Table of Contents
Sometimes, changes introduced in a new release have side-effects we cannot reasonably avoid, or they expose bugs somewhere else. This section documents issues we are aware of. Please also read the errata, the relevant packages' documentation, bug reports, and other information mentioned in Section 6.1, “Further reading”.
This section covers items related to the upgrade from buster to bullseye.
For Intel GPUs available with Broadwell and newer, the Video Acceleration
API (VA-API) implementation now defaults to
intel-media-va-driver
for hardware
accelerated video decoding. Systems which have
va-driver-all
installed will
automatically be upgraded to the new driver.
The legacy driver package i965-va-driver
is still available and offers support up to the Cannon Lake micro
architecture. To prefer the legacy driver over the new default one, set
the environment variable LIBVA_DRIVER_NAME
to
i965
, for instance by setting the variable in
/etc/environment
. For more information, please see
the Wiki's page on
hardware
video acceleration.
Support for the barrier
and
nobarrier
mount options has been removed from
the XFS file system. It is recommended to check
/etc/fstab
for the presence of either
keyword and remove it. Partitions using these options will fail
to mount.
For bullseye, the security suite is now named
bullseye-security
instead of
and users should adapt their APT source-list files accordingly
when upgrading.
codename
/updates
The security line in your APT configuration may look like:
deb https://deb.debian.org/debian-security bullseye-security main contrib
If your APT configuration also involves pinning or
APT::Default-Release
, it is likely to
require adjustments as the codename of the security archive no
longer matches that of the regular archive. An example of a
working APT::Default-Release
line for
bullseye looks like:
APT::Default-Release "/^bullseye(|-security|-updates)$/";
which takes advantage of APT's support for regular expressions
(inside /
).
The default password hash for local system accounts has been changed from SHA-512 to yescrypt (see crypt(5)). This is expected to provide improved security against dictionary-based password guessing attacks, in terms of both the space and time complexity of the attack.
To take advantage of this improved security, change local passwords; for example use the passwd command.
Old passwords will continue to work using whatever password hash was used to create them.
Yescrypt is not supported by Debian 10 (buster). As a result,
shadow password files (/etc/shadow
) cannot be
copied from a bullseye system back to a buster system. If these
files are copied, passwords that have been changed on the bullseye
system will not work on the buster system. Similarly, password
hashes cannot be cut&pasted from a bullseye to a buster system.
If compatibility is required for password hashes between bullseye
and buster, modify
/etc/pam.d/common-password
. Find the line
that looks like:
password [success=1 default=ignore] pam_unix.so obscure yescrypt
and replace yescrypt
with sha512
.
NSS NIS and NIS+ support
has been moved to separate packages called libnss-nis
and libnss-nisplus
. Unfortunately,
glibc
can't depend on
those packages, so they are now only recommended.
On systems using NIS or NIS+, it is therefore recommended to check that those packages are correctly installed after the upgrade.
The DNS resolver unbound
has changed the way it handles configuration file fragments. If
you are relying on an include:
directive to
merge several fragments into a valid configuration, you should
read the
NEWS file.
The rsync
parameter
--noatime
has been renamed
--open-noatime
. The old form is no longer
supported; if you are using it you should see the
NEWS file. Transfer processes between systems running different
Debian releases may require the buster side to be upgraded to a version
of rsync
from the backports
repository. The version of rsync
in the initial release of
bullseye also deprecated --copy-devices
in
favor of --write-devices
, but version
3.2.3-4+deb11u1 (included in bullseye point release 11.1)
reverts this deprecation and supports both options.
The addons for vim
historically provided by vim-scripts
are now managed by Vim's
native “package” functionality rather than by
vim-addon-manager
. Vim
users should prepare before upgrading by following the
instructions in the
NEWS file.
OpenStack Victoria (released in bullseye) requires cgroup v1 for
block device QoS. Since bullseye also changes to using cgroupv2
by default (see Section 2.2.4, “Control groups v2”), the sysfs tree in
/sys/fs/cgroup
will not include cgroup v1
features such as /sys/fs/cgroup/blkio
, and
as a result cgcreate -g blkio:foo will
fail. For OpenStack nodes running nova-compute
or cinder-volume
, it is strongly
advised to add the parameters
systemd.unified_cgroup_hierarchy=false
and
systemd.legacy_systemd_cgroup_controller=false
to the kernel command line in order to override the default and
restore the old cgroup hierarchy.
Following upstream's recommendations, OpenStack Victoria as
released in bullseye switches the OpenStack API to use the new
YAML format. As a result, most OpenStack services, including
Nova, Glance, and Keystone, appear broken with all of the API
policies written explicitly in the policy.json
files. Therefore, packages now come with a folder
/etc/PROJECT/policy.d
containing a file 00_default_policy.yaml
,
with all of the policies commented out by default.
To avoid the old policy.json
file staying
active, the Debian OpenStack packages now rename that file as
disabled.policy.json.old
. In some cases
where nothing better could be done in time for the release the
policy.json
is even simply deleted. So
before upgrading, it is strongly advised to back up the
policy.json
files of your deployments.
More details are available in the upstream documentation.
In contrast to normal upgrades of sendmail
, during the upgrade of
buster to bullseye the sendmail service will be stopped, causing
more downtime than usual. For generic advice on reducing
downtime see Section 4.1.3, “Prepare for downtime on services”.
Some packages including gvfs-fuse
,
kio-fuse
, and
sshfs
have switched to FUSE 3.
During upgrades, this will cause fuse3
to be installed and fuse
to be removed.
In some exceptional circumstances, e.g., when performing the upgrade by
only running apt-get dist-upgrade instead of the
recommended upgrade steps from Chapter 4, Upgrades from Debian 10 (buster), packages
depending on fuse3
might be
kept back during upgrades. Running the steps discussed in Section 4.4.5, “Upgrading the system” again with bullseye's
apt
or upgrading them manually will resolve the situation.
Starting with version 2.2.27-1, per-user configuration of the
GnuPG
suite has completely moved to
~/.gnupg/gpg.conf
, and
~/.gnupg/options
is no longer in use.
Please rename the file if necessary, or move its contents to
the new location.
From Linux
5.10, all users are allowed to
create user namespaces by default. This will allow programs
such as web browsers and container managers to create more
restricted sandboxes for untrusted or less-trusted code,
without the need to run as root or to use a setuid-root
helper.
The previous Debian default was to restrict this feature to processes running as root, because it exposed more security issues in the kernel. However, as the implementation of this feature has matured, we are now confident that the risk of enabling it is outweighed by the security benefits it provides.
If you prefer to keep this feature restricted, set the sysctl:
user.max_user_namespaces = 0
Note that various desktop and container features will not work
with this restriction in place, including web browsers,
WebKitGTK
, Flatpak
and
GNOME
thumbnailing.
The Debian-specific sysctl
kernel.unprivileged_userns_clone=0
has a similar effect, but is deprecated.
From Linux
5.10, Debian disables unprivileged
calls to bpf() by default. However, an admin can still change this
setting later on, if needed, by writing 0 or 1 to the
kernel.unprivileged_bpf_disabled
sysctl.
If you prefer to keep unprivileged calls to bpf() enabled, set the sysctl:
kernel.unprivileged_bpf_disabled = 0
For background on the change as default in Debian see bug 990411 for the change request.
The package redmine
is
not provided in bullseye, as it was too late migrating over
from the old version of rails
which is at the end of
upstream support (receiving fixes for severe security bugs
only) to the version which is in bullseye. The Ruby
Extras
Maintainers are following upstream closely
and will be releasing a version via backports
as soon as it is released and they have working packages. If
you can't wait for this to happen before upgrading, you can
use a VM or container running buster to isolate this specific
application.
Please consider the version of Exim in bullseye a
major Exim upgrade. It introduces the
concept of tainted data read from untrusted sources, like e.g.
message sender or recipient. This tainted data (e.g.
$local_part
or $domain
)
cannot be used among other things as a file or directory name or
command name.
This will break configurations which are not updated accordingly. Old Debian Exim configuration files also will not work unmodified; the new configuration needs to be installed with local modifications merged in.
Typical nonworking examples include:
Delivery to /var/mail/$local_part
. Use
$local_part_data
in combination with
check_local_user
.
Using
data = ${lookup{$local_part}lsearch{/some/path/$domain/aliases}}
instead of
data = ${lookup{$local_part}lsearch{/some/path/$domain_data/aliases}}
for a virtual domain alias file.
The basic strategy for dealing with this change is to use the result of a lookup in further processing instead of the original (remote provided) value.
To ease upgrading there is a new main configuration option to temporarily downgrade taint errors to warnings, letting the old configuration work with the newer Exim. To make use of this feature add
.ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA allow_insecure_tainted_data = yes .endif
to the Exim configuration (e.g. to
/etc/exim4/exim4.conf.localmacros
)
before upgrading and check the logfile for
taint warnings. This is a temporary workaround which is already
marked for removal on introduction.
Due to changes in the Linux kernel, the probing of SCSI devices
is no longer deterministic. This could be an issue for
installations that rely on the disk probing order. Two possible
alternatives using links in
/dev/disk/by-path
or a udev
rule are suggested in this
mailing list post.
The network protocol of versions 1 and 2 of rdiff-backup
are incompatible. This
means that you must be running the same version (either 1 or 2)
of rdiff-backup
locally
and remotely. Since buster ships version 1.2.8 and bullseye
ships version 2.0.5, upgrading only the local system or only the
remote system from buster to bullseye will break rdiff-backup
runs between the two.
Version 2.0.5 of rdiff-backup
is available in the
buster-backports archive, see backports. This
enables users to first upgrade only the rdiff-backup
package on their buster
systems, and then independently upgrade systems to bullseye at
their convenience.
The intel-microcode
package
currently in bullseye and buster-security (see DSA-4934-1)
is known to contain two significant bugs. For some CoffeeLake CPUs this
update may
break network interfaces that use firmware-iwlwifi
, and for some Skylake
R0/D0 CPUs on systems using a very outdated firmware/BIOS, the
system may hang on boot.
If you held back the update from DSA-4934-1 due to either of these
issues, or do not have the security archive enabled, be aware that
upgrading to the intel-microcode
package in bullseye may
cause your system to hang on boot or break iwlwifi. In that case, you
can recover by disabling microcode loading on boot; see the
instructions in the DSA, which are also in the intel-microcode
README.Debian
.
Packages that depend on libgc1c2
in buster (e.g. guile-2.2-libs
) may be held back
during the first full upgrade run to bullseye. Doing a second
upgrade normally solves the issue. The background of the issue
can be found in bug
#988963.
The fail2ban
package can
be configured to send out e-mail notifications. It does that
using mail, which is provided by multiple
packages in Debian. A security update (needed on systems that
use mail from mailutils
) just before the release
of bullseye broke this functionality for systems that have
mail provided by bsd-mailx
. Users of
fail2ban
in combination with
bsd-mailx
who wish
fail2ban
to send out e-mail should
either switch to a different provider for
mail or manually unapply the
upstream commit (which inserted the string "-E
'set escape'
" in multiple places under
/etc/fail2ban/action.d/
).
Although existing Secure Shell (SSH) connections should continue to
work through the upgrade as usual, due to unfortunate circumstances
the period when new SSH connections cannot be established is longer
than usual. If the upgrade is being carried out over an SSH
connection which might be interrupted, it's recommended to upgrade
openssh-server
before
upgrading the full system.
The openvswitch
upgrade
may fail to recover bridges after boot. The workaround is:
sed -i s/^allow-ovs/auto/ /etc/network/interfaces
For more info, see bug #989720.
There are some packages where Debian cannot promise to provide minimal backports for security issues. These are covered in the following subsections.
Note | |
---|---|
The package |
Debian 11 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and partial lack of upstream support in the form of long term branches make it very difficult to support these browsers and engines with backported security fixes. Additionally, library interdependencies make it extremely difficult to update to newer upstream releases. Therefore, browsers built upon e.g. the webkit and khtml engines[6] are included in bullseye, but not covered by security support. These browsers should not be used against untrusted websites. The webkit2gtk and wpewebkit engines are covered by security support.
For general web browser use we recommend Firefox or Chromium. They will be kept up-to-date by rebuilding the current ESR releases for stable. The same strategy will be applied for Thunderbird.
Debian bullseye comes with an early access version of
OpenJDK 17
(the next expected
OpenJDK LTS
version after OpenJDK
11
), to avoid the rather tedious bootstrap
process. The plan is for OpenJDK 17
to
receive an update in bullseye to the final upstream release
announced for October 2021, followed by security updates on a
best effort basis, but users should not expect to see updates
for every quarterly upstream security update.
The Debian infrastructure currently has problems with rebuilding packages of types that systematically use static linking. Before buster this wasn't a problem in practice, but with the growth of the Go ecosystem it means that Go-based packages will be covered by limited security support until the infrastructure is improved to deal with them maintainably.
If updates are warranted for Go development libraries, they can only come via regular point releases, which may be slow in arriving.
Without a pointing device, there is no direct way to change settings in
the GNOME Settings app provided by gnome-control-center
. As a work-around, you
can navigate from the sidebar to the main content by pressing the
Right Arrow twice. To get back to the sidebar, you can
start a search with Ctrl+F, type
something, then hit Esc to cancel the search. Now you
can use the Up Arrow and Down Arrow to
navigate the sidebar. It is not possible to select search results with
the keyboard.
With the implementation of sulogin
used since
buster, booting with the rescue
option always
requires the root password. If one has not been set, this makes
the rescue mode effectively unusable. However it is still
possible to boot using the kernel parameter
init=/sbin/sulogin --force
To configure systemd to do the equivalent of this whenever it boots into rescue mode (also known as single mode: see systemd(1)), run sudo systemctl edit rescue.service and create a file saying just:
[Service] Environment=SYSTEMD_SULOGIN_FORCE=1
It might also (or instead) be useful to do this for the
emergency.service
unit, which is started
automatically in the case of certain errors
(see systemd.special(7)),
or if emergency
is added to the kernel
command line (e.g. if the system can't be recovered by using the
rescue mode).
For background and a discussion on the security implications see #802211.
The Linux kernel (from version 5.9) no longer supports 32-bit
xen
virtual machines
using PV
mode. Such virtual machines need to be converted to
the 64-bit PC architecture.
You can check which mode a Xen guest is running (inside the virtual machine):
$ cat /sys/hypervisor/guest_type PV
Virtual machines that return, for example, PVH
or
HVM
are not affected.
The following is a list of known and noteworthy obsolete packages (see Section 4.8, “Obsolete packages” for a description).
The list of obsolete packages includes:
The lilo
package
has been removed from bullseye. The successor of lilo as
boot loader is grub2
.
The Mailman mailing list manager suite version 3 is the only available
version of Mailman in this release. Mailman has been split up into
various components; the core is available in the package mailman3
and the full suite can be
obtained via the mailman3-full
metapackage.
The legacy Mailman version 2.1 is no longer available (this used to be
the package mailman
). This branch
depends on Python 2 which is no longer available in Debian.
For upgrading instructions, please see the project's migration documentation.
The Linux kernel no longer provides
isdn4linux
(i4l) support.
Consequently, the related userland packages isdnutils
, isdnactivecards
, drdsl
and ibod
have been removed from
the archives.
The deprecated libappindicator libraries are no longer
provided. As a result, the related packages libappindicator1
, libappindicator3-1
and
libappindicator-dev
are no
longer available. This is expected to cause dependency
errors for third-party software that still depends on
libappindicator to provide system tray and indicator
support.
Debian is using libayatana-appindicator
as the
successor of libappindicator. For technical background see
this
announcement.
Debian no longer provides chef
. If you use Chef for configuration
management, the best upgrade path is probably to switch to using
the packages provided by Chef
Inc.
For background on the removal, see the removal request.
Python 2 is already beyond its End Of Life, and will receive
no security updates. It is not supported for running
applications, and packages relying on it have either been
switched to Python 3 or removed. However, Debian bullseye
does still include a version of Python 2.7, as well as a
small number of Python 2 build tools such as python-setuptools
. These are
present only because they are required for a few application
build processes that have not yet been converted to Python
3.
The aufs-dkms
package is not part of bullseye. Most aufs-dkms
users should be
able to switch to overlayfs
, which
provides similar functionality with kernel
support. However, it's possible to have a Debian
installation on a filesystem that is not compatible with
overlayfs
,
e.g. xfs
without
d_type
. Users of aufs-dkms
are advised to
migrate away from aufs-dkms
before upgrading
to bullseye.
The network connection manager wicd
will no longer be
available after the upgrade, so to avoid the danger of
losing connectivity users are recommended to switch
before the upgrade to an alternative such as network-manager
or
connman
.
With the next release of Debian 12 (codenamed bookworm) some features will be deprecated. Users will need to migrate to other alternatives to prevent trouble when updating to Debian 12.
This includes the following features:
The historical justifications for the filesystem layout with
/bin
, /sbin
, and
/lib
directories separate from their
equivalents under /usr
no longer apply
today; see the Freedesktop.org
summary. Debian bullseye will be the last Debian
release that supports the non-merged-usr layout; for systems
with a legacy layout that have been upgraded without a
reinstall, the usrmerge
package exists to do
the conversion if desired.
bullseye is the final Debian release to ship
apt-key. Keys should be managed by
dropping files into
/etc/apt/trusted.gpg.d
instead, in
binary format as created by gpg --export
with a .gpg
extension, or ASCII armored
with a .asc
extension.
A replacement for apt-key list to manually investigate the keyring is planned, but work has not started yet.
The slapd
database backends
slapd-bdb(5),
slapd-hdb(5), and
slapd-shell(5)
are being retired and will not be included in Debian 12.
LDAP databases using the bdb
or
hdb
backends should be migrated to the
slapd-mdb(5)
backend.
Additionally, the slapd-perl(5) and slapd-sql(5) backends are deprecated and may be removed in a future release.
The OpenLDAP Project does not support retired or deprecated backends. Support for these backends in Debian 11 is on a best effort basis.
Although Debian releases when it's ready, that unfortunately doesn't mean there are no known bugs. As part of the release process all the bugs of severity serious or higher are actively tracked by the Release Team, so an overview of those bugs that were tagged to be ignored in the last part of releasing bullseye can be found in the Debian Bug Tracking System. The following bugs were affecting bullseye at the time of the release and worth mentioning in this document:
Bug number | Package (source or binary) | Description |
---|---|---|
922981 | ca-certificates-java | ca-certificates-java: /etc/ca-certificates/update.d/jks-keystore doesn't update /etc/ssl/certs/java/cacerts |
990026 | cron | cron: Reduced charset in MAILTO causes breakage |
991081 | gir1.2-diodon-1.0 | gir1.2-diodon-1.0 lacks dependencies |
990318 | python-pkg-resources | python-pkg-resources: please add Breaks against the unversioned python packages |
991449 | fail2ban | fix for CVE-2021-32749 breaks systems with mail from bsd-mailx |
990708 | mariadb-server-10.5,galera-4 | mariadb-server-10.5: upgrade problems due to galera-3 -> galera-4 switch |
980429 | src:gcc-10 | g++-10: spurious c++17 mode segmentation fault in append_to_statement_list_1 (tree-iterator.c:65) |
980609 | src:gcc-10 | missing i386-cpuinfo.h |
984574 | gcc-10-base | gcc-10-base: please add Breaks: gcc-8-base (<< 8.4) |
984931 | git-el | git-el,elpa-magit: fails to install: /usr/lib/emacsen-common/packages/install/git emacs failed at /usr/lib/emacsen-common/lib.pl line 19, <TSORT> line 7. |
987264 | git-el | git-el: fails to install with xemacs21 |
991082 | gir1.2-gtd-1.0 | gir1.2-gtd-1.0 has empty Depends |
948739 | gparted | gparted should not mask .mount units |
984714 | gparted | gparted should suggest exfatprogs and backport the commit that rejects exfat-utils |
984760 | grub-efi-amd64 | grub-efi-amd64: upgrade works, boot fails (error: symbol `grub_is_lockdown` not found) |
968368 | ifenslave | ifenslave: Option bond-master fails to add interface to bond |
990428 | ifenslave | ifenslave: Bonding not working on bullseye (using bond-slaves config) |
991113 | libpam-chroot | libpam-chroot installs pam_chroot.so into the wrong directory |
989545 | src:llvm-toolchain-11 | libgl1-mesa-dri: si_texture.c:1727 si_texture_transfer_map - failed to create temporary texture to hold untiled copy |
982459 | mdadm | mdadm --examine in chroot without /proc,/dev,/sys mounted corrupts host's filesystem |
981054 | openipmi | openipmi: Missing dependency on kmod |
948318 | openssh-server | openssh-server: Unable to restart sshd restart after upgrade to version 8.1p1-2 |
991151 | procps | procps: dropped the reload option from the init script, breaking corekeeper |
989103 | pulseaudio | pulseaudio regressed on control=Wave configuration |
984580 | libpython3.9-dev | libpython3.9-dev: missing dependency on zlib1g-dev |
990417 | src:qemu | openjdk-11-jre-headless: running java in qemu s390 gives a SIGILL at C [linux-vdso64.so.1+0x6f8] __kernel_getcpu+0x8 |
859926 | speech-dispatcher | breaks with pulse-audio as output when spawned by speechd-up from init system |
932501 | src:squid-deb-proxy | squid-deb-proxy: daemon does not start due to the conf file not being allowed by apparmor |
991588 | tpm2-abrmd | tpm2-abrmd should not use Requires=systemd-udev-settle.service in its unit |
991939 | libjs-bootstrap4 | libjs-bootstrap4: broken symlinks: /usr/share/javascript/bootstrap4/css/bootstrap*.css.map -> ../../../nodejs/bootstrap/dist/css/bootstrap*.css.map |
991822 | src:wine | src:wine: dh_auto_clean deletes unrelated files outside of package source |
988477 | src:xen | xen-hypervisor-4.14-amd64: xen dmesg shows (XEN) AMD-Vi: IO_PAGE_FAULT on sata pci device |
991788 | xfce4-settings | xfce4-settings: black screen after suspend when laptop lid is closed and re-opened |
[6] These engines are shipped in a number of different source packages and the concern applies to all packages shipping them. The concern also extends to web rendering engines not explicitly mentioned here, with the exception of webkit2gtk and the new wpewebkit.