Debian 9822 Published by

The ninth point release for Debian GNU/Linux 11 is now available. The majority of the changes that are included in this point release are corrections for security issues, along with a few adjustments for more serious issues.

Updated Debian 11: 11.9 released

The Debian project is pleased to announce the ninth update of its oldstable distribution Debian 11 (codename bullseye). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.


Please note that the point release does not constitute a new version of Debian 11 but only updates some of the packages included. There is no need to throw away old bullseye media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following packages:

axisFilter out unsupported protocols in the client class ServiceFactory [CVE-2023-40743]
base-filesUpdate for the 11.9 point release
cifs-utilsFix non-parallel builds
comptonRemove recommendation of picom
conda-package-handlingSkip unreliable tests
conmonDo not hang when forwarding container stdout/stderr with lots of output
crunFix containers with systemd as their init system, when using newer kernel versions
debian-installerIncrease Linux kernel ABI to 5.10.0-28; rebuild against proposed-updates
debian-installer-netboot-imagesRebuild against proposed-updates
debian-ports-archive-keyringAdd Debian Ports Archive Automatic Signing Key (2025)
debian-security-supportMark tor, consul and xen as end-of-life; limit samba support to non-AD DC use cases; match golang packages with regular expression; drop version-based checking; add chromium to security-support-ended.deb11; add tiles and libspring-java to security-support-limited
debootstrapBackport merged-/usr support changes from trixie: implement merged-/usr by post-merging, default to merged-/usr for suites newer than bookworm in all profiles
distro-infoUpdate tests for distro-info-data 0.58+deb12u1, which adjusted Debian 7's EoL date
distro-info-dataAdd Ubuntu 24.04 LTS Noble Numbat; fix several End Of Life dates
dpdkNew upstream stable release
dropbearFix security measure bypass issue [CVE-2021-36369]; fix terrapin attack [CVE-2023-48795]
exuberant-ctagsFix arbitrary command execution issue [CVE-2022-4515]
filezillaPrevent terrapin exploit [CVE-2023-48795]
gimpRemove old versions of separately packaged dds plugin
glib2.0Align with upstream stable fixes; fix denial of service issues [CVE-2023-32665 CVE-2023-32611 CVE-2023-29499 CVE-2023-32636]
glibcFix a memory corruption in qsort() when using nontransitive comparison functions.
gnutls28Security fix for timing sidechannel attack [CVE-2023-5981]
imagemagickVarious security fixes [CVE-2021-20241 CVE-2021-20243 CVE-2021-20244 CVE-2021-20245 CVE-2021-20246 CVE-2021-20309 CVE-2021-3574 CVE-2021-39212 CVE-2021-4219 CVE-2022-1114 CVE-2022-28463 CVE-2022-32545 CVE-2022-32546]
jqueryuiFix cross-site scripting issue [CVE-2022-31160]
knewstuffEnsure correct ProvidersUrl to fix denial of service
libdatetime-timezone-perlUpdate included timezone data
libde265Fix segmentation violation in the function decoder_context::process_slice_segment_header [CVE-2023-27102]; fix heap buffer overflow in the function derive_collocated_motion_vectors [CVE-2023-27103]; fix buffer over-read in pic_parameter_set::dump [CVE-2023-43887]; fix buffer overflow in the slice_segment_header function [CVE-2023-47471]; fix buffer overflow issues [CVE-2023-49465 CVE-2023-49467 CVE-2023-49468]
libmateweatherUpdate included location data; update data server URL
libpodFix incorrect handling of supplementary groups [CVE-2022-2989]
libsolvEnable zstd compression support
libspreadsheet-parsexlsx-perlFix possible memory bomb [CVE-2024-22368]; fix XML External Entity issue [CVE-2024-23525]
linuxNew upstream stable release; increase ABI to 28
linux-signed-amd64New upstream stable release; increase ABI to 28
linux-signed-arm64New upstream stable release; increase ABI to 28
linux-signed-i386New upstream stable release; increase ABI to 28
llvm-toolchain-16New backported package to support builds of newer chromium versions; build-dep on llvm-spirv instead of llvm-spirv-16
mariadb-10.5New upstream stable release; fix denial of service issue [CVE-2023-22084]
minizipReject overflows of zip header fields [CVE-2023-45853]
modsecurity-apacheFix protection bypass issues [CVE-2022-48279 CVE-2023-24021]
nftablesFix incorrect bytecode generation
node-dottieFix prototype pollution issue [CVE-2023-26132]
node-url-parseFix authorisation bypass issue [CVE-2022-0512]
node-xml2jsFix prototype pollution issue [CVE-2023-0842]
nvidia-graphics-driversNew upstream release [CVE-2023-31022]
nvidia-graphics-drivers-tesla-470New upstream release [CVE-2023-31022]
opendkimProperly delete Authentication-Results headers [CVE-2022-48521]
perlPrevent buffer overflow via illegal Unicode property [CVE-2023-47038]
plasma-desktopFix denial of service bug in discover
plasma-discoverFix denial of service bug; fix build failure
postfixNew upstream stable release; address SMTP smuggling issue [CVE-2023-51764]
postgresql-13New upstream stable release; fix SQL injection issue [CVE-2023-39417]
postgresql-commonFix autopkgtests
python-cogentSkip parallel tests on single-CPU systems
python-django-imagekitAvoid triggering path traversal detection in tests
python-websocketsFix predictable duration issue [CVE-2021-33880]
pyzoltanBuild on single core systems
ruby-aws-sdk-coreInclude VERSION file in package
spipFix cross-site scripting issue
swupdatePrevent acquiring root privileges through inappropriate socket mode
symfonyEnsure CodeExtension's filters properly escape their input [CVE-2023-46734]
tarFix boundary checking in base-256 decoder [CVE-2022-48303], handling of extended header prefixes [CVE-2023-39804]
tinyxmlFix assertion issue [CVE-2023-34194]
tzdataUpdate included timezone data
unadfFix stack buffer overflow issue [CVE-2016-1243]; fix arbitary code execution issue [CVE-2016-1244]
usb.idsUpdate included data list
vlfeatFix FTBFS with newer ImageMagick
weborfFix denial of service issue
wolfsslFix buffer overflow issues [CVE-2022-39173 CVE-2022-42905], key disclosure issue [CVE-2022-42961], predictable buffer in input keying material [CVE-2023-3724]
xerces-cFix use-after-free issue [CVE-2018-1311]; fix integer overflow issue [CVE-2023-37536]
zeromq3Fix fork() detection with gcc 7; update copyright relicense statement

Security Updates

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:

Advisory IDPackage
DSA-5496 firefox-esr
DSA-5499 chromium
DSA-5506 firefox-esr
DSA-5508 chromium
DSA-5509 firefox-esr
DSA-5511 mosquitto
DSA-5512 exim4
DSA-5513 thunderbird
DSA-5514 glibc
DSA-5515 chromium
DSA-5516 libxpm
DSA-5517 libx11
DSA-5518 libvpx
DSA-5519 grub-efi-amd64-signed
DSA-5519 grub-efi-arm64-signed
DSA-5519 grub-efi-ia32-signed
DSA-5519 grub2
DSA-5520 mediawiki
DSA-5522 tomcat9
DSA-5523 curl
DSA-5524 libcue
DSA-5526 chromium
DSA-5527 webkit2gtk
DSA-5528 node-babel7
DSA-5530 ruby-rack
DSA-5531 roundcube
DSA-5533 gst-plugins-bad1.0
DSA-5534 xorg-server
DSA-5535 firefox-esr
DSA-5536 chromium
DSA-5537 openjdk-11
DSA-5538 thunderbird
DSA-5539 node-browserify-sign
DSA-5540 jetty9
DSA-5542 request-tracker4
DSA-5543 open-vm-tools
DSA-5544 zookeeper
DSA-5545 vlc
DSA-5546 chromium
DSA-5547 pmix
DSA-5548 openjdk-17
DSA-5549 trafficserver
DSA-5550 cacti
DSA-5551 chromium
DSA-5554 postgresql-13
DSA-5556 chromium
DSA-5557 webkit2gtk
DSA-5558 netty
DSA-5560 strongswan
DSA-5561 firefox-esr
DSA-5563 intel-microcode
DSA-5564 gimp
DSA-5565 gst-plugins-bad1.0
DSA-5566 thunderbird
DSA-5567 tiff
DSA-5569 chromium
DSA-5570 nghttp2
DSA-5571 rabbitmq-server
DSA-5572 roundcube
DSA-5573 chromium
DSA-5574 libreoffice
DSA-5576 xorg-server
DSA-5577 chromium
DSA-5579 freeimage
DSA-5581 firefox-esr
DSA-5582 thunderbird
DSA-5584 bluez
DSA-5585 chromium
DSA-5586 openssh
DSA-5587 curl
DSA-5588 putty
DSA-5590 haproxy
DSA-5591 libssh
DSA-5592 libspreadsheet-parseexcel-perl
DSA-5594 linux-signed-amd64
DSA-5594 linux-signed-arm64
DSA-5594 linux-signed-i386
DSA-5594 linux
DSA-5595 chromium
DSA-5597 exim4
DSA-5598 chromium
DSA-5599 phpseclib
DSA-5600 php-phpseclib
DSA-5602 chromium
DSA-5603 xorg-server
DSA-5604 openjdk-11
DSA-5605 thunderbird
DSA-5606 firefox-esr
DSA-5608 gst-plugins-bad1.0
DSA-5613 openjdk-17
DSA-5614 zbar
DSA-5615 runc

Removed packages

The following obsolete package was removed from the distribution:

gimp-ddsIntegrated in gimp>=2.10

Debian Installer

The installer has been updated to include the fixes incorporated into oldstable by the point release.


The complete lists of packages that have changed with this revision:

The current oldstable distribution:

Proposed updates to the oldstable distribution:

oldstable distribution information (release notes, errata etc.):

Security announcements and information:

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.