The seventh point release for Debian GNU/Linux 11 is now available.
Updated Debian 11: 11.7 released
The Debian project is pleased to announce the seventh update of its stable distribution Debian 11 (codename bullseye). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 11 but only updates some of the packages included. There is no need to throw away old bullseye media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
Package Reason akregator Fix validity checks, including fixing deletion of feeds and folders apache2 Don't automatically enable apache2-doc.conf; fix regressions in http2 and mod_rewrite introduced in 2.4.56 at-spi2-core Set stop timeout to 5 seconds, so as not to needlessly block system shutdowns avahi Fix local denial of service issue [CVE-2021-3468] base-files Update for the 11.7 point release c-ares Prevent stack overflow and denial of service [CVE-2022-4904] clamav New upstream stable release; fix possible remote code execution issue in the HFS+ file parser [CVE-2023-20032], possible information leak in the DMG file parser [CVE-2023-20052] command-not-found Add new non-free-firmware component, fixing upgrades to bookworm containerd Fix denial of service issue [CVE-2023-25153]; fix possible privilege escalation via incorrect setup of supplementary groups [CVE-2023-25173] crun Fix capability escalation issue due to containers being incorrectly started with non-empty default permissions [CVE-2022-27650] cwltool Add missing dependency on python3-distutils debian-archive-keyring Add bookworm keys; move stretch keys to the removed keyring debian-installer Increase Linux kernel ABI to 5.10.0-22; rebuild against proposed-updates debian-installer-netboot-images Rebuild against proposed-updates debian-ports-archive-keyring Extend the 2023 signing key's expiration by one year; add 2024 signing key; move 2022 signing key to the removed keyring dpdk New upstream stable release duktape Fix crash issue [CVE-2021-46322] e2tools Fix build failure by adding build dependency on e2fsprogs erlang Fix client authentication bypass issue [CVE-2022-37026]; use -O1 optimization for armel because -O2 makes erl segfault on certain platforms, e.g. Marvell exiv2 Security fixes [CVE-2021-29458 CVE-2021-29463 CVE-2021-29464 CVE-2021-29470 CVE-2021-29473 CVE-2021-29623 CVE-2021-32815 CVE-2021-34334 CVE-2021-34335 CVE-2021-3482 CVE-2021-37615 CVE-2021-37616 CVE-2021-37618 CVE-2021-37619 CVE-2021-37620 CVE-2021-37621 CVE-2021-37622 CVE-2021-37623] flask-security Fix open redirect vulnerability [CVE-2021-23385] flatpak New upstream stable release; escape special characters when displaying permissions and metadata [CVE-2023-28101]; don't allow copy/paste via the TIOCLINUX ioctl when running in a Linux virtual console [CVE-2023-28100] galera-3 New upstream stable release ghostscript Fix path for PostScript helper file in ps2epsi glibc Fix memory leak in printf-family functions with long multibyte strings; fix crash in printf-family due to width/precision-dependent allocations; fix segfault in printf handling thousands separator; fix overflow in the AVX2 implementation of wcsnlen when crossing pages golang-github-containers-common Fix parsing of DBUS_SESSION_BUS_ADDRESS golang-github-containers-psgo Do not enter the process user namespace [CVE-2022-1227] golang-github-containers-storage Make previously internal functions publicly accessible, required to allow fixing CVE-2022-1227 in other packages golang-github-prometheus-exporter-toolkit Patch tests to avoid race condition; fix authentication cache poisoning issue [CVE-2022-46146] grep Fix incorrect matching when the last of multiple patterns includes a backreference gtk+3.0 Fix Wayland + EGL on GLES-only platforms guix Fix build failure due to expired keys used in test suite intel-microcode New upstream bug-fix release isc-dhcp Fix IPv6 address lifetime handling jersey1 Fix build failure with libjettison-java 1.5.3 joblib Fix arbitrary code execution issue [CVE-2022-21797] lemonldap-ng Fix URL validation bypass issue; fix 2FA issue when using AuthBasic handler [CVE-2023-28862] libapache2-mod-auth-openidc Fix open redirect issue [CVE-2022-23527] libapreq2 Fix buffer overflow issue [CVE-2022-22728] libdatetime-timezone-perl Update included data libexplain Enhance compatibility with newer kernel versions - Linux 5.11 no longer has if_frad.h, termiox removed since kernel 5.12 libgit2 Enable SSH key verification by default [CVE-2023-22742] libpod Fix privilege escalation issue [CVE-2022-1227]; fix capability escalation issue due to containers being incorrectly started with non-empty default permissions [CVE-2022-27649]; fix parsing of DBUS_SESSION_BUS_ADDRESS libreoffice Change Croatia's default currency to Euro; avoid empty -Djava.class.path= [CVE-2022-38745] libvirt Fix container reboot-related issues; fix test failures when combined with newer Xen versions libxpm Fix infinite loop issues [CVE-2022-44617 CVE-2022-46285]; fix double free issue in error handling code; fix compression commands depend on PATH [CVE-2022-4883] libzen Fix null pointer dereference issue [CVE-2020-36646] linux New upstream stable release; increase ABI to 22; [rt] update to 5.10.176-rt86 linux-signed-amd64 New upstream stable release; increase ABI to 22; [rt] update to 5.10.176-rt86 linux-signed-arm64 New upstream stable release; increase ABI to 22; [rt] update to 5.10.176-rt86 linux-signed-i386 New upstream stable release; increase ABI to 22; [rt] update to 5.10.176-rt86 lxc Fix file existence oracle [CVE-2022-47952] macromoleculebuilder Fix build failure by adding build dependency on docbook-xsl mariadb-10.5 New upstream stable release; revert upstream libmariadb API change mono Remove desktop file ncurses Guard against corrupt terminfo data [CVE-2022-29458]; fix tic crash on very long tc/use clauses needrestart Fix warnings when using -b option node-cookiejar Guard against maliciously-sized cookies [CVE-2022-25901] node-webpack Avoid cross-realm object access [CVE-2023-28154] nvidia-graphics-drivers New upstream release; security fixes [CVE-2023-0180 CVE-2023-0184 CVE-2023-0185 CVE-2023-0187 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199] nvidia-graphics-drivers-tesla-450 New upstream release; security fixes [CVE-2023-0180 CVE-2023-0184 CVE-2023-0185 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199] nvidia-graphics-drivers-tesla-470 New upstream release; security fixes [CVE-2023-0180 CVE-2023-0184 CVE-2023-0185 CVE-2023-0187 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199] nvidia-modprobe New upstream release openvswitch Fix openvswitch-switch update leaves interfaces down passenger Fix compatibility with more recent NodeJS versions phyx Remove unnecessary build dependency on libatlas-cpp postfix New upstream stable release postgis Fix wrong Polar stereographic axis order postgresql-13 New upstream stable release; fix client memory disclosure issue [CVE-2022-41862] python-acme Fix version of created CSRs, to prevent problems with strictly RFC-complying implementations of the ACME API ruby-aws-sdk-core Fix generation of version file ruby-cfpropertylist Fix some functionality by dropping compatibility with Ruby 1.8 shim New upstream release; new upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4 shim-helpers-amd64-signed New upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4 shim-helpers-arm64-signed New upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4 shim-helpers-i386-signed New upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4 shim-signed New upstream stable release; enable NX support at build time; block Debian grub binaries with sbat < 4 snakeyaml Fix denial of service issues [CVE-2022-25857 CVE-2022-38749 CVE-2022-38750 CVE-2022-38751]; add documentation regarding security support / issues spyder Fix duplication of code when saving symfony Remove private headers before storing responses with HttpCache [CVE-2022-24894]; remove CSRF tokens from storage on successful login [CVE-2022-24895] systemd Fix information leak issue [CVE-2022-4415], denial of service issue [CVE-2022-3821]; ata_id: fix getting Response Code from SCSI Sense Data; logind: fix getting property OnExternalPower via D-Bus; fix crash in systemd-machined tomcat9 Add OpenJDK 17 support to JDK detection traceroute Interpret v4mapped-IPv6 addresses as IPv4 tzdata Update included data unbound Fix Non-Responsive Delegation Attack [CVE-2022-3204]; fix ghost domain names issue [CVE-2022-30698 CVE-2022-30699] usb.ids Update included data vagrant Add support for VirtualBox 7.0 voms-api-java Fix build failures by disabling some non-working tests w3m Fix out-of-bounds write issue [CVE-2022-38223] x4d-icons Fix build failure with newer imagemagick versions xapian-core Prevent database corruption on disk exhaustion zfs-linux Add several stability improvements Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package Reason bind-dyndb-ldap Broken with newer bind9 versions; unsupportable in stable matrix-mirage Depends on to-be-removed python-matrix-nio pantalaimon Depends on to-be-removed python-matrix-nio python-matrix-nio Security issues; doesn't work with current Matrix servers weechat-matrix Depends on to-be-removed python-matrix-nio Debian Installer
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
stable distribution information (release notes, errata etc.):
Security announcements and information:
