Uppdaterad Debian 12; 12.9 utgiven
11 januari 2025
Debianprojektet presenterar stolt sin nionde uppdatering till dess
stabila utgåva Debian 12 (med kodnamnet bookworm
).
Denna punktutgåva lägger huvudsakligen till rättningar för säkerhetsproblem,
tillsammans med ytterligare rättningar för allvarliga problem. Säkerhetsbulletiner
har redan publicerats separat och refereras när de finns tillgängliga.
Vänligen notera att punktutgåvan inte innebär en ny version av Debian
12 utan endast uppdaterar några av de inkluderade paketen. Det behövs
inte kastas bort gamla media av bookworm
. Efter installationen
kan paket uppgraderas till de aktuella versionerna genom att använda en uppdaterad
Debianspegling..
De som frekvent installerar uppdateringar från security.debian.org kommer inte att behöva uppdatera många paket, och de flesta av sådana uppdateringar finns inkluderade i punktutgåvan.
Nya installationsavbildningar kommer snart att finnas tillgängliga på de vanliga platserna.
En uppgradering av en existerande installation till denna revision kan utföras genom att peka pakethanteringssystemet på en av Debians många HTTP-speglingar. En utförlig lista på speglingar finns på:
Blandade felrättningar
Denna uppdatering av den stabila utgåvan lägger till några viktiga felrättningar till följande paket:
| Paket | Orsak |
|---|---|
| allow-html-temp | Update for Thunderbird 128 compatibility |
| ansible-core | New upstream stable release; fix arbitrary code execution issue [CVE-2024-11079]; fix information disclosure issue [CVE-2024-8775]; fix file overwrite issue [CVE-2024-9902]; fix test failure |
| audiofile | Fix null pointer dereference issue [CVE-2019-13147]; fix information leak issue [CVE-2022-24599] |
| avahi | Fix denial of service issues [CVE-2023-38469 CVE-2023-38470 CVE-2023-38471 CVE-2023-38472 CVE-2023-38473]; fix browsing when invalid services are present |
| base-files | Update for the point release |
| bochs | Build BIOS images for i386 CPUs |
| cpuinfo | Make test failures during build non-fatal |
| criu | Dynamically handle different libc at runtime than compilation time |
| debian-installer | Increase Linux kernel ABI to 6.1.0-29; rebuild against proposed-updates |
| debian-installer-netboot-images | Rebuild against proposed-updates |
| debian-security-support | Update list of packages receiving limited support in bookworm |
| debootstrap | Do not pull in usr-is-merged in trixie/sid |
| dnsmasq | Fix denial of service issues [CVE-2023-50387 CVE-2023-50868]; set default maximum EDNS.0 UDP packet size to 1232 [CVE-2023-28450] |
| eas4tbsync | Update for Thunderbird 128 compatibility |
| espeak-ng | Fix dropping last byte of stdin input |
| geoclue-2.0 | Use beaconDB rather than the now retired Mozilla Location Service |
| glib2.0 | Fix buffer overflow when configured to use a SOCKS4a proxy with a very long username [CVE-2024-52533] |
| gnuchess | Fix arbitrary code execution issue [CVE-2021-30184] |
| grml-rescueboot | Update supported architectures from amd64/i386 to arm64/amd64 |
| gsl | Fix buffer overflow calculating the quantile value [CVE-2020-35357] |
| gst-plugins-base1.0 | Don't try parsing extended header if not enough data is available (id3v2) [CVE-2024-47542] |
| gunicorn | Prevent HTTP request smuggling [CVE-2024-1135] |
| icinga2 | Prevent TLS certificate bypass [CVE-2024-49369] |
| intel-microcode | New upstream security release [CVE-2024-21853 CVE-2024-23918 CVE-2024-24968 CVE-2024-23984] |
| jinja2 | Prevent HTML attribute injection [CVE-2024-22195 CVE-2024-34064] |
| lemonldap-ng | Fix privilege escalation when adaptive auth levels used [CVE-2024-52946]; fix XSS in upgrade plugin [CVE-2024-52947] |
| libebml | Fix buffer overflow issue [CVE-2023-52339] |
| libpgjava | Fix SQL injection issue [CVE-2024-1597] |
| libsoup2.4 | Prevent HTTP request smuggling [CVE-2024-52530]; fix buffer overflow in soup_header_parse_param_list_strict [CVE-2024-52531]; fix DoS reading from WebSocket clients [CVE-2024-52532] |
| libxstream-java | Fix denial of service issue [CVE-2024-47072] |
| linux | New upstream release; bump ABI to 29 |
| linux-signed-amd64 | New upstream release; bump ABI to 29 |
| linux-signed-arm64 | New upstream release; bump ABI to 29 |
| linux-signed-i386 | New upstream release; bump ABI to 29 |
| live-boot | Attempt DHCP on all connected interfaces |
| llvm-toolchain-19 | New source package, to support builds of chromium |
| lxc | Fix null pointer dereference when using a shared rootfs |
| mailmindr | Update for Thunderbird 128 compatibility |
| nfs-utils | Fix referrals when --enable-junction=no |
| nvidia-graphics-drivers | New upstream stable release [CVE-2024-0126] |
| nvidia-open-gpu-kernel-modules | New upstream LTS release [CVE-2024-0126] |
| oar | Add missing dependency on libcgi-fast-perl; fix oar user creation on new installations; fix SVG functions with PHP 8 |
| opensc | Fix data leak issue [CVE-2023-5992]; fix use-after-free issue [CVE-2024-1454]; fix missing initialisation issue [CVE-2024-45615]; fix various issues with APDU buffer handling [CVE-2024-45616]; fix missing or incorrect function return value checks [CVE-2024-45617 CVE-2024-45618]; fix incorrect handling of length of buffers or filesissues [CVE-2024-45619 CVE-2024-45620]; fix arbitary code execution issue [CVE-2024-8443] |
| openssh | Always use internal mkdtemp implementation; fix gssapi-keyex declaration; add ssh-gssapi automated test; don't prefer host-bound public key signatures if there was no initial host key; make sntrup761x25519-sha512 key exchange algorithm available without the @openssh.com suffix too |
| pgtcl | Install library in default Tcl auto_path |
| poco | Fix integer overflow issue [CVE-2023-52389] |
| prometheus-node-exporter-collectors | Reinstate missing `apt_package_cache_timestamp_andras` metrics; fix apt_upgrades_pending and apt_upgrades_held metrics; improve heuristic for apt update last run time |
| pypy3 | Fix email address parsing issue [CVE-2023-27043]; fix possible Server Side Request Forgery issue [CVE-2024-11168]; fix private IP address range parsing [CVE-2024-4032]; fix regular expression based Denial of Service issue [CVE-2024-6232]; fix header injection issue [CVE-2024-6923]; fix denial of service issue [CVE-2024-7592 CVE-2024-8088]; fix command injection issue [CVE-2024-9287] |
| python-asyncssh | Fix rogue extension negotiationissue [CVE-2023-46445]; fix rogue session attackissue [CVE-2023-46446] |
| python-tornado | Fix open redirect issue [CVE-2023-28370]; fix denial of service issue [CVE-2024-52804] |
| python-urllib3 | Fix possible information leak during cross-origin redirects [CVE-2023-43804]; fix request body not stripped after redirect from 303 status changes request method to GET[CVE-2023-45803]; fix Proxy-Authorization request header isn't stripped during cross-origin redirects[CVE-2024-37891] |
| python-werkzeug | Fix denial of service when file upload begins with CR or LF [CVE-2023-46136]; fix arbitrary code execution on developer's machine via the debugger [CVE-2024-34069]; fix denial of service when processing multipart/form-data requests [CVE-2024-49767] |
| python3.11 | Reject malformed addresses in email.parseaddr() [CVE-2023-27043]; encode newlines in headers in the email module [CVE-2024-6923]; fix quadratic complexity parsing cookies with backslashes [CVE-2024-7592]; fix venv activation scripts failure to quote paths [CVE-2024-9287]; fix improper validation of bracketed hosts in urllib functions [CVE-2024-11168] |
| qemu | New upstream bugfix release [CVE-2024-7409]; mark internal codegen helper symbols as hidden, fixing build failure on arm64 |
| quicktext | Update for Thunderbird 128 compatibility |
| redis | Fix denial of service with malformed ACL selectors [CVE-2024-31227]; fix denial of service through unbound pattern matching [CVE-2024-31228]; fix stack overflow [CVE-202431449] |
| renderdoc | Fix integer overflows [CVE-2023-33863 CVE-2023-33864]; fix symlink attack vector [CVE-2023-33865] |
| ruby-doorkeeper | Prevent skipping of authorization steps [CVE-2023-34246] |
| setuptools | Fix remote code execution issue [CVE-2024-6345] |
| sqlparse | Fix regular expression-related denial of service issue [CVE-2023-30608]; fix denial of service issue [CVE-2024-4340] |
| srt | Fix dependencies for consumers of the -dev packages |
| systemd | New upstream stable release |
| tango | Make the property_* tables compatible with MariaDB 10.11 at install time; add autopkgtest |
| tbsync | Update for Thunderbird 128 compatibility |
| texlive-bin | Fix data loss when using discretionaries with priorities; fix heap buffer overflow [CVE-2024-25262] |
| tiff | Fix buffer overflow issues [CVE-2023-25433 CVE-2023-26966]; fix use-after-free issue [CVE-2023-26965]; fix null pointer dereference issue [CVE-2023-2908]; fix denial of service issues [CVE-2023-3618 CVE-2023-52356 CVE-2024-7006] |
| tzdata | New upstream release: improve historical data for some zones; confirm lack of leap andra for 2024 |
| ucf | Initialise variable subsequently passed to eval |
| util-linux | Fix wider mitigation for CVE-2024-28085 |
| xsane | Add Recommends for firefox-esr as well as firefox |
| zfs-linux | Add missing symbols in libzfs4linux and libzpool5linux; fix dnode dirty test [CVE-2023-49298]; fix sharenfs IPv6 address parsing [CVE-2013-20001]; fixes related to NULL pointer, memory allocation, etc. |
| zookeeper | Fix information disclosure in persistent watchers handling [CVE-2024-23944] |
Säkerhetsuppdateringar
Denna revision lägger till följande säkerhetsuppdateringar till den stabila utgåvan. Säkerhetsgruppen har redan släppt bulletiner för alla dessa uppdateringar:
Borttagna paket
Följande paket har tagits bort på grund av omständigheter utom vår kontroll:
| Paket | Orsak |
|---|---|
| criu | [armhf] Misslyckas att byggas på arma64-värd |
| tk-html3 | Inte underhållen; säkerhetsproblem |
Debianinstalleraren
Installeraren har uppdaterats för att inkludera rättningarna som har inkluderats i den stabila utgåvan med denna punktutgåva.
URLer
Den fullständiga listan på paket som har förändrats i denna revision:
Den aktuella stabila utgåvan:
Föreslagna uppdateringar till den stabila utgåvan:
Information om den stabila utgåvan (versionsfakta, kända problem osv.):
Säkerhetsbulletiner och information:
Om Debian
Debianprojektet är en grupp utvecklare av Fri mjukvara som donerar sin tid och kraft för att producera det helt fria operativsystemet Debian.
Kontaktinformation
För ytterligare information, vänligen besök Debians webbplats på https://www.debian.org/, skicka e-post till <press@debian.org>, eller kontakta gruppen för stabila utgåvor på <debian-release@lists.debian.org>.