Rilasciato aggiornamento di Debian 12: 12.4

10 Dicembre 2023

Attenzione: questo documento è stato aggiornato perché Debian 12.4 sostituisce Debian 12.3. Queste modifiche sono dovute ad un bollettino della sicurezza #1057843 a proposito di problemi con il linux-image-6.1.0-14 (6.1.64-1).

Debian 12.4 viene rilasciata con linux-image-6.1.0-15 (6.1.66-1), oltre ad alcune altre correzioni

Il progetto Debian è felice di annunciare il quarto aggiornamento della distribuzione stabile Debian 12 (nome in codice bookworm). Questo aggiornamento minore aggiunge soluzioni di problemi di sicurezza, oltre ad alcune correzioni per problemi seri. I bollettini della sicurezza sono già stati pubblicati separatamente e sono qui elencati dove possibile.

Notare che questo rilascio minore non è una nuova versione di Debian 12 ma solo un aggiornamento di alcuni pacchetti che ne fanno parte. Non è necessario buttare via il vecchio supporto di installazione di bookworm. Dopo l'installazione i pacchetti verranno aggiornati alle ultime versioni usando uno qualsiasi dei mirror Debian aggiornati.

Coloro che aggiornano il sistema frequentemente tramite security.debian.org non avranno molti pacchetti da aggiornare, e molti di questi sono inclusi nel rilascio minore.

Nuove immagini per l'installazione saranno presto disponibili nelle posizioni usuali.

Aggiornare una installazione esistente a questa revisione, può essere fatto configurando il sistema di gestione dei pacchetti per puntare ad uno dei tanti mirror HTTP Debian. Un elenco completo di questi mirror è disponibile qui:

https://www.debian.org/mirror/list

Risoluzione di problemi vari

Questo aggiornamento aggiunge alcune importanti correzioni ai seguenti pacchetti (in inglese):

Pacchetto Motivo
adequate Skip symbol-size-mismatch test on architectures where array symbols don't include a specific length; disable deprecation warnings about smartmatch, given, when in Perl 5.38; fix warnings from version comparison about smartmatch being experimental
amanda Fix local privilege escalation [CVE-2023-30577]
arctica-greeter Move logo away from border when greeting
awstats Avoid prompts on upgrade due to logrotate configuration cleanup
axis Filter out unsupported protocols in the client class ServiceFactory [CVE-2023-40743]
base-files Update for the 12.4 point release
ca-certificates-java Remove circular dependencies
calibre Fix crash in Get Books when regenerating UIC files
crun Fix containers with systemd as their init system, when using newer kernel versions
cups Take into account that on some printers the ColorModel option's choice for color printing is CMYK and not RGB
dav4tbsync New upstream version, restoring compatibility with newer Thunderbird versions
debian-edu-artwork Provide an Emerald theme based artwork for Debian Edu 12
debian-edu-config New upstream stable version; fix setting and changing of LDAP passwords
debian-edu-doc Update included documentation and translations
debian-edu-fai New upstream stable version
debian-edu-router Fix dnsmasq conf generation for networks over VLAN; only generate UIF filter rules for SSH if 'Uplink' interface is defined; update translations
debian-installer Increase Linux kernel ABI to 6.1.0-15; rebuild against proposed-updates
debian-installer-netboot-images Rebuild against proposed-updates
debootstrap Backport merged-/usr support changes from trixie: implement merged-/usr by post-merging, default to merged-/usr for suites newer than bookworm in all profiles
devscripts Debchange: Update to current Debian distributions
dhcpcd5 Change Breaks/Replaces dhcpcd5 to Conflicts
di-netboot-assistant Fix support for bookworm live ISO image
distro-info Update tests for distro-info-data 0.58+deb12u1, which adjusted Debian 7's EoL date
distro-info-data Add Ubuntu 24.04 LTS Noble Numbat; fix several End Of Life dates
eas4tbsync New upstream version, restoring compatibility with newer Thunderbird versions
exfatprogs Fix out-of-bounds memory access issues [CVE-2023-45897]
exim4 Fix security issues relating to the proxy protocol [CVE-2023-42117] and DNSDB lookups [CVE-2023-42119]; add hardening for SPF lookups; disallow UTF-16 surrogates from ${utf8clean:...}; fix crash with tls_dhparam = none; fix $recipients expansion when used within ${run...}; fix expiry date of auto-generated SSL certificates; fix crash induced by some combinations of zero-length strings and ${tr...}
fonts-noto-color-emoji Add support for Unicode 15.1
gimp Add Conflicts and Replaces: gimp-dds to remove old versions of this plugin shipped by gimp itself since 2.10.10
gnome-characters Add support for Unicode 15.1
gnome-session Open text files in gnome-text-editor if gedit is not installed
gnome-shell New upstream stable release; allow notifications to be dismissed with backspace key in addition to the delete key; fix duplicate devices shown when reconnecting to PulseAudio; fix possible use-after-free crashes on PulseAudio/Pipewire restart; avoid sliders in quick settings (volume, etc.) being reported to accessibility tools as their own parent object; align scrolled viewports to the pixel grid to avoid jitter visible during scrolling
gnutls28 Fix timing sidechannel issue [CVE-2023-5981]
gosa New upstream stable release
gosa-plugins-sudo Fix uninitialised variable
hash-slinger Fix generation of TLSA records
intel-graphics-compiler Fix compatibility with stable's intel-vc-intrinsics version
iotop-c Fix the logic in only option; fix busy loop when ESC is pressed; fix ASCII graph rendering
jdupes Update prompts to help avoid choices that could lead to unexpected data loss
lastpass-cli New upstream stable release; update certificate hashes; add support for reading encrypted URLs
libapache2-mod-python Ensure binNMU versions are PEP-440-compliant
libde265 Fix segmentation violation issue [CVE-2023-27102], buffer overflow issues [CVE-2023-27103 CVE-2023-47471], buffer over-read issue [CVE-2023-43887]
libervia-backend Fix start failure without pre-existing configuration; make exec path absolute in dbus service file; fix dependencies on python3-txdbus/python3-dbus
libmateweather Locations: add San Miguel de Tucuman (Argentina); update forecast zones for Chicago; update data server URL; fix some location names
libsolv Enable support for zstd compression
linux Update to upstream stable release 6.1.66; update ABI to 15; [rt] Update to 6.1.59-rt16; enable X86_PLATFORM_DRIVERS_HP; nvmet: nul-terminate the NQNs passed in the connect command [CVE-2023-6121]
linux-signed-amd64 Update to upstream stable release 6.1.66; update ABI to 15; [rt] Update to 6.1.59-rt16; enable X86_PLATFORM_DRIVERS_HP; nvmet: nul-terminate the NQNs passed in the connect command [CVE-2023-6121]
linux-signed-arm64 Update to upstream stable release 6.1.66; update ABI to 15; [rt] Update to 6.1.59-rt16; enable X86_PLATFORM_DRIVERS_HP; nvmet: nul-terminate the NQNs passed in the connect command [CVE-2023-6121]
linux-signed-i386 Update to upstream stable release 6.1.66; update ABI to 15; [rt] Update to 6.1.59-rt16; enable X86_PLATFORM_DRIVERS_HP; nvmet: nul-terminate the NQNs passed in the connect command [CVE-2023-6121]
llvm-toolchain-16 New backported package to support builds of newer chromium versions
lxc Fix creating of ephemeral copies
mda-lv2 Fix LV2 plugin installation location
midge Remove non-free example files
minizip Fix integer and heap overflow issues [CVE-2023-45853]
mrtg Handle relocated configuration file; translation updates
mutter New upstream stable release; fix the ability to drag libdecor windows by their title bar on touchscreens; fix flickering and rendering artifacts when using software rendering; improve GNOME Shell app grid performance by avoiding repainting monitors other than the one it is displayed on
nagios-plugins-contrib Fix on-disk kernel version detection
network-manager-openconnect Add User Agent to Openconnect VPN for NetworkManager
node-undici Delete cookie and host headers on cross-origin redirect [CVE-2023-45143]
nvidia-graphics-drivers New upstream release; fix null pointer dereference issue [CVE-2023-31022]
nvidia-graphics-drivers-tesla New upstream release; fix null pointer dereference issue [CVE-2023-31022]
nvidia-graphics-drivers-tesla-470 New upstream release; fix null pointer dereference issue [CVE-2023-31022]
nvidia-open-gpu-kernel-modules New upstream release; fix null pointer dereference issue [CVE-2023-31022]
opendkim Fix removal of incoming Authentication-Results: headers [CVE-2022-48521]
openrefine Fix remote code execution vulnerability [CVE-2023-41887 CVE-2023-41886]
opensc Fix out-of-bounds read issue [CVE-2023-4535], potential PIN bypass [CVE-2023-40660], memory-handling issues [CVE-2023-40661]
oscrypto Fix OpenSSL version parsing; fix autopkgtest
pcs Fix resource move
perl Fix buffer overrun issue [CVE-2023-47038]
php-phpseclib3 Fix denial of service issue [CVE-2023-49316]
postgresql-15 New upstream stable release; fix SQL injection issue [CVE-2023-39417]; fix MERGE to enforce row security policies properly [CVE-2023-39418]
proftpd-dfsg Fix size of SSH key exchange buffers
python-cogent Only skip tests that require multiple CPUs when running on a single CPU system
python3-onelogin-saml2 Fix expired test payloads
pyzoltan Support building on single core systems
qbittorrent Disable UPnP for web UI by default in qbittorrent-nox
qemu Update to upstream stable release 7.2.7; hw/scsi/scsi-disk: Disallow block sizes smaller than 512 [CVE-2023-42467]
qpdf Fix data loss issue with some quoted octal strings
redis Drop ProcSubset=pid hardening flag from the systemd unit due to it causing crashes
rust-sd Ensure binary package versions sorts correctly relative to older releases (where it was built from a different source package)
sitesummary Use systemd timer for running sitesummary-client if available
speech-dispatcher-contrib Enable voxin on armhf and arm64
spyder Fix interface language auto-configuration
symfony Fix session fixation issue [CVE-2023-46733]; add missing escaping [CVE-2023-46734]
systemd New upstream stable release
tbsync New upstream version, restoring compatibility with newer Thunderbird versions
toil Only request a single core for tests
tzdata Update leap second list
unadf Fix buffer overflow issue [CVE-2016-1243]; fix code execution issue [CVE-2016-1244]
vips Fix null pointer dereference issue [CVE-2023-40032]
weborf Fix denial of service issue
wormhole-william Disable flaky tests, fixing build failures
xen New upstream stable update; fix several security issues [CVE-2022-40982 CVE-2023-20569 CVE-2023-20588 CVE-2023-20593 CVE-2023-34320 CVE-2023-34321 CVE-2023-34322 CVE-2023-34323 CVE-2023-34325 CVE-2023-34326 CVE-2023-34327 CVE-2023-34328 CVE-2023-46835 CVE-2023-46836]
yuzu Strip :native from glslang-tools build dependency, fixing build failure

Aggiornamenti della sicurezza

Questa revisione contiene i seguenti aggiornamenti per la sicurezza del rilascio stabile. Il gruppo della sicurezza ha già rilasciato i bollettini per ciascuno di questi aggionamenti:

Numero del bollettino Pacchetto
DSA-5499 chromium
DSA-5506 firefox-esr
DSA-5508 chromium
DSA-5511 mosquitto
DSA-5512 exim4
DSA-5513 thunderbird
DSA-5514 glibc
DSA-5515 chromium
DSA-5516 libxpm
DSA-5517 libx11
DSA-5518 libvpx
DSA-5519 grub-efi-amd64-signed
DSA-5519 grub-efi-arm64-signed
DSA-5519 grub-efi-ia32-signed
DSA-5519 grub2
DSA-5520 mediawiki
DSA-5521 tomcat10
DSA-5523 curl
DSA-5524 libcue
DSA-5525 samba
DSA-5526 chromium
DSA-5527 webkit2gtk
DSA-5528 node-babel7
DSA-5529 slurm-wlm-contrib
DSA-5529 slurm-wlm
DSA-5531 roundcube
DSA-5532 openssl
DSA-5533 gst-plugins-bad1.0
DSA-5534 xorg-server
DSA-5535 firefox-esr
DSA-5536 chromium
DSA-5538 thunderbird
DSA-5539 node-browserify-sign
DSA-5540 jetty9
DSA-5541 request-tracker5
DSA-5542 request-tracker4
DSA-5543 open-vm-tools
DSA-5544 zookeeper
DSA-5545 vlc
DSA-5546 chromium
DSA-5547 pmix
DSA-5548 jtreg6
DSA-5548 openjdk-17
DSA-5549 trafficserver
DSA-5550 cacti
DSA-5551 chromium
DSA-5552 ffmpeg
DSA-5553 postgresql-15
DSA-5555 openvpn
DSA-5556 chromium
DSA-5557 webkit2gtk
DSA-5558 netty
DSA-5559 wireshark
DSA-5560 strongswan
DSA-5561 firefox-esr
DSA-5562 tor
DSA-5563 intel-microcode
DSA-5564 gimp
DSA-5565 gst-plugins-bad1.0
DSA-5566 thunderbird
DSA-5567 tiff
DSA-5568 fastdds
DSA-5569 chromium
DSA-5570 nghttp2
DSA-5571 rabbitmq-server

Pacchetti rimossi

I seguenti pacchetti sono stati rimossi per motivi indipendenti da noi:

Pacchetto Motivo
gimp-dds No longer required; integrated into GIMP

Istallatore Debian

La procedura di installazione è stata aggiornata per includere le correzioni presenti in questo rilascio minore.

URL

L'elenco completo dei pacchetti cambiati in questa revisione:

https://deb.debian.org/debian/dists/bookworm/ChangeLog

La distribuzione stabile attuale:

https://deb.debian.org/debian/dists/stable/

Aggiornamenti proposti per la distribuzione stabile:

https://deb.debian.org/debian/dists/proposed-updates

Informazioni sulla distribuzione stabile (note di rilascio, errata, etc.):

https://www.debian.org/releases/stable/

Annunci e informazioni della sicurezza:

https://www.debian.org/security/

Su Debian

Il progetto Debian è una associazione di sviluppatori di software libero che volontariamente offrono il loro tempo e il loro lavoro per produrre il sistema operativo completamente libero Debian.

Contatti

Per maggiori informazioni visitare le pagine web Debian https://www.debian.org/, mandare un email a <[email protected]> o contattare il gruppo del rilascio stabile a <[email protected]>.