Updated Debian 11: 11.11 released
The Debian project is pleased to announce the eleventh and final update of its oldstable distribution Debian 11 (codename bullseye). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 11 but only updates some of the packages included. There is no need to throw away old bullseye media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Secure Boot and other operating systems
Users who boot other operating systems on the same hardware, and who have Secure Boot enabled, should be aware that shim 15.8 (included with Debian 11.11) revokes signatures across older versions of shim in the UEFI firmware. This may leave other operating systems using shim before 15.8 unable to boot.
Affected users can temporarily disable Secure Boot before updating other operating systems.
Miscellaneous Bugfixes
This oldstable update adds a few important corrections to the following packages:
Package Reason amd64-microcode New upstream release; security fixes [CVE-2023-31315]; SEV firmware fixes [CVE-2023-20584 CVE-2023-31356] ansible New usptream stable release; fix template injection issue [CVE-2021-3583], information disclosure issue [CVE-2021-3620], file overwrite issue [CVE-2023-5115], template injection issue [CVE-2023-5764], information disclosure issues [CVE-2024-0690 CVE-2022-3697]; document workaround for ec2 private key leak [CVE-2023-4237] apache2 New upstream stable release; fix content disclosure issue [CVE-2024-40725] base-files Update for the point release bind9 Allow the limits introduced to fix CVE-2024-1737 to be configured calibre Fix cross site scripting issue [CVE-2024-7008], SQL injection issue [CVE-2024-7009] choose-mirror Update list of available mirrors cjson Add NULL checks to cJSON_SetValuestring and cJSON_InsertItemInArray [CVE-2023-50472 CVE-2023-50471 CVE-2024-31755] cups Fix issues with domain socket handling [CVE-2024-35235]; fix regression when domain sockets only are used curl Fix ASN.1 date parser overread issue [CVE-2024-7264] debian-installer Increase Linux kernel ABI to 5.10.0-32; rebuild against proposed-updates debian-installer-netboot-images Rebuild against proposed-updates dropbear Fix noremotetcp behaviour of keepalive packets in combination with the no-port-forwarding authorized_keys(5) restriction fusiondirectory Backport compatibility with php-cas version addressing CVE 2022-39369; fix improper session handling issue [CVE-2022-36179]; fix cross site scripting issue [CVE-2022-36180] gettext.js Fix server side request forgery issue [CVE-2024-43370] glewlwyd Fix buffer overflow during webauthn signature assertion [CVE-2022-27240]; prevent directory traversal in static_compressed_inmemory_website_callback.c [CVE-2022-29967]; copy bootstrap, jquery, fork-awesome instead of linking them; buffer overflow during FIDO2 signature validation [CVE-2023-49208] glibc Fix ffsll() performance issue depending on code alignment; performance improvements for memcpy() on arm64; fix y2038 regression in nscd following CVE-2024-33601 and CVE-2024-33602 fix graphviz Fix broken scaling gtk+2.0 Avoid looking for modules in current working directory [CVE-2024-6655] gtk+3.0 Avoid looking for modules in current working directory [CVE-2024-6655] healpix-java Fix build failure imagemagick Fix divide by zero issues [CVE-2021-20312 CVE-2021-20313]; fix incomplete fix for CVE-2023-34151 indent Reinstate ROUND_UP macro and adjust the initial buffer size to fix memory handling problems; fix out-of-buffer read in search_brace()/lexi(); fix heap buffer overwrite in search_brace() [CVE-2023-40305]; heap buffer underread in set_buf_break() [CVE-2024-0911] intel-microcode New upstream release; security fixes [CVE-2023-42667 CVE-2023-49141 CVE-2024-24853 CVE-2024-24980 CVE-2024-25939] libvirt Fix sVirt confinement issue [CVE-2021-3631], use after free issue [CVE-2021-3975], denial of service issues [CVE-2021-3667 CVE-2021-4147 CVE-2022-0897 CVE-2024-1441 CVE-2024-2494 CVE-2024-2496] midge Exclude examples/covers/* for DFSG-compliance; add build-arch/build-indep build targets; use quilt (3.0) source package format mlpost Fix build failure with newer ImageMagick versions net-tools Drop build-dependency on libdnet-dev nfs-utils Pass all valid export flags to nfsd ntfs-3g Fix use-after-free in ntfs_uppercase_mbs [CVE-2023-52890] nvidia-graphics-drivers-tesla-418 Fix use of GPL-only symbols causing build failures nvidia-graphics-drivers-tesla-450 New upstream stable release nvidia-graphics-drivers-tesla-460 New upstream stable release ocsinventory-server Backport compatibility with php-cas version addressing CVE 2022-39369 onionshare Demote obfs4proxy dependency to Recommends, to allow removal of obfs4proxy php-cas Fix Service Hostname Discovery Exploitation issue [CVE-2022-39369] poe.app Make comment cells editable; fix drawing when an NSActionCell in the preferences is acted on to change state putty Fix weak ECDSA nonce generation allowing secret key recovery [CVE-2024-31497] riemann-c-client Prevent malformed payload in GnuTLS send/receive operations runc Fix busybox tarball url; prevent buffer overflow writing netlink messages [CVE-2021-43784]; fix tests on newer kernels; prevent write access to user-owned cgroup hierarchy /sys/fs/cgroup/user.slice/... [CVE-2023-25809]; fix access control regression [CVE-2023-27561 CVE-2023-28642] rustc-web New upstream stable release, to support building new chromium and firefox-esr versions shim New upstream release shim-helpers-amd64-signed Rebuild against shim 15.8.1 shim-helpers-arm64-signed Rebuild against shim 15.8.1 shim-helpers-i386-signed Rebuild against shim 15.8.1 shim-signed New upstream stable release symfony Fix autoloading of HttpClient trinity Fix build failure by dropping support for DECNET usb.ids Update included data list xmedcon Fix heap overflow [CVE-2024-29421] Security Updates
This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package Reason bcachefs-tools Buggy, obsolete dnprogs Buggy, obsolete iotjs Unmaintained, security concerns obfs4proxy Security issues Debian Installer
The installer has been updated to include the fixes incorporated into oldstable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current oldstable distribution:
Proposed updates to the oldstable distribution:
oldstable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
The Debian project has released the eleventh and final update of their oldstable distribution, Debian 11, which includes security fixes and changes to major issues.
