Updated Debian 12: 12.2 released

October 7th, 2023

The Debian project is pleased to announce the second update of its stable distribution Debian 12 (codename bookworm). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 12 but only updates some of the packages included. There is no need to throw away old bookworm media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package	Reason
amd64-microcode	Update included microcode, including fixes for AMD Inception on AMD Zen4 processors [CVE-2023-20569]
arctica-greeter	Support configuring the onscreen keyboard theme via ArcticaGreeter's gsettings; use Compact OSK layout (instead of Small) which includes special keys such as German Umlauts; fix display of authentication failure messages; use active theme rather than emerald
autofs	Fix regression determining reachability on dual-stack hosts
base-files	Update for the 12.2 point release
batik	Fix Server Side Request Forgery issues [CVE-2022-44729 CVE-2022-44730]
boxer-data	No longer install https-everywhere for Firefox
brltty	xbrlapi: Do not try to start brltty with ba+a2 when unavailable; fix cursor routing and braille panning in Orca when xbrlapi is installed but the a2 screen driver is not
ca-certificates-java	Work around unconfigured JRE during new installations
cairosvg	Handle data: URLs in safe mode
calibre	Fix export feature
clamav	New upstream stable release; security fixes [CVE-2023-20197 CVE-2023-20212]
cryptmount	Avoid memory initialisation issues in command line parser
cups	Fix heap-based buffer overflow issue [CVE-2023-4504]; fix unauthenticated access issue [CVE-2023-32360]
curl	Build with OpenLDAP to correct improper fetch of binary LDAP attributes; fix excessive memory consumption issue [CVE-2023-38039]
cyrus-imapd	Ensure mailboxes are not lost on upgrades from bullseye
dar	Fix issues with creating isolated catalogs when dar was built using a recent gcc version
dbus	New upstream stable release; fix a dbus-daemon crash during policy reload if a connection belongs to a user account that has been deleted, or if a Name Service Switch plugin is broken, on kernels not supporting SO_PEERGROUPS; report the error correctly if getting the groups of a uid fails; dbus-user-session: Copy XDG_CURRENT_DESKTOP to activation environment
debian-archive-keyring	Clean up leftover keyrings in trusted.gpg.d
debian-edu-doc	Update Debian Edu Bookworm manual
debian-edu-install	New upstream release; adjust D-I auto-partitioning sizes
debian-installer	Increase Linux kernel ABI to 6.1.0-13; rebuild against proposed-updates
debian-installer-netboot-images	Rebuild against proposed-updates
debian-parl	Rebuild with newer boxer-data; no longer depend on webext-https-everywhere
debianutils	Fix duplicate entries in /etc/shells; manage /bin/sh in the state file; fix canonicalization of shells in aliased locations
dgit	Use the old /updates security map only for buster; prevent pushing older versions than are already in the archive
dhcpcd5	Ease upgrades with leftovers from wheezy; drop deprecated ntpd integration; fix version in cleanup script
dpdk	New upstream stable release
dput-ng	Update permitted upload targets; fix failure to build from source
efibootguard	Fix Insufficient or missing validation and sanitization of input from untrustworthy bootloader environment files [CVE-2023-39950]
electrum	Fix a Lightning security issue
filezilla	Fix builds for 32-bit architectures; fix crash when removing filetypes from list
firewalld	Don't mix IPv4 and IPv6 addresses in a single nftables rule
flann	Drop extra -llz4 from flann.pc
foot	Ignore XTGETTCAP queries with invalid hex encodings
freedombox	Use n= in apt preferences for smooth upgrades
freeradius	Ensure TLS-Client-Cert-Common-Name contains correct data
ghostscript	Fix buffer overflow issue [CVE-2023-38559]; try and secure the IJS server startup [CVE-2023-43115]
gitit	Rebuild against new pandoc
gjs	Avoid infinite loops of idle callbacks if an idle handler is called during GC
glibc	Fix the value of F_GETLK/F_SETLK/F_SETLKW with __USE_FILE_OFFSET64 on ppc64el; fix a stack read overflow in getaddrinfo in no-aaaa mode [CVE-2023-4527]; fix use after free in getcanonname [CVE-2023-4806 CVE-2023-5156]; fix _dl_find_object to return correct values even during early startup
gosa-plugins-netgroups	Silence deprecation warnings in web interface
gosa-plugins-systems	Fix management of DHCP/DNS entries in default theme; fix adding (standalone) Network printer systems; fix generation of target DNs for various system types; fix icon rendering in DHCP servlet; enforce unqualified hostname for workstations
gtk+3.0	New upstream stable release; fix several crashes; show more information in the inspector debugging interface; silence GFileInfo warnings if used with a backported version of GLib; use a light colour for the caret in dark themes, making it much easier to see in some apps, in particular Evince
gtk4	Fix truncation in places sidebar with large text accessibility setting
haskell-hakyll	Rebuild against new pandoc
highway	Fix support for armhf systems lacking NEON
hnswlib	Fix double free in init_index when the M argument is a large integer [CVE-2023-37365]
horizon	Fix open redirect issue [CVE-2022-45582]
icingaweb2	Suppress undesirable deprecation notices
imlib2	Fix preservation of alpha channel flag
indent	Fix out of buffer read; fix buffer overwrite [CVE-2023-40305]
inetutils	Check return values when dropping privileges [CVE-2023-40303]
inn2	Fix nnrpd hangs when compression is enabled; add support for high-precision syslog timestamps; make inn-{radius,secrets}.conf not world readable
jekyll	Support YAML aliases
kernelshark	Fix segfault in libshark-tepdata; fix capturing when target directory contains a space
krb5	Fix freeing of uninitialised pointer [CVE-2023-36054]
lemonldap-ng	Apply login control to auth-slave requests; fix open redirection due to incorrect escape handling; fix open redirection when OIDC RP has no redirect URIs; fix Server Side Request Forgery issue [CVE-2023-44469]
libapache-mod-jk	Remove implicit mapping functionality, which could lead to unintended exposure of the status worker and/or bypass of security constraints [CVE-2023-41081]
libclamunrar	New upstream stable release
libmatemixer	Fix heap corruptions / application crashes when removing audio devices
libpam-mklocaluser	pam-auth-update: ensure the module is ordered before other session type modules
libxnvctrl	New source package split from nvidia-settings
linux	New upstream stable release
linux-signed-amd64	New upstream stable release
linux-signed-arm64	New upstream stable release
linux-signed-i386	New upstream stable release
llvm-defaults	Fix /usr/include/lld symlink; add Breaks against not co-installable packages for smoother upgrades from bullseye
ltsp	Avoid using mv on init symlink
lxc	Fix nftables syntax for IPv6 NAT
lxcfs	Fix CPU reporting within an arm32 container with large numbers of CPUs
marco	Only enable compositing if it is available
mariadb	New upstream bugfix release
mate-notification-daemon	Fix two memory leaks
mgba	Fix broken audio in libretro core; fix crash on hardware incapable of OpenGL 3.2
modsecurity	Fix denial of service issue [CVE-2023-38285]
monitoring-plugins	check_disk: avoid mounting when searching for matching mount points, resolving a regression in speed from bullseye
mozjs102	New upstream stable release; fix incorrect value used during WASM compilation [CVE-2023-4046], potential use after free issue [CVE-2023-37202], memory safety issues [CVE-2023-37211 CVE-2023-34416]
mutt	New upstream stable release
nco	Re-enable udunits2 support
nftables	Fix incorrect bytecode generation hit with new kernel check that rejects adding rules to bound chains
node-dottie	Security fix (prototype pollution) [CVE-2023-26132]
nvidia-settings	New upstream bugfix release
nvidia-settings-tesla	New upstream bugfix release
nx-libs	Fix missing symlink /usr/share/nx/fonts; fix manpage
open-ath9k-htc-firmware	Load correct firmware
openbsd-inetd	Fix memory handling issues
openrefine	Fix arbitrary code execution issue [CVE-2023-37476]
openscap	Fix dependencies of openscap-utils and python3-openscap
openssh	Fix remote code execution issue via a forwarded agent socket [CVE-2023-38408]
openssl	New upstream stable release; security fixes [CVE-2023-2975 CVE-2023-3446 CVE-2023-3817]
pam	Fix pam-auth-update --disable; update Turkish translation
pandoc	Fix arbitrary file write issue [CVE-2023-35936]
plasma-framework	Fix plasmashell crashes
plasma-workspace	Fix crash in krunner
python-git	Fix remote code execution issue [CVE-2023-40267], blind local file inclusion issue [CVE-2023-41040]
pywinrm	Fix compatibility with Python 3.11
qemu	Update to upstream 7.2.5 tree; ui/vnc-clipboard: fix infinite loop in inflate_buffer [CVE-2023-3255]; fix NULL pointer dereference issue [CVE-2023-3354]; fix buffer overflow issue [CVE-2023-3180]
qtlocation-opensource-src	Fix freeze when loading map tiles
rar	Upstream bugfix release [CVE-2023-40477]
reprepro	Fix race condition when using external decompressors
rmlint	Fix error in other packages caused by invalid python package version; fix GUI startup failure with recent python3.11
roundcube	New upstream stable release; fix OAuth2 authentication; fix cross site scripting issues [CVE-2023-43770]
runit-services	dhclient: don't hardcode use of eth1
samba	New upstream stable release
sitesummary	New upstream release; fix installation of sitesummary-maintenance CRON/systemd-timerd script; fix insecure temporary file and directory creation
slbackup-php	Bug fixes: log remote commands to stderr; disable SSH known hosts files; PHP 8 compatibility
spamprobe	Fix crashes parsing JPEG attachments
stunnel4	Fix handling of a peer closing TLS connection without proper shutdown messaging
systemd	New upstream stable release; fix minor security issue in arm64 and riscv64 systemd-boot (EFI) with device tree blobs loading
testng7	Backport to stable for future openjdk-17 builds
timg	Fix buffer overflow vulnerability [CVE-2023-40968]
transmission	Replace openssl3 compat patch to fix memory leak
unbound	Fix error log flooding when using DNS over TLS with openssl 3.0
unrar-nonfree	Fix remote code execution issue [CVE-2023-40477]
vorta	Handle ctime and mtime changes in diffs
vte2.91	Invalidate ring view more often when necessary, fixing various assertion failures during event handling
x2goserver	x2goruncommand: add support for KDE Plasma 5; x2gostartagent: prevent logfile corruption; keystrokes.cfg: sync with nx-libs; fix encoding of Finnish translation

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID	Package
DSA-5454	kanboard
DSA-5455	iperf3
DSA-5456	chromium
DSA-5457	webkit2gtk
DSA-5458	openjdk-17
DSA-5459	amd64-microcode
DSA-5460	curl
DSA-5462	linux-signed-amd64
DSA-5462	linux-signed-arm64
DSA-5462	linux-signed-i386
DSA-5462	linux
DSA-5463	thunderbird
DSA-5464	firefox-esr
DSA-5465	python-django
DSA-5466	ntpsec
DSA-5467	chromium
DSA-5468	webkit2gtk
DSA-5469	thunderbird
DSA-5471	libhtmlcleaner-java
DSA-5472	cjose
DSA-5473	orthanc
DSA-5474	intel-microcode
DSA-5475	linux-signed-amd64
DSA-5475	linux-signed-arm64
DSA-5475	linux-signed-i386
DSA-5475	linux
DSA-5476	gst-plugins-ugly1.0
DSA-5477	samba
DSA-5479	chromium
DSA-5481	fastdds
DSA-5482	tryton-server
DSA-5483	chromium
DSA-5484	librsvg
DSA-5485	firefox-esr
DSA-5487	chromium
DSA-5488	thunderbird
DSA-5491	chromium
DSA-5492	linux-signed-amd64
DSA-5492	linux-signed-arm64
DSA-5492	linux-signed-i386
DSA-5492	linux
DSA-5493	open-vm-tools
DSA-5494	mutt
DSA-5495	frr
DSA-5496	firefox-esr
DSA-5497	libwebp
DSA-5498	thunderbird
DSA-5501	gnome-shell
DSA-5504	bind9
DSA-5505	lldpd
DSA-5507	jetty9
DSA-5510	libvpx

Removed packages

The following packages were removed due to circumstances beyond our control:

Package	Reason
https-everywhere	obsolete, major browsers offer native support

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

https://deb.debian.org/debian/dists/bookworm/ChangeLog

The current stable distribution:

https://deb.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

https://deb.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <[email protected]>, or contact the stable release team at <[email protected]>.