The eight point release for Debian GNU/Linux 11 is now available.
Updated Debian 11: 11.8 released
The Debian project is pleased to announce the eighth update of its oldstable distribution Debian 11 (codename bullseye). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 11 but only updates some of the packages included. There is no need to throw away old bullseye media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This oldstable update adds a few important corrections to the following packages:
Package Reason adduser Fix command injection vulnerability in deluser aide Fix handling of extended attributes on symlinks amd64-microcode Update included microcode, including fixes for AMD Inception on AMD Zen4 processors [CVE-2023-20569] appstream-glib Handle <em> and <code> tags in metadata asmtools Backport to bullseye for future openjdk-11 builds autofs Fix missing mutex unlock; do not use rpcbind for NFS4 mounts; fix regression determining reachability on dual-stack hosts base-files Update for the 11.8 point release batik Fix Server Side Request Forgery issues [CVE-2022-44729 CVE-2022-44730] bmake Conflict with bsdowl (<< 2.2.2-1.2~) to ensure smooth upgrades boxer-data Backport thunderbird compatibility fixes ca-certificates-java Work around unconfigured jre during new installations cairosvg Handle data: URLs in safe mode cargo-mozilla New upstream version, to support building newer firefox-esr versions clamav New upstream stable release; fix denial of service vulnerability via HFS+ parser [CVE-2023-20197] cpio Fix arbitrary code execution issue [CVE-2021-38185]; replace Suggests: on libarchive1 with libarchive-dev cryptmount Fix memory-initialization in command-line parser cups Fix heap-based buffer overflow issues [CVE-2023-4504 CVE-2023-32324], unauthenticated access issue [CVE-2023-32360], use-after-free issue [CVE-2023-34241] curl Fix code execution issues [CVE-2023-27533 CVE-2023-27534], information disclosure issues [CVE-2023-27535 CVE-2023-27536 CVE-2023-28322], inappropriate connection re-use issue [CVE-2023-27538], improper certificate validation issue [CVE-2023-28321] dbus New upstream stable release; fix denial of service issue [CVE-2023-34969] debian-design Rebuild using newer boxer-data debian-installer Increase Linux kernel ABI to 5.10.0-26; rebuild against proposed-updates debian-installer-netboot-images Rebuild against proposed-updates debian-parl Rebuild using newer boxer-data debian-security-support Set DEB_NEXT_VER_ID=12 as bookworm is the next release; security-support-limited: add gnupg1 distro-info-data Add Debian 14 forky; correct Ubuntu 23.04 release date; add Ubuntu 23.10 Mantic Minotaur; add the planned release date for Debian bookworm dkimpy New upstream bugfix release dpdk New upstream stable release dpkg Add support for loong64 CPU; handle missing Version when formatting source:Upstream-Version; fix varbuf memory leak in pkg_source_version() flameshot Disable uploads to imgur by default; fix name of d/NEWS file in previous upload ghostscript Fix buffer overflow issue [CVE-2023-38559]; try and secure the IJS server startup [CVE-2023-43115] gitit Rebuild against new pandoc grunt Fix race condition in symlink copying [CVE-2022-1537] gss Add Breaks+Replaces: libgss0 (<< 0.1) haskell-hakyll Rebuild against new pandoc haskell-pandoc-citeproc Rebuild against new pandoc hnswlib Fix double free in init_index when the M argument is a large integer [CVE-2023-37365] horizon Fix open redirect issue [CVE-2022-45582] inetutils Check return values for set*id() functions, avoiding potential security issues [CVE-2023-40303] krb5 Fix free of uninitialised pointer [CVE-2023-36054] kscreenlocker Fix authentication error when using PAM lacme Handle CA ready, processing and valid states correctly lapack Fix eigenvector matrix lemonldap-ng Fix open redirection when OIDC RP has no redirect URIs; fix Server Side Request Forgery issue [CVE-2023-44469]; fix open redirection due to incorrect escape handling libapache-mod-jk Remove implicit mapping functionality, which could lead to unintended exposure of the status worker and/or bypass of security constraints [CVE-2023-41081] libbsd Fix infinite loop in MD5File libclamunrar New upstream stable release libprelude Make Python module usable libreswan Fix denial of service issue [CVE-2023-30570] libsignal-protocol-c Fix integer overflow issue [CVE-2022-48468] linux New upstream stable release linux-signed-amd64 New upstream stable release linux-signed-arm64 New upstream stable release linux-signed-i386 New upstream stable release logrotate Avoid replacement of /dev/null with a regular file if used for the state file ltsp Avoid using mv on init symlink in order to work around overlayfs issue lttng-modules Fix build issues with newer kernel versions lua5.3 Fix use after free in lua_upvaluejoin (lapi.c) [CVE-2019-6706]; fix segmentation fault in getlocal and setlocal (ldebug.c) [CVE-2020-24370] mariadb-10.5 New upstream bugfix release [CVE-2022-47015] mujs Security fix ncurses Disallow loading of custom terminfo entries in setuid/setgid programs [CVE-2023-29491] node-css-what Fix regular expression-based denial of service issue [CVE-2022-21222 CVE-2021-33587] node-json5 Fix prototype pollution issue [CVE-2022-46175] node-tough-cookie Security fix: prototype pollution [CVE-2023-26136] nvidia-graphics-drivers New upstream release [CVE-2023-25515 CVE-2023-25516]; improve compatibility with recent kernels nvidia-graphics-drivers-tesla-450 New upstream release [CVE-2023-25515 CVE-2023-25516] nvidia-graphics-drivers-tesla-470 New upstream bugfix release [CVE-2023-25515 CVE-2023-25516] openblas Fix results of DGEMM on AVX512-capable hardware, when the package has been built on pre-AVX2 hardware openssh Fix remote code execution issue via a forwarded agent socket [CVE-2023-38408] openssl New upstream stable release; fix denial of service issues [CVE-2023-3446 CVE-2023-3817] org-mode Fix command injection vulnerability [CVE-2023-28617] pandoc Fix arbitrary file write issues [CVE-2023-35936 CVE-2023-38745] pev Fix buffer overflow issue [CVE-2021-45423] php-guzzlehttp-psr7 Fix improper input validation [CVE-2023-29197] php-nyholm-psr7 Fix improper input validation issue [CVE-2023-29197] postgis Fix axis order regression protobuf Security fixes: DoS in Java [CVE-2021-22569]; NULL pointer dereference [CVE-2021-22570]; memory DoS [CVE-2022-1941] python2.7 Fix parameter cloaking issue [CVE-2021-23336], URL injection issue [CVE-2022-0391], use-after-free issue [CVE-2022-48560], XML External Entity issue [CVE-2022-48565]; improve constant-time comparisons in compare_digest() [CVE-2022-48566]; improve URL parsing [CVE-2023-24329]; prevent reading unauthenticated data on an SSLSocket [CVE-2023-40217] qemu Fix infinite loop [CVE-2020-14394], NULL pointer dereference issue [CVE-2021-20196], integer overflow issue [CVE-2021-20203], buffer overflow issues [CVE-2021-3507 CVE-2023-3180], denial of service issues [CVE-2021-3930 CVE-2023-3301], use-after-free issue [CVE-2022-0216], possible stack overflow and use-after-free issues [CVE-2023-0330], out-of-bounds read issue [CVE-2023-1544] rar New upstream release; fix directory traversal issue [CVE-2022-30333]; fix arbitrary code execution issue [CVE-2023-40477] rhonabwy Fix aesgcm buffer overflow [CVE-2022-32096] roundcube New upstream stable release; fix cross-site scripting issue [CVE-2023-43770]; Enigma: Fix initial synchronization of private keys rust-cbindgen New upstream version, to support building newer firefox-esr versions rustc-mozilla New upstream version, to support building newer firefox-esr versions schleuder Add versioned dependency on ruby-activerecord sgt-puzzles Fix various security issues in game loading [CVE-2023-24283 CVE-2023-24284 CVE-2023-24285 CVE-2023-24287 CVE-2023-24288 CVE-2023-24291] spip Several security fixes; security fix for extended authentification data filtering spyder Fix broken patch in previous update systemd Udev: fix creating /dev/serial/by-id/ symlinks for USB devices; fix memory leak on daemon-reload; fix a calendar spec calculation hang on DST change if TZ=Europe/Dublin tang Fix race condition when creating/rotating keys; assert restrictive permissions on key directory [CVE-2023-1672]; make tangd-rotate-keys executable testng7 Backport to oldstable for future openjdk-17 builds tinyssh Work around incoming packets which don't honour max packet length unrar-nonfree Fix file overwrite issue [CVE-2022-48579]; fix remote code execution issue [CVE-2023-40477] xen New upstream stable release; fix security issues [CVE-2023-20593 CVE-2023-20569 CVE-2022-40982] yajl Memory leak security fix; security fixes: potential denial of service with crafted JSON file [CVE-2017-16516]; heap memory corruption when dealing with large (~2GB) inputs [CVE-2022-24795]; fix incomplete patch for CVE-2023-33460 Security Updates
This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package Reason atlas-cpp unstable upstream, unsuitable for Debian ember-media unstable upstream, unsuitable for Debian eris unstable upstream, unsuitable for Debian libwfut unstable upstream, unsuitable for Debian mercator unstable upstream, unsuitable for Debian nomad security fixes no longer available nomad-driver-lxc depends on to-be-removed nomad skstream unstable upstream, unsuitable for Debian varconf unstable upstream, unsuitable for Debian wfmath unstable upstream, unsuitable for Debian Debian Installer
The installer has been updated to include the fixes incorporated into oldstable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current oldstable distribution:
Proposed updates to the oldstable distribution:
oldstable distribution information (release notes, errata etc.):
Security announcements and information:
