Debian 10216 Published by

The Debian project has released the second update for Debian GNU/Linux 12 Bookworm, which includes security updates and a few fixes for serious issues.



Updated Debian 12: 12.2 released

The Debian project is pleased to announce the second update of its stable distribution Debian 12 (codename bookworm). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 12 but only updates some of the packages included. There is no need to throw away old bookworm media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

Debian_12

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

PackageReason
amd64-microcodeUpdate included microcode, including fixes for AMD Inception on AMD Zen4 processors [CVE-2023-20569]
arctica-greeterSupport configuring the onscreen keyboard theme via ArcticaGreeter's gsettings; use Compact OSK layout (instead of Small) which includes special keys such as German Umlauts; fix display of authentication failure messages; use active theme rather then emerald
autofsFix regression determining reachability on dual-stack hosts
base-filesUpdate for the 12.2 point release
batikFix Server Side Request Forgery issues [CVE-2022-44729 CVE-2022-44730]
boxer-dataNo longer install https-everywhere for Firefox
brlttyxbrlapi: Do not try to start brltty with ba+a2 when unavailable; fix cursor routing and braille panning in Orca when xbrlapi is installed but the a2 screen driver is not
ca-certificates-javaWork around unconfigured JRE during new installations
cairosvgHandle data: URLs in safe mode
calibreFix export feature
clamavNew upstream stable release; security fixes [CVE-2023-20197 CVE-2023-20212]
cryptmountAvoid memory initialisation issues in command line parser
cupsFix heap-based buffer overflow issue [CVE-2023-4504]; fix unauthenticated access issue [CVE-2023-32360]
curlBuild with OpenLDAP to correct improper fetch of binary LDAP attributes; fix excessive memory consumption issue [CVE-2023-38039]
cyrus-imapdEnsure mailboxes are not lost on upgrades from bullseye
darFix issues with creating isolated catalogs when dar was built using a recent gcc version
dbusNew upstream stable release; fix a dbus-daemon crash during policy reload if a connection belongs to a user account that has been deleted, or if a Name Service Switch plugin is broken, on kernels not supporting SO_PEERGROUPS; report the error correctly if getting the groups of a uid fails; dbus-user-session: Copy XDG_CURRENT_DESKTOP to activation environment
debian-archive-keyringClean up leftover keyrings in trusted.gpg.d
debian-edu-docUpdate Debian Edu Bookworm manual
debian-edu-installNew upstream release; adjust D-I auto-partitioning sizes
debian-installerIncrease Linux kernel ABI to 6.1.0-13; rebuild against proposed-updates
debian-installer-netboot-imagesRebuild against proposed-updates
debian-parlRebuild with newer boxer-data; no longer depend on webext-https-everywhere
debianutilsFix duplicate entries in /etc/shells; manage /bin/sh in the state file; fix canonicalization of shells in aliased locations
dgitUse the old /updates security map only for buster; prevent pushing older versions than are already in the archive
dhcpcd5Ease upgrades with leftovers from wheezy; drop deprecated ntpd integration; fix version in cleanup script
dpdkNew upstream stable release
dput-ngUpdate permitted upload targets; fix failure to build from source
efibootguardFix Insufficient or missing validation and sanitization of input from untrustworthy bootloader environment files [CVE-2023-39950]
electrumFix a Lightning security issue
filezillaFix builds for 32-bit architectures; fix crash when removing filetypes from list
firewalldDon't mix IPv4 and IPv6 addresses in a single nftables rule
flannDrop extra -llz4 from flann.pc
footIgnore XTGETTCAP queries with invalid hex encodings
freedomboxUse n= in apt preferences for smooth upgrades
freeradiusEnsure TLS-Client-Cert-Common-Name contains correct data
ghostscriptFix buffer overflow issue [CVE-2023-38559]; try and secure the IJS server startup [CVE-2023-43115]
gititRebuild against new pandoc
gjsAvoid infinite loops of idle callbacks if an idle handler is called during GC
glibcFix the value of F_GETLK/F_SETLK/F_SETLKW with __USE_FILE_OFFSET64 on ppc64el; fix a stack read overflow in getaddrinfo in no-aaaa mode [CVE-2023-4527]; fix use after free in getcanonname [CVE-2023-4806 CVE-2023-5156]; fix _dl_find_object to return correct values even during early startup
gosa-plugins-netgroupsSilence deprecation warnings in web interface
gosa-plugins-systemsFix management of DHCP/DNS entries in default theme; fix adding (standalone) Network printer systems; fix generation of target DNs for various system types; fix icon rendering in DHCP servlet; enforce unqualified hostname for workstations
gtk+3.0New upstream stable release; fix several crashes; show more information in the inspector debugging interface; silence GFileInfo warnings if used with a backported version of GLib; use a light colour for the caret in dark themes, making it much easier to see in some apps, in particular Evince
gtk4Fix truncation in places sidebar with large text accessibility setting
haskell-hakyllRebuild against new pandoc
highwayFix support for armhf systems lacking NEON
hnswlibFix double free in init_index when the M argument is a large integer [CVE-2023-37365]
horizonFix open redirect issue [CVE-2022-45582]
icingaweb2Suppress undesirable deprecation notices
imlib2Fix preservation of alpha channel flag
indentFix out of buffer read; fix buffer overwrite [CVE-2023-40305]
inetutilsCheck return values when dropping privileges [CVE-2023-40303]
inn2Fix nnrpd hangs when compression is enabled; add support for high-precision syslog timestamps; make inn-{radius,secrets}.conf not world readable
jekyllSupport YAML aliases
kernelsharkFix segfault in libshark-tepdata; fix capturing when target directory contains a space
krb5Fix freeing of uninitialised pointer [CVE-2023-36054]
lemonldap-ngApply login control to auth-slave requests; fix open redirection due to incorrect escape handling; fix open redirection when OIDC RP has no redirect URIs; fix Server Side Request Forgery issue [CVE-2023-44469]
libapache-mod-jkRemove implicit mapping functionality, which could lead to unintended exposure of the status worker and/or bypass of security constraints [CVE-2023-41081]
libclamunrarNew upstream stable release
libmatemixerFix heap corruptions / application crashes when removing audio devices
libpam-mklocaluserpam-auth-update: ensure the module is ordered before other session type modules
libxnvctrlNew source package split from nvidia-settings
linuxNew upstream stable release
linux-signed-amd64New upstream stable release
linux-signed-arm64New upstream stable release
linux-signed-i386New upstream stable release
llvm-defaultsFix /usr/include/lld symlink; add Breaks against not co-installable packages for smoother upgrades from bullseye
ltspAvoid using mv on init symlink
lxcFix nftables syntax for IPv6 NAT
lxcfsFix CPU reporting within an arm32 container with large numbers of CPUs
marcoOnly enable compositing if it is available
mariadbNew upstream bugfix release
mate-notification-daemonFix two memory leaks
mgbaFix broken audio in libretro core; fix crash on hardware incapable of OpenGL 3.2
modsecurityFix denial of service issue [CVE-2023-38285]
monitoring-pluginscheck_disk: avoid mounting when searching for matching mount points, resolving a regression in speed from bullseye
mozjs102New upstream stable release; fix incorrect value used during WASM compilation [CVE-2023-4046], potential use after free issue [CVE-2023-37202], memory safety issues [CVE-2023-37211 CVE-2023-34416]
muttNew upstream stable release
ncoRe-enable udunits2 support
nftablesFix incorrect bytecode generation hit with new kernel check that rejects adding rules to bound chains
node-dottieSecurity fix (prototype pollution) [CVE-2023-26132]
nvidia-settingsNew upstream bugfix release
nvidia-settings-teslaNew upstream bugfix release
nx-libsFix missing symlink /usr/share/nx/fonts; fix manpage
open-ath9k-htc-firmwareLoad correct firmware
openbsd-inetdFix memory handling issues
openrefineFix arbitrary code execution issue [CVE-2023-37476]
openscapFix dependencies of openscap-utils and python3-openscap
opensshFix remote code execution issue via a forwarded agent socket [CVE-2023-38408]
opensslNew upstream stable release; security fixes [CVE-2023-2975 CVE-2023-3446 CVE-2023-3817]
pamFix pam-auth-update --disable; update Turkish translation
pandocFix arbitrary file write issue [CVE-2023-35936]
plasma-frameworkFix plasmashell crashes
plasma-workspaceFix crash in krunner
python-gitFix remote code execution issue [CVE-2023-40267], blind local file inclusion issue [CVE-2023-41040]
pywinrmFix compatibility with Python 3.11
qemuUpdate to upstream 7.2.5 tree; ui/vnc-clipboard: fix infinite loop in inflate_buffer [CVE-2023-3255]; fix NULL pointer dereference issue [CVE-2023-3354]; fix buffer overflow issue [CVE-2023-3180]
qtlocation-opensource-srcFix freeze when loading map tiles
rarUpstream bugfix release [CVE-2023-40477]
repreproFix race condition when using external decompressors
rmlintFix error in other packages caused by invalid python package version; fix GUI startup failure with recent python3.11
roundcubeNew upstream stable release; fix OAuth2 authentication; fix cross site scripting issues [CVE-2023-43770]
runit-servicesdhclient: don't hardcode use of eth1
sambaNew upstream stable release
sitesummaryNew upstream release; fix installation of sitesummary-maintenance CRON/systemd-timerd script; fix insecure temporary file and directory creation
slbackup-phpBug fixes: log remote commands to stderr; disable SSH known hosts files; PHP 8 compatibility
spamprobeFix crashes parsing JPEG attachments
stunnel4Fix handling of a peer closing TLS connection without proper shutdown messaging
systemdNew upstream stable release; fix minor security issue in arm64 and riscv64 systemd-boot (EFI) with device tree blobs loading
testng7Backport to stable for future openjdk-17 builds
timgFix buffer overflow vulnerability [CVE-2023-40968]
transmissionReplace openssl3 compat patch to fix memory leak
unboundFix error log flooding when using DNS over TLS with openssl 3.0
unrar-nonfreeFix remote code execution issue [CVE-2023-40477]
vortaHandle ctime and mtime changes in diffs
vte2.91Invalidate ring view more often when necessary, fixing various assertion failures during event handling
x2goserverx2goruncommand: add support for KDE Plasma 5; x2gostartagent: prevent logfile corruption; keystrokes.cfg: sync with nx-libs; fix encoding of Finnish translation

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory IDPackage
DSA-5454 kanboard
DSA-5455 iperf3
DSA-5456 chromium
DSA-5457 webkit2gtk
DSA-5458 openjdk-17
DSA-5459 amd64-microcode
DSA-5460 curl
DSA-5462 linux-signed-amd64
DSA-5462 linux-signed-arm64
DSA-5462 linux-signed-i386
DSA-5462 linux
DSA-5463 thunderbird
DSA-5464 firefox-esr
DSA-5465 python-django
DSA-5466 ntpsec
DSA-5467 chromium
DSA-5468 webkit2gtk
DSA-5469 thunderbird
DSA-5471 libhtmlcleaner-java
DSA-5472 cjose
DSA-5473 orthanc
DSA-5474 intel-microcode
DSA-5475 linux-signed-amd64
DSA-5475 linux-signed-arm64
DSA-5475 linux-signed-i386
DSA-5475 linux
DSA-5476 gst-plugins-ugly1.0
DSA-5477 samba
DSA-5479 chromium
DSA-5481 fastdds
DSA-5482 tryton-server
DSA-5483 chromium
DSA-5484 librsvg
DSA-5485 firefox-esr
DSA-5487 chromium
DSA-5488 thunderbird
DSA-5491 chromium
DSA-5492 linux-signed-amd64
DSA-5492 linux-signed-arm64
DSA-5492 linux-signed-i386
DSA-5492 linux
DSA-5493 open-vm-tools
DSA-5494 mutt
DSA-5495 frr
DSA-5496 firefox-esr
DSA-5497 libwebp
DSA-5498 thunderbird
DSA-5501 gnome-shell
DSA-5504 bind9
DSA-5505 lldpd
DSA-5507 jetty9
DSA-5510 libvpx

Removed packages

The following packages were removed due to circumstances beyond our control:

PackageReason
https-everywhereobsolete, major browsers offer native support

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

The current stable distribution:

Proposed updates to the stable distribution:

stable distribution information (release notes, errata etc.):

Security announcements and information: