| Field | Value | Date |
|---|---|---|
| author | Jean-Pierre Giraud <jean-pierregiraud@neuf.fr> | 2023-10-07 14:15:37 +0200 |
| committer | Jean-Pierre Giraud <jean-pierregiraud@neuf.fr> | 2023-10-07 14:15:37 +0200 |
| commit | 7e9ce6b3f7065fbbce6287410a40acb00b516392 (patch) | |
| tree | 8f69244b218dc1f9eea9c1c806468c537a945442 /english/News | |
| parent | 8c28711f6382cc0c4459ddfc8eec23dec8746d3f (diff) | |
Announcement for the 12.2 bookworm and the bullseye point releases
Diffstat (limited to 'english/News')
-rw-r--r-- | english/News/2023/20231007.wml | 306
-rw-r--r-- | english/News/2023/2023100702.wml | 355
2 files changed, 661 insertions, 0 deletions
diff --git a/english/News/2023/20231007.wml b/english/News/2023/20231007.wml new file mode 100644 index 00000000000..c7d402af0c4 --- /dev/null +++ b/english/News/2023/20231007.wml 
@@ -0,0 +1,306 @@ +<define-tag pagetitle>Updated Debian 12: 12.2 released</define-tag> +<define-tag release_date>2023-10-07</define-tag> +#use wml::debian::news +# $Id: + +<define-tag release>12</define-tag> +<define-tag codename>bookworm</define-tag> +<define-tag revision>12.2</define-tag> + +<define-tag dsa> + <tr><td align="center"><a href="$(HOME)/security/%0/dsa-%1">DSA-%1</a></td> + <td align="center"><: + my @p = (); + for my $p (split (/,\s*/, "%2")) { + push (@p, sprintf ('<a href="https://packages.debian.org/src:%s">%s</a>', $p, $p)); + } + print join (", ", @p); +:></td></tr> +</define-tag> + +<define-tag correction> + <tr><td><a href="https://packages.debian.org/src:%0">%0</a></td> <td>%1</td></tr> +</define-tag> + +<define-tag srcpkg><a href="https://packages.debian.org/src:%0">%0</a></define-tag> + +<p>The Debian project is pleased to announce the second update of its +stable distribution Debian <release> (codename <q><codename></q>). +This point release mainly adds corrections for security issues, +along with a few adjustments for serious problems. Security advisories +have already been published separately and are referenced where available.</p> + +<p>Please note that the point release does not constitute a new version of Debian +<release> but only updates some of the packages included. There is +no need to throw away old <q><codename></q> media. After installation, +packages can be upgraded to the current versions using an up-to-date Debian +mirror.</p> + +<p>Those who frequently install updates from security.debian.org won't have +to update many packages, and most such updates are +included in the point release.</p> + +<p>New installation images will be available soon at the regular locations.</p> + +<p>Upgrading an existing installation to this revision can be achieved by +pointing the package management system at one of Debian's many HTTP mirrors. 
+A comprehensive list of mirrors is available at:</p> + +<div class="center"> + <a href="$(HOME)/mirror/list">https://www.debian.org/mirror/list</a> +</div> + + + + +<h2>Miscellaneous Bugfixes</h2> + +<p>This stable update adds a few important corrections to the following packages:</p> + +<table border=0> +<tr><th>Package</th> <th>Reason</th></tr> +<correction amd64-microcode "Update included microcode, including fixes for <q>AMD Inception</q> on AMD Zen4 processors [CVE-2023-20569]"> +<correction arctica-greeter "Support configuring the onscreen keyboard theme via ArcticaGreeter's gsettings; use <q>Compact</q> OSK layout (instead of Small) which includes special keys such as German Umlauts; fix display of authentication failure messages; use active theme rather then emerald"> +<correction autofs "Fix regression determining reachability on dual-stack hosts"> +<correction base-files "Update for the 12.2 point release"> +<correction batik "Fix Server Side Request Forgery issues [CVE-2022-44729 CVE-2022-44730]"> +<correction boxer-data "No longer install https-everywhere for Firefox"> +<correction brltty "xbrlapi: Do not try to start brltty with ba+a2 when unavailable; fix cursor routing and braille panning in Orca when xbrlapi is installed but the a2 screen driver is not"> +<correction ca-certificates-java "Work around unconfigured JRE during new installations"> +<correction cairosvg "Handle data: URLs in safe mode"> +<correction calibre "Fix export feature"> +<correction clamav "New upstream stable release; security fixes [CVE-2023-20197 CVE-2023-20212]"> +<correction cryptmount "Avoid memory initialisation issues in command line parser"> +<correction cups "Fix heap-based buffer overflow issue [CVE-2023-4504]; fix unauthenticated access issue [CVE-2023-32360]"> +<correction curl "Build with OpenLDAP to correct improper fetch of binary LDAP attributes; fix excessive memory consumption issue [CVE-2023-38039]"> +<correction cyrus-imapd "Ensure mailboxes are not lost on 
upgrades from bullseye"> +<correction dar "Fix issues with creating isolated catalogs when dar was built using a recent gcc version"> +<correction dbus "New upstream stable release; fix a dbus-daemon crash during policy reload if a connection belongs to a user account that has been deleted, or if a Name Service Switch plugin is broken, on kernels not supporting SO_PEERGROUPS; report the error correctly if getting the groups of a uid fails; dbus-user-session: Copy XDG_CURRENT_DESKTOP to activation environment"> +<correction debian-archive-keyring "Clean up leftover keyrings in trusted.gpg.d"> +<correction debian-edu-doc "Update Debian Edu Bookworm manual"> +<correction debian-edu-install "New upstream release; adjust D-I auto-partitioning sizes"> +<correction debian-installer "Increase Linux kernel ABI to 6.1.0-13; rebuild against proposed-updates"> +<correction debian-installer-netboot-images "Rebuild against proposed-updates"> +<correction debian-parl "Rebuild with newer boxer-data; no longer depend on webext-https-everywhere"> +<correction debianutils "Fix duplicate entries in /etc/shells; manage /bin/sh in the state file; fix canonicalization of shells in aliased locations"> +<correction dgit "Use the old /updates security map only for buster; prevent pushing older versions than are already in the archive"> +<correction dhcpcd5 "Ease upgrades with leftovers from wheezy; drop deprecated ntpd integration; fix version in cleanup script"> +<correction dpdk "New upstream stable release"> +<correction dput-ng "Update permitted upload targets; fix failure to build from source"> +<correction efibootguard "Fix Insufficient or missing validation and sanitization of input from untrustworthy bootloader environment files [CVE-2023-39950]"> +<correction electrum "Fix a Lightning security issue"> +<correction filezilla "Fix builds for 32-bit architectures; fix crash when removing filetypes from list"> +<correction firewalld "Don't mix IPv4 and IPv6 addresses in a single 
nftables rule"> +<correction flann "Drop extra -llz4 from flann.pc"> +<correction foot "Ignore XTGETTCAP queries with invalid hex encodings"> +<correction freedombox "Use n= in apt preferences for smooth upgrades"> +<correction freeradius "Ensure TLS-Client-Cert-Common-Name contains correct data"> +<correction ghostscript "Fix buffer overflow issue [CVE-2023-38559]; try and secure the IJS server startup [CVE-2023-43115]"> +<correction gitit "Rebuild against new pandoc"> +<correction gjs "Avoid infinite loops of idle callbacks if an idle handler is called during GC"> +<correction glibc "Fix the value of F_GETLK/F_SETLK/F_SETLKW with __USE_FILE_OFFSET64 on ppc64el; fix a stack read overflow in getaddrinfo in no-aaaa mode [CVE-2023-4527]; fix use after free in getcanonname [CVE-2023-4806 CVE-2023-5156]; fix _dl_find_object to return correct values even during early startup"> +<correction gosa-plugins-netgroups "Silence deprecation warnings in web interface"> +<correction gosa-plugins-systems "Fix management of DHCP/DNS entries in default theme; fix adding (standalone) <q>Network printer</q> systems; fix generation of target DNs for various system types; fix icon rendering in DHCP servlet; enforce unqualified hostname for workstations"> +<correction gtk+3.0 "New upstream stable release; fix several crashes; show more information in the <q>inspector</q> debugging interface; silence GFileInfo warnings if used with a backported version of GLib; use a light colour for the caret in dark themes, making it much easier to see in some apps, in particular Evince"> +<correction gtk4 "Fix truncation in places sidebar with large text accessibility setting"> +<correction haskell-hakyll "Rebuild against new pandoc"> +<correction highway "Fix support for armhf systems lacking NEON"> +<correction hnswlib "Fix double free in init_index when the M argument is a large integer [CVE-2023-37365]"> +<correction horizon "Fix open redirect issue [CVE-2022-45582]"> +<correction icingaweb2 
"Suppress undesirable deprecation notices"> +<correction imlib2 "Fix preservation of alpha channel flag"> +<correction indent "Fix out of buffer read; fix buffer overwrite [CVE-2023-40305]"> +<correction inetutils "Check return values when dropping privileges [CVE-2023-40303]"> +<correction inn2 "Fix nnrpd hangs when compression is enabled; add support for high-precision syslog timestamps; make inn-{radius,secrets}.conf not world readable"> +<correction jekyll "Support YAML aliases"> +<correction kernelshark "Fix segfault in libshark-tepdata; fix capturing when target directory contains a space"> +<correction krb5 "Fix freeing of uninitialised pointer [CVE-2023-36054]"> +<correction lemonldap-ng "Apply login control to auth-slave requests; fix open redirection due to incorrect escape handling; fix open redirection when OIDC RP has no redirect URIs; fix Server Side Request Forgery issue [CVE-2023-44469]"> +<correction libapache-mod-jk "Remove implicit mapping functionality, which could lead to unintended exposure of the status worker and/or bypass of security constraints [CVE-2023-41081]"> +<correction libclamunrar "New upstream stable release"> +<correction libmatemixer "Fix heap corruptions / application crashes when removing audio devices"> +<correction libpam-mklocaluser "pam-auth-update: ensure the module is ordered before other session type modules"> +<correction libxnvctrl "New source package split from nvidia-settings"> +<correction linux "New upstream stable release"> +<correction linux-signed-amd64 "New upstream stable release"> +<correction linux-signed-arm64 "New upstream stable release"> +<correction linux-signed-i386 "New upstream stable release"> +<correction llvm-defaults "Fix /usr/include/lld symlink; add Breaks against not co-installable packages for smoother upgrades from bullseye"> +<correction ltsp "Avoid using mv on init symlink"> +<correction lxc "Fix nftables syntax for IPv6 NAT"> +<correction lxcfs "Fix CPU reporting within an arm32 
container with large numbers of CPUs"> +<correction marco "Only enable compositing if it is available"> +<correction mariadb "New upstream bugfix release"> +<correction mate-notification-daemon "Fix two memory leaks"> +<correction mgba "Fix broken audio in libretro core; fix crash on hardware incapable of OpenGL 3.2"> +<correction modsecurity "Fix denial of service issue [CVE-2023-38285]"> +<correction monitoring-plugins "check_disk: avoid mounting when searching for matching mount points, resolving a regression in speed from bullseye"> +<correction mozjs102 "New upstream stable release; fix <q>incorrect value used during WASM compilation</q> [CVE-2023-4046], potential use after free issue [CVE-2023-37202], memory safety issues [CVE-2023-37211 CVE-2023-34416]"> +<correction mutt "New upstream stable release"> +<correction nco "Re-enable udunits2 support"> +<correction nftables "Fix incorrect bytecode generation hit with new kernel check that rejects adding rules to bound chains"> +<correction node-dottie "Security fix (prototype pollution) [CVE-2023-26132]"> +<correction nvidia-settings "New upstream bugfix release"> +<correction nvidia-settings-tesla "New upstream bugfix release"> +<correction nx-libs "Fix missing symlink /usr/share/nx/fonts; fix manpage"> +<correction open-ath9k-htc-firmware "Load correct firmware"> +<correction openbsd-inetd "Fix memory handling issues"> +<correction openrefine "Fix arbitrary code execution issue [CVE-2023-37476]"> +<correction openscap "Fix dependencies of openscap-utils and python3-openscap"> +<correction openssh "Fix remote code execution issue via a forwarded agent socket [CVE-2023-38408]"> +<correction openssl "New upstream stable release; security fixes [CVE-2023-2975 CVE-2023-3446 CVE-2023-3817]"> +<correction pam "Fix pam-auth-update --disable; update Turkish translation"> +<correction pandoc "Fix arbitrary file write issue [CVE-2023-35936]"> +<correction plasma-framework "Fix plasmashell crashes"> +<correction 
plasma-workspace "Fix crash in krunner"> +<correction python-git "Fix remote code execution issue [CVE-2023-40267], blind local file inclusion issue [CVE-2023-41040]"> +<correction pywinrm "Fix compatibility with Python 3.11"> +<correction qemu "Update to upstream 7.2.5 tree; ui/vnc-clipboard: fix infinite loop in inflate_buffer [CVE-2023-3255]; fix NULL pointer dereference issue [CVE-2023-3354]; fix buffer overflow issue [CVE-2023-3180]"> +<correction qtlocation-opensource-src "Fix freeze when loading map tiles"> +<correction rar "Upstream bugfix release [CVE-2023-40477]"> +<correction reprepro "Fix race condition when using external decompressors"> +<correction rmlint "Fix error in other packages caused by invalid python package version; fix GUI startup failure with recent python3.11"> +<correction roundcube "New upstream stable release; fix OAuth2 authentication; fix cross site scripting issues [CVE-2023-43770]"> +<correction runit-services "dhclient: don't hardcode use of eth1"> +<correction samba "New upstream stable release"> +<correction sitesummary "New upstream release; fix installation of sitesummary-maintenance CRON/systemd-timerd script; fix insecure temporary file and directory creation"> +<correction slbackup-php "Bug fixes: log remote commands to stderr; disable SSH known hosts files; PHP 8 compatibility"> +<correction spamprobe "Fix crashes parsing JPEG attachments"> +<correction stunnel4 "Fix handling of a peer closing TLS connection without proper shutdown messaging"> +<correction systemd "New upstream stable release; fix minor security issue in arm64 and riscv64 systemd-boot (EFI) with device tree blobs loading"> +<correction testng7 "Backport to stable for future openjdk-17 builds"> +<correction timg "Fix buffer overflow vulnerability [CVE-2023-40968]"> +<correction transmission "Replace openssl3 compat patch to fix memory leak"> +<correction unbound "Fix error log flooding when using DNS over TLS with openssl 3.0"> +<correction unrar-nonfree 
"Fix remote code execution issue [CVE-2023-40477]"> +<correction vorta "Handle ctime and mtime changes in diffs"> +<correction vte2.91 "Invalidate ring view more often when necessary, fixing various assertion failures during event handling"> +<correction x2goserver "x2goruncommand: add support for KDE Plasma 5; x2gostartagent: prevent logfile corruption; keystrokes.cfg: sync with nx-libs; fix encoding of Finnish translation"> +</table> + + +<h2>Security Updates</h2> + + +<p>This revision adds the following security updates to the stable release. +The Security Team has already released an advisory for each of these +updates:</p> + +<table border=0> +<tr><th>Advisory ID</th> <th>Package</th></tr> +<dsa 2023 5454 kanboard> +<dsa 2023 5455 iperf3> +<dsa 2023 5456 chromium> +<dsa 2023 5457 webkit2gtk> +<dsa 2023 5458 openjdk-17> +<dsa 2023 5459 amd64-microcode> +<dsa 2023 5460 curl> +<dsa 2023 5462 linux-signed-amd64> +<dsa 2023 5462 linux-signed-arm64> +<dsa 2023 5462 linux-signed-i386> +<dsa 2023 5462 linux> +<dsa 2023 5463 thunderbird> +<dsa 2023 5464 firefox-esr> +<dsa 2023 5465 python-django> +<dsa 2023 5466 ntpsec> +<dsa 2023 5467 chromium> +<dsa 2023 5468 webkit2gtk> +<dsa 2023 5469 thunderbird> +<dsa 2023 5471 libhtmlcleaner-java> +<dsa 2023 5472 cjose> +<dsa 2023 5473 orthanc> +<dsa 2023 5474 intel-microcode> +<dsa 2023 5475 linux-signed-amd64> +<dsa 2023 5475 linux-signed-arm64> +<dsa 2023 5475 linux-signed-i386> +<dsa 2023 5475 linux> +<dsa 2023 5476 gst-plugins-ugly1.0> +<dsa 2023 5477 samba> +<dsa 2023 5479 chromium> +<dsa 2023 5481 fastdds> +<dsa 2023 5482 tryton-server> +<dsa 2023 5483 chromium> +<dsa 2023 5484 librsvg> +<dsa 2023 5485 firefox-esr> +<dsa 2023 5487 chromium> +<dsa 2023 5488 thunderbird> +<dsa 2023 5491 chromium> +<dsa 2023 5492 linux-signed-amd64> +<dsa 2023 5492 linux-signed-arm64> +<dsa 2023 5492 linux-signed-i386> +<dsa 2023 5492 linux> +<dsa 2023 5493 open-vm-tools> +<dsa 2023 5494 mutt> +<dsa 2023 5495 frr> +<dsa 2023 5496 
firefox-esr> +<dsa 2023 5497 libwebp> +<dsa 2023 5498 thunderbird> +<dsa 2023 5501 gnome-shell> +<dsa 2023 5504 bind9> +<dsa 2023 5505 lldpd> +<dsa 2023 5507 jetty9> +<dsa 2023 5510 libvpx> +</table> + + +<h2>Removed packages</h2> + +<p>The following packages were removed due to circumstances beyond our control:</p> + +<table border=0> +<tr><th>Package</th> <th>Reason</th></tr> +<correction https-everywhere "obsolete, major browsers offer native support"> + +</table> + +<h2>Debian Installer</h2> +<p>The installer has been updated to include the fixes incorporated +into stable by the point release.</p> + +<h2>URLs</h2> + +<p>The complete lists of packages that have changed with this revision:</p> + +<div class="center"> + <url "https://deb.debian.org/debian/dists/<downcase <codename>>/ChangeLog"> +</div> + +<p>The current stable distribution:</p> + +<div class="center"> + <url "https://deb.debian.org/debian/dists/stable/"> +</div> + +<p>Proposed updates to the stable distribution:</p> + +<div class="center"> + <url "https://deb.debian.org/debian/dists/proposed-updates"> +</div> + +<p>stable distribution information (release notes, errata etc.):</p> + +<div class="center"> + <a + href="$(HOME)/releases/stable/">https://www.debian.org/releases/stable/</a> +</div> + +<p>Security announcements and information:</p> + +<div class="center"> + <a href="$(HOME)/security/">https://www.debian.org/security/</a> +</div> + +<h2>About Debian</h2> + +<p>The Debian Project is an association of Free Software developers who +volunteer their time and effort in order to produce the completely +free operating system Debian.</p> + +<h2>Contact Information</h2> + +<p>For further information, please visit the Debian web pages at +<a href="$(HOME)/">https://www.debian.org/</a>, send mail to +<press@debian.org>, or contact the stable release team at +<debian-release@lists.debian.org>.</p> + + 
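Review bot: the `rar` row in the Miscellaneous Bugfixes table describes CVE-2023-40477 only as "Upstream bugfix release", while the `unrar-nonfree` row in the same table calls the same CVE a "remote code execution issue" and the 11.8 file in this commit calls it an "arbitrary code execution issue"; readers scanning this table for severity will not see that rar received a code execution fix, so align the wording, e.g. "New upstream release; fix arbitrary code execution issue [CVE-2023-40477]". Two smaller points in the same hunk: the `arctica-greeter` row has "rather then emerald", which should be "rather than emerald"; and the `electrum` row ("Fix a Lightning security issue") carries no bug or CVE reference, so there is no way to trace which issue was fixed, and a reference should be added if one exists. Style only: the `dsa` tag defined at the top of this file already splits its third argument on commas (`split (/,\s*/, "%2")`), so the four `<dsa 2023 5462 …>` rows, and likewise those for 5475 and 5492, could each be one row listing the linux source packages together, keeping the Security Updates table at one row per advisory ID.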
diff --git a/english/News/2023/2023100702.wml b/english/News/2023/2023100702.wml new file mode 100644 index 00000000000..a0db8565172 --- /dev/null +++ b/english/News/2023/2023100702.wml 
@@ -0,0 +1,355 @@ +<define-tag pagetitle>Updated Debian 11: 11.8 released</define-tag> +<define-tag release_date>2023-10-07</define-tag> +#use wml::debian::news +# $Id: + +<define-tag release>11</define-tag> +<define-tag codename>bullseye</define-tag> +<define-tag revision>11.8</define-tag> + +<define-tag dsa> + <tr><td align="center"><a href="$(HOME)/security/%0/dsa-%1">DSA-%1</a></td> + <td align="center"><: + my @p = (); + for my $p (split (/,\s*/, "%2")) { + push (@p, sprintf ('<a href="https://packages.debian.org/src:%s">%s</a>', $p, $p)); + } + print join (", ", @p); +:></td></tr> +</define-tag> + +<define-tag correction> + <tr><td><a href="https://packages.debian.org/src:%0">%0</a></td> <td>%1</td></tr> +</define-tag> + +<define-tag srcpkg><a href="https://packages.debian.org/src:%0">%0</a></define-tag> + +<p>The Debian project is pleased to announce the eighth update of its +oldstable distribution Debian <release> (codename <q><codename></q>). +This point release mainly adds corrections for security issues, +along with a few adjustments for serious problems. Security advisories +have already been published separately and are referenced where available.</p> + +<p>Please note that the point release does not constitute a new version of Debian +<release> but only updates some of the packages included. There is +no need to throw away old <q><codename></q> media. After installation, +packages can be upgraded to the current versions using an up-to-date Debian +mirror.</p> + +<p>Those who frequently install updates from security.debian.org won't have +to update many packages, and most such updates are +included in the point release.</p> + +<p>New installation images will be available soon at the regular locations.</p> + +<p>Upgrading an existing installation to this revision can be achieved by +pointing the package management system at one of Debian's many HTTP mirrors. 
+A comprehensive list of mirrors is available at:</p> + +<div class="center"> + <a href="$(HOME)/mirror/list">https://www.debian.org/mirror/list</a> +</div> + + + + +<h2>Miscellaneous Bugfixes</h2> + +<p>This oldstable update adds a few important corrections to the following packages:</p> + +<table border=0> +<tr><th>Package</th> <th>Reason</th></tr> +<correction adduser "Fix command injection vulnerability in deluser"> +<correction aide "Fix handling of extended attributes on symlinks"> +<correction amd64-microcode "Update included microcode, including fixes for <q>AMD Inception</q> on AMD Zen4 processors [CVE-2023-20569]"> +<correction appstream-glib "Handle <em> and <code> tags in metadata"> +<correction asmtools "Backport to bullseye for future openjdk-11 builds"> +<correction autofs "Fix missing mutex unlock; do not use rpcbind for NFS4 mounts; fix regression determining reachability on dual-stack hosts"> +<correction base-files "Update for the 11.8 point release"> +<correction batik "Fix Server Side Request Forgery issues [CVE-2022-44729 CVE-2022-44730]"> +<correction bmake "Conflict with bsdowl (<< 2.2.2-1.2~) to ensure smooth upgrades"> +<correction boxer-data "Backport thunderbird compatibility fixes"> +<correction ca-certificates-java "Work around unconfigured jre during new installations"> +<correction cairosvg "Handle data: URLs in safe mode"> +<correction cargo-mozilla "New <q>upstream</q> version, to support building newer firefox-esr versions"> +<correction clamav "New upstream stable release; fix denial of service vulnerability via HFS+ parser [CVE-2023-20197]"> +<correction cpio "Fix arbitrary code execution issue [CVE-2021-38185]; replace Suggests: on libarchive1 with libarchive-dev"> +<correction cryptmount "Fix memory-initialization in command-line parser"> +<correction cups "Fix heap-based buffer overflow issues [CVE-2023-4504 CVE-2023-32324], unauthenticated access issue [CVE-2023-32360], use-after-free issue [CVE-2023-34241]"> +<correction 
curl "Fix code execution issues [CVE-2023-27533 CVE-2023-27534], information disclosure issues [CVE-2023-27535 CVE-2023-27536 CVE-2023-28322], inappropriate connection re-use issue [CVE-2023-27538], improper certificate validation issue [CVE-2023-28321]"> +<correction dbus "New upstream stable release; fix denial of service issue [CVE-2023-34969]"> +<correction debian-design "Rebuild using newer boxer-data"> +<correction debian-installer "Increase Linux kernel ABI to 5.10.0-26; rebuild against proposed-updates"> +<correction debian-installer-netboot-images "Rebuild against proposed-updates"> +<correction debian-parl "Rebuild using newer boxer-data"> +<correction debian-security-support "Set DEB_NEXT_VER_ID=12 as bookworm is the next release; security-support-limited: add gnupg1"> +<correction distro-info-data "Add Debian 14 <q>forky</q>; correct Ubuntu 23.04 release date; add Ubuntu 23.10 Mantic Minotaur; add the planned release date for Debian bookworm"> +<correction dkimpy "New upstream bugfix release"> +<correction dpdk "New upstream stable release"> +<correction dpkg "Add support for loong64 CPU; handle missing Version when formatting source:Upstream-Version; fix varbuf memory leak in pkg_source_version()"> +<correction flameshot "Disable uploads to imgur by default; fix name of d/NEWS file in previous upload"> +<correction ghostscript "Fix buffer overflow issue [CVE-2023-38559]; try and secure the IJS server startup [CVE-2023-43115]"> +<correction gitit "Rebuild against new pandoc"> +<correction grunt "Fix race condition in symlink copying [CVE-2022-1537]"> +<correction gss "Add Breaks+Replaces: libgss0 (<< 0.1)"> +<correction haskell-hakyll "Rebuild against new pandoc"> +<correction haskell-pandoc-citeproc "Rebuild against new pandoc"> +<correction hnswlib "Fix double free in init_index when the M argument is a large integer [CVE-2023-37365]"> +<correction horizon "Fix open redirect issue [CVE-2022-45582]"> +<correction inetutils "Check return values for 
set*id() functions, avoiding potential security issues [CVE-2023-40303]"> +<correction krb5 "Fix free of uninitialised pointer [CVE-2023-36054]"> +<correction kscreenlocker "Fix authentication error when using PAM"> +<correction lacme "Handle CA ready, processing and valid states correctly"> +<correction lapack "Fix eigenvector matrix"> +<correction lemonldap-ng "Fix open redirection when OIDC RP has no redirect URIs; fix Server Side Request Forgery issue [CVE-2023-44469]; fix open redirection due to incorrect escape handling"> +<correction libapache-mod-jk "Remove implicit mapping functionality, which could lead to unintended exposure of the status worker and/or bypass of security constraints [CVE-2023-41081]"> +<correction libbsd "Fix infinite loop in MD5File"> +<correction libclamunrar "New upstream stable release"> +<correction libprelude "Make Python module usable"> +<correction libreswan "Fix denial of service issue [CVE-2023-30570]"> +<correction libsignal-protocol-c "Fix integer overflow issue [CVE-2022-48468]"> +<correction linux "New upstream stable release"> +<correction linux-signed-amd64 "New upstream stable release"> +<correction linux-signed-arm64 "New upstream stable release"> +<correction linux-signed-i386 "New upstream stable release"> +<correction logrotate "Avoid replacement of /dev/null with a regular file if used for the state file"> +<correction ltsp "Avoid using <q>mv</q> on init symlink in order to work around overlayfs issue"> +<correction lttng-modules "Fix build issues with newer kernel versions"> +<correction lua5.3 "Fix use after free in lua_upvaluejoin (lapi.c) [CVE-2019-6706]; fix segmentation fault in getlocal and setlocal (ldebug.c) [CVE-2020-24370]"> +<correction mariadb-10.5 "New upstream bugfix release [CVE-2022-47015]"> +<correction mujs "Security fix"> +<correction ncurses "Disallow loading of custom terminfo entries in setuid/setgid programs [CVE-2023-29491]"> +<correction node-css-what "Fix regular expression-based denial of 
service issue [CVE-2022-21222 CVE-2021-33587]"> +<correction node-json5 "Fix prototype pollution issue [CVE-2022-46175]"> +<correction node-tough-cookie "Security fix: prototype pollution [CVE-2023-26136]"> +<correction nvidia-graphics-drivers "New upstream release [CVE-2023-25515 CVE-2023-25516]; improve compatibility with recent kernels"> +<correction nvidia-graphics-drivers-tesla-450 "New upstream release [CVE-2023-25515 CVE-2023-25516]"> +<correction nvidia-graphics-drivers-tesla-470 "New upstream bugfix release [CVE-2023-25515 CVE-2023-25516]"> +<correction openblas "Fix results of DGEMM on AVX512-capable hardware, when the package has been built on pre-AVX2 hardware"> +<correction openssh "Fix remote code execution issue via a forwarded agent socket [CVE-2023-38408]"> +<correction openssl "New upstream stable release; fix denial of service issues [CVE-2023-3446 CVE-2023-3817]"> +<correction org-mode "Fix command injection vulnerability [CVE-2023-28617]"> +<correction pandoc "Fix arbitrary file write issues [CVE-2023-35936 CVE-2023-38745]"> +<correction pev "Fix buffer overflow issue [CVE-2021-45423]"> +<correction php-guzzlehttp-psr7 "Fix improper input validation [CVE-2023-29197]"> +<correction php-nyholm-psr7 "Fix improper input validation issue [CVE-2023-29197]"> +<correction postgis "Fix axis order regression"> +<correction protobuf "Security fixes: DoS in Java [CVE-2021-22569]; NULL pointer dereference [CVE-2021-22570]; memory DoS [CVE-2022-1941]"> +<correction python2.7 "Fix <q>parameter cloaking</q> issue [CVE-2021-23336], URL injection issue [CVE-2022-0391], use-after-free issue [CVE-2022-48560], XML External Entity issue [CVE-2022-48565]; improve constant-time comparisons in compare_digest() [CVE-2022-48566]; improve URL parsing [CVE-2023-24329]; prevent reading unauthenticated data on an SSLSocket [CVE-2023-40217]"> +<correction qemu "Fix infinite loop [CVE-2020-14394], NULL pointer dereference issue [CVE-2021-20196], integer overflow issue 
[CVE-2021-20203], buffer overflow issues [CVE-2021-3507 CVE-2023-3180], denial of service issues [CVE-2021-3930 CVE-2023-3301], use-after-free issue [CVE-2022-0216], possible stack overflow and use-after-free issues [CVE-2023-0330], out-of-bounds read issue [CVE-2023-1544]"> +<correction rar "New upstream release; fix directory traversal issue [CVE-2022-30333]; fix arbitrary code execution issue [CVE-2023-40477]"> +<correction rhonabwy "Fix aesgcm buffer overflow [CVE-2022-32096]"> +<correction roundcube "New upstream stable release; fix cross-site scripting issue [CVE-2023-43770]; Enigma: Fix initial synchronization of private keys"> +<correction rust-cbindgen "New <q>upstream</q> version, to support building newer firefox-esr versions"> +<correction rustc-mozilla "New <q>upstream</q> version, to support building newer firefox-esr versions"> +<correction schleuder "Add versioned dependency on ruby-activerecord"> +<correction sgt-puzzles "Fix various security issues in game loading [CVE-2023-24283 CVE-2023-24284 CVE-2023-24285 CVE-2023-24287 CVE-2023-24288 CVE-2023-24291]"> +<correction spip "Several security fixes; security fix for extended authentification data filtering"> +<correction spyder "Fix broken patch in previous update"> +<correction systemd "Udev: fix creating /dev/serial/by-id/ symlinks for USB devices; fix memory leak on daemon-reload; fix a calendar spec calculation hang on DST change if TZ=Europe/Dublin"> +<correction tang "Fix race condition when creating/rotating keys; assert restrictive permissions on key directory [CVE-2023-1672]; make tangd-rotate-keys executable"> +<correction testng7 "Backport to oldstable for future openjdk-17 builds"> +<correction tinyssh "Work around incoming packets which don't honour max packet length"> +<correction unrar-nonfree "Fix file overwrite issue [CVE-2022-48579]; fix remote code execution issue [CVE-2023-40477]"> +<correction xen "New upstream stable release; fix security issues [CVE-2023-20593 CVE-2023-20569 
CVE-2022-40982]"> +<correction yajl "Memory leak security fix; security fixes: potential denial of service with crafted JSON file [CVE-2017-16516]; heap memory corruption when dealing with large (~2GB) inputs [CVE-2022-24795]; fix incomplete patch for CVE-2023-33460"> +</table> + + +<h2>Security Updates</h2> + + +<p>This revision adds the following security updates to the oldstable release. +The Security Team has already released an advisory for each of these +updates:</p> + +<table border=0> +<tr><th>Advisory ID</th> <th>Package</th></tr> +<dsa 2023 5394 ffmpeg> +<dsa 2023 5395 nodejs> +<dsa 2023 5396 evolution> +<dsa 2023 5396 webkit2gtk> +<dsa 2023 5397 wpewebkit> +<dsa 2023 5398 chromium> +<dsa 2023 5399 odoo> +<dsa 2023 5400 firefox-esr> +<dsa 2023 5401 postgresql-13> +<dsa 2023 5402 linux-signed-amd64> +<dsa 2023 5402 linux-signed-arm64> +<dsa 2023 5402 linux-signed-i386> +<dsa 2023 5402 linux> +<dsa 2023 5403 thunderbird> +<dsa 2023 5404 chromium> +<dsa 2023 5405 libapache2-mod-auth-openidc> +<dsa 2023 5406 texlive-bin> +<dsa 2023 5407 cups-filters> +<dsa 2023 5408 libwebp> +<dsa 2023 5409 libssh> +<dsa 2023 5410 sofia-sip> +<dsa 2023 5411 gpac> +<dsa 2023 5412 libraw> +<dsa 2023 5413 sniproxy> +<dsa 2023 5414 docker-registry> +<dsa 2023 5415 libreoffice> +<dsa 2023 5416 connman> +<dsa 2023 5417 openssl> +<dsa 2023 5418 chromium> +<dsa 2023 5419 c-ares> +<dsa 2023 5420 chromium> +<dsa 2023 5421 firefox-esr> +<dsa 2023 5422 jupyter-core> +<dsa 2023 5423 thunderbird> +<dsa 2023 5424 php7.4> +<dsa 2023 5426 owslib> +<dsa 2023 5427 webkit2gtk> +<dsa 2023 5428 chromium> +<dsa 2023 5430 openjdk-17> +<dsa 2023 5431 sofia-sip> +<dsa 2023 5432 xmltooling> +<dsa 2023 5433 libx11> +<dsa 2023 5434 minidlna> +<dsa 2023 5435 trafficserver> +<dsa 2023 5436 hsqldb1.8.0> +<dsa 2023 5437 hsqldb> +<dsa 2023 5438 asterisk> +<dsa 2023 5439 bind9> +<dsa 2023 5440 chromium> +<dsa 2023 5441 maradns> +<dsa 2023 5442 flask> +<dsa 2023 5443 gst-plugins-base1.0> +<dsa 2023 5444 
gst-plugins-bad1.0> +<dsa 2023 5445 gst-plugins-good1.0> +<dsa 2023 5446 ghostscript> +<dsa 2023 5447 mediawiki> +<dsa 2023 5449 webkit2gtk> +<dsa 2023 5450 firefox-esr> +<dsa 2023 5451 thunderbird> +<dsa 2023 5452 gpac> +<dsa 2023 5453 linux-signed-amd64> +<dsa 2023 5453 linux-signed-arm64> +<dsa 2023 5453 linux-signed-i386> +<dsa 2023 5453 linux> +<dsa 2023 5455 iperf3> +<dsa 2023 5456 chromium> +<dsa 2023 5457 webkit2gtk> +<dsa 2023 5459 amd64-microcode> +<dsa 2023 5461 linux-signed-amd64> +<dsa 2023 5461 linux-signed-arm64> +<dsa 2023 5461 linux-signed-i386> +<dsa 2023 5461 linux> +<dsa 2023 5463 thunderbird> +<dsa 2023 5464 firefox-esr> +<dsa 2023 5465 python-django> +<dsa 2023 5467 chromium> +<dsa 2023 5468 webkit2gtk> +<dsa 2023 5470 python-werkzeug> +<dsa 2023 5471 libhtmlcleaner-java> +<dsa 2023 5472 cjose> +<dsa 2023 5473 orthanc> +<dsa 2023 5474 intel-microcode> +<dsa 2023 5475 linux-signed-amd64> +<dsa 2023 5475 linux-signed-arm64> +<dsa 2023 5475 linux-signed-i386> +<dsa 2023 5475 linux> +<dsa 2023 5476 gst-plugins-ugly1.0> +<dsa 2023 5478 openjdk-11> +<dsa 2023 5479 chromium> +<dsa 2023 5480 linux-signed-amd64> +<dsa 2023 5480 linux-signed-arm64> +<dsa 2023 5480 linux-signed-i386> +<dsa 2023 5480 linux> +<dsa 2023 5481 fastdds> +<dsa 2023 5482 tryton-server> +<dsa 2023 5483 chromium> +<dsa 2023 5484 librsvg> +<dsa 2023 5485 firefox-esr> +<dsa 2023 5486 json-c> +<dsa 2023 5487 chromium> +<dsa 2023 5489 file> +<dsa 2023 5490 aom> +<dsa 2023 5491 chromium> +<dsa 2023 5493 open-vm-tools> +<dsa 2023 5494 mutt> +<dsa 2023 5495 frr> +<dsa 2023 5497 libwebp> +<dsa 2023 5500 flac> +<dsa 2023 5502 xorgxrdp> +<dsa 2023 5502 xrdp> +<dsa 2023 5503 netatalk> +<dsa 2023 5504 bind9> +<dsa 2023 5505 lldpd> +<dsa 2023 5507 jetty9> +<dsa 2023 5510 libvpx> +</table> + + +<h2>Removed packages</h2> + +<p>The following packages were removed due to circumstances beyond our control:</p> + +<table border=0> +<tr><th>Package</th> <th>Reason</th></tr> +<correction atlas-cpp 
"unstable upstream, unsuitable for Debian"> +<correction ember-media "unstable upstream, unsuitable for Debian"> +<correction eris "unstable upstream, unsuitable for Debian"> +<correction libwfut "unstable upstream, unsuitable for Debian"> +<correction mercator "unstable upstream, unsuitable for Debian"> +<correction nomad "security fixes no longer available"> +<correction nomad-driver-lxc "depends on to-be-removed nomad"> +<correction skstream "unstable upstream, unsuitable for Debian"> +<correction varconf "unstable upstream, unsuitable for Debian"> +<correction wfmath "unstable upstream, unsuitable for Debian"> + +</table> + +<h2>Debian Installer</h2> +<p>The installer has been updated to include the fixes incorporated +into oldstable by the point release.</p> + +<h2>URLs</h2> + +<p>The complete lists of packages that have changed with this revision:</p> + +<div class="center"> + <url "https://deb.debian.org/debian/dists/<downcase <codename>>/ChangeLog"> +</div> + +<p>The current oldstable distribution:</p> + +<div class="center"> + <url "https://deb.debian.org/debian/dists/oldstable/"> +</div> + +<p>Proposed updates to the oldstable distribution:</p> + +<div class="center"> + <url "https://deb.debian.org/debian/dists/oldstable-proposed-updates"> +</div> + +<p>oldstable distribution information (release notes, errata etc.):</p> + +<div class="center"> + <a + href="$(HOME)/releases/oldstable/">https://www.debian.org/releases/oldstable/</a> +</div> + +<p>Security announcements and information:</p> + +<div class="center"> + <a href="$(HOME)/security/">https://www.debian.org/security/</a> +</div> + +<h2>About Debian</h2> + +<p>The Debian Project is an association of Free Software developers who +volunteer their time and effort in order to produce the completely +free operating system Debian.</p> + +<h2>Contact Information</h2> + +<p>For further information, please visit the Debian web pages at +<a href="$(HOME)/">https://www.debian.org/</a>, send mail to 
+<press@debian.org>, or contact the stable release team at +<debian-release@lists.debian.org>.</p> + + |
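Review bot: DSA-5396 is listed twice in the Security Updates table, once for evolution and once for webkit2gtk; the other repeated advisory IDs in the table (5402, 5453, 5461, 5475 and 5480 for linux plus the linux-signed-* packages, 5502 for xrdp and xorgxrdp) are single advisories covering several source packages of one upstream, whereas evolution and webkit2gtk are unrelated, so one of these two numbers is probably a typo and should be checked against the DSA index before publishing, since the `<dsa>` tag builds the advisory link directly from that number and a wrong one yields a dead link. Minor wording point in the spip correction: "extended authentification data filtering" should read "authentication".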