
[SUA 221-1] Upcoming Debian 10 Update (10.13)



----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 221-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
September 5th, 2022
----------------------------------------------------------------------------

Upcoming Debian 10 Update (10.13)

The final point release for Debian 10 is scheduled for Saturday, September
10th, 2022. As of now it will include the following bug fixes. They can be
found in "buster-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "buster-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.


Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following
packages:

  Package                    Reason
  -------                    ------

  adminer                    Fix open redirect issue, cross-site scripting
                             issues [CVE-2020-35572 CVE-2021-29625];
                             elasticsearch: Do not print response if HTTP
                             code is not 200 [CVE-2021-21311]; provide a
                             compiled version and configuration files

  apache2                    Fix denial of service issue [CVE-2022-22719],
                             HTTP request smuggling issue [CVE-2022-22720],
                             integer overflow issue [CVE-2022-22721], out-
                             of-bounds write issue [CVE-2022-23943], HTTP
                             request smuggling issue [CVE-2022-26377], out-
                             of-bounds read issues [CVE-2022-28614
                             CVE-2022-28615], denial of service issue
                             [CVE-2022-29404], out-of-bounds read issue
                             [CVE-2022-30556], possible IP-based
                             authentication bypass issue [CVE-2022-31813]

  base-files                 Update for the 10.13 point release

  cargo-mozilla              New upstream version to support building of
                             newer firefox-esr and thunderbird versions 

  clamav                     New upstream stable release; security fixes
                             [CVE-2022-20770 CVE-2022-20771 CVE-2022-20785
                             CVE-2022-20792 CVE-2022-20796]

  commons-daemon             Fix JVM detection

  composer                   Fix code injection vulnerability
                             [CVE-2022-24828]; update GitHub token pattern;
                             use Authorization header instead of deprecated
                             access_token query parameter

  debian-security-support    Update security status of various packages

  debootstrap                Ensure non-merged-usr chroots can continue to
                             be created for older releases and buildd
                             chroots

  distro-info-data           Add Ubuntu 22.04 LTS, Jammy Jellyfish and
                             Ubuntu 22.10, Kinetic Kudu

  dropbear                   Fix possible username enumeration issue
                             [CVE-2019-12953]

  eboard                     Fix segfault on engine selection

  esorex                     Fix testsuite failures on armhf and ppc64el
                             caused by incorrect libffi usage

  evemu                      Fix build failure with recent kernel versions

  feature-check              Fix some version comparisons

  flac                       Fix out-of-bounds write issue [CVE-2021-0561]

  foxtrotgps                 Fix build failure with newer imagemagick
                             versions

  freeradius                 Fix side-channel leak where 1 in 2048
                             handshakes fail [CVE-2019-13456], denial of
                             service issue due to multithreaded BN_CTX
                             access [CVE-2019-17185], crash due to non-
                             thread safe memory allocation

  freetype                   Fix buffer overflow issue [CVE-2022-27404]; fix
                             crashes [CVE-2022-27405 CVE-2022-27406]

  fribidi                    Fix buffer overflow issues [CVE-2022-25308
                             CVE-2022-25309]; fix crash [CVE-2022-25310]

  ftgl                       Don't try to convert PNG to EPS for latex, as
                             our imagemagick has EPS disabled for security
                             reasons

  gif2apng                   Fix heap-based buffer overflows [CVE-2021-45909
                             CVE-2021-45910 CVE-2021-45911]

  gnucash                    Fix build failure with recent tzdata

  gnutls28                   Fix test suite when combined with OpenSSL
                             1.1.1e or newer

  golang-github-docker-go-   Skip tests that use expired certificates
    connections
    
  golang-github-pkg-term     Fix building on newer 4.19 kernels

  golang-github-             Fix NULL pointer dereference issue
    russellhaering-goxmldsig [CVE-2020-7711]

  grub-efi-amd64-signed      New upstream release

  grub-efi-arm64-signed      New upstream release

  grub-efi-ia32-signed       New upstream release

  grub2                      New upstream release

  htmldoc                    Fix infinite loop [CVE-2022-24191], integer
                             overflow issues [CVE-2022-27114] and heap
                             buffer overflow issue [CVE-2022-28085]

  iptables-netflow           Fix DKMS build failure regression caused by
                             Linux upstream changes in the 4.19.191 kernel

  isync                      Fix buffer overflow issues [CVE-2021-3657]

  kannel                     Fix build failure by disabling generation of
                             Postscript documentation

  krb5                       Use SHA256 as Pkinit CMS Digest

  libapache2-mod-auth-       Improve validation of the post-logout URL
    openidc                  parameter on logout [CVE-2019-14857]

  libdatetime-timezone-perl  Update included data

  libhttp-cookiejar-perl     Fix build failure by increasing the expiry date
                             of a test cookie

  libnet-freedb-perl         Change the default host from the defunct
                             freedb.freedb.org to gnudb.gnudb.org

  libnet-ssleay-perl         Fix test failures with OpenSSL 1.1.1n

  librose-db-object-perl     Fix test failure after 6/6/2020

  librsvg                    Fix denial of service via "billion laughs"
                             attack [CVE-2019-20446] 

  libvirt-php                Fix segmentation fault in
                             libvirt_node_get_cpu_stats

  llvm-toolchain-13          New source package to support building of newer
                             firefox-esr and thunderbird versions

  minidlna                   Validate HTTP requests to protect against DNS
                             rebinding attacks [CVE-2022-26505]

  mokutil                    New upstream version, to allow for SBAT
                             management

  mutt                       Fix uudecode buffer overflow [CVE-2022-1328]

  node-ejs                   Sanitize options and new objects
                             [CVE-2022-29078]

  node-end-of-stream         Work around test bug

  node-minimist              Fix prototype pollution issue [CVE-2021-44906]

  node-node-forge            Fix signature verification issues
                             [CVE-2022-24771 CVE-2022-24772 CVE-2022-24773]

  node-require-from-string   Fix test for nodejs >= 10.16

  nvidia-graphics-drivers    New upstream release

  nvidia-graphics-drivers-   New upstream release; fix out-of-bound write
    legacy-390xx             issues [CVE-2022-28181 CVE-2022-28185];
                             security fixes [CVE-2022-31607 CVE-2022-31608
                             CVE-2022-31615]

  octavia                    Fix client certificate checks [CVE-2019-17134];
                             correctly detect that the agent is running on
                             Debian; fix template that generates vrrp check
                             script; add additional runtime dependencies;
                             ship additional configuration directly in the
                             agent package

  orca                       Fix use with WebKitGTK 2.36

  pacemaker                  Update relationship versions to fix upgrades
                             from stretch LTS

  pglogical                  Fix build failure

  php-guzzlehttp-psr7        Fix improper header parsing [CVE-2022-24775]

  postfix                    New upstream stable release; do not override
                             user set default_transport; if-up.d: do not
                             error out if postfix can't send mail yet; fix
                             duplicate bounce_notice_recipient entries in
                             postconf output

  postgresql-common          pg_virtualenv: Write temporary password file
                             before chowning the file

  postsrsd                   Fix potential denial of service issue when
                             Postfix sends certain long data fields such as
                             multiple concatenated email addresses
                             [CVE-2021-35525]

  procmail                   Fix NULL pointer dereference

  publicsuffix               Update included data

  python-keystoneauth1       Update tests to fix build failure

  python-scrapy              Don't send authentication data with all
                             requests [CVE-2021-41125]; don't expose cookies
                             cross-domain when redirecting [CVE-2022-0577]

  python-udatetime           Properly link against libm library

  qtbase-opensource-src      Fix setTabOrder for compound widgets; add an
                             expansion limit for XML entities
                             [CVE-2015-9541]

  ruby-activeldap            Add missing dependency on ruby-builder

  ruby-hiredis               Skip some unreliable tests in order to fix
                             build failure

  ruby-http-parser.rb        Fix build failure when using http-parser
                             containing the fix for CVE-2019-15605

  ruby-riddle                Allow use of "LOAD DATA LOCAL INFILE"

  rust-cbindgen              New upstream version to support building of
                             newer firefox-esr and thunderbird versions

  rustc-mozilla              New upstream version to support building of
                             newer firefox-esr and thunderbird versions 

  sctk                       Use "pdftoppm" instead of "convert" to convert
                             PDF to JPEG as the latter fails with the
                             changed security policy of ImageMagick

  shim                       New upstream release

  shim-helpers-amd64-signed  New upstream release

  shim-helpers-arm64-signed  New upstream release

  shim-helpers-i386-signed   New upstream release

  twisted                    Fix incorrect URI and HTTP method validation
                             issue [CVE-2019-12387], incorrect certificate
                             validation in XMPP support [CVE-2019-12855],
                             HTTP/2 denial of service issues [CVE-2019-9511
                             CVE-2019-9514 CVE-2019-9515], HTTP request
                             smuggling issues [CVE-2020-10108 CVE-2020-10109
                             CVE-2022-24801], information disclosure issue
                             when following cross-domain redirects
                             [CVE-2022-21712], denial of service issue
                             during SSH handshake [CVE-2022-21716]

  tzdata                     Update timezone data for Chile, Iran and
                             Palestine; update leap second list

  ublock-origin              New upstream stable release

  unrar-nonfree              Fix directory traversal issue [CVE-2022-30333]

  wireshark                  Fix remote code execution issue
                             [CVE-2021-22191], denial of service issues
                             [CVE-2021-4181 CVE-2021-4184 CVE-2021-4185
                             CVE-2022-0581 CVE-2022-0582 CVE-2022-0583
                             CVE-2022-0585 CVE-2022-0586]


A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/oldstable.html>


Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

  Package                    Reason
  -------                    ------

  elog                       Unmaintained; security issues

  libnet-amazon-perl         Depends on removed API


If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".

Attachment: signature.asc
Description: This is a digitally signed message part
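The table in the announcement lists source packages and the CVE identifiers each fix carries, and the point is to check it against what is actually installed before the point release lands. The script below is an added example, not part of the announcement or of Debian's own tooling. It parses the two-column "Package / Reason" layout used in SUA mails (including package names that wrap onto a second, more deeply indented line, such as golang-github-russellhaering-goxmldsig), extracts the CVE ids from the reason text, and reports which announced source packages are present on a host. The table excerpt and the package list embedded in it are constructed for the example, and the versions shown are illustrative; the three-column shape assumed for the installed list is what `dpkg-query -W -f='${source:Package} ${binary:Package} ${Version}\n'` prints on a real system.

```python
"""Cross-check a Debian SUA package table against installed packages.

Added example (not part of SUA 221-1 or of Debian's tooling). The table
layout assumed is the one used in SUA mails: package names start at two
spaces of indent, the reason column starts under the word "Reason" in the
header, and a long package name wraps onto a following line with deeper
indent. The table ends at the first line that returns to column 0.
"""
import re
from dataclasses import dataclass, field

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed excerpt of the SUA 221-1 table, same layout as the mail.
SAMPLE_TABLE = """\
  Package                    Reason
  -------                    ------

  apache2                    Fix denial of service issue [CVE-2022-22719],
                             HTTP request smuggling issue [CVE-2022-22720]

  base-files                 Update for the 10.13 point release

  golang-github-             Fix NULL pointer dereference issue
    russellhaering-goxmldsig [CVE-2020-7711]

  node-minimist              Fix prototype pollution issue [CVE-2021-44906]
"""

# Constructed output in the shape of
#   dpkg-query -W -f='${source:Package} ${binary:Package} ${Version}\n'
# (source package first, because the SUA table names source packages).
# Versions are illustrative only.
SAMPLE_INSTALLED = """\
apache2 apache2 2.4.38-3+deb10u7
apache2 apache2-bin 2.4.38-3+deb10u7
base-files base-files 10.3+deb10u12
glibc libc6 2.28-10+deb10u1
node-minimist node-minimist 1.2.0-1+deb10u1
"""


@dataclass
class SuaEntry:
    """One row of the announcement table."""
    name: str
    reason: str
    cves: list = field(default_factory=list)


def parse_sua_table(text: str) -> list:
    """Return the rows of the first 'Package / Reason' table in `text`."""
    entries = []
    reason_col = None
    name_parts, reason_parts = [], []

    def flush():
        if name_parts:
            reason = " ".join(reason_parts)
            entries.append(SuaEntry("".join(name_parts), reason, CVE_RE.findall(reason)))
            name_parts.clear()
            reason_parts.clear()

    for line in text.splitlines():
        if reason_col is None:
            if line.strip().startswith("Package") and "Reason" in line:
                reason_col = line.index("Reason")   # column where reasons start
            continue                                # nothing before the header is data
        if line.strip() and not line.startswith(" "):
            break                                   # back at column 0: table is over
        if not line.strip() or set(line.replace(" ", "")) == {"-"}:
            continue                                # blank spacer or '-------' underline
        name_part = line[:reason_col].strip()
        reason_part = line[reason_col:].strip()
        if name_part:
            if line.startswith("  ") and not line.startswith("   "):
                flush()                             # two-space indent: a new package row
            name_parts.append(name_part)            # deeper indent: wrapped package name
        if reason_part:
            reason_parts.append(reason_part)
    flush()
    return entries


def parse_installed(text: str) -> dict:
    """Map source package -> [(binary package, version)]."""
    installed = {}
    for line in text.splitlines():
        if line.strip():
            source, binary, version = line.split()
            installed.setdefault(source, []).append((binary, version))
    return installed


def affected(entries: list, installed: dict) -> list:
    """Announced rows whose source package is installed, as (source, binaries, cves)."""
    return [
        (e.name, [b for b, _ in installed[e.name]], e.cves)
        for e in entries
        if e.name in installed
    ]


if __name__ == "__main__":
    rows = parse_sua_table(SAMPLE_TABLE)
    for name, binaries, cves in affected(rows, parse_installed(SAMPLE_INSTALLED)):
        print(f"{name:<24} {', '.join(binaries):<24} {' '.join(cves) or '(no CVE listed)'}")
```

Matching has to go through the source package name: the table says "apache2" and "base-files", while a host carries binaries like apache2-bin or libc6 (source glibc), so a naive comparison against `dpkg -l` output would miss or misattribute rows. Keep in mind, as the mail itself says, that fixes published through security.debian.org are not in this table, so an empty result here does not mean a host is up to date; it only tells you which of the proposed-updates changes will land on it.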