Updated Debian 11: 11.10 released
The Debian project is pleased to announce the tenth update of its oldstable distribution Debian 11 (codename bullseye). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 11 but only updates some of the packages included. There is no need to throw away old bullseye media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
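As an added illustration of the upgrade path described above (this script is not part of the Debian announcement and is not a Debian tool), the following POSIX shell script checks that apt is pointed at bullseye and at the bullseye-security suite, runs the upgrade, and then confirms that /etc/debian_version reports 11.10 or later. The mirror hostname deb.debian.org in the comment is only an assumed example; any mirror from the Debian mirror list works the same way.

```shell
#!/bin/sh
# Added example (not from the Debian 11.10 announcement): bring an existing
# bullseye installation up to the current point release and verify the result.
# Assumes /etc/apt/sources.list (or a file under sources.list.d) already names
# a Debian mirror such as deb.debian.org, which is just an assumed example here.

# Return 0 when a /etc/debian_version string is 11.10 or later within the 11.x series.
# Non-numeric content such as "bullseye/sid" fails the major-version test.
is_at_least_11_10() {
    ver="$1"
    major="${ver%%.*}"
    minor="${ver#*.}"
    [ "$major" = "11" ] && [ "$minor" -ge 10 ] 2>/dev/null
}

# Return 0 when the given sources text (one apt entry per line) contains both a
# bullseye entry and a bullseye-security entry, so the point release and the
# already-published security advisories are both reachable.
sources_cover_bullseye() {
    printf '%s\n' "$1" | grep -Eq '^deb[[:space:]].*[[:space:]]bullseye[[:space:]]' &&
    printf '%s\n' "$1" | grep -Eq '^deb[[:space:]].*[[:space:]]bullseye-security[[:space:]]'
}

# Refuse to upgrade unless the sources are sane, then upgrade and verify.
point_release_upgrade() {
    sources="$(cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list 2>/dev/null)"
    if ! sources_cover_bullseye "$sources"; then
        echo "apt sources do not cover bullseye and bullseye-security; not upgrading" >&2
        return 1
    fi
    apt-get update && apt-get -y full-upgrade || return 1
    if is_at_least_11_10 "$(cat /etc/debian_version)"; then
        echo "system is now at Debian $(cat /etc/debian_version)"
    else
        echo "upgrade finished but /etc/debian_version is still $(cat /etc/debian_version)" >&2
        return 1
    fi
}

# Only touch the system when explicitly asked, so the functions above can be
# sourced or tested without running apt.
if [ "${DO_POINT_RELEASE_UPGRADE:-0}" = "1" ]; then
    point_release_upgrade
fi
```

Run it as root with DO_POINT_RELEASE_UPGRADE=1; without that variable the script only defines the helper functions. The sources check is deliberately strict about the suite names, so a system that was switched to bookworm or that lacks the security suite is rejected before anything is downloaded.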
Miscellaneous Bugfixes
This oldstable update adds a few important corrections to the following packages:
allegro5: Fix buffer overflow issues [CVE-2021-36489]
amavisd-new: Handle multiple boundary parameters that contain conflicting values [CVE-2024-28054]
bart: Fix build test failures by relaxing a floating-point comparison
bart-cuda: Fix build test failures by relaxing a floating-point comparison
base-files: Update for the point release
cloud-init-22.4.2: Introduce later-versioned replacement for the cloud-init package
cpu: Provide exactly one definition of globalLdap in the ldap plugin
curl: Fix memory leak when HTTP/2 server push is aborted [CVE-2024-2398]
debian-installer: Increase Linux kernel ABI to 5.10.0-30; rebuild against proposed-updates
debian-installer-netboot-images: Rebuild against proposed-updates
debsig-verify: Rebuild for outdated Built-Using
deets: Rebuild for outdated Built-Using
distro-info-data: Declare intentions for bullseye/bookworm; fix past data; add Ubuntu 24.10
django-mailman3: Scrub messages before archiving
dns-root-data: Update root hints; update expired security information
emacs: Protect against unsafe remote resources [CVE-2024-30203 CVE-2024-30204 CVE-2024-30205]; fix memory leak in the patch for CVE-2022-48337
galera-4: New upstream bugfix release; update upstream release signing key; prevent date-related test failures
gdk-pixbuf: ANI: Reject files with multiple anih chunks [CVE-2022-48622]; ANI: Reject files with multiple INAM or IART chunks; ANI: Validate anih chunk size
glib2.0: Fix a (rare) memory leak
gnutls28: Fix assertion failure when verifying a certificate chain with a cycle of cross signatures [CVE-2024-0567]; fix timing side-channel attack inside RSA-PSK key exchange [CVE-2024-0553]
gross: Fix stack-based buffer overflow [CVE-2023-52159]
hovercraft: Depend on python3-setuptools
imlib2: Fix heap buffer overflow when using the tgaflip function in loader_tga.c [CVE-2024-25447 CVE-2024-25448 CVE-2024-25450]
intel-microcode: Fixes for INTEL-SA-00972 [CVE-2023-39368], INTEL-SA-00982 [CVE-2023-38575], INTEL-SA-00898 [CVE-2023-28746], INTEL-SA-00960 [CVE-2023-22655] and INTEL-SA-01045 [CVE-2023-43490]; mitigations for INTEL-SA-01051 [CVE-2023-45733], INTEL-SA-01052 [CVE-2023-46103], INTEL-SA-01036 [CVE-2023-45745, CVE-2023-47855] and unspecified functional issues on various Intel processors
jose: Fix potential denial-of-service issue [CVE-2023-50967]
json-smart: Fix excessive recursion leading to stack overflow [CVE-2023-1370]; fix denial of service via crafted request [CVE-2021-31684]
lacme: Fix post-issuance validation logic
libapache2-mod-auth-openidc: Fix missing input validation leading to DoS [CVE-2024-24814]
libjwt: Fix a timing side channel via strcmp() [CVE-2024-25189]
libkf5ksieve: Prevent leaking passwords into server-side logs
libmicrohttpd: Fix out-of-bounds read with crafted POST requests [CVE-2023-27371]
libssh2: Fix out-of-bounds memory check in _libssh2_packet_add [CVE-2020-22218]
links2: Rebuild for outdated Built-Using
nano: Fix malicious symlink issue [CVE-2024-5742]
ngircd: Respect SSLConnect option for incoming connections; server certificate validation on server links (S2S-TLS); METADATA: fix unsetting cloakhost
nvidia-graphics-drivers: End support for Tesla 450 drivers; build libnvidia-fbc1 for arm64; upstream security fixes [CVE-2022-42265 CVE-2024-0074 CVE-2024-0078]; new upstream stable release; security fixes [CVE-2024-0090 CVE-2024-0092]; fix build on ppc64el
nvidia-graphics-drivers-tesla-450: Convert to transitional packages
nvidia-graphics-drivers-tesla-470: New upstream LTS release [CVE-2024-0074 CVE-2024-0078 CVE-2022-42265 CVE-2024-0090 CVE-2024-0092]; fix build on ppc64el
nvidia-settings: New upstream bugfix release; build for ppc64el
org-mode: Protect against unsafe remote resources [CVE-2024-30203 CVE-2024-30204 CVE-2024-30205]
php-composer-xdebug-handler: Force system dependency loading
php-doctrine-annotations: Force system dependency loading
php-phpseclib: Force system dependency loading; guard isPrime() and randomPrime() for BigInteger [CVE-2024-27354]; limit OID length in ASN1 [CVE-2024-27355]; fix BigInteger getLength()
php-proxy-manager: Force system dependency loading
php-symfony-contracts: Force system dependency loading
php-zend-code: Force system dependency loading
phpseclib: Force system dependency loading; guard isPrime() and randomPrime() for BigInteger [CVE-2024-27354]; limit OID length in ASN1 [CVE-2024-27355]; fix BigInteger getLength()
postfix: Upstream bugfix release
postgresql-13: New upstream stable release
pypdf2: Fix quadratic runtime with malformed PDF missing xref marker [CVE-2023-36810]; fix infinite loop with crafted input [CVE-2022-24859]
python-aiosmtpd: Fix SMTP smuggling issue [CVE-2024-27305]; fix STARTTLS unencrypted command injection issue [CVE-2024-34083]
python-dnslib: Validate transaction ID in client.py
python-idna: Fix denial of service issue [CVE-2024-3651]
python-stdnum: Fix FTBFS when test date is not far enough in the future
qtbase-opensource-src: Security fixes [CVE-2022-25255 CVE-2023-24607 CVE-2023-32762 CVE-2023-32763 CVE-2023-33285 CVE-2023-34410 CVE-2023-37369 CVE-2023-38197 CVE-2023-51714 CVE-2024-25580]
reportbug: Fix suite name to codename mappings to reflect the bookworm release
rust-cbindgen-web: New source package to support builds of newer Firefox ESR versions
rustc-web: Support firefox-esr and thunderbird in bullseye for LTS
sendmail: Fix SMTP smuggling issue [CVE-2023-51765]; add forgotten configuration for rejecting NUL by default
symfony: Force system dependency loading; DateTypeTest: ensure submitted year is an accepted choice
systemd: Meson: drop arch filtering in syscall list; unset TZ before timezone-sensitive unit tests are run
wpa: Fix authentication bypass issue [CVE-2023-52160]
Security Updates
This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
phppgadmin: Security issues
pytest-salt-factories: Only needed for to-be-removed salt
pytest-testinfra: Only needed for to-be-removed salt
salt: Unsupportable, unmaintained
snort: Security concerns, unmaintained
Debian Installer
The installer has been updated to include the fixes incorporated into oldstable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current oldstable distribution:
Proposed updates to the oldstable distribution:
oldstable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.