------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 10: 10.7 released                        press@debian.org
December 5th, 2020             https://www.debian.org/News/2020/20201205
------------------------------------------------------------------------

The Debian project is pleased to announce the seventh update of its
stable distribution Debian 10 (codename "buster"). This point release
mainly adds corrections for security issues, along with a few
adjustments for serious problems. Security advisories have already been
published separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 10 but only updates some of the packages included. There is no
need to throw away old "buster" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors.
A comprehensive list of mirrors is available at:

  https://www.debian.org/mirror/list


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

+-------------------------+-------------------------------------------+
| Package                 | Reason                                    |
+-------------------------+-------------------------------------------+
| base-files [1]          | Update for the point release              |
|                         |                                           |
| choose-mirror [2]       | Update mirror list                        |
|                         |                                           |
| cups [3]                | Fix 'printer-alert' invalid free          |
|                         |                                           |
| dav4tbsync [4]          | New upstream release, compatible with     |
|                         | newer Thunderbird versions                |
|                         |                                           |
| debian-installer [5]    | Use 4.19.0-13 Linux kernel ABI; add grub2 |
|                         | to Built-Using                            |
|                         |                                           |
| debian-installer-       | Rebuild against proposed-updates          |
| netboot-images [6]      |                                           |
|                         |                                           |
| distro-info-data [7]    | Add Ubuntu 21.04, Hirsute Hippo           |
|                         |                                           |
| dpdk [8]                | New upstream stable release; fix remote   |
|                         | code execution issue [CVE-2020-14374],    |
|                         | TOCTOU issues [CVE-2020-14375], buffer    |
|                         | overflow [CVE-2020-14376], buffer over    |
|                         | read [CVE-2020-14377] and integer         |
|                         | underflow [CVE-2020-14377]; fix armhf     |
|                         | build with NEON                           |
|                         |                                           |
| eas4tbsync [9]          | New upstream release, compatible with     |
|                         | newer Thunderbird versions                |
|                         |                                           |
| edk2 [10]               | Fix integer overflow in                   |
|                         | DxeImageVerificationHandler [CVE-2019-    |
|                         | 14562]                                    |
|                         |                                           |
| efivar [11]             | Add support for nvme-fabrics and nvme-    |
|                         | subsystem devices; fix uninitialized      |
|                         | variable in parse_acpi_root, avoiding     |
|                         | possible segfault                         |
|                         |                                           |
| enigmail [12]           | Introduce migration assistant to          |
|                         | Thunderbird's built-in GPG support        |
|                         |                                           |
| espeak [13]             | Fix using espeak with mbrola-fr4 when     |
|                         | mbrola-fr1 is not installed               |
|                         |                                           |
| fastd [14]              | Fix memory leak when receiving too many   |
|                         | invalid packets [CVE-2020-27638]          |
|                         |                                           |
| fish [15]               | Ensure TTY options are restored on exit   |
|                         |                                           |
| freecol [16]            | Fix XML External Entity vulnerability     |
|                         | [CVE-2018-1000825]                        |
|                         |                                           |
| gajim-omemo [17]        | Use 12-byte IV, for better compatibility  |
|                         | with iOS clients                          |
|                         |                                           |
| glances [18]            | Listen only on localhost by default       |
|                         |                                           |
| iptables-               | Don't force-load kernel modules; improve  |
| persistent [19]         | rule flushing logic                       |
|                         |                                           |
| lacme [20]              | Use upstream certificate chain instead of |
|                         | an hardcoded one, easing support for new  |
|                         | Let's Encrypt root and intermediate       |
|                         | certificates                              |
|                         |                                           |
| libdatetime-timezone-   | Update included data to tzdata 2020d      |
| perl [21]               |                                           |
|                         |                                           |
| libimobiledevice [22]   | Add partial support for iOS 14            |
|                         |                                           |
| libjpeg-turbo [23]      | Fix denial of service [CVE-2018-1152],    |
|                         | buffer over read [CVE-2018-14498],        |
|                         | possible remote code execution [CVE-2019- |
|                         | 2201], buffer over read [CVE-2020-13790]  |
|                         |                                           |
| libxml2 [24]            | Fix denial of service [CVE-2017-18258],   |
|                         | NULL pointer dereference [CVE-2018-       |
|                         | 14404], infinite loop [CVE-2018-14567],   |
|                         | memory leak [CVE-2019-19956 CVE-2019-     |
|                         | 20388], infinite loop [CVE-2020-7595]     |
|                         |                                           |
| linux [25]              | New upstream stable release               |
|                         |                                           |
| linux-latest [26]       | Update for 4.19.0-13 kernel ABI           |
|                         |                                           |
| linux-signed-amd64 [27] | New upstream stable release               |
|                         |                                           |
| linux-signed-arm64 [28] | New upstream stable release               |
|                         |                                           |
| linux-signed-i386 [29]  | New upstream stable release               |
|                         |                                           |
| lmod [30]               | Change architecture to "any" - required   |
|                         | due to LUA_PATH and LUA_CPATH being       |
|                         | determined at build time                  |
|                         |                                           |
| mariadb-10.3 [31]       | New upstream stable release; security     |
|                         | fixes [CVE-2020-14765 CVE-2020-14776      |
|                         | CVE-2020-14789 CVE-2020-14812 CVE-2020-   |
|                         | 28912]                                    |
|                         |                                           |
| mutt [32]               | Ensure IMAP connection is closed after a  |
|                         | connection error [CVE-2020-28896]         |
|                         |                                           |
| neomutt [33]            | Ensure IMAP connection is closed after a  |
|                         | connection error [CVE-2020-28896]         |
|                         |                                           |
| node-object-path [34]   | Fix prototype pollution in set()          |
|                         | [CVE-2020-15256]                          |
|                         |                                           |
| node-pathval [35]       | Fix prototype pollution [CVE-2020-7751]   |
|                         |                                           |
| okular [36]             | Fix code execution via action link        |
|                         | [CVE-2020-9359]                           |
|                         |                                           |
| openjdk-11 [37]         | New upstream release; fix JVM crash       |
|                         |                                           |
| partman-auto [38]       | Increase /boot sizes in most recipes to   |
|                         | between 512 and 768M, to better handle    |
|                         | kernel ABI changes and larger             |
|                         | initramfses; cap RAM size as used for     |
|                         | swap partition calculations, resolving    |
|                         | issues on machines with more RAM than     |
|                         | disk space                                |
|                         |                                           |
| pcaudiolib [39]         | Cap cancellation latency to 10ms          |
|                         |                                           |
| plinth [40]             | Apache: Disable mod_status [CVE-2020-     |
|                         | 25073]                                    |
|                         |                                           |
| puma [41]               | Fix HTTP injection and HTTP smuggling     |
|                         | issues [CVE-2020-5247 CVE-2020-5249       |
|                         | CVE-2020-11076 CVE-2020-11077]            |
|                         |                                           |
| ros-ros-comm [42]       | Fix integer overflow [CVE-2020-16124]     |
|                         |                                           |
| ruby2.5 [43]            | Fix potential HTTP request smuggling      |
|                         | vulnerability in WEBrick [CVE-2020-25613] |
|                         |                                           |
| sleuthkit [44]          | Fix stack buffer overflow in              |
|                         | yaffsfs_istat [CVE-2020-10232]            |
|                         |                                           |
| sqlite3 [45]            | Fix division by zero [CVE-2019-16168],    |
|                         | NULL pointer dereference [CVE-2019-       |
|                         | 19923], mishandling of NULL pathname      |
|                         | during an update of a ZIP archive         |
|                         | [CVE-2019-19925], mishandling of embedded |
|                         | NULs in filenames [CVE-2019-19959],       |
|                         | possible crash (unwinding WITH stack)     |
|                         | [CVE-2019-20218], integer overflow        |
|                         | [CVE-2020-13434], segmentation fault      |
|                         | [CVE-2020-13435], use-after-free issue    |
|                         | [CVE-2020-13630], NULL pointer            |
|                         | dereference [CVE-2020-13632], heap        |
|                         | overflow [CVE-2020-15358]                 |
|                         |                                           |
| systemd [46]            | Basic/cap-list: parse/print numerical     |
|                         | capabilities; recognise new capabilities  |
|                         | from Linux kernel 5.8; networkd: do not   |
|                         | generate MAC for bridge device            |
|                         |                                           |
| tbsync [47]             | New upstream release, compatible with     |
|                         | newer Thunderbird versions                |
|                         |                                           |
| tcpdump [48]            | Fix untrusted input issue in the PPP      |
|                         | printer [CVE-2020-8037]                   |
|                         |                                           |
| tigervnc [49]           | Properly store certificate exceptions in  |
|                         | native and java VNC viewer [CVE-2020-     |
|                         | 26117]                                    |
|                         |                                           |
| tor [50]                | New upstream stable release; multiple     |
|                         | security, usability, portability, and     |
|                         | reliability fixes                         |
|                         |                                           |
| transmission [51]       | Fix memory leak                           |
|                         |                                           |
| tzdata [52]             | New upstream release                      |
|                         |                                           |
| ublock-origin [53]      | New upstream version; split plugin to     |
|                         | browser-specific packages                 |
|                         |                                           |
| vips [54]               | Fix use of uninitialised variable         |
|                         | [CVE-2020-20739]                          |
|                         |                                           |
+-------------------------+-------------------------------------------+

    1: https://packages.debian.org/src:base-files
    2: https://packages.debian.org/src:choose-mirror
    3: https://packages.debian.org/src:cups
    4: https://packages.debian.org/src:dav4tbsync
    5: https://packages.debian.org/src:debian-installer
    6: https://packages.debian.org/src:debian-installer-netboot-images
    7: https://packages.debian.org/src:distro-info-data
    8: https://packages.debian.org/src:dpdk
    9: https://packages.debian.org/src:eas4tbsync
   10: https://packages.debian.org/src:edk2
   11: https://packages.debian.org/src:efivar
   12: https://packages.debian.org/src:enigmail
   13: https://packages.debian.org/src:espeak
   14: https://packages.debian.org/src:fastd
   15: https://packages.debian.org/src:fish
   16: https://packages.debian.org/src:freecol
   17: https://packages.debian.org/src:gajim-omemo
   18: https://packages.debian.org/src:glances
   19: https://packages.debian.org/src:iptables-persistent
   20: https://packages.debian.org/src:lacme
   21: https://packages.debian.org/src:libdatetime-timezone-perl
   22: https://packages.debian.org/src:libimobiledevice
   23: https://packages.debian.org/src:libjpeg-turbo
   24: https://packages.debian.org/src:libxml2
   25: https://packages.debian.org/src:linux
   26: https://packages.debian.org/src:linux-latest
   27: https://packages.debian.org/src:linux-signed-amd64
   28: https://packages.debian.org/src:linux-signed-arm64
   29: https://packages.debian.org/src:linux-signed-i386
   30: https://packages.debian.org/src:lmod
   31: https://packages.debian.org/src:mariadb-10.3
   32: https://packages.debian.org/src:mutt
   33: https://packages.debian.org/src:neomutt
   34: https://packages.debian.org/src:node-object-path
   35: https://packages.debian.org/src:node-pathval
   36: https://packages.debian.org/src:okular
   37: https://packages.debian.org/src:openjdk-11
   38: https://packages.debian.org/src:partman-auto
   39: https://packages.debian.org/src:pcaudiolib
   40: https://packages.debian.org/src:plinth
   41: https://packages.debian.org/src:puma
   42: https://packages.debian.org/src:ros-ros-comm
   43: https://packages.debian.org/src:ruby2.5
   44: https://packages.debian.org/src:sleuthkit
   45: https://packages.debian.org/src:sqlite3
   46: https://packages.debian.org/src:systemd
   47: https://packages.debian.org/src:tbsync
   48: https://packages.debian.org/src:tcpdump
   49: https://packages.debian.org/src:tigervnc
   50: https://packages.debian.org/src:tor
   51: https://packages.debian.org/src:transmission
   52: https://packages.debian.org/src:tzdata
   53: https://packages.debian.org/src:ublock-origin
   54: https://packages.debian.org/src:vips


Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+----------------+----------------------------+
| Advisory ID    | Package                    |
+----------------+----------------------------+
| DSA-4766 [55]  | rails [56]                 |
|                |                            |
| DSA-4767 [57]  | mediawiki [58]             |
|                |                            |
| DSA-4768 [59]  | firefox-esr [60]           |
|                |                            |
| DSA-4769 [61]  | xen [62]                   |
|                |                            |
| DSA-4770 [63]  | thunderbird [64]           |
|                |                            |
| DSA-4771 [65]  | spice [66]                 |
|                |                            |
| DSA-4772 [67]  | httpcomponents-client [68] |
|                |                            |
| DSA-4773 [69]  | yaws [70]                  |
|                |                            |
| DSA-4774 [71]  | linux-latest [72]          |
|                |                            |
| DSA-4774 [73]  | linux-signed-amd64 [74]    |
|                |                            |
| DSA-4774 [75]  | linux-signed-arm64 [76]    |
|                |                            |
| DSA-4774 [77]  | linux-signed-i386 [78]     |
|                |                            |
| DSA-4774 [79]  | linux [80]                 |
|                |                            |
| DSA-4775 [81]  | python-flask-cors [82]     |
|                |                            |
| DSA-4776 [83]  | mariadb-10.3 [84]          |
|                |                            |
| DSA-4777 [85]  | freetype [86]              |
|                |                            |
| DSA-4778 [87]  | firefox-esr [88]           |
|                |                            |
| DSA-4779 [89]  | openjdk-11 [90]            |
|                |                            |
| DSA-4780 [91]  | thunderbird [92]           |
|                |                            |
| DSA-4781 [93]  | blueman [94]               |
|                |                            |
| DSA-4782 [95]  | openldap [96]              |
|                |                            |
| DSA-4783 [97]  | sddm [98]                  |
|                |                            |
| DSA-4784 [99]  | wordpress [100]            |
|                |                            |
| DSA-4785 [101] | raptor2 [102]              |
|                |                            |
| DSA-4786 [103] | libexif [104]              |
|                |                            |
| DSA-4787 [105] | moin [106]                 |
|                |                            |
| DSA-4788 [107] | firefox-esr [108]          |
|                |                            |
| DSA-4789 [109] | codemirror-js [110]        |
|                |                            |
| DSA-4790 [111] | thunderbird [112]          |
|                |                            |
| DSA-4791 [113] | pacemaker [114]            |
|                |                            |
| DSA-4792 [115] | openldap [116]             |
|                |                            |
| DSA-4793 [117] | firefox-esr [118]          |
|                |                            |
| DSA-4794 [119] | mupdf [120]                |
|                |                            |
| DSA-4795 [121] | krb5 [122]                 |
|                |                            |
| DSA-4796 [123] | thunderbird [124]          |
|                |                            |
| DSA-4798 [125] | spip [126]                 |
|                |                            |
| DSA-4799 [127] | x11vnc [128]               |
|                |                            |
| DSA-4800 [129] | libproxy [130]             |
|                |                            |
+----------------+----------------------------+

   55: https://www.debian.org/security/2020/dsa-4766
   56: https://packages.debian.org/src:rails
   57: https://www.debian.org/security/2020/dsa-4767
   58: https://packages.debian.org/src:mediawiki
   59: https://www.debian.org/security/2020/dsa-4768
   60: https://packages.debian.org/src:firefox-esr
   61: https://www.debian.org/security/2020/dsa-4769
   62: https://packages.debian.org/src:xen
   63: https://www.debian.org/security/2020/dsa-4770
   64: https://packages.debian.org/src:thunderbird
   65: https://www.debian.org/security/2020/dsa-4771
   66: https://packages.debian.org/src:spice
   67: https://www.debian.org/security/2020/dsa-4772
   68: https://packages.debian.org/src:httpcomponents-client
   69: https://www.debian.org/security/2020/dsa-4773
   70: https://packages.debian.org/src:yaws
   71: https://www.debian.org/security/2020/dsa-4774
   72: https://packages.debian.org/src:linux-latest
   73: https://www.debian.org/security/2020/dsa-4774
   74: https://packages.debian.org/src:linux-signed-amd64
   75: https://www.debian.org/security/2020/dsa-4774
   76: https://packages.debian.org/src:linux-signed-arm64
   77: https://www.debian.org/security/2020/dsa-4774
   78: https://packages.debian.org/src:linux-signed-i386
   79: https://www.debian.org/security/2020/dsa-4774
   80: https://packages.debian.org/src:linux
   81: https://www.debian.org/security/2020/dsa-4775
   82: https://packages.debian.org/src:python-flask-cors
   83: https://www.debian.org/security/2020/dsa-4776
   84: https://packages.debian.org/src:mariadb-10.3
   85: https://www.debian.org/security/2020/dsa-4777
   86: https://packages.debian.org/src:freetype
   87: https://www.debian.org/security/2020/dsa-4778
   88: https://packages.debian.org/src:firefox-esr
   89: https://www.debian.org/security/2020/dsa-4779
   90: https://packages.debian.org/src:openjdk-11
   91: https://www.debian.org/security/2020/dsa-4780
   92: https://packages.debian.org/src:thunderbird
   93: https://www.debian.org/security/2020/dsa-4781
   94: https://packages.debian.org/src:blueman
   95: https://www.debian.org/security/2020/dsa-4782
   96: https://packages.debian.org/src:openldap
   97: https://www.debian.org/security/2020/dsa-4783
   98: https://packages.debian.org/src:sddm
   99: https://www.debian.org/security/2020/dsa-4784
  100: https://packages.debian.org/src:wordpress
  101: https://www.debian.org/security/2020/dsa-4785
  102: https://packages.debian.org/src:raptor2
  103: https://www.debian.org/security/2020/dsa-4786
  104: https://packages.debian.org/src:libexif
  105: https://www.debian.org/security/2020/dsa-4787
  106: https://packages.debian.org/src:moin
  107: https://www.debian.org/security/2020/dsa-4788
  108: https://packages.debian.org/src:firefox-esr
  109: https://www.debian.org/security/2020/dsa-4789
  110: https://packages.debian.org/src:codemirror-js
  111: https://www.debian.org/security/2020/dsa-4790
  112: https://packages.debian.org/src:thunderbird
  113: https://www.debian.org/security/2020/dsa-4791
  114: https://packages.debian.org/src:pacemaker
  115: https://www.debian.org/security/2020/dsa-4792
  116: https://packages.debian.org/src:openldap
  117: https://www.debian.org/security/2020/dsa-4793
  118: https://packages.debian.org/src:firefox-esr
  119: https://www.debian.org/security/2020/dsa-4794
  120: https://packages.debian.org/src:mupdf
  121: https://www.debian.org/security/2020/dsa-4795
  122: https://packages.debian.org/src:krb5
  123: https://www.debian.org/security/2020/dsa-4796
  124: https://packages.debian.org/src:thunderbird
  125: https://www.debian.org/security/2020/dsa-4798
  126: https://packages.debian.org/src:spip
  127: https://www.debian.org/security/2020/dsa-4799
  128: https://packages.debian.org/src:x11vnc
  129: https://www.debian.org/security/2020/dsa-4800
  130: https://packages.debian.org/src:libproxy


Removed packages
----------------

The following packages were removed due to circumstances beyond our
control:

+-------------------------+--------------------------------------------+
| Package                 | Reason                                     |
+-------------------------+--------------------------------------------+
| freshplayerplugin [131] | Unsupported by browsers; discontinued      |
|                         | upstream                                   |
|                         |                                            |
| nostalgy [132]          | Incompatible with newer Thunderbird        |
|                         | versions                                   |
|                         |                                            |
| sieve-extension [133]   | Incompatible with newer Thunderbird        |
|                         | versions                                   |
|                         |                                            |
+-------------------------+--------------------------------------------+

  131: https://packages.debian.org/src:freshplayerplugin
  132: https://packages.debian.org/src:nostalgy
  133: https://packages.debian.org/src:sieve-extension


Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.


URLs
----

The complete lists of packages that have changed with this revision:

  http://ftp.debian.org/debian/dists/buster/ChangeLog

The current stable distribution:

  http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

  http://ftp.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

  https://www.debian.org/releases/stable/

Security announcements and information:

  https://www.debian.org/security/


About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.


Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.