Summary
Sometimes, changes introduced in a new release have side-effects we cannot reasonably avoid, or they expose bugs somewhere else. This section documents issues we are aware of. Please also read the errata, the relevant packages' documentation, bug reports, and other information mentioned in Section 6.1, "Further reading".
This section covers items related to the upgrade from buster to bullseye.
Support for the barrier and nobarrier mount options has been removed from the XFS file system. It is recommended to check /etc/fstab for the presence of either keyword and remove it. Partitions using these options will fail to mount.
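The following shell snippet is an added example, not part of the release notes: it reports XFS entries in an fstab-style file that still carry barrier or nobarrier, and prints a cleaned copy so the change can be reviewed before it touches the real /etc/fstab. The function names are assumptions, and the sample fstab in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the Debian release notes): find and strip the removed
# XFS "barrier"/"nobarrier" mount options in an fstab-style file before upgrading.
#   check_xfs_barrier FILE  prints the offending entries, exit status 1 if any found
#   strip_xfs_barrier FILE  prints a cleaned copy to stdout; FILE itself is untouched
set -eu

check_xfs_barrier() {
    # Field 3 is the file system type, field 4 the comma-separated option list.
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $3 == "xfs" {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "barrier" || opts[i] == "nobarrier") {
                    print FILENAME ":" FNR ": " $0
                    found = 1
                    break
                }
        }
        END { if (found) exit 1 }
    ' "$1"
}

strip_xfs_barrier() {
    # Comments, blank lines and non-XFS entries pass through unchanged; for XFS
    # entries the two options are dropped and the fields are re-joined with tabs.
    awk '
        /^[[:space:]]*#/ || NF == 0 || $3 != "xfs" { print; next }
        {
            n = split($4, opts, ",")
            out = ""
            for (i = 1; i <= n; i++) {
                if (opts[i] == "barrier" || opts[i] == "nobarrier") continue
                out = out (out == "" ? "" : ",") opts[i]
            }
            if (out == "") out = "defaults"   # the options field must not be left empty
            $4 = out
            print
        }
    ' OFS="\t" "$1"
}
```

Typical use is `check_xfs_barrier /etc/fstab` before the upgrade, then `strip_xfs_barrier /etc/fstab > /tmp/fstab.new`, a `diff /etc/fstab /tmp/fstab.new` to review, and only then copying the new file into place. An entry whose only option was barrier ends up with `defaults`, since an empty fourth field is not valid fstab.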
For bullseye, the security suite is now named bullseye-security instead of codename/updates, and users should adapt their APT source-list files accordingly when upgrading.
The security line in your APT configuration may look like:
deb https://deb.debian.org/debian-security bullseye-security main contrib
If your APT configuration also involves pinning or APT::Default-Release, it is likely to require adjustments as the codename of the security archive no longer matches that of the regular archive. An example of a working APT::Default-Release line for bullseye looks like:
APT::Default-Release "/^bullseye(|-security|-updates)$/";
which takes advantage of APT's support for regular expressions (inside /).
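As an added example (not from the release notes), the shell functions below rewrite the security suite in a sources list from the buster form to bullseye-security, list any remaining plain buster suites, and approximate APT's regular-expression matching to check whether a given APT::Default-Release value would still cover bullseye-security. The function names are assumptions, and the sample sources list in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the Debian release notes): helpers for the APT
# security-suite rename and the Default-Release regex check discussed above.
set -eu

# Rewrite every "deb"/"deb-src" line whose suite is "buster/updates" (the
# buster security suite) to "bullseye-security". Reads stdin, writes stdout.
convert_security_suite() {
    sed -E 's#^(deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?[^[:space:]]+[[:space:]]+)buster/updates#\1bullseye-security#'
}

# Print (with line numbers) the remaining lines that still use the plain
# "buster" suite, so they can be reviewed and updated by hand.
list_buster_suites() {
    grep -En '^deb(-src)?[[:space:]].*[[:space:]]buster([[:space:]]|$)' || true
}

# Exit 0 if an APT::Default-Release value matches bullseye-security.
# A value wrapped in slashes is treated as an extended regular expression,
# an approximation of APT's own matching (assumption: grep -E semantics).
default_release_covers_security() {
    value=$1
    case $value in
        /*/) regex=${value#/}; regex=${regex%/}
             printf '%s\n' bullseye-security | grep -Eq "$regex" ;;
        *)   [ "$value" = bullseye-security ] ;;
    esac
}
```

Run it as `convert_security_suite < /etc/apt/sources.list > /tmp/sources.list.new` and review the result before installing it; the plain-suite rewrite is left to the administrator on purpose, since pinned or mixed configurations are exactly the ones the text says need manual adjustment.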
The default password hash for local system accounts has been changed from SHA-512 to yescrypt (see crypt(5)). This is expected to provide improved security against dictionary-based password guessing attacks, in terms of both the space and time complexity of the attack.
To take advantage of this improved security, change local passwords; for example use the passwd command.
Old passwords will continue to work using whatever password hash was used to create them.
Yescrypt is not supported by Debian 10 (buster). As a result, shadow password files (/etc/shadow) cannot be copied from a bullseye system back to a buster system. If these files are copied, passwords that have been changed on the bullseye system will not work on the buster system. Similarly, password hashes cannot be cut&pasted from a bullseye to a buster system.
If compatibility is required for password hashes between bullseye and buster, modify /etc/pam.d/common-password. Find the line that looks like:
password [success=1 default=ignore] pam_unix.so obscure yescrypt
and replace yescrypt with sha512.
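As an added example (not from the release notes), this shell snippet reads a shadow-format file and reports, per account, which crypt(5) scheme the stored hash uses: accounts already on yescrypt are the ones whose entries a buster system cannot verify, and accounts still on SHA-512 or older schemes are the ones a passwd run would move to the new default. The function names are assumptions, and the shadow entries in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the Debian release notes): classify the password
# hashes in a shadow-format file by their crypt(5) prefix.
set -eu

# hash_scheme HASH: print the scheme name for one hash field.
hash_scheme() {
    case $1 in
        '$y$'*)          echo yescrypt ;;
        '$7$'*)          echo scrypt ;;
        '$6$'*)          echo sha512 ;;
        '$5$'*)          echo sha256 ;;
        '$2'[abxy]'$'*)  echo bcrypt ;;
        '$1$'*)          echo md5 ;;
        '!'*|'*'|'')     echo locked ;;   # locked or passwordless accounts
        *)               echo unknown ;;
    esac
}

# shadow_summary: reads shadow lines on stdin, prints "user scheme" per entry.
shadow_summary() {
    while IFS=: read -r user hash _; do
        printf '%s %s\n' "$user" "$(hash_scheme "$hash")"
    done
}

# Accounts whose hash a buster system cannot verify (yescrypt).
not_buster_compatible() {
    shadow_summary | awk '$2 == "yescrypt" { print $1 }'
}

# Accounts still using a pre-yescrypt scheme, i.e. candidates for passwd.
needs_rehash() {
    shadow_summary | awk '$2 == "sha512" || $2 == "sha256" || $2 == "md5" { print $1 }'
}
```

On a live system run it as root, e.g. `needs_rehash < /etc/shadow`; the locked category covers `!`, `*` and empty fields, so service accounts are not reported as needing a new password.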
NSS NIS and NIS+ support has been moved to separate packages called libnss-nis and libnss-nisplus. Unfortunately, glibc can't depend on those packages, so they are now only recommended.
On systems using NIS or NIS+, it is therefore recommended to check that those packages are correctly installed after the upgrade.
The DNS resolver unbound has changed the way it handles configuration file fragments. If you are relying on an include: directive to merge several fragments into a valid configuration, you should read the NEWS file.
The rsync parameter --noatime has been renamed --open-noatime. The old form is no longer supported; if you are using it you should see the NEWS file. Transfer processes between systems running different Debian releases may require the buster side to be upgraded to a version of rsync from the backports repository. The version of rsync in the initial release of bullseye also deprecated --copy-devices in favor of --write-devices, but version 3.2.3-4+deb11u1 (included in bullseye point release 11.1) reverts this deprecation and supports both options.
The addons for vim historically provided by vim-scripts are now managed by Vim's native "package" functionality rather than by vim-addon-manager. Vim users should prepare before upgrading by following the instructions in the NEWS file.
OpenStack Victoria (released in bullseye) requires cgroup v1 for block device QoS. Since bullseye also changes to using cgroupv2 by default (see Section 2.2.4, "Control groups v2"), the sysfs tree in /sys/fs/cgroup will not include cgroup v1 features such as /sys/fs/cgroup/blkio, and as a result cgcreate -g blkio:foo will fail. For OpenStack nodes running nova-compute or cinder-volume, it is strongly advised to add the parameters systemd.unified_cgroup_hierarchy=false and systemd.legacy_systemd_cgroup_controller=false to the kernel command line in order to override the default and restore the old cgroup hierarchy.
Following upstream's recommendations, OpenStack Victoria as released in bullseye switches the OpenStack API to use the new YAML format. As a result, most OpenStack services, including Nova, Glance, and Keystone, appear broken with all of the API policies written explicitly in the policy.json files. Therefore, packages now come with a folder /etc/PROJECT/policy.d containing a file 00_default_policy.yaml, with all of the policies commented out by default.
To avoid the old policy.json file staying active, the Debian OpenStack packages now rename that file as disabled.policy.json.old. In some cases where nothing better could be done in time for the release the policy.json is even simply deleted. So before upgrading, it is strongly advised to back up the policy.json files of your deployments.
More details are available in the upstream documentation.
In contrast to normal upgrades of sendmail, during the upgrade of buster to bullseye the sendmail service will be stopped, causing more downtime than usual. For generic advice on reducing downtime see Section 4.1.3, "Prepare for downtime on services".
Some packages including gvfs-fuse, kio-fuse, and sshfs have switched to FUSE 3. During upgrades, this will cause fuse3 to be installed and fuse to be removed.
In some exceptional circumstances, e.g., when performing the upgrade by only running apt-get dist-upgrade instead of the recommended upgrade steps from Chapter 4, Upgrades from Debian 10 (buster), packages depending on fuse3 might be kept back during upgrades. Running the steps discussed in Section 4.4.5, "Upgrading the system" again with bullseye's apt or upgrading them manually will resolve the situation.
Starting with version 2.2.27-1, per-user configuration of the GnuPG suite has completely moved to ~/.gnupg/gpg.conf, and ~/.gnupg/options is no longer in use. Please rename the file if necessary, or move its contents to the new location.
From Linux 5.10, all users are allowed to create user namespaces by default. This will allow programs such as web browsers and container managers to create more restricted sandboxes for untrusted or less-trusted code, without the need to run as root or to use a setuid-root helper.
The previous Debian default was to restrict this feature to processes running as root, because it exposed more security issues in the kernel. However, as the implementation of this feature has matured, we are now confident that the risk of enabling it is outweighed by the security benefits it provides.
If you prefer to keep this feature restricted, set the sysctl:
user.max_user_namespaces = 0
Note that various desktop and container features will not work with this restriction in place, including web browsers, WebKitGTK, Flatpak and GNOME thumbnailing.
The Debian-specific sysctl kernel.unprivileged_userns_clone=0 has a similar effect, but is deprecated.
From Linux 5.10, Debian disables unprivileged calls to bpf() by default. However, an admin can still change this setting later on, if needed, by writing 0 or 1 to the kernel.unprivileged_bpf_disabled sysctl.
If you prefer to keep unprivileged calls to bpf() enabled, set the sysctl:
kernel.unprivileged_bpf_disabled = 0
For background on the change as default in Debian see bug 990411 for the change request.
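As an added example (not from the release notes), the shell snippet below audits the two sysctls discussed above, user.max_user_namespaces and kernel.unprivileged_bpf_disabled, and writes a sysctl.d drop-in that keeps both features restricted, using the values given in the text. The optional directory argument, the function names and the drop-in file name are assumptions made so the audit can be exercised against a constructed tree instead of the live /proc/sys.

```shell
#!/bin/sh
# Added example (not from the Debian release notes): audit the user-namespace
# and unprivileged-bpf() knobs and write a restrictive sysctl.d fragment.
set -eu

# audit_sandbox_sysctls [SYS_ROOT]: one line per knob, "key=value verdict".
# SYS_ROOT defaults to /proc/sys; a different root is only for testing.
audit_sandbox_sysctls() {
    root=${1:-/proc/sys}
    for key in user.max_user_namespaces kernel.unprivileged_bpf_disabled; do
        path=$root/$(printf '%s' "$key" | tr . /)
        if [ -r "$path" ]; then value=$(cat "$path"); else value=missing; fi
        case $key:$value in
            user.max_user_namespaces:0)
                verdict="restricted; web browsers, Flatpak and GNOME thumbnailing will not work" ;;
            user.max_user_namespaces:[1-9]*)
                verdict="unprivileged user namespaces allowed (bullseye default)" ;;
            kernel.unprivileged_bpf_disabled:0)
                verdict="unprivileged bpf() allowed" ;;
            kernel.unprivileged_bpf_disabled:[12])
                verdict="unprivileged bpf() disabled (bullseye default)" ;;
            *)  verdict="unexpected value" ;;
        esac
        printf '%s=%s %s\n' "$key" "$value" "$verdict"
    done
}

# write_restrictive_fragment [FILE]: the two settings from the text as a
# sysctl.d drop-in. The default file name is an assumption, not a Debian file.
write_restrictive_fragment() {
    dest=${1:-/etc/sysctl.d/90-restrict-unprivileged.conf}
    printf '%s\n' \
        '# Restrict unprivileged user namespaces and bpf() (Debian 11 release notes)' \
        'user.max_user_namespaces = 0' \
        'kernel.unprivileged_bpf_disabled = 1' > "$dest"
    echo "wrote $dest; apply with: sysctl -p $dest"
}
```

`audit_sandbox_sysctls` with no argument reads the running kernel; after writing the fragment, `sysctl -p` on it applies the values immediately and they persist across reboots through the usual sysctl.d loading.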
The package redmine is not provided in bullseye, as it was too late migrating over from the old version of rails, which is at the end of upstream support (receiving fixes for severe security bugs only), to the version which is in bullseye. The Ruby Extras Maintainers are following upstream closely and will be releasing a version via backports as soon as it is released and they have working packages. If you can't wait for this to happen before upgrading, you can use a VM or container running buster to isolate this specific application.
Please consider the version of Exim in bullseye a major Exim upgrade. It introduces the concept of tainted data read from untrusted sources, like e.g. message sender or recipient. This tainted data (e.g. $local_part or $domain) cannot be used among other things as a file or directory name or command name.
This will break configurations which are not updated accordingly. Old Debian Exim configuration files also will not work unmodified; the new configuration needs to be installed with local modifications merged in.
Typical nonworking examples include:
- Delivery to /var/mail/$local_part. Use $local_part_data in combination with check_local_user.
- Using data = ${lookup{$local_part}lsearch{/some/path/$domain/aliases}} instead of data = ${lookup{$local_part}lsearch{/some/path/$domain_data/aliases}} for a virtual domain alias file.
The basic strategy for dealing with this change is to use the result of a lookup in further processing instead of the original (remote provided) value.
To ease upgrading there is a new main configuration option to temporarily downgrade taint errors to warnings, letting the old configuration work with the newer Exim. To make use of this feature add
.ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
allow_insecure_tainted_data = yes
.endif
to the Exim configuration (e.g. to /etc/exim4/exim4.conf.localmacros) before upgrading and check the logfile for taint warnings. This is a temporary workaround which is already marked for removal on introduction.
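As an added example (not from the release notes or from the Exim project), the shell snippet below is a pre-upgrade audit for the two patterns quoted above: it lists configuration lines where $local_part or $domain appears directly inside a path segment, while leaving the $local_part_data and $domain_data forms alone, and checks whether the temporary allow_insecure_tainted_data setting is present in a file. It is a heuristic over the examples the text gives, not an implementation of Exim's taint tracking; the function names are assumptions and the configuration lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the Debian release notes or Exim): heuristic audit
# for tainted variables used as part of file or directory names.
set -eu

# Variables treated as tainted for this audit; only the two named in the
# release notes are listed, extend as needed ("a|b" alternation).
TAINTED_VARS='local_part|domain'

# find_tainted_paths: reads an Exim configuration on stdin and prints
# "LINE: text" for each non-comment line containing "/...$var" where $var is
# one of TAINTED_VARS. "$local_part_data"/"$domain_data" are not matched
# because the character after the name must not be an identifier character.
find_tainted_paths() {
    awk -v re='/[^[:space:]{}]*\\$\\{?('"$TAINTED_VARS"')[^_[:alnum:]]' '
        /^[[:space:]]*#/ { next }
        ($0 " ") ~ re { print FNR ": " $0 }
    '
}

# has_taint_workaround FILE: exit 0 if the temporary downgrade-to-warning
# option from the text is set in FILE.
has_taint_workaround() {
    grep -Eq '^[[:space:]]*allow_insecure_tainted_data[[:space:]]*=[[:space:]]*yes' "$1"
}
```

On a Debian system with the split configuration, `cat /etc/exim4/conf.d/*/* | find_tainted_paths` gives a first list of routers and transports to rework; a lookup key such as `${lookup{$local_part}...}` is deliberately not flagged, since the text's fix keeps the tainted value as the key and only moves the `_data` result into the path.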
Due to changes in the Linux kernel, the probing of SCSI devices is no longer deterministic. This could be an issue for installations that rely on the disk probing order. Two possible alternatives using links in /dev/disk/by-path or a udev rule are suggested in this mailing list post.
The network protocol of versions 1 and 2 of rdiff-backup are incompatible. This means that you must be running the same version (either 1 or 2) of rdiff-backup locally and remotely. Since buster ships version 1.2.8 and bullseye ships version 2.0.5, upgrading only the local system or only the remote system from buster to bullseye will break rdiff-backup runs between the two.
Version 2.0.5 of rdiff-backup is available in the buster-backports archive, see backports. This enables users to first upgrade only the rdiff-backup package on their buster systems, and then independently upgrade systems to bullseye at their convenience.
The intel-microcode package currently in bullseye and buster-security (see DSA-4934-1) is known to contain two significant bugs. For some CoffeeLake CPUs this update may break network interfaces that use firmware-iwlwifi, and for some Skylake R0/D0 CPUs on systems using a very outdated firmware/BIOS, the system may hang on boot.
If you held back the update from DSA-4934-1 due to either of these issues, or do not have the security archive enabled, be aware that upgrading to the intel-microcode package in bullseye may cause your system to hang on boot or break iwlwifi. In that case, you can recover by disabling microcode loading on boot; see the instructions in the DSA, which are also in the intel-microcode README.Debian.
Packages that depend on libgc1c2 in buster (e.g. guile-2.2-libs) may be held back during the first full upgrade run to bullseye. Doing a second upgrade normally solves the issue. The background of the issue can be found in bug #988963.
The fail2ban package can be configured to send out e-mail notifications. It does that using mail, which is provided by multiple packages in Debian. A security update (needed on systems that use mail from mailutils) just before the release of bullseye broke this functionality for systems that have mail provided by bsd-mailx. Users of fail2ban in combination with bsd-mailx who wish fail2ban to send out e-mail should either switch to a different provider for mail or manually unapply the upstream commit (which inserted the string "-E 'set escape'" in multiple places under /etc/fail2ban/action.d/).
Although existing Secure Shell (SSH) connections should continue to work through the upgrade as usual, due to unfortunate circumstances the period when new SSH connections cannot be established is longer than usual. If the upgrade is being carried out over an SSH connection which might be interrupted, it's recommended to upgrade openssh-server before upgrading the full system.
The openvswitch upgrade may fail to recover bridges after boot. The workaround is:
sed -i s/^allow-ovs/auto/ /etc/network/interfaces
For more info, see bug #989720.
There are some packages where Debian cannot promise to provide minimal backports for security issues. These are covered in the following subsections.
Debian 11 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and partial lack of upstream support in the form of long term branches make it very difficult to support these browsers and engines with backported security fixes. Additionally, library interdependencies make it extremely difficult to update to newer upstream releases. Therefore, browsers built upon e.g. the webkit and khtml engines[6] are included in bullseye, but not covered by security support. These browsers should not be used against untrusted websites. The webkit2gtk and wpewebkit engines are covered by security support.
For general web browser use we recommend Firefox or Chromium. They will be kept up-to-date by rebuilding the current ESR releases for stable. The same strategy will be applied for Thunderbird.
Debian bullseye comes with an early access version of OpenJDK 17 (the next expected OpenJDK LTS version after OpenJDK 11), to avoid the rather tedious bootstrap process. The plan is for OpenJDK 17 to receive an update in bullseye to the final upstream release announced for October 2021, followed by security updates on a best effort basis, but users should not expect to see updates for every quarterly upstream security update.
The Debian infrastructure currently has problems with rebuilding packages of types that systematically use static linking. Before buster this wasn't a problem in practice, but with the growth of the Go ecosystem it means that Go-based packages will be covered by limited security support until the infrastructure is improved to deal with them maintainably.
If updates are warranted for Go development libraries, they can only come via regular point releases, which may be slow in arriving.
Without a pointing device, there is no direct way to change settings in the GNOME settings app provided by gnome-control-center. As a work-around, you can navigate from the sidebar to the main content by pressing the Right Arrow key twice. To get back to the sidebar, you can start a search with Ctrl+F, type something, then hit Esc to cancel the search. Now you can use the Up Arrow and Down Arrow keys to navigate the sidebar. It is not possible to select search results using the keyboard.
With the implementation of sulogin used since buster, booting with the rescue option always requires the root password. If one has not been set, this makes the rescue mode effectively unusable. However it is still possible to boot using the kernel parameter
init=/sbin/sulogin --force
To configure systemd to do the equivalent of this whenever it boots into rescue mode (also known as single mode: see systemd(1)), run sudo systemctl edit rescue.service and create a file saying just:
[Service]
Environment=SYSTEMD_SULOGIN_FORCE=1
It might also (or instead) be useful to do this for the emergency.service unit, which is started automatically in the case of certain errors (see systemd.special(7)), or if emergency is added to the kernel command line (e.g. if the system can't be recovered by using the rescue mode).
For background and a discussion on the security implications see #802211.
The Linux kernel (from version 5.9) no longer supports 32-bit xen virtual machines using PV mode. Such virtual machines need to be converted to the 64-bit PC architecture.
You can check which mode a Xen guest is running (inside the virtual machine):
$ cat /sys/hypervisor/guest_type
PV
Virtual machines that return, for example, PVH or HVM are not affected.
The following is a list of known and noteworthy obsolete packages (see Section 4.8, "Obsolete packages" for a description).
The list of obsolete packages includes:
The lilo package has been removed from bullseye. The successor of lilo as boot loader is grub2.
The Mailman mailing list manager suite version 3 is the only available version of Mailman in this release. Mailman has been split up into various components; the core is available in the package mailman3 and the full suite can be obtained via the mailman3-full metapackage.
The legacy Mailman version 2.1 is no longer available (this used to be the package mailman). This branch depends on Python 2 which is no longer available in Debian.
For upgrading instructions, please see the project's migration documentation.
The Linux kernel no longer provides isdn4linux (i4l) support. Consequently, the related userland packages isdnutils, isdnactivecards, drdsl and ibod have been removed from the archives.
The deprecated libappindicator libraries are no longer provided. As a result, the related packages libappindicator1, libappindicator3-1 and libappindicator-dev are no longer available. This is expected to cause dependency errors for third-party software that still depends on libappindicator to provide system tray and indicator support.
Debian is using libayatana-appindicator as the successor of libappindicator. For technical background see this announcement.
Debian no longer provides chef. If you use Chef for configuration management, the best upgrade path is probably to switch to using the packages provided by Chef Inc.
For background on the removal, see the removal request.
Python 2 is already beyond its End Of Life, and will receive no security updates. It is not supported for running applications, and packages relying on it have either been switched to Python 3 or removed. However, Debian bullseye does still include a version of Python 2.7, as well as a small number of Python 2 build tools such as python-setuptools. These are present only because they are required for a few application build processes that have not yet been converted to Python 3.
The aufs-dkms package is not part of bullseye. Most aufs-dkms users should be able to switch to overlayfs, which provides similar functionality with kernel support. However, it's possible to have a Debian installation on a filesystem that is not compatible with overlayfs, e.g. xfs without d_type. Users of aufs-dkms are advised to migrate away from aufs-dkms before upgrading to bullseye.
The network connection manager wicd will no longer be available after the upgrade, so to avoid the danger of losing connectivity users are recommended to switch before the upgrade to an alternative such as network-manager or connman.
With the next release of Debian 12 (codenamed bookworm) some features will be deprecated. Users will need to migrate to other alternatives to prevent trouble when updating to Debian 12.
This includes the following features:
The historical justifications for the filesystem layout with /bin, /sbin, and /lib directories separate from their equivalents under /usr no longer apply today; see the Freedesktop.org summary. Debian bullseye will be the last Debian release that supports the non-merged-usr layout; for systems with a legacy layout that have been upgraded without a reinstall, the usrmerge package exists to do the conversion if desired.
bullseye is the final Debian release to ship apt-key. Keys should be managed by dropping files into /etc/apt/trusted.gpg.d instead, in binary format as created by gpg --export with a .gpg extension, or ASCII armored with a .asc extension.
A replacement for apt-key list to manually investigate the keyring is planned, but work has not started yet.
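As an added example (not from the release notes), the shell snippet below checks a trusted.gpg.d directory for the rule stated above: a file ending in .gpg must be a binary keyring and a file ending in .asc must be ASCII armored. A key saved with the wrong extension, or with an extension APT does not read at all, is silently not trusted, which is the failure a practitioner wants to catch before relying on a third-party repository. The function names are assumptions; the key material in the test is constructed and is not a real key.

```shell
#!/bin/sh
# Added example (not from the Debian release notes): verify that key files in
# an APT trusted.gpg.d directory have an extension matching their format.
set -eu

# key_format FILE: print "armored", "binary" or "empty" based on the content.
key_format() {
    if [ ! -s "$1" ]; then echo empty; return; fi
    if head -c 40 "$1" | grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
        echo armored
    else
        echo binary
    fi
}

# check_trusted_keys [DIR]: print "file: verdict" for each regular file in DIR
# (default /etc/apt/trusted.gpg.d). Exit status 1 if any file is mismatched,
# empty, or has an extension APT would not read.
check_trusted_keys() {
    dir=${1:-/etc/apt/trusted.gpg.d}
    status=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        fmt=$(key_format "$f")
        case "$f:$fmt" in
            *.gpg:binary|*.asc:armored) verdict=ok ;;
            *.gpg:armored) verdict="mismatch: armored key with .gpg extension"; status=1 ;;
            *.asc:binary)  verdict="mismatch: binary keyring with .asc extension"; status=1 ;;
            *:empty)       verdict="empty file"; status=1 ;;
            *)             verdict="ignored by apt: unknown extension"; status=1 ;;
        esac
        printf '%s: %s\n' "$f" "$verdict"
    done
    return $status
}
```

Run `check_trusted_keys` with no argument on a live system; the fix for a mismatch is to re-export the key in the intended format (gpg --export for binary, gpg --export --armor for .asc) rather than to rename the file.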
The slapd database backends slapd-bdb(5), slapd-hdb(5), and slapd-shell(5) are being retired and will not be included in Debian 12. LDAP databases using the bdb or hdb backends should be migrated to the slapd-mdb(5) backend.
Additionally, the slapd-perl(5) and slapd-sql(5) backends are deprecated and may be removed in a future release.
The OpenLDAP Project does not support retired or deprecated backends. Support for these backends in Debian 11 is on a best effort basis.
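As an added example (not from the release notes or the OpenLDAP project), the shell snippet below scans a slapd cn=config directory and lists every database whose backend is retired (bdb, hdb, shell) or deprecated (perl, sql), so the migration to mdb can be planned before the Debian 12 upgrade. It assumes the standard Debian layout, /etc/ldap/slapd.d/cn=config/olcDatabase=*.ldif, with an olcDatabase: {N}backend attribute in each file; the function names are assumptions and the LDIF files in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the Debian release notes or OpenLDAP): find slapd
# databases that use a retired or deprecated backend in a cn=config tree.
set -eu

# backend_status NAME: print retired, deprecated or supported.
backend_status() {
    case $1 in
        bdb|hdb|shell) echo retired ;;
        perl|sql)      echo deprecated ;;
        *)             echo supported ;;
    esac
}

# find_legacy_backends [DIR]: print "<file> <backend> <status>" for each
# database on a retired or deprecated backend. DIR defaults to the live
# cn=config directory. Exit status 1 if any such database exists.
find_legacy_backends() {
    dir=${1:-/etc/ldap/slapd.d/cn=config}
    status=0
    for f in "$dir"/olcDatabase=*.ldif; do
        [ -f "$f" ] || continue
        # The attribute looks like "olcDatabase: {1}mdb"; drop the index.
        backend=$(sed -n 's/^olcDatabase: *{-*[0-9]*}//p' "$f" | head -n 1)
        [ -n "$backend" ] || continue
        state=$(backend_status "$backend")
        if [ "$state" = supported ]; then continue; fi
        printf '%s %s %s\n' "$f" "$backend" "$state"
        status=1
    done
    return $status
}
```

The frontend and config pseudo-databases ({-1}frontend, {0}config) are reported as supported and therefore skipped; only real data backends appear in the output.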
Although Debian releases when it's ready, that unfortunately doesn't mean there are no known bugs. As part of the release process all the bugs of severity serious or higher are actively tracked by the Release Team, so an overview of those bugs that were tagged to be ignored in the last part of releasing bullseye can be found in the Debian Bug Tracking System. The following bugs were affecting bullseye at the time of the release and are worth mentioning in this document:
Bug number | Package (source or binary) | Description |
---|---|---|
922981 | ca-certificates-java | ca-certificates-java: /etc/ca-certificates/update.d/jks-keystore doesn't update /etc/ssl/certs/java/cacerts |
990026 | cron | cron: Reduced charset in MAILTO causes breakage |
991081 | gir1.2-diodon-1.0 | gir1.2-diodon-1.0 lacks dependencies |
990318 | python-pkg-resources | python-pkg-resources: please add Breaks against the unversioned python packages |
991449 | fail2ban | fix for CVE-2021-32749 breaks systems with mail from bsd-mailx |
990708 | mariadb-server-10.5,galera-4 | mariadb-server-10.5: upgrade problems due to galera-3 -> galera-4 switch |
980429 | src:gcc-10 | g++-10: spurious c++17 mode segmentation fault in append_to_statement_list_1 (tree-iterator.c:65) |
980609 | src:gcc-10 | missing i386-cpuinfo.h |
984574 | gcc-10-base | gcc-10-base: please add Breaks: gcc-8-base (<< 8.4) |
984931 | git-el | git-el,elpa-magit: fails to install: /usr/lib/emacsen-common/packages/install/git emacs failed at /usr/lib/emacsen-common/lib.pl line 19, <TSORT> line 7. |
987264 | git-el | git-el: fails to install with xemacs21 |
991082 | gir1.2-gtd-1.0 | gir1.2-gtd-1.0 has empty Depends |
948739 | gparted | gparted should not mask .mount units |
984714 | gparted | gparted should suggest exfatprogs and backport the commit that rejects exfat-utils |
968368 | ifenslave | ifenslave: Option bond-master fails to add interface to bond |
990428 | ifenslave | ifenslave: Bonding not working on bullseye (using bond-slaves config) |
991113 | libpam-chroot | libpam-chroot installs pam_chroot.so into the wrong directory |
989545 | src:llvm-toolchain-11 | libgl1-mesa-dri: si_texture.c:1727 si_texture_transfer_map - failed to create temporary texture to hold untiled copy |
982459 | mdadm | mdadm --examine in chroot without /proc,/dev,/sys mounted corrupts host's filesystem |
981054 | openipmi | openipmi: Missing dependency on kmod |
948318 | openssh-server | openssh-server: Unable to restart sshd restart after upgrade to version 8.1p1-2 |
991151 | procps | procps: dropped the reload option from the init script, breaking corekeeper |
989103 | pulseaudio | pulseaudio regressed on control=Wave configuration |
984580 | libpython3.9-dev | libpython3.9-dev: missing dependency on zlib1g-dev |
990417 | src:qemu | openjdk-11-jre-headless: running java in qemu s390 gives a SIGILL at C [linux-vdso64.so.1+0x6f8] __kernel_getcpu+0x8 |
859926 | speech-dispatcher | breaks with pulse-audio as output when spawned by speechd-up from init system |
932501 | src:squid-deb-proxy | squid-deb-proxy: daemon does not start due to the conf file not being allowed by apparmor |
991588 | tpm2-abrmd | tpm2-abrmd should not use Requires=systemd-udev-settle.service in its unit |
991939 | libjs-bootstrap4 | libjs-bootstrap4: broken symlinks: /usr/share/javascript/bootstrap4/css/bootstrap*.css.map -> ../../../nodejs/bootstrap/dist/css/bootstrap*.css.map |
991822 | src:wine | src:wine: dh_auto_clean deletes unrelated files outside of package source |
988477 | src:xen | xen-hypervisor-4.14-amd64: xen dmesg shows (XEN) AMD-Vi: IO_PAGE_FAULT on sata pci device |
991788 | xfce4-settings | xfce4-settings: black screen after suspend when laptop lid is closed and re-opened |
[6] These engines are shipped in a number of different source packages and the concern applies to all packages shipping them. The concern also extends to web rendering engines not explicitly mentioned here, with the exception of webkit2gtk and the new wpewebkit.