------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 10: 10.2 released                        press@debian.org
November 16th, 2019            https://www.debian.org/News/2019/20191116
------------------------------------------------------------------------

The Debian project is pleased to announce the second update of its
stable distribution Debian 10 (codename "buster"). This point release
mainly adds corrections for security issues, along with a few
adjustments for serious problems. Security advisories have already been
published separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 10 but only updates some of the packages included. There is no
need to throw away old "buster" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors.
A comprehensive list of mirrors is available at:

    https://www.debian.org/mirror/list


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

+---------------------------+-----------------------------------------+
| Package                   | Reason                                  |
+---------------------------+-----------------------------------------+
| aegisub [1]               | Fix crash when selecting a language     |
|                           | from the bottom of the "Spell checker   |
|                           | language" list; fix crash when          |
|                           | right-clicking in the subtitles text    |
|                           | box                                     |
|                           |                                         |
| akonadi [2]               | Fix various crashes / deadlock issues   |
|                           |                                         |
| base-files [3]            | Update /etc/debian_version for the      |
|                           | point release                           |
|                           |                                         |
| capistrano [4]            | Fix failure to remove old releases when |
|                           | there were too many                     |
|                           |                                         |
| cron [5]                  | Stop using obsolete SELinux API         |
|                           |                                         |
| cyrus-imapd [6]           | Fix data loss on upgrade from version   |
|                           | 3.0.0 or earlier                        |
|                           |                                         |
| debian-edu-config [7]     | Handle newer Firefox ESR configuration  |
|                           | files; add post-up stanza to            |
|                           | /etc/network/interfaces eth0 entry      |
|                           | conditionally                           |
|                           |                                         |
| debian-installer [8]      | Fix unreadable fonts on hidpi displays  |
|                           | in netboot images booted with EFI       |
|                           |                                         |
| debian-installer-netboot- | Rebuild against proposed-updates        |
| images [9]                |                                         |
|                           |                                         |
| distro-info-data [10]     | Add Ubuntu 20.04 LTS, Focal Fossa       |
|                           |                                         |
| dkimpy-milter [11]        | New upstream stable release; fix        |
|                           | sysvinit support; catch more ASCII      |
|                           | encoding errors to improve resilience   |
|                           | against bad data; fix message           |
|                           | extraction so that signing in the same  |
|                           | pass through the milter as verifying    |
|                           | works correctly                         |
|                           |                                         |
| emacs [12]                | Update the ELPA packaging key           |
|                           |                                         |
| fence-agents [13]         | Fix incomplete removal of fence_amt_ws  |
|                           |                                         |
| flatpak [14]              | New upstream stable release             |
|                           |                                         |
| flightcrew [15]           | Security fixes [CVE-2019-13032          |
|                           | CVE-2019-13241]                         |
|                           |                                         |
| fonts-noto-cjk [16]       | Fix over-aggressive font selection of   |
|                           | Noto CJK fonts in modern web browsers   |
|                           | under Chinese locale                    |
|                           |                                         |
| freetype [17]             | Properly handle phantom points for      |
|                           | variable hinted fonts                   |
|                           |                                         |
| gdb [18]                  | Rebuild against new libbabeltrace, with |
|                           | higher version number to avoid conflict |
|                           | with earlier upload                     |
|                           |                                         |
| glib2.0 [19]              | Ensure libdbus clients can authenticate |
|                           | with a GDBusServer like the one in ibus |
|                           |                                         |
| gnome-shell [20]          | New upstream stable release; fix        |
|                           | truncation of long messages in          |
|                           | Shell-modal dialogs; avoid crash on     |
|                           | reallocation of dead actors             |
|                           |                                         |
| gnome-sound-recorder [21] | Fix crash when selecting a recording    |
|                           |                                         |
| gnustep-base [22]         | Disable gdomap daemon that was          |
|                           | accidentally enabled on upgrades from   |
|                           | stretch                                 |
|                           |                                         |
| graphite-web [23]         | Remove unused "send_email" function     |
|                           | [CVE-2017-18638]; avoid hourly error in |
|                           | cron when there is no whisper database  |
|                           |                                         |
| inn2 [24]                 | Fix negotiation of DHE ciphersuites     |
|                           |                                         |
| libapache-mod-auth-       | Fix use after free bug leading to crash |
| kerb [25]                 |                                         |
|                           |                                         |
| libdate-holidays-de-      | Mark International Children's Day (Sep  |
| perl [26]                 | 20th) as a holiday in Thuringia from    |
|                           | 2019 onwards                            |
|                           |                                         |
| libdatetime-timezone-     | Update included data                    |
| perl [27]                 |                                         |
|                           |                                         |
| libofx [28]               | Fix null pointer dereference issue      |
|                           | [CVE-2019-9656]                         |
|                           |                                         |
| libreoffice [29]          | Fix the postgresql driver with          |
|                           | PostgreSQL 12                           |
|                           |                                         |
| libsixel [30]             | Fix several security issues             |
|                           | [CVE-2018-19756 CVE-2018-19757          |
|                           | CVE-2018-19759 CVE-2018-19761           |
|                           | CVE-2018-19762 CVE-2018-19763           |
|                           | CVE-2019-3573 CVE-2019-3574]            |
|                           |                                         |
| libxslt [31]              | Fix dangling pointer in xsltCopyText    |
|                           | [CVE-2019-18197]                        |
|                           |                                         |
| lucene-solr [32]          | Disable obsolete call to ContextHandler |
|                           | in solr-jetty9.xml; fix Jetty           |
|                           | permissions on SOLR index               |
|                           |                                         |
| mariadb-10.3 [33]         | New upstream stable release             |
|                           |                                         |
| modsecurity-crs [34]      | Fix PHP script upload rules             |
|                           | [CVE-2019-13464]                        |
|                           |                                         |
| mutter [35]               | New upstream stable release             |
|                           |                                         |
| ncurses [36]              | Fix several security issues             |
|                           | [CVE-2019-17594 CVE-2019-17595] and     |
|                           | other issues in tic                     |
|                           |                                         |
| ndppd [37]                | Avoid world writable PID file, that was |
|                           | breaking daemon init scripts            |
|                           |                                         |
| network-manager [38]      | Fix file permissions for                |
|                           | "/var/lib/NetworkManager/secret_key"    |
|                           | and /var/lib/NetworkManager             |
|                           |                                         |
| node-fstream [39]         | Fix arbitrary file overwrite issue      |
|                           | [CVE-2019-13173]                        |
|                           |                                         |
| node-set-value [40]       | Fix prototype pollution                 |
|                           | [CVE-2019-10747]                        |
|                           |                                         |
| node-yarnpkg [41]         | Force using HTTPS for regular           |
|                           | registries                              |
|                           |                                         |
| nx-libs [42]              | Fix regressions introduced in previous  |
|                           | upload, affecting x2go                  |
|                           |                                         |
| open-vm-tools [43]        | Fix memory leaks and error handling     |
|                           |                                         |
| openvswitch [44]          | Update debian/ifupdown.sh to allow      |
|                           | setting-up the MTU; fix Python          |
|                           | dependencies to use Python 3            |
|                           |                                         |
| picard [45]               | Update translations to fix crash with   |
|                           | Spanish locale                          |
|                           |                                         |
| plasma-applet-redshift-   | Fix manual mode when used with redshift |
| control [46]              | versions above 1.12                     |
|                           |                                         |
| postfix [47]              | New upstream stable release; work       |
|                           | around poor TCP loopback performance    |
|                           |                                         |
| python-cryptography [48]  | Fix test suite failures when built      |
|                           | against newer OpenSSL versions; fix a   |
|                           | memory leak triggerable when parsing    |
|                           | x509 certificate extensions like AIA    |
|                           |                                         |
| python-flask-rdf [49]     | Add Depends on python{3,}-rdflib        |
|                           |                                         |
| python-                   | New upstream stable release; fix switch |
| oslo.messaging [50]       | connection destination when a rabbitmq  |
|                           | cluster node disappears                 |
|                           |                                         |
| python-werkzeug [51]      | Ensure Docker containers have unique    |
|                           | debugger PINs [CVE-2019-14806]          |
|                           |                                         |
| python2.7 [52]            | Fix several security issues             |
|                           | [CVE-2018-20852 CVE-2019-10160          |
|                           | CVE-2019-16056 CVE-2019-16935           |
|                           | CVE-2019-9740 CVE-2019-9947]            |
|                           |                                         |
| quota [53]                | Fix rpc.rquotad spinning at 100% CPU    |
|                           |                                         |
| rpcbind [54]              | Allow remote calls to be enabled at     |
|                           | run-time                                |
|                           |                                         |
| shelldap [55]             | Repair SASL authentications, add a      |
|                           | 'sasluser' option                       |
|                           |                                         |
| sogo [56]                 | Fix display of PGP-signed e-mails       |
|                           |                                         |
| spf-engine [57]           | New upstream stable release; fix        |
|                           | sysvinit support                        |
|                           |                                         |
| standardskriver [58]      | Fix deprecation warning from            |
|                           | config.RawConfigParser; use external    |
|                           | "ip" command rather than deprecated     |
|                           | "ifconfig" command                      |
|                           |                                         |
| swi-prolog [59]           | Use HTTPS when contacting upstream pack |
|                           | servers                                 |
|                           |                                         |
| systemd [60]              | core: never propagate reload failure to |
|                           | service result; fix sync_file_range     |
|                           | failures in nspawn containers on arm,   |
|                           | ppc; fix RootDirectory not working when |
|                           | used in combination with User; ensure   |
|                           | that access controls on                 |
|                           | systemd-resolved's D-Bus interface are  |
|                           | enforced correctly [CVE-2019-15718];    |
|                           | fix StopWhenUnneeded=true for mount     |
|                           | units; make MountFlags=shared work      |
|                           | again                                   |
|                           |                                         |
| tmpreaper [61]            | Prevent breaking of systemd services    |
|                           | that use PrivateTmp=true                |
|                           |                                         |
| trapperkeeper-webserver-  | Restore SSL compatibility with newer    |
| jetty9-clojure [62]       | Jetty versions                          |
|                           |                                         |
| tzdata [63]               | New upstream release                    |
|                           |                                         |
| ublock-origin [64]        | New upstream version, compatible with   |
|                           | Firefox ESR68                           |
|                           |                                         |
| uim [65]                  | Resurrect libuim-data as a transitional |
|                           | package, fixing some issues after       |
|                           | upgrades to buster                      |
|                           |                                         |
| vanguards [66]            | New upstream stable release; prevent a  |
|                           | reload of tor's configuration via       |
|                           | SIGHUP causing a denial-of-service for  |
|                           | vanguards protections                   |
|                           |                                         |
+---------------------------+-----------------------------------------+

    1: https://packages.debian.org/src:aegisub
    2: https://packages.debian.org/src:akonadi
    3: https://packages.debian.org/src:base-files
    4: https://packages.debian.org/src:capistrano
    5: https://packages.debian.org/src:cron
    6: https://packages.debian.org/src:cyrus-imapd
    7: https://packages.debian.org/src:debian-edu-config
    8: https://packages.debian.org/src:debian-installer
    9: https://packages.debian.org/src:debian-installer-netboot-images
    10: https://packages.debian.org/src:distro-info-data
    11: https://packages.debian.org/src:dkimpy-milter
    12: https://packages.debian.org/src:emacs
    13: https://packages.debian.org/src:fence-agents
    14: https://packages.debian.org/src:flatpak
    15: https://packages.debian.org/src:flightcrew
    16: https://packages.debian.org/src:fonts-noto-cjk
    17: https://packages.debian.org/src:freetype
    18: https://packages.debian.org/src:gdb
    19: https://packages.debian.org/src:glib2.0
    20: https://packages.debian.org/src:gnome-shell
    21: https://packages.debian.org/src:gnome-sound-recorder
    22: https://packages.debian.org/src:gnustep-base
    23: https://packages.debian.org/src:graphite-web
    24: https://packages.debian.org/src:inn2
    25: https://packages.debian.org/src:libapache-mod-auth-kerb
    26: https://packages.debian.org/src:libdate-holidays-de-perl
    27: https://packages.debian.org/src:libdatetime-timezone-perl
    28: https://packages.debian.org/src:libofx
    29: https://packages.debian.org/src:libreoffice
    30: https://packages.debian.org/src:libsixel
    31: https://packages.debian.org/src:libxslt
    32: https://packages.debian.org/src:lucene-solr
    33: https://packages.debian.org/src:mariadb-10.3
    34: https://packages.debian.org/src:modsecurity-crs
    35: https://packages.debian.org/src:mutter
    36: https://packages.debian.org/src:ncurses
    37: https://packages.debian.org/src:ndppd
    38: https://packages.debian.org/src:network-manager
    39: https://packages.debian.org/src:node-fstream
    40: https://packages.debian.org/src:node-set-value
    41: https://packages.debian.org/src:node-yarnpkg
    42: https://packages.debian.org/src:nx-libs
    43: https://packages.debian.org/src:open-vm-tools
    44: https://packages.debian.org/src:openvswitch
    45: https://packages.debian.org/src:picard
    46: https://packages.debian.org/src:plasma-applet-redshift-control
    47: https://packages.debian.org/src:postfix
    48: https://packages.debian.org/src:python-cryptography
    49: https://packages.debian.org/src:python-flask-rdf
    50: https://packages.debian.org/src:python-oslo.messaging
    51: https://packages.debian.org/src:python-werkzeug
    52: https://packages.debian.org/src:python2.7
    53: https://packages.debian.org/src:quota
    54: https://packages.debian.org/src:rpcbind
    55: https://packages.debian.org/src:shelldap
    56: https://packages.debian.org/src:sogo
    57: https://packages.debian.org/src:spf-engine
    58: https://packages.debian.org/src:standardskriver
    59: https://packages.debian.org/src:swi-prolog
    60: https://packages.debian.org/src:systemd
    61: https://packages.debian.org/src:tmpreaper
    62: https://packages.debian.org/src:trapperkeeper-webserver-jetty9-clojure
    63: https://packages.debian.org/src:tzdata
    64: https://packages.debian.org/src:ublock-origin
    65: https://packages.debian.org/src:uim
    66: https://packages.debian.org/src:vanguards


Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+----------------+-----------------------------+
| Advisory ID    | Package                     |
+----------------+-----------------------------+
| DSA-4509 [67]  | apache2 [68]                |
|                |                             |
| DSA-4511 [69]  | nghttp2 [70]                |
|                |                             |
| DSA-4512 [71]  | qemu [72]                   |
|                |                             |
| DSA-4514 [73]  | varnish [74]                |
|                |                             |
| DSA-4515 [75]  | webkit2gtk [76]             |
|                |                             |
| DSA-4516 [77]  | firefox-esr [78]            |
|                |                             |
| DSA-4517 [79]  | exim4 [80]                  |
|                |                             |
| DSA-4518 [81]  | ghostscript [82]            |
|                |                             |
| DSA-4519 [83]  | libreoffice [84]            |
|                |                             |
| DSA-4520 [85]  | trafficserver [86]          |
|                |                             |
| DSA-4521 [87]  | docker.io [88]              |
|                |                             |
| DSA-4523 [89]  | thunderbird [90]            |
|                |                             |
| DSA-4524 [91]  | dino-im [92]                |
|                |                             |
| DSA-4525 [93]  | ibus [94]                   |
|                |                             |
| DSA-4526 [95]  | opendmarc [96]              |
|                |                             |
| DSA-4527 [97]  | php7.3 [98]                 |
|                |                             |
| DSA-4528 [99]  | bird [100]                  |
|                |                             |
| DSA-4530 [101] | expat [102]                 |
|                |                             |
| DSA-4531 [103] | linux-signed-amd64 [104]    |
|                |                             |
| DSA-4531 [105] | linux-signed-i386 [106]     |
|                |                             |
| DSA-4531 [107] | linux [108]                 |
|                |                             |
| DSA-4531 [109] | linux-signed-arm64 [110]    |
|                |                             |
| DSA-4532 [111] | spip [112]                  |
|                |                             |
| DSA-4533 [113] | lemonldap-ng [114]          |
|                |                             |
| DSA-4534 [115] | golang-1.11 [116]           |
|                |                             |
| DSA-4535 [117] | e2fsprogs [118]             |
|                |                             |
| DSA-4536 [119] | exim4 [120]                 |
|                |                             |
| DSA-4538 [121] | wpa [122]                   |
|                |                             |
| DSA-4539 [123] | openssl [124]               |
|                |                             |
| DSA-4539 [125] | openssh [126]               |
|                |                             |
| DSA-4541 [127] | libapreq2 [128]             |
|                |                             |
| DSA-4542 [129] | jackson-databind [130]      |
|                |                             |
| DSA-4543 [131] | sudo [132]                  |
|                |                             |
| DSA-4544 [133] | unbound [134]               |
|                |                             |
| DSA-4545 [135] | mediawiki [136]             |
|                |                             |
| DSA-4547 [137] | tcpdump [138]               |
|                |                             |
| DSA-4549 [139] | firefox-esr [140]           |
|                |                             |
| DSA-4550 [141] | file [142]                  |
|                |                             |
| DSA-4551 [143] | golang-1.11 [144]           |
|                |                             |
| DSA-4553 [145] | php7.3 [146]                |
|                |                             |
| DSA-4554 [147] | ruby-loofah [148]           |
|                |                             |
| DSA-4555 [149] | pam-python [150]            |
|                |                             |
| DSA-4556 [151] | qtbase-opensource-src [152] |
|                |                             |
| DSA-4557 [153] | libarchive [154]            |
|                |                             |
| DSA-4558 [155] | webkit2gtk [156]            |
|                |                             |
| DSA-4559 [157] | proftpd-dfsg [158]          |
|                |                             |
| DSA-4560 [159] | simplesamlphp [160]         |
|                |                             |
| DSA-4561 [161] | fribidi [162]               |
|                |                             |
| DSA-4562 [163] | chromium [164]              |
|                |                             |
+----------------+-----------------------------+

    67: https://www.debian.org/security/2019/dsa-4509
    68: https://packages.debian.org/src:apache2
    69: https://www.debian.org/security/2019/dsa-4511
    70: https://packages.debian.org/src:nghttp2
    71: https://www.debian.org/security/2019/dsa-4512
    72: https://packages.debian.org/src:qemu
    73: https://www.debian.org/security/2019/dsa-4514
    74: https://packages.debian.org/src:varnish
    75: https://www.debian.org/security/2019/dsa-4515
    76: https://packages.debian.org/src:webkit2gtk
    77: https://www.debian.org/security/2019/dsa-4516
    78: https://packages.debian.org/src:firefox-esr
    79: https://www.debian.org/security/2019/dsa-4517
    80: https://packages.debian.org/src:exim4
    81: https://www.debian.org/security/2019/dsa-4518
    82: https://packages.debian.org/src:ghostscript
    83: https://www.debian.org/security/2019/dsa-4519
    84: https://packages.debian.org/src:libreoffice
    85: https://www.debian.org/security/2019/dsa-4520
    86: https://packages.debian.org/src:trafficserver
    87: https://www.debian.org/security/2019/dsa-4521
    88: https://packages.debian.org/src:docker.io
    89: https://www.debian.org/security/2019/dsa-4523
    90: https://packages.debian.org/src:thunderbird
    91: https://www.debian.org/security/2019/dsa-4524
    92: https://packages.debian.org/src:dino-im
    93: https://www.debian.org/security/2019/dsa-4525
    94: https://packages.debian.org/src:ibus
    95: https://www.debian.org/security/2019/dsa-4526
    96: https://packages.debian.org/src:opendmarc
    97: https://www.debian.org/security/2019/dsa-4527
    98: https://packages.debian.org/src:php7.3
    99: https://www.debian.org/security/2019/dsa-4528
    100: https://packages.debian.org/src:bird
    101: https://www.debian.org/security/2019/dsa-4530
    102: https://packages.debian.org/src:expat
    103: https://www.debian.org/security/2019/dsa-4531
    104: https://packages.debian.org/src:linux-signed-amd64
    105: https://www.debian.org/security/2019/dsa-4531
    106: https://packages.debian.org/src:linux-signed-i386
    107: https://www.debian.org/security/2019/dsa-4531
    108: https://packages.debian.org/src:linux
    109: https://www.debian.org/security/2019/dsa-4531
    110: https://packages.debian.org/src:linux-signed-arm64
    111: https://www.debian.org/security/2019/dsa-4532
    112: https://packages.debian.org/src:spip
    113: https://www.debian.org/security/2019/dsa-4533
    114: https://packages.debian.org/src:lemonldap-ng
    115: https://www.debian.org/security/2019/dsa-4534
    116: https://packages.debian.org/src:golang-1.11
    117: https://www.debian.org/security/2019/dsa-4535
    118: https://packages.debian.org/src:e2fsprogs
    119: https://www.debian.org/security/2019/dsa-4536
    120: https://packages.debian.org/src:exim4
    121: https://www.debian.org/security/2019/dsa-4538
    122: https://packages.debian.org/src:wpa
    123: https://www.debian.org/security/2019/dsa-4539
    124: https://packages.debian.org/src:openssl
    125: https://www.debian.org/security/2019/dsa-4539
    126: https://packages.debian.org/src:openssh
    127: https://www.debian.org/security/2019/dsa-4541
    128: https://packages.debian.org/src:libapreq2
    129: https://www.debian.org/security/2019/dsa-4542
    130: https://packages.debian.org/src:jackson-databind
    131: https://www.debian.org/security/2019/dsa-4543
    132: https://packages.debian.org/src:sudo
    133: https://www.debian.org/security/2019/dsa-4544
    134: https://packages.debian.org/src:unbound
    135: https://www.debian.org/security/2019/dsa-4545
    136: https://packages.debian.org/src:mediawiki
    137: https://www.debian.org/security/2019/dsa-4547
    138: https://packages.debian.org/src:tcpdump
    139: https://www.debian.org/security/2019/dsa-4549
    140: https://packages.debian.org/src:firefox-esr
    141: https://www.debian.org/security/2019/dsa-4550
    142: https://packages.debian.org/src:file
    143: https://www.debian.org/security/2019/dsa-4551
    144: https://packages.debian.org/src:golang-1.11
    145: https://www.debian.org/security/2019/dsa-4553
    146: https://packages.debian.org/src:php7.3
    147: https://www.debian.org/security/2019/dsa-4554
    148: https://packages.debian.org/src:ruby-loofah
    149: https://www.debian.org/security/2019/dsa-4555
    150: https://packages.debian.org/src:pam-python
    151: https://www.debian.org/security/2019/dsa-4556
    152: https://packages.debian.org/src:qtbase-opensource-src
    153: https://www.debian.org/security/2019/dsa-4557
    154: https://packages.debian.org/src:libarchive
    155: https://www.debian.org/security/2019/dsa-4558
    156: https://packages.debian.org/src:webkit2gtk
    157: https://www.debian.org/security/2019/dsa-4559
    158: https://packages.debian.org/src:proftpd-dfsg
    159: https://www.debian.org/security/2019/dsa-4560
    160: https://packages.debian.org/src:simplesamlphp
    161: https://www.debian.org/security/2019/dsa-4561
    162: https://packages.debian.org/src:fribidi
    163: https://www.debian.org/security/2019/dsa-4562
    164: https://packages.debian.org/src:chromium


Removed packages
----------------

The following packages were removed due to circumstances beyond our
control:

+-------------------+--------------------------------------------------+
| Package           | Reason                                           |
+-------------------+--------------------------------------------------+
| firefox-esr [165] | [armel] No longer supportable due to nodejs      |
|                   | build-dependency                                 |
|                   |                                                  |
+-------------------+--------------------------------------------------+

    165: https://packages.debian.org/src:firefox-esr


Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.

URLs
----

The complete lists of packages that have changed with this revision:

    http://ftp.debian.org/debian/dists/buster/ChangeLog

The current stable distribution:

    http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

    http://ftp.debian.org/debian/dists/proposed-updates

Stable distribution information (release notes, errata etc.):

    https://www.debian.org/releases/stable/

Security announcements and information:

    https://www.debian.org/security/


About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.


Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.