Debian 11.7 Arrived with 100+ Security Updates and 90+ Bug Fixes
The Debian Project has made an announcement about the release of Debian 11.7, which is now publicly available. This release marks the seventh ISO update to the Bullseye series of Debian GNU/Linux 11. The update for Debian 11.7 has arrived more than four months after Debian 11.6.
With the latest installation media, users who want to install the Debian GNU/Linux 11 “Bullseye” operating system on new computers do not have to worry about downloading numerous updates from the repositories post-installation.
Debian 11.7: Security Updates and Bug Fixes
Debian 11.7 contains all security and software updates that have been released since December 17th, 2022 (Debian GNU/Linux 11.6 released) up to the present time. In total, Debian 11.7 has 102 security updates and miscellaneous bug fixes for 92 packages.
This stable update addresses eight denial-of-service issues:
A vulnerability was found in the Avahi package in versions 0.6 up to 0.8. The event that signals the end of a client connection on the Avahi Unix socket is not properly managed in the client_work function. This can result in an infinite loop when triggered by a local attacker. The highest risk associated with this flaw is the unresponsiveness of the Avahi service after the vulnerability is triggered.
A vulnerability was discovered in the c-ares package where the ares_set_sortlist function lacks proper checks for the validity of the input string, resulting in a possible arbitrary-length stack overflow. This flaw may also cause a denial of service or have a limited impact on confidentiality and integrity.
This vulnerability was found in the containerd package when importing an OCI image. Prior to versions 1.6.18 and 1.5.18, there was no limit on the number of bytes read for specific files when importing an OCI image. As a result, a maliciously crafted image containing a large file to which no limit was applied could cause a denial of service. This flaw has been fixed in containerd versions 1.6.18 and 1.5.18.
The package org.yaml:snakeyaml in versions from 0 and before 1.31 is vulnerable to Denial of Service (DoS), because the package lacks a nesting depth limitation for collections.
CVE-2022-38749, CVE-2022-38750, CVE-2022-38751
These flaws were also discovered in the snakeyaml package. SnakeYAML may be vulnerable to Denial of Service (DoS) attacks when used to parse untrusted YAML files. If the parser is processing user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
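As an added illustration of the mitigation side of the snakeyaml flaws above (this is not code from the Debian announcement or the snakeyaml project), the parser is constructed with an explicit nesting-depth limit so that deeply nested collections are rejected up front instead of recursing until the stack is exhausted. It assumes snakeyaml 1.31 or later, where `LoaderOptions.setNestingDepthLimit` is available, and the nested document is constructed inline.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

public class DepthLimitedYaml {
    // Constructed input: `depth` nested flow sequences around a scalar, e.g. [[[x]]]
    static String nested(int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.append('[');
        sb.append('x');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    public static void main(String[] args) {
        LoaderOptions opts = new LoaderOptions();
        // Reject any collection nested more than 20 levels deep; pick a value
        // that comfortably covers the documents the application legitimately accepts
        opts.setNestingDepthLimit(20);
        Yaml yaml = new Yaml(opts);

        // Within the limit: parsed as usual
        Object ok = yaml.load(nested(10));
        System.out.println("depth 10 parsed as " + ok.getClass().getSimpleName());

        // Beyond the limit: the loader raises a YAMLException instead of
        // descending through thousands of nested collections
        try {
            yaml.load(nested(5000));
            System.out.println("depth 5000 parsed (limit was not enforced)");
        } catch (YAMLException e) {
            System.out.println("depth 5000 rejected: " + e.getMessage());
        }
    }
}
```

The same limit should be applied wherever untrusted YAML is loaded, since the default `new Yaml()` constructor on older releases has no depth bound at all.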
An off-by-one error issue was discovered in systemd in the format_timespan() function of time-util.c. As a result, an attacker could supply specific values for time and accuracy that lead to a buffer overrun in format_timespan(), leading to a Denial of Service.
Visit the release announcement page for detailed information about all security updates and bug fixes.
Removed Packages in Debian 11.7
Some packages that have been removed in this update are:
- Bind-dyndb-ldap (Broken with newer bind9 versions)
- python-matrix-nio (Removed due to security issues)
- matrix-mirage (Depends on python-matrix-nio)
- pantalaimon (Depends on python-matrix-nio)
- weechat-matrix (Depends on python-matrix-nio)
Conclusion
The Debian Project claims that this Debian Bullseye point release simply updates a few of the included packages and does not represent a new version of Debian GNU/Linux 11. Hence, Debian 11.7 is a maintenance release that brings a significant number of bug fixes (92) and security updates (102).
For those who are looking ahead to Debian 12 “Bookworm”, it is set to be released on June 10th. This new version is expected to include a refreshed set of software in its repositories, as well as Linux kernel 6.1 LTS and ongoing support until 2028.
As a system administrator, it becomes crucial to maintain kernel security and ensure 100% uptime of the system. So, TuxCare offers a KernelCare Enterprise solution that can live patch all popular enterprise distributions, including CentOS, AlmaLinux, Debian, Ubuntu, Oracle Linux, Red Hat, and more.
Learn more about how KernelCare’s live patching works.
The sources for this article include a story from 9to5Linux.