Updated Debian 11: 11.8 released
October 7th, 2023
The Debian project is pleased to announce the eighth update of its oldstable distribution Debian 11 (codename bullseye).
This point release mainly adds corrections for security issues,
along with a few adjustments for serious problems. Security advisories
have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 11 but only updates some of the packages included. There is no need to throw away old bullseye media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This oldstable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
adduser | Fix command injection vulnerability in deluser |
aide | Fix handling of extended attributes on symlinks |
amd64-microcode | Update included microcode, including fixes for AMD Inception on AMD Zen4 processors [CVE-2023-20569] |
appstream-glib | Handle `<em>` and `<code>` tags in metadata |
asmtools | Backport to bullseye for future openjdk-11 builds |
autofs | Fix missing mutex unlock; do not use rpcbind for NFS4 mounts; fix regression determining reachability on dual-stack hosts |
base-files | Update for the 11.8 point release |
batik | Fix Server Side Request Forgery issues [CVE-2022-44729 CVE-2022-44730] |
bmake | Conflict with bsdowl (<< 2.2.2-1.2~) to ensure smooth upgrades |
boxer-data | Backport thunderbird compatibility fixes |
ca-certificates-java | Work around unconfigured jre during new installations |
cairosvg | Handle data: URLs in safe mode |
cargo-mozilla | New upstream version, to support building newer firefox-esr versions |
clamav | New upstream stable release; fix denial of service vulnerability via HFS+ parser [CVE-2023-20197] |
cpio | Fix arbitrary code execution issue [CVE-2021-38185]; replace Suggests: on libarchive1 with libarchive-dev |
cryptmount | Fix memory-initialization in command-line parser |
cups | Fix heap-based buffer overflow issues [CVE-2023-4504 CVE-2023-32324], unauthenticated access issue [CVE-2023-32360], use-after-free issue [CVE-2023-34241] |
curl | Fix code execution issues [CVE-2023-27533 CVE-2023-27534], information disclosure issues [CVE-2023-27535 CVE-2023-27536 CVE-2023-28322], inappropriate connection re-use issue [CVE-2023-27538], improper certificate validation issue [CVE-2023-28321] |
dbus | New upstream stable release; fix denial of service issue [CVE-2023-34969] |
debian-design | Rebuild using newer boxer-data |
debian-installer | Increase Linux kernel ABI to 5.10.0-26; rebuild against proposed-updates |
debian-installer-netboot-images | Rebuild against proposed-updates |
debian-parl | Rebuild using newer boxer-data |
debian-security-support | Set DEB_NEXT_VER_ID=12 as bookworm is the next release; security-support-limited: add gnupg1 |
distro-info-data | Add Debian 14 forky; correct Ubuntu 23.04 release date; add Ubuntu 23.10 Mantic Minotaur; add the planned release date for Debian bookworm |
dkimpy | New upstream bugfix release |
dpdk | New upstream stable release |
dpkg | Add support for loong64 CPU; handle missing Version when formatting source:Upstream-Version; fix varbuf memory leak in pkg_source_version() |
flameshot | Disable uploads to imgur by default; fix name of d/NEWS file in previous upload |
ghostscript | Fix buffer overflow issue [CVE-2023-38559]; try and secure the IJS server startup [CVE-2023-43115] |
gitit | Rebuild against new pandoc |
grunt | Fix race condition in symlink copying [CVE-2022-1537] |
gss | Add Breaks+Replaces: libgss0 (<< 0.1) |
haskell-hakyll | Rebuild against new pandoc |
haskell-pandoc-citeproc | Rebuild against new pandoc |
hnswlib | Fix double free in init_index when the M argument is a large integer [CVE-2023-37365] |
horizon | Fix open redirect issue [CVE-2022-45582] |
inetutils | Check return values for set*id() functions, avoiding potential security issues [CVE-2023-40303] |
krb5 | Fix free of uninitialised pointer [CVE-2023-36054] |
kscreenlocker | Fix authentication error when using PAM |
lacme | Handle CA ready, processing and valid states correctly |
lapack | Fix eigenvector matrix |
lemonldap-ng | Fix open redirection when OIDC RP has no redirect URIs; fix Server Side Request Forgery issue [CVE-2023-44469]; fix open redirection due to incorrect escape handling |
libapache-mod-jk | Remove implicit mapping functionality, which could lead to unintended exposure of the status worker and/or bypass of security constraints [CVE-2023-41081] |
libbsd | Fix infinite loop in MD5File |
libclamunrar | New upstream stable release |
libprelude | Make Python module usable |
libreswan | Fix denial of service issue [CVE-2023-30570] |
libsignal-protocol-c | Fix integer overflow issue [CVE-2022-48468] |
linux | New upstream stable release |
linux-signed-amd64 | New upstream stable release |
linux-signed-arm64 | New upstream stable release |
linux-signed-i386 | New upstream stable release |
logrotate | Avoid replacement of /dev/null with a regular file if used for the state file |
ltsp | Avoid using mv on init symlink in order to work around overlayfs issue |
lttng-modules | Fix build issues with newer kernel versions |
lua5.3 | Fix use after free in lua_upvaluejoin (lapi.c) [CVE-2019-6706]; fix segmentation fault in getlocal and setlocal (ldebug.c) [CVE-2020-24370] |
mariadb-10.5 | New upstream bugfix release [CVE-2022-47015] |
mujs | Security fix |
ncurses | Disallow loading of custom terminfo entries in setuid/setgid programs [CVE-2023-29491] |
node-css-what | Fix regular expression-based denial of service issue [CVE-2022-21222 CVE-2021-33587] |
node-json5 | Fix prototype pollution issue [CVE-2022-46175] |
node-tough-cookie | Security fix: prototype pollution [CVE-2023-26136] |
nvidia-graphics-drivers | New upstream release [CVE-2023-25515 CVE-2023-25516]; improve compatibility with recent kernels |
nvidia-graphics-drivers-tesla-450 | New upstream release [CVE-2023-25515 CVE-2023-25516] |
nvidia-graphics-drivers-tesla-470 | New upstream bugfix release [CVE-2023-25515 CVE-2023-25516] |
openblas | Fix results of DGEMM on AVX512-capable hardware, when the package has been built on pre-AVX2 hardware |
openssh | Fix remote code execution issue via a forwarded agent socket [CVE-2023-38408] |
openssl | New upstream stable release; fix denial of service issues [CVE-2023-3446 CVE-2023-3817] |
org-mode | Fix command injection vulnerability [CVE-2023-28617] |
pandoc | Fix arbitrary file write issues [CVE-2023-35936 CVE-2023-38745] |
pev | Fix buffer overflow issue [CVE-2021-45423] |
php-guzzlehttp-psr7 | Fix improper input validation [CVE-2023-29197] |
php-nyholm-psr7 | Fix improper input validation issue [CVE-2023-29197] |
postgis | Fix axis order regression |
protobuf | Security fixes: DoS in Java [CVE-2021-22569]; NULL pointer dereference [CVE-2021-22570]; memory DoS [CVE-2022-1941] |
python2.7 | Fix parameter cloaking issue [CVE-2021-23336], URL injection issue [CVE-2022-0391], use-after-free issue [CVE-2022-48560], XML External Entity issue [CVE-2022-48565]; improve constant-time comparisons in compare_digest() [CVE-2022-48566]; improve URL parsing [CVE-2023-24329]; prevent reading unauthenticated data on an SSLSocket [CVE-2023-40217] |
qemu | Fix infinite loop [CVE-2020-14394], NULL pointer dereference issue [CVE-2021-20196], integer overflow issue [CVE-2021-20203], buffer overflow issues [CVE-2021-3507 CVE-2023-3180], denial of service issues [CVE-2021-3930 CVE-2023-3301], use-after-free issue [CVE-2022-0216], possible stack overflow and use-after-free issues [CVE-2023-0330], out-of-bounds read issue [CVE-2023-1544] |
rar | New upstream release; fix directory traversal issue [CVE-2022-30333]; fix arbitrary code execution issue [CVE-2023-40477] |
rhonabwy | Fix aesgcm buffer overflow [CVE-2022-32096] |
roundcube | New upstream stable release; fix cross-site scripting issue [CVE-2023-43770]; Enigma: Fix initial synchronization of private keys |
rust-cbindgen | New upstream version, to support building newer firefox-esr versions |
rustc-mozilla | New upstream version, to support building newer firefox-esr versions |
schleuder | Add versioned dependency on ruby-activerecord |
sgt-puzzles | Fix various security issues in game loading [CVE-2023-24283 CVE-2023-24284 CVE-2023-24285 CVE-2023-24287 CVE-2023-24288 CVE-2023-24291] |
spip | Several security fixes; security fix for extended authentication data filtering |
spyder | Fix broken patch in previous update |
systemd | Udev: fix creating /dev/serial/by-id/ symlinks for USB devices; fix memory leak on daemon-reload; fix a calendar spec calculation hang on DST change if TZ=Europe/Dublin |
tang | Fix race condition when creating/rotating keys; assert restrictive permissions on key directory [CVE-2023-1672]; make tangd-rotate-keys executable |
testng7 | Backport to oldstable for future openjdk-17 builds |
tinyssh | Work around incoming packets which don't honour max packet length |
unrar-nonfree | Fix file overwrite issue [CVE-2022-48579]; fix remote code execution issue [CVE-2023-40477] |
xen | New upstream stable release; fix security issues [CVE-2023-20593 CVE-2023-20569 CVE-2022-40982] |
yajl | Memory leak security fix; security fixes: potential denial of service with crafted JSON file [CVE-2017-16516]; heap memory corruption when dealing with large (~2GB) inputs [CVE-2022-24795]; fix incomplete patch for CVE-2023-33460 |
Security Updates
This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
atlas-cpp | unstable upstream, unsuitable for Debian |
ember-media | unstable upstream, unsuitable for Debian |
eris | unstable upstream, unsuitable for Debian |
libwfut | unstable upstream, unsuitable for Debian |
mercator | unstable upstream, unsuitable for Debian |
nomad | security fixes no longer available |
nomad-driver-lxc | depends on to-be-removed nomad |
skstream | unstable upstream, unsuitable for Debian |
varconf | unstable upstream, unsuitable for Debian |
wfmath | unstable upstream, unsuitable for Debian |
Debian Installer
The installer has been updated to include the fixes incorporated into oldstable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current oldstable distribution:
Proposed updates to the oldstable distribution:
oldstable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.