author Jean-Pierre Giraud <jean-pierregiraud@neuf.fr> 2023-10-07 14:15:37 +0200
committer Jean-Pierre Giraud <jean-pierregiraud@neuf.fr> 2023-10-07 14:15:37 +0200
commit 7e9ce6b3f7065fbbce6287410a40acb00b516392
tree 8f69244b218dc1f9eea9c1c806468c537a945442 /english/News
parent 8c28711f6382cc0c4459ddfc8eec23dec8746d3f
Announcement for the 12.2 bookworm and the bullseye point releases
Diffstat (limited to 'english/News')
-rw-r--r-- english/News/2023/20231007.wml 306
-rw-r--r-- english/News/2023/2023100702.wml 355
2 files changed, 661 insertions, 0 deletions
diff --git a/english/News/2023/20231007.wml b/english/News/2023/20231007.wml
new file mode 100644
index 00000000000..c7d402af0c4
--- /dev/null
+++ b/english/News/2023/20231007.wml
@@ -0,0 +1,306 @@
+<define-tag pagetitle>Updated Debian 12: 12.2 released</define-tag>
+<define-tag release_date>2023-10-07</define-tag>
+#use wml::debian::news
+# $Id:
+
+<define-tag release>12</define-tag>
+<define-tag codename>bookworm</define-tag>
+<define-tag revision>12.2</define-tag>
+
+<define-tag dsa>
+ <tr><td align="center"><a href="$(HOME)/security/%0/dsa-%1">DSA-%1</a></td>
+ <td align="center"><:
+ my @p = ();
+ for my $p (split (/,\s*/, "%2")) {
+ push (@p, sprintf ('<a href="https://packages.debian.org/src:%s">%s</a>', $p, $p));
+ }
+ print join (", ", @p);
+:></td></tr>
+</define-tag>
+
+<define-tag correction>
+ <tr><td><a href="https://packages.debian.org/src:%0">%0</a></td> <td>%1</td></tr>
+</define-tag>
+
+<define-tag srcpkg><a href="https://packages.debian.org/src:%0">%0</a></define-tag>
+
+<p>The Debian project is pleased to announce the second update of its
+stable distribution Debian <release> (codename <q><codename></q>).
+This point release mainly adds corrections for security issues,
+along with a few adjustments for serious problems. Security advisories
+have already been published separately and are referenced where available.</p>
+
+<p>Please note that the point release does not constitute a new version of Debian
+<release> but only updates some of the packages included. There is
+no need to throw away old <q><codename></q> media. After installation,
+packages can be upgraded to the current versions using an up-to-date Debian
+mirror.</p>
+
+<p>Those who frequently install updates from security.debian.org won't have
+to update many packages, and most such updates are
+included in the point release.</p>
+
+<p>New installation images will be available soon at the regular locations.</p>
+
+<p>Upgrading an existing installation to this revision can be achieved by
+pointing the package management system at one of Debian's many HTTP mirrors.
+A comprehensive list of mirrors is available at:</p>
+
+<div class="center">
+ <a href="$(HOME)/mirror/list">https://www.debian.org/mirror/list</a>
+</div>
+
+
+
+
+<h2>Miscellaneous Bugfixes</h2>
+
+<p>This stable update adds a few important corrections to the following packages:</p>
+
+<table border=0>
+<tr><th>Package</th> <th>Reason</th></tr>
+<correction amd64-microcode "Update included microcode, including fixes for <q>AMD Inception</q> on AMD Zen4 processors [CVE-2023-20569]">
+<correction arctica-greeter "Support configuring the onscreen keyboard theme via ArcticaGreeter's gsettings; use <q>Compact</q> OSK layout (instead of Small) which includes special keys such as German Umlauts; fix display of authentication failure messages; use active theme rather then emerald">
+<correction autofs "Fix regression determining reachability on dual-stack hosts">
+<correction base-files "Update for the 12.2 point release">
+<correction batik "Fix Server Side Request Forgery issues [CVE-2022-44729 CVE-2022-44730]">
+<correction boxer-data "No longer install https-everywhere for Firefox">
+<correction brltty "xbrlapi: Do not try to start brltty with ba+a2 when unavailable; fix cursor routing and braille panning in Orca when xbrlapi is installed but the a2 screen driver is not">
+<correction ca-certificates-java "Work around unconfigured JRE during new installations">
+<correction cairosvg "Handle data: URLs in safe mode">
+<correction calibre "Fix export feature">
+<correction clamav "New upstream stable release; security fixes [CVE-2023-20197 CVE-2023-20212]">
+<correction cryptmount "Avoid memory initialisation issues in command line parser">
+<correction cups "Fix heap-based buffer overflow issue [CVE-2023-4504]; fix unauthenticated access issue [CVE-2023-32360]">
+<correction curl "Build with OpenLDAP to correct improper fetch of binary LDAP attributes; fix excessive memory consumption issue [CVE-2023-38039]">
+<correction cyrus-imapd "Ensure mailboxes are not lost on upgrades from bullseye">
+<correction dar "Fix issues with creating isolated catalogs when dar was built using a recent gcc version">
+<correction dbus "New upstream stable release; fix a dbus-daemon crash during policy reload if a connection belongs to a user account that has been deleted, or if a Name Service Switch plugin is broken, on kernels not supporting SO_PEERGROUPS; report the error correctly if getting the groups of a uid fails; dbus-user-session: Copy XDG_CURRENT_DESKTOP to activation environment">
+<correction debian-archive-keyring "Clean up leftover keyrings in trusted.gpg.d">
+<correction debian-edu-doc "Update Debian Edu Bookworm manual">
+<correction debian-edu-install "New upstream release; adjust D-I auto-partitioning sizes">
+<correction debian-installer "Increase Linux kernel ABI to 6.1.0-13; rebuild against proposed-updates">
+<correction debian-installer-netboot-images "Rebuild against proposed-updates">
+<correction debian-parl "Rebuild with newer boxer-data; no longer depend on webext-https-everywhere">
+<correction debianutils "Fix duplicate entries in /etc/shells; manage /bin/sh in the state file; fix canonicalization of shells in aliased locations">
+<correction dgit "Use the old /updates security map only for buster; prevent pushing older versions than are already in the archive">
+<correction dhcpcd5 "Ease upgrades with leftovers from wheezy; drop deprecated ntpd integration; fix version in cleanup script">
+<correction dpdk "New upstream stable release">
+<correction dput-ng "Update permitted upload targets; fix failure to build from source">
+<correction efibootguard "Fix Insufficient or missing validation and sanitization of input from untrustworthy bootloader environment files [CVE-2023-39950]">
+<correction electrum "Fix a Lightning security issue">
+<correction filezilla "Fix builds for 32-bit architectures; fix crash when removing filetypes from list">
+<correction firewalld "Don't mix IPv4 and IPv6 addresses in a single nftables rule">
+<correction flann "Drop extra -llz4 from flann.pc">
+<correction foot "Ignore XTGETTCAP queries with invalid hex encodings">
+<correction freedombox "Use n= in apt preferences for smooth upgrades">
+<correction freeradius "Ensure TLS-Client-Cert-Common-Name contains correct data">
+<correction ghostscript "Fix buffer overflow issue [CVE-2023-38559]; try and secure the IJS server startup [CVE-2023-43115]">
+<correction gitit "Rebuild against new pandoc">
+<correction gjs "Avoid infinite loops of idle callbacks if an idle handler is called during GC">
+<correction glibc "Fix the value of F_GETLK/F_SETLK/F_SETLKW with __USE_FILE_OFFSET64 on ppc64el; fix a stack read overflow in getaddrinfo in no-aaaa mode [CVE-2023-4527]; fix use after free in getcanonname [CVE-2023-4806 CVE-2023-5156]; fix _dl_find_object to return correct values even during early startup">
+<correction gosa-plugins-netgroups "Silence deprecation warnings in web interface">
+<correction gosa-plugins-systems "Fix management of DHCP/DNS entries in default theme; fix adding (standalone) <q>Network printer</q> systems; fix generation of target DNs for various system types; fix icon rendering in DHCP servlet; enforce unqualified hostname for workstations">
+<correction gtk+3.0 "New upstream stable release; fix several crashes; show more information in the <q>inspector</q> debugging interface; silence GFileInfo warnings if used with a backported version of GLib; use a light colour for the caret in dark themes, making it much easier to see in some apps, in particular Evince">
+<correction gtk4 "Fix truncation in places sidebar with large text accessibility setting">
+<correction haskell-hakyll "Rebuild against new pandoc">
+<correction highway "Fix support for armhf systems lacking NEON">
+<correction hnswlib "Fix double free in init_index when the M argument is a large integer [CVE-2023-37365]">
+<correction horizon "Fix open redirect issue [CVE-2022-45582]">
+<correction icingaweb2 "Suppress undesirable deprecation notices">
+<correction imlib2 "Fix preservation of alpha channel flag">
+<correction indent "Fix out of buffer read; fix buffer overwrite [CVE-2023-40305]">
+<correction inetutils "Check return values when dropping privileges [CVE-2023-40303]">
+<correction inn2 "Fix nnrpd hangs when compression is enabled; add support for high-precision syslog timestamps; make inn-{radius,secrets}.conf not world readable">
+<correction jekyll "Support YAML aliases">
+<correction kernelshark "Fix segfault in libshark-tepdata; fix capturing when target directory contains a space">
+<correction krb5 "Fix freeing of uninitialised pointer [CVE-2023-36054]">
+<correction lemonldap-ng "Apply login control to auth-slave requests; fix open redirection due to incorrect escape handling; fix open redirection when OIDC RP has no redirect URIs; fix Server Side Request Forgery issue [CVE-2023-44469]">
+<correction libapache-mod-jk "Remove implicit mapping functionality, which could lead to unintended exposure of the status worker and/or bypass of security constraints [CVE-2023-41081]">
+<correction libclamunrar "New upstream stable release">
+<correction libmatemixer "Fix heap corruptions / application crashes when removing audio devices">
+<correction libpam-mklocaluser "pam-auth-update: ensure the module is ordered before other session type modules">
+<correction libxnvctrl "New source package split from nvidia-settings">
+<correction linux "New upstream stable release">
+<correction linux-signed-amd64 "New upstream stable release">
+<correction linux-signed-arm64 "New upstream stable release">
+<correction linux-signed-i386 "New upstream stable release">
+<correction llvm-defaults "Fix /usr/include/lld symlink; add Breaks against not co-installable packages for smoother upgrades from bullseye">
+<correction ltsp "Avoid using mv on init symlink">
+<correction lxc "Fix nftables syntax for IPv6 NAT">
+<correction lxcfs "Fix CPU reporting within an arm32 container with large numbers of CPUs">
+<correction marco "Only enable compositing if it is available">
+<correction mariadb "New upstream bugfix release">
+<correction mate-notification-daemon "Fix two memory leaks">
+<correction mgba "Fix broken audio in libretro core; fix crash on hardware incapable of OpenGL 3.2">
+<correction modsecurity "Fix denial of service issue [CVE-2023-38285]">
+<correction monitoring-plugins "check_disk: avoid mounting when searching for matching mount points, resolving a regression in speed from bullseye">
+<correction mozjs102 "New upstream stable release; fix <q>incorrect value used during WASM compilation</q> [CVE-2023-4046], potential use after free issue [CVE-2023-37202], memory safety issues [CVE-2023-37211 CVE-2023-34416]">
+<correction mutt "New upstream stable release">
+<correction nco "Re-enable udunits2 support">
+<correction nftables "Fix incorrect bytecode generation hit with new kernel check that rejects adding rules to bound chains">
+<correction node-dottie "Security fix (prototype pollution) [CVE-2023-26132]">
+<correction nvidia-settings "New upstream bugfix release">
+<correction nvidia-settings-tesla "New upstream bugfix release">
+<correction nx-libs "Fix missing symlink /usr/share/nx/fonts; fix manpage">
+<correction open-ath9k-htc-firmware "Load correct firmware">
+<correction openbsd-inetd "Fix memory handling issues">
+<correction openrefine "Fix arbitrary code execution issue [CVE-2023-37476]">
+<correction openscap "Fix dependencies of openscap-utils and python3-openscap">
+<correction openssh "Fix remote code execution issue via a forwarded agent socket [CVE-2023-38408]">
+<correction openssl "New upstream stable release; security fixes [CVE-2023-2975 CVE-2023-3446 CVE-2023-3817]">
+<correction pam "Fix pam-auth-update --disable; update Turkish translation">
+<correction pandoc "Fix arbitrary file write issue [CVE-2023-35936]">
+<correction plasma-framework "Fix plasmashell crashes">
+<correction plasma-workspace "Fix crash in krunner">
+<correction python-git "Fix remote code execution issue [CVE-2023-40267], blind local file inclusion issue [CVE-2023-41040]">
+<correction pywinrm "Fix compatibility with Python 3.11">
+<correction qemu "Update to upstream 7.2.5 tree; ui/vnc-clipboard: fix infinite loop in inflate_buffer [CVE-2023-3255]; fix NULL pointer dereference issue [CVE-2023-3354]; fix buffer overflow issue [CVE-2023-3180]">
+<correction qtlocation-opensource-src "Fix freeze when loading map tiles">
+<correction rar "Upstream bugfix release [CVE-2023-40477]">
+<correction reprepro "Fix race condition when using external decompressors">
+<correction rmlint "Fix error in other packages caused by invalid python package version; fix GUI startup failure with recent python3.11">
+<correction roundcube "New upstream stable release; fix OAuth2 authentication; fix cross site scripting issues [CVE-2023-43770]">
+<correction runit-services "dhclient: don't hardcode use of eth1">
+<correction samba "New upstream stable release">
+<correction sitesummary "New upstream release; fix installation of sitesummary-maintenance CRON/systemd-timerd script; fix insecure temporary file and directory creation">
+<correction slbackup-php "Bug fixes: log remote commands to stderr; disable SSH known hosts files; PHP 8 compatibility">
+<correction spamprobe "Fix crashes parsing JPEG attachments">
+<correction stunnel4 "Fix handling of a peer closing TLS connection without proper shutdown messaging">
+<correction systemd "New upstream stable release; fix minor security issue in arm64 and riscv64 systemd-boot (EFI) with device tree blobs loading">
+<correction testng7 "Backport to stable for future openjdk-17 builds">
+<correction timg "Fix buffer overflow vulnerability [CVE-2023-40968]">
+<correction transmission "Replace openssl3 compat patch to fix memory leak">
+<correction unbound "Fix error log flooding when using DNS over TLS with openssl 3.0">
+<correction unrar-nonfree "Fix remote code execution issue [CVE-2023-40477]">
+<correction vorta "Handle ctime and mtime changes in diffs">
+<correction vte2.91 "Invalidate ring view more often when necessary, fixing various assertion failures during event handling">
+<correction x2goserver "x2goruncommand: add support for KDE Plasma 5; x2gostartagent: prevent logfile corruption; keystrokes.cfg: sync with nx-libs; fix encoding of Finnish translation">
+</table>
+
+
+<h2>Security Updates</h2>
+
+
+<p>This revision adds the following security updates to the stable release.
+The Security Team has already released an advisory for each of these
+updates:</p>
+
+<table border=0>
+<tr><th>Advisory ID</th> <th>Package</th></tr>
+<dsa 2023 5454 kanboard>
+<dsa 2023 5455 iperf3>
+<dsa 2023 5456 chromium>
+<dsa 2023 5457 webkit2gtk>
+<dsa 2023 5458 openjdk-17>
+<dsa 2023 5459 amd64-microcode>
+<dsa 2023 5460 curl>
+<dsa 2023 5462 linux-signed-amd64>
+<dsa 2023 5462 linux-signed-arm64>
+<dsa 2023 5462 linux-signed-i386>
+<dsa 2023 5462 linux>
+<dsa 2023 5463 thunderbird>
+<dsa 2023 5464 firefox-esr>
+<dsa 2023 5465 python-django>
+<dsa 2023 5466 ntpsec>
+<dsa 2023 5467 chromium>
+<dsa 2023 5468 webkit2gtk>
+<dsa 2023 5469 thunderbird>
+<dsa 2023 5471 libhtmlcleaner-java>
+<dsa 2023 5472 cjose>
+<dsa 2023 5473 orthanc>
+<dsa 2023 5474 intel-microcode>
+<dsa 2023 5475 linux-signed-amd64>
+<dsa 2023 5475 linux-signed-arm64>
+<dsa 2023 5475 linux-signed-i386>
+<dsa 2023 5475 linux>
+<dsa 2023 5476 gst-plugins-ugly1.0>
+<dsa 2023 5477 samba>
+<dsa 2023 5479 chromium>
+<dsa 2023 5481 fastdds>
+<dsa 2023 5482 tryton-server>
+<dsa 2023 5483 chromium>
+<dsa 2023 5484 librsvg>
+<dsa 2023 5485 firefox-esr>
+<dsa 2023 5487 chromium>
+<dsa 2023 5488 thunderbird>
+<dsa 2023 5491 chromium>
+<dsa 2023 5492 linux-signed-amd64>
+<dsa 2023 5492 linux-signed-arm64>
+<dsa 2023 5492 linux-signed-i386>
+<dsa 2023 5492 linux>
+<dsa 2023 5493 open-vm-tools>
+<dsa 2023 5494 mutt>
+<dsa 2023 5495 frr>
+<dsa 2023 5496 firefox-esr>
+<dsa 2023 5497 libwebp>
+<dsa 2023 5498 thunderbird>
+<dsa 2023 5501 gnome-shell>
+<dsa 2023 5504 bind9>
+<dsa 2023 5505 lldpd>
+<dsa 2023 5507 jetty9>
+<dsa 2023 5510 libvpx>
+</table>
+
+
+<h2>Removed packages</h2>
+
+<p>The following packages were removed due to circumstances beyond our control:</p>
+
+<table border=0>
+<tr><th>Package</th> <th>Reason</th></tr>
+<correction https-everywhere "obsolete, major browsers offer native support">
+
+</table>
+
+<h2>Debian Installer</h2>
+<p>The installer has been updated to include the fixes incorporated
+into stable by the point release.</p>
+
+<h2>URLs</h2>
+
+<p>The complete lists of packages that have changed with this revision:</p>
+
+<div class="center">
+ <url "https://deb.debian.org/debian/dists/<downcase <codename>>/ChangeLog">
+</div>
+
+<p>The current stable distribution:</p>
+
+<div class="center">
+ <url "https://deb.debian.org/debian/dists/stable/">
+</div>
+
+<p>Proposed updates to the stable distribution:</p>
+
+<div class="center">
+ <url "https://deb.debian.org/debian/dists/proposed-updates">
+</div>
+
+<p>stable distribution information (release notes, errata etc.):</p>
+
+<div class="center">
+ <a
+ href="$(HOME)/releases/stable/">https://www.debian.org/releases/stable/</a>
+</div>
+
+<p>Security announcements and information:</p>
+
+<div class="center">
+ <a href="$(HOME)/security/">https://www.debian.org/security/</a>
+</div>
+
+<h2>About Debian</h2>
+
+<p>The Debian Project is an association of Free Software developers who
+volunteer their time and effort in order to produce the completely
+free operating system Debian.</p>
+
+<h2>Contact Information</h2>
+
+<p>For further information, please visit the Debian web pages at
+<a href="$(HOME)/">https://www.debian.org/</a>, send mail to
+&lt;press@debian.org&gt;, or contact the stable release team at
+&lt;debian-release@lists.debian.org&gt;.</p>
+
+
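Review bot: In the Miscellaneous Bugfixes table of 20231007.wml, the rar row reads "Upstream bugfix release [CVE-2023-40477]" while the unrar-nonfree row gives the same CVE as "Fix remote code execution issue", so anyone triaging by the Reason text will underrate the rar update; word the rar row the same way, for example "Upstream bugfix release; fix remote code execution issue [CVE-2023-40477]". The electrum row ("Fix a Lightning security issue") and the systemd row ("fix minor security issue in arm64 and riscv64 systemd-boot") name a security fix with no CVE or bug reference, which the other security rows have; add one where it exists. Smaller points: the arctica-greeter row has "rather then emerald" for "rather than", and the efibootguard row capitalises "Insufficient" mid-sentence.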
diff --git a/english/News/2023/2023100702.wml b/english/News/2023/2023100702.wml
new file mode 100644
index 00000000000..a0db8565172
--- /dev/null
+++ b/english/News/2023/2023100702.wml
@@ -0,0 +1,355 @@
+<define-tag pagetitle>Updated Debian 11: 11.8 released</define-tag>
+<define-tag release_date>2023-10-07</define-tag>
+#use wml::debian::news
+# $Id:
+
+<define-tag release>11</define-tag>
+<define-tag codename>bullseye</define-tag>
+<define-tag revision>11.8</define-tag>
+
+<define-tag dsa>
+ <tr><td align="center"><a href="$(HOME)/security/%0/dsa-%1">DSA-%1</a></td>
+ <td align="center"><:
+ my @p = ();
+ for my $p (split (/,\s*/, "%2")) {
+ push (@p, sprintf ('<a href="https://packages.debian.org/src:%s">%s</a>', $p, $p));
+ }
+ print join (", ", @p);
+:></td></tr>
+</define-tag>
+
+<define-tag correction>
+ <tr><td><a href="https://packages.debian.org/src:%0">%0</a></td> <td>%1</td></tr>
+</define-tag>
+
+<define-tag srcpkg><a href="https://packages.debian.org/src:%0">%0</a></define-tag>
+
+<p>The Debian project is pleased to announce the eighth update of its
+oldstable distribution Debian <release> (codename <q><codename></q>).
+This point release mainly adds corrections for security issues,
+along with a few adjustments for serious problems. Security advisories
+have already been published separately and are referenced where available.</p>
+
+<p>Please note that the point release does not constitute a new version of Debian
+<release> but only updates some of the packages included. There is
+no need to throw away old <q><codename></q> media. After installation,
+packages can be upgraded to the current versions using an up-to-date Debian
+mirror.</p>
+
+<p>Those who frequently install updates from security.debian.org won't have
+to update many packages, and most such updates are
+included in the point release.</p>
+
+<p>New installation images will be available soon at the regular locations.</p>
+
+<p>Upgrading an existing installation to this revision can be achieved by
+pointing the package management system at one of Debian's many HTTP mirrors.
+A comprehensive list of mirrors is available at:</p>
+
+<div class="center">
+ <a href="$(HOME)/mirror/list">https://www.debian.org/mirror/list</a>
+</div>
+
+
+
+
+<h2>Miscellaneous Bugfixes</h2>
+
+<p>This oldstable update adds a few important corrections to the following packages:</p>
+
+<table border=0>
+<tr><th>Package</th> <th>Reason</th></tr>
+<correction adduser "Fix command injection vulnerability in deluser">
+<correction aide "Fix handling of extended attributes on symlinks">
+<correction amd64-microcode "Update included microcode, including fixes for <q>AMD Inception</q> on AMD Zen4 processors [CVE-2023-20569]">
+<correction appstream-glib "Handle &lt;em&gt; and &lt;code&gt; tags in metadata">
+<correction asmtools "Backport to bullseye for future openjdk-11 builds">
+<correction autofs "Fix missing mutex unlock; do not use rpcbind for NFS4 mounts; fix regression determining reachability on dual-stack hosts">
+<correction base-files "Update for the 11.8 point release">
+<correction batik "Fix Server Side Request Forgery issues [CVE-2022-44729 CVE-2022-44730]">
+<correction bmake "Conflict with bsdowl (&lt;&lt; 2.2.2-1.2~) to ensure smooth upgrades">
+<correction boxer-data "Backport thunderbird compatibility fixes">
+<correction ca-certificates-java "Work around unconfigured jre during new installations">
+<correction cairosvg "Handle data: URLs in safe mode">
+<correction cargo-mozilla "New <q>upstream</q> version, to support building newer firefox-esr versions">
+<correction clamav "New upstream stable release; fix denial of service vulnerability via HFS+ parser [CVE-2023-20197]">
+<correction cpio "Fix arbitrary code execution issue [CVE-2021-38185]; replace Suggests: on libarchive1 with libarchive-dev">
+<correction cryptmount "Fix memory-initialization in command-line parser">
+<correction cups "Fix heap-based buffer overflow issues [CVE-2023-4504 CVE-2023-32324], unauthenticated access issue [CVE-2023-32360], use-after-free issue [CVE-2023-34241]">
+<correction curl "Fix code execution issues [CVE-2023-27533 CVE-2023-27534], information disclosure issues [CVE-2023-27535 CVE-2023-27536 CVE-2023-28322], inappropriate connection re-use issue [CVE-2023-27538], improper certificate validation issue [CVE-2023-28321]">
+<correction dbus "New upstream stable release; fix denial of service issue [CVE-2023-34969]">
+<correction debian-design "Rebuild using newer boxer-data">
+<correction debian-installer "Increase Linux kernel ABI to 5.10.0-26; rebuild against proposed-updates">
+<correction debian-installer-netboot-images "Rebuild against proposed-updates">
+<correction debian-parl "Rebuild using newer boxer-data">
+<correction debian-security-support "Set DEB_NEXT_VER_ID=12 as bookworm is the next release; security-support-limited: add gnupg1">
+<correction distro-info-data "Add Debian 14 <q>forky</q>; correct Ubuntu 23.04 release date; add Ubuntu 23.10 Mantic Minotaur; add the planned release date for Debian bookworm">
+<correction dkimpy "New upstream bugfix release">
+<correction dpdk "New upstream stable release">
+<correction dpkg "Add support for loong64 CPU; handle missing Version when formatting source:Upstream-Version; fix varbuf memory leak in pkg_source_version()">
+<correction flameshot "Disable uploads to imgur by default; fix name of d/NEWS file in previous upload">
+<correction ghostscript "Fix buffer overflow issue [CVE-2023-38559]; try and secure the IJS server startup [CVE-2023-43115]">
+<correction gitit "Rebuild against new pandoc">
+<correction grunt "Fix race condition in symlink copying [CVE-2022-1537]">
+<correction gss "Add Breaks+Replaces: libgss0 (&lt;&lt; 0.1)">
+<correction haskell-hakyll "Rebuild against new pandoc">
+<correction haskell-pandoc-citeproc "Rebuild against new pandoc">
+<correction hnswlib "Fix double free in init_index when the M argument is a large integer [CVE-2023-37365]">
+<correction horizon "Fix open redirect issue [CVE-2022-45582]">
+<correction inetutils "Check return values for set*id() functions, avoiding potential security issues [CVE-2023-40303]">
+<correction krb5 "Fix free of uninitialised pointer [CVE-2023-36054]">
+<correction kscreenlocker "Fix authentication error when using PAM">
+<correction lacme "Handle CA ready, processing and valid states correctly">
+<correction lapack "Fix eigenvector matrix">
+<correction lemonldap-ng "Fix open redirection when OIDC RP has no redirect URIs; fix Server Side Request Forgery issue [CVE-2023-44469]; fix open redirection due to incorrect escape handling">
+<correction libapache-mod-jk "Remove implicit mapping functionality, which could lead to unintended exposure of the status worker and/or bypass of security constraints [CVE-2023-41081]">
+<correction libbsd "Fix infinite loop in MD5File">
+<correction libclamunrar "New upstream stable release">
+<correction libprelude "Make Python module usable">
+<correction libreswan "Fix denial of service issue [CVE-2023-30570]">
+<correction libsignal-protocol-c "Fix integer overflow issue [CVE-2022-48468]">
+<correction linux "New upstream stable release">
+<correction linux-signed-amd64 "New upstream stable release">
+<correction linux-signed-arm64 "New upstream stable release">
+<correction linux-signed-i386 "New upstream stable release">
+<correction logrotate "Avoid replacement of /dev/null with a regular file if used for the state file">
+<correction ltsp "Avoid using <q>mv</q> on init symlink in order to work around overlayfs issue">
+<correction lttng-modules "Fix build issues with newer kernel versions">
+<correction lua5.3 "Fix use after free in lua_upvaluejoin (lapi.c) [CVE-2019-6706]; fix segmentation fault in getlocal and setlocal (ldebug.c) [CVE-2020-24370]">
+<correction mariadb-10.5 "New upstream bugfix release [CVE-2022-47015]">
+<correction mujs "Security fix">
+<correction ncurses "Disallow loading of custom terminfo entries in setuid/setgid programs [CVE-2023-29491]">
+<correction node-css-what "Fix regular expression-based denial of service issue [CVE-2022-21222 CVE-2021-33587]">
+<correction node-json5 "Fix prototype pollution issue [CVE-2022-46175]">
+<correction node-tough-cookie "Security fix: prototype pollution [CVE-2023-26136]">
+<correction nvidia-graphics-drivers "New upstream release [CVE-2023-25515 CVE-2023-25516]; improve compatibility with recent kernels">
+<correction nvidia-graphics-drivers-tesla-450 "New upstream release [CVE-2023-25515 CVE-2023-25516]">
+<correction nvidia-graphics-drivers-tesla-470 "New upstream bugfix release [CVE-2023-25515 CVE-2023-25516]">
+<correction openblas "Fix results of DGEMM on AVX512-capable hardware, when the package has been built on pre-AVX2 hardware">
+<correction openssh "Fix remote code execution issue via a forwarded agent socket [CVE-2023-38408]">
+<correction openssl "New upstream stable release; fix denial of service issues [CVE-2023-3446 CVE-2023-3817]">
+<correction org-mode "Fix command injection vulnerability [CVE-2023-28617]">
+<correction pandoc "Fix arbitrary file write issues [CVE-2023-35936 CVE-2023-38745]">
+<correction pev "Fix buffer overflow issue [CVE-2021-45423]">
+<correction php-guzzlehttp-psr7 "Fix improper input validation [CVE-2023-29197]">
+<correction php-nyholm-psr7 "Fix improper input validation issue [CVE-2023-29197]">
+<correction postgis "Fix axis order regression">
+<correction protobuf "Security fixes: DoS in Java [CVE-2021-22569]; NULL pointer dereference [CVE-2021-22570]; memory DoS [CVE-2022-1941]">
+<correction python2.7 "Fix <q>parameter cloaking</q> issue [CVE-2021-23336], URL injection issue [CVE-2022-0391], use-after-free issue [CVE-2022-48560], XML External Entity issue [CVE-2022-48565]; improve constant-time comparisons in compare_digest() [CVE-2022-48566]; improve URL parsing [CVE-2023-24329]; prevent reading unauthenticated data on an SSLSocket [CVE-2023-40217]">
+<correction qemu "Fix infinite loop [CVE-2020-14394], NULL pointer dereference issue [CVE-2021-20196], integer overflow issue [CVE-2021-20203], buffer overflow issues [CVE-2021-3507 CVE-2023-3180], denial of service issues [CVE-2021-3930 CVE-2023-3301], use-after-free issue [CVE-2022-0216], possible stack overflow and use-after-free issues [CVE-2023-0330], out-of-bounds read issue [CVE-2023-1544]">
+<correction rar "New upstream release; fix directory traversal issue [CVE-2022-30333]; fix arbitrary code execution issue [CVE-2023-40477]">
+<correction rhonabwy "Fix aesgcm buffer overflow [CVE-2022-32096]">
+<correction roundcube "New upstream stable release; fix cross-site scripting issue [CVE-2023-43770]; Enigma: Fix initial synchronization of private keys">
+<correction rust-cbindgen "New <q>upstream</q> version, to support building newer firefox-esr versions">
+<correction rustc-mozilla "New <q>upstream</q> version, to support building newer firefox-esr versions">
+<correction schleuder "Add versioned dependency on ruby-activerecord">
+<correction sgt-puzzles "Fix various security issues in game loading [CVE-2023-24283 CVE-2023-24284 CVE-2023-24285 CVE-2023-24287 CVE-2023-24288 CVE-2023-24291]">
+<correction spip "Several security fixes; security fix for extended authentification data filtering">
+<correction spyder "Fix broken patch in previous update">
+<correction systemd "Udev: fix creating /dev/serial/by-id/ symlinks for USB devices; fix memory leak on daemon-reload; fix a calendar spec calculation hang on DST change if TZ=Europe/Dublin">
+<correction tang "Fix race condition when creating/rotating keys; assert restrictive permissions on key directory [CVE-2023-1672]; make tangd-rotate-keys executable">
+<correction testng7 "Backport to oldstable for future openjdk-17 builds">
+<correction tinyssh "Work around incoming packets which don't honour max packet length">
+<correction unrar-nonfree "Fix file overwrite issue [CVE-2022-48579]; fix remote code execution issue [CVE-2023-40477]">
+<correction xen "New upstream stable release; fix security issues [CVE-2023-20593 CVE-2023-20569 CVE-2022-40982]">
+<correction yajl "Memory leak security fix; security fixes: potential denial of service with crafted JSON file [CVE-2017-16516]; heap memory corruption when dealing with large (~2GB) inputs [CVE-2022-24795]; fix incomplete patch for CVE-2023-33460">
+</table>
+
+
+<h2>Security Updates</h2>
+
+
+<p>This revision adds the following security updates to the oldstable release.
+The Security Team has already released an advisory for each of these
+updates:</p>
+
+<table border=0>
+<tr><th>Advisory ID</th> <th>Package</th></tr>
+<dsa 2023 5394 ffmpeg>
+<dsa 2023 5395 nodejs>
+<dsa 2023 5396 evolution>
+<dsa 2023 5396 webkit2gtk>
+<dsa 2023 5397 wpewebkit>
+<dsa 2023 5398 chromium>
+<dsa 2023 5399 odoo>
+<dsa 2023 5400 firefox-esr>
+<dsa 2023 5401 postgresql-13>
+<dsa 2023 5402 linux-signed-amd64>
+<dsa 2023 5402 linux-signed-arm64>
+<dsa 2023 5402 linux-signed-i386>
+<dsa 2023 5402 linux>
+<dsa 2023 5403 thunderbird>
+<dsa 2023 5404 chromium>
+<dsa 2023 5405 libapache2-mod-auth-openidc>
+<dsa 2023 5406 texlive-bin>
+<dsa 2023 5407 cups-filters>
+<dsa 2023 5408 libwebp>
+<dsa 2023 5409 libssh>
+<dsa 2023 5410 sofia-sip>
+<dsa 2023 5411 gpac>
+<dsa 2023 5412 libraw>
+<dsa 2023 5413 sniproxy>
+<dsa 2023 5414 docker-registry>
+<dsa 2023 5415 libreoffice>
+<dsa 2023 5416 connman>
+<dsa 2023 5417 openssl>
+<dsa 2023 5418 chromium>
+<dsa 2023 5419 c-ares>
+<dsa 2023 5420 chromium>
+<dsa 2023 5421 firefox-esr>
+<dsa 2023 5422 jupyter-core>
+<dsa 2023 5423 thunderbird>
+<dsa 2023 5424 php7.4>
+<dsa 2023 5426 owslib>
+<dsa 2023 5427 webkit2gtk>
+<dsa 2023 5428 chromium>
+<dsa 2023 5430 openjdk-17>
+<dsa 2023 5431 sofia-sip>
+<dsa 2023 5432 xmltooling>
+<dsa 2023 5433 libx11>
+<dsa 2023 5434 minidlna>
+<dsa 2023 5435 trafficserver>
+<dsa 2023 5436 hsqldb1.8.0>
+<dsa 2023 5437 hsqldb>
+<dsa 2023 5438 asterisk>
+<dsa 2023 5439 bind9>
+<dsa 2023 5440 chromium>
+<dsa 2023 5441 maradns>
+<dsa 2023 5442 flask>
+<dsa 2023 5443 gst-plugins-base1.0>
+<dsa 2023 5444 gst-plugins-bad1.0>
+<dsa 2023 5445 gst-plugins-good1.0>
+<dsa 2023 5446 ghostscript>
+<dsa 2023 5447 mediawiki>
+<dsa 2023 5449 webkit2gtk>
+<dsa 2023 5450 firefox-esr>
+<dsa 2023 5451 thunderbird>
+<dsa 2023 5452 gpac>
+<dsa 2023 5453 linux-signed-amd64>
+<dsa 2023 5453 linux-signed-arm64>
+<dsa 2023 5453 linux-signed-i386>
+<dsa 2023 5453 linux>
+<dsa 2023 5455 iperf3>
+<dsa 2023 5456 chromium>
+<dsa 2023 5457 webkit2gtk>
+<dsa 2023 5459 amd64-microcode>
+<dsa 2023 5461 linux-signed-amd64>
+<dsa 2023 5461 linux-signed-arm64>
+<dsa 2023 5461 linux-signed-i386>
+<dsa 2023 5461 linux>
+<dsa 2023 5463 thunderbird>
+<dsa 2023 5464 firefox-esr>
+<dsa 2023 5465 python-django>
+<dsa 2023 5467 chromium>
+<dsa 2023 5468 webkit2gtk>
+<dsa 2023 5470 python-werkzeug>
+<dsa 2023 5471 libhtmlcleaner-java>
+<dsa 2023 5472 cjose>
+<dsa 2023 5473 orthanc>
+<dsa 2023 5474 intel-microcode>
+<dsa 2023 5475 linux-signed-amd64>
+<dsa 2023 5475 linux-signed-arm64>
+<dsa 2023 5475 linux-signed-i386>
+<dsa 2023 5475 linux>
+<dsa 2023 5476 gst-plugins-ugly1.0>
+<dsa 2023 5478 openjdk-11>
+<dsa 2023 5479 chromium>
+<dsa 2023 5480 linux-signed-amd64>
+<dsa 2023 5480 linux-signed-arm64>
+<dsa 2023 5480 linux-signed-i386>
+<dsa 2023 5480 linux>
+<dsa 2023 5481 fastdds>
+<dsa 2023 5482 tryton-server>
+<dsa 2023 5483 chromium>
+<dsa 2023 5484 librsvg>
+<dsa 2023 5485 firefox-esr>
+<dsa 2023 5486 json-c>
+<dsa 2023 5487 chromium>
+<dsa 2023 5489 file>
+<dsa 2023 5490 aom>
+<dsa 2023 5491 chromium>
+<dsa 2023 5493 open-vm-tools>
+<dsa 2023 5494 mutt>
+<dsa 2023 5495 frr>
+<dsa 2023 5497 libwebp>
+<dsa 2023 5500 flac>
+<dsa 2023 5502 xorgxrdp>
+<dsa 2023 5502 xrdp>
+<dsa 2023 5503 netatalk>
+<dsa 2023 5504 bind9>
+<dsa 2023 5505 lldpd>
+<dsa 2023 5507 jetty9>
+<dsa 2023 5510 libvpx>
+</table>
+
+
+<h2>Removed packages</h2>
+
+<p>The following packages were removed due to circumstances beyond our control:</p>
+
+<table border=0>
+<tr><th>Package</th> <th>Reason</th></tr>
+<correction atlas-cpp "unstable upstream, unsuitable for Debian">
+<correction ember-media "unstable upstream, unsuitable for Debian">
+<correction eris "unstable upstream, unsuitable for Debian">
+<correction libwfut "unstable upstream, unsuitable for Debian">
+<correction mercator "unstable upstream, unsuitable for Debian">
+<correction nomad "security fixes no longer available">
+<correction nomad-driver-lxc "depends on to-be-removed nomad">
+<correction skstream "unstable upstream, unsuitable for Debian">
+<correction varconf "unstable upstream, unsuitable for Debian">
+<correction wfmath "unstable upstream, unsuitable for Debian">
+
+</table>
+
+<h2>Debian Installer</h2>
+<p>The installer has been updated to include the fixes incorporated
+into oldstable by the point release.</p>
+
+<h2>URLs</h2>
+
+<p>The complete lists of packages that have changed with this revision:</p>
+
+<div class="center">
+ <url "https://deb.debian.org/debian/dists/<downcase <codename>>/ChangeLog">
+</div>
+
+<p>The current oldstable distribution:</p>
+
+<div class="center">
+ <url "https://deb.debian.org/debian/dists/oldstable/">
+</div>
+
+<p>Proposed updates to the oldstable distribution:</p>
+
+<div class="center">
+ <url "https://deb.debian.org/debian/dists/oldstable-proposed-updates">
+</div>
+
+<p>oldstable distribution information (release notes, errata etc.):</p>
+
+<div class="center">
+ <a
+ href="$(HOME)/releases/oldstable/">https://www.debian.org/releases/oldstable/</a>
+</div>
+
+<p>Security announcements and information:</p>
+
+<div class="center">
+ <a href="$(HOME)/security/">https://www.debian.org/security/</a>
+</div>
+
+<h2>About Debian</h2>
+
+<p>The Debian Project is an association of Free Software developers who
+volunteer their time and effort in order to produce the completely
+free operating system Debian.</p>
+
+<h2>Contact Information</h2>
+
+<p>For further information, please visit the Debian web pages at
+<a href="$(HOME)/">https://www.debian.org/</a>, send mail to
+&lt;press@debian.org&gt;, or contact the stable release team at
+&lt;debian-release@lists.debian.org&gt;.</p>
+
+
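Review bot: in the yajl row of the corrections table, "fix incomplete patch for CVE-2023-33460" is the only CVE reference among the visible rows that is not in the bracketed [CVE-...] form, and the entry opens with the redundant "Memory leak security fix; security fixes:", so a reader scanning for bracketed identifiers can miss it. Suggest rewording the entry as a single list of fixes with every CVE identifier in brackets. In the Security Updates table, DSA 5396, 5402, 5453, 5461, 5475, 5480 and 5502 each take several rows. If this file's dsa tag splits its package argument on commas, as the definition in 20231007.wml does, one row per advisory with a comma-separated package list would be easier to scan. The Removed packages table also has a stray blank line before </table> that the other two tables lack.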
