Debian GNU/Linux 11 Bullseye's sixth update is now available. With a few significant adjustments for critical vulnerabilities, this point release primarily incorporates security-related fixes.
Updated Debian 11: 11.6 released
The Debian project is pleased to announce the sixth update of its stable distribution Debian 11 (codename bullseye). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 11 but only updates some of the packages included. There is no need to throw away old bullseye media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
Package Reason awstats Fix cross site scripting issue [CVE-2022-46391] base-files Update /etc/debian_version for the 11.6 point release binfmt-support Run binfmt-support.service after systemd-binfmt.service clickhouse Fix out-of-bounds read issues [CVE-2021-42387 CVE-2021-42388], buffer overflow issues [CVE-2021-43304 CVE-2021-43305] containerd CRI plugin: Fix goroutine leak during Exec [CVE-2022-23471] core-async-clojure Fix build failures in test suite dcfldd Fix SHA1 output on big-endian architectures debian-installer Rebuild against proposed-updates; increase Linux kernel ABI to 5.10.0-20 debian-installer-netboot-images Rebuild against proposed-updates debmirror Add non-free-firmware to the default section list distro-info-data Add Ubuntu 23.04, Lunar Lobster; update Debian ELTS end dates; correct Debian 8 (jessie) release date dojo Fix prototype pollution issue [CVE-2021-23450] dovecot-fts-xapian Generate dependency on dovecot ABI version in use during build efitools Fix intermittent build failure due to incorrect dependency in makefile evolution Move Google Contacts addressbooks to CalDAV since the Google Contacts API has been turned off evolution-data-server Move Google Contacts addressbooks to CalDAV since the Google Contacts API has been turned off; fix compatibility with Gmail OAuth changes evolution-ews Fix retrieval of user certificates belonging to contacts g810-led Control device access with uaccess instead of making everything world-writable [CVE-2022-46338] glibc Fix regression in wmemchr and wcslen on CPUs that have AVX2 but not BMI2 (e.g. Intel Haswell) golang-github-go-chef-chef Fix intermittent test failure grub-efi-amd64-signed Don't strip Xen binaries, so they work again; include fonts in the memdisk build for EFI images; fix bug in core file code so errors are handled better; bump Debian SBAT level to 4 grub-efi-arm64-signed Don't strip Xen binaries, so they work again; include fonts in the memdisk build for EFI images; fix bug in core file code so errors are handled better; bump Debian SBAT level to 4 grub-efi-ia32-signed Don't strip Xen binaries, so they work again; include fonts in the memdisk build for EFI images; fix bug in core file code so errors are handled better; bump Debian SBAT level to 4 grub2 Don't strip Xen binaries, so they work again; include fonts in the memdisk build for EFI images; fix bug in core file code so errors are handled better; bump Debian SBAT level to 4 hydrapaper Add missing dependeny on python3-pil isoquery Fix test failure caused by a French translation change in the iso-codes package jtreg6 New package, required to build newer openjdk-11 versions lemonldap-ng Improve session destroy propagation [CVE-2022-37186] leptonlib Fix divide-by-zero [CVE-2022-38266] libapache2-mod-auth-mellon Fix open redirect issue [CVE-2021-3639] libbluray Fix BD-J support with recent Oracle Java updates libconfuse Fix a heap-based buffer over-read in cfg_tilde_expand [CVE-2022-40320] libdatetime-timezone-perl Update included data libtasn1-6 Fix out-of-bounds read issue [CVE-2021-46848] libvncserver Fix memory leak [CVE-2020-29260]; support larger screen sizes linux New upstream stable release; increase ABI to 20; [rt] Update to 5.10.158-rt77 linux-signed-amd64 New upstream stable release; increase ABI to 20; [rt] Update to 5.10.158-rt77 linux-signed-arm64 New upstream stable release; increase ABI to 20; [rt] Update to 5.10.158-rt77 linux-signed-i386 New upstream stable release; increase ABI to 20; [rt] Update to 5.10.158-rt77 mariadb-10.5 New upstream stable release; security fixes [CVE-2018-25032 CVE-2021-46669 CVE-2022-27376 CVE-2022-27377 CVE-2022-27378 CVE-2022-27379 CVE-2022-27380 CVE-2022-27381 CVE-2022-27382 CVE-2022-27383 CVE-2022-27384 CVE-2022-27386 CVE-2022-27387 CVE-2022-27444 CVE-2022-27445 CVE-2022-27446 CVE-2022-27447 CVE-2022-27448 CVE-2022-27449 CVE-2022-27451 CVE-2022-27452 CVE-2022-27455 CVE-2022-27456 CVE-2022-27457 CVE-2022-27458 CVE-2022-32081 CVE-2022-32082 CVE-2022-32083 CVE-2022-32084 CVE-2022-32085 CVE-2022-32086 CVE-2022-32087 CVE-2022-32088 CVE-2022-32089 CVE-2022-32091] mod-wsgi Drop X-Client-IP header when it is not a trusted header [CVE-2022-2255] mplayer Fix several security issues [CVE-2022-38850 CVE-2022-38851 CVE-2022-38855 CVE-2022-38858 CVE-2022-38860 CVE-2022-38861 CVE-2022-38863 CVE-2022-38864 CVE-2022-38865 CVE-2022-38866] mutt Fix gpgme crash when listing keys in a public key block, and public key block listing for old versions of gpgme nano Fix crashes and a potential data loss issue nftables Fix off-by-one / double free error node-hawk Parse URLs using stdlib [CVE-2022-29167] node-loader-utils Fix prototype pollution issue [CVE-2022-37599 CVE-2022-37601], regular expression-based denial of service issue [CVE-2022-37603] node-minimatch Improve protection against regular expression-based denial of service [CVE-2022-3517]; fix regression in patch for CVE-2022-3517 node-qs Fix prototype pollution issue [CVE-2022-24999] node-xmldom Fix prototype pollution issue [CVE-2022-37616]; prevent insertion of non-well-formed nodes [CVE-2022-39353] nvidia-graphics-drivers New upstream release; security fixes [CVE-2022-34670 CVE-2022-34674 CVE-2022-34675 CVE-2022-34677 CVE-2022-34679 CVE-2022-34680 CVE-2022-34682 CVE-2022-42254 CVE-2022-42255 CVE-2022-42256 CVE-2022-42257 CVE-2022-42258 CVE-2022-42259 CVE-2022-42260 CVE-2022-42261 CVE-2022-42262 CVE-2022-42263 CVE-2022-42264] nvidia-graphics-drivers-legacy-390xx New upstream release; security fixes [CVE-2022-34670 CVE-2022-34674 CVE-2022-34675 CVE-2022-34677 CVE-2022-34680 CVE-2022-42257 CVE-2022-42258 CVE-2022-42259] nvidia-graphics-drivers-tesla-450 New upstream release; security fixes [CVE-2022-34670 CVE-2022-34674 CVE-2022-34675 CVE-2022-34677 CVE-2022-34679 CVE-2022-34680 CVE-2022-34682 CVE-2022-42254 CVE-2022-42256 CVE-2022-42257 CVE-2022-42258 CVE-2022-42259 CVE-2022-42260 CVE-2022-42261 CVE-2022-42262 CVE-2022-42263 CVE-2022-42264] nvidia-graphics-drivers-tesla-470 New upstream release; security fixes [CVE-2022-34670 CVE-2022-34674 CVE-2022-34675 CVE-2022-34677 CVE-2022-34679 CVE-2022-34680 CVE-2022-34682 CVE-2022-42254 CVE-2022-42255 CVE-2022-42256 CVE-2022-42257 CVE-2022-42258 CVE-2022-42259 CVE-2022-42260 CVE-2022-42261 CVE-2022-42262 CVE-2022-42263 CVE-2022-42264] omnievents Add missing dependency on libjs-jquery to the omnievents-doc package onionshare Fix denial of service issue [CVE-2022-21689], HTML injection issue [CVE-2022-21690] openvpn-auth-radius Support verify-client-cert directive postfix New upstream stable release postgresql-13 New upstream stable release powerline-gitstatus Fix command injection via malicious repository config [CVE-2022-42906] pysubnettree Fix module build speech-dispatcher Reduce espeak buffer size to avoid synth artifacts spf-engine Fix pyspf-milter failing to start due to an invalid import statement tinyexr Fix heap overflow issues [CVE-2022-34300 CVE-2022-38529] tinyxml Fix infinite loop [CVE-2021-42260] tzdata Update data for Fiji, Mexico and Palestine; update leap seconds list virglrenderer Fix out-of-bounds write issue [CVE-2022-0135] x2gothinclient Make the x2gothinclient-minidesktop package provide the lightdm-greeter virtual package xfig Fix buffer overflow issue [CVE-2021-40241] Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Debian Installer
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
stable distribution information (release notes, errata etc.):
Security announcements and information:
About DebianThe Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
