Updated Debian 11: 11.9 released

February 10th, 2024

The Debian project is pleased to announce the ninth update of its oldstable distribution Debian 11 (codename bullseye). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 11 but only updates some of the packages included. There is no need to throw away old bullseye media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list
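The upgrade path above is a two-line apt invocation, but on a host that has sat on install media or on a stale security entry it is worth checking the sources first and verifying the result afterwards. The script below is an added worked example, not part of the Debian announcement and not a Debian-provided tool: it checks an apt sources list for both a bullseye mirror and the bullseye-security archive, applies the point release, runs check-support-status (shipped by debian-security-support) when present, and then confirms /etc/debian_version and the running kernel ABI against the base-files and kernel changes listed in this release. The file paths, the --apply switch and the embedded sample sources.list are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not part of the Debian announcement and not a Debian tool:
# pre-flight checks, the upgrade step and post-upgrade verification for
# moving an existing bullseye host to the 11.9 point release.
# Paths, the "--apply" switch and the sample sources.list are assumptions.
set -eu

# check_sources FILE: exit 0 only if FILE has a "deb" line for the bullseye
# suite on an http(s) mirror AND one for bullseye-security on
# security.debian.org. Comments, "[arch=...]" options and cdrom: entries left
# over from the install media are ignored; deb-src lines do not count.
check_sources() {
    awk '
        { sub(/#.*/, ""); sub(/\[[^]]*\]/, "") }   # strip comments, options
        $1 != "deb"    { next }
        $2 ~ /^cdrom:/ { next }                     # old media, not a mirror
        $3 == "bullseye" && $2 ~ /^https?:/ { mirror = 1 }
        $3 == "bullseye-security" && $2 ~ /security\.debian\.org/ { sec = 1 }
        END { exit !(mirror && sec) }
    ' "$1"
}

# release_is FILE WANT: exit 0 if FILE (normally /etc/debian_version, which
# base-files updates to 11.9 in this release) reads exactly WANT.
release_is() {
    [ "$(tr -d '[:space:]' < "$1")" = "$2" ]
}

# kernel_abi_is UNAME_R ABI: exit 0 if a kernel release string such as
# "5.10.0-28-amd64" carries ABI number ABI (28 after this point release).
kernel_abi_is() {
    case "$1" in
        5.10.0-"$2"-*) return 0 ;;
    esac
    return 1
}

# apply_point_release: refuse to run with incomplete sources, then upgrade.
# dist-upgrade rather than upgrade: 11.9 raises the kernel ABI to 5.10.0-28,
# so linux-image-<arch> needs a NEW linux-image-5.10.0-28-* package, which
# "apt-get upgrade" never installs (it would report the kernel as kept back).
apply_point_release() {
    check_sources /etc/apt/sources.list || {
        echo "sources.list lacks a bullseye mirror or bullseye-security" >&2
        return 1
    }
    apt-get update
    DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
    # debian-security-support ships check-support-status, which reports
    # packages whose security support has ended or is limited (this release
    # adds tor, consul, xen and chromium to those lists).
    if command -v check-support-status >/dev/null 2>&1; then
        check-support-status
    fi
    release_is /etc/debian_version 11.9 ||
        echo "warning: /etc/debian_version is not 11.9; base-files not upgraded?" >&2
    kernel_abi_is "$(uname -r)" 28 ||
        echo "reboot required: running kernel is not ABI 5.10.0-28" >&2
}

if [ "${1:-}" = "--apply" ]; then
    apply_point_release
else
    # Demo mode: run the sources check against a constructed sources.list
    # (install media commented out, one mirror, the security archive).
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
# deb cdrom:[Debian GNU/Linux 11 _Bullseye_ - Official amd64 NETINST]/ bullseye main
deb [arch=amd64] http://deb.debian.org/debian bullseye main
deb http://security.debian.org/debian-security bullseye-security main
deb-src http://deb.debian.org/debian bullseye main
EOF
    if check_sources "$sample"; then
        echo "sample sources.list: bullseye mirror and bullseye-security present"
    else
        echo "sample sources.list: incomplete" >&2
    fi
    rm -f "$sample"
fi
```

Run without arguments it only exercises the checks on the embedded sample; run as root with --apply it performs the upgrade. dist-upgrade is deliberate: because the kernel ABI moves to 5.10.0-28, the linux-image metapackage depends on a kernel package that is not yet installed, and apt-get upgrade would leave it kept back. Reboot afterwards so the running kernel matches the one the point release shipped.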

Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following packages:

Package Reason
axis Filter out unsupported protocols in the client class ServiceFactory [CVE-2023-40743]
base-files Update for the 11.9 point release
cifs-utils Fix non-parallel builds
compton Remove recommendation of picom
conda-package-handling Skip unreliable tests
conmon Do not hang when forwarding container stdout/stderr with lots of output
crun Fix containers with systemd as their init system, when using newer kernel versions
debian-installer Increase Linux kernel ABI to 5.10.0-28; rebuild against proposed-updates
debian-installer-netboot-images Rebuild against proposed-updates
debian-ports-archive-keyring Add Debian Ports Archive Automatic Signing Key (2025)
debian-security-support Mark tor, consul and xen as end-of-life; limit samba support to non-AD DC use cases; match golang packages with regular expression; drop version-based checking; add chromium to security-support-ended.deb11; add tiles and libspring-java to security-support-limited
debootstrap Backport merged-/usr support changes from trixie: implement merged-/usr by post-merging, default to merged-/usr for suites newer than bookworm in all profiles
distro-info Update tests for distro-info-data 0.58+deb12u1, which adjusted Debian 7's EoL date
distro-info-data Add Ubuntu 24.04 LTS Noble Numbat; fix several End Of Life dates
dpdk New upstream stable release
dropbear Fix security measure bypass issue [CVE-2021-36369]; fix terrapin attack [CVE-2023-48795]
exuberant-ctags Fix arbitrary command execution issue [CVE-2022-4515]
filezilla Prevent terrapin exploit [CVE-2023-48795]
gimp Remove old versions of separately packaged dds plugin
glib2.0 Align with upstream stable fixes; fix denial of service issues [CVE-2023-32665 CVE-2023-32611 CVE-2023-29499 CVE-2023-32636]
glibc Fix a memory corruption in qsort() when using nontransitive comparison functions
gnutls28 Security fix for timing side-channel attack [CVE-2023-5981]
imagemagick Various security fixes [CVE-2021-20241 CVE-2021-20243 CVE-2021-20244 CVE-2021-20245 CVE-2021-20246 CVE-2021-20309 CVE-2021-3574 CVE-2021-39212 CVE-2021-4219 CVE-2022-1114 CVE-2022-28463 CVE-2022-32545 CVE-2022-32546]
jqueryui Fix cross-site scripting issue [CVE-2022-31160]
knewstuff Ensure correct ProvidersUrl to fix denial of service
libdatetime-timezone-perl Update included timezone data
libde265 Fix segmentation violation in the function decoder_context::process_slice_segment_header [CVE-2023-27102]; fix heap buffer overflow in the function derive_collocated_motion_vectors [CVE-2023-27103]; fix buffer over-read in pic_parameter_set::dump [CVE-2023-43887]; fix buffer overflow in the slice_segment_header function [CVE-2023-47471]; fix buffer overflow issues [CVE-2023-49465 CVE-2023-49467 CVE-2023-49468]
libmateweather Update included location data; update data server URL
libpod Fix incorrect handling of supplementary groups [CVE-2022-2989]
libsolv Enable zstd compression support
libspreadsheet-parsexlsx-perl Fix possible memory bomb [CVE-2024-22368]; fix XML External Entity issue [CVE-2024-23525]
linux New upstream stable release; increase ABI to 28
linux-signed-amd64 New upstream stable release; increase ABI to 28
linux-signed-arm64 New upstream stable release; increase ABI to 28
linux-signed-i386 New upstream stable release; increase ABI to 28
llvm-toolchain-16 New backported package to support builds of newer chromium versions; build-dep on llvm-spirv instead of llvm-spirv-16
mariadb-10.5 New upstream stable release; fix denial of service issue [CVE-2023-22084]
minizip Reject overflows of zip header fields [CVE-2023-45853]
modsecurity-apache Fix protection bypass issues [CVE-2022-48279 CVE-2023-24021]
nftables Fix incorrect bytecode generation
node-dottie Fix prototype pollution issue [CVE-2023-26132]
node-url-parse Fix authorisation bypass issue [CVE-2022-0512]
node-xml2js Fix prototype pollution issue [CVE-2023-0842]
nvidia-graphics-drivers New upstream release [CVE-2023-31022]
nvidia-graphics-drivers-tesla-470 New upstream release [CVE-2023-31022]
opendkim Properly delete Authentication-Results headers [CVE-2022-48521]
perl Prevent buffer overflow via illegal Unicode property [CVE-2023-47038]
plasma-desktop Fix denial of service bug in discover
plasma-discover Fix denial of service bug; fix build failure
postfix New upstream stable release; address SMTP smuggling issue [CVE-2023-51764]
postgresql-13 New upstream stable release; fix SQL injection issue [CVE-2023-39417]
postgresql-common Fix autopkgtests
python-cogent Skip parallel tests on single-CPU systems
python-django-imagekit Avoid triggering path traversal detection in tests
python-websockets Fix predictable duration issue [CVE-2021-33880]
pyzoltan Build on single core systems
ruby-aws-sdk-core Include VERSION file in package
spip Fix cross-site scripting issue
swupdate Prevent acquiring root privileges through inappropriate socket mode
symfony Ensure CodeExtension's filters properly escape their input [CVE-2023-46734]
tar Fix boundary checking in base-256 decoder [CVE-2022-48303], handling of extended header prefixes [CVE-2023-39804]
tinyxml Fix assertion issue [CVE-2023-34194]
tzdata Update included timezone data
unadf Fix stack buffer overflow issue [CVE-2016-1243]; fix arbitrary code execution issue [CVE-2016-1244]
usb.ids Update included data list
vlfeat Fix FTBFS with newer ImageMagick
weborf Fix denial of service issue
wolfssl Fix buffer overflow issues [CVE-2022-39173 CVE-2022-42905], key disclosure issue [CVE-2022-42961], predictable buffer in input keying material [CVE-2023-3724]
xerces-c Fix use-after-free issue [CVE-2018-1311]; fix integer overflow issue [CVE-2023-37536]
zeromq3 Fix fork() detection with gcc 7; update copyright relicense statement

Security Updates

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-5496 firefox-esr
DSA-5499 chromium
DSA-5506 firefox-esr
DSA-5508 chromium
DSA-5509 firefox-esr
DSA-5511 mosquitto
DSA-5512 exim4
DSA-5513 thunderbird
DSA-5514 glibc
DSA-5515 chromium
DSA-5516 libxpm
DSA-5517 libx11
DSA-5518 libvpx
DSA-5519 grub-efi-amd64-signed
DSA-5519 grub-efi-arm64-signed
DSA-5519 grub-efi-ia32-signed
DSA-5519 grub2
DSA-5520 mediawiki
DSA-5522 tomcat9
DSA-5523 curl
DSA-5524 libcue
DSA-5526 chromium
DSA-5527 webkit2gtk
DSA-5528 node-babel7
DSA-5530 ruby-rack
DSA-5531 roundcube
DSA-5533 gst-plugins-bad1.0
DSA-5534 xorg-server
DSA-5535 firefox-esr
DSA-5536 chromium
DSA-5537 openjdk-11
DSA-5538 thunderbird
DSA-5539 node-browserify-sign
DSA-5540 jetty9
DSA-5542 request-tracker4
DSA-5543 open-vm-tools
DSA-5544 zookeeper
DSA-5545 vlc
DSA-5546 chromium
DSA-5547 pmix
DSA-5548 openjdk-17
DSA-5549 trafficserver
DSA-5550 cacti
DSA-5551 chromium
DSA-5554 postgresql-13
DSA-5556 chromium
DSA-5557 webkit2gtk
DSA-5558 netty
DSA-5560 strongswan
DSA-5561 firefox-esr
DSA-5563 intel-microcode
DSA-5564 gimp
DSA-5565 gst-plugins-bad1.0
DSA-5566 thunderbird
DSA-5567 tiff
DSA-5569 chromium
DSA-5570 nghttp2
DSA-5571 rabbitmq-server
DSA-5572 roundcube
DSA-5573 chromium
DSA-5574 libreoffice
DSA-5576 xorg-server
DSA-5577 chromium
DSA-5579 freeimage
DSA-5581 firefox-esr
DSA-5582 thunderbird
DSA-5584 bluez
DSA-5585 chromium
DSA-5586 openssh
DSA-5587 curl
DSA-5588 putty
DSA-5590 haproxy
DSA-5591 libssh
DSA-5592 libspreadsheet-parseexcel-perl
DSA-5594 linux-signed-amd64
DSA-5594 linux-signed-arm64
DSA-5594 linux-signed-i386
DSA-5594 linux
DSA-5595 chromium
DSA-5597 exim4
DSA-5598 chromium
DSA-5599 phpseclib
DSA-5600 php-phpseclib
DSA-5602 chromium
DSA-5603 xorg-server
DSA-5604 openjdk-11
DSA-5605 thunderbird
DSA-5606 firefox-esr
DSA-5608 gst-plugins-bad1.0
DSA-5613 openjdk-17
DSA-5614 zbar
DSA-5615 runc

Removed packages

The following obsolete package was removed from the distribution:

Package Reason
gimp-dds Integrated in gimp>=2.10

Debian Installer

The installer has been updated to include the fixes incorporated into oldstable by the point release.

URLs

The complete lists of packages that have changed with this revision:

https://deb.debian.org/debian/dists/bullseye/ChangeLog

The current oldstable distribution:

https://deb.debian.org/debian/dists/oldstable/

Proposed updates to the oldstable distribution:

https://deb.debian.org/debian/dists/oldstable-proposed-updates

oldstable distribution information (release notes, errata etc.):

https://www.debian.org/releases/oldstable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.