----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 250-1     debian-release@lists.debian.org
https://www.debian.org/                                       Adam D. Barratt
February 5th, 2024
----------------------------------------------------------------------------

Upcoming Debian 12 Update (12.5)

An update to Debian 12 is scheduled for Saturday, February 10th, 2024. As of
now it will include the following bug fixes. They can be found in
"bookworm-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "bookworm-updates".

Testing and feedback would be appreciated. Bugs should be filed in the Debian
Bug Tracking System, but please make the Release Team aware of them by copying
"debian-release@lists.debian.org" on your mails.

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following packages:

Package                       Reason
-------                       ------
apktool                       Prevent arbitrary file writes with malicious
                              resource names [CVE-2024-21633]
atril                         Fix crash when opening some epub files; fix index
                              loading for certain epub documents; add fallback
                              for malformed epub files in check_mime_type; use
                              libarchive instead of external command for
                              extracting documents [CVE-2023-51698]
base-files                    Update for the 12.5 point release
caja                          Fix desktop rendering artifacts after resolution
                              changes; fix use of "informal" date format
calibre                       Fix "HTML Input: Don't add resources that exist
                              outside the folder hierarchy rooted at the parent
                              folder of the input HTML file by default"
                              [CVE-2023-46303]
compton                       Remove recommendation of picom
cryptsetup                    cryptsetup-initramfs: Add support for compressed
                              kernel modules; cryptsetup-suspend-wrapper: Don't
                              error out on missing /lib/systemd/system-sleep
                              directory; add_modules(): Change suffix drop logic
                              to match initramfs-tools
debian-edu-artwork            Provide an Emerald theme based artwork for Debian
                              Edu 12
debian-edu-config             New upstream release
debian-edu-doc                Update included documentation and translations
debian-edu-fai                New upstream release
debian-edu-install            New upstream release; fix security sources.list
debian-installer              Increase Linux kernel ABI to 6.1.0-18; rebuild
                              against proposed-updates
debian-ports-archive-keyring  Add Debian Ports Archive Automatic Signing Key
                              (2025)
dpdk                          New upstream stable release
dropbear                      Fix "terrapin attack" [CVE-2023-48795]
engrampa                      Fix several memory leaks; fix archive "save as"
                              functionality
espeak-ng                     Fix buffer overflow issues [CVE-2023-49990
                              CVE-2023-49992 CVE-2023-49993], buffer underflow
                              issue [CVE-2023-49991], floating point exception
                              issue [CVE-2023-49994]
filezilla                     Prevent 'Terrapin' exploit [CVE-2023-48795]
fish                          Handle Unicode non-printing characters safely when
                              given as command substitution [CVE-2023-49284]
fssync                        Disable flaky tests
gnutls28                      Fix assertion failure when verifying a certificate
                              chain with a cycle of cross signatures
                              [CVE-2024-0567]; fix timing side-channel issue
                              [CVE-2024-0553]
indent                        Fix buffer under read issue [CVE-2024-0911]
isl                           Fix use on older CPUs
jtreg7                        New source package to support builds of openjdk-17
libdatetime-timezone-perl     Update included timezone data
libde265                      Fix buffer overflow issues [CVE-2023-49465
                              CVE-2023-49467 CVE-2023-49468]
libfirefox-marionette-perl    Fix compatibility with newer firefox-esr versions
libmateweather                Fix URL for aviationweather.gov
libspreadsheet-parsexlsx-perl Fix possible memory bomb [CVE-2024-22368]; fix
                              XML External Entity issue [CVE-2024-23525]
linux                         New upstream stable release; bump ABI to 18
localslackirc                 Send authorization and cookie headers to the
                              websocket
mariadb                       New upstream stable release; fix denial of service
                              issue [CVE-2023-22084]
mate-screensaver              Fix memory leaks
mate-settings-daemon          Fix memory leaks; relax High DPI limits; fix
                              handling of multiple rfkill events
mate-utils                    Fix various memory leaks
monitoring-plugins            Fix check_http plugin when "--no-body" is used and
                              the upstream response is chunked
needrestart                   Fix microcode check regression on AMD CPUs
netplan.io                    Fix autopkgtests with newer systemd versions
nextcloud-desktop             Fix "fails to sync files with special chars like
                              ':'"; fix two-factor authentication notifications
node-yarnpkg                  Fix use with Commander 8
onionprobe                    Fix initialisation of Tor if using hashed
                              passwords
pipewire                      Use malloc_trim() when available to release memory
pluma                         Fix memory leak issues; fix double activation of
                              extensions
postfix                       New upstream stable release; address SMTP
                              smuggling issue [CVE-2023-51764]
proftpd-dfsg                  Implement fix for the Terrapin attack
                              [CVE-2023-48795]; fix out-of-bounds read issue
                              [CVE-2023-51713]
proftpd-mod-proxy             Implement fix for the Terrapin attack
                              [CVE-2023-48795]
pypdf                         Fix infinite loop issue [CVE-2023-36464]
pypdf2                        Fix infinite loop issue [CVE-2023-36464]
pypy3                         Avoid an rpython assertion error in the JIT if
                              integer ranges don't overlap in a loop
qemu                          New upstream stable release; virtio-net: correctly
                              copy vnet header when flushing TX [CVE-2023-6693];
                              fix null pointer dereference issue [CVE-2023-6683]
rpm                           Enable the read-only BerkeleyDB backend
rss-glx                       Install screensavers into
                              /usr/libexec/xscreensaver; call GLFinish() prior
                              to glXSwapBuffers()
spip                          Fix two cross-site scripting issues
swupdate                      Prevent acquiring root privileges through
                              inappropriate socket mode
systemd                       New upstream stable release; fix missing
                              verification issue in systemd-resolved
                              [CVE-2023-7008]
tar                           Fix boundary checking in base-256 decoder
                              [CVE-2022-48303], handling of extended header
                              prefixes [CVE-2023-39804]
tinyxml                       Fix assertion issue [CVE-2023-34194]
tzdata                        New upstream stable release
usb.ids                       Update included data list
usbutils                      Fix usb-devices not printing all devices
usrmerge                      Clean up biarch directories when not needed; don't
                              run convert-etc-shells again on converted systems;
                              handle mounted /lib/modules on Xen systems;
                              improve error reporting; add versioned conflicts
                              with libc-bin, dhcpcd, libparted1.8-10 and
                              lustre-utils
wolfssl                       Fix security issue when client sent neither PSK
                              nor KSE extensions [CVE-2023-3724]
xen                           New upstream stable release; security fixes
                              [CVE-2023-46837 CVE-2023-46839 CVE-2023-46840]

A complete list of all accepted and rejected packages together with rationale
is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".