Updated Debian 12: 12.8 released
November 9th, 2024
The Debian project is pleased to announce the eighth update of its
stable distribution Debian 12 (codename bookworm
).
This point release mainly adds corrections for security issues,
along with a few adjustments for serious problems. Security advisories
have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian
12 but only updates some of the packages included. There is
no need to throw away old bookworm
media. After installation,
packages can be upgraded to the current versions using an up-to-date Debian
mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
| Package | Reason |
|---|---|
| 7zip | Fix heap buffer overflow in NTFS handler [CVE-2023-52168]; fix out-of-bounds read in NTFS handler [CVE-2023-52169] |
| amanda | Update incomplete fix for CVE-2022-37704, restoring operation with xfsdump |
| apr | Use 0600 perms for named shared mem consistently [CVE-2023-49582] |
| base-files | Update for the point release |
| btrfs-progs | Fix checksum calculation errors during volume conversion in btrfs-convert |
| calamares-settings-debian | Fix missing launcher on KDE desktops; fix btrfs mounts |
| cjson | Fix segmentation violation issue [CVE-2024-31755] |
| clamav | New upstream stable release; fix denial of service issue [CVE-2024-20505], file corruption issue [CVE-2024-20506] |
| cloud-init | Add support for multiple networkd Route sections |
| cloud-initramfs-tools | Add missing dependencies in the initramfs |
| curl | Fix incorrect handling of some OCSP responses [CVE-2024-8096] |
| debian-installer | Reinstate some armel netboot targets (openrd); increase Linux kernel ABI to 6.1.0-27; rebuild against proposed-updates |
| debian-installer-netboot-images | Rebuild against proposed-updates |
| devscripts | bts: always upgrade to STARTTLS on 587/tcp; build-rdeps: add support for non-free-firmware; chdist: update sources.list examples with non-free-firmware; build-rdeps: use all available distros by default |
| diffoscope | Fix build failure when processing a deliberately overlapping zip file in tests |
| distro-info-data | Add Ubuntu 25.04 |
| docker.io | Fix bypassing of AuthZ plugins in some circumstances [CVE-2024-41110] |
| dpdk | New upstream stable release |
| exim4 | Fix crash in dbmnz when looking up keys with no content |
| fcgiwrap | Set proper ownership on repositories in git backend |
| galera-4 | New upstream stable release |
| glib2.0 | Provide libgio-2.0-dev from libglib2.0-dev, and libgio-2.0-dev-bin from libglib2.0-dev-bin |
| glibc | Change Croatian locale to use Euro as currency; revert upstream commit that modified the GLIBC_PRIVATE ABI, causing crashes with some static binaries on arm64; vfscanf(): fix matches longer than INT_MAX; ungetc(): fix uninitialized read when putting into unused streams, backup buffer leak on program exit; mremap(): fix support for the MREMAP_DONTUNMAP option; resolv: fix timeouts caused by short error responses or when single-request mode is enabled in resolv.conf |
| gtk+3.0 | Fix letting Orca announce initial focus |
| ikiwiki-hosting | Allow reading of all user repositories |
| intel-microcode | New upstream release; security fixes [CVE-2024-23984 CVE-2024-24968] |
| ipmitool | Fix a buffer overrun in openinterface; fix lan print fails on unsupported parameters; fix reading of temperature sensors; fix using hex values when sending raw data |
| iputils | Fix incorrect handling of ICMP responses intended for other processes |
| kexec-tools | Mask kexec.service to prevent the init.d script handling kexec process on a systemd enabled system |
| lemonldap-ng | Fix cross-site scripting vulnerability on login page [CVE-2024-48933] |
| lgogdownloader | Fix parsing of Galaxy URLs |
| libskk | Prevent crash on invalid JSON escape |
| libvirt | Fix running i686 VMs with AppArmor on the host; prevent certain guests from becoming unbootable or disappearing during upgrade |
| linux | New upstream release; bump ABI to 27 |
| linux-signed-amd64 | New upstream release; bump ABI to 27 |
| linux-signed-arm64 | New upstream release; bump ABI to 27 |
| linux-signed-i386 | New upstream release; bump ABI to 27 |
| llvm-toolchain-15 | Architecture-specific rebuild on mips64el to sync version with other architectures |
| nghttp2 | Fix denial of service issue [CVE-2024-28182] |
| ninja-build | Support large inode numbers on 32-bit systems |
| node-dompurify | Fix prototype pollution issues [CVE-2024-45801 CVE-2024-48910] |
| node-es-module-lexer | Fix build failure |
| node-globby | Fix build failure |
| node-mdn-browser-compat-data | Fix build failure |
| node-rollup-plugin-node-polyfills | Fix build failure |
| node-tap | Fix build failure |
| node-xterm | Fix TypeScript declarations |
| node-y-protocols | Fix build failure |
| node-y-websocket | Fix build failure |
| node-ytdl-core | Fix build failure |
| notify-osd | Correct executable path in desktop launcher file |
| ntfs-3g | Fix use-after-free in ntfs-uppercase-mbs; re-classify fuse as Depends, not Pre-Depends |
| openssl | New upstream stable release; fix buffer overread issue [CVE-2024-5535], out of bounds memory access [CVE-2024-9143] |
| ostree | Prevent crashing libflatpak when using curl 8.10 |
| puppetserver | Reinstate scheduled job to clean reports after 30 days, avoiding disk space exhaustion |
| puredata | Fix privilege escalation issue [CVE-2023-47480] |
| python-cryptography | Fix NULL dereference when loading PKCS7 certificates [CVE-2023-49083]; fix NULL dereference when PKCS#12 key and cert don't match [CVE-2024-26130] |
| python3.11 | Fix regression in zipfile.Path; prevent ReDoS vulnerability with crafted tar archives |
| reprepro | Prevent hangs when running unzstd |
| sqlite3 | Fix a buffer overread issue [CVE-2023-7104], a stack overflow issue and an integer overflow issue |
| sumo | Fix a race condition when building documentation |
| systemd | New upstream stable release |
| tgt | chap: Use proper entropy source [CVE-2024-45751] |
| timeshift | Add missing dependency on pkexec |
| util-linux | Allow lscpu to identify new Arm cores |
| vmdb2 | Set locale to UTF-8 |
| wireshark | New upstream security release [CVE-2024-0208, CVE-2024-0209, CVE-2024-2955, CVE-2024-4853, CVE-2024-4854, CVE-2024-4855, CVE-2024-8250, CVE-2024-8645] |
| xfpt | Fix buffer overflow issue [CVE-2024-43700] |
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Debian Installer
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
stable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <[email protected]>, or contact the stable release team at <[email protected]>.