Release of Debian 12.8
The Debian project is pleased to announce the eighth update of its stable distribution Debian 12 (codename bookworm). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 12 but only updates some of the packages included. There is no need to throw away old bookworm media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
https://www.debian.org/mirror/list
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
- 7zip Fix heap buffer overflow in NTFS handler [CVE-2023-52168]; fix out-of-bounds read in NTFS handler [CVE-2023-52169]
- amanda Update incomplete fix for CVE-2022-37704, restoring operation with xfsdump
- apr Use 0600 perms for named shared mem consistently [CVE-2023-49582]
- base-files Update for the point release
- btrfs-progs Fix checksum calculation errors during volume conversion in btrfs-convert
- calamares-settings-debian Fix missing launcher on KDE desktops; fix btrfs mounts
- cjson Fix segmentation violation issue [CVE-2024-31755]
- clamav New upstream stable release; fix denial of service issue [CVE-2024-20505], file corruption issue [CVE-2024-20506]
- cloud-init Add support for multiple networkd Route sections
- cloud-initramfs-tools Add missing dependencies in the initramfs
- curl Fix incorrect handling of some OCSP responses [CVE-2024-8096]
- debian-installer Reinstate some armel netboot targets (openrd); increase Linux kernel ABI to 6.1.0-27; rebuild against proposed-updates
- debian-installer-netboot-images Rebuild against proposed-updates
- devscripts bts: always upgrade to STARTTLS on 587/tcp; build-rdeps: add support for non-free-firmware; chdist: update sources.list examples with non-free-firmware; build-rdeps: use all available distros by default
- diffoscope Fix build failure when processing a deliberately overlapping zip file in tests
- distro-info-data Add Ubuntu 25.04
- docker.io Fix bypassing of AuthZ plugins in some circumstances [CVE-2024-41110]
- dpdk New upstream stable release
- exim4 Fix crash in dbmnz when looking up keys with no content
- fcgiwrap Set proper ownership on repositories in git backend
- galera-4 New upstream stable release
- glib2.0 Provide libgio-2.0-dev from libglib2.0-dev, and libgio-2.0-dev-bin from libglib2.0-dev-bin
- glibc Change Croatian locale to use Euro as currency; revert upstream commit that modified the GLIBC_PRIVATE ABI, causing crashes with some static binaries on arm64; vfscanf(): fix matches longer than INT_MAX; ungetc(): fix uninitialized read when putting into unused streams, backup buffer leak on program exit; mremap(): fix support for the MREMAP_DONTUNMAP option; resolv: fix timeouts caused by short error responses or when single-request mode is enabled in resolv.conf
- gtk+3.0 Fix letting Orca announce initial focus
- ikiwiki-hosting Allow reading of all user repositories
- intel-microcode New upstream release; security fixes [CVE-2024-23984 CVE-2024-24968]
- ipmitool Fix a buffer overrun in the open interface; fix "lan print" failures on unsupported parameters; fix reading of temperature sensors; fix use of hex values when sending raw data
- iputils Fix incorrect handling of ICMP responses intended for other processes
- kexec-tools Mask kexec.service to prevent the init.d script from handling the kexec process on a systemd-enabled system
- lemonldap-ng Fix cross-site scripting vulnerability on login page [CVE-2024-48933]
- lgogdownloader Fix parsing of Galaxy URLs
- libskk Prevent crash on invalid JSON escape
- libvirt Fix running i686 VMs with AppArmor on the host; prevent certain guests from becoming unbootable or disappearing during upgrade
- linux New upstream release; bump ABI to 27
- linux-signed-amd64 New upstream release; bump ABI to 27
- linux-signed-arm64 New upstream release; bump ABI to 27
- linux-signed-i386 New upstream release; bump ABI to 27
- llvm-toolchain-15 Architecture-specific rebuild on mips64el to sync version with other architectures
- nghttp2 Fix denial of service issue [CVE-2024-28182]
- ninja-build Support large inode numbers on 32-bit systems
- node-dompurify Fix prototype pollution issues [CVE-2024-45801 CVE-2024-48910]
- node-es-module-lexer Fix build failure
- node-globby Fix build failure
- node-mdn-browser-compat-data Fix build failure
- node-rollup-plugin-node-polyfills Fix build failure
- node-tap Fix build failure
- node-xterm Fix TypeScript declarations
- node-y-protocols Fix build failure
- node-y-websocket Fix build failure
- node-ytdl-core Fix build failure
- notify-osd Correct executable path in desktop launcher file
- ntfs-3g Fix use-after-free in ntfs-uppercase-mbs; re-classify fuse as Depends, not Pre-Depends
- openssl New upstream stable release; fix buffer overread issue [CVE-2024-5535], out of bounds memory access [CVE-2024-9143]
- ostree Prevent crashing libflatpak when using curl 8.10
- puppetserver Reinstate scheduled job to clean reports after 30 days, avoiding disk space exhaustion
- puredata Fix privilege escalation issue [CVE-2023-47480]
- python-cryptography Fix NULL dereference when loading PKCS7 certificates [CVE-2023-49083]; fix NULL dereference when PKCS#12 key and cert don't match [CVE-2024-26130]
- python3.11 Fix regression in zipfile.Path; prevent ReDoS vulnerability with crafted tar archives
- reprepro Prevent hangs when running unzstd
- sqlite3 Fix a buffer overread issue [CVE-2023-7104], a stack overflow issue and an integer overflow issue
- sumo Fix a race condition when building documentation
- systemd New upstream stable release
- tgt chap: Use proper entropy source [CVE-2024-45751]
- timeshift Add missing dependency on pkexec
- util-linux Allow lscpu to identify new Arm cores
- vmdb2 Set locale to UTF-8
- wireshark New upstream security release [CVE-2024-0208, CVE-2024-0209, CVE-2024-2955, CVE-2024-4853, CVE-2024-4854, CVE-2024-4855, CVE-2024-8250, CVE-2024-8645]
- xfpt Fix buffer overflow issue [CVE-2024-43700]
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
- DSA-5729 apache2
- DSA-5733 thunderbird
- DSA-5744 thunderbird
- DSA-5758 trafficserver
- DSA-5759 python3.11
- DSA-5760 ghostscript
- DSA-5761 chromium
- DSA-5762 webkit2gtk
- DSA-5763 pymatgen
- DSA-5764 openssl
- DSA-5765 firefox-esr
- DSA-5766 chromium
- DSA-5767 thunderbird
- DSA-5768 chromium
- DSA-5769 git
- DSA-5770 expat
- DSA-5771 php-twig
- DSA-5772 libreoffice
- DSA-5773 chromium
- DSA-5774 ruby-saml
- DSA-5775 chromium
- DSA-5776 tryton-server
- DSA-5777 booth
- DSA-5778 cups-filters
- DSA-5779 cups
- DSA-5780 php8.2
- DSA-5781 chromium
- DSA-5782 linux-signed-amd64
- DSA-5782 linux-signed-arm64
- DSA-5782 linux-signed-i386
- DSA-5782 linux
- DSA-5783 firefox-esr
- DSA-5784 oath-toolkit
- DSA-5785 mediawiki
- DSA-5786 libgsf
- DSA-5787 chromium
- DSA-5788 firefox-esr
- DSA-5789 thunderbird
- DSA-5790 node-dompurify
- DSA-5791 python-reportlab
- DSA-5792 webkit2gtk
- DSA-5793 chromium
- DSA-5794 openjdk-17
- DSA-5795 python-sql
- DSA-5796 libheif
- DSA-5797 twisted
- DSA-5798 activemq
- DSA-5799 chromium
- DSA-5800 xorg-server
- DSA-5802 chromium