Debian 11 update: release 11.4
9 July 2022
The Debian Project is pleased to announce the fourth update of its stable distribution Debian 11 (codename bullseye).
This point release mainly adds corrections for security problems, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that this point release does not constitute a new version of Debian 11 but only updates some of the packages included. There is no need to throw away old bullseye media; after installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org will not have to update many packages, as most of those updates are included in this point release.
New installation images will be available at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of Debian mirrors is available at:
Miscellaneous bugfixes
This stable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
apache2 | New upstream stable release; fix HTTP request smuggling issue [CVE-2022-26377], out-of-bounds read issues [CVE-2022-28330 CVE-2022-28614 CVE-2022-28615], denial of service issues [CVE-2022-29404 CVE-2022-30522], possible out-of-bounds read issue [CVE-2022-30556], possible IP-based authentication bypass issue [CVE-2022-31813] |
base-files | Update /etc/debian_version for the 11.4 point release |
bash | Fix 1-byte buffer overflow read, causing corrupted multibyte characters in command substitutions |
clamav | New upstream stable release; security fixes [CVE-2022-20770 CVE-2022-20771 CVE-2022-20785 CVE-2022-20792 CVE-2022-20796] |
clementine | Add missing dependency on libqt5sql5-sqlite |
composer | Fix code injection issue [CVE-2022-24828]; update GitHub token pattern |
cyrus-imapd | Ensure that all mailboxes have a uniqueid field, fixing upgrades to version 3.6 |
dbus-broker | Fix buffer overflow issue [CVE-2022-31212] |
debian-edu-config | Accept mail from the local network sent to root@<mynetwork-names>; only create Kerberos host and service principals if they don't yet exist; ensure libsss-sudo is installed on Roaming Workstations; fix naming and visibility of print queues; support krb5i on Diskless Workstations; squid: prefer DNSv4 lookups over DNSv6 |
debian-installer | Rebuild against proposed-updates; increase Linux kernel ABI to 16; reinstate some armel netboot targets (openrd) |
debian-installer-netboot-images | Rebuild against proposed-updates; increase Linux kernel ABI to 16; reinstate some armel netboot targets (openrd) |
distro-info-data | Add Ubuntu 22.10, Kinetic Kudu |
docker.io | Order docker.service after containerd.service to fix shutdown of containers; explicitly pass the containerd socket path to dockerd to make sure it doesn't start containerd on its own |
dpkg | dpkg-deb: Fix unexpected end of file conditions on .deb extract; libdpkg: Do not restrict source:* virtual fields to installed packages; Dpkg::Source::Package::V2: Always fix the permissions for upstream tarballs [regression from DSA-5147-1] |
freetype | Fix buffer overflow issue [CVE-2022-27404]; fix crashes [CVE-2022-27405 CVE-2022-27406] |
fribidi | Fix buffer overflow issues [CVE-2022-25308 CVE-2022-25309]; fix crash [CVE-2022-25310] |
ganeti | New upstream release; fix several upgrade issues; fix live migration with QEMU 4 and security_model of user or pool |
geeqie | Fix Ctrl click inside of a block selection |
gnutls28 | Fix SSSE3 SHA384 miscalculation; fix null pointer dereference issue [CVE-2021-4209] |
golang-github-russellhaering-goxmldsig | Fix null pointer dereference caused by crafted XML signatures [CVE-2020-7711] |
grunt | Fix path traversal issue [CVE-2022-0436] |
hdmi2usb-mode-switch | udev: Add a suffix to /dev/video device nodes to disambiguate them; move udev rules to priority 70, to come after 60-persistent-v4l.rules |
hexchat | Add missing dependency on python3-cffi-backend |
htmldoc | Fix infinite loop [CVE-2022-24191], integer overflow issues [CVE-2022-27114] and heap buffer overflow issue [CVE-2022-28085] |
knot-resolver | Fix possible assertion failure in NSEC3 edge-case [CVE-2021-40083] |
libapache2-mod-auth-openidc | New upstream stable release; fix open redirect issue [CVE-2021-39191]; fix crash on reload / restart |
libintl-perl | Really install gettext_xs.pm |
libsdl2 | Avoid out-of-bounds read while loading malformed BMP file [CVE-2021-33657], and during YUV to RGB conversion |
libtgowt | New upstream stable release, to support newer telegram-desktop |
linux | New upstream stable release; increase ABI to 16 |
linux-signed-amd64 | New upstream stable release; increase ABI to 16 |
linux-signed-arm64 | New upstream stable release; increase ABI to 16 |
linux-signed-i386 | New upstream stable release; increase ABI to 16 |
logrotate | Skip locking if state file is world-readable [CVE-2022-1348]; make configuration parsing stricter in order to avoid parsing foreign files such as core dumps |
lxc | Update default GPG key server, fixing creation of containers using the download template |
minidlna | Validate HTTP requests to protect against DNS rebinding attacks [CVE-2022-26505] |
mutt | Fix uudecode buffer overflow issue [CVE-2022-1328] |
nano | Several bug fixes, including fixes for crashes |
needrestart | Make cgroup detection for services and user sessions cgroup v2 aware |
network-manager | New upstream stable release |
nginx | Fix crash when libnginx-mod-http-lua is loaded and init_worker_by_lua* is used; mitigate application layer protocol content confusion attack in the Mail module [CVE-2021-3618] |
node-ejs | Fix server-side template injection issue [CVE-2022-29078] |
node-eventsource | Strip sensitive headers on redirect to different origin [CVE-2022-1650] |
node-got | Don't allow redirection to Unix socket [CVE-2022-33987] |
node-mermaid | Fix cross-site scripting issues [CVE-2021-23648 CVE-2021-43861] |
node-minimist | Fix prototype pollution issue [CVE-2021-44906] |
node-moment | Fix path traversal issue [CVE-2022-24785] |
node-node-forge | Fix signature verification issues [CVE-2022-24771 CVE-2022-24772 CVE-2022-24773] |
node-raw-body | Fix potential denial of service issue in node-express, by using node-iconv-lite rather than node-iconv |
node-sqlite3 | Fix denial of service issue [CVE-2022-21227] |
node-url-parse | Fix authentication bypass issues [CVE-2022-0686 CVE-2022-0691] |
nvidia-cuda-toolkit | Use OpenJDK8 snapshots for amd64 and ppc64el; check usability of the java binary; nsight-compute: Move the 'sections' folder to a multiarch location; fix nvidia-openjdk-8-jre version ordering |
nvidia-graphics-drivers | New upstream release; switch to upstream 470 tree; fix denial of service issues [CVE-2022-21813 CVE-2022-21814]; fix out-of-bounds write issue [CVE-2022-28181], out-of-bounds read issue [CVE-2022-28183], denial of service issues [CVE-2022-28184 CVE-2022-28191 CVE-2022-28192] |
nvidia-graphics-drivers-legacy-390xx | New upstream release; fix out-of-bounds write issues [CVE-2022-28181 CVE-2022-28185] |
nvidia-graphics-drivers-tesla-418 | New upstream stable release |
nvidia-graphics-drivers-tesla-450 | New upstream stable release; fix out-of-bounds write issues [CVE-2022-28181 CVE-2022-28185], denial of service issue [CVE-2022-28192] |
nvidia-graphics-drivers-tesla-460 | New upstream stable release |
nvidia-graphics-drivers-tesla-470 | New package, switching Tesla support to upstream 470 tree; fix out-of-bounds write issue [CVE-2022-28181], out-of-bounds read issue [CVE-2022-28183], denial of service issues [CVE-2022-28184 CVE-2022-28191 CVE-2022-28192] |
nvidia-persistenced | New upstream release; switch to upstream 470 tree |
nvidia-settings | New upstream release; switch to upstream 470 tree |
nvidia-settings-tesla-470 | New package, switching Tesla support to upstream 470 tree |
nvidia-xconfig | New upstream release |
openssh | seccomp: add pselect6_time64 syscall on 32-bit architectures |
orca | Fix usage with webkitgtk 2.36 |
php-guzzlehttp-psr7 | Fix improper header parsing [CVE-2022-24775] |
phpmyadmin | Fix some SQL queries generating a server error |
postfix | New upstream stable release; do not override user set default_transport in postinst; if-up.d: do not error out if postfix can't send mail yet |
procmail | Fix null pointer dereference |
python-scrapy | Don't send authentication data with all requests [CVE-2021-41125]; don't expose cookies cross-domain when redirecting [CVE-2022-0577] |
ruby-net-ssh | Fix authentication against systems using OpenSSH 8.8 |
runc | Honour seccomp defaultErrnoRet; do not set inheritable capabilities [CVE-2022-29162] |
samba | Fix winbind start failure when allow trusted domains = no is used; fix MIT Kerberos authentication; fix share escape issue via mkdir race condition [CVE-2021-43566]; fix possible serious data corruption issue due to Windows client cache poisoning; fix installation on non-systemd systems |
tcpdump | Update AppArmor profile to allow access to *.cap files, and handle numerical suffix in filenames added by -W |
telegram-desktop | New upstream stable release, restoring functionality |
tigervnc | Fix GNOME desktop start up when using tigervncserver@.service; fix colour display when vncviewer and X11 server use different endianness |
twisted | Fix information disclosure issue with cross-domain redirects [CVE-2022-21712], denial of service issue during SSH handshakes [CVE-2022-21716], HTTP request smuggling issues [CVE-2022-24801] |
tzdata | Update timezone data for Palestine; update leap second list |
ublock-origin | New upstream stable release |
unrar-nonfree | Fix directory traversal issue [CVE-2022-30333] |
usb.ids | New upstream release; update included data |
wireless-regdb | New upstream release; remove diversion added by the installer, ensuring that files from the package are used |
Security updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
elog | Unmaintained; security issues |
python-hbmqtt | Unmaintained and broken |
Debian Installer
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
Stable distribution information (release notes, errata, etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.