Debian 10166 Published by

The Debian project has released the ninth version of their oldstable distribution, Debian 11, which includes security fixes and changes to major issues.

The update includes several major bugfixes, including buffer overflow concerns, dealing with multiple border parameters, bart , base-files, cloud-init-22.4.2, cpu, curl, debian-installer, debsig-verify, deets, distro-info-data, django-mailman3, dns-root-data, emacs, galera-4, gdk-pixbuf, glib2.0, gnutls28, gross, hovercraft, imlib2, intel-microcode, jose, json-smart, lacme, libapache2-mod-auth-openidc, libjwt, libkf5ksieve, links php-composer-xdebug-handler, php-doctrine-annotations, PHP-phpseclib, php-proxy-manager php-symfony-contracts, php-zend-code, php-stdnum, qtbase-opensource-src, reportbug, and rust-cbindgen-src.



Updated Debian 11: 11.10 released

The Debian project is pleased to announce the tenth update of its oldstable distribution Debian 11 (codename bullseye). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 11 but only updates some of the packages included. There is no need to throw away old bullseye media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

Gnome_shell_screenshot_ko3w60

Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following packages:

PackageReason
allegro5Fix buffer overflow issues [CVE-2021-36489]
amavisd-newHandle multiple boundary parameters that contain conflicting values [CVE-2024-28054]
bartFix build test failures by relaxing a floating-point comparison
bart-cudaFix build test failures by relaxing a floating-point comparison
base-filesUpdate for the point release
cloud-init-22.4.2Introduce later-versioned replacement for cloud-init package
cpuProvide exactly one definition of globalLdap in ldap plugin
curlFix memory leak when HTTP/2 server push is aborted [CVE-2024-2398]
debian-installerIncrease Linux kernel ABI to 5.10.0-30; rebuild against proposed-updates
debian-installer-netboot-imagesRebuild against proposed-updates
debsig-verifyRebuild for outdated Built-Using
deetsRebuild for outdated Built-Using
distro-info-dataDeclare intentions for bullseye/bookworm; fix past data; add Ubuntu 24.10
django-mailman3Scrub messages before archiving
dns-root-dataUpdate root hints; update expired security information
emacsProtect against unsafe remote resources [CVE-2024-30203 CVE-2024-30204 CVE-2024-30205]; fix memory leak in patch for CVE-2022-48337
galera-4New upstream bugfix release; update upstream release signing key; prevent date-related test failures
gdk-pixbufANI: Reject files with multiple anih chunks [CVE-2022-48622]; ANI: Reject files with multiple INAM or IART chunks; ANI: Validate anih chunk size
glib2.0Fix a (rare) memory leak
gnutls28Fix assertion failure verifying a certificate chain with a cycle of cross signatures [CVE-2024-0567]; fix timing side-channel attack inside RSA-PSK key exchange [CVE-2024-0553]
grossFix stack-based buffer overflow [CVE-2023-52159]
hovercraftDepend on python3-setuptools
imlib2Fix heap-buffer overflow vulnerability when using the tgaflip function in loader_tga.c [CVE-2024-25447 CVE-2024-25448 CVE-2024-25450]
intel-microcodeFixes for INTEL-SA-INTEL-SA-00972 [CVE-2023-39368], INTEL-SA-INTEL-SA-00982 [CVE-2023-38575], INTEL-SA-INTEL-SA-00898 [CVE-2023-28746], INTEL-SA-INTEL-SA-00960 [CVE-2023-22655] and INTEL-SA-INTEL-SA-01045 [CVE-2023-43490]; mitigate for INTEL-SA-01051 [CVE-2023-45733], INTEL-SA-01052 [CVE-2023-46103], INTEL-SA-01036 [CVE-2023-45745, CVE-2023-47855] and unspecified functional issues on various Intel processors
joseFix potential denial-of-service issue [CVE-2023-50967]
json-smartFix excessive recursion leading to stack overflow [CVE-2023-1370]; fix denial of service via crafted request [CVE-2021-31684]
lacmeFix post-issuance validation logic
libapache2-mod-auth-openidcFix mising input validation leading to DoS [CVE-2024-24814]
libjwtFix a timing side channel via strcmp() [CVE-2024-25189]
libkf5ksievePrevent leaking passwords into server-side logs
libmicrohttpdFix out of bounds read with crafted POST requests [CVE-2023-27371]
libssh2Fix out of bounds memory check in _libssh2_packet_add [CVE-2020-22218]
links2Rebuild for outdated Built-Using
nanoFix malicious symlink issue [CVE-2024-5742]
ngircdRespect SSLConnect option for incoming connections; server certificate validation on server links (S2S-TLS); METADATA: Fix unsetting cloakhost
nvidia-graphics-driversEnd support for Tesla 450 drivers; build libnvidia-fbc1 for arm64; upstream security fixes [CVE-2022-42265 CVE-2024-0074 CVE-2024-0078]; new upstream stable release; security fixes [CVE-2024-0090 CVE-2024-0092]; fix build on ppc64el
nvidia-graphics-drivers-tesla-450Convert to transitional packages
nvidia-graphics-drivers-tesla-470New upstream LTS release [CVE-2024-0074 CVE-2024-0078 CVE-2022-42265 CVE-2024-0090 CVE-2024-0092]; fix build on ppc64el
nvidia-settingsNew upstream bugfix release; build for ppc64el
org-modeProtect against unsafe remote resources [CVE-2024-30203 CVE-2024-30204 CVE-2024-30205]
php-composer-xdebug-handlerForce system dependency loading
php-doctrine-annotationsForce system dependency loading
php-phpseclibForce system dependency loading; guard isPrime() and randomPrime() for BigInteger [CVE-2024-27354]; limit OID length in ASN1 [CVE-2024-27355]; fix BigInteger getLength()
php-proxy-managerForce system dependency loading
php-symfony-contractsForce system dependency loading
php-zend-codeForce system dependency loading
phpseclibForce system dependency loading; guard isPrime() and randomPrime() for BigInteger [CVE-2024-27354]; limit OID length in ASN1 [CVE-2024-27355]; fix BigInteger getLength()
postfixUpstream bugfix release
postgresql-13New upstream stable release
pypdf2Fix quadratic runtime with malformed PDF missing xref marker [CVE-2023-36810]; fix infinite loop with crafted input [CVE-2022-24859]
python-aiosmtpdFix SMTP smuggling issue [CVE-2024-27305]; fix STARTTLS unencrypted command injection issue [CVE-2024-34083]
python-dnslibValidate transaction ID in client.py
python-idnaFix denial of service issue [CVE-2024-3651]
python-stdnumFix FTBFS when test date is not far enough in the future
qtbase-opensource-srcSecurity fixes [CVE-2022-25255 CVE-2023-24607 CVE-2023-32762 CVE-2023-32763 CVE-2023-33285 CVE-2023-34410 CVE-2023-37369 CVE-2023-38197 CVE-2023-51714 CVE-2024-25580]
reportbugFix suite name to codename mappings to reflect the bookworm release
rust-cbindgen-webNew source package to support builds of newer Firefox ESR versions
rustc-webSupport firefox-esr and thunderbird in bullseye for LTS
sendmailFix SMTP smuggling issue [CVE-2023-51765]; add forgotten configuration for rejecting NUL by defualt
symfonyForce system dependency loading; DateTypeTest: ensure submitted year is accepted choice
systemdMeson: drop arch filtering in syscall list; unset TZ before timezone-sensitive unit tests are run
wpaFix authentication bypass issue [CVE-2023-52160]

Security Updates

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:

Advisory IDPackage
DSA-5146 puma
DSA-5360 emacs
DSA-5575 webkit2gtk
DSA-5580 webkit2gtk
DSA-5596 asterisk
DSA-5616 ruby-sanitize
DSA-5618 webkit2gtk
DSA-5619 libgit2
DSA-5620 unbound
DSA-5621 bind9
DSA-5622 postgresql-13
DSA-5624 edk2
DSA-5625 engrampa
DSA-5627 firefox-esr
DSA-5628 imagemagick
DSA-5630 thunderbird
DSA-5631 iwd
DSA-5632 composer
DSA-5635 yard
DSA-5637 squid
DSA-5638 libuv1
DSA-5640 openvswitch
DSA-5641 fontforge
DSA-5643 firefox-esr
DSA-5644 thunderbird
DSA-5645 firefox-esr
DSA-5646 cacti
DSA-5647 samba
DSA-5650 util-linux
DSA-5651 mediawiki
DSA-5652 py7zr
DSA-5653 gtkwave
DSA-5657 xorg-server
DSA-5659 trafficserver
DSA-5660 php7.4
DSA-5662 apache2
DSA-5663 firefox-esr
DSA-5664 jetty9
DSA-5666 flatpak
DSA-5667 tomcat9
DSA-5669 guix
DSA-5670 thunderbird
DSA-5671 openjdk-11
DSA-5672 openjdk-17
DSA-5673 glibc
DSA-5678 glibc
DSA-5679 less
DSA-5681 linux-signed-amd64
DSA-5681 linux-signed-arm64
DSA-5681 linux-signed-i386
DSA-5681 linux
DSA-5682 glib2.0
DSA-5682 gnome-shell
DSA-5684 webkit2gtk
DSA-5685 wordpress
DSA-5686 dav1d
DSA-5688 atril
DSA-5690 libreoffice
DSA-5691 firefox-esr
DSA-5692 ghostscript
DSA-5693 thunderbird
DSA-5695 webkit2gtk
DSA-5698 ruby-rack
DSA-5700 python-pymysql
DSA-5702 gst-plugins-base1.0
DSA-5703 linux-signed-amd64
DSA-5703 linux-signed-arm64
DSA-5703 linux-signed-i386
DSA-5703 linux
DSA-5704 pillow
DSA-5707 vlc
DSA-5709 firefox-esr
DSA-5711 thunderbird
DSA-5713 libndp
DSA-5714 roundcube
DSA-5715 composer

Removed packages

The following packages were removed due to circumstances beyond our control:

PackageReason
phppgadminSecurity issues
pytest-salt-factoriesOnly needed for to-be-removed salt
pytest-testinfraOnly needed for to-be-removed salt
saltUnsupportable, unmaintained
snortSecurity concerns, unmaintained

Debian Installer

The installer has been updated to include the fixes incorporated into oldstable by the point release.

URLs

The complete lists of packages that have changed with this revision:

The current oldstable distribution:

Proposed updates to the oldstable distribution:

oldstable distribution information (release notes, errata etc.):

Security announcements and information:

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.