
The Debian project has released the seventh update of its stable distribution, Debian 12 (12.7), which mainly bundles security fixes and corrections for other serious problems.

Updated Debian 12: 12.7 released

The Debian project is pleased to announce the seventh update of its stable distribution Debian 12 (codename bookworm). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 12 but only updates some of the packages included. There is no need to throw away old bookworm media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:


Secure Boot and other operating systems

Users who boot other operating systems on the same hardware, and who have Secure Boot enabled, should be aware that shim 15.8 (included with Debian 12.7) revokes signatures across older versions of shim in the UEFI firmware. This may leave other operating systems using shim before 15.8 unable to boot.

Affected users can temporarily disable Secure Boot before updating other operating systems.
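As an added example (not part of the Debian announcement), the POSIX shell script below performs the two checks an administrator would want around this point release: whether /etc/debian_version already reports 12.7 or later, and whether the installed shim-signed package carries upstream shim 15.8 or newer, the version that revokes signatures of older shims. The dpkg version-string layout it parses (optional "epoch:" prefix, a "+" joining the signed-release number to the shim version in shim-signed, and a trailing "-debianrevision") and the package name shim-signed are assumptions about Debian packaging, not details taken from the announcement; mokutil is only invoked when present.

```shell
#!/bin/sh
# Added example: pre/post-upgrade checks for the Debian 12.7 point release.
# Not part of the Debian announcement. The version-string layouts handled
# below are assumptions about dpkg version formatting.

# Reduce a dpkg version string to the upstream shim version:
#   "1:1.44+15.8-1~deb12u1" -> "15.8"
upstream_version() {
    v="$1"
    v="${v#*:}"                 # drop an "epoch:" prefix, if any
    case "$v" in
        *-*) v="${v%-*}" ;;     # drop the Debian revision after the last '-'
    esac
    v="${v##*+}"                # shim-signed: keep the part after the last '+'
    printf '%s\n' "$v"
}

# Numeric dotted-version comparison: exit 0 when $1 >= $2, else 1.
# Compares component by component so that 15.10 >= 15.8 holds.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i in pa) ? pa[i] + 0 : 0
            y = (i in pb) ? pb[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# Exit 0 when the given shim-signed dpkg version already revokes pre-15.8 shims.
shim_revokes_older() {
    version_ge "$(upstream_version "$1")" "15.8"
}

# Exit 0 when a /etc/debian_version string is 12.7 or later.
point_release_applied() {
    version_ge "$1" "12.7"
}

# Live report for the machine this runs on; every probe is optional.
report() {
    if [ -r /etc/debian_version ]; then
        dv=$(cat /etc/debian_version)
        if point_release_applied "$dv"; then
            echo "debian_version $dv: point release 12.7 (or later) already applied"
        else
            echo "debian_version $dv: run 'apt update && apt full-upgrade' against a current mirror"
        fi
    fi
    if command -v dpkg-query >/dev/null 2>&1; then
        sv=$(dpkg-query -W -f='${Version}' shim-signed 2>/dev/null) || sv=""
        if [ -n "$sv" ]; then
            if shim_revokes_older "$sv"; then
                echo "shim-signed $sv: revokes older shims; other OSes on this machine need shim >= 15.8 to boot with Secure Boot"
            else
                echo "shim-signed $sv: older than 15.8; update the shim of other OSes before upgrading if you dual-boot"
            fi
        fi
    fi
    if command -v mokutil >/dev/null 2>&1; then
        mokutil --sb-state 2>/dev/null || true
    fi
}

report
```

Run it once before the upgrade (to learn whether Secure Boot is on and which shim is installed) and once after, to confirm the point release took effect.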

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package                           Reason
amd64-microcode                   New upstream release; security fixes [CVE-2023-31315]; SEV firmware fixes [CVE-2023-20584 CVE-2023-31356]
ansible                           New upstream stable release; fix key leakage issue [CVE-2023-4237]
ansible-core                      New upstream stable release; fix information disclosure issue [CVE-2024-0690]; fix template injection issue [CVE-2023-5764]; fix path traversal issue [CVE-2023-5115]
apache2                           New upstream stable release; fix content disclosure issue [CVE-2024-40725]
base-files                        Update for the point release
cacti                             Fix remote code execution issues [CVE-2024-25641 CVE-2024-31459], cross site scripting issues [CVE-2024-29894 CVE-2024-31443 CVE-2024-31444], SQL injection issues [CVE-2024-31445 CVE-2024-31458 CVE-2024-31460], type juggling issue [CVE-2024-34340]; fix autopkgtest failure
calamares-settings-debian         Fix Xfce launcher permission issue
calibre                           Fix remote code execution issue [CVE-2024-6782], cross site scripting issue [CVE-2024-7008], SQL injection issue [CVE-2024-7009]
choose-mirror                     Update list of available mirrors
cockpit                           Fix denial of service issue [CVE-2024-6126]
cups                              Fix issues with domain socket handling [CVE-2024-35235]
curl                              Fix ASN.1 date parser overread issue [CVE-2024-7264]
cyrus-imapd                       Fix regression introduced in CVE-2024-34055 fix
dcm2niix                          Fix potential code execution issue [CVE-2024-27629]
debian-installer                  Increase Linux kernel ABI to 6.1.0-25; rebuild against proposed-updates
debian-installer-netboot-images   Rebuild against proposed-updates
dmitry                            Security fixes [CVE-2024-31837 CVE-2020-14931 CVE-2017-7938]
dropbear                          Fix noremotetcp behaviour of keepalive packets in combination with the no-port-forwarding authorized_keys(5) restriction
gettext.js                        Fix server side request forgery issue [CVE-2024-43370]
glibc                             Fix freeing uninitialized memory in libc_freeres_fn(); fix several performance issues and possible crashes
glogic                            Require Gtk 3.0 and PangoCairo 1.0
graphviz                          Fix broken scale
gtk+2.0                           Avoid looking for modules in the current working directory [CVE-2024-6655]
gtk+3.0                           Avoid looking for modules in the current working directory [CVE-2024-6655]
imagemagick                       Fix segmentation fault issue; fix incomplete fix for CVE-2023-34151
initramfs-tools                   hook-functions: Fix copy_file with source including a directory symlink; hook-functions: copy_file: Canonicalise target filename; install hid-multitouch module for Surface Pro 4 Keyboard; add hyper-keyboard module, needed to enter LUKS password in Hyper-V; auto_add_modules: Add onboard_usb_hub, onboard_usb_dev
intel-microcode                   New upstream release; security fixes [CVE-2023-42667 CVE-2023-49141 CVE-2024-24853 CVE-2024-24980 CVE-2024-25939]
ipmitool                          Add missing enterprise-numbers.txt file
libapache2-mod-auth-openidc       Avoid crash when the Forwarded header is not present but OIDCXForwardedHeaders is configured for it
libnvme                           Fix buffer overflow during scanning devices that do not support sub-4k reads
libvirt                           virsh: Make domif-setlink work more than once; qemu: domain: Fix logic when tainting domain; fix denial of service issues [CVE-2023-3750 CVE-2024-1441 CVE-2024-2494 CVE-2024-2496]
linux                             New upstream release; bump ABI to 25
linux-signed-amd64                New upstream release; bump ABI to 25
linux-signed-arm64                New upstream release; bump ABI to 25
linux-signed-i386                 New upstream release; bump ABI to 25
newlib                            Fix buffer overflow issue [CVE-2021-3420]
numpy                             Conflict with python-numpy
openssl                           New upstream stable release; fix denial of service issues [CVE-2024-2511 CVE-2024-4603]; fix use after free issue [CVE-2024-4741]
poe.app                           Make comment cells editable; fix drawing when an NSActionCell in the preferences is acted on to change state
putty                             Fix weak ECDSA nonce generation allowing secret key recovery [CVE-2024-31497]
qemu                              New upstream stable release; fix denial of service issue [CVE-2024-4467]
riemann-c-client                  Prevent malformed payload in GnuTLS send/receive operations
rustc-web                         New upstream stable release, to support building new chromium and firefox-esr versions
shim                              New upstream release
shim-helpers-amd64-signed         Rebuild against shim 15.8.1
shim-helpers-arm64-signed         Rebuild against shim 15.8.1
shim-helpers-i386-signed          Rebuild against shim 15.8.1
shim-signed                       New upstream stable release
systemd                           New upstream stable release; update hwdb
usb.ids                           Update included data list
xmedcon                           Fix buffer overflow issue [CVE-2024-29421]

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID    Package
DSA-5617       chromium
DSA-5629       chromium
DSA-5634       chromium
DSA-5636       chromium
DSA-5639       chromium
DSA-5648       chromium
DSA-5654       chromium
DSA-5656       chromium
DSA-5668       chromium
DSA-5675       chromium
DSA-5676       chromium
DSA-5683       chromium
DSA-5687       chromium
DSA-5689       chromium
DSA-5694       chromium
DSA-5696       chromium
DSA-5697       chromium
DSA-5701       chromium
DSA-5710       chromium
DSA-5716       chromium
DSA-5719       emacs
DSA-5720       chromium
DSA-5722       libvpx
DSA-5723       plasma-workspace
DSA-5724       openssh
DSA-5725       znc
DSA-5726       krb5
DSA-5727       firefox-esr
DSA-5728       exim4
DSA-5729       apache2
DSA-5731       linux-signed-amd64
DSA-5731       linux-signed-arm64
DSA-5731       linux-signed-i386
DSA-5731       linux
DSA-5732       chromium
DSA-5734       bind9
DSA-5735       chromium
DSA-5737       libreoffice
DSA-5738       openjdk-17
DSA-5739       wpa
DSA-5740       firefox-esr
DSA-5741       chromium
DSA-5743       roundcube
DSA-5745       postgresql-15
DSA-5748       ffmpeg
DSA-5749       bubblewrap
DSA-5749       flatpak
DSA-5750       python-asyncssh
DSA-5751       squid
DSA-5752       dovecot
DSA-5753       aom
DSA-5754       cinder
DSA-5755       glance
DSA-5756       nova
DSA-5757       chromium

Removed packages

The following packages were removed due to circumstances beyond our control:

Package          Reason
bcachefs-tools   Buggy; obsolete

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

The current stable distribution:

Proposed updates to the stable distribution:

stable distribution information (release notes, errata etc.):

Security announcements and information:

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.