           installed but the a2 screen driver is not

ca-certificates-java       Work around unconfigured JRE during new
                           installations

cairosvg                   Handle data: URLs in safe mode

calibre                    Fix export feature

clamav                     New upstream stable release; security fixes
                           [CVE-2023-20197 CVE-2023-20212]

cryptmount                 Avoid memory initialisation issues in command
                           line parser

cups                       Fix heap-based buffer overflow issue
                           [CVE-2023-4504]; fix unauthenticated access
                           issue [CVE-2023-32360]

curl                       Build with OpenLDAP to correct improper fetch
                           of binary LDAP attributes; fix excessive memory
                           consumption issue [CVE-2023-38039]

cyrus-imapd                Ensure mailboxes are not lost on upgrades from
                           bullseye

dar                        Fix issues with creating isolated catalogs when
                           dar was built using a recent gcc version

dbus                       New upstream stable release; fix a dbus-daemon
                           crash during policy reload if a connection
                           belongs to a user account that has been
                           deleted, or if a Name Service Switch plugin is
                           broken, on kernels not supporting
                           SO_PEERGROUPS; report the error correctly if
                           getting the groups of a uid fails; dbus-user-
                           session: Copy XDG_CURRENT_DESKTOP to activation
                           environment

debian-archive-keyring     Clean up leftover keyrings in trusted.gpg.d

debian-edu-doc             Update Debian Edu Bookworm manual

debian-edu-install         New upstream release; adjust D-I auto-
                           partitioning sizes

debian-installer           Increase Linux kernel ABI to 6.1.0-13; rebuild
                           against proposed-updates

debian-parl                Rebuild with newer boxer-data; no longer depend
                           on webext-https-everywhere

debianutils                Fix duplicate entries in /etc/shells; manage
                           /bin/sh in the state file; fix canonicalization
                           of shells in aliased locations

dgit                       Use the old /updates security map only for
                           buster; prevent pushing older versions than are
                           already in the archive

dhcpcd5                    Ease upgrades with leftovers from wheezy; drop
                           deprecated ntpd integration; fix version in
                           cleanup script

dpdk                       New upstream stable release

dput-ng                    Update permitted upload targets; fix failure to
                           build from source

efibootguard               Fix Insufficient or missing validation and
                           sanitization of input from untrustworthy
                           bootloader environment files [CVE-2023-39950]

electrum                   Fix a Lightning security issue

filezilla                  Fix builds for 32-bit architectures; fix crash
                           when removing filetypes from list

firewalld                  Don't mix IPv4 and IPv6 addresses in a single
                           nftables rule

flann                      Drop extra -llz4 from flann.pc

foot                       Ignore XTGETTCAP queries with invalid hex
                           encodings

freedombox                 Use n= in apt preferences for smooth upgrades

freeradius                 Ensure TLS-Client-Cert-Common-Name contains
                           correct data

ghostscript                Fix buffer overflow issue [CVE-2023-38559]; try
                           and secure the IJS server startup
                           [CVE-2023-43115]

gitit                      Rebuild against new pandoc

gjs                        Avoid infinite loops of idle callbacks if an
                           idle handler is called during GC

glibc                      Fix the value of F_GETLK/F_SETLK/F_SETLKW with
                           __USE_FILE_OFFSET64 on ppc64el; fix a stack
                           read overflow in getaddrinfo in no-aaaa mode
                           [CVE-2023-4527]; fix use after free in
                           getcanonname [CVE-2023-4806 CVE-2023-5156]; fix
                           _dl_find_object to return correct values even
                           during early startup

gosa-plugins-netgroups     Silence deprecation warnings in web interface

gosa-plugins-systems       Fix management of DHCP/DNS entries in default
                           theme; fix adding (standalone) "Network
                           printer" systems; fix generation of target DNs
                           for various system types; fix icon rendering in
                           DHCP servlet; enforce unqualified hostname for
                           workstations

gtk+3.0                    New upstream stable release; fix several
                           crashes; show more information in the
                           "inspector" debugging interface; silence
                           GFileInfo warnings if used with a backported
                           version of GLib; use a light colour for the
                           caret in dark themes, making it much easier to
                           see in some apps, in particular Evince

gtk4                       Fix truncation in places sidebar with large
                           text accessibility setting

haskell-hakyll             Rebuild against new pandoc

highway                    Fix support for armhf systems lacking NEON

hnswlib                    Fix double free in init_index when the M
                           argument is a large integer [CVE-2023-37365]

horizon                    Fix open redirect issue [CVE-2022-45582]

icingaweb2                 Suppress undesirable deprecation notices

imlib2                     Fix preservation of alpha channel flag

indent                     Fix out of buffer read; fix buffer overwrite
                           [CVE-2023-40305]

inetutils                  Check return values when dropping privileges
                           [CVE-2023-40303]

inn2                       Fix nnrpd hangs when compression is enabled;
                           add support for high-precision syslog
                           timestamps; make inn-{radius,secrets}.conf not
                           world readable

jekyll                     Support YAML aliases

kernelshark                Fix segfault in libshark-tepdata; fix capturing
                           when target directory contains a space

krb5                       Fix freeing of uninitialised pointer
                           [CVE-2023-36054]

lemonldap-ng               Apply login control to auth-slave requests; fix
                           open redirection due to incorrect escape
                           handling; fix open redirection when OIDC RP has
                           no redirect URIs; fix Server Side Request
                           Forgery issue [CVE-2023-44469]

libapache-mod-jk           Remove implicit mapping functionality, which
                           could lead to unintended exposure of the status
                           worker and/or bypass of security constraints
                           [CVE-2023-41081]

libclamunrar               New upstream stable release

libmatemixer               Fix heap corruptions / application crashes when
                           removing audio devices

libpam-mklocaluser         pam-auth-update: ensure the module is ordered
                           before other session type modules

libxnvctrl                 New source package split from nvidia-settings

linux                      New upstream stable release

linux-signed-amd64         New upstream stable release

linux-signed-arm64         New upstream stable release

linux-signed-i386          New upstream stable release

llvm-defaults              Fix /usr/include/lld symlink; add Breaks
                           against not co-installable packages for
                           smoother upgrades from bullseye

ltsp                       Avoid using mv on init symlink

lxc                        Fix nftables syntax for IPv6 NAT

lxcfs                      Fix CPU reporting within an arm32 container
                           with large numbers of CPUs

marco                      Only enable compositing if it is available

mariadb                    New upstream bugfix release

mate-notification-daemon   Fix two memory leaks

mgba                       Fix broken audio in libretro core; fix crash on
                           hardware incapable of OpenGL 3.2

modsecurity                Fix denial of service issue [CVE-2023-38285]

monitoring-plugins         Check_disk: avoid mounting when searching for
                           matching mount points, resolving a regression
                           in speed from bullseye

mozjs102                   New upstream stable release; fix "incorrect
                           value used during WASM compilation"
                           [CVE-2023-4046], potential use after free issue
                           [CVE-2023-37202], memory safety issues
                           [CVE-2023-37211 CVE-2023-34416]

mutt                       New upstream stable release

nco                        Re-enable udunits2 support

nftables                   Fix incorrect bytecode generation hit with new
                           kernel check that rejects adding rules to bound
                           chains

node-dottie                Security fix (prototype pollution)
                           [CVE-2023-26132]

nvidia-settings-tesla      New upstream bugfix release

nx-libs                    Fix missing symlink /usr/share/nx/fonts; fix
                           manual page

open-ath9k-htc-firmware    Load correct firmware

openbsd-inetd              Fix memory handling issues

openrefine                 Fix arbitrary code execution issue
                           [CVE-2023-37476]

openscap                   Fix dependencies of openscap-utils and
                           python3-openscap

openssh                    Fix remote code execution issue via a forwarded
                           agent socket [CVE-2023-38408]

openssl                    New upstream stable release; security fixes
                           [CVE-2023-2975 CVE-2023-3446 CVE-2023-3817];
                           new upstream stable release

pam                        Fix pam-auth-update --disable; update Turkish
                           translation

pandoc                     Fix arbitrary file write issue [CVE-2023-35936]

plasma-framework           Fix plasmashell crashes

plasma-workspace           Fix crash in krunner

python-git                 Fix remote code execution issue
                           [CVE-2023-40267], blind local file inclusion
                           issue [CVE-2023-41040]

pywinrm                    Fix compatibility with Python 3.11

qemu                       Update to upstream 7.2.5 tree; ui/vnc-
                           clipboard: fix infinite loop in inflate_buffer
                           [CVE-2023-3255]; fix NULL pointer dereference
                           issue [CVE-2023-3354]; fix buffer overflow
                           issue [CVE-2023-3180]

qtlocation-opensource-src  Fix freeze when loading map tiles

rar                        Upstream bugfix release [CVE-2023-40477]

reprepro                   Fix race condition when using external
                           decompressors

rmlint                     Fix error in other packages caused by invalid
                           python package version; fix GUI startup failure
                           with recent python3.11

roundcube                  New upstream stable release; fix OAuth2
                           authentication; fix cross site scripting issues
                           [CVE-2023-43770]

runit-services             Dhclient: don't hardcode use of eth1

samba                      New upstream stable release

sitesummary                New upstream release; fix installation of
                           sitesummary-maintenance CRON/systemd-timerd
                           script; fix insecure temporary file and
                           directory creation

slbackup-php               Bug fixes: log remote commands to stderr;
                           disable SSH known hosts files; PHP 8
                           compatibility

spamprobe                  Fix crashes parsing JPEG attachments

stunnel4                   Fix handling of a peer closing TLS connection
                           without proper shutdown messaging

systemd                    New upstream bugfix release; new upstream
                           stable release; fix minor security issue in
                           arm64 and riscv64 systemd-boot (EFI) with
                           device tree blobs loading

testng7                    Backport to stable for future openjdk-17 builds

timg                       Fix buffer overflow vulnerability
                           [CVE-2023-40968]

transmission               Replace openssl3 compat patch to fix memory
                           leak

unbound                    Fix error log flooding when using DNS over TLS
                           with openssl 3.0

unrar-nonfree              Fix remote code execution issue
                           [CVE-2023-40477]

vorta                      Handle ctime and mtime changes in diffs

vte2.91                    Invalidate ring view more often when necessary,
                           fixing various assertion failures during event
                           handling

x2goserver                 X2goruncommand: add support for KDE Plasma 5;
                           x2gostartagent: prevent logfile corruption;
                           keystrokes.cfg: sync with nx-libs; fix encoding
                           of Finnish translation

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

<https://release.debian.org/proposed-updates/stable.html>


Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                    Reason
-------                    ------

https-everywhere           RoM; obsolete, major browsers offer native
                           support


If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
Typo perfectionish.


"The advice given above is all good, and just because a new message has appeared it does not mean that a problem has arisen, just that a new gremlin hiding in the hardware has been exposed." - FreewheelinFrank

Fossy
df -h | participant
Posts: 342
Joined: 2021-08-06 12:45
Has thanked: 34 times
Been thanked: 31 times

Re: [Announcement] [SUA 242-1] Upcoming Debian 12 Update (12.2)

#2 Post by Fossy »

Upgrade done on 5 laptops, proceeded smoothly, nothing to report:
https://www.debian.org/News/2023/20231007

bookworm@bookworm-k54hr:~$ cat /etc/debian_version 
12.2
bookworm@bookworm-k54hr:~$ 
Last edited by Fossy on 2023-10-08 10:55, edited 2 times in total.
ASUS GL753VD / X550LD / K54HR / X751LAB ( x2 )
Bookworm12.5_Cinnamon / Calamares Single Boot installations
Firefox ESR / DuckDuckGo / Thunderbird / LibreOffice / GIMP / eID Software

https://cdimage.debian.org/debian-cd/cu ... so-hybrid/

donald
Debian Developer, Site Admin
Posts: 1106
Joined: 2021-03-30 20:08
Has thanked: 189 times
Been thanked: 248 times

Re: [Announcement] [SUA 242-1] Upcoming Debian 12 Update (12.2)

#3 Post by donald »

Released today, download on the front page is live.

felipsmartins
Posts: 2
Joined: 2023-10-12 21:03
Been thanked: 1 time

Re: [Announcement] [SUA 242-1] Upcoming Debian 12 Update (12.2)

#4 Post by felipsmartins »

I wonder why I did not receive this update, even though my other PC received the 12.2 update. Both PCs have the same source.list
