Uppdaterad Debian 12; 12.6 utgiven
29 juni 2024
Debianprojektet presenterar stolt sin sjätte uppdatering till dess
stabila utgåva Debian 12 (med kodnamnet bookworm
).
Denna punktutgåva lägger huvudsakligen till rättningar för säkerhetsproblem,
tillsammans med ytterligare rättningar för allvarliga problem. Säkerhetsbulletiner
har redan publicerats separat och refereras när de finns tillgängliga.
Vänligen notera att punktutgåvan inte innebär en ny version av Debian
12 utan endast uppdaterar några av de inkluderade paketen. Det behövs
inte kastas bort gamla media av bookworm
. Efter installationen
kan paket uppgraderas till de aktuella versionerna genom att använda en uppdaterad
Debianspegling..
De som frekvent installerar uppdateringar från security.debian.org kommer inte att behöva uppdatera många paket, och de flesta av sådana uppdateringar finns inkluderade i punktutgåvan.
Nya installationsavbildningar kommer snart att finnas tillgängliga på de vanliga platserna.
En uppgradering av en existerande installation till denna revision kan utföras genom att peka pakethanteringssystemet på en av Debians många HTTP-speglingar. En utförlig lista på speglingar finns på:
Blandade felrättningar
Denna uppdatering av den stabila utgåvan lägger till några viktiga felrättningar till följande paket:
| Paket | Orsak |
|---|---|
| aide | Fix concurrent reading of extended attributes |
| amavisd-new | Handle multiple boundary parameters that contain conflicting values [CVE-2024-28054]; fix race condition in postinst |
| archlinux-keyring | Switch to pre-built keyrings; sync with upstream |
| base-files | Update for the 12.6 point release |
| bash | Rebuild to fix outdated Built-Using |
| bioawk | Disable parallel builds to fix random failures |
| bluez | Fix remote code execution issues [CVE-2023-27349 CVE-2023-50229 CVE-2023-50230] |
| cdo | Disable hirlam-extensions to avoid causing issues with ICON data files |
| chkrootkit | Rebuild to fix outdated Built-Using |
| cjson | Fix missing NULL checks [CVE-2023-50471 CVE-2023-50472] |
| clamav | New upstream stable release; fix possible heap overflow issue [CVE-2024-20290], possible command injection issue [CVE-2024-20328] |
| cloud-init | Declare conflicts/replaces on versioned package introduced for bullseye |
| comitup | Ensure service is unmasked in post install |
| cpu | Provide exactly one definition of globalLdap in LDAP plugin |
| crmsh | Create log directory and file on installation |
| crowdsec-custom-bouncer | Rebuild to fix outdated Built-Using |
| crowdsec-firewall-bouncer | Rebuild against golang-github-google-nftables version with fixed little-endian architecture support |
| curl | Do not keep default protocols when deselected [CVE-2024-2004]; fix memory leak [CVE-2024-2398] |
| dar | Rebuild to fix outdated Built-Using |
| dcmtk | Clean up properly on purge |
| debian-installer | Increase Linux kernel ABI to 6.1.0-22; rebuild against proposed-updates |
| debian-installer-netboot-images | Rebuild against proposed-updates |
| debvm | debvm-create: do install login; bin/debvm-waitssh: make --timeout=N work; bin/debvm-run: allow being run in environments without TERM set; fix resolv.conf in stretch |
| dhcpcd5 | privsep: Allow zero length messages through; fix server not being restarted correctly during upgrades |
| distro-info-data | Declare intentions for bullseye/bookworm; fix past data; add Ubuntu 24.10 |
| djangorestframework | Reinstate missing static files |
| dm-writeboost | Fix build error with 6.9 kernel and backports |
| dns-root-data | Update root hints; update expired security information |
| dpdk | New upstream stable release |
| ebook-speaker | Support username over 8 characters when enumerating groups |
| emacs | Security fixes [CVE-2024-30202 CVE-2024-30203 CVE-2024-30204 CVE-2024-30205]; replace expired package-keyring.gpg with a current version |
| extrepo-data | Update repository information |
| flatpak | New upstream stable release |
| fpga-icestorm | Restore compatibility with yosys |
| freetype | Disable COLRv1 support, which was unintentionally enabled by upstream; fix function existence check when calling get_colr_glyph_paint() |
| galera-4 | New upstream bugfix release; update upstream release signing key; prevent date-related test failures |
| gdk-pixbuf | ANI: Reject files with multiple anih chunks [CVE-2022-48622]; ANI: Reject files with multiple INAM or IART chunks; ANI: Validate anih chunk size |
| glewlwyd | Fix potential buffer overflow during FIDO2 credential validation [CVE-2023-49208]; fix open redirection via redirect_uri [CVE-2024-25715] |
| glib2.0 | Fix a (rare) memory leak |
| glibc | Revert fix to always call destructors in reverse constructor order due to unforeseen application compatibility issues; fix a DTV corruption due to a reuse of a TLS module ID following dlclose with unused TLS |
| gnutls28 | Fix certtool crash when verifying a certificate chain with more than 16 certificates [CVE-2024-28835]; fix side-channel in the deterministic ECDSA [CVE-2024-28834]; fix a memory leak; fix two segfault issues |
| golang-github-containers-storage | Rebuild for outdated Built-Using |
| golang-github-google-nftables | Fix AddSet() function on little-endian architectures |
| golang-github-openshift-imagebuilder | Rebuild for outdated Built-Using |
| gosu | Rebuild for outdated Built-Using |
| gpaste | Fix conflict with older libpgpaste6 |
| gross | Fix stack-based buffer overflow [CVE-2023-52159] |
| hovercraft | Depend on python3-setuptools |
| icinga2 | Fix segmentation fault on ppc64el |
| igtf-policy-bundle | Address CAB Forum S/MIME policy change; apply accumulated updates to trust anchors |
| intel-microcode | Security mitigations [CVE-2023-22655 CVE-2023-28746 CVE-2023-38575 CVE-2023-39368 CVE-2023-43490]; mitigate for INTEL-SA-01051 [CVE-2023-45733], INTEL-SA-01052 [CVE-2023-46103], INTEL-SA-01036 [CVE-2023-45745, CVE-2023-47855] and unspecified functional issues on various Intel processors |
| jose | Fix potential denial-of-service issue [CVE-2023-50967] |
| json-smart | Fix excessive recursion leading to stack overflow [CVE-2023-1370]; fix denial of service via crafted request [CVE-2021-31684] |
| kio | Fix file loss and potential locking issues on CIFS |
| lacme | Fix post-issuance validation logic |
| libapache2-mod-auth-openidc | Fix mising input validation leading to DoS [CVE-2024-24814] |
| libesmtp | Break and replace older library versions |
| libimage-imlib2-perl | Fix package build |
| libjwt | Fix timing side channel attack [CVE-2024-25189] |
| libkf5ksieve | Prevent leaking passwords into server-side logs |
| libmail-dkim-perl | Add dependency on libgetopt-long-descriptive-perl |
| libpod | Handle removed containers properly |
| libreoffice | Fix backup copy creation for files on mounted samba shares; don't remove libforuilo.so in -core-nogui |
| libseccomp | Add support for syscalls up to Linux 6.7 |
| libtommath | Fix integer overflow [CVE-2023-36328] |
| libtool | Conflict with libltdl3-dev; fix check for += operator in func_append |
| libxml-stream-perl | Fix compatibility with IO::Socket::SSL >= 2.078 |
| linux | New upstream stable release; increase ABI to 22 |
| linux-signed-amd64 | New upstream stable release; increase ABI to 22 |
| linux-signed-arm64 | New upstream stable release; increase ABI to 22 |
| linux-signed-i386 | New upstream stable release; increase ABI to 22 |
| lua5.4 | debian/version-script: Export additional missing symbols for lua 5.4.4 |
| lxc-templates | Fix the mirroroption of lxc-debian |
| mailman3 | Depend alternatively on cron-daemon; fix postgresql:// url in post-installation script |
| mksh | Handle merged /usr in /etc/shells; fix crash with nested bashism; fix arguments to the dot command; distinguish unset and empty in `typeset -p` |
| mobian-keyring | Update Mobian archive key |
| ms-gsl | Mark not_null constructors as noexcept |
| nano | Fix format string issues; fix with --cutfromcursor, undoing a justification can eat a line; fix malicious symlink issue; fix example bindings in nanorc |
| netcfg | Handle routing for single-address netmasks |
| ngircd | Respect SSLConnectoption for incoming connections; server certificate validation on server links (S2S-TLS); METADATA: Fix unsetting cloakhost |
| node-babel7 | Fix building against nodejs 18.19.0+dfsg-6~deb12u1; add Breaks/Replaces against obsolete node-babel-* packages |
| node-undici | Properly export typescript types |
| node-v8-compile-cache | Fix tests when a newer nodejs version is used |
| node-zx | Fix flaky test |
| nodejs | Skip flaky tests for mipsel/mips64el |
| nsis | Don't allow unprivileged users to delete the uninstaller directory [CVE-2023-37378]; fix regression in disabling stub relocations; build reproducibly for arm64 |
| nvidia-graphics-drivers | Restore compatibility with newer Linux kernel builds; take over packages from nvidia-graphics-drivers-tesla; add new nvidia-suspend-common package; relax dh-dkms build-dependency for compatibility with bookworm; new upstream stable release [CVE-2023-0180 CVE-2023-0183 CVE-2023-0184 CVE-2023-0185 CVE-2023-0187 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199 CVE-2023-25515 CVE-2023-25516 CVE-2023-31022 CVE-2024-0074 CVE-2024-0075 CVE-2024-0078 CVE-2024-0090 CVE-2024-0092] |
| nvidia-graphics-drivers-tesla | Restore compatibility with newer Linux kernel builds |
| nvidia-graphics-drivers-tesla-470 | Restore compatibility with newer Linux kernel builds; stop building nvidia-cuda-mps; new upstream stable release; security fixes [CVE-2022-42265 CVE-2024-0074 CVE-2024-0078 CVE-2024-0090 CVE-2024-0092] |
| nvidia-modprobe | Prepare to switch to 535 series LTS drivers |
| nvidia-open-gpu-kernel-modules | Update to 535 series LTS drivers [CVE-2023-0180 CVE-2023-0183 CVE-2023-0184 CVE-2023-0185 CVE-2023-0187 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199 CVE-2023-25515 CVE-2023-25516 CVE-2023-31022 CVE-2024-0074 CVE-2024-0075 CVE-2024-0078 CVE-2024-0090 CVE-2024-0092] |
| nvidia-persistenced | Switch to 535 series LTS drivers; update list of supported drivers |
| nvidia-settings | Also build for ppc64el; new upstream LTS release |
| nvidia-xconfig | New upstream LTS release |
| openrc | Ignore non-executable scripts in /etc/init.d |
| openssl | New upstream stable release; fix excessive time taken issues [CVE-2023-5678 CVE-2023-6237], vector register corruption issue on PowerPC [CVE-2023-6129], PKCS12 Decoding crashes [CVE-2024-0727] |
| openvpn-dco-dkms | Build for Linux >= 6.5; install compat-include directory; fix refcount imbalance |
| orthanc-dicomweb | Rebuild to fix outdated Built-Using |
| orthanc-gdcm | Rebuild to fix outdated Built-Using |
| orthanc-mysql | Rebuild to fix outdated Built-Using |
| orthanc-neuro | Rebuild to fix outdated Built-Using |
| orthanc-postgresql | Rebuild to fix outdated Built-Using |
| orthanc-python | Rebuild to fix outdated Built-Using |
| orthanc-webviewer | Rebuild to fix outdated Built-Using |
| orthanc-wsi | Rebuild to fix outdated Built-Using |
| ovn | New upstream stable version; fix insufficient validation of incoming BFD packets [CVE-2024-2182] |
| pdudaemon | Depend on python3-aiohttp |
| php-composer-class-map-generator | Force system dependency loading |
| php-composer-pcre | Add missing Breaks+Replaces: on composer (<< 2.2) |
| php-composer-xdebug-handler | Force system dependency loading |
| php-doctrine-annotations | Force system dependency loading |
| php-doctrine-deprecations | Force system dependency loading |
| php-doctrine-lexer | Force system dependency loading |
| php-phpseclib | Guard isPrime() and randomPrime() for BigInteger [CVE-2024-27354]; limit OID length in ASN1 [CVE-2024-27355]; fix BigInteger getLength(); remove visibitility modifiers from static variables |
| php-phpseclib3 | Force system dependency loading; guard isPrime() and randomPrime() for BigInteger [CVE-2024-27354]; limit OID length in ASN1 [CVE-2024-27355]; fix BigInteger getLength() |
| php-proxy-manager | Force system dependency loading |
| php-symfony-contracts | Force system dependency loading |
| php-zend-code | Force system dependency loading |
| phpldapadmin | Fix compatbility with PHP 8.1+ |
| phpseclib | Force system dependency loading; guard isPrime() and randomPrime() for BigInteger [CVE-2024-27354]; limit OID length in ASN1 [CVE-2024-27355]; fix BigInteger getLength() |
| postfix | New upstream stable release |
| postgresql-15 | New upstream stable release; restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to the table owner [CVE-2024-4317] |
| prometheus-node-exporter-collectors | Do not adversely affect mirror network; fix deadlock with other apt update runs |
| pymongo | Fix out-of-bounds read issue [CVE-2024-5629] |
| pypy3 | Strip C0 control and space characters in urlsplit [CVE-2023-24329]; avoid bypass of TLS handshake protections on closed sockets [CVE-2023-40217]; tempfile.TemporaryDirectory: fix symlink bug in cleanup [CVE-2023-6597]; protect zipfile from quoted-overlapzipbomb [CVE-2024-0450] |
| python-aiosmtpd | Fix SMTP smuggling issue [CVE-2024-27305]; fix STARTTLS unencrypted command injection issue [CVE-2024-34083] |
| python-asdf | Remove unnecessary dependency on asdf-unit-schemas |
| python-channels-redis | Ensure pools are closed on loop close in core |
| python-idna | Fix denial of service issue [CVE-2024-3651] |
| python-jwcrypto | Fix denial of service issue [CVE-2024-28102] |
| python-xapian-haystack | Drop dependency on django.utils.six |
| python3.11 | Fix use-after-free crash when deallocating a frame object; protect zipfile from quoted-overlapzipbomb [CVE-2024-0450]; tempfile.TemporaryDirectory: fix symlink bug in cleanup [CVE-2023-6597]; fix os.path.normpath(): Path truncation at null bytes[CVE-2023-41105]; avoid bypass of TLS handshake protections on closed sockets [CVE-2023-40217]; strip C0 control and space characters in urlsplit [CVE-2023-24329]; avoid a potential null pointer dereference in filleutils |
| qemu | New upstream stable release; security fixes [CVE-2024-26327 CVE-2024-26328 CVE-2024-3446 CVE-2024-3447] |
| qtbase-opensource-src | Fix regression in patch for CVE-2023-24607; avoid using system CA certificates when not wanted [CVE-2023-34410]; fix buffer overflow [CVE-2023-37369]; fix infinite loop in XML recursive entity expansion [CVE-2023-38197]; fix buffer overflow with crafted KTX image file [CVE-2024-25580]; fix HPack integer overflow check [CVE-2023-51714] |
| rails | Declare breaks and replaces on obsolete ruby-arel package |
| riseup-vpn | Use system certificate bundle by default, restoring ability to connect to an endpoint using LetsEncrypt certificate |
| ruby-aws-partitions | Ensure binary package includes partitions.json and partitions-metadata.json files |
| ruby-premailer-rails | Remove build-dependency on obsolete ruby-arel |
| rust-cbindgen-web | New source package to support builds of newer Firefox ESR versions |
| rustc-web | New source package to support builds of web browsers |
| schleuder | Fix argument parsing insufficient validation; fix importing keys from attachments sent by Thunderbird and handle mails without further content; look for keywords only at the start of mail; validate downcased email addresses when checking subscribers; consider From header for finding reply addresses |
| sendmail | Fix SMTP smuggling issue [CVE-2023-51765] |
| skeema | Rebuild for outdated Built-Using |
| skopeo | Rebuild for outdated Built-Using |
| software-properties | software-properties-qt: Add Conflicts+Replaces: on software-properties-kde for smoother upgrades from bullseye |
| supermin | Rebuild to fix outdated Built-Using |
| symfony | Force system dependency loading; DateTypTest: ensure submitted year is accepted choice |
| systemd | New upstream stable release; fix denial of service issues [CVE-2023-50387 CVE-2023-50868]; libnss-myhostname.nss: Install after files; libnss-mymachines.nss: Install before resolveand dns |
| termshark | Rebuild to fix outdated Built-Using |
| tripwire | Rebuild to fix outdated Built-Using |
| tryton-client | Only send compressed content in authenticated sessions |
| tryton-server | Prevent zip-bombattacks from unauthenticated sources |
| u-boot | Fix orion-timer for booting sheevaplug and related platforms |
| uif | Support VLAN interface names |
| umoci | Rebuild for outdated Built-Using |
| user-mode-linux | Rebuilt to fix outdated Built-Using |
| wayfire | Add missing dependencies |
| what-is-python | Declare breaks and replaces on python-dev-is-python2; fix version mangling in build rules |
| wpa | Fix authentication bypass issue [CVE-2023-52160] |
| xscreensaver | Disable warning about old versions |
| yapet | Do not call EVP_CIPHER_CTX_set_key_length() in crypt/blowfish and crypt/aes |
| zsh | Rebuild to fix outdated Built-Using |
Säkerhetsuppdateringar
Denna revision lägger till följande säkerhetsuppdateringar till den stabila utgåvan. Säkerhetsgruppen har redan släppt bulletiner för alla dessa uppdateringar:
Borttagna paket
Följande paket har tagits bort på grund av omständigheter utom vår kontroll:
| Paket | Orsak |
|---|---|
| phppgadmin | Security issues; incompatible with bookworm's PostgreSQL version |
| pytest-salt-factories | Only needed for salt, which is not part of bookworm |
| ruby-arel | Obsolete, integrated into ruby-activerecord, incompatible with ruby-activerecord 6.1.x |
| spip | Incompatible with bookworm's PHP version |
| vasttrafik-cli | API withdrawn |
Debianinstalleraren
Installeraren har uppdaterats för att inkludera rättningarna som har inkluderats i den stabila utgåvan med denna punktutgåva.
URLer
Den fullständiga listan på paket som har förändrats i denna revision:
Den aktuella stabila utgåvan:
Föreslagna uppdateringar till den stabila utgåvan:
Information om den stabila utgåvan (versionsfakta, kända problem osv.):
Säkerhetsbulletiner och information:
Om Debian
Debianprojektet är en grupp utvecklare av Fri mjukvara som donerar sin tid och kraft för att producera det helt fria operativsystemet Debian.
Kontaktinformation
För ytterligare information, vänligen besök Debians webbplats på https://www.debian.org/, skicka e-post till <press@debian.org>, eller kontakta gruppen för stabila utgåvor på <debian-release@lists.debian.org>.