Upgrade Debian from bullseye to bookworm 12.4

what

Upgrade Debian bullseye 11 to bookworm 12.4
Switch from netcat to netcat-openbsd because bookworm repo forces a choice
Convert syslog-ng.conf to 3.38
Address some vulnerabilities

Image	Total	Unk	Low	Medium	High	Critical
geodesic/debian:buster	1254	0	806	178	259	11
geodesic/debian:bookworm	738	1	481	173	80	3

Findings according to trivy image Version: 0.49.1 VulnDB 2 2024-02-11 06:13:14.955337702 +0000 UTC

Unknown introduced is CVE-2024-24860 "A race condition was found in the Linux kernel's bluetooth" which has not yet been rated

why

Remove 9, adds 1 security vulnerabilities rated as Critical
Remove 208 security vulnerabilities, added 19 new vulnerabilities rated as High
Remove 5 Medium and 325 Low vulnerabilities - stats per trivy image

references

915 prepares for, and is included in, this PR; apply #915 first, and update this PR as needed

critical vulnerabilities removed/discovered in the update image

+/-	CVE Number	Software	Vulnerability Summary
+	CVE-2023-5841	libopenexr-3-1-30	OpenEXR: Heap Overflow in Scanline Deep Data Parsing
-	CVE-2023-23914	curl	curl: HSTS ignored on multiple requests
-	CVE-2023-23914	libcurl3-gnutls	curl: HSTS ignored on multiple requests
-	CVE-2023-23914	libcurl4	curl: HSTS ignored on multiple requests
-	CVE-2019-8457	libdb5.3	heap out-of-bound read in function rtreenode()
-	CVE-2021-29921	libpython3.9	python-ipaddress: Improper input validation of octal strings
-	CVE-2021-29921	libpython3.9-minimal	python-ipaddress: Improper input validation of octal strings
-	CVE-2021-29921	libpython3.9-stdlib	python-ipaddress: Improper input validation of octal strings
-	CVE-2021-29921	python3.9	python-ipaddress: Improper input validation of octal strings
-	CVE-2021-29921	python3.9-minimal	python-ipaddress: Improper input validation of octal strings

high vulnerabilities removed/discovered in the update image

+/-	CVE Number	Software	Vulnerability Summary
-	CVE-2015-20107	libpython3.9	python: mailcap: findmatch() function does not sanitize the
-	CVE-2015-20107	libpython3.9-minimal	python: mailcap: findmatch() function does not sanitize the
-	CVE-2015-20107	libpython3.9-stdlib	python: mailcap: findmatch() function does not sanitize the
-	CVE-2015-20107	python3.9	python: mailcap: findmatch() function does not sanitize the
-	CVE-2015-20107	python3.9-minimal	python: mailcap: findmatch() function does not sanitize the
-	CVE-2020-10735		python: int() type in PyLong_FromString() does not limit
-	CVE-2020-10735		python: int() type in PyLong_FromString() does not limit
-	CVE-2020-10735		python: int() type in PyLong_FromString() does not limit
-	CVE-2020-10735		python: int() type in PyLong_FromString() does not limit
-	CVE-2020-10735		python: int() type in PyLong_FromString() does not limit
-	CVE-2020-16156	libperl5.32	perl-CPAN: Bypass of verification of signatures in CHECKSUMS
-	CVE-2020-16156	perl	perl-CPAN: Bypass of verification of signatures in CHECKSUMS
-	CVE-2020-16156	perl-base	perl-CPAN: Bypass of verification of signatures in CHECKSUMS
-	CVE-2020-16156	perl-modules-5.32	perl-CPAN: Bypass of verification of signatures in CHECKSUMS
-	CVE-2020-19861	ldnsutils	ldns: Heap out-of-bound read vulnerability in
-	CVE-2020-19861	libldns3	ldns: Heap out-of-bound read vulnerability in
-	CVE-2020-22218	libssh2-1	libssh2: use-of-uninitialized-value in
-	CVE-2021-20312	imagemagick	ImageMagick: Integer overflow in WriteTHUMBNAILImage of
-	CVE-2021-20312	imagemagick-6-common	ImageMagick: Integer overflow in WriteTHUMBNAILImage of
-	CVE-2021-20312	imagemagick-6.q16	ImageMagick: Integer overflow in WriteTHUMBNAILImage of
-	CVE-2021-20312	libmagickcore-6.q16-6	ImageMagick: Integer overflow in WriteTHUMBNAILImage of
-	CVE-2021-20312	libmagickcore-6.q16-6-extra	ImageMagick: Integer overflow in WriteTHUMBNAILImage of
-	CVE-2021-20312	libmagickwand-6.q16-6	ImageMagick: Integer overflow in WriteTHUMBNAILImage of
-	CVE-2021-20313		ImageMagick: Cipher leak when the calculating signatures in
-	CVE-2021-20313		ImageMagick: Cipher leak when the calculating signatures in
-	CVE-2021-20313		ImageMagick: Cipher leak when the calculating signatures in
-	CVE-2021-20313		ImageMagick: Cipher leak when the calculating signatures in
-	CVE-2021-20313		ImageMagick: Cipher leak when the calculating signatures in
-	CVE-2021-20313		ImageMagick: Cipher leak when the calculating signatures in
-	CVE-2021-31239	libsqlite3-0	sqlite: denial of service via the appendvfs.c function
-	CVE-2021-32050	libbson-1.0-0	Some MongoDB Drivers may erroneously publish events
-	CVE-2021-32050	libmongoc-1.0-0	Some MongoDB Drivers may erroneously publish events
-	CVE-2021-33560	libgcrypt20	mishandles ElGamal encryption because it lacks exponent
-	CVE-2021-3737		HTTP client possible infinite loop on a 100 Continue
-	CVE-2021-3737		HTTP client possible infinite loop on a 100 Continue
-	CVE-2021-3737		HTTP client possible infinite loop on a 100 Continue
-	CVE-2021-3737		HTTP client possible infinite loop on a 100 Continue
-	CVE-2021-3737		HTTP client possible infinite loop on a 100 Continue
-	CVE-2021-38371	exim4-base	The STARTTLS feature in Exim through 4.94.2 allows response
-	CVE-2021-38371	exim4-config	The STARTTLS feature in Exim through 4.94.2 allows response
-	CVE-2021-38371	exim4-daemon-light	The STARTTLS feature in Exim through 4.94.2 allows response
-	CVE-2021-3872	vim	vim: heap-based buffer overflow in win_redr_status() in
-	CVE-2021-3872	vim-common	vim: heap-based buffer overflow in win_redr_status() in
-	CVE-2021-3872	vim-runtime	vim: heap-based buffer overflow in win_redr_status() in
-	CVE-2021-3872	xxd	vim: heap-based buffer overflow in win_redr_status() in
-	CVE-2021-4019		vim: heap-based buffer overflow in find_help_tags() in
-	CVE-2021-4019		vim: heap-based buffer overflow in find_help_tags() in
-	CVE-2021-4019		vim: heap-based buffer overflow in find_help_tags() in
-	CVE-2021-4019		vim: heap-based buffer overflow in find_help_tags() in
-	CVE-2021-40211		ImageMagick: Division by zero in ReadEnhMetaFile lead to DoS
-	CVE-2021-40211		ImageMagick: Division by zero in ReadEnhMetaFile lead to DoS
-	CVE-2021-40211		ImageMagick: Division by zero in ReadEnhMetaFile lead to DoS
-	CVE-2021-40211		ImageMagick: Division by zero in ReadEnhMetaFile lead to DoS
-	CVE-2021-40211		ImageMagick: Division by zero in ReadEnhMetaFile lead to DoS
-	CVE-2021-40211		ImageMagick: Division by zero in ReadEnhMetaFile lead to DoS
-	CVE-2021-4173		use-after-free with nested :def function
-	CVE-2021-4173		use-after-free with nested :def function
-	CVE-2021-4173		use-after-free with nested :def function
-	CVE-2021-4173		use-after-free with nested :def function
-	CVE-2021-4187		use-after-free vulnerability
-	CVE-2021-4187		use-after-free vulnerability
-	CVE-2021-4187		use-after-free vulnerability
-	CVE-2021-4187		use-after-free vulnerability
-	CVE-2022-0261		vim: Heap-based buffer overflow in block_insert() in
-	CVE-2022-0261		vim: Heap-based buffer overflow in block_insert() in
-	CVE-2022-0261		vim: Heap-based buffer overflow in block_insert() in
-	CVE-2022-0261		vim: Heap-based buffer overflow in block_insert() in
-	CVE-2022-0351		vim: access of memory location before start of buffer
-	CVE-2022-0351		vim: access of memory location before start of buffer
-	CVE-2022-0351		vim: access of memory location before start of buffer
-	CVE-2022-0351		vim: access of memory location before start of buffer
-	CVE-2022-0359		vim: Heap-based buffer overflow in init_ccline() in
-	CVE-2022-0359		vim: Heap-based buffer overflow in init_ccline() in
-	CVE-2022-0359		vim: Heap-based buffer overflow in init_ccline() in
-	CVE-2022-0359		vim: Heap-based buffer overflow in init_ccline() in
-	CVE-2022-0361		vim: Illegal memory access when copying lines in visual mode
-	CVE-2022-0361		vim: Illegal memory access when copying lines in visual mode
-	CVE-2022-0361		vim: Illegal memory access when copying lines in visual mode
-	CVE-2022-0361		vim: Illegal memory access when copying lines in visual mode
-	CVE-2022-0391		python: urllib.parse does not sanitize URLs containing ASCII
-	CVE-2022-0391		python: urllib.parse does not sanitize URLs containing ASCII
-	CVE-2022-0391		python: urllib.parse does not sanitize URLs containing ASCII
-	CVE-2022-0391		python: urllib.parse does not sanitize URLs containing ASCII
-	CVE-2022-0391		python: urllib.parse does not sanitize URLs containing ASCII
-	CVE-2022-0392		vim: Heap-based buffer overflow in getexmodeline() in
-	CVE-2022-0392		vim: Heap-based buffer overflow in getexmodeline() in
-	CVE-2022-0392		vim: Heap-based buffer overflow in getexmodeline() in
-	CVE-2022-0392		vim: Heap-based buffer overflow in getexmodeline() in
-	CVE-2022-0417		heap-based-buffer-overflow in ex_retab() of src/indent.c
-	CVE-2022-0417		heap-based-buffer-overflow in ex_retab() of src/indent.c
-	CVE-2022-0417		heap-based-buffer-overflow in ex_retab() of src/indent.c
-	CVE-2022-0417		heap-based-buffer-overflow in ex_retab() of src/indent.c
-	CVE-2022-0572		heap overflow in ex_retab() may lead to crash
-	CVE-2022-0572		heap overflow in ex_retab() may lead to crash
-	CVE-2022-0572		heap overflow in ex_retab() may lead to crash
-	CVE-2022-0572		heap overflow in ex_retab() may lead to crash
-	CVE-2022-1304	e2fsprogs	e2fsprogs: out-of-bounds read/write via crafted filesystem
-	CVE-2022-1304	libcom-err2	e2fsprogs: out-of-bounds read/write via crafted filesystem
-	CVE-2022-1304	libext2fs2	e2fsprogs: out-of-bounds read/write via crafted filesystem
-	CVE-2022-1304	libss2	e2fsprogs: out-of-bounds read/write via crafted filesystem
-	CVE-2022-1304	logsave	e2fsprogs: out-of-bounds read/write via crafted filesystem
-	CVE-2022-1616		vim: heap-buffer-overflow in append_command of
-	CVE-2022-1616		vim: heap-buffer-overflow in append_command of
-	CVE-2022-1616		vim: heap-buffer-overflow in append_command of
-	CVE-2022-1616		vim: heap-buffer-overflow in append_command of
-	CVE-2022-1785		vim: Out-of-bounds Write
-	CVE-2022-1785		vim: Out-of-bounds Write
-	CVE-2022-1785		vim: Out-of-bounds Write
-	CVE-2022-1785		vim: Out-of-bounds Write
-	CVE-2022-1897		vim: out-of-bounds write in vim_regsub_both() in regexp.c
-	CVE-2022-1897		vim: out-of-bounds write in vim_regsub_both() in regexp.c
-	CVE-2022-1897		vim: out-of-bounds write in vim_regsub_both() in regexp.c
-	CVE-2022-1897		vim: out-of-bounds write in vim_regsub_both() in regexp.c
-	CVE-2022-1942		vim: out of bounds write in vim_regsub_both()
-	CVE-2022-1942		vim: out of bounds write in vim_regsub_both()
-	CVE-2022-1942		vim: out of bounds write in vim_regsub_both()
-	CVE-2022-1942		vim: out of bounds write in vim_regsub_both()
-	CVE-2022-2000		vim: out-of-bounds write in function append_command
-	CVE-2022-2000		vim: out-of-bounds write in function append_command
-	CVE-2022-2000		vim: out-of-bounds write in function append_command
-	CVE-2022-2000		vim: out-of-bounds write in function append_command
-	CVE-2022-2129		out of bounds write in vim_regsub_both()
-	CVE-2022-2129		out of bounds write in vim_regsub_both()
-	CVE-2022-2129		out of bounds write in vim_regsub_both()
-	CVE-2022-2129		out of bounds write in vim_regsub_both()
-	CVE-2022-2304		stack buffer overflow in spell_dump_compl() at spell.c
-	CVE-2022-2304		stack buffer overflow in spell_dump_compl() at spell.c
-	CVE-2022-2304		stack buffer overflow in spell_dump_compl() at spell.c
-	CVE-2022-2304		stack buffer overflow in spell_dump_compl() at spell.c
-	CVE-2022-2309	libxml2	lxml: NULL Pointer Dereference in lxml
-	CVE-2022-2881	bind9-dnsutils	bind: buffer overread in statistics channel code
-	CVE-2022-2881	dnsutils	bind: buffer overread in statistics channel code
-	CVE-2022-3099		Use After Free in do_cmdline() in ex_docmd.c
-	CVE-2022-3099		Use After Free in do_cmdline() in ex_docmd.c
-	CVE-2022-3099		Use After Free in do_cmdline() in ex_docmd.c
-	CVE-2022-3099		Use After Free in do_cmdline() in ex_docmd.c
-	CVE-2022-3134		heap use-after-free in do_tag() at src/tag.c
-	CVE-2022-3134		heap use-after-free in do_tag() at src/tag.c
-	CVE-2022-3134		heap use-after-free in do_tag() at src/tag.c
-	CVE-2022-3134		heap use-after-free in do_tag() at src/tag.c
-	CVE-2022-32547		ImageMagick: load of misaligned address at
-	CVE-2022-32547		ImageMagick: load of misaligned address at
-	CVE-2022-32547		ImageMagick: load of misaligned address at
-	CVE-2022-32547		ImageMagick: load of misaligned address at
-	CVE-2022-32547		ImageMagick: load of misaligned address at
-	CVE-2022-32547		ImageMagick: load of misaligned address at
-	CVE-2022-3324		stack buffer overflow in win_redr_ruler() at drawscreen.c
-	CVE-2022-3324		stack buffer overflow in win_redr_ruler() at drawscreen.c
-	CVE-2022-3324		stack buffer overflow in win_redr_ruler() at drawscreen.c
-	CVE-2022-3324		stack buffer overflow in win_redr_ruler() at drawscreen.c
-	CVE-2022-3534	libbpf0	Kernel: use-after-free in btf_dump_name_dups in
-	CVE-2022-3559		A vulnerability was found in Exim and classified as
-	CVE-2022-3559		A vulnerability was found in Exim and classified as
-	CVE-2022-3559		A vulnerability was found in Exim and classified as
-	CVE-2022-39377	sysstat	arithmetic overflow in allocate_structures() on 32 bit
-	CVE-2022-4141		invalid memory access in substitute with function
-	CVE-2022-4141		invalid memory access in substitute with function
-	CVE-2022-4141		invalid memory access in substitute with function
-	CVE-2022-4141		invalid memory access in substitute with function
-	CVE-2022-42916	curl	HSTS bypass via IDN
-	CVE-2022-42916	libcurl3-gnutls	HSTS bypass via IDN
-	CVE-2022-42916	libcurl4	HSTS bypass via IDN
-	CVE-2022-42919		local privilege escalation via the multiprocessing
-	CVE-2022-42919		local privilege escalation via the multiprocessing
-	CVE-2022-42919		local privilege escalation via the multiprocessing
-	CVE-2022-42919		local privilege escalation via the multiprocessing
-	CVE-2022-42919		local privilege escalation via the multiprocessing
-	CVE-2022-43551		curl: HSTS bypass via IDN
-	CVE-2022-43551		curl: HSTS bypass via IDN
-	CVE-2022-43551		curl: HSTS bypass via IDN
-	CVE-2022-45061		python: CPU denial of service via inefficient IDNA decoder
-	CVE-2022-45061		python: CPU denial of service via inefficient IDNA decoder
-	CVE-2022-45061		python: CPU denial of service via inefficient IDNA decoder
-	CVE-2022-45061		python: CPU denial of service via inefficient IDNA decoder
-	CVE-2022-45061		python: CPU denial of service via inefficient IDNA decoder
-	CVE-2022-4899	libzstd1	zstd: mysql: buffer overrun in util.c
-	CVE-2023-0054		out-of-bounds write in do_string_sub() in eval.c
-	CVE-2023-0054		out-of-bounds write in do_string_sub() in eval.c
-	CVE-2023-0054		out-of-bounds write in do_string_sub() in eval.c
-	CVE-2023-0054		out-of-bounds write in do_string_sub() in eval.c
-	CVE-2023-0996	libheif1	There is a vulnerability in the strided image data parsing
-	CVE-2023-2603	libcap2	libcap: Integer Overflow in _libcap_strdup()
-	CVE-2023-2603	libpam-cap	libcap: Integer Overflow in _libcap_strdup()
-	CVE-2023-28617	emacs-bin-common	emacs: command injection vulnerability in org-mode
-	CVE-2023-42117		Improper Neutralization of Special Elements Remote Code
-	CVE-2023-42117		Improper Neutralization of Special Elements Remote Code
-	CVE-2023-42117		Improper Neutralization of Special Elements Remote Code
-	CVE-2024-0567	libgnutls-dane0	gnutls: rejects certificate chain with distributed trust
+	CVE-2013-7445	linux-libc-dev	kernel: memory exhaustion via crafted Graphics Execution
+	CVE-2019-19449		kernel: mounting a crafted f2fs filesystem image can lead to
+	CVE-2019-19814		kernel: out-of-bounds write in __remove_dirty_segment in
+	CVE-2021-3847		low-privileged user privileges escalation
+	CVE-2021-3864		descendant's dumpable setting with certain SUID binaries
+	CVE-2023-2176		kernel: Slab-out-of-bound read in compare_netdev_and_ip
+	CVE-2023-33204	sysstat	sysstat: check_overflow() function can work incorrectly that
+	CVE-2023-3640		Kernel: x86/mm: a per-cpu entry area leak was identified
+	CVE-2023-39616	libaom3	AOMedia v3.0.0 to v3.5.0 was discovered to contain an
+	CVE-2023-41105		python: file path truncation at \0 characters
+	CVE-2023-41105		python: file path truncation at \0 characters
+	CVE-2023-41105		python: file path truncation at \0 characters
+	CVE-2023-41105		python: file path truncation at \0 characters
+	CVE-2023-41105		python: file path truncation at \0 characters
+	CVE-2023-6270		kernel: AoE: improper reference count leads to
+	CVE-2024-0841		kernel: hugetlbfs: Null pointer dereference in
+	CVE-2024-21803		kernel: bluetooth: use-after-free vulnerability in
+	CVE-2024-23307		Integer Overflow or Wraparound vulnerability in Linux Linux

cloudposse / geodesic

Upgrade Debian from bullseye to bookworm 12.4 #916

what

why

references

915 prepares for, and is included in, this PR; apply #915 first, and update this PR as needed

critical vulnerabilities removed/discovered in the update image

high vulnerabilities removed/discovered in the update image