Uppdaterad Debian 12; 12.2 utgiven
7 oktober 2023
Debianprojektet presenterar stolt sin andra uppdatering till dess
stabila utgåva Debian 12 (med kodnamnet bookworm
).
Denna punktutgåva lägger huvudsakligen till rättningar för säkerhetsproblem,
tillsammans med ytterligare rättningar för allvarliga problem. Säkerhetsbulletiner
har redan publicerats separat och refereras när de finns tillgängliga.
Vänligen notera att punktutgåvan inte innebär en ny version av Debian
12 utan endast uppdaterar några av de inkluderade paketen. Det behövs
inte kastas bort gamla media av bookworm
. Efter installationen
kan paket uppgraderas till de aktuella versionerna genom att använda en uppdaterad
Debianspegling..
De som frekvent installerar uppdateringar från security.debian.org kommer inte att behöva uppdatera många paket, och de flesta av sådana uppdateringar finns inkluderade i punktutgåvan.
Nya installationsavbildningar kommer snart att finnas tillgängliga på de vanliga platserna.
En uppgradering av en existerande installation till denna revision kan utföras genom att peka pakethanteringssystemet på en av Debians många HTTP-speglingar. En utförlig lista på speglingar finns på:
Blandade felrättningar
Denna uppdatering av den stabila utgåvan lägger till några viktiga felrättningar till följande paket:
| Paket | Orsak |
|---|---|
| amd64-microcode | Update included microcode, including fixes for AMD Inceptionon AMD Zen4 processors [CVE-2023-20569] |
| arctica-greeter | Support configuring the onscreen keyboard theme via ArcticaGreeter's gsettings; use CompactOSK layout (instead of Small) which includes special keys such as German Umlauts; fix display of authentication failure messages; use active theme rather than emerald |
| autofs | Fix regression determining reachability on dual-stack hosts |
| base-files | Update for the 12.2 point release |
| batik | Fix Server Side Request Forgery issues [CVE-2022-44729 CVE-2022-44730] |
| boxer-data | No longer install https-everywhere for Firefox |
| brltty | xbrlapi: Do not try to start brltty with ba+a2 when unavailable; fix cursor routing and braille panning in Orca when xbrlapi is installed but the a2 screen driver is not |
| ca-certificates-java | Work around unconfigured JRE during new installations |
| cairosvg | Handle data: URLs in safe mode |
| calibre | Fix export feature |
| clamav | New upstream stable release; security fixes [CVE-2023-20197 CVE-2023-20212] |
| cryptmount | Avoid memory initialisation issues in command line parser |
| cups | Fix heap-based buffer overflow issue [CVE-2023-4504]; fix unauthenticated access issue [CVE-2023-32360] |
| curl | Build with OpenLDAP to correct improper fetch of binary LDAP attributes; fix excessive memory consumption issue [CVE-2023-38039] |
| cyrus-imapd | Ensure mailboxes are not lost on upgrades from bullseye |
| dar | Fix issues with creating isolated catalogs when dar was built using a recent gcc version |
| dbus | New upstream stable release; fix a dbus-daemon crash during policy reload if a connection belongs to a user account that has been deleted, or if a Name Service Switch plugin is broken, on kernels not supporting SO_PEERGROUPS; report the error correctly if getting the groups of a uid fails; dbus-user-session: Copy XDG_CURRENT_DESKTOP to activation environment |
| debian-archive-keyring | Clean up leftover keyrings in trusted.gpg.d |
| debian-edu-doc | Update Debian Edu Bookworm manual |
| debian-edu-install | New upstream release; adjust D-I auto-partitioning sizes |
| debian-installer | Increase Linux kernel ABI to 6.1.0-13; rebuild against proposed-updates |
| debian-installer-netboot-images | Rebuild against proposed-updates |
| debian-parl | Rebuild with newer boxer-data; no longer depend on webext-https-everywhere |
| debianutils | Fix duplicate entries in /etc/shells; manage /bin/sh in the state file; fix canonicalization of shells in aliased locations |
| dgit | Use the old /updates security map only for buster; prevent pushing older versions than are already in the archive |
| dhcpcd5 | Ease upgrades with leftovers from wheezy; drop deprecated ntpd integration; fix version in cleanup script |
| dpdk | New upstream stable release |
| dput-ng | Update permitted upload targets; fix failure to build from source |
| efibootguard | Fix Insufficient or missing validation and sanitization of input from untrustworthy bootloader environment files [CVE-2023-39950] |
| electrum | Fix a Lightning security issue |
| filezilla | Fix builds for 32-bit architectures; fix crash when removing filetypes from list |
| firewalld | Don't mix IPv4 and IPv6 addresses in a single nftables rule |
| flann | Drop extra -llz4 from flann.pc |
| foot | Ignore XTGETTCAP queries with invalid hex encodings |
| freedombox | Use n= in apt preferences for smooth upgrades |
| freeradius | Ensure TLS-Client-Cert-Common-Name contains correct data |
| ghostscript | Fix buffer overflow issue [CVE-2023-38559]; try and secure the IJS server startup [CVE-2023-43115] |
| gitit | Rebuild against new pandoc |
| gjs | Avoid infinite loops of idle callbacks if an idle handler is called during GC |
| glibc | Fix the value of F_GETLK/F_SETLK/F_SETLKW with __USE_FILE_OFFSET64 on ppc64el; fix a stack read overflow in getaddrinfo in no-aaaa mode [CVE-2023-4527]; fix use after free in getcanonname [CVE-2023-4806 CVE-2023-5156]; fix _dl_find_object to return correct values even during early startup |
| gosa-plugins-netgroups | Silence deprecation warnings in web interface |
| gosa-plugins-systems | Fix management of DHCP/DNS entries in default theme; fix adding (standalone) Network printersystems; fix generation of target DNs for various system types; fix icon rendering in DHCP servlet; enforce unqualified hostname for workstations |
| gtk+3.0 | New upstream stable release; fix several crashes; show more information in the inspectordebugging interface; silence GFileInfo warnings if used with a backported version of GLib; use a light colour for the caret in dark themes, making it much easier to see in some apps, in particular Evince |
| gtk4 | Fix truncation in places sidebar with large text accessibility setting |
| haskell-hakyll | Rebuild against new pandoc |
| highway | Fix support for armhf systems lacking NEON |
| hnswlib | Fix double free in init_index when the M argument is a large integer [CVE-2023-37365] |
| horizon | Fix open redirect issue [CVE-2022-45582] |
| icingaweb2 | Suppress undesirable deprecation notices |
| imlib2 | Fix preservation of alpha channel flag |
| indent | Fix out of buffer read; fix buffer overwrite [CVE-2023-40305] |
| inetutils | Check return values when dropping privileges [CVE-2023-40303] |
| inn2 | Fix nnrpd hangs when compression is enabled; add support for high-precision syslog timestamps; make inn-{radius,secrets}.conf not world readable |
| jekyll | Support YAML aliases |
| kernelshark | Fix segfault in libshark-tepdata; fix capturing when target directory contains a space |
| krb5 | Fix freeing of uninitialised pointer [CVE-2023-36054] |
| lemonldap-ng | Apply login control to auth-slave requests; fix open redirection due to incorrect escape handling; fix open redirection when OIDC RP has no redirect URIs; fix Server Side Request Forgery issue [CVE-2023-44469] |
| libapache-mod-jk | Remove implicit mapping functionality, which could lead to unintended exposure of the status worker and/or bypass of security constraints [CVE-2023-41081] |
| libclamunrar | New upstream stable release |
| libmatemixer | Fix heap corruptions / application crashes when removing audio devices |
| libpam-mklocaluser | pam-auth-update: ensure the module is ordered before other session type modules |
| libxnvctrl | New source package split from nvidia-settings |
| linux | New upstream stable release |
| linux-signed-amd64 | New upstream stable release |
| linux-signed-arm64 | New upstream stable release |
| linux-signed-i386 | New upstream stable release |
| llvm-defaults | Fix /usr/include/lld symlink; add Breaks against not co-installable packages for smoother upgrades from bullseye |
| ltsp | Avoid using mv on init symlink |
| lxc | Fix nftables syntax for IPv6 NAT |
| lxcfs | Fix CPU reporting within an arm32 container with large numbers of CPUs |
| marco | Only enable compositing if it is available |
| mariadb | New upstream bugfix release |
| mate-notification-daemon | Fix two memory leaks |
| mgba | Fix broken audio in libretro core; fix crash on hardware incapable of OpenGL 3.2 |
| modsecurity | Fix denial of service issue [CVE-2023-38285] |
| monitoring-plugins | check_disk: avoid mounting when searching for matching mount points, resolving a regression in speed from bullseye |
| mozjs102 | New upstream stable release; fix incorrect value used during WASM compilation[CVE-2023-4046], potential use after free issue [CVE-2023-37202], memory safety issues [CVE-2023-37211 CVE-2023-34416] |
| mutt | New upstream stable release |
| nco | Re-enable udunits2 support |
| nftables | Fix incorrect bytecode generation hit with new kernel check that rejects adding rules to bound chains |
| node-dottie | Security fix (prototype pollution) [CVE-2023-26132] |
| nvidia-settings | New upstream bugfix release |
| nvidia-settings-tesla | New upstream bugfix release |
| nx-libs | Fix missing symlink /usr/share/nx/fonts; fix manpage |
| open-ath9k-htc-firmware | Load correct firmware |
| openbsd-inetd | Fix memory handling issues |
| openrefine | Fix arbitrary code execution issue [CVE-2023-37476] |
| openscap | Fix dependencies of openscap-utils and python3-openscap |
| openssh | Fix remote code execution issue via a forwarded agent socket [CVE-2023-38408] |
| openssl | New upstream stable release; security fixes [CVE-2023-2975 CVE-2023-3446 CVE-2023-3817] |
| pam | Fix pam-auth-update --disable; update Turkish translation |
| pandoc | Fix arbitrary file write issue [CVE-2023-35936] |
| plasma-framework | Fix plasmashell crashes |
| plasma-workspace | Fix crash in krunner |
| python-git | Fix remote code execution issue [CVE-2023-40267], blind local file inclusion issue [CVE-2023-41040] |
| pywinrm | Fix compatibility with Python 3.11 |
| qemu | Update to upstream 7.2.5 tree; ui/vnc-clipboard: fix infinite loop in inflate_buffer [CVE-2023-3255]; fix NULL pointer dereference issue [CVE-2023-3354]; fix buffer overflow issue [CVE-2023-3180] |
| qtlocation-opensource-src | Fix freeze when loading map tiles |
| rar | Upstream bugfix release [CVE-2023-40477] |
| reprepro | Fix race condition when using external decompressors |
| rmlint | Fix error in other packages caused by invalid python package version; fix GUI startup failure with recent python3.11 |
| roundcube | New upstream stable release; fix OAuth2 authentication; fix cross site scripting issues [CVE-2023-43770] |
| runit-services | dhclient: don't hardcode use of eth1 |
| samba | New upstream stable release |
| sitesummary | New upstream release; fix installation of sitesummary-maintenance CRON/systemd-timerd script; fix insecure temporary file and directory creation |
| slbackup-php | Bug fixes: log remote commands to stderr; disable SSH known hosts files; PHP 8 compatibility |
| spamprobe | Fix crashes parsing JPEG attachments |
| stunnel4 | Fix handling of a peer closing TLS connection without proper shutdown messaging |
| systemd | New upstream stable release; fix minor security issue in arm64 and riscv64 systemd-boot (EFI) with device tree blobs loading |
| testng7 | Backport to stable for future openjdk-17 builds |
| timg | Fix buffer overflow vulnerability [CVE-2023-40968] |
| transmission | Replace openssl3 compat patch to fix memory leak |
| unbound | Fix error log flooding when using DNS over TLS with openssl 3.0 |
| unrar-nonfree | Fix remote code execution issue [CVE-2023-40477] |
| vorta | Handle ctime and mtime changes in diffs |
| vte2.91 | Invalidate ring view more often when necessary, fixing various assertion failures during event handling |
| x2goserver | x2goruncommand: add support for KDE Plasma 5; x2gostartagent: prevent logfile corruption; keystrokes.cfg: sync with nx-libs; fix encoding of Finnish translation |
Säkerhetsuppdateringar
Denna revision lägger till följande säkerhetsuppdateringar till den stabila utgåvan. Säkerhetsgruppen har redan släppt bulletiner för alla dessa uppdateringar:
Borttagna paket
Följande paket har tagits bort på grund av omständigheter utom vår kontroll:
| Paket | Orsak |
|---|---|
| https-everywhere | föråldrat, stora webbläsare erbjuder inbyggt stöd |
Debianinstalleraren
Installeraren har uppdaterats för att inkludera rättningarna som har inkluderats i den stabila utgåvan med denna punktutgåva.
URLer
Den fullständiga listan på paket som har förändrats i denna revision:
Den aktuella stabila utgåvan:
Föreslagna uppdateringar till den stabila utgåvan:
Information om den stabila utgåvan (versionsfakta, kända problem osv.):
Säkerhetsbulletiner och information:
Om Debian
Debianprojektet är en grupp utvecklare av Fri mjukvara som donerar sin tid och kraft för att producera det helt fria operativsystemet Debian.
Kontaktinformation
För ytterligare information, vänligen besök Debians webbplats på https://www.debian.org/, skicka e-post till <[email protected]>, eller kontakta gruppen för stabila utgåvor på <[email protected]>.