Uppdaterad Debian 11; 11.7 utgiven
29 april 2023
Debianprojektet presenterar stolt sin sjunde uppdatering till dess
stabila utgåva Debian 11 (med kodnamnet bullseye
).
Denna punktutgåva lägger huvudsakligen till rättningar för säkerhetsproblem,
tillsammans med ytterligare rättningar för allvarliga problem. Säkerhetsbulletiner
har redan publicerats separat och refereras när de finns tillgängliga.
Vänligen notera att punktutgåvan inte innebär en ny version av Debian
11 utan endast uppdaterar några av de inkluderade paketen. Det behövs
inte kastas bort gamla media av bullseye
. Efter installationen
kan paket uppgraderas till de aktuella versionerna genom att använda en uppdaterad
Debianspegling..
De som frekvent installerar uppdateringar från security.debian.org kommer inte att behöva uppdatera många paket, och de flesta av sådana uppdateringar finns inkluderade i punktutgåvan.
Nya installationsavbildningar kommer snart att finnas tillgängliga på de vanliga platserna.
En uppgradering av en existerande installation till denna revision kan utföras genom att peka pakethanteringssystemet på en av Debians många HTTP-speglingar. En utförlig lista på speglingar finns på:
Blandade felrättningar
Denna uppdatering av den stabila utgåvan lägger till några viktiga felrättningar till följande paket:
Paket | Orsak |
---|---|
akregator | Fix validity checks, including fixing deletion of feeds and folders |
apache2 | Don't automatically enable apache2-doc.conf; fix regressions in http2 and mod_rewrite introduced in 2.4.56 |
at-spi2-core | Set stop timeout to 5 andras, so as not to needlessly block system shutdowns |
avahi | Fix local denial of service issue [CVE-2021-3468] |
base-files | Update for the 11.7 point release |
c-ares | Prevent stack overflow and denial of service [CVE-2022-4904] |
clamav | New upstream stable release; fix possible remote code execution issue in the HFS+ file parser [CVE-2023-20032], possible information leak in the DMG file parser [CVE-2023-20052] |
command-not-found | Add new non-free-firmware component, fixing upgrades to bookworm |
containerd | Fix denial of service issue [CVE-2023-25153]; fix possible privilege escalation via incorrect setup of supplementary groups [CVE-2023-25173] |
crun | Fix capability escalation issue due to containers being incorrectly started with non-empty default permissions [CVE-2022-27650] |
cwltool | Add missing dependency on python3-distutils |
debian-archive-keyring | Add bookworm keys; move stretch keys to the removed keyring |
debian-installer | Increase Linux kernel ABI to 5.10.0-22; rebuild against proposed-updates |
debian-installer-netboot-images | Rebuild against proposed-updates |
debian-ports-archive-keyring | Extend the 2023 signing key's expiration by one year; add 2024 signing key; move 2022 signing key to the removed keyring |
dpdk | New upstream stable release |
duktape | Fix crash issue [CVE-2021-46322] |
e2tools | Fix build failure by adding build dependency on e2fsprogs |
erlang | Fix client authentication bypass issue [CVE-2022-37026]; use -O1 optimization for armel because -O2 makes erl segfault on certain platforms, e.g. Marvell |
exiv2 | Security fixes [CVE-2021-29458 CVE-2021-29463 CVE-2021-29464 CVE-2021-29470 CVE-2021-29473 CVE-2021-29623 CVE-2021-32815 CVE-2021-34334 CVE-2021-34335 CVE-2021-3482 CVE-2021-37615 CVE-2021-37616 CVE-2021-37618 CVE-2021-37619 CVE-2021-37620 CVE-2021-37621 CVE-2021-37622 CVE-2021-37623] |
flask-security | Fix open redirect vulnerability [CVE-2021-23385] |
flatpak | New upstream stable release; escape special characters when displaying permissions and metadata [CVE-2023-28101]; don't allow copy/paste via the TIOCLINUX ioctl when running in a Linux virtual console [CVE-2023-28100] |
galera-3 | New upstream stable release |
ghostscript | Fix path for PostScript helper file in ps2epsi |
glibc | Fix memory leak in printf-family functions with long multibyte strings; fix crash in printf-family due to width/precision-dependent allocations; fix segfault in printf handling thousands separator; fix overflow in the AVX2 implementation of wcsnlen when crossing pages |
golang-github-containers-common | Fix parsing of DBUS_SESSION_BUS_ADDRESS |
golang-github-containers-psgo | Do not enter the process user namespace [CVE-2022-1227] |
golang-github-containers-storage | Make previously internal functions publicly accessible, required to allow fixing CVE-2022-1227 in other packages |
golang-github-prometheus-exporter-toolkit | Patch tests to avoid race condition; fix authentication cache poisoning issue [CVE-2022-46146] |
grep | Fix incorrect matching when the last of multiple patterns includes a backreference |
gtk+3.0 | Fix Wayland + EGL on GLES-only platforms |
guix | Fix build failure due to expired keys used in test suite |
intel-microcode | New upstream bug-fix release |
isc-dhcp | Fix IPv6 address lifetime handling |
jersey1 | Fix build failure with libjettison-java 1.5.3 |
joblib | Fix arbitrary code execution issue [CVE-2022-21797] |
lemonldap-ng | Fix URL validation bypass issue; fix 2FA issue when using AuthBasic handler [CVE-2023-28862] |
libapache2-mod-auth-openidc | Fix open redirect issue [CVE-2022-23527] |
libapreq2 | Fix buffer overflow issue [CVE-2022-22728] |
libdatetime-timezone-perl | Update included data |
libexplain | Enhance compatibility with newer kernel versions - Linux 5.11 no longer has if_frad.h, termiox removed since kernel 5.12 |
libgit2 | Enable SSH key verification by default [CVE-2023-22742] |
libpod | Fix privilege escalation issue [CVE-2022-1227]; fix capability escalation issue due to containers being incorrectly started with non-empty default permissions [CVE-2022-27649]; fix parsing of DBUS_SESSION_BUS_ADDRESS |
libreoffice | Change Croatia's default currency to Euro; avoid empty -Djava.class.path= [CVE-2022-38745] |
libvirt | Fix container reboot-related issues; fix test failures when combined with newer Xen versions |
libxpm | Fix infinite loop issues [CVE-2022-44617 CVE-2022-46285]; fix double free issue in error handling code; fix compression commands depend on PATH[CVE-2022-4883] |
libzen | Fix null pointer dereference issue [CVE-2020-36646] |
linux | New upstream stable release; increase ABI to 22; [rt] update to 5.10.176-rt86 |
linux-signed-amd64 | New upstream stable release; increase ABI to 22; [rt] update to 5.10.176-rt86 |
linux-signed-arm64 | New upstream stable release; increase ABI to 22; [rt] update to 5.10.176-rt86 |
linux-signed-i386 | New upstream stable release; increase ABI to 22; [rt] update to 5.10.176-rt86 |
lxc | Fix file existence oracle [CVE-2022-47952] |
macromoleculebuilder | Fix build failure by adding build dependency on docbook-xsl |
mariadb-10.5 | New upstream stable release; revert upstream libmariadb API change |
mono | Remove desktop file |
ncurses | Guard against corrupt terminfo data [CVE-2022-29458]; fix tic crash on very long tc/use clauses |
needrestart | Fix warnings when using -boption |
node-cookiejar | Guard against maliciously-sized cookies [CVE-2022-25901] |
node-webpack | Avoid cross-realm object access [CVE-2023-28154] |
nvidia-graphics-drivers | New upstream release; security fixes [CVE-2023-0180 CVE-2023-0184 CVE-2023-0185 CVE-2023-0187 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199] |
nvidia-graphics-drivers-tesla-450 | New upstream release; security fixes [CVE-2023-0180 CVE-2023-0184 CVE-2023-0185 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199] |
nvidia-graphics-drivers-tesla-470 | New upstream release; security fixes [CVE-2023-0180 CVE-2023-0184 CVE-2023-0185 CVE-2023-0187 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199] |
nvidia-modprobe | New upstream release |
openvswitch | Fix openvswitch-switch update leaves interfaces down |
passenger | Fix compatibility with more recent NodeJS versions |
phyx | Remove unnecessary build dependency on libatlas-cpp |
postfix | New upstream stable release |
postgis | Fix wrong Polar stereographic axis order |
postgresql-13 | New upstream stable release; fix client memory disclosure issue [CVE-2022-41862] |
python-acme | Fix version of created CSRs, to prevent problems with strictly RFC-complying implementations of the ACME API |
ruby-aws-sdk-core | Fix generation of version file |
ruby-cfpropertylist | Fix some functionality by dropping compatibility with Ruby 1.8 |
shim | New upstream release; new upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4 |
shim-helpers-amd64-signed | New upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4 |
shim-helpers-arm64-signed | New upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4 |
shim-helpers-i386-signed | New upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4 |
shim-signed | New upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4 |
snakeyaml | Fix denial of service issues [CVE-2022-25857 CVE-2022-38749 CVE-2022-38750 CVE-2022-38751]; add documentation regarding security support / issues |
spyder | Fix duplication of code when saving |
symfony | Remove private headers before storing responses with HttpCache [CVE-2022-24894]; remove CSRF tokens from storage on successful login [CVE-2022-24895] |
systemd | Fix information leak issue [CVE-2022-4415], denial of service issue [CVE-2022-3821]; ata_id: fix getting Response Code from SCSI Sense Data; logind: fix getting property OnExternalPower via D-Bus; fix crash in systemd-machined |
tomcat9 | Add OpenJDK 17 support to JDK detection |
traceroute | Interpret v4mapped-IPv6 addresses as IPv4 |
tzdata | Update included data |
unbound | Fix Non-Responsive Delegation Attack [CVE-2022-3204]; fix ghost domain namesissue [CVE-2022-30698 CVE-2022-30699] |
usb.ids | Update included data |
vagrant | Add support for VirtualBox 7.0 |
voms-api-java | Fix build failures by disabling some non-working tests |
w3m | Fix out-of-bounds write issue [CVE-2022-38223] |
x4d-icons | Fix build failure with newer imagemagick versions |
xapian-core | Prevent database corruption on disk exhaustion |
zfs-linux | Add several stability improvements |
Säkerhetsuppdateringar
Denna revision lägger till följande säkerhetsuppdateringar till den stabila utgåvan. Säkerhetsgruppen har redan släppt bulletiner för alla dessa uppdateringar:
Borttagna paket
Följande paket har tagits bort på grund av omständigheter utom vår kontroll:
Paket | Orsak |
---|---|
bind-dyndb-ldap | Trasig med nya versioner av bind9; omöjlig att ge support för i stabila utgåvan |
matrix-mirage | Beroende på python-matrix-nio som är på väg att tas bort |
pantalaimon | Beroende på python-matrix-nio som är på väg att tas bort |
python-matrix-nio | Säkerhetsproblem: fungerar inte med nuvarande Matrixservrar |
weechat-matrix | Beroende på python-matrix-nio som är på väg att tas bort |
Debianinstalleraren
Installeraren har uppdaterats för att inkludera rättningarna som har inkluderats i den stabila utgåvan med denna punktutgåva.
URLer
Den fullständiga listan på paket som har förändrats i denna revision:
Den aktuella stabila utgåvan:
Föreslagna uppdateringar till den stabila utgåvan:
Information om den stabila utgåvan (versionsfakta, kända problem osv.):
Säkerhetsbulletiner och information:
Om Debian
Debianprojektet är en grupp utvecklare av Fri mjukvara som donerar sin tid och kraft för att producera det helt fria operativsystemet Debian.
Kontaktinformation
För ytterligare information, vänligen besök Debians webbplats på https://www.debian.org/, skicka e-post till <press@debian.org>, eller kontakta gruppen för stabila utgåvor på <debian-release@lists.debian.org>.