Updated Debian 11: 11.7 released
April 29th, 2023
The Debian project is pleased to announce the seventh update of its stable distribution Debian 11 (codename bullseye).
Besides resolving a few serious problems, this update mainly adds corrections for security issues. Security advisories have already been published separately and are only referenced in this announcement.
Please note that this update does not constitute a new version of Debian 11 but only updates some of the packages included. There is no need to throw away old bullseye media; packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who regularly install updates from security.debian.org won't have to update many packages, as most of those updates are included in this point release.
New installation images will be available at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's HTTP mirrors. A comprehensive list of Debian mirrors is available at:
Miscellaneous bugfixes
This stable update adds a few important corrections to the following packages:
الحزمة | السبب |
---|---|
akregator | Fix validity checks, including fixing deletion of feeds and folders |
apache2 | Don't automatically enable apache2-doc.conf; fix regressions in http2 and mod_rewrite introduced in 2.4.56 |
at-spi2-core | Set stop timeout to 5 seconds, so as not to needlessly block system shutdowns |
avahi | Fix local denial of service issue [CVE-2021-3468] |
base-files | Update for the 11.7 point release |
c-ares | Prevent stack overflow and denial of service [CVE-2022-4904] |
clamav | New upstream stable release; fix possible remote code execution issue in the HFS+ file parser [CVE-2023-20032], possible information leak in the DMG file parser [CVE-2023-20052] |
command-not-found | Add new non-free-firmware component, fixing upgrades to bookworm |
containerd | Fix denial of service issue [CVE-2023-25153]; fix possible privilege escalation via incorrect setup of supplementary groups [CVE-2023-25173] |
crun | Fix capability escalation issue due to containers being incorrectly started with non-empty default permissions [CVE-2022-27650] |
cwltool | Add missing dependency on python3-distutils |
debian-archive-keyring | Add bookworm keys; move stretch keys to the removed keyring |
debian-installer | Increase Linux kernel ABI to 5.10.0-22; rebuild against proposed-updates |
debian-installer-netboot-images | Rebuild against proposed-updates |
debian-ports-archive-keyring | Extend the 2023 signing key's expiration by one year; add 2024 signing key; move 2022 signing key to the removed keyring |
dpdk | New upstream stable release |
duktape | Fix crash issue [CVE-2021-46322] |
e2tools | Fix build failure by adding build dependency on e2fsprogs |
erlang | Fix client authentication bypass issue [CVE-2022-37026]; use -O1 optimization for armel because -O2 makes erl segfault on certain platforms, e.g. Marvell |
exiv2 | Security fixes [CVE-2021-29458 CVE-2021-29463 CVE-2021-29464 CVE-2021-29470 CVE-2021-29473 CVE-2021-29623 CVE-2021-32815 CVE-2021-34334 CVE-2021-34335 CVE-2021-3482 CVE-2021-37615 CVE-2021-37616 CVE-2021-37618 CVE-2021-37619 CVE-2021-37620 CVE-2021-37621 CVE-2021-37622 CVE-2021-37623] |
flask-security | Fix open redirect vulnerability [CVE-2021-23385] |
flatpak | New upstream stable release; escape special characters when displaying permissions and metadata [CVE-2023-28101]; don't allow copy/paste via the TIOCLINUX ioctl when running in a Linux virtual console [CVE-2023-28100] |
galera-3 | New upstream stable release |
ghostscript | Fix path for PostScript helper file in ps2epsi |
glibc | Fix memory leak in printf-family functions with long multibyte strings; fix crash in printf-family due to width/precision-dependent allocations; fix segfault in printf handling thousands separator; fix overflow in the AVX2 implementation of wcsnlen when crossing pages |
golang-github-containers-common | Fix parsing of DBUS_SESSION_BUS_ADDRESS |
golang-github-containers-psgo | Do not enter the process user namespace [CVE-2022-1227] |
golang-github-containers-storage | Make previously internal functions publicly accessible, required to allow fixing CVE-2022-1227 in other packages |
golang-github-prometheus-exporter-toolkit | Patch tests to avoid race condition; fix authentication cache poisoning issue [CVE-2022-46146] |
grep | Fix incorrect matching when the last of multiple patterns includes a backreference |
gtk+3.0 | Fix Wayland + EGL on GLES-only platforms |
guix | Fix build failure due to expired keys used in test suite |
intel-microcode | New upstream bug-fix release |
isc-dhcp | Fix IPv6 address lifetime handling |
jersey1 | Fix build failure with libjettison-java 1.5.3 |
joblib | Fix arbitrary code execution issue [CVE-2022-21797] |
lemonldap-ng | Fix URL validation bypass issue; fix 2FA issue when using AuthBasic handler [CVE-2023-28862] |
libapache2-mod-auth-openidc | Fix open redirect issue [CVE-2022-23527] |
libapreq2 | Fix buffer overflow issue [CVE-2022-22728] |
libdatetime-timezone-perl | Update included data |
libexplain | Enhance compatibility with newer kernel versions - Linux 5.11 no longer has if_frad.h, termiox removed since kernel 5.12 |
libgit2 | Enable SSH key verification by default [CVE-2023-22742] |
libpod | Fix privilege escalation issue [CVE-2022-1227]; fix capability escalation issue due to containers being incorrectly started with non-empty default permissions [CVE-2022-27649]; fix parsing of DBUS_SESSION_BUS_ADDRESS |
libreoffice | Change Croatia's default currency to Euro; avoid empty -Djava.class.path= [CVE-2022-38745] |
libvirt | Fix container reboot-related issues; fix test failures when combined with newer Xen versions |
libxpm | Fix infinite loop issues [CVE-2022-44617 CVE-2022-46285]; fix double free issue in error handling code; fix compression commands depending on PATH [CVE-2022-4883] |
libzen | Fix null pointer dereference issue [CVE-2020-36646] |
linux | New upstream stable release; increase ABI to 22; [rt] update to 5.10.176-rt86 |
linux-signed-amd64 | New upstream stable release; increase ABI to 22; [rt] update to 5.10.176-rt86 |
linux-signed-arm64 | New upstream stable release; increase ABI to 22; [rt] update to 5.10.176-rt86 |
linux-signed-i386 | New upstream stable release; increase ABI to 22; [rt] update to 5.10.176-rt86 |
lxc | Fix file existence oracle [CVE-2022-47952] |
macromoleculebuilder | Fix build failure by adding build dependency on docbook-xsl |
mariadb-10.5 | New upstream stable release; revert upstream libmariadb API change |
mono | Remove desktop file |
ncurses | Guard against corrupt terminfo data [CVE-2022-29458]; fix tic crash on very long tc/use clauses |
needrestart | Fix warnings when using the -b option |
node-cookiejar | Guard against maliciously-sized cookies [CVE-2022-25901] |
node-webpack | Avoid cross-realm object access [CVE-2023-28154] |
nvidia-graphics-drivers | New upstream release; security fixes [CVE-2023-0180 CVE-2023-0184 CVE-2023-0185 CVE-2023-0187 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199] |
nvidia-graphics-drivers-tesla-450 | New upstream release; security fixes [CVE-2023-0180 CVE-2023-0184 CVE-2023-0185 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199] |
nvidia-graphics-drivers-tesla-470 | New upstream release; security fixes [CVE-2023-0180 CVE-2023-0184 CVE-2023-0185 CVE-2023-0187 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199] |
nvidia-modprobe | New upstream release |
openvswitch | Fix openvswitch-switch update leaves interfaces down |
passenger | Fix compatibility with more recent NodeJS versions |
phyx | Remove unnecessary build dependency on libatlas-cpp |
postfix | New upstream stable release |
postgis | Fix wrong Polar stereographic axis order |
postgresql-13 | New upstream stable release; fix client memory disclosure issue [CVE-2022-41862] |
python-acme | Fix version of created CSRs, to prevent problems with strictly RFC-complying implementations of the ACME API |
ruby-aws-sdk-core | Fix generation of version file |
ruby-cfpropertylist | Fix some functionality by dropping compatibility with Ruby 1.8 |
shim | New upstream release; new upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4 |
shim-helpers-amd64-signed | New upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4 |
shim-helpers-arm64-signed | New upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4 |
shim-helpers-i386-signed | New upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4 |
shim-signed | New upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4 |
snakeyaml | Fix denial of service issues [CVE-2022-25857 CVE-2022-38749 CVE-2022-38750 CVE-2022-38751]; add documentation regarding security support / issues |
spyder | Fix duplication of code when saving |
symfony | Remove private headers before storing responses with HttpCache [CVE-2022-24894]; remove CSRF tokens from storage on successful login [CVE-2022-24895] |
systemd | Fix information leak issue [CVE-2022-4415], denial of service issue [CVE-2022-3821]; ata_id: fix getting Response Code from SCSI Sense Data; logind: fix getting property OnExternalPower via D-Bus; fix crash in systemd-machined |
tomcat9 | Add OpenJDK 17 support to JDK detection |
traceroute | Interpret v4mapped-IPv6 addresses as IPv4 |
tzdata | Update included data |
unbound | Fix Non-Responsive Delegation Attack [CVE-2022-3204]; fix ghost domain names issue [CVE-2022-30698 CVE-2022-30699] |
usb.ids | Update included data |
vagrant | Add support for VirtualBox 7.0 |
voms-api-java | Fix build failures by disabling some non-working tests |
w3m | Fix out-of-bounds write issue [CVE-2022-38223] |
x4d-icons | Fix build failure with newer imagemagick versions |
xapian-core | Prevent database corruption on disk exhaustion |
zfs-linux | Add several stability improvements |
Security updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
الحزمة | السبب |
---|---|
bind-dyndb-ldap | Broken with newer bind9 versions; unsupportable in stable |
matrix-mirage | Depends on to-be-removed python-matrix-nio |
pantalaimon | Depends on to-be-removed python-matrix-nio |
python-matrix-nio | Security issues; doesn't work with current Matrix servers |
weechat-matrix | Depends on to-be-removed python-matrix-nio |
Debian Installer
The installer has been updated to include the fixes incorporated into stable by this point release.
URLs
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
Stable distribution information (release notes, errata, etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.