Debian 10168 Published by

The Debian project has released the sixth version of its stable distribution, Debian 12, which includes security fixes and changes to major vulnerabilities. The stable update also fixes several problems, including a possible heap overflow, a possible command injection, cloud-init declarations, and djangorestframework. It also includes security fixes, such as one for a missing static file, another for a construction issue in the 6.9 kernel and backports, and one for a memory leak.

The update also fixes security mitigations, such as INTEL-SA-01051, INTEL-SA-01052, and INTEL-SA-01036, as well as unnamed functional concerns with other Intel processors. It also covers post-issuance validation logic, libapache2-mod-auth-openidc, json-smart, kio, file loss, and probable CIFS locking concerns, among other topics.



Updated Debian 12: 12.6 released

The Debian project is pleased to announce the sixth update of its stable distribution Debian 12 (codename bookworm). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 12 but only updates some of the packages included. There is no need to throw away old bookworm media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

Debian_12

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

PackageReason
aideFix concurrent reading of extended attributes
amavisd-newHandle multiple boundary parameters that contain conflicting values [CVE-2024-28054]; fix race condition in postinst
archlinux-keyringSwitch to pre-built keyrings; sync with upstream
base-filesUpdate for the 12.6 point release
bashRebuild to fix outdated Built-Using
bioawkDisable parallel builds to fix random failures
bluezFix remote code execution issues [CVE-2023-27349 CVE-2023-50229 CVE-2023-50230]
cdoDisable hirlam-extensions to avoid causing issues with ICON data files
chkrootkitRebuild to fix outdated Built-Using
cjsonFix missing NULL checks [CVE-2023-50471 CVE-2023-50472]
clamavNew upstream stable release; fix possible heap overflow issue [CVE-2024-20290], possible command injection issue [CVE-2024-20328]
cloud-initDeclare conflicts/replaces on versioned package introduced for bullseye
comitupEnsure service is unmasked in post install
cpuProvide exactly one definition of globalLdap in LDAP plugin
crmshCreate log directory and file on installation
crowdsec-custom-bouncerRebuild to fix outdated Built-Using
crowdsec-firewall-bouncerRebuild against golang-github-google-nftables version with fixed little-endian architecture support
curlDo not keep default protocols when deselected [CVE-2024-2004]; fix memory leak [CVE-2024-2398]
darRebuild to fix outdated Built-Using
dcmtkClean up properly on purge
debian-installerIncrease Linux kernel ABI to 6.1.0-22; rebuild against proposed-updates
debian-installer-netboot-imagesRebuild against proposed-updates
debvmdebvm-create: do install login; bin/debvm-waitssh: make --timeout=N work; bin/debvm-run: allow being run in environments without TERM set; fix resolv.conf in stretch
dhcpcd5privsep: Allow zero length messages through; fix server not being restarted correctly during upgrades
distro-info-dataDeclare intentions for bullseye/bookworm; fix past data; add Ubuntu 24.10
djangorestframeworkReinstate missing static files
dm-writeboostFix build error with 6.9 kernel and backports
dns-root-dataUpdate root hints; update expired security information
dpdkNew upstream stable release
ebook-speakerSupport username over 8 characters when enumerating groups
emacsSecurity fixes [CVE-2024-30202 CVE-2024-30203 CVE-2024-30204 CVE-2024-30205]; replace expired package-keyring.gpg with a current version
extrepo-dataUpdate repository information
flatpakNew upstream stable release
fpga-icestormRestore compatibility with yosys
freetypeDisable COLRv1 support, which was unintentionally enabled by upstream; fix function existence check when calling get_colr_glyph_paint()
galera-4New upstream bugfix release; update upstream release signing key; prevent date-related test failures
gdk-pixbufANI: Reject files with multiple anih chunks [CVE-2022-48622]; ANI: Reject files with multiple INAM or IART chunks; ANI: Validate anih chunk size
glewlwydFix potential buffer overflow during FIDO2 credential validation [CVE-2023-49208]; fix open redirection via redirect_uri [CVE-2024-25715]
glib2.0Fix a (rare) memory leak
glibcRevert fix to always call destructors in reverse constructor order due to unforeseen application compatibility issues; fix a DTV corruption due to a reuse of a TLS module ID following dlclose with unused TLS
gnutls28Fix certtool crash when verifying a certificate chain with more than 16 certificates [CVE-2024-28835]; fix side-channel in the deterministic ECDSA [CVE-2024-28834]; fix a memory leak; fix two segfault issues
golang-github-containers-storageRebuild for outdated Built-Using
golang-github-google-nftablesFix AddSet() function on little-endian architectures
golang-github-openshift-imagebuilderRebuild for outdated Built-Using
gosuRebuild for outdated Built-Using
gpasteFix conflict with older libpgpaste6
grossFix stack-based buffer overflow [CVE-2023-52159]
hovercraftDepend on python3-setuptools
icinga2Fix segmentation fault on ppc64el
igtf-policy-bundleAddress CAB Forum S/MIME policy change; apply accumulated updates to trust anchors
intel-microcodeSecurity mitigations [CVE-2023-22655 CVE-2023-28746 CVE-2023-38575 CVE-2023-39368 CVE-2023-43490]; mitigate for INTEL-SA-01051 [CVE-2023-45733], INTEL-SA-01052 [CVE-2023-46103], INTEL-SA-01036 [CVE-2023-45745, CVE-2023-47855] and unspecified functional issues on various Intel processors
joseFix potential denial-of-service issue [CVE-2023-50967]
json-smartFix excessive recursion leading to stack overflow [CVE-2023-1370]; fix denial of service via crafted request [CVE-2021-31684]
kioFix file loss and potential locking issues on CIFS
lacmeFix post-issuance validation logic
libapache2-mod-auth-openidcFix mising input validation leading to DoS [CVE-2024-24814]
libesmtpBreak and replace older library versions
libimage-imlib2-perlFix package build
libjwtFix timing side channel attack [CVE-2024-25189]
libkf5ksievePrevent leaking passwords into server-side logs
libmail-dkim-perlAdd dependency on libgetopt-long-descriptive-perl
libpodHandle removed containers properly
libreofficeFix backup copy creation for files on mounted samba shares; don't remove libforuilo.so in -core-nogui
libseccompAdd support for syscalls up to Linux 6.7
libtommathFix integer overflow [CVE-2023-36328]
libtoolConflict with libltdl3-dev; fix check for += operator in func_append
libxml-stream-perlFix compatibility with IO::Socket::SSL >= 2.078
linuxNew upstream stable release; increase ABI to 22
linux-signed-amd64New upstream stable release; increase ABI to 22
linux-signed-arm64New upstream stable release; increase ABI to 22
linux-signed-i386New upstream stable release; increase ABI to 22
lua5.4debian/version-script: Export additional missing symbols for lua 5.4.4
lxc-templatesFix the mirror option of lxc-debian
mailman3Depend alternatively on cron-daemon; fix postgresql:// url in post-installation script
mkshHandle merged /usr in /etc/shells; fix crash with nested bashism; fix arguments to the dot command; distinguish unset and empty in `typeset -p`
mobian-keyringUpdate Mobian archive key
ms-gslMark not_null constructors as noexcept
nanoFix format string issues; fix with --cutfromcursor, undoing a justification can eat a line; fix malicious symlink issue; fix example bindings in nanorc
netcfgHandle routing for single-address netmasks
ngircdRespect SSLConnect option for incoming connections; server certificate validation on server links (S2S-TLS); METADATA: Fix unsetting cloakhost
node-babel7Fix building against nodejs 18.19.0+dfsg-6~deb12u1; add Breaks/Replaces against obsolete node-babel-* packages
node-undiciProperly export typescript types
node-v8-compile-cacheFix tests when a newer nodejs version is used
node-zxFix flaky test
nodejsSkip flaky tests for mipsel/mips64el
nsisDon't allow unprivileged users to delete the uninstaller directory [CVE-2023-37378]; fix regression in disabling stub relocations; build reproducibly for arm64
nvidia-graphics-driversRestore compatibility with newer Linux kernel builds; take over packages from nvidia-graphics-drivers-tesla; add new nvidia-suspend-common package; relax dh-dkms build-dependency for compatibility with bookworm; new upstream stable release [CVE-2023-0180 CVE-2023-0183 CVE-2023-0184 CVE-2023-0185 CVE-2023-0187 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199 CVE-2023-25515 CVE-2023-25516 CVE-2023-31022 CVE-2024-0074 CVE-2024-0075 CVE-2024-0078 CVE-2024-0090 CVE-2024-0092]
nvidia-graphics-drivers-teslaRestore compatibility with newer Linux kernel builds
nvidia-graphics-drivers-tesla-470Restore compatibility with newer Linux kernel builds; stop building nvidia-cuda-mps; new upstream stable release; security fixes [CVE-2022-42265 CVE-2024-0074 CVE-2024-0078 CVE-2024-0090 CVE-2024-0092]
nvidia-modprobePrepare to switch to 535 series LTS drivers
nvidia-open-gpu-kernel-modulesUpdate to 535 series LTS drivers [CVE-2023-0180 CVE-2023-0183 CVE-2023-0184 CVE-2023-0185 CVE-2023-0187 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199 CVE-2023-25515 CVE-2023-25516 CVE-2023-31022 CVE-2024-0074 CVE-2024-0075 CVE-2024-0078 CVE-2024-0090 CVE-2024-0092]
nvidia-persistencedSwitch to 535 series LTS drivers; update list of supported drivers
nvidia-settingsAlso build for ppc64el; new upstream LTS release
nvidia-xconfigNew upstream LTS release
openrcIgnore non-executable scripts in /etc/init.d
opensslNew upstream stable release; fix excessive time taken issues [CVE-2023-5678 CVE-2023-6237], vector register corruption issue on PowerPC [CVE-2023-6129], PKCS12 Decoding crashes [CVE-2024-0727]
openvpn-dco-dkmsBuild for Linux >= 6.5; install compat-include directory; fix refcount imbalance
orthanc-dicomwebRebuild to fix outdated Built-Using
orthanc-gdcmRebuild to fix outdated Built-Using
orthanc-mysqlRebuild to fix outdated Built-Using
orthanc-neuroRebuild to fix outdated Built-Using
orthanc-postgresqlRebuild to fix outdated Built-Using
orthanc-pythonRebuild to fix outdated Built-Using
orthanc-webviewerRebuild to fix outdated Built-Using
orthanc-wsiRebuild to fix outdated Built-Using
ovnNew upstream stable version; fix insufficient validation of incoming BFD packets [CVE-2024-2182]
pdudaemonDepend on python3-aiohttp
php-composer-class-map-generatorForce system dependency loading
php-composer-pcreAdd missing Breaks+Replaces: on composer (<< 2.2)
php-composer-xdebug-handlerForce system dependency loading
php-doctrine-annotationsForce system dependency loading
php-doctrine-deprecationsForce system dependency loading
php-doctrine-lexerForce system dependency loading
php-phpseclibGuard isPrime() and randomPrime() for BigInteger [CVE-2024-27354]; limit OID length in ASN1 [CVE-2024-27355]; fix BigInteger getLength(); remove visibitility modifiers from static variables
php-phpseclib3Force system dependency loading; guard isPrime() and randomPrime() for BigInteger [CVE-2024-27354]; limit OID length in ASN1 [CVE-2024-27355]; fix BigInteger getLength()
php-proxy-managerForce system dependency loading
php-symfony-contractsForce system dependency loading
php-zend-codeForce system dependency loading
phpldapadminFix compatbility with PHP 8.1+
phpseclibForce system dependency loading; guard isPrime() and randomPrime() for BigInteger [CVE-2024-27354]; limit OID length in ASN1 [CVE-2024-27355]; fix BigInteger getLength()
postfixNew upstream stable release
postgresql-15New upstream stable release; restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to the table owner [CVE-2024-4317]
prometheus-node-exporter-collectorsDo not adversely affect mirror network; fix deadlock with other apt update runs
pymongoFix out-of-bounds read issue [CVE-2024-5629]
pypy3Strip C0 control and space characters in urlsplit [CVE-2023-24329]; avoid bypass of TLS handshake protections on closed sockets [CVE-2023-40217]; tempfile.TemporaryDirectory: fix symlink bug in cleanup [CVE-2023-6597]; protect zipfile from quoted-overlap zipbomb [CVE-2024-0450]
python-aiosmtpdFix SMTP smuggling issue [CVE-2024-27305]; fix STARTTLS unencrypted command injection issue [CVE-2024-34083]
python-asdfRemove unnecessary dependency on asdf-unit-schemas
python-channels-redisEnsure pools are closed on loop close in core
python-idnaFix denial of service issue [CVE-2024-3651]
python-jwcryptoFix denial of service issue [CVE-2024-28102]
python-xapian-haystackDrop dependency on django.utils.six
python3.11Fix use-after-free crash when deallocating a frame object; protect zipfile from quoted-overlap zipbomb [CVE-2024-0450]; tempfile.TemporaryDirectory: fix symlink bug in cleanup [CVE-2023-6597]; fix os.path.normpath(): Path truncation at null bytes [CVE-2023-41105]; avoid bypass of TLS handshake protections on closed sockets [CVE-2023-40217]; strip C0 control and space characters in urlsplit [CVE-2023-24329]; avoid a potential null pointer dereference in filleutils
qemuNew upstream stable release; security fixes [CVE-2024-26327 CVE-2024-26328 CVE-2024-3446 CVE-2024-3447]
qtbase-opensource-srcFix regression in patch for CVE-2023-24607; avoid using system CA certificates when not wanted [CVE-2023-34410]; fix buffer overflow [CVE-2023-37369]; fix infinite loop in XML recursive entity expansion [CVE-2023-38197]; fix buffer overflow with crafted KTX image file [CVE-2024-25580]; fix HPack integer overflow check [CVE-2023-51714]
railsDeclare breaks and replaces on obsolete ruby-arel package
riseup-vpnUse system certificate bundle by default, restoring ability to connect to an endpoint using LetsEncrypt certificate
ruby-aws-partitionsEnsure binary package includes partitions.json and partitions-metadata.json files
ruby-premailer-railsRemove build-dependency on obsolete ruby-arel
rust-cbindgen-webNew source package to support builds of newer Firefox ESR versions
rustc-webNew source package to support builds of web browsers
schleuderFix argument parsing insufficient validation; fix importing keys from attachments sent by Thunderbird and handle mails without further content; look for keywords only at the start of mail; validate downcased email addresses when checking subscribers; consider From header for finding reply addresses
sendmailFix SMTP smuggling issue [CVE-2023-51765]
skeemaRebuild for outdated Built-Using
skopeoRebuild for outdated Built-Using
software-propertiessoftware-properties-qt: Add Conflicts+Replaces: on software-properties-kde for smoother upgrades from bullseye
superminRebuild to fix outdated Built-Using
symfonyForce system dependency loading; DateTypTest: ensure submitted year is accepted choice
systemdNew upstream stable release; fix denial of service issues [CVE-2023-50387 CVE-2023-50868]; libnss-myhostname.nss: Install after files; libnss-mymachines.nss: Install before resolve and dns
termsharkRebuild to fix outdated Built-Using
tripwireRebuild to fix outdated Built-Using
tryton-clientOnly send compressed content in authenticated sessions
tryton-serverPrevent zip-bomb attacks from unauthenticated sources
u-bootFix orion-timer for booting sheevaplug and related platforms
uifSupport VLAN interface names
umociRebuild for outdated Built-Using
user-mode-linuxRebuilt to fix outdated Built-Using
wayfireAdd missing dependencies
what-is-pythonDeclare breaks and replaces on python-dev-is-python2; fix version mangling in build rules
wpaFix authentication bypass issue [CVE-2023-52160]
xscreensaverDisable warning about old versions
yapetDo not call EVP_CIPHER_CTX_set_key_length() in crypt/blowfish and crypt/aes
zshRebuild to fix outdated Built-Using

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory IDPackage
DSA-5575 webkit2gtk
DSA-5580 webkit2gtk
DSA-5589 nodejs
DSA-5609 slurm-wlm-contrib
DSA-5616 ruby-sanitize
DSA-5618 webkit2gtk
DSA-5619 libgit2
DSA-5620 unbound
DSA-5621 bind9
DSA-5623 postgresql-15
DSA-5624 edk2
DSA-5625 engrampa
DSA-5626 pdns-recursor
DSA-5627 firefox-esr
DSA-5628 imagemagick
DSA-5630 thunderbird
DSA-5631 iwd
DSA-5632 composer
DSA-5633 knot-resolver
DSA-5635 yard
DSA-5637 squid
DSA-5638 libuv1
DSA-5640 openvswitch
DSA-5641 fontforge
DSA-5642 php-dompdf-svg-lib
DSA-5643 firefox-esr
DSA-5644 thunderbird
DSA-5645 firefox-esr
DSA-5646 cacti
DSA-5650 util-linux
DSA-5651 mediawiki
DSA-5653 gtkwave
DSA-5655 cockpit
DSA-5657 xorg-server
DSA-5658 linux-signed-amd64
DSA-5658 linux-signed-arm64
DSA-5658 linux-signed-i386
DSA-5658 linux
DSA-5659 trafficserver
DSA-5661 php8.2
DSA-5662 apache2
DSA-5663 firefox-esr
DSA-5664 jetty9
DSA-5665 tomcat10
DSA-5666 flatpak
DSA-5669 guix
DSA-5670 thunderbird
DSA-5672 openjdk-17
DSA-5673 glibc
DSA-5674 pdns-recursor
DSA-5677 ruby3.1
DSA-5678 glibc
DSA-5679 less
DSA-5680 linux-signed-amd64
DSA-5680 linux-signed-arm64
DSA-5680 linux-signed-i386
DSA-5680 linux
DSA-5682 glib2.0
DSA-5682 gnome-shell
DSA-5684 webkit2gtk
DSA-5685 wordpress
DSA-5686 dav1d
DSA-5688 atril
DSA-5690 libreoffice
DSA-5691 firefox-esr
DSA-5692 ghostscript
DSA-5693 thunderbird
DSA-5695 webkit2gtk
DSA-5698 ruby-rack
DSA-5699 redmine
DSA-5700 python-pymysql
DSA-5702 gst-plugins-base1.0
DSA-5704 pillow
DSA-5705 tinyproxy
DSA-5706 libarchive
DSA-5707 vlc
DSA-5708 cyrus-imapd
DSA-5709 firefox-esr
DSA-5711 thunderbird
DSA-5712 ffmpeg
DSA-5713 libndp
DSA-5714 roundcube
DSA-5715 composer
DSA-5717 php8.2

Removed packages

The following packages were removed due to circumstances beyond our control:

PackageReason
phppgadminSecurity issues; incompatible with bookworm's PostgreSQL version
pytest-salt-factoriesOnly needed for salt, which is not part of bookworm
ruby-arelObsolete, integrated into ruby-activerecord, incompatible with ruby-activerecord 6.1.x
spipIncompatible with bookworm's PHP version
vasttrafik-cliAPI withdrawn

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

The current stable distribution:

Proposed updates to the stable distribution:

stable distribution information (release notes, errata etc.):

Security announcements and information:

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.