author | Laura Arjona Reina <larjona@debian.org> | 2022-03-26 17:00:04 +0100 |
---|---|---|
committer | Laura Arjona Reina <larjona@debian.org> | 2022-03-26 17:00:04 +0100 |
commit | d673db021e55bd42a14712c110ed1253cd2c8b1e (patch) | |
tree | 4537150cd7e7f1f5c93b22dfaf1ffd1c310a6b7b | |
parent | ac148703cf6d900b36a19e182351940092bcb7ac (diff) |
Add 10.12 and 11.3 point release announcements (English)
-rw-r--r-- | english/News/2022/20220326.wml | 314 | ||||
-rw-r--r-- | english/News/2022/2022032602.wml | 310 |
2 files changed, 624 insertions, 0 deletions
diff --git a/english/News/2022/20220326.wml b/english/News/2022/20220326.wml new file mode 100644 index 00000000000..4c8327198c8 --- /dev/null +++ b/english/News/2022/20220326.wml 
@@ -0,0 +1,314 @@ +<define-tag pagetitle>Updated Debian 11: 11.3 released</define-tag> +<define-tag release_date>2022-03-26</define-tag> +#use wml::debian::news +# $Id: + +<define-tag release>11</define-tag> +<define-tag codename>bullseye</define-tag> +<define-tag revision>11.3</define-tag> + +<define-tag dsa> + <tr><td align="center"><a href="$(HOME)/security/%0/dsa-%1">DSA-%1</a></td> + <td align="center"><: + my @p = (); + for my $p (split (/,\s*/, "%2")) { + push (@p, sprintf ('<a href="https://packages.debian.org/src:%s">%s</a>', $p, $p)); + } + print join (", ", @p); +:></td></tr> +</define-tag> + +<define-tag correction> + <tr><td><a href="https://packages.debian.org/src:%0">%0</a></td> <td>%1</td></tr> +</define-tag> + +<define-tag srcpkg><a href="https://packages.debian.org/src:%0">%0</a></define-tag> + +<p>The Debian project is pleased to announce the third update of its +stable distribution Debian <release> (codename <q><codename></q>). +This point release mainly adds corrections for security issues, +along with a few adjustments for serious problems. Security advisories +have already been published separately and are referenced where available.</p> + +<p>Please note that the point release does not constitute a new version of Debian +<release> but only updates some of the packages included. There is +no need to throw away old <q><codename></q> media. After installation, +packages can be upgraded to the current versions using an up-to-date Debian +mirror.</p> + +<p>Those who frequently install updates from security.debian.org won't have +to update many packages, and most such updates are +included in the point release.</p> + +<p>New installation images will be available soon at the regular locations.</p> + +<p>Upgrading an existing installation to this revision can be achieved by +pointing the package management system at one of Debian's many HTTP mirrors. 
+A comprehensive list of mirrors is available at:</p> + +<div class="center"> + <a href="$(HOME)/mirror/list">https://www.debian.org/mirror/list</a> +</div> + + + + +<h2>Miscellaneous Bugfixes</h2> + +<p>This stable update adds a few important corrections to the following packages:</p> + +<table border=0> +<tr><th>Package</th> <th>Reason</th></tr> +<correction apache-log4j1.2 "Resolve security issues [CVE-2021-4104 CVE-2022-23302 CVE-2022-23305 CVE-2022-23307], by removing support for the JMSSink, JDBCAppender, JMSAppender and Apache Chainsaw modules"> +<correction apache-log4j2 "Fix remote code execution issue [CVE-2021-44832]"> +<correction apache2 "New upstream release; fix crash due to random memory read [CVE-2022-22719]; fix HTTP request smuggling issue [CVE-2022-22720]; fix out-of-bounds write issues [CVE-2022-22721 CVE-2022-23943]"> +<correction atftp "Fix information leak issue [CVE-2021-46671]"> +<correction base-files "Update for the 11.3 point release"> +<correction bible-kjv "Fix off-by-one-error in search"> +<correction chrony "Allow reading the chronyd configuration file that timemaster(8) generates"> +<correction cinnamon "Fix crash when adding an online account with login"> +<correction clamav "New upstream stable release; fix denial of service issue [CVE-2022-20698]"> +<correction cups-filters "Apparmor: allow reading from Debian Edu's cups-browsed configuration file"> +<correction dask.distributed "Fix undesired listening of workers on public interfaces [CVE-2021-42343]; fix compatibility with Python 3.9"> +<correction debian-installer "Rebuild against proposed-updates; update Linux kernel ABI to 5.10.0-13"> +<correction debian-installer-netboot-images "Rebuild against proposed-updates"> +<correction debian-ports-archive-keyring "Add <q>Debian Ports Archive Automatic Signing Key (2023)</q>; move the +2021 signing key to the removed keyring"> +<correction django-allauth "Fix OpenID support"> +<correction djbdns "Raise the axfrdns, dnscache, and 
tinydns data limit"> +<correction dpdk "New upstream stable release"> +<correction e2guardian "Fix missing SSL certificate validation issue [CVE-2021-44273]"> +<correction epiphany-browser "Work around a bug in GLib, fixing a UI process crash"> +<correction espeak-ng "Drop spurious 50ms delay while processing events"> +<correction espeakup "debian/espeakup.service: Protect espeakup from system overloads"> +<correction fcitx5-chinese-addons "fcitx5-table: add missing dependencies on fcitx5-module-pinyinhelper and fcitx5-module-punctuation"> +<correction flac "Fix out-of-bounds write issue [CVE-2021-0561]"> +<correction freerdp2 "Disable additional debug logging"> +<correction galera-3 "New upstream release"> +<correction galera-4 "New upstream release"> +<correction gbonds "Use Treasury API for redemption data"> +<correction glewlwyd "Fix possible privilege escalation"> +<correction glibc "Fix bad conversion from ISO-2022-JP-3 with iconv [CVE-2021-43396]; fix buffer overflow issues [CVE-2022-23218 CVE-2022-23219]; fix use-after-free issue [CVE-2021-33574]; stop replacing older versions of /etc/nsswitch.conf; simplify the check for supported kernel versions, as 2.x kernels are no longer supported; support installation on kernels with a release number greater than 255"> +<correction glx-alternatives "After initial setup of the diversions, install a minimal alternative to the diverted files so that libraries are not missing until glx-alternative-mesa processes its triggers"> +<correction gnupg2 "scd: Fix CCID driver for SCM SPR332/SPR532; avoid network interaction in generator, which can lead to hangs"> +<correction gnuplot "Fix division by zero [CVE-2021-44917]"> +<correction golang-1.15 "Fix IsOnCurve for big.Int values that are not valid coordinates [CVE-2022-23806]; math/big: prevent large memory consumption in Rat.SetString [CVE-2022-23772]; cmd/go: prevent branches from materializing into versions [CVE-2022-23773]; fix stack exhaustion compiling deeply nested 
expressions [CVE-2022-24921]"> +<correction golang-github-containers-common "Update seccomp support to enable use of newer kernel versions"> +<correction golang-github-opencontainers-specs "Update seccomp support to enable use of newer kernel versions"> +<correction gtk+3.0 "Fix missing search results when using NFS; prevent Wayland clipboard handling from locking up in certain corner cases; improve printing to mDNS-discovered printers"> +<correction heartbeat "Fix creation of /run/heartbeat on systems using systemd"> +<correction htmldoc "Fix out-of-bounds read issue [CVE-2022-0534]"> +<correction installation-guide "Update documentation and translations"> +<correction intel-microcode "Update included microcode; mitigate some security issues [CVE-2020-8694 CVE-2020-8695 CVE-2021-0127 CVE-2021-0145 CVE-2021-0146 CVE-2021-33120]"> +<correction ldap2zone "Use <q>mktemp</q> rather than the deprecated <q>tempfile</q>, avoiding warnings"> +<correction lemonldap-ng "Fix auth process in password-testing plugins [CVE-2021-40874]"> +<correction libarchive "Fix extracting hardlinks to symlinks; fix handling of symlink ACLs [CVE-2021-23177]; never follow symlinks when setting file flags [CVE-2021-31566]"> +<correction libdatetime-timezone-perl "Update included data"> +<correction libgdal-grass "Rebuild against grass 7.8.5-1+deb11u1"> +<correction libpod "Update seccomp support to enable use of newer kernel versions"> +<correction libxml2 "Fix use-after-free issue [CVE-2022-23308]"> +<correction linux "New upstream stable release; [rt] Update to 5.10.106-rt64; increase ABI to 13"> +<correction linux-signed-amd64 "New upstream stable release; [rt] Update to 5.10.106-rt64; increase ABI to 13"> +<correction linux-signed-arm64 "New upstream stable release; [rt] Update to 5.10.106-rt64; increase ABI to 13"> +<correction linux-signed-i386 "New upstream stable release; [rt] Update to 5.10.106-rt64; increase ABI to 13"> +<correction mariadb-10.5 "New upstream release; security fixes 
[CVE-2021-35604 CVE-2021-46659 CVE-2021-46661 CVE-2021-46662 CVE-2021-46663 CVE-2021-46664 CVE-2021-46665 CVE-2021-46667 CVE-2021-46668 CVE-2022-24048 CVE-2022-24050 CVE-2022-24051 CVE-2022-24052]"> +<correction mpich "Add Breaks: on older versions of libmpich1.0-dev, resolving some upgrade issues"> +<correction mujs "Fix buffer overflow issue [CVE-2021-45005]"> +<correction mutter "Backport various fixes from upstream's stable branch"> +<correction node-cached-path-relative "Fix prototype pollution issue [CVE-2021-23518]"> +<correction node-fetch "Don't forward secure headers to third party domains [CVE-2022-0235]"> +<correction node-follow-redirects "Don't send Cookie header across domains [CVE-2022-0155]; don't send confidential headers across schemes [CVE-2022-0536]"> +<correction node-markdown-it "Fix regular expression-based denial of service issue [CVE-2022-21670]"> +<correction node-nth-check "Fix regular expression-based denial of service issue [CVE-2021-3803]"> +<correction node-prismjs "Escape markup in command line output [CVE-2022-23647]; update minified files to ensure that Regular Expression Denial of Service issue is resolved [CVE-2021-3801]"> +<correction node-trim-newlines "Fix regular expression-based denial of service issue [CVE-2021-33623]"> +<correction nvidia-cuda-toolkit "cuda-gdb: Disable non-functional python support causing segmentation faults; use a snapshot of openjdk-8-jre (8u312-b07-1)"> +<correction nvidia-graphics-drivers-tesla-450 "New upstream release; fix denial of service issues [CVE-2022-21813 CVE-2022-21814]; nvidia-kernel-support: Provide /etc/modprobe.d/nvidia-options.conf as a template"> +<correction nvidia-modprobe "New upstream release"> +<correction openboard "Fix application icon"> +<correction openssl "New upstream release; fix armv8 pointer authentication"> +<correction openvswitch "Fix use-after-free issue [CVE-2021-36980]; fix installation of libofproto"> +<correction ostree "Fix compatibility with eCryptFS; avoid 
infinite recursion when recovering from certain errors; mark commits as partial before downloading; fix an assertion failure when using a backport or local build of GLib >= 2.71; fix the ability to fetch OSTree content from paths containing non-URI characters (such as backslashes) or non-ASCII"> +<correction pdb2pqr "Fix compatibility of propka with Python 3.8 or above"> +<correction php-crypt-gpg "Prevent additional options being passed to GPG [CVE-2022-24953]"> +<correction php-laravel-framework "Fix cross-site scripting issue [CVE-2021-43808], missing blocking of executable content upload [CVE-2021-43617]"> +<correction phpliteadmin "Fix cross-site scripting issue [CVE-2021-46709]"> +<correction prips "Fix infinite wrapping if a range reaches 255.255.255.255; fix CIDR output with addresses that differ in their first bit"> +<correction pypy3 "Fix build failures by removing extraneous #endif from import.h"> +<correction python-django "Fix denial of service issue [CVE-2021-45115], information disclosure issue [CVE-2021-45116], directory traversal issue [CVE-2021-45452]; fix a traceback around the handling of RequestSite/get_current_site() due to a circular import"> +<correction python-pip "Avoid a race-condition when using zip-imported dependencies"> +<correction rust-cbindgen "New upstream stable release to support builds of newer firefox-esr and thunderbird versions"> +<correction s390-dasd "Stop passing deprecated -f option to dasdfmt"> +<correction schleuder "Migrate boolean values to integers, if the ActiveRecord SQLite3 connection adapter is in use, restoring functionality"> +<correction sphinx-bootstrap-theme "Fix search functionality"> +<correction spip "Fix several cross-site scripting issues"> +<correction symfony "Fix CVE injection issue [CVE-2021-41270]"> +<correction systemd "Fix uncontrolled recursion in systemd-tmpfiles [CVE-2021-3997]; demote systemd-timesyncd from Depends to Recommends, removing a dependency cycle; fix failure to bind mount a 
directory into a container using machinectl; fix regression in udev resulting in long delays when processing partitions with the same label; fix a regression when using systemd-networkd in an unprivileged LXD container"> +<correction sysvinit "Fix parsing of <q>shutdown +0</q>; clarify that when called with a <q>time</q> shutdown will not exit"> +<correction tasksel "Install CUPS for all *-desktop tasks, as task-print-service no longer exists"> +<correction usb.ids "Update included data"> +<correction weechat "Fix denial of service issue [CVE-2021-40516]"> +<correction wolfssl "Fix several issues related to OCSP-handling [CVE-2021-3336 CVE-2021-37155 CVE-2021-38597] and TLS1.3 support [CVE-2021-44718 CVE-2022-25638 CVE-2022-25640]"> +<correction xserver-xorg-video-intel "Fix SIGILL crash on non-SSE2 CPUs"> +<correction xterm "Fix buffer overflow issue [CVE-2022-24130]"> +<correction zziplib "Fix denial of service issue [CVE-2020-18442]"> +</table> + + +<h2>Security Updates</h2> + + +<p>This revision adds the following security updates to the stable release. 
+The Security Team has already released an advisory for each of these +updates:</p> + +<table border=0> +<tr><th>Advisory ID</th> <th>Package</th></tr> +<dsa 2021 5000 openjdk-11> +<dsa 2021 5001 redis> +<dsa 2021 5012 openjdk-17> +<dsa 2021 5021 mediawiki> +<dsa 2021 5023 modsecurity-apache> +<dsa 2021 5024 apache-log4j2> +<dsa 2021 5025 tang> +<dsa 2021 5027 xorg-server> +<dsa 2021 5028 spip> +<dsa 2021 5029 sogo> +<dsa 2021 5030 webkit2gtk> +<dsa 2021 5031 wpewebkit> +<dsa 2021 5033 fort-validator> +<dsa 2022 5035 apache2> +<dsa 2022 5037 roundcube> +<dsa 2022 5038 ghostscript> +<dsa 2022 5039 wordpress> +<dsa 2022 5040 lighttpd> +<dsa 2022 5041 cfrpki> +<dsa 2022 5042 epiphany-browser> +<dsa 2022 5043 lxml> +<dsa 2022 5046 chromium> +<dsa 2022 5047 prosody> +<dsa 2022 5048 libreswan> +<dsa 2022 5049 flatpak-builder> +<dsa 2022 5049 flatpak> +<dsa 2022 5050 linux-signed-amd64> +<dsa 2022 5050 linux-signed-arm64> +<dsa 2022 5050 linux-signed-i386> +<dsa 2022 5050 linux> +<dsa 2022 5051 aide> +<dsa 2022 5052 usbview> +<dsa 2022 5053 pillow> +<dsa 2022 5054 chromium> +<dsa 2022 5055 util-linux> +<dsa 2022 5056 strongswan> +<dsa 2022 5057 openjdk-11> +<dsa 2022 5058 openjdk-17> +<dsa 2022 5059 policykit-1> +<dsa 2022 5060 webkit2gtk> +<dsa 2022 5061 wpewebkit> +<dsa 2022 5062 nss> +<dsa 2022 5063 uriparser> +<dsa 2022 5064 python-nbxmpp> +<dsa 2022 5065 ipython> +<dsa 2022 5067 ruby2.7> +<dsa 2022 5068 chromium> +<dsa 2022 5070 cryptsetup> +<dsa 2022 5071 samba> +<dsa 2022 5072 debian-edu-config> +<dsa 2022 5073 expat> +<dsa 2022 5075 minetest> +<dsa 2022 5076 h2database> +<dsa 2022 5077 librecad> +<dsa 2022 5078 zsh> +<dsa 2022 5079 chromium> +<dsa 2022 5080 snapd> +<dsa 2022 5081 redis> +<dsa 2022 5082 php7.4> +<dsa 2022 5083 webkit2gtk> +<dsa 2022 5084 wpewebkit> +<dsa 2022 5085 expat> +<dsa 2022 5087 cyrus-sasl2> +<dsa 2022 5088 varnish> +<dsa 2022 5089 chromium> +<dsa 2022 5091 containerd> +<dsa 2022 5092 linux-signed-amd64> +<dsa 2022 5092 linux-signed-arm64> 
+<dsa 2022 5092 linux-signed-i386> +<dsa 2022 5092 linux> +<dsa 2022 5093 spip> +<dsa 2022 5095 linux-signed-amd64> +<dsa 2022 5095 linux-signed-arm64> +<dsa 2022 5095 linux-signed-i386> +<dsa 2022 5095 linux> +<dsa 2022 5098 tryton-server> +<dsa 2022 5099 tryton-proteus> +<dsa 2022 5100 nbd> +<dsa 2022 5101 libphp-adodb> +<dsa 2022 5102 haproxy> +<dsa 2022 5103 openssl> +<dsa 2022 5104 chromium> +<dsa 2022 5105 bind9> +</table> + + +<h2>Removed packages</h2> + +<p>The following packages were removed due to circumstances beyond our control:</p> + +<table border=0> +<tr><th>Package</th> <th>Reason</th></tr> +<correction angular-maven-plugin "No longer useful"> +<correction minify-maven-plugin "No longer useful"> + +</table> + +<h2>Debian Installer</h2> +<p>The installer has been updated to include the fixes incorporated +into stable by the point release.</p> + +<h2>URLs</h2> + +<p>The complete lists of packages that have changed with this revision:</p> + +<div class="center"> + <url "https://deb.debian.org/debian/dists/<downcase <codename>>/ChangeLog"> +</div> + +<p>The current stable distribution:</p> + +<div class="center"> + <url "https://deb.debian.org/debian/dists/stable/"> +</div> + +<p>Proposed updates to the stable distribution:</p> + +<div class="center"> + <url "https://deb.debian.org/debian/dists/proposed-updates"> +</div> + +<p>stable distribution information (release notes, errata etc.):</p> + +<div class="center"> + <a + href="$(HOME)/releases/stable/">https://www.debian.org/releases/stable/</a> +</div> + +<p>Security announcements and information:</p> + +<div class="center"> + <a href="$(HOME)/security/">https://www.debian.org/security/</a> +</div> + +<h2>About Debian</h2> + +<p>The Debian Project is an association of Free Software developers who +volunteer their time and effort in order to produce the completely +free operating system Debian.</p> + +<h2>Contact Information</h2> + +<p>For further information, please visit the Debian web pages at +<a 
href="$(HOME)/">https://www.debian.org/</a>, send mail to +<press@debian.org>, or contact the stable release team at +<debian-release@lists.debian.org>.</p> + + diff --git a/english/News/2022/2022032602.wml b/english/News/2022/2022032602.wml new file mode 100644 index 00000000000..7bc7c5d8ecb --- /dev/null +++ b/english/News/2022/2022032602.wml 
@@ -0,0 +1,310 @@ +<define-tag pagetitle>Updated Debian 10: 10.12 released</define-tag> +<define-tag release_date>2022-03-26</define-tag> +#use wml::debian::news +# $Id: + +<define-tag release>10</define-tag> +<define-tag codename>buster</define-tag> +<define-tag revision>10.12</define-tag> + +<define-tag dsa> + <tr><td align="center"><a href="$(HOME)/security/%0/dsa-%1">DSA-%1</a></td> + <td align="center"><: + my @p = (); + for my $p (split (/,\s*/, "%2")) { + push (@p, sprintf ('<a href="https://packages.debian.org/src:%s">%s</a>', $p, $p)); + } + print join (", ", @p); +:></td></tr> +</define-tag> + +<define-tag correction> + <tr><td><a href="https://packages.debian.org/src:%0">%0</a></td> <td>%1</td></tr> +</define-tag> + +<define-tag srcpkg><a href="https://packages.debian.org/src:%0">%0</a></define-tag> + +<p>The Debian project is pleased to announce the twelvth update of its +oldstable distribution Debian <release> (codename <q><codename></q>). +This point release mainly adds corrections for security issues, +along with a few adjustments for serious problems. Security advisories +have already been published separately and are referenced where available.</p> + +<p>Please note that the point release does not constitute a new version of Debian +<release> but only updates some of the packages included. There is +no need to throw away old <q><codename></q> media. After installation, +packages can be upgraded to the current versions using an up-to-date Debian +mirror.</p> + +<p>Those who frequently install updates from security.debian.org won't have +to update many packages, and most such updates are +included in the point release.</p> + +<p>New installation images will be available soon at the regular locations.</p> + +<p>Upgrading an existing installation to this revision can be achieved by +pointing the package management system at one of Debian's many HTTP mirrors. 
+A comprehensive list of mirrors is available at:</p> + +<div class="center"> + <a href="$(HOME)/mirror/list">https://www.debian.org/mirror/list</a> +</div> + + + +<h2>OpenSSL signature algorithm check tightening</h2> + +<p>The OpenSSL update provided in this point release includes a +change to ensure that the requested signature algorithm is +supported by the active security level.</p> + +<p>Although this will not affect most use-cases, it could lead to +error messages being generated if a non-supported algorithm is +requested - for example, use of RSA+SHA1 signatures with the default +security level of 2.</p> + +<p>In such cases, the security level will need to be explicitly +lowered, either for individual requests or more globally. This +may require changes to the configuration of applications. For +OpenSSL itself, per-request lowering can be achieved using a +command-line option such as:</p> + +<p>-cipher <q>ALL:@SECLEVEL=1</q></p> + +<p>with the relevant system-level configuration being found in +/etc/ssl/openssl.cnf</p> + + +<h2>Miscellaneous Bugfixes</h2> + +<p>This oldstable update adds a few important corrections to the following packages:</p> + +<table border=0> +<tr><th>Package</th> <th>Reason</th></tr> +<correction apache-log4j1.2 "Resolve security issues [CVE-2021-4104 CVE-2022-23302 CVE-2022-23305 CVE-2022-23307], by removing support for the JMSSink, JDBCAppender, JMSAppender and Apache Chainsaw modules"> +<correction apache-log4j2 "Fix remote code execution issue [CVE-2021-44832]"> +<correction atftp "Fix information leak issue [CVE-2021-46671]"> +<correction base-files "Update for the 10.12 point release"> +<correction beads "Rebuild against updated cimg to fix multiple heap buffer overflows [CVE-2020-25693]"> +<correction btrbk "Fix regression in the update for CVE-2021-38173"> +<correction cargo-mozilla "New package, backported from Debian 11, to help build new rust versions"> +<correction chrony "Allow reading the chronyd configuration file that 
timemaster(8) generates"> +<correction cimg "Fix heap buffer overflow issues [CVE-2020-25693]"> +<correction clamav "New upstream stable release; fix denial of service issue [CVE-2022-20698]"> +<correction cups "Fix <q>an input validation issue might allow a malicious application to read restricted memory</q> [CVE-2020-10001]"> +<correction debian-installer "Rebuild against oldstable-proposed-updates; update kernel ABI to -20"> +<correction debian-installer-netboot-images "Rebuild against oldstable-proposed-updates"> +<correction detox "Fix processing of large files on ARM architectures"> +<correction evolution-data-server "Fix crash on malformed server reponse [CVE-2020-16117]"> +<correction flac "Fix out of bounds read issue [CVE-2020-0499]"> +<correction gerbv "Fix code execution issue [CVE-2021-40391]"> +<correction glibc "Import several fixes from upstream's stable branch; simplify the check for supported kernel versions, as 2.x kernels are no longer supported; support installation on kernels with a release number greater than 255"> +<correction gmp "Fix integer and buffer overflow issue [CVE-2021-43618]"> +<correction graphicsmagick "Fix buffer overflow issue [CVE-2020-12672]"> +<correction htmldoc "Fix out-of-bounds read issue [CVE-2022-0534], buffer overflow issues [CVE-2021-43579 CVE-2021-40985]"> +<correction http-parser "Resolve inadvertent ABI break"> +<correction icu "Fix <q>pkgdata</q> utility"> +<correction intel-microcode "Update included microcode; mitigate some security issues [CVE-2020-8694 CVE-2020-8695 CVE-2021-0127 CVE-2021-0145 CVE-2021-0146 CVE-2021-33120]"> +<correction jbig2dec "Fix buffer overflow issue [CVE-2020-12268]"> +<correction jtharness "New upstream version to support builds of newer OpenJDK-11 versions"> +<correction jtreg "New upstream version to support builds of newer OpenJDK-11 versions"> +<correction lemonldap-ng "Fix auth process in password-testing plugins [CVE-2021-20874]; add recommends on gsfonts, fixing captcha"> 
+<correction leptonlib "Fix denial of service issue [CVE-2020-36277], buffer over-read issues [CVE-2020-36278 CVE-2020-36279 CVE-2020-36280 CVE-2020-36281]"> +<correction libdatetime-timezone-perl "Update included data"> +<correction libencode-perl "Fix a memory leak in Encode.xs"> +<correction libetpan "Fix STARTTLS response injection issue [CVE-2020-15953]"> +<correction libextractor "Fix invalid read issue [CVE-2019-15531]"> +<correction libjackson-json-java "Fix code execution issues [CVE-2017-15095 CVE-2017-7525], XML external entity issues [CVE-2019-10172]"> +<correction libmodbus "Fix out of bound read issues [CVE-2019-14462 CVE-2019-14463]"> +<correction libpcap "Check PHB header length before using it to allocate memory [CVE-2019-15165]"> +<correction libsdl1.2 "Properly handle input focus events; fix buffer overflow issues [CVE-2019-13616 CVE-2019-7637], buffer over-read issues [CVE-2019-7572 CVE-2019-7573 CVE-2019-7574 CVE-2019-7575 CVE-2019-7576 CVE-2019-7577 CVE-2019-7578 CVE-2019-7635 CVE-2019-7636 CVE-2019-7638]"> +<correction libxml2 "Fix use-after-free issue [CVE-2022-23308]"> +<correction linux "New upstream stable release; [rt] Update to 4.19.233-rt105; increase ABI to 20"> +<correction linux-latest "Update to 4.19.0-20 ABI"> +<correction linux-signed-amd64 "New upstream stable release; [rt] Update to 4.19.233-rt105; increase ABI to 20"> +<correction linux-signed-arm64 "New upstream stable release; [rt] Update to 4.19.233-rt105; increase ABI to 20"> +<correction linux-signed-i386 "New upstream stable release; [rt] Update to 4.19.233-rt105; increase ABI to 20"> +<correction llvm-toolchain-11 "New package, backported from Debian 11, to help build new rust versions"> +<correction lxcfs "Fix misreporting of swap usage"> +<correction mailman "Fix cross-site scripting issue [CVE-2021-43331]; fix <q>a list moderator can crack the list admin password encrypted in a CSRF token</q> [CVE-2021-43332]; fix potential CSRF attack against a list admin from a 
list member or moderator [CVE-2021-44227]; fix regressions in fixes for CVE-2021-42097 and CVE-2021-44227"> +<correction mariadb-10.3 "New upstream stable release; security fixes [CVE-2021-35604 CVE-2021-46659 CVE-2021-46661 CVE-2021-46662 CVE-2021-46663 CVE-2021-46664 CVE-2021-46665 CVE-2021-46667 CVE-2021-46668 CVE-2022-24048 CVE-2022-24050 CVE-2022-24051 CVE-2022-24052]"> +<correction node-getobject "Fix prototype pollution issue [CVE-2020-28282]"> +<correction opensc "Fix out-of-bounds access issues [CVE-2019-15945 CVE-2019-15946], crash due to read of unknown memory [CVE-2019-19479], double free issue [CVE-2019-20792], buffer overflow issues [CVE-2020-26570 CVE-2020-26571 CVE-2020-26572]"> +<correction openscad "Fix buffer overflows in STL parser [CVE-2020-28599 CVE-2020-28600]"> +<correction openssl "New upstream release"> +<correction php-illuminate-database "Fix query binding issue [CVE-2021-21263], SQL injection issue when used with Microsoft SQL Server"> +<correction phpliteadmin "Fix cross-site scripting issue [CVE-2021-46709]"> +<correction plib "Fix integer overflow issue [CVE-2021-38714]"> +<correction privoxy "Fix memory leak [CVE-2021-44540] and cross-site scripting issue [CVE-2021-44543]"> +<correction publicsuffix "Update included data"> +<correction python-virtualenv "Avoid attempting to install pkg_resources from PyPI"> +<correction raptor2 "Fix out of bounds array access issue [CVE-2020-25713]"> +<correction ros-ros-comm "Fix denial of service issue [CVE-2021-37146]"> +<correction rsyslog "Fix heap overflow issues [CVE-2019-17041 CVE-2019-17042]"> +<correction ruby-httpclient "Use system certificate store"> +<correction rust-cbindgen "New upstream stable release to support builds of newer firefox-esr and thunderbird versions"> +<correction rustc-mozilla "New source package to support building of newer firefox-esr and thunderbird versions"> +<correction s390-dasd "Stop passing deprecated -f option to dasdfmt"> +<correction spip "Fix cross-site 
scripting issue"> +<correction tzdata "Update data for Fiji and Palestine"> +<correction vim "Fix ability to execute code while in restricted mode [CVE-2019-20807], buffer overflow issues [CVE-2021-3770 CVE-2021-3778 CVE-2021-3875], use after free issue [CVE-2021-3796]; remove accidentally included patch"> +<correction wavpack "Fix use of uninitialized values [CVE-2019-1010317 CVE-2019-1010319]"> +<correction weechat "Fix several denial of service issues [CVE-2020-8955 CVE-2020-9759 CVE-2020-9760 CVE-2021-40516]"> +<correction wireshark "Fix several security issues in dissectors [CVE-2021-22207 CVE-2021-22235 CVE-2021-39921 CVE-2021-39922 CVE-2021-39923 CVE-2021-39924 CVE-2021-39928 CVE-2021-39929]"> +<correction xterm "Fix buffer overflow issue [CVE-2022-24130]"> +<correction zziplib "Fix denial of service issue [CVE-2020-18442]"> +</table> + + +<h2>Security Updates</h2> + + +<p>This revision adds the following security updates to the oldstable release. +The Security Team has already released an advisory for each of these +updates:</p> + +<table border=0> +<tr><th>Advisory ID</th> <th>Package</th></tr> +<dsa 2019 4513 samba> +<dsa 2021 4982 apache2> +<dsa 2021 4983 neutron> +<dsa 2021 4985 wordpress> +<dsa 2021 4986 tomcat9> +<dsa 2021 4987 squashfs-tools> +<dsa 2021 4989 strongswan> +<dsa 2021 4990 ffmpeg> +<dsa 2021 4991 mailman> +<dsa 2021 4993 php7.3> +<dsa 2021 4994 bind9> +<dsa 2021 4995 webkit2gtk> +<dsa 2021 4997 tiff> +<dsa 2021 5000 openjdk-11> +<dsa 2021 5001 redis> +<dsa 2021 5004 libxstream-java> +<dsa 2021 5005 ruby-kaminari> +<dsa 2021 5006 postgresql-11> +<dsa 2021 5010 libxml-security-java> +<dsa 2021 5011 salt> +<dsa 2021 5013 roundcube> +<dsa 2021 5014 icu> +<dsa 2021 5015 samba> +<dsa 2021 5016 nss> +<dsa 2021 5018 python-babel> +<dsa 2021 5019 wireshark> +<dsa 2021 5020 apache-log4j2> +<dsa 2021 5021 mediawiki> +<dsa 2021 5022 apache-log4j2> +<dsa 2021 5023 modsecurity-apache> +<dsa 2021 5024 apache-log4j2> +<dsa 2021 5027 xorg-server> +<dsa 
2021 5028 spip> +<dsa 2021 5029 sogo> +<dsa 2021 5030 webkit2gtk> +<dsa 2021 5032 djvulibre> +<dsa 2022 5035 apache2> +<dsa 2022 5036 sphinxsearch> +<dsa 2022 5037 roundcube> +<dsa 2022 5038 ghostscript> +<dsa 2022 5039 wordpress> +<dsa 2022 5040 lighttpd> +<dsa 2022 5043 lxml> +<dsa 2022 5047 prosody> +<dsa 2022 5051 aide> +<dsa 2022 5052 usbview> +<dsa 2022 5053 pillow> +<dsa 2022 5056 strongswan> +<dsa 2022 5057 openjdk-11> +<dsa 2022 5059 policykit-1> +<dsa 2022 5060 webkit2gtk> +<dsa 2022 5062 nss> +<dsa 2022 5063 uriparser> +<dsa 2022 5065 ipython> +<dsa 2022 5066 ruby2.5> +<dsa 2022 5071 samba> +<dsa 2022 5072 debian-edu-config> +<dsa 2022 5073 expat> +<dsa 2022 5075 minetest> +<dsa 2022 5076 h2database> +<dsa 2022 5078 zsh> +<dsa 2022 5081 redis> +<dsa 2022 5083 webkit2gtk> +<dsa 2022 5085 expat> +<dsa 2022 5087 cyrus-sasl2> +<dsa 2022 5088 varnish> +<dsa 2022 5093 spip> +<dsa 2022 5096 linux-latest> +<dsa 2022 5096 linux-signed-amd64> +<dsa 2022 5096 linux-signed-arm64> +<dsa 2022 5096 linux-signed-i386> +<dsa 2022 5096 linux> +<dsa 2022 5098 tryton-server> +<dsa 2022 5099 tryton-proteus> +<dsa 2022 5100 nbd> +<dsa 2022 5101 libphp-adodb> +<dsa 2022 5103 openssl> +<dsa 2022 5105 bind9> +</table> + + +<h2>Removed packages</h2> + +<p>The following packages were removed due to circumstances beyond our control:</p> + +<table border=0> +<tr><th>Package</th> <th>Reason</th></tr> +<correction angular-maven-plugin "No longer useful"> +<correction minify-maven-plugin "No longer useful"> + +</table> + +<h2>Debian Installer</h2> +<p>The installer has been updated to include the fixes incorporated +into oldstable by the point release.</p> + +<h2>URLs</h2> + +<p>The complete lists of packages that have changed with this revision:</p> + +<div class="center"> + <url "https://deb.debian.org/debian/dists/<downcase <codename>>/ChangeLog"> +</div> + +<p>The current oldstable distribution:</p> + +<div class="center"> + <url "https://deb.debian.org/debian/dists/oldstable/"> 
+</div> + +<p>Proposed updates to the oldstable distribution:</p> + +<div class="center"> + <url "https://deb.debian.org/debian/dists/oldstable-proposed-updates"> +</div> + +<p>oldstable distribution information (release notes, errata etc.):</p> + +<div class="center"> + <a + href="$(HOME)/releases/oldstable/">https://www.debian.org/releases/oldstable/</a> +</div> + +<p>Security announcements and information:</p> + +<div class="center"> + <a href="$(HOME)/security/">https://www.debian.org/security/</a> +</div> + +<h2>About Debian</h2> + +<p>The Debian Project is an association of Free Software developers who +volunteer their time and effort in order to produce the completely +free operating system Debian.</p> + +<h2>Contact Information</h2> + +<p>For further information, please visit the Debian web pages at +<a href="$(HOME)/">https://www.debian.org/</a>, send mail to +<press@debian.org>, or contact the stable release team at +<debian-release@lists.debian.org>.</p> + + |
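Review bot: the bullseye file (20220326.wml) leaves an empty run of lines between the mirror-list block and the "Miscellaneous Bugfixes" heading, exactly where the buster file in this same commit carries its "OpenSSL signature algorithm check tightening" section; since this file also ships an openssl correction ("New upstream release; fix armv8 pointer authentication"), confirm whether the security-level behaviour change applies to the bullseye update too and either add the same section here or drop the blank lines. Also in this hunk: the symfony entry reads "Fix CVE injection issue [CVE-2021-41270]", where "CVE injection" does not name a vulnerability class and looks like a typo (probably "CSV injection"; check against the advisory text before changing it). Minor style point: the `dsa` tag splits its third argument on commas, so rows that share one advisory, such as `<dsa 2022 5049 flatpak-builder>` and `<dsa 2022 5049 flatpak>`, could be collapsed into one row per DSA if the existing announcements follow that style.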
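Review bot: two spelling errors in the prose of the buster file (2022032602.wml): "the twelvth update" should read "the twelfth update", and the evolution-data-server entry's "malformed server reponse" should read "response". Also worth a consistency check: the lemonldap-ng entry cites CVE-2021-20874 with the description "Fix auth process in password-testing plugins", while the bullseye file in this same commit gives the identically described fix as CVE-2021-40874; one of the two identifiers is wrong. On the OpenSSL section: the `-cipher "ALL:@SECLEVEL=1"` example lowers the level for everything that command negotiates, and the text only points readers at /etc/ssl/openssl.cnf for the global case; naming the line they would actually edit there (`CipherString = DEFAULT@SECLEVEL=2` in the system default section) and stating plainly that a global change re-admits SHA1 signatures for every application using that configuration would make the per-application route the obvious first choice.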