The ninth point release of Debian GNU/Linux 11 is now available. Most of the changes in this point release are corrections for security issues, along with a few adjustments for serious problems.
Updated Debian 11: 11.9 released
The Debian project is pleased to announce the ninth update of its oldstable distribution Debian 11 (codename bullseye). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 11 but only updates some of the packages included. There is no need to throw away old bullseye media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
This oldstable update adds a few important corrections to the following packages:
| Package | Reason |
|---|---|
| axis | Filter out unsupported protocols in the client class ServiceFactory [CVE-2023-40743] |
| base-files | Update for the 11.9 point release |
| cifs-utils | Fix non-parallel builds |
| compton | Remove recommendation of picom |
| conda-package-handling | Skip unreliable tests |
| conmon | Do not hang when forwarding container stdout/stderr with lots of output |
| crun | Fix containers with systemd as their init system, when using newer kernel versions |
| debian-installer | Increase Linux kernel ABI to 5.10.0-28; rebuild against proposed-updates |
| debian-installer-netboot-images | Rebuild against proposed-updates |
| debian-ports-archive-keyring | Add Debian Ports Archive Automatic Signing Key (2025) |
| debian-security-support | Mark tor, consul and xen as end-of-life; limit samba support to non-AD DC use cases; match golang packages with regular expression; drop version-based checking; add chromium to security-support-ended.deb11; add tiles and libspring-java to security-support-limited |
| debootstrap | Backport merged-/usr support changes from trixie: implement merged-/usr by post-merging, default to merged-/usr for suites newer than bookworm in all profiles |
| distro-info | Update tests for distro-info-data 0.58+deb12u1, which adjusted Debian 7's EoL date |
| distro-info-data | Add Ubuntu 24.04 LTS Noble Numbat; fix several End Of Life dates |
| dpdk | New upstream stable release |
| dropbear | Fix security measure bypass issue [CVE-2021-36369]; fix terrapin attack [CVE-2023-48795] |
| exuberant-ctags | Fix arbitrary command execution issue [CVE-2022-4515] |
| filezilla | Prevent terrapin exploit [CVE-2023-48795] |
| gimp | Remove old versions of separately packaged dds plugin |
| glib2.0 | Align with upstream stable fixes; fix denial of service issues [CVE-2023-32665 CVE-2023-32611 CVE-2023-29499 CVE-2023-32636] |
| glibc | Fix a memory corruption in qsort() when using nontransitive comparison functions. |
| gnutls28 | Security fix for timing sidechannel attack [CVE-2023-5981] |
| imagemagick | Various security fixes [CVE-2021-20241 CVE-2021-20243 CVE-2021-20244 CVE-2021-20245 CVE-2021-20246 CVE-2021-20309 CVE-2021-3574 CVE-2021-39212 CVE-2021-4219 CVE-2022-1114 CVE-2022-28463 CVE-2022-32545 CVE-2022-32546] |
| jqueryui | Fix cross-site scripting issue [CVE-2022-31160] |
| knewstuff | Ensure correct ProvidersUrl to fix denial of service |
| libdatetime-timezone-perl | Update included timezone data |
| libde265 | Fix segmentation violation in the function decoder_context::process_slice_segment_header [CVE-2023-27102]; fix heap buffer overflow in the function derive_collocated_motion_vectors [CVE-2023-27103]; fix buffer over-read in pic_parameter_set::dump [CVE-2023-43887]; fix buffer overflow in the slice_segment_header function [CVE-2023-47471]; fix buffer overflow issues [CVE-2023-49465 CVE-2023-49467 CVE-2023-49468] |
| libmateweather | Update included location data; update data server URL |
| libpod | Fix incorrect handling of supplementary groups [CVE-2022-2989] |
| libsolv | Enable zstd compression support |
| libspreadsheet-parsexlsx-perl | Fix possible memory bomb [CVE-2024-22368]; fix XML External Entity issue [CVE-2024-23525] |
| linux | New upstream stable release; increase ABI to 28 |
| linux-signed-amd64 | New upstream stable release; increase ABI to 28 |
| linux-signed-arm64 | New upstream stable release; increase ABI to 28 |
| linux-signed-i386 | New upstream stable release; increase ABI to 28 |
| llvm-toolchain-16 | New backported package to support builds of newer chromium versions; build-dep on llvm-spirv instead of llvm-spirv-16 |
| mariadb-10.5 | New upstream stable release; fix denial of service issue [CVE-2023-22084] |
| minizip | Reject overflows of zip header fields [CVE-2023-45853] |
| modsecurity-apache | Fix protection bypass issues [CVE-2022-48279 CVE-2023-24021] |
| nftables | Fix incorrect bytecode generation |
| node-dottie | Fix prototype pollution issue [CVE-2023-26132] |
| node-url-parse | Fix authorisation bypass issue [CVE-2022-0512] |
| node-xml2js | Fix prototype pollution issue [CVE-2023-0842] |
| nvidia-graphics-drivers | New upstream release [CVE-2023-31022] |
| nvidia-graphics-drivers-tesla-470 | New upstream release [CVE-2023-31022] |
| opendkim | Properly delete Authentication-Results headers [CVE-2022-48521] |
| perl | Prevent buffer overflow via illegal Unicode property [CVE-2023-47038] |
| plasma-desktop | Fix denial of service bug in discover |
| plasma-discover | Fix denial of service bug; fix build failure |
| postfix | New upstream stable release; address SMTP smuggling issue [CVE-2023-51764] |
| postgresql-13 | New upstream stable release; fix SQL injection issue [CVE-2023-39417] |
| postgresql-common | Fix autopkgtests |
| python-cogent | Skip parallel tests on single-CPU systems |
| python-django-imagekit | Avoid triggering path traversal detection in tests |
| python-websockets | Fix predictable duration issue [CVE-2021-33880] |
| pyzoltan | Build on single core systems |
| ruby-aws-sdk-core | Include VERSION file in package |
| spip | Fix cross-site scripting issue |
| swupdate | Prevent acquiring root privileges through inappropriate socket mode |
| symfony | Ensure CodeExtension's filters properly escape their input [CVE-2023-46734] |
| tar | Fix boundary checking in base-256 decoder [CVE-2022-48303], handling of extended header prefixes [CVE-2023-39804] |
| tinyxml | Fix assertion issue [CVE-2023-34194] |
| tzdata | Update included timezone data |
| unadf | Fix stack buffer overflow issue [CVE-2016-1243]; fix arbitrary code execution issue [CVE-2016-1244] |
| usb.ids | Update included data list |
| vlfeat | Fix FTBFS with newer ImageMagick |
| weborf | Fix denial of service issue |
| wolfssl | Fix buffer overflow issues [CVE-2022-39173 CVE-2022-42905], key disclosure issue [CVE-2022-42961], predictable buffer in input keying material [CVE-2023-3724] |
| xerces-c | Fix use-after-free issue [CVE-2018-1311]; fix integer overflow issue [CVE-2023-37536] |
| zeromq3 | Fix fork() detection with gcc 7; update copyright relicense statement |
This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:
The following obsolete package was removed from the distribution:
| Package | Reason |
|---|---|
| gimp-dds | Integrated in gimp>=2.10 |
The installer has been updated to include the fixes incorporated into oldstable by the point release.
The complete lists of packages that have changed with this revision:
The current oldstable distribution:
Proposed updates to the oldstable distribution:
oldstable distribution information (release notes, errata etc.):
Security announcements and information:
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.