Debian 11.3, codename “bullseye”, was officially released late last month, on March 26, 2022. It is the long-term support (LTS) stable version of the Debian family of distributions, with version number 11.3. The Debian Project, the open-source community, foundation and association of Free Software developers behind the Debian operating system, is happy to officially announce the general availability of Debian 11.3 “bullseye” with a number of security updates, security advisories and bug fixes. Debian 11.0 was first released on August 14, 2021 and included many major changes from the previous release, Debian 10 “buster”.
It is a very stable distribution with long-term support (LTS) for up to 5 years, which can be extended to 10 years (possibly with paid support). It is the successor to Debian 10 “Buster”, which is still actively supported and maintained by the official Debian team, and to Debian 9 “Stretch”, which will reach its End Of Life (EOL) on June 30, 2022. As you may know, many Linux distributions are based on Debian, including Ubuntu, Linux Mint, Parrot OS, and Kali Linux (Offensive Security), which is designed specifically for penetration testing and digital forensics.
According to the official Debian team, the main purpose of the 11.3 point release is to ship corrections for security issues, along with adjustments for some serious problems. Security advisories have already been published separately and are referenced where available. The point release does not mark a new version of Debian 11; it only updates some of the included packages, so users do not need to throw away their old bullseye media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Most of these updates are included in the point release, so users who frequently install updates from security.debian.org will not have to update many packages. New installation images will be available at the regular locations. An existing installation can be upgraded to this revision by pointing the package management system at one of Debian’s many HTTP mirrors. A comprehensive list of mirrors is available at: https://www.debian.org/mirror/list
Debian 11.3 GNU/Linux “bullseye” ships with 92 bug fixes and 83 security updates.
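Before pointing apt at a mirror, it is worth checking that the host's sources actually cover all three suites a bullseye system needs (the mirror suite, bullseye-security and bullseye-updates), because a buster-era "bullseye/updates" security line silently delivers nothing. The script below is an added example, not part of the Debian announcement or the Debian project's tooling; it assumes the standard bullseye suite names and the standard locations /etc/apt/sources.list and /etc/debian_version, and it audits two constructed sample files when run somewhere those files do not exist.

```python
"""Audit an apt sources.list for a Debian 11 host before the point-release
upgrade: the mirror suite, the security suite and the bullseye-updates suite
must all be present, and the security suite must use the bullseye naming.
Added example, not from the Debian announcement or the Debian project.
"""
import os
import re
from collections import namedtuple
from typing import Dict, List

Source = namedtuple("Source", "uri suite components")

# One source line: "deb [options] URI suite component [component ...]"
SOURCE_RE = re.compile(
    r"^deb(?:-src)?\s+(?:\[[^\]]*\]\s+)?(?P<uri>\S+)\s+(?P<suite>\S+)\s+(?P<comps>\S.*)$"
)
# Assumption: these are the suite names a bullseye host must carry.
REQUIRED_SUITES = ("bullseye", "bullseye-security", "bullseye-updates")

# Constructed sample: a correct bullseye configuration.
GOOD_SOURCES = """\
deb http://deb.debian.org/debian bullseye main contrib
deb http://security.debian.org/debian-security bullseye-security main
deb http://deb.debian.org/debian bullseye-updates main
"""

# Constructed sample: a buster-era layout carried over to bullseye. The
# "bullseye/updates" suite does not exist, so no security updates arrive.
STALE_SOURCES = """\
deb http://deb.debian.org/debian bullseye main
deb http://security.debian.org/ bullseye/updates main   # copied from buster
"""


def parse_sources(text: str) -> List[Source]:
    """Return one Source per active deb/deb-src line; comments and blanks are skipped."""
    entries: List[Source] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SOURCE_RE.match(line) if line else None
        if m:
            entries.append(Source(m.group("uri"), m.group("suite"), m.group("comps").split()))
    return entries


def audit_sources(text: str) -> Dict[str, List[str]]:
    """List the suites found and every problem that would block bullseye updates."""
    entries = parse_sources(text)
    suites = sorted({e.suite for e in entries})
    problems: List[str] = []
    for suite in REQUIRED_SUITES:
        if suite not in suites:
            problems.append(f"missing suite: {suite}")
    for e in entries:
        if e.suite.endswith("/updates"):
            problems.append(f"obsolete security suite name: {e.suite} (use bullseye-security)")
        if e.suite == "bullseye-security" and "debian-security" not in e.uri:
            problems.append(f"bullseye-security must come from the debian-security archive: {e.uri}")
    return {"suites": suites, "problems": problems}


def on_bullseye(debian_version: str) -> bool:
    """True when the contents of /etc/debian_version describe an 11.x release."""
    v = debian_version.strip()
    return v == "11" or v.startswith("11.") or v.startswith("bullseye")


# The point-release upgrade itself, once the sources pass the audit.
UPGRADE_COMMANDS = ["apt-get update", "apt-get full-upgrade", "apt-get autoremove"]


def main() -> None:
    """Audit the live files when present, otherwise the constructed samples."""
    path = "/etc/apt/sources.list"
    text = open(path).read() if os.path.exists(path) else GOOD_SOURCES + STALE_SOURCES
    vpath = "/etc/debian_version"
    version = open(vpath).read() if os.path.exists(vpath) else "11.2\n"
    result = audit_sources(text)
    print("release is bullseye:", on_bullseye(version))
    print("suites:", ", ".join(result["suites"]))
    for p in result["problems"]:
        print("PROBLEM:", p)
    if not result["problems"] and on_bullseye(version):
        print("ready to upgrade; run as root:", " && ".join(UPGRADE_COMMANDS))


if __name__ == "__main__":
    main()
```

Only when the audit reports no problems do the listed apt-get commands pull the point release from the configured mirror; the stale sample shows the failure mode the audit is meant to catch.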
Miscellaneous Bugfixes on Debian 11.3 “bullseye”
The stable update of Debian 11.3 adds a few important corrections for the following packages (package name, followed by the reason for the update):
* apache-log4j1.2: Resolve security issues [CVE-2021-4104 CVE-2022-23302 CVE-2022-23305 CVE-2022-23307], by removing support for the JMSSink, JDBCAppender, JMSAppender and Apache Chainsaw modules
* apache-log4j2: Fix remote code execution issue [CVE-2021-44832]
* apache2: New upstream release; fix crash due to random memory read [CVE-2022-22719]; fix HTTP request smuggling issue [CVE-2022-22720]; fix out-of-bounds write issues [CVE-2022-22721 CVE-2022-23943]
* atftp: Fix information leak issue [CVE-2021-46671]
* base-files: Update for the 11.3 point release
* bible-kjv: Fix off-by-one error in search
* chrony: Allow reading the chronyd configuration file that timemaster(8) generates
* cinnamon: Fix crash when adding an online account with login
* clamav: New upstream stable release; fix denial of service issue [CVE-2022-20698]
* cups-filters: AppArmor: allow reading from Debian Edu's cups-browsed configuration file
* dask.distributed: Fix undesired listening of workers on public interfaces [CVE-2021-42343]; fix compatibility with Python 3.9
* debian-installer: Rebuild against proposed-updates; update Linux kernel ABI to 5.10.0-13
* debian-installer-netboot-images: Rebuild against proposed-updates
* debian-ports-archive-keyring: Add Debian Ports Archive Automatic Signing Key (2023); move the 2021 signing key to the removed keyring
* django-allauth: Fix OpenID support
* djbdns: Raise the axfrdns, dnscache, and tinydns data limit
* dpdk: New upstream stable release
* e2guardian: Fix missing SSL certificate validation issue [CVE-2021-44273]
* epiphany-browser: Work around a bug in GLib, fixing a UI process crash
* espeak-ng: Drop spurious 50ms delay while processing events
* espeakup: debian/espeakup.service: Protect espeakup from system overloads
* fcitx5-chinese-addons: fcitx5-table: add missing dependencies on fcitx5-module-pinyinhelper and fcitx5-module-punctuation
* flac: Fix out-of-bounds write issue [CVE-2021-0561]
* freerdp2: Disable additional debug logging
* galera-3: New upstream release
* galera-4: New upstream release
* gbonds: Use Treasury API for redemption data
* glewlwyd: Fix possible privilege escalation
* glibc: Fix bad conversion from ISO-2022-JP-3 with iconv [CVE-2021-43396]; fix buffer overflow issues [CVE-2022-23218 CVE-2022-23219]; fix use-after-free issue [CVE-2021-33574]; stop replacing older versions of /etc/nsswitch.conf; simplify the check for supported kernel versions, as 2.x kernels are no longer supported; support installation on kernels with a release number greater than 255
* glx-alternatives: After initial setup of the diversions, install a minimal alternative to the diverted files so that libraries are not missing until glx-alternative-mesa processes its triggers
* gnupg2: scd: Fix CCID driver for SCM SPR332/SPR532; avoid network interaction in generator, which can lead to hangs
* gnuplot: Fix division by zero [CVE-2021-44917]
* golang-1.15: Fix IsOnCurve for big.Int values that are not valid coordinates [CVE-2022-23806]; math/big: prevent large memory consumption in Rat.SetString [CVE-2022-23772]; cmd/go: prevent branches from materializing into versions [CVE-2022-23773]; fix stack exhaustion compiling deeply nested expressions [CVE-2022-24921]
* golang-github-containers-common: Update seccomp support to enable use of newer kernel versions
* golang-github-opencontainers-specs: Update seccomp support to enable use of newer kernel versions
* gtk+3.0: Fix missing search results when using NFS; prevent Wayland clipboard handling from locking up in certain corner cases; improve printing to mDNS-discovered printers
* heartbeat: Fix creation of /run/heartbeat on systems using systemd
* htmldoc: Fix out-of-bounds read issue [CVE-2022-0534]
* installation-guide: Update documentation and translations
* intel-microcode: Update included microcode; mitigate some security issues [CVE-2020-8694 CVE-2020-8695 CVE-2021-0127 CVE-2021-0145 CVE-2021-0146 CVE-2021-33120]
* ldap2zone: Use mktemp rather than the deprecated tempfile, avoiding warnings
* lemonldap-ng: Fix auth process in password-testing plugins [CVE-2021-40874]
* libarchive: Fix extracting hardlinks to symlinks; fix handling of symlink ACLs [CVE-2021-23177]; never follow symlinks when setting file flags [CVE-2021-31566]
* libdatetime-timezone-perl: Update included data
* libgdal-grass: Rebuild against grass 7.8.5-1+deb11u1
* libpod: Update seccomp support to enable use of newer kernel versions
* libxml2: Fix use-after-free issue [CVE-2022-23308]
* linux: New upstream stable release; [rt] Update to 5.10.106-rt64; increase ABI to 13
* linux-signed-amd64: New upstream stable release; [rt] Update to 5.10.106-rt64; increase ABI to 13
* linux-signed-arm64: New upstream stable release; [rt] Update to 5.10.106-rt64; increase ABI to 13
* linux-signed-i386: New upstream stable release; [rt] Update to 5.10.106-rt64; increase ABI to 13
* mariadb-10.5: New upstream release; security fixes [CVE-2021-35604 CVE-2021-46659 CVE-2021-46661 CVE-2021-46662 CVE-2021-46663 CVE-2021-46664 CVE-2021-46665 CVE-2021-46667 CVE-2021-46668 CVE-2022-24048 CVE-2022-24050 CVE-2022-24051 CVE-2022-24052]
* mpich: Add Breaks: on older versions of libmpich1.0-dev, resolving some upgrade issues
* mujs: Fix buffer overflow issue [CVE-2021-45005]
* mutter: Backport various fixes from upstream's stable branch
* node-cached-path-relative: Fix prototype pollution issue [CVE-2021-23518]
* node-fetch: Don't forward secure headers to third party domains [CVE-2022-0235]
* node-follow-redirects: Don't send Cookie header across domains [CVE-2022-0155]; don't send confidential headers across schemes [CVE-2022-0536]
* node-markdown-it: Fix regular expression-based denial of service issue [CVE-2022-21670]
* node-nth-check: Fix regular expression-based denial of service issue [CVE-2021-3803]
* node-prismjs: Escape markup in command line output [CVE-2022-23647]; update minified files to ensure that Regular Expression Denial of Service issue is resolved [CVE-2021-3801]
* node-trim-newlines: Fix regular expression-based denial of service issue [CVE-2021-33623]
* nvidia-cuda-toolkit: cuda-gdb: Disable non-functional python support causing segmentation faults; use a snapshot of openjdk-8-jre (8u312-b07-1)
* nvidia-graphics-drivers-tesla-450: New upstream release; fix denial of service issues [CVE-2022-21813 CVE-2022-21814]; nvidia-kernel-support: Provide /etc/modprobe.d/nvidia-options.conf as a template
* nvidia-modprobe: New upstream release
* openboard: Fix application icon
* openssl: New upstream release; fix armv8 pointer authentication
* openvswitch: Fix use-after-free issue [CVE-2021-36980]; fix installation of libofproto
* ostree: Fix compatibility with eCryptFS; avoid infinite recursion when recovering from certain errors; mark commits as partial before downloading; fix an assertion failure when using a backport or local build of GLib >= 2.71; fix the ability to fetch OSTree content from paths containing non-URI characters (such as backslashes) or non-ASCII
* pdb2pqr: Fix compatibility of propka with Python 3.8 or above
* php-crypt-gpg: Prevent additional options being passed to GPG [CVE-2022-24953]
* php-laravel-framework: Fix cross-site scripting issue [CVE-2021-43808], missing blocking of executable content upload [CVE-2021-43617]
* phpliteadmin: Fix cross-site scripting issue [CVE-2021-46709]
* prips: Fix infinite wrapping if a range reaches 255.255.255.255; fix CIDR output with addresses that differ in their first bit
* pypy3: Fix build failures by removing extraneous #endif from import.h
* python-django: Fix denial of service issue [CVE-2021-45115], information disclosure issue [CVE-2021-45116], directory traversal issue [CVE-2021-45452]; fix a traceback around the handling of RequestSite/get_current_site() due to a circular import
* python-pip: Avoid a race condition when using zip-imported dependencies
* rust-cbindgen: New upstream stable release to support builds of newer firefox-esr and thunderbird versions
* s390-dasd: Stop passing deprecated -f option to dasdfmt
* schleuder: Migrate boolean values to integers, if the ActiveRecord SQLite3 connection adapter is in use, restoring functionality
* sphinx-bootstrap-theme: Fix search functionality
* spip: Fix several cross-site scripting issues
* symfony: Fix CSV injection issue [CVE-2021-41270]
* systemd: Fix uncontrolled recursion in systemd-tmpfiles [CVE-2021-3997]; demote systemd-timesyncd from Depends to Recommends, removing a dependency cycle; fix failure to bind mount a directory into a container using machinectl; fix regression in udev resulting in long delays when processing partitions with the same label; fix a regression when using systemd-networkd in an unprivileged LXD container
* sysvinit: Fix parsing of shutdown +0; clarify that when called with a time shutdown will not exit
* tasksel: Install CUPS for all *-desktop tasks, as task-print-service no longer exists
* usb.ids: Update included data
* weechat: Fix denial of service issue [CVE-2021-40516]
* wolfssl: Fix several issues related to OCSP handling [CVE-2021-3336 CVE-2021-37155 CVE-2021-38597] and TLS 1.3 support [CVE-2021-44718 CVE-2022-25638 CVE-2022-25640]
* xserver-xorg-video-intel: Fix SIGILL crash on non-SSE2 CPUs
* xterm: Fix buffer overflow issue [CVE-2022-24130]
* zziplib: Fix denial of service issue [CVE-2020-18442]
Security Updates for Debian 11.3 “bullseye”
This revision adds the following security updates to the stable release, Debian 11.3 “bullseye”. The Security Team has already released an advisory for each of them (advisory ID, followed by the package):
* DSA-5000: openjdk-11
* DSA-5001: redis
* DSA-5012: openjdk-17
* DSA-5021: mediawiki
* DSA-5023: modsecurity-apache
* DSA-5024: apache-log4j2
* DSA-5025: tang
* DSA-5027: xorg-server
* DSA-5028: spip
* DSA-5029: sogo
* DSA-5030: webkit2gtk
* DSA-5031: wpewebkit
* DSA-5033: fort-validator
* DSA-5035: apache2
* DSA-5037: roundcube
* DSA-5038: ghostscript
* DSA-5039: wordpress
* DSA-5040: lighttpd
* DSA-5041: cfrpki
* DSA-5042: epiphany-browser
* DSA-5043: lxml
* DSA-5046: chromium
* DSA-5047: prosody
* DSA-5048: libreswan
* DSA-5049: flatpak-builder
* DSA-5049: flatpak
* DSA-5050: linux-signed-amd64
* DSA-5050: linux-signed-arm64
* DSA-5050: linux-signed-i386
* DSA-5050: linux
* DSA-5051: aide
* DSA-5052: usbview
* DSA-5053: pillow
* DSA-5054: chromium
* DSA-5055: util-linux
* DSA-5056: strongswan
* DSA-5057: openjdk-11
* DSA-5058: openjdk-17
* DSA-5059: policykit-1
* DSA-5060: webkit2gtk
* DSA-5061: wpewebkit
* DSA-5062: nss
* DSA-5063: uriparser
* DSA-5064: python-nbxmpp
* DSA-5065: ipython
* DSA-5067: ruby2.7
* DSA-5068: chromium
* DSA-5070: cryptsetup
* DSA-5071: samba
* DSA-5072: debian-edu-config
* DSA-5073: expat
* DSA-5075: minetest
* DSA-5076: h2database
* DSA-5077: librecad
* DSA-5078: zsh
* DSA-5079: chromium
* DSA-5080: snapd
* DSA-5081: redis
* DSA-5082: php7.4
* DSA-5083: webkit2gtk
* DSA-5084: wpewebkit
* DSA-5085: expat
* DSA-5087: cyrus-sasl2
* DSA-5088: varnish
* DSA-5089: chromium
* DSA-5091: containerd
* DSA-5092: linux-signed-amd64
* DSA-5092: linux-signed-arm64
* DSA-5092: linux-signed-i386
* DSA-5092: linux
* DSA-5093: spip
* DSA-5095: linux-signed-amd64
* DSA-5095: linux-signed-arm64
* DSA-5095: linux-signed-i386
* DSA-5095: linux
* DSA-5098: tryton-server
* DSA-5099: tryton-proteus
* DSA-5100: nbd
* DSA-5101: libphp-adodb
* DSA-5102: haproxy
* DSA-5103: openssl
* DSA-5104: chromium
* DSA-5105: bind9
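The two tables above (package with reason and CVE ids, and advisory ID with package) are the raw material for a quick "does this point release matter for my hosts" check. The script below is an added example, not Debian's own tooling and not part of the announcement: it parses a few rows written in the shape of those tables, extracts the CVE ids per package and the DSA ids per package, and reports which of a host's installed source packages received a CVE fix or have an advisory. The installed-package list is a constructed stand-in for what `dpkg-query -W -f '${source:Package}\n' | sort -u` prints on a real host.

```python
"""Cross-reference a Debian point-release announcement against a host's
installed source packages. Added example, not Debian's tooling.
"""
import re
import shutil
import subprocess
from typing import Dict, List

# Rows in the shape of the announcement's package table (package, then
# reason; CVE ids in square brackets; a colon after the name is tolerated).
POINT_RELEASE_NOTES = """\
* apache2 New upstream release; fix crash due to random memory read [CVE-2022-22719]; fix HTTP request smuggling issue [CVE-2022-22720]; fix out-of-bounds write issues [CVE-2022-22721 CVE-2022-23943]
* base-files Update for the 11.3 point release
* glibc: Fix bad conversion from ISO-2022-JP-3 with iconv [CVE-2021-43396]; fix buffer overflow issues [CVE-2022-23218 CVE-2022-23219]; fix use-after-free issue [CVE-2021-33574]
* libxml2 Fix use-after-free issue [CVE-2022-23308]
* xterm Fix buffer overflow issue [CVE-2022-24130]
"""

# Rows in the shape of the announcement's advisory table.
DSA_NOTES = """\
* DSA-5035 apache2
* DSA-5073 expat
* DSA-5085 expat
* DSA-5103 openssl
* DSA-5105 bind9
"""

# Constructed: source package names installed on a hypothetical host
# (what `dpkg-query -W -f '${source:Package}\n' | sort -u` would print).
INSTALLED = """\
apache2
base-files
bind9
glibc
libxml2
openssl
vim
"""

ROW_RE = re.compile(r"^\*\s+(?P<pkg>\S+?):?\s+(?P<reason>.*)$")
DSA_RE = re.compile(r"^\*\s+(?P<dsa>DSA-\d+):?\s+(?P<pkg>\S+)\s*$")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def parse_point_release(text: str) -> Dict[str, List[str]]:
    """Map package -> CVE ids in order of appearance (empty list when the row has none)."""
    fixes: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        cves: List[str] = []
        for cve in CVE_RE.findall(m.group("reason")):
            if cve not in cves:          # a CVE may be mentioned twice in one reason
                cves.append(cve)
        fixes[m.group("pkg")] = cves
    return fixes


def parse_dsas(text: str) -> Dict[str, List[str]]:
    """Map package -> DSA ids; a package can carry several advisories."""
    dsas: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = DSA_RE.match(line.strip())
        if m:
            dsas.setdefault(m.group("pkg"), []).append(m.group("dsa"))
    return dsas


def report(installed_text: str, fixes: Dict[str, List[str]],
           dsas: Dict[str, List[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Installed packages that got at least one CVE fix or one DSA in this release."""
    out: Dict[str, Dict[str, List[str]]] = {}
    for pkg in sorted(set(installed_text.split())):
        cves, advisories = fixes.get(pkg, []), dsas.get(pkg, [])
        if cves or advisories:
            out[pkg] = {"cves": cves, "dsas": advisories}
    return out


def installed_source_packages() -> str:
    """Use the real dpkg database when dpkg-query exists, else the constructed list."""
    if shutil.which("dpkg-query"):
        return subprocess.run(["dpkg-query", "-W", "-f", "${source:Package}\n"],
                              capture_output=True, text=True, check=True).stdout
    return INSTALLED


if __name__ == "__main__":
    found = report(installed_source_packages(),
                   parse_point_release(POINT_RELEASE_NOTES), parse_dsas(DSA_NOTES))
    for pkg, info in found.items():
        print(f"{pkg}: CVEs={info['cves'] or '-'} DSAs={info['dsas'] or '-'}")
```

On a real host the full tables from the announcement would replace the sample rows; the binary-to-source mapping matters because the tables list source packages (glibc, not libc6), which is why the dpkg-query call asks for `${source:Package}`.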
Removed packages from Debian 11 “bullseye”
The following packages were removed from Debian 11 due to circumstances beyond our control (package name, followed by the reason):
* angular-maven-plugin: No longer useful
* minify-maven-plugin: No longer useful