Uppdaterad Debian 11; 11.10 utgiven

29 juni 2024

Debianprojektet presenterar stolt sin tionde uppdatering till dess gamla stabila utgåva Debian 11 (med kodnamnet bullseye). Denna punktutgåva lägger huvudsakligen till rättningar för säkerhetsproblem, tillsammans med ytterligare rättningar för allvarliga problem. Säkerhetsbulletiner har redan publicerats separat och refereras när de finns tillgängliga.

Vänligen notera att punktutgåvan inte innebär en ny version av Debian 11 utan endast uppdaterar några av de inkluderade paketen. Det behövs inte kastas bort gamla media av bullseye. Efter installationen kan paket uppgraderas till de aktuella versionerna genom att använda en uppdaterad Debianspegling..

De som frekvent installerar uppdateringar från security.debian.org kommer inte att behöva uppdatera många paket, och de flesta av sådana uppdateringar finns inkluderade i punktutgåvan.

Nya installationsavbildningar kommer snart att finnas tillgängliga på de vanliga platserna.

En uppgradering av en existerande installation till denna revision kan utföras genom att peka pakethanteringssystemet på en av Debians många HTTP-speglingar. En utförlig lista på speglingar finns på:

https://www.debian.org/mirror/list

Blandade felrättningar

Denna uppdatering av den gamla stabila utgåvan lägger till några viktiga felrättningar till följande paket:

Paket Orsak
allegro5 Fix buffer overflow issues [CVE-2021-36489]
amavisd-new Handle multiple boundary parameters that contain conflicting values [CVE-2024-28054]
bart Fix build test failures by relaxing a floating-point comparison
bart-cuda Fix build test failures by relaxing a floating-point comparison
base-files Update for the point release
cloud-init-22.4.2 Introduce later-versioned replacement for cloud-init package
cpu Provide exactly one definition of globalLdap in ldap plugin
curl Fix memory leak when HTTP/2 server push is aborted [CVE-2024-2398]
debian-installer Increase Linux kernel ABI to 5.10.0-30; rebuild against proposed-updates
debian-installer-netboot-images Rebuild against proposed-updates
debsig-verify Rebuild for outdated Built-Using
deets Rebuild for outdated Built-Using
distro-info-data Declare intentions for bullseye/bookworm; fix past data; add Ubuntu 24.10
django-mailman3 Scrub messages before archiving
dns-root-data Update root hints; update expired security information
emacs Protect against unsafe remote resources [CVE-2024-30203 CVE-2024-30204 CVE-2024-30205]; fix memory leak in patch for CVE-2022-48337
galera-4 New upstream bugfix release; update upstream release signing key; prevent date-related test failures
gdk-pixbuf ANI: Reject files with multiple anih chunks [CVE-2022-48622]; ANI: Reject files with multiple INAM or IART chunks; ANI: Validate anih chunk size
glib2.0 Fix a (rare) memory leak
gnutls28 Fix assertion failure verifying a certificate chain with a cycle of cross signatures [CVE-2024-0567]; fix timing side-channel attack inside RSA-PSK key exchange [CVE-2024-0553]
gross Fix stack-based buffer overflow [CVE-2023-52159]
hovercraft Depend on python3-setuptools
imlib2 Fix heap-buffer overflow vulnerability when using the tgaflip function in loader_tga.c [CVE-2024-25447 CVE-2024-25448 CVE-2024-25450]
intel-microcode Fixes for INTEL-SA-INTEL-SA-00972 [CVE-2023-39368], INTEL-SA-INTEL-SA-00982 [CVE-2023-38575], INTEL-SA-INTEL-SA-00898 [CVE-2023-28746], INTEL-SA-INTEL-SA-00960 [CVE-2023-22655] and INTEL-SA-INTEL-SA-01045 [CVE-2023-43490]; mitigate for INTEL-SA-01051 [CVE-2023-45733], INTEL-SA-01052 [CVE-2023-46103], INTEL-SA-01036 [CVE-2023-45745, CVE-2023-47855] and unspecified functional issues on various Intel processors
jose Fix potential denial-of-service issue [CVE-2023-50967]
json-smart Fix excessive recursion leading to stack overflow [CVE-2023-1370]; fix denial of service via crafted request [CVE-2021-31684]
lacme Fix post-issuance validation logic
libapache2-mod-auth-openidc Fix missing input validation leading to DoS [CVE-2024-24814]
libjwt Fix a timing side channel via strcmp() [CVE-2024-25189]
libkf5ksieve Prevent leaking passwords into server-side logs
libmicrohttpd Fix out of bounds read with crafted POST requests [CVE-2023-27371]
libssh2 Fix out of bounds memory check in _libssh2_packet_add [CVE-2020-22218]
links2 Rebuild for outdated Built-Using
nano Fix malicious symlink issue [CVE-2024-5742]
ngircd Respect SSLConnect option for incoming connections; server certificate validation on server links (S2S-TLS); METADATA: Fix unsetting cloakhost
nvidia-graphics-drivers End support for Tesla 450 drivers; build libnvidia-fbc1 for arm64; upstream security fixes [CVE-2022-42265 CVE-2024-0074 CVE-2024-0078]; new upstream stable release; security fixes [CVE-2024-0090 CVE-2024-0092]; fix build on ppc64el
nvidia-graphics-drivers-tesla-450 Convert to transitional packages
nvidia-graphics-drivers-tesla-470 New upstream LTS release [CVE-2024-0074 CVE-2024-0078 CVE-2022-42265 CVE-2024-0090 CVE-2024-0092]; fix build on ppc64el
nvidia-settings New upstream bugfix release; build for ppc64el
org-mode Protect against unsafe remote resources [CVE-2024-30203 CVE-2024-30204 CVE-2024-30205]
php-composer-xdebug-handler Force system dependency loading
php-doctrine-annotations Force system dependency loading
php-phpseclib Force system dependency loading; guard isPrime() and randomPrime() for BigInteger [CVE-2024-27354]; limit OID length in ASN1 [CVE-2024-27355]; fix BigInteger getLength()
php-proxy-manager Force system dependency loading
php-symfony-contracts Force system dependency loading
php-zend-code Force system dependency loading
phpseclib Force system dependency loading; guard isPrime() and randomPrime() for BigInteger [CVE-2024-27354]; limit OID length in ASN1 [CVE-2024-27355]; fix BigInteger getLength()
postfix Upstream bugfix release
postgresql-13 New upstream stable release
pypdf2 Fix quadratic runtime with malformed PDF missing xref marker [CVE-2023-36810]; fix infinite loop with crafted input [CVE-2022-24859]
python-aiosmtpd Fix SMTP smuggling issue [CVE-2024-27305]; fix STARTTLS unencrypted command injection issue [CVE-2024-34083]
python-dnslib Validate transaction ID in client.py
python-idna Fix denial of service issue [CVE-2024-3651]
python-stdnum Fix FTBFS when test date is not far enough in the future
qtbase-opensource-src Security fixes [CVE-2022-25255 CVE-2023-24607 CVE-2023-32762 CVE-2023-32763 CVE-2023-33285 CVE-2023-34410 CVE-2023-37369 CVE-2023-38197 CVE-2023-51714 CVE-2024-25580]
reportbug Fix suite name to codename mappings to reflect the bookworm release
rust-cbindgen-web New source package to support builds of newer Firefox ESR versions
rustc-web Support firefox-esr and thunderbird in bullseye for LTS
sendmail Fix SMTP smuggling issue [CVE-2023-51765]; add forgotten configuration for rejecting NUL by default
symfony Force system dependency loading; DateTypeTest: ensure submitted year is accepted choice
systemd Meson: drop arch filtering in syscall list; unset TZ before timezone-sensitive unit tests are run
wpa Fix authentication bypass issue [CVE-2023-52160]

Säkerhetsuppdateringar

Denna revision lägger till följande säkerhetsuppdateringar till den gamla stabila utgåvan. Säkerhetsgruppen har redan släppt bulletiner för alla dessa uppdateringar:

Bulletin-ID Paket
DSA-5146 puma
DSA-5360 emacs
DSA-5575 webkit2gtk
DSA-5580 webkit2gtk
DSA-5596 asterisk
DSA-5616 ruby-sanitize
DSA-5618 webkit2gtk
DSA-5619 libgit2
DSA-5620 unbound
DSA-5621 bind9
DSA-5622 postgresql-13
DSA-5624 edk2
DSA-5625 engrampa
DSA-5627 firefox-esr
DSA-5628 imagemagick
DSA-5630 thunderbird
DSA-5631 iwd
DSA-5632 composer
DSA-5635 yard
DSA-5637 squid
DSA-5638 libuv1
DSA-5640 openvswitch
DSA-5641 fontforge
DSA-5643 firefox-esr
DSA-5644 thunderbird
DSA-5645 firefox-esr
DSA-5646 cacti
DSA-5647 samba
DSA-5650 util-linux
DSA-5651 mediawiki
DSA-5652 py7zr
DSA-5653 gtkwave
DSA-5657 xorg-server
DSA-5659 trafficserver
DSA-5660 php7.4
DSA-5662 apache2
DSA-5663 firefox-esr
DSA-5664 jetty9
DSA-5666 flatpak
DSA-5667 tomcat9
DSA-5669 guix
DSA-5670 thunderbird
DSA-5671 openjdk-11
DSA-5672 openjdk-17
DSA-5673 glibc
DSA-5678 glibc
DSA-5679 less
DSA-5681 linux-signed-amd64
DSA-5681 linux-signed-arm64
DSA-5681 linux-signed-i386
DSA-5681 linux
DSA-5682 glib2.0
DSA-5682 gnome-shell
DSA-5684 webkit2gtk
DSA-5685 wordpress
DSA-5686 dav1d
DSA-5688 atril
DSA-5690 libreoffice
DSA-5691 firefox-esr
DSA-5692 ghostscript
DSA-5693 thunderbird
DSA-5695 webkit2gtk
DSA-5698 ruby-rack
DSA-5700 python-pymysql
DSA-5702 gst-plugins-base1.0
DSA-5703 linux-signed-amd64
DSA-5703 linux-signed-arm64
DSA-5703 linux-signed-i386
DSA-5703 linux
DSA-5704 pillow
DSA-5707 vlc
DSA-5709 firefox-esr
DSA-5711 thunderbird
DSA-5713 libndp
DSA-5714 roundcube
DSA-5715 composer

Borttagna paket

Följande paket har tagits bort på grund av omständigheter utom vår kontroll:

Paket Orsak
phppgadmin Security issues
pytest-salt-factories Only needed for to-be-removed salt
pytest-testinfra Only needed for to-be-removed salt
salt Unsupportable, unmaintained
snort Security concerns, unmaintained

Debianinstalleraren

Installeraren har uppdaterats för att inkludera rättningarna som har inkluderats i den gamla stabila utgåvan med denna punktutgåva.

URLer

Den fullständiga listan på paket som har förändrats i denna revision:

https://deb.debian.org/debian/dists/bullseye/ChangeLog

Den aktuella gamla stabila utgåvan:

https://deb.debian.org/debian/dists/oldstable/

Föreslagna uppdateringar till den gamla stabila utgåvan:

https://deb.debian.org/debian/dists/oldstable-proposed-updates

Information om den gamla stabila utgåvan (versionsfakta, kända problem osv.):

https://www.debian.org/releases/oldstable/

Säkerhetsbulletiner och information:

https://www.debian.org/security/

Om Debian

Debianprojektet är en grupp utvecklare av Fri mjukvara som donerar sin tid och kraft för att producera det helt fria operativsystemet Debian.

Kontaktinformation

För ytterligare information, vänligen besök Debians webbplats på https://www.debian.org/, skicka e-post till <press@debian.org>, eller kontakta gruppen för stabila utgåvor på <debian-release@lists.debian.org>.