Updated Debian 11: 11.7 released

April 29th, 2023

The Debian project is pleased to announce the seventh update of its stable distribution Debian 11 (codename bullseye). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 11 but only updates some of the packages included. There is no need to throw away old bullseye media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package	Reason
akregator	Fix validity checks, including fixing deletion of feeds and folders
apache2	Don't automatically enable apache2-doc.conf; fix regressions in http2 and mod_rewrite introduced in 2.4.56
at-spi2-core	Set stop timeout to 5 seconds, so as not to needlessly block system shutdowns
avahi	Fix local denial of service issue [CVE-2021-3468]
base-files	Update for the 11.7 point release
c-ares	Prevent stack overflow and denial of service [CVE-2022-4904]
clamav	New upstream stable release; fix possible remote code execution issue in the HFS+ file parser [CVE-2023-20032], possible information leak in the DMG file parser [CVE-2023-20052]
command-not-found	Add new non-free-firmware component, fixing upgrades to bookworm
containerd	Fix denial of service issue [CVE-2023-25153]; fix possible privilege escalation via incorrect setup of supplementary groups [CVE-2023-25173]
crun	Fix capability escalation issue due to containers being incorrectly started with non-empty default permissions [CVE-2022-27650]
cwltool	Add missing dependency on python3-distutils
debian-archive-keyring	Add bookworm keys; move stretch keys to the removed keyring
debian-installer	Increase Linux kernel ABI to 5.10.0-22; rebuild against proposed-updates
debian-installer-netboot-images	Rebuild against proposed-updates
debian-ports-archive-keyring	Extend the 2023 signing key's expiration by one year; add 2024 signing key; move 2022 signing key to the removed keyring
dpdk	New upstream stable release
duktape	Fix crash issue [CVE-2021-46322]
e2tools	Fix build failure by adding build dependency on e2fsprogs
erlang	Fix client authentication bypass issue [CVE-2022-37026]; use -O1 optimization for armel because -O2 makes erl segfault on certain platforms, e.g. Marvell
exiv2	Security fixes [CVE-2021-29458 CVE-2021-29463 CVE-2021-29464 CVE-2021-29470 CVE-2021-29473 CVE-2021-29623 CVE-2021-32815 CVE-2021-34334 CVE-2021-34335 CVE-2021-3482 CVE-2021-37615 CVE-2021-37616 CVE-2021-37618 CVE-2021-37619 CVE-2021-37620 CVE-2021-37621 CVE-2021-37622 CVE-2021-37623]
flask-security	Fix open redirect vulnerability [CVE-2021-23385]
flatpak	New upstream stable release; escape special characters when displaying permissions and metadata [CVE-2023-28101]; don't allow copy/paste via the TIOCLINUX ioctl when running in a Linux virtual console [CVE-2023-28100]
galera-3	New upstream stable release
ghostscript	Fix path for PostScript helper file in ps2epsi
glibc	Fix memory leak in printf-family functions with long multibyte strings; fix crash in printf-family due to width/precision-dependent allocations; fix segfault in printf handling thousands separator; fix overflow in the AVX2 implementation of wcsnlen when crossing pages
golang-github-containers-common	Fix parsing of DBUS_SESSION_BUS_ADDRESS
golang-github-containers-psgo	Do not enter the process user namespace [CVE-2022-1227]
golang-github-containers-storage	Make previously internal functions publicly accessible, required to allow fixing CVE-2022-1227 in other packages
golang-github-prometheus-exporter-toolkit	Patch tests to avoid race condition; fix authentication cache poisoning issue [CVE-2022-46146]
grep	Fix incorrect matching when the last of multiple patterns includes a backreference
gtk+3.0	Fix Wayland + EGL on GLES-only platforms
guix	Fix build failure due to expired keys used in test suite
intel-microcode	New upstream bug-fix release
isc-dhcp	Fix IPv6 address lifetime handling
jersey1	Fix build failure with libjettison-java 1.5.3
joblib	Fix arbitrary code execution issue [CVE-2022-21797]
lemonldap-ng	Fix URL validation bypass issue; fix 2FA issue when using AuthBasic handler [CVE-2023-28862]
libapache2-mod-auth-openidc	Fix open redirect issue [CVE-2022-23527]
libapreq2	Fix buffer overflow issue [CVE-2022-22728]
libdatetime-timezone-perl	Update included data
libexplain	Enhance compatibility with newer kernel versions - Linux 5.11 no longer has if_frad.h, termiox removed since kernel 5.12
libgit2	Enable SSH key verification by default [CVE-2023-22742]
libpod	Fix privilege escalation issue [CVE-2022-1227]; fix capability escalation issue due to containers being incorrectly started with non-empty default permissions [CVE-2022-27649]; fix parsing of DBUS_SESSION_BUS_ADDRESS
libreoffice	Change Croatia's default currency to Euro; avoid empty -Djava.class.path= [CVE-2022-38745]
libvirt	Fix container reboot-related issues; fix test failures when combined with newer Xen versions
libxpm	Fix infinite loop issues [CVE-2022-44617 CVE-2022-46285]; fix double free issue in error handling code; fix compression commands depend on PATH [CVE-2022-4883]
libzen	Fix null pointer dereference issue [CVE-2020-36646]
linux	New upstream stable release; increase ABI to 22; [rt] update to 5.10.176-rt86
linux-signed-amd64	New upstream stable release; increase ABI to 22; [rt] update to 5.10.176-rt86
linux-signed-arm64	New upstream stable release; increase ABI to 22; [rt] update to 5.10.176-rt86
linux-signed-i386	New upstream stable release; increase ABI to 22; [rt] update to 5.10.176-rt86
lxc	Fix file existence oracle [CVE-2022-47952]
macromoleculebuilder	Fix build failure by adding build dependency on docbook-xsl
mariadb-10.5	New upstream stable release; revert upstream libmariadb API change
mono	Remove desktop file
ncurses	Guard against corrupt terminfo data [CVE-2022-29458]; fix tic crash on very long tc/use clauses
needrestart	Fix warnings when using -b option
node-cookiejar	Guard against maliciously-sized cookies [CVE-2022-25901]
node-webpack	Avoid cross-realm object access [CVE-2023-28154]
nvidia-graphics-drivers	New upstream release; security fixes [CVE-2023-0180 CVE-2023-0184 CVE-2023-0185 CVE-2023-0187 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199]
nvidia-graphics-drivers-tesla-450	New upstream release; security fixes [CVE-2023-0180 CVE-2023-0184 CVE-2023-0185 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199]
nvidia-graphics-drivers-tesla-470	New upstream release; security fixes [CVE-2023-0180 CVE-2023-0184 CVE-2023-0185 CVE-2023-0187 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199]
nvidia-modprobe	New upstream release
openvswitch	Fix openvswitch-switch update leaves interfaces down
passenger	Fix compatibility with more recent NodeJS versions
phyx	Remove unnecessary build dependency on libatlas-cpp
postfix	New upstream stable release
postgis	Fix wrong Polar stereographic axis order
postgresql-13	New upstream stable release; fix client memory disclosure issue [CVE-2022-41862]
python-acme	Fix version of created CSRs, to prevent problems with strictly RFC-complying implementations of the ACME API
ruby-aws-sdk-core	Fix generation of version file
ruby-cfpropertylist	Fix some functionality by dropping compatibility with Ruby 1.8
shim	New upstream release; new upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4
shim-helpers-amd64-signed	New upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4
shim-helpers-arm64-signed	New upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4
shim-helpers-i386-signed	New upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4
shim-signed	New upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4
snakeyaml	Fix denial of service issues [CVE-2022-25857 CVE-2022-38749 CVE-2022-38750 CVE-2022-38751]; add documentation regarding security support / issues
spyder	Fix duplication of code when saving
symfony	Remove private headers before storing responses with HttpCache [CVE-2022-24894]; remove CSRF tokens from storage on successful login [CVE-2022-24895]
systemd	Fix information leak issue [CVE-2022-4415], denial of service issue [CVE-2022-3821]; ata_id: fix getting Response Code from SCSI Sense Data; logind: fix getting property OnExternalPower via D-Bus; fix crash in systemd-machined
tomcat9	Add OpenJDK 17 support to JDK detection
traceroute	Interpret v4mapped-IPv6 addresses as IPv4
tzdata	Update included data
unbound	Fix Non-Responsive Delegation Attack [CVE-2022-3204]; fix ghost domain names issue [CVE-2022-30698 CVE-2022-30699]
usb.ids	Update included data
vagrant	Add support for VirtualBox 7.0
voms-api-java	Fix build failures by disabling some non-working tests
w3m	Fix out-of-bounds write issue [CVE-2022-38223]
x4d-icons	Fix build failure with newer imagemagick versions
xapian-core	Prevent database corruption on disk exhaustion
zfs-linux	Add several stability improvements

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID	Package
DSA-5170	nodejs
DSA-5237	firefox-esr
DSA-5238	thunderbird
DSA-5259	firefox-esr
DSA-5262	thunderbird
DSA-5282	firefox-esr
DSA-5284	thunderbird
DSA-5300	pngcheck
DSA-5301	firefox-esr
DSA-5302	chromium
DSA-5303	thunderbird
DSA-5304	xorg-server
DSA-5305	libksba
DSA-5306	gerbv
DSA-5307	libcommons-net-java
DSA-5308	webkit2gtk
DSA-5309	wpewebkit
DSA-5310	ruby-image-processing
DSA-5311	trafficserver
DSA-5312	libjettison-java
DSA-5313	hsqldb
DSA-5314	emacs
DSA-5315	libxstream-java
DSA-5316	netty
DSA-5317	chromium
DSA-5318	lava
DSA-5319	openvswitch
DSA-5320	tor
DSA-5321	sudo
DSA-5322	firefox-esr
DSA-5323	libitext5-java
DSA-5324	linux-signed-amd64
DSA-5324	linux-signed-arm64
DSA-5324	linux-signed-i386
DSA-5324	linux
DSA-5325	spip
DSA-5326	nodejs
DSA-5327	swift
DSA-5328	chromium
DSA-5329	bind9
DSA-5330	curl
DSA-5331	openjdk-11
DSA-5332	git
DSA-5333	tiff
DSA-5334	varnish
DSA-5335	openjdk-17
DSA-5336	glance
DSA-5337	nova
DSA-5338	cinder
DSA-5339	libhtml-stripscripts-perl
DSA-5340	webkit2gtk
DSA-5341	wpewebkit
DSA-5342	xorg-server
DSA-5343	openssl
DSA-5344	heimdal
DSA-5345	chromium
DSA-5346	libde265
DSA-5347	imagemagick
DSA-5348	haproxy
DSA-5349	gnutls28
DSA-5350	firefox-esr
DSA-5351	webkit2gtk
DSA-5352	wpewebkit
DSA-5353	nss
DSA-5355	thunderbird
DSA-5356	sox
DSA-5357	git
DSA-5358	asterisk
DSA-5359	chromium
DSA-5361	tiff
DSA-5362	frr
DSA-5363	php7.4
DSA-5364	apr-util
DSA-5365	curl
DSA-5366	multipath-tools
DSA-5367	spip
DSA-5368	libreswan
DSA-5369	syslog-ng
DSA-5370	apr
DSA-5371	chromium
DSA-5372	rails
DSA-5373	node-sqlite3
DSA-5374	firefox-esr
DSA-5375	thunderbird
DSA-5376	apache2
DSA-5377	chromium
DSA-5378	xen
DSA-5379	dino-im
DSA-5380	xorg-server
DSA-5381	tomcat9
DSA-5382	cairosvg
DSA-5383	ghostscript
DSA-5384	openimageio
DSA-5385	firefox-esr
DSA-5386	chromium
DSA-5387	openvswitch
DSA-5388	haproxy
DSA-5389	rails
DSA-5390	chromium
DSA-5391	libxml2
DSA-5392	thunderbird
DSA-5393	chromium

Removed packages

The following packages were removed due to circumstances beyond our control:

Package	Reason
bind-dyndb-ldap	Broken with newer bind9 versions; unsupportable in stable
matrix-mirage	Depends on to-be-removed python-matrix-nio
pantalaimon	Depends on to-be-removed python-matrix-nio
python-matrix-nio	Security issues; doesn't work with current Matrix servers
weechat-matrix	Depends on to-be-removed python-matrix-nio

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

https://deb.debian.org/debian/dists/bullseye/ChangeLog

The current stable distribution:

https://deb.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

https://deb.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.