Updated Debian 12: 12.7 released
August 31st, 2024
The Debian project is pleased to announce the seventh update of its
stable distribution Debian 12 (codename bookworm).
This point release mainly adds corrections for security issues,
along with a few adjustments for serious problems. Security advisories
have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian
12 but only updates some of the packages included. There is
no need to throw away old bookworm media. After installation,
packages can be upgraded to the current versions using an up-to-date Debian
mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Secure Boot and other operating systems
Users who boot other operating systems on the same hardware, and who have Secure Boot enabled, should be aware that shim 15.8 (included with Debian 12.7) records revocations of older shim versions in UEFI firmware variables. This may leave other operating systems that still use a shim older than 15.8 unable to boot.
Affected users can temporarily disable Secure Boot, update the other operating systems to a current shim, and then re-enable Secure Boot.
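shim enforces this with SBAT (Secure Boot Advanced Targeting) revocation data: every signed EFI binary carries a .sbat section of CSV records naming each component and its generation number, and shim stores the minimum accepted generation per component in the SbatLevel UEFI variable. An updated shim raising that minimum is what makes older shims from other distributions fail even though their Authenticode signatures remain valid. The Python below is an added illustration of that comparison, not code from Debian or the shim project; the SBAT records and policy it embeds are constructed for the example and the generation numbers are illustrative.

```python
"""Model of shim's SBAT revocation check (added example, not Debian or shim code).

An EFI binary's .sbat section holds CSV records:
  component_name,component_generation,vendor_name,vendor_package_name,vendor_version,vendor_url
The revocation policy shim keeps in the SbatLevel UEFI variable is a shorter CSV:
  component_name,minimum_generation          (first row: sbat,<gen>,<datestamp>)
A binary is refused when any of its components appears in the policy with a
generation lower than the policy's minimum. Components absent from the policy
are not constrained.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SbatEntry:
    component: str
    generation: int
    vendor_fields: tuple[str, ...]  # vendor_name, vendor_package_name, vendor_version, vendor_url


def _csv_rows(section: bytes) -> list[list[str]]:
    """Split a NUL-padded, newline-separated SBAT/SbatLevel blob into field lists."""
    rows = []
    for raw in section.rstrip(b"\x00").split(b"\n"):
        line = raw.strip()
        if not line:
            continue
        fields = line.decode("ascii").split(",")
        if len(fields) < 2 or not fields[1].isdigit():
            raise ValueError(f"malformed SBAT row: {line!r}")
        rows.append(fields)
    return rows


def parse_sbat(section: bytes) -> list[SbatEntry]:
    """Parse a binary's .sbat section into entries."""
    return [SbatEntry(f[0], int(f[1]), tuple(f[2:])) for f in _csv_rows(section)]


def parse_policy(policy: bytes) -> dict[str, int]:
    """Parse an SbatLevel-style policy into {component: minimum_generation}."""
    return {f[0]: int(f[1]) for f in _csv_rows(policy)}


def revoked_components(section: bytes, policy: bytes) -> list[tuple[str, int, int]]:
    """Return (component, generation_in_binary, minimum_required) for every violation."""
    minimum = parse_policy(policy)
    return [
        (e.component, e.generation, minimum[e.component])
        for e in parse_sbat(section)
        if e.component in minimum and e.generation < minimum[e.component]
    ]


def would_boot(section: bytes, policy: bytes) -> bool:
    """True if the SBAT check alone would let this binary run (signature checks are separate)."""
    return not revoked_components(section, policy)


# Constructed sample data modelled on the SBAT format; generation numbers and
# vendor rows are illustrative, not copied from any real shim build.
OLD_SHIM_SBAT = (
    b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    b"shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim\n"
    b"shim.example,1,Example Distro,shim,15.7-1,https://example.org/shim\n"
    b"\x00\x00"
)
NEW_SHIM_SBAT = (
    b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    b"shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim\n"
    b"shim.example,1,Example Distro,shim,15.8-1,https://example.org/shim\n"
)
# Constructed policy in the SbatLevel layout: header row, then component minimums.
SBAT_POLICY = b"sbat,1,2024010900\nshim,4\ngrub,3\n"

if __name__ == "__main__":
    for name, blob in (("old shim", OLD_SHIM_SBAT), ("new shim", NEW_SHIM_SBAT)):
        verdict = "boots" if would_boot(blob, SBAT_POLICY) else f"revoked: {revoked_components(blob, SBAT_POLICY)}"
        print(name, verdict)
```

On a running Debian system, `mokutil --sb-state` reports whether Secure Boot is enforced, and `objdump -s -j .sbat` on a shim binary (Debian installs the signed copy under /usr/lib/shim/) dumps the real records rather than the constructed ones above; the firmware-side minimums are the SbatLevel variable that shim writes. Disabling Secure Boot skips the comparison entirely, which is why the workaround above lets an older shim boot long enough to be updated.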
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
amd64-microcode | New upstream release; security fixes [CVE-2023-31315]; SEV firmware fixes [CVE-2023-20584 CVE-2023-31356] |
ansible | New upstream stable release; fix key leakage issue [CVE-2023-4237] |
ansible-core | New upstream stable release; fix information disclosure issue [CVE-2024-0690]; fix template injection issue [CVE-2023-5764]; fix path traversal issue [CVE-2023-5115] |
apache2 | New upstream stable release; fix content disclosure issue [CVE-2024-40725] |
base-files | Update for the point release |
cacti | Fix remote code execution issues [CVE-2024-25641 CVE-2024-31459], cross site scripting issues [CVE-2024-29894 CVE-2024-31443 CVE-2024-31444], SQL injection issues [CVE-2024-31445 CVE-2024-31458 CVE-2024-31460], type juggling issue [CVE-2024-34340]; fix autopkgtest failure |
calamares-settings-debian | Fix Xfce launcher permission issue |
calibre | Fix remote code execution issue [CVE-2024-6782], cross site scripting issue [CVE-2024-7008], SQL injection issue [CVE-2024-7009] |
choose-mirror | Update list of available mirrors |
cockpit | Fix denial of service issue [CVE-2024-6126] |
cups | Fix issues with domain socket handling [CVE-2024-35235] |
curl | Fix ASN.1 date parser overread issue [CVE-2024-7264] |
cyrus-imapd | Fix regression introduced in CVE-2024-34055 fix |
dcm2niix | Fix potential code execution issue [CVE-2024-27629] |
debian-installer | Increase Linux kernel ABI to 6.1.0-25; rebuild against proposed-updates |
debian-installer-netboot-images | Rebuild against proposed-updates |
dmitry | Security fixes [CVE-2024-31837 CVE-2020-14931 CVE-2017-7938] |
dropbear | Fix "noremotetcp" behaviour of keepalive packets in combination with the "no-port-forwarding" authorized_keys(5) restriction |
gettext.js | Fix server side request forgery issue [CVE-2024-43370] |
glibc | Fix freeing uninitialized memory in libc_freeres_fn(); fix several performance issues and possible crashes |
glogic | Require Gtk 3.0 and PangoCairo 1.0 |
graphviz | Fix broken scale |
gtk+2.0 | Avoid looking for modules in the current working directory [CVE-2024-6655] |
gtk+3.0 | Avoid looking for modules in the current working directory [CVE-2024-6655] |
imagemagick | Fix segmentation fault issue; fix incomplete fix for CVE-2023-34151 |
initramfs-tools | hook_functions: Fix copy_file with source including a directory symlink; hook-functions: copy_file: Canonicalise target filename; install hid-multitouch module for Surface Pro 4 Keyboard; add hyper-keyboard module, needed to enter LUKS password in Hyper-V; auto_add_modules: Add onboard_usb_hub, onboard_usb_dev |
intel-microcode | New upstream release; security fixes [CVE-2023-42667 CVE-2023-49141 CVE-2024-24853 CVE-2024-24980 CVE-2024-25939] |
ipmitool | Add missing enterprise-numbers.txt file |
libapache2-mod-auth-openidc | Avoid crash when the Forwarded header is not present but OIDCXForwardedHeaders is configured for it |
libnvme | Fix buffer overflow during scanning devices that do not support sub-4k reads |
libvirt | virsh: Make domif-setlink work more than once; qemu: domain: Fix logic when tainting domain; fix denial of service issues [CVE-2023-3750 CVE-2024-1441 CVE-2024-2494 CVE-2024-2496] |
linux | New upstream release; bump ABI to 25 |
linux-signed-amd64 | New upstream release; bump ABI to 25 |
linux-signed-arm64 | New upstream release; bump ABI to 25 |
linux-signed-i386 | New upstream release; bump ABI to 25 |
newlib | Fix buffer overflow issue [CVE-2021-3420] |
numpy | Conflict with python-numpy |
openssl | New upstream stable release; fix denial of service issues [CVE-2024-2511 CVE-2024-4603]; fix use after free issue [CVE-2024-4741] |
poe.app | Make comment cells editable; fix drawing when an NSActionCell in the preferences is acted on to change state |
putty | Fix weak ECDSA nonce generation allowing secret key recovery [CVE-2024-31497] |
qemu | New upstream stable release; fix denial of service issue [CVE-2024-4467] |
riemann-c-client | Prevent malformed payload in GnuTLS send/receive operations |
rustc-web | New upstream stable release, to support building new chromium and firefox-esr versions |
shim | New upstream release |
shim-helpers-amd64-signed | Rebuild against shim 15.8.1 |
shim-helpers-arm64-signed | Rebuild against shim 15.8.1 |
shim-helpers-i386-signed | Rebuild against shim 15.8.1 |
shim-signed | New upstream stable release |
systemd | New upstream stable release; update hwdb |
usb.ids | Update included data list |
xmedcon | Fix buffer overflow issue [CVE-2024-29421] |
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
bcachefs-tools | Buggy; obsolete |
Debian Installer
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
stable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <[email protected]>, or contact the stable release team at <[email protected]>.