Debian 10250 Published by

The Debian project has released the eleventh and final update of their oldstable distribution, Debian 11, which includes security fixes and changes to major issues.




Updated Debian 11: 11.11 released

The Debian project is pleased to announce the eleventh and final update of its oldstable distribution Debian 11 (codename bullseye). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 11 but only updates some of the packages included. There is no need to throw away old bullseye media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

Secure Boot and other operating systems

Users who boot other operating systems on the same hardware, and who have Secure Boot enabled, should be aware that shim 15.8 (included with Debian 11.11) revokes signatures across older versions of shim in the UEFI firmware. This may leave other operating systems using shim before 15.8 unable to boot.

Affected users can temporarily disable Secure Boot before updating other operating systems.

Gnome_shell_screenshot_ko3w60

Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following packages:

PackageReason
amd64-microcodeNew upstream release; security fixes [CVE-2023-31315]; SEV firmware fixes [CVE-2023-20584 CVE-2023-31356]
ansibleNew usptream stable release; fix template injection issue [CVE-2021-3583], information disclosure issue [CVE-2021-3620], file overwrite issue [CVE-2023-5115], template injection issue [CVE-2023-5764], information disclosure issues [CVE-2024-0690 CVE-2022-3697]; document workaround for ec2 private key leak [CVE-2023-4237]
apache2New upstream stable release; fix content disclosure issue [CVE-2024-40725]
base-filesUpdate for the point release
bind9Allow the limits introduced to fix CVE-2024-1737 to be configured
calibreFix cross site scripting issue [CVE-2024-7008], SQL injection issue [CVE-2024-7009]
choose-mirrorUpdate list of available mirrors
cjsonAdd NULL checks to cJSON_SetValuestring and cJSON_InsertItemInArray [CVE-2023-50472 CVE-2023-50471 CVE-2024-31755]
cupsFix issues with domain socket handling [CVE-2024-35235]; fix regression when domain sockets only are used
curlFix ASN.1 date parser overread issue [CVE-2024-7264]
debian-installerIncrease Linux kernel ABI to 5.10.0-32; rebuild against proposed-updates
debian-installer-netboot-imagesRebuild against proposed-updates
dropbearFix noremotetcp behaviour of keepalive packets in combination with the no-port-forwarding authorized_keys(5) restriction
fusiondirectoryBackport compatibility with php-cas version addressing CVE 2022-39369; fix improper session handling issue [CVE-2022-36179]; fix cross site scripting issue [CVE-2022-36180]
gettext.jsFix server side request forgery issue [CVE-2024-43370]
glewlwydFix buffer overflow during webauthn signature assertion [CVE-2022-27240]; prevent directory traversal in static_compressed_inmemory_website_callback.c [CVE-2022-29967]; copy bootstrap, jquery, fork-awesome instead of linking them; buffer overflow during FIDO2 signature validation [CVE-2023-49208]
glibcFix ffsll() performance issue depending on code alignment; performance improvements for memcpy() on arm64; fix y2038 regression in nscd following CVE-2024-33601 and CVE-2024-33602 fix
graphvizFix broken scaling
gtk+2.0Avoid looking for modules in current working directory [CVE-2024-6655]
gtk+3.0Avoid looking for modules in current working directory [CVE-2024-6655]
healpix-javaFix build failure
imagemagickFix divide by zero issues [CVE-2021-20312 CVE-2021-20313]; fix incomplete fix for CVE-2023-34151
indentReinstate ROUND_UP macro and adjust the initial buffer size to fix memory handling problems; fix out-of-buffer read in search_brace()/lexi(); fix heap buffer overwrite in search_brace() [CVE-2023-40305]; heap buffer underread in set_buf_break() [CVE-2024-0911]
intel-microcodeNew upstream release; security fixes [CVE-2023-42667 CVE-2023-49141 CVE-2024-24853 CVE-2024-24980 CVE-2024-25939]
libvirtFix sVirt confinement issue [CVE-2021-3631], use after free issue [CVE-2021-3975], denial of service issues [CVE-2021-3667 CVE-2021-4147 CVE-2022-0897 CVE-2024-1441 CVE-2024-2494 CVE-2024-2496]
midgeExclude examples/covers/* for DFSG-compliance; add build-arch/build-indep build targets; use quilt (3.0) source package format
mlpostFix build failure with newer ImageMagick versions
net-toolsDrop build-dependency on libdnet-dev
nfs-utilsPass all valid export flags to nfsd
ntfs-3gFix use-after-free in ntfs_uppercase_mbs [CVE-2023-52890]
nvidia-graphics-drivers-tesla-418Fix use of GPL-only symbols causing build failures
nvidia-graphics-drivers-tesla-450New upstream stable release
nvidia-graphics-drivers-tesla-460New upstream stable release
ocsinventory-serverBackport compatibility with php-cas version addressing CVE 2022-39369
onionshareDemote obfs4proxy dependency to Recommends, to allow removal of obfs4proxy
php-casFix Service Hostname Discovery Exploitation issue [CVE-2022-39369]
poe.appMake comment cells editable; fix drawing when an NSActionCell in the preferences is acted on to change state
puttyFix weak ECDSA nonce generation allowing secret key recovery [CVE-2024-31497]
riemann-c-clientPrevent malformed payload in GnuTLS send/receive operations
runcFix busybox tarball url; prevent buffer overflow writing netlink messages [CVE-2021-43784]; fix tests on newer kernels; prevent write access to user-owned cgroup hierarchy /sys/fs/cgroup/user.slice/... [CVE-2023-25809]; fix access control regression [CVE-2023-27561 CVE-2023-28642]
rustc-webNew upstream stable release, to support building new chromium and firefox-esr versions
shimNew upstream release
shim-helpers-amd64-signedRebuild against shim 15.8.1
shim-helpers-arm64-signedRebuild against shim 15.8.1
shim-helpers-i386-signedRebuild against shim 15.8.1
shim-signedNew upstream stable release
symfonyFix autoloading of HttpClient
trinityFix build failure by dropping support for DECNET
usb.idsUpdate included data list
xmedconFix heap overflow [CVE-2024-29421]

Security Updates

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:

Advisory IDPackage
DSA-5718 org-mode
DSA-5719 emacs
DSA-5721 ffmpeg
DSA-5722 libvpx
DSA-5723 plasma-workspace
DSA-5725 znc
DSA-5726 krb5
DSA-5727 firefox-esr
DSA-5728 exim4
DSA-5729 apache2
DSA-5730 linux-signed-amd64
DSA-5730 linux-signed-arm64
DSA-5730 linux-signed-i386
DSA-5730 linux
DSA-5734 bind9
DSA-5736 openjdk-11
DSA-5737 libreoffice
DSA-5738 openjdk-17
DSA-5739 wpa
DSA-5740 firefox-esr
DSA-5742 odoo
DSA-5743 roundcube
DSA-5746 postgresql-13
DSA-5747 linux-signed-amd64
DSA-5747 linux-signed-arm64
DSA-5747 linux-signed-i386
DSA-5747 linux

Removed packages

The following packages were removed due to circumstances beyond our control:

PackageReason
bcachefs-toolsBuggy, obsolete
dnprogsBuggy, obsolete
iotjsUnmaintained, security concerns
obfs4proxySecurity issues

Debian Installer

The installer has been updated to include the fixes incorporated into oldstable by the point release.

URLs

The complete lists of packages that have changed with this revision:

The current oldstable distribution:

Proposed updates to the oldstable distribution:

oldstable distribution information (release notes, errata etc.):

Security announcements and information:

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.