The fifth update of Debian GNU/Linux 11 is now available. This point release mainly adds corrections for security issues, along with a few important corrections for serious problems.
Updated Debian 11: 11.5 released
The Debian project is pleased to announce the fifth update of its stable distribution Debian 11 (codename bullseye). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 11 but only updates some of the packages included. There is no need to throw away old bullseye media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
Package Reason avahi Fix display of URLs containing '&' in avahi-discover; do not disable timeout cleanup on watch cleanup; fix NULL pointer crashes when trying to resolve badly-formatted hostnames [CVE-2021-3502] base-files Update /etc/debian_version for the 11.5 point release cargo-mozilla New source package to support building of newer firefox-esr and thunderbird versions clamav New upstream stable release commons-daemon Fix JVM detection curl Reject cookies with control bytes [CVE-2022-35252] dbus-broker Fix assertion failure when disconnecting peer groups; fix memory leak; fix null pointer dereference [CVE-2022-31213] debian-installer Rebuild against proposed-updates; increase Linux kernel ABI to 5.10.0-18 debian-installer-netboot-images Rebuild against proposed-updates; increase Linux kernel ABI to 5.10.0-18 debian-security-support Update support status of various packages debootstrap Ensure non-merged-usr chroots can continue to be created for older releases and buildd chroots dlt-daemon Fix double free issue [CVE-2022-31291] dnsproxy Listen on localhost by default, rather than the possibly unavailable 192.168.168.1 dovecot Fix possible security issues when two passdb configuration entries exist with the same driver and args settings [CVE-2022-30550] dpkg Fix conffile removal-on-upgrade handling, memory leak in remove-on-upgrade handling; Dpkg::Shlibs::Objdump: Fix apply_relocations to work with versioned symbols; add support for ARCv2 CPU; several updates and fixes to dpkg-fsys-usrunmess fig2dev Fix double free issue [CVE-2021-37529], denial of service issue [CVE-2021-37530]; stop misplacement of embedded eps images foxtrotgps Fix crash by ensuring that threads are always unreferenced gif2apng Fix heap-based buffer overflows [CVE-2021-45909 CVE-2021-45910 CVE-2021-45911] glibc Fix an off-by-one buffer overflow/underflow in getcwd() [CVE-2021-3999]; fix several overflows in wide character functions; add a few EVEX optimized string functions to fix a performance issue (up to 40%) with Skylake-X processors; make grantpt usable after multi-threaded fork; ensure that libio vtable protection is enabled golang-github-pkg-term Fix building on newer Linux kernels gri Use ps2pdf instead of convert for converting from PS to PDF grub-efi-amd64-signed New upstream release grub-efi-arm64-signed New upstream release grub-efi-ia32-signed New upstream release grub2 New upstream release http-parser Unset F_CHUNKED on new Transfer-Encoding, fixing possible HTTP request smuggling issue [CVE-2020-8287] ifenslave Fix bonded interface configurations inetutils Fix buffer overflow issue [CVE-2019-0053], stack exhaustion issue, handling of FTP PASV responses [CVE-2021-40491], denial of service issue [CVE-2022-39028] knot Fix IXFR to AXFR fallback with dnsmasq krb5 Use SHA256 as Pkinit CMS Digest libayatana-appindicator Provide compatibility for software that depends on libappindicator libdatetime-timezone-perl Update included data libhttp-daemon-perl Improve handling of Content-Length header [CVE-2022-31081] libreoffice Support EUR in .hr locale; add HRK<->EUR conversion rate to Calc and the Euro Wizard; security fixes [CVE-2021-25636 CVE-2022-26305 CVE-2022-26306 CVE-2022-26307]; fix hang accessing Evolution address books linux New upstream stable release linux-signed-amd64 New upstream stable release linux-signed-arm64 New upstream stable release linux-signed-i386 New upstream stable release llvm-toolchain-13 New source package to support building of newer firefox-esr and thunderbird versions lwip Fix buffer overflow issues [CVE-2020-22283 CVE-2020-22284] mokutil New upstream version, to allow for SBAT management node-log4js Do not create world-readable files by default [CVE-2022-21704] node-moment Fix regular expression-based denial of service issue [CVE-2022-31129] nvidia-graphics-drivers New upstream release; security fixes [CVE-2022-31607 CVE-2022-31608 CVE-2022-31615] nvidia-graphics-drivers-legacy-390xx New upstream release; security fixes [CVE-2022-31607 CVE-2022-31608 CVE-2022-31615] nvidia-graphics-drivers-tesla-450 New upstream release; security fixes [CVE-2022-31607 CVE-2022-31608 CVE-2022-31615] nvidia-graphics-drivers-tesla-470 New upstream release; security fixes [CVE-2022-31607 CVE-2022-31608 CVE-2022-31615] nvidia-settings New upstream release; fix cross-building nvidia-settings-tesla-470 New upstream release; fix cross-building pcre2 Fix out-of-bounds read issues [CVE-2022-1586 CVE-2022-1587] postgresql-13 Do not let extension scripts replace objects not already belonging to the extension [CVE-2022-2625] publicsuffix Update included data rocksdb Fix illegal instruction on arm64 sbuild Buildd::Mail: support MIME encoded Subject: header, also copy the Content-Type: header when forwarding mail systemd Drop bundled copy of linux/if_arp.h, fixing build failures with newer kernel headers; support detection for ARM64 Hyper-V guests; detect OpenStack instance as KVM on arm twitter-bootstrap4 Actually install CSS map files tzdata Update timezone data for Iran and Chile xtables-addons Support both old and new versions of security_skb_classify_flow() Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package Reason evenement Unmaintained; only needed for already-removed movim php-cocur-slugify Unmaintained; only needed for already-removed movim php-defuse-php-encryption Unmaintained; only needed for already-removed movim php-dflydev-fig-cookies Unmaintained; only needed for already-removed movim php-embed Unmaintained; only needed for already-removed movim php-fabiang-sasl Unmaintained; only needed for already-removed movim php-markdown Unmaintained; only needed for already-removed movim php-raintpl Unmaintained; only needed for already-removed movim php-react-child-process Unmaintained; only needed for already-removed movim php-react-http Unmaintained; only needed for already-removed movim php-respect-validation Unmaintained; only needed for already-removed movim php-robmorgan-phinx Unmaintained; only needed for already-removed movim ratchet-pawl Unmaintained; only needed for already-removed movim ratchet-rfc6455 Unmaintained; only needed for already-removed movim ratchetphp Unmaintained; only needed for already-removed movim reactphp-cache Unmaintained; only needed for already-removed movim reactphp-dns Unmaintained; only needed for already-removed movim reactphp-event-loop Unmaintained; only needed for already-removed movim reactphp-promise-stream Unmaintained; only needed for already-removed movim reactphp-promise-timer Unmaintained; only needed for already-removed movim reactphp-socket Unmaintained; only needed for already-removed movim reactphp-stream Unmaintained; only needed for already-removed movim Debian Installer
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
stable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
