Updated Debian 11: 11.1 released

October 9th, 2021

The Debian project is pleased to announce the first update of its stable distribution Debian 11 (codename bullseye). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 11 but only updates some of the packages included. There is no need to throw away old bullseye media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package	Reason
apr	Prevent out-of-bounds array dereference
atftp	Fix buffer overflow [CVE-2021-41054]
automysqlbackup	Fix crash when using LATEST=yes
base-files	Update for the 11.1 point release
clamav	New upstream stable release; fix clamdscan segfaults when --fdpass and --multipass are used together with ExcludePath
cloud-init	Avoid duplicate includedir in /etc/sudoers
cyrus-imapd	Fix denial-of-service issue [CVE-2021-33582]
dazzdb	Fix a use-after-free in DBstats
debian-edu-config	debian-edu-ltsp-install: extend main server related exclude list; add slapd and xrdp-sesman to the list of masked services
debian-installer	Rebuild against proposed updates; update Linux ABI to 5.10.0-9; use udebs from proposed-updates
debian-installer-netboot-images	Rebuild against proposed-updates; use udebs from proposed-updates and stable; use xz-compressed Packages files
detox	Fix handling of large files
devscripts	Make the --bpo option target bullseye-backports
dlt-viewer	Add missing qdlt/qdlt*.h header files to dev package
dpdk	New upstream stable release
fetchmail	Fix segmentation fault and security regression
flatpak	New upstream stable release; don't inherit an unusual $XDG_RUNTIME_DIR setting into the sandbox
freeradius	Fix thread crash and sample configuration
galera-3	New upstream stable release
galera-4	New upstream stable release; solve circular Conflicts with galera-3 by no longer providing a virtual galera package
glewlwyd	Fix possible buffer overflow during FIDO2 signature validation in webauthn registration [CVE-2021-40818]
glibc	Restart openssh-server even if it has been deconfigured during the upgrade; fix text fallback when debconf is unusable
gnome-maps	New upstream stable release; fix a crash when starting up with last-used map type being aerial, and no aerial tile definition is found; don't sometimes write broken last view position on exit; fix hang when dragging around route markers
gnome-shell	New upstream stable release; fix freeze after cancelling (some) system-modal dialogs; fix word suggestions in on-screen keyboard; fix crashes
hdf5	Adjust package dependencies to improve upgrade paths from older releases
iotop-c	Properly handle UTF-8 process names
jailkit	Fix creation of jails that need to use /dev; fix library presence check
java-atk-wrapper	Also use dbus to detect accessibility being enabled
krb5	Fix KDC null dereference crash on FAST request with no server field [CVE-2021-37750]; fix memory leak in krb5_gss_inquire_cred
libavif	Use correct libdir in libavif.pc pkgconfig file
libbluray	Switch to embedded libasm; the version from libasm-java is too new
libdatetime-timezone-perl	New upstream stable release; update DST rules for Samoa and Jordon; confirmation of no leap second on 2021-12-31
libslirp	Fix multiple buffer overflow issues [CVE-2021-3592 CVE-2021-3593 CVE-2021-3594 CVE-2021-3595]
linux	New upstream stable release; increase ABI to 9; [rt] Update to 5.10.65-rt53; [mipsel] bpf, mips: Validate conditional branch offsets [CVE-2021-38300]
linux-signed-amd64	New upstream stable release; increase ABI to 9; [rt] Update to 5.10.65-rt53; [mipsel] bpf, mips: Validate conditional branch offsets [CVE-2021-38300]
linux-signed-arm64	New upstream stable release; increase ABI to 9; [rt] Update to 5.10.65-rt53; [mipsel] bpf, mips: Validate conditional branch offsets [CVE-2021-38300]
linux-signed-i386	New upstream stable release; increase ABI to 9; [rt] Update to 5.10.65-rt53; [mipsel] bpf, mips: Validate conditional branch offsets [CVE-2021-38300]
mariadb-10.5	New upstream stable release; security fixes [CVE-2021-2372 CVE-2021-2389]
mbrola	Fix end of file detection
modsecurity-crs	Fix request body bypass issue [CVE-2021-35368]
mtr	Fix regression in JSON output
mutter	New upstream stable release; kms: Improve handling of common video modes that might exceed the possible bandwidth; ensure valid window texture size after viewport changes
nautilus	Avoid opening multiple selected files in multiple application instances; don't save window size and position when tiled; fix some memory leaks; update translations
node-ansi-regex	Fix regular expression-based denial of service issue [CVE-2021-3807]
node-axios	Fix regular expression-based denial of service issue [CVE-2021-3749]
node-object-path	Fix prototype pollution issues [CVE-2021-23434 CVE-2021-3805]
node-prismjs	Fix regular expression-based denial of service issue [CVE-2021-3801]
node-set-value	Fix prototype pollution [CVE-2021-23440]
node-tar	Remove non-directory paths from the directory cache [CVE-2021-32803]; strip absolute paths more comprehensively [CVE-2021-32804]
osmcoastline	Fix projections other than WGS84
osmpbf	Rebuild against protobuf 3.12.4
pam	Fix syntax error in libpam0g.postinst when a systemd unit fails
perl	Security update; fix a regular expression memory leak
pglogical	Update for PostgreSQL 13.4 snapshot handling fixes
pmdk	Fix missing barriers after non-temporal memcpy
postgresql-13	New upstream stable release; fix mis-planning of repeated application of a projection step [CVE-2021-3677]; disallow SSL renegotiation more completely
proftpd-dfsg	Fix mod_radius leaks memory contents to radius server and sftp connection aborts with Corrupted MAC on input; skip escaping of already-escaped SQL text
pyx3	Fix horizontal font alignment issue with texlive 2020
reportbug	Update suite names following bullseye release
request-tracker4	Fix login timing side-channel attack issue [CVE-2021-38562]
rhonabwy	Fix JWE CBC tag computation and JWS alg:none signature verification
rpki-trust-anchors	Add HTTPS URL to the LACNIC TAL
rsync	Re-add --copy-devices; fix regression in --delay-updates; fix edge case in --mkpath; fix rsync-ssl; fix --sparce and --inplace; update options available to rrsync; documentation fixes
ruby-rqrcode-rails3	Fix for ruby-rqrcode 1.0 compatibility
sabnzbdplus	Prevent directory escape in renamer function [CVE-2021-29488]
shellcheck	Fix rendering of long options in manpage
shiro	Fix authentication bypass issues [CVE-2020-1957 CVE-2020-11989 CVE-2020-13933 CVE-2020-17510]; update Spring Framework compatibility patch; support Guice 4
speech-dispatcher	Fix setting of voice name for the generic module
telegram-desktop	Avoid crash when auto-delete is enabled
termshark	Include themes in package
tmux	Fix a race condition which results in the config not being loaded if several clients are interacting with the server while it's initializing
txt2man	Fix regression in handling display blocks
tzdata	Update DST rules for Samoa and Jordan; confirm the absence of a leap second on 2021-12-31
ublock-origin	New upstream stable release; fix denial of service issue [CVE-2021-36773]
ulfius	Ensure memory is initialised before use [CVE-2021-40540]

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID	Package
DSA-4959	thunderbird
DSA-4960	haproxy
DSA-4961	tor
DSA-4962	ledgersmb
DSA-4963	openssl
DSA-4964	grilo
DSA-4965	libssh
DSA-4966	gpac
DSA-4967	squashfs-tools
DSA-4968	haproxy
DSA-4969	firefox-esr
DSA-4970	postorius
DSA-4971	ntfs-3g
DSA-4972	ghostscript
DSA-4973	thunderbird
DSA-4974	nextcloud-desktop
DSA-4975	webkit2gtk
DSA-4976	wpewebkit
DSA-4977	xen
DSA-4978	linux-signed-amd64
DSA-4978	linux-signed-arm64
DSA-4978	linux-signed-i386
DSA-4978	linux
DSA-4979	mediawiki

During the final stages of the bullseye freeze, some updates were released via the security archive but without an accompanying DSA. These updates are detailed below.

Package	Reason
apache2	Fix mod_proxy HTTP2 request line injection [CVE-2021-33193]
btrbk	Fix arbitrary code execution issue [CVE-2021-38173]
c-ares	Fix missing input validation on hostnames returned by DNS servers [CVE-2021-3672]
exiv2	Fix overflow issues [CVE-2021-29457 CVE-2021-31292]
firefox-esr	New upstream stable release [CVE-2021-29980 CVE-2021-29984 CVE-2021-29985 CVE-2021-29986 CVE-2021-29988 CVE-2021-29989]
libencode-perl	Encode: mitigate @INC pollution when loading ConfigLocal [CVE-2021-36770]
libspf2	spf_compile.c: Correct size of ds_avail [CVE-2021-20314]; fix reverse macro modifier
lynx	Fix leakage of credentials if SNI was used together with a URL containing credentials [CVE-2021-38165]
nodejs	New upstream stable release; fix use after free issue [CVE-2021-22930]
tomcat9	Fix authentication bypass issue [CVE-2021-30640] and request smuggling issue [CVE-2021-33037]
xmlgraphics-commons	Fix server side request forgery issue [CVE-2020-11988]

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

https://deb.debian.org/debian/dists/bullseye/ChangeLog

The current stable distribution:

https://deb.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

https://deb.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <[email protected]>, or contact the stable release team at <[email protected]>.