Updated Debian 12: 12.6 released
June 29, 2024
The Debian project is pleased to announce the sixth update of its stable distribution Debian 12 (codename bookworm).
This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 12 but only updates some of the packages included. There is no need to throw away old bookworm installation media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org will not have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available here:
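The upgrade path above amounts to "point APT at a current mirror and upgrade". The following shell helper is an added example, not part of the Debian announcement or of any Debian tooling: before pulling the point release it confirms that the classic one-line `/etc/apt/sources.list` carries both a `bookworm` and a `bookworm-security` entry (deb822-style `.sources` files are not parsed; that is an assumption of this example), and afterwards it reads `/etc/debian_version` to confirm the system reports 12.6. The function names and the `upgrade` argument guard are this example's own choices, so the checks can be run against constructed files without touching the system.

```shell
#!/bin/sh
# Added example (not from the Debian announcement). Assumes the classic
# one-line /etc/apt/sources.list format; paths are parameters so the
# checks can be exercised against constructed files.

# Return 0 when the sources file names both the bookworm suite and the
# bookworm-security suite; any missing line means the point release (or
# the security updates it bundles) would not be picked up by apt.
check_sources() {
  file="$1"
  grep -Eq '^deb[[:space:]]+[^[:space:]]+[[:space:]]+bookworm[[:space:]]' "$file" || return 1
  grep -Eq '^deb[[:space:]]+[^[:space:]]+[[:space:]]+bookworm-security[[:space:]]' "$file" || return 1
  return 0
}

# Print the point release recorded in a debian_version file (e.g. "12.6").
point_release() {
  tr -d '[:space:]' < "$1"
}

# Return 0 when the recorded version is 12.6 or a later bookworm point release.
at_least_12_6() {
  v=$(point_release "$1")
  major=${v%%.*}
  minor=${v#*.}
  [ "$major" -eq 12 ] && [ "$minor" -ge 6 ]
}

# Apply the point release. Only runs when the script is invoked with the
# argument "upgrade", so the functions above can be sourced or tested
# without modifying the host.
if [ "${1:-}" = "upgrade" ]; then
  check_sources /etc/apt/sources.list || {
    echo "sources.list lacks a bookworm or bookworm-security entry" >&2
    exit 1
  }
  apt-get update && apt-get full-upgrade
  if at_least_12_6 /etc/debian_version; then
    echo "system now reports $(point_release /etc/debian_version)"
  else
    echo "still at $(point_release /etc/debian_version); check the mirror" >&2
    exit 1
  fi
fi
```

Run it as `sh upgrade-check.sh upgrade` on a bookworm host; without the argument it only defines the functions. The pre-flight check matters because a sources.list that lacks `bookworm-security` would otherwise let the security fixes listed below arrive only via the point release, or not at all if the mirror is stale.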
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
| Package | Reason | 
|---|---|
| aide | Fix concurrent reading of extended attributes | 
| amavisd-new | Handle multiple boundary parameters that contain conflicting values [CVE-2024-28054]; fix race condition in postinst | 
| archlinux-keyring | Switch to pre-built keyrings; sync with upstream | 
| base-files | Update for the 12.6 point release | 
| bash | Rebuild to fix outdated Built-Using | 
| bioawk | Disable parallel builds to fix random failures | 
| bluez | Fix remote code execution issues [CVE-2023-27349 CVE-2023-50229 CVE-2023-50230] | 
| cdo | Disable hirlam-extensions to avoid causing issues with ICON data files | 
| chkrootkit | Rebuild to fix outdated Built-Using | 
| cjson | Fix missing NULL checks [CVE-2023-50471 CVE-2023-50472] | 
| clamav | New upstream stable release; fix possible heap overflow issue [CVE-2024-20290], possible command injection issue [CVE-2024-20328] | 
| cloud-init | Declare conflicts/replaces on versioned package introduced for bullseye | 
| comitup | Ensure service is unmasked in post install | 
| cpu | Provide exactly one definition of globalLdap in LDAP plugin | 
| crmsh | Create log directory and file on installation | 
| crowdsec-custom-bouncer | Rebuild to fix outdated Built-Using | 
| crowdsec-firewall-bouncer | Rebuild against golang-github-google-nftables version with fixed little-endian architecture support | 
| curl | Do not keep default protocols when deselected [CVE-2024-2004]; fix memory leak [CVE-2024-2398] | 
| dar | Rebuild to fix outdated Built-Using | 
| dcmtk | Clean up properly on purge | 
| debian-installer | Increase Linux kernel ABI to 6.1.0-22; rebuild against proposed-updates | 
| debian-installer-netboot-images | Rebuild against proposed-updates | 
| debvm | debvm-create: do install login; bin/debvm-waitssh: make --timeout=N work; bin/debvm-run: allow being run in environments without TERM set; fix resolv.conf in stretch | 
| dhcpcd5 | privsep: Allow zero length messages through; fix server not being restarted correctly during upgrades | 
| distro-info-data | Declare intentions for bullseye/bookworm; fix past data; add Ubuntu 24.10 | 
| djangorestframework | Reinstate missing static files | 
| dm-writeboost | Fix build error with 6.9 kernel and backports | 
| dns-root-data | Update root hints; update expired security information | 
| dpdk | New upstream stable release | 
| ebook-speaker | Support username over 8 characters when enumerating groups | 
| emacs | Security fixes [CVE-2024-30202 CVE-2024-30203 CVE-2024-30204 CVE-2024-30205]; replace expired package-keyring.gpg with a current version | 
| extrepo-data | Update repository information | 
| flatpak | New upstream stable release | 
| fpga-icestorm | Restore compatibility with yosys | 
| freetype | Disable COLRv1 support, which was unintentionally enabled by upstream; fix function existence check when calling get_colr_glyph_paint() | 
| galera-4 | New upstream bugfix release; update upstream release signing key; prevent date-related test failures | 
| gdk-pixbuf | ANI: Reject files with multiple anih chunks [CVE-2022-48622]; ANI: Reject files with multiple INAM or IART chunks; ANI: Validate anih chunk size | 
| glewlwyd | Fix potential buffer overflow during FIDO2 credential validation [CVE-2023-49208]; fix open redirection via redirect_uri [CVE-2024-25715] | 
| glib2.0 | Fix a (rare) memory leak | 
| glibc | Revert fix to always call destructors in reverse constructor order due to unforeseen application compatibility issues; fix a DTV corruption due to a reuse of a TLS module ID following dlclose with unused TLS | 
| gnutls28 | Fix certtool crash when verifying a certificate chain with more than 16 certificates [CVE-2024-28835]; fix side-channel in the deterministic ECDSA [CVE-2024-28834]; fix a memory leak; fix two segfault issues | 
| golang-github-containers-storage | Rebuild for outdated Built-Using | 
| golang-github-google-nftables | Fix AddSet() function on little-endian architectures | 
| golang-github-openshift-imagebuilder | Rebuild for outdated Built-Using | 
| gosu | Rebuild for outdated Built-Using | 
| gpaste | Fix conflict with older libpgpaste6 | 
| gross | Fix stack-based buffer overflow [CVE-2023-52159] | 
| hovercraft | Depend on python3-setuptools | 
| icinga2 | Fix segmentation fault on ppc64el | 
| igtf-policy-bundle | Address CAB Forum S/MIME policy change; apply accumulated updates to trust anchors | 
| intel-microcode | Security mitigations [CVE-2023-22655 CVE-2023-28746 CVE-2023-38575 CVE-2023-39368 CVE-2023-43490]; mitigate for INTEL-SA-01051 [CVE-2023-45733], INTEL-SA-01052 [CVE-2023-46103], INTEL-SA-01036 [CVE-2023-45745, CVE-2023-47855] and unspecified functional issues on various Intel processors | 
| jose | Fix potential denial-of-service issue [CVE-2023-50967] | 
| json-smart | Fix excessive recursion leading to stack overflow [CVE-2023-1370]; fix denial of service via crafted request [CVE-2021-31684] | 
| kio | Fix file loss and potential locking issues on CIFS | 
| lacme | Fix post-issuance validation logic | 
| libapache2-mod-auth-openidc | Fix missing input validation leading to DoS [CVE-2024-24814] | 
| libesmtp | Break and replace older library versions | 
| libimage-imlib2-perl | Fix package build | 
| libjwt | Fix timing side channel attack [CVE-2024-25189] | 
| libkf5ksieve | Prevent leaking passwords into server-side logs | 
| libmail-dkim-perl | Add dependency on libgetopt-long-descriptive-perl | 
| libpod | Handle removed containers properly | 
| libreoffice | Fix backup copy creation for files on mounted samba shares; don't remove libforuilo.so in -core-nogui | 
| libseccomp | Add support for syscalls up to Linux 6.7 | 
| libtommath | Fix integer overflow [CVE-2023-36328] | 
| libtool | Conflict with libltdl3-dev; fix check for += operator in func_append | 
| libxml-stream-perl | Fix compatibility with IO::Socket::SSL >= 2.078 | 
| linux | New upstream stable release; increase ABI to 22 | 
| linux-signed-amd64 | New upstream stable release; increase ABI to 22 | 
| linux-signed-arm64 | New upstream stable release; increase ABI to 22 | 
| linux-signed-i386 | New upstream stable release; increase ABI to 22 | 
| lua5.4 | debian/version-script: Export additional missing symbols for lua 5.4.4 | 
| lxc-templates | Fix the mirror option of lxc-debian | 
| mailman3 | Depend alternatively on cron-daemon; fix postgresql:// url in post-installation script | 
| mksh | Handle merged /usr in /etc/shells; fix crash with nested bashism; fix arguments to the dot command; distinguish unset and empty in `typeset -p` | 
| mobian-keyring | Update Mobian archive key | 
| ms-gsl | Mark not_null constructors as noexcept | 
| nano | Fix format string issues; fix with --cutfromcursor, undoing a justification can eat a line; fix malicious symlink issue; fix example bindings in nanorc  | 
| netcfg | Handle routing for single-address netmasks | 
| ngircd | Respect SSLConnect option for incoming connections; server certificate validation on server links (S2S-TLS); METADATA: Fix unsetting cloakhost | 
| node-babel7 | Fix building against nodejs 18.19.0+dfsg-6~deb12u1; add Breaks/Replaces against obsolete node-babel-* packages | 
| node-undici | Properly export typescript types | 
| node-v8-compile-cache | Fix tests when a newer nodejs version is used | 
| node-zx | Fix flaky test | 
| nodejs | Skip flaky tests for mipsel/mips64el | 
| nsis | Don't allow unprivileged users to delete the uninstaller directory [CVE-2023-37378]; fix regression in disabling stub relocations; build reproducibly for arm64 | 
| nvidia-graphics-drivers | Restore compatibility with newer Linux kernel builds; take over packages from nvidia-graphics-drivers-tesla; add new nvidia-suspend-common package; relax dh-dkms build-dependency for compatibility with bookworm; new upstream stable release [CVE-2023-0180 CVE-2023-0183 CVE-2023-0184 CVE-2023-0185 CVE-2023-0187 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199 CVE-2023-25515 CVE-2023-25516 CVE-2023-31022 CVE-2024-0074 CVE-2024-0075 CVE-2024-0078 CVE-2024-0090 CVE-2024-0092] | 
| nvidia-graphics-drivers-tesla | Restore compatibility with newer Linux kernel builds | 
| nvidia-graphics-drivers-tesla-470 | Restore compatibility with newer Linux kernel builds; stop building nvidia-cuda-mps; new upstream stable release; security fixes [CVE-2022-42265 CVE-2024-0074 CVE-2024-0078 CVE-2024-0090 CVE-2024-0092] | 
| nvidia-modprobe | Prepare to switch to 535 series LTS drivers | 
| nvidia-open-gpu-kernel-modules | Update to 535 series LTS drivers [CVE-2023-0180 CVE-2023-0183 CVE-2023-0184 CVE-2023-0185 CVE-2023-0187 CVE-2023-0188 CVE-2023-0189 CVE-2023-0190 CVE-2023-0191 CVE-2023-0194 CVE-2023-0195 CVE-2023-0198 CVE-2023-0199 CVE-2023-25515 CVE-2023-25516 CVE-2023-31022 CVE-2024-0074 CVE-2024-0075 CVE-2024-0078 CVE-2024-0090 CVE-2024-0092] | 
| nvidia-persistenced | Switch to 535 series LTS drivers; update list of supported drivers | 
| nvidia-settings | Also build for ppc64el; new upstream LTS release | 
| nvidia-xconfig | New upstream LTS release | 
| openrc | Ignore non-executable scripts in /etc/init.d | 
| openssl | New upstream stable release; fix excessive time taken issues [CVE-2023-5678 CVE-2023-6237], vector register corruption issue on PowerPC [CVE-2023-6129], PKCS12 Decoding crashes [CVE-2024-0727] | 
| openvpn-dco-dkms | Build for Linux >= 6.5; install compat-include directory; fix refcount imbalance | 
| orthanc-dicomweb | Rebuild to fix outdated Built-Using | 
| orthanc-gdcm | Rebuild to fix outdated Built-Using | 
| orthanc-mysql | Rebuild to fix outdated Built-Using | 
| orthanc-neuro | Rebuild to fix outdated Built-Using | 
| orthanc-postgresql | Rebuild to fix outdated Built-Using | 
| orthanc-python | Rebuild to fix outdated Built-Using | 
| orthanc-webviewer | Rebuild to fix outdated Built-Using | 
| orthanc-wsi | Rebuild to fix outdated Built-Using | 
| ovn | New upstream stable version; fix insufficient validation of incoming BFD packets [CVE-2024-2182] | 
| pdudaemon | Depend on python3-aiohttp | 
| php-composer-class-map-generator | Force system dependency loading | 
| php-composer-pcre | Add missing Breaks+Replaces: on composer (<< 2.2) | 
| php-composer-xdebug-handler | Force system dependency loading | 
| php-doctrine-annotations | Force system dependency loading | 
| php-doctrine-deprecations | Force system dependency loading | 
| php-doctrine-lexer | Force system dependency loading | 
| php-phpseclib | Guard isPrime() and randomPrime() for BigInteger [CVE-2024-27354]; limit OID length in ASN1 [CVE-2024-27355]; fix BigInteger getLength(); remove visibility modifiers from static variables | 
| php-phpseclib3 | Force system dependency loading; guard isPrime() and randomPrime() for BigInteger [CVE-2024-27354]; limit OID length in ASN1 [CVE-2024-27355]; fix BigInteger getLength() | 
| php-proxy-manager | Force system dependency loading | 
| php-symfony-contracts | Force system dependency loading | 
| php-zend-code | Force system dependency loading | 
| phpldapadmin | Fix compatibility with PHP 8.1+ | 
| phpseclib | Force system dependency loading; guard isPrime() and randomPrime() for BigInteger [CVE-2024-27354]; limit OID length in ASN1 [CVE-2024-27355]; fix BigInteger getLength() | 
| postfix | New upstream stable release | 
| postgresql-15 | New upstream stable release; restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to the table owner [CVE-2024-4317] | 
| prometheus-node-exporter-collectors | Do not adversely affect mirror network; fix deadlock with other apt update runs | 
| pymongo | Fix out-of-bounds read issue [CVE-2024-5629] | 
| pypy3 | Strip C0 control and space characters in urlsplit [CVE-2023-24329]; avoid bypass of TLS handshake protections on closed sockets [CVE-2023-40217]; tempfile.TemporaryDirectory: fix symlink bug in cleanup [CVE-2023-6597]; protect zipfile from quoted-overlap zipbomb [CVE-2024-0450] | 
| python-aiosmtpd | Fix SMTP smuggling issue [CVE-2024-27305]; fix STARTTLS unencrypted command injection issue [CVE-2024-34083] | 
| python-asdf | Remove unnecessary dependency on asdf-unit-schemas | 
| python-channels-redis | Ensure pools are closed on loop close in core | 
| python-idna | Fix denial of service issue [CVE-2024-3651] | 
| python-jwcrypto | Fix denial of service issue [CVE-2024-28102] | 
| python-xapian-haystack | Drop dependency on django.utils.six | 
| python3.11 | Fix use-after-free crash when deallocating a frame object; protect zipfile from quoted-overlap zipbomb [CVE-2024-0450]; tempfile.TemporaryDirectory: fix symlink bug in cleanup [CVE-2023-6597]; fix os.path.normpath(): path truncation at null bytes [CVE-2023-41105]; avoid bypass of TLS handshake protections on closed sockets [CVE-2023-40217]; strip C0 control and space characters in urlsplit [CVE-2023-24329]; avoid a potential null pointer dereference in fileutils | 
| qemu | New upstream stable release; security fixes [CVE-2024-26327 CVE-2024-26328 CVE-2024-3446 CVE-2024-3447] | 
| qtbase-opensource-src | Fix regression in patch for CVE-2023-24607; avoid using system CA certificates when not wanted [CVE-2023-34410]; fix buffer overflow [CVE-2023-37369]; fix infinite loop in XML recursive entity expansion [CVE-2023-38197]; fix buffer overflow with crafted KTX image file [CVE-2024-25580]; fix HPack integer overflow check [CVE-2023-51714] | 
| rails | Declare breaks and replaces on obsolete ruby-arel package | 
| riseup-vpn | Use system certificate bundle by default, restoring ability to connect to an endpoint using LetsEncrypt certificate | 
| ruby-aws-partitions | Ensure binary package includes partitions.json and partitions-metadata.json files | 
| ruby-premailer-rails | Remove build-dependency on obsolete ruby-arel | 
| rust-cbindgen-web | New source package to support builds of newer Firefox ESR versions | 
| rustc-web | New source package to support builds of web browsers | 
| schleuder | Fix argument parsing insufficient validation; fix importing keys from attachments sent by Thunderbird and handle mails without further content; look for keywords only at the start of mail; validate downcased email addresses when checking subscribers; consider From header for finding reply addresses | 
| sendmail | Fix SMTP smuggling issue [CVE-2023-51765] | 
| skeema | Rebuild for outdated Built-Using | 
| skopeo | Rebuild for outdated Built-Using | 
| software-properties | software-properties-qt: Add Conflicts+Replaces: on software-properties-kde for smoother upgrades from bullseye | 
| supermin | Rebuild to fix outdated Built-Using | 
| symfony | Force system dependency loading; DateTypeTest: ensure submitted year is accepted choice | 
| systemd | New upstream stable release; fix denial of service issues [CVE-2023-50387 CVE-2023-50868]; libnss-myhostname.nss: Install after files; libnss-mymachines.nss: Install before resolve and dns | 
| termshark | Rebuild to fix outdated Built-Using | 
| tripwire | Rebuild to fix outdated Built-Using | 
| tryton-client | Only send compressed content in authenticated sessions | 
| tryton-server | Prevent zip-bomb attacks from unauthenticated sources | 
| u-boot | Fix orion-timer for booting sheevaplug and related platforms | 
| uif | Support VLAN interface names | 
| umoci | Rebuild for outdated Built-Using | 
| user-mode-linux | Rebuilt to fix outdated Built-Using | 
| wayfire | Add missing dependencies | 
| what-is-python | Declare breaks and replaces on python-dev-is-python2; fix version mangling in build rules | 
| wpa | Fix authentication bypass issue [CVE-2023-52160] | 
| xscreensaver | Disable warning about old versions | 
| yapet | Do not call EVP_CIPHER_CTX_set_key_length() in crypt/blowfish and crypt/aes | 
| zsh | Rebuild to fix outdated Built-Using | 
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
| Package | Reason | 
|---|---|
| phppgadmin | Security issues; incompatible with bookworm's PostgreSQL version | 
| pytest-salt-factories | Only needed for salt, which is not part of bookworm | 
| ruby-arel | Obsolete, integrated into ruby-activerecord, incompatible with ruby-activerecord 6.1.x | 
| spip | Incompatible with bookworm's PHP version | 
| vasttrafik-cli | API withdrawn | 
Debian Installer
The installer has been updated to include the fixes incorporated into this point release.
URLs
The complete list of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
Stable distribution information (release notes, errata, etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.
