------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 10: 10.11 released                       press@debian.org
October 9th, 2021            https://www.debian.org/News/2021/2021100902
------------------------------------------------------------------------

The Debian project is pleased to announce the eleventh update of its
oldstable distribution Debian 10 (codename "buster"). This point release
mainly adds corrections for security issues, along with a few
adjustments for serious problems. Security advisories have already been
published separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 10 but only updates some of the packages included. There is no
need to throw away old "buster" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors.
A comprehensive list of mirrors is available at:

  https://www.debian.org/mirror/list


Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following
packages:

+---------------------------+-----------------------------------------+
| Package                   | Reason                                  |
+---------------------------+-----------------------------------------+
| atftp [1]                 | Fix buffer overflow [CVE-2021-41054]    |
|                           |                                         |
| base-files [2]            | Update for the 10.11 point release      |
|                           |                                         |
| btrbk [3]                 | Fix arbitrary code execution issue      |
|                           | [CVE-2021-38173]                        |
|                           |                                         |
| clamav [4]                | New upstream stable release; fix        |
|                           | clamdscan segfaults when --fdpass and   |
|                           | --multipass are used together with      |
|                           | ExcludePath                             |
|                           |                                         |
| commons-io [5]            | Fix path traversal issue                |
|                           | [CVE-2021-29425]                        |
|                           |                                         |
| cyrus-imapd [6]           | Fix denial-of-service issue             |
|                           | [CVE-2021-33582]                        |
|                           |                                         |
| debconf [7]               | Check that whiptail or dialog is        |
|                           | actually usable                         |
|                           |                                         |
| debian-installer [8]      | Rebuild against                         |
|                           | buster-proposed-updates; update Linux   |
|                           | ABI to 4.19.0-18                        |
|                           |                                         |
| debian-installer-netboot- | Rebuild against buster-proposed-updates |
| images [9]                |                                         |
|                           |                                         |
| distcc [10]               | Fix GCC cross-compiler links in         |
|                           | update-distcc-symlinks and add support  |
|                           | for clang and CUDA (nvcc)               |
|                           |                                         |
| distro-info-data [11]     | Update included data for several        |
|                           | releases                                |
|                           |                                         |
| dwarf-fortress [12]       | Remove undistributable prebuilt shared  |
|                           | libraries from the source tarball       |
|                           |                                         |
| espeak-ng [13]            | Fix using espeak with mbrola-fr4 when   |
|                           | mbrola-fr1 is not installed             |
|                           |                                         |
| gcc-mingw-w64 [14]        | Fix gcov handling                       |
|                           |                                         |
| gthumb [15]               | Fix heap-based buffer overflow issue    |
|                           | [CVE-2019-20326]                        |
|                           |                                         |
| hg-git [16]               | Fix test failures with recent git       |
|                           | versions                                |
|                           |                                         |
| htslib [17]               | Fix autopkgtest on i386                 |
|                           |                                         |
| http-parser [18]          | Fix HTTP request smuggling issue        |
|                           | [CVE-2019-15605]                        |
|                           |                                         |
| irssi [19]                | Fix use after free issue when sending   |
|                           | SASL login to the server                |
|                           | [CVE-2019-13045]                        |
|                           |                                         |
| java-atk-wrapper [20]     | Also use dbus to detect accessibility   |
|                           | being enabled                           |
|                           |                                         |
| krb5 [21]                 | Fix KDC null dereference crash on FAST  |
|                           | request with no server field            |
|                           | [CVE-2021-37750]; fix memory leak in    |
|                           | krb5_gss_inquire_cred                   |
|                           |                                         |
| libdatetime-timezone-perl | New upstream stable release; update DST |
| [22]                      | rules for Samoa and Jordan;             |
|                           | confirmation of no leap second on       |
|                           | 2021-12-31                              |
|                           |                                         |
| libpam-tacplus [23]       | Prevent shared secrets from being added |
|                           | in plaintext to the system log          |
|                           | [CVE-2020-13881]                        |
|                           |                                         |
| linux [24]                | "proc: Track /proc/$pid/attr/ opener    |
|                           | mm_struct", fixing issues with          |
|                           | lxc-attach; new upstream stable         |
|                           | release; increase ABI version to 18;    |
|                           | [rt] Update to 4.19.207-rt88; usb: hso: |
|                           | fix error handling code of              |
|                           | hso_create_net_device [CVE-2021-37159]  |
|                           |                                         |
| linux-latest [25]         | Update to 4.19.0-18 kernel ABI          |
|                           |                                         |
| linux-signed-amd64 [26]   | "proc: Track /proc/$pid/attr/ opener    |
|                           | mm_struct", fixing issues with          |
|                           | lxc-attach; new upstream stable         |
|                           | release; increase ABI version to 18;    |
|                           | [rt] Update to 4.19.207-rt88; usb: hso: |
|                           | fix error handling code of              |
|                           | hso_create_net_device [CVE-2021-37159]  |
|                           |                                         |
| linux-signed-arm64 [27]   | "proc: Track /proc/$pid/attr/ opener    |
|                           | mm_struct", fixing issues with          |
|                           | lxc-attach; new upstream stable         |
|                           | release; increase ABI version to 18;    |
|                           | [rt] Update to 4.19.207-rt88; usb: hso: |
|                           | fix error handling code of              |
|                           | hso_create_net_device [CVE-2021-37159]  |
|                           |                                         |
| linux-signed-i386 [28]    | "proc: Track /proc/$pid/attr/ opener    |
|                           | mm_struct", fixing issues with          |
|                           | lxc-attach; new upstream stable         |
|                           | release; increase ABI version to 18;    |
|                           | [rt] Update to 4.19.207-rt88; usb: hso: |
|                           | fix error handling code of              |
|                           | hso_create_net_device [CVE-2021-37159]  |
|                           |                                         |
| mariadb-10.3 [29]         | New upstream stable release; security   |
|                           | fixes [CVE-2021-2389 CVE-2021-2372];    |
|                           | fix Perl executable path in scripts     |
|                           |                                         |
| modsecurity-crs [30]      | Fix request body bypass issue           |
|                           | [CVE-2021-35368]                        |
|                           |                                         |
| node-ansi-regex [31]      | Fix regular expression-based denial of  |
|                           | service issue [CVE-2021-3807]           |
|                           |                                         |
| node-axios [32]           | Fix regular expression-based denial of  |
|                           | service issue [CVE-2021-3749]           |
|                           |                                         |
| node-jszip [33]           | Use a null prototype object for         |
|                           | this.files [CVE-2021-23413]             |
|                           |                                         |
| node-tar [34]             | Remove non-directory paths from the     |
|                           | directory cache [CVE-2021-32803]; strip |
|                           | absolute paths more comprehensively     |
|                           | [CVE-2021-32804]                        |
|                           |                                         |
| nvidia-cuda-toolkit [35]  | Fix setting of NVVMIR_LIBRARY_DIR on    |
|                           | ppc64el                                 |
|                           |                                         |
| nvidia-graphics-drivers   | New upstream stable release; fix denial |
| [36]                      | of service issues [CVE-2021-1093        |
|                           | CVE-2021-1094 CVE-2021-1095];           |
|                           | nvidia-driver-libs: Add Recommends:     |
|                           | libnvidia-encode1                       |
|                           |                                         |
| nvidia-graphics-drivers-  | New upstream stable release; fix denial |
| legacy-390xx [37]         | of service issues [CVE-2021-1093        |
|                           | CVE-2021-1094 CVE-2021-1095];           |
|                           | nvidia-legacy-390xx-driver-libs: Add    |
|                           | Recommends:                             |
|                           | libnvidia-legacy-390xx-encode1          |
|                           |                                         |
| postgresql-11 [38]        | New upstream stable release; fix        |
|                           | mis-planning of repeated application of |
|                           | a projection step [CVE-2021-3677];      |
|                           | disallow SSL renegotiation more         |
|                           | completely                              |
|                           |                                         |
| proftpd-dfsg [39]         | Fix "mod_radius leaks memory contents   |
|                           | to radius server", "cannot disable      |
|                           | client-initiated renegotiation for      |
|                           | FTPS", navigation into symlinked        |
|                           | directories, mod_sftp crash when using  |
|                           | pubkey-auth with DSA keys               |
|                           |                                         |
| psmisc [40]               | Fix regression in killall not matching  |
|                           | process with names longer than 15       |
|                           | characters                              |
|                           |                                         |
| python-uflash [41]        | Update firmware URL                     |
|                           |                                         |
| request-tracker4 [42]     | Fix login timing side-channel attack    |
|                           | issue [CVE-2021-38562]                  |
|                           |                                         |
| ring [43]                 | Fix denial of service issue in the      |
|                           | embedded copy of pjproject              |
|                           | [CVE-2021-21375]                        |
|                           |                                         |
| sabnzbdplus [44]          | Prevent directory escape in renamer     |
|                           | function [CVE-2021-29488]               |
|                           |                                         |
| shim [45]                 | Add arm64 patch to tweak section layout |
|                           | and stop crashing problems; in insecure |
|                           | mode, don't abort if we can't create    |
|                           | the MokListXRT variable; don't abort on |
|                           | grub installation failures; warn        |
|                           | instead                                 |
|                           |                                         |
| shim-helpers-amd64-signed | Add arm64 patch to tweak section layout |
| [46]                      | and stop crashing problems; in insecure |
|                           | mode, don't abort if we can't create    |
|                           | the MokListXRT variable; don't abort on |
|                           | grub installation failures; warn        |
|                           | instead                                 |
|                           |                                         |
| shim-helpers-arm64-signed | Add arm64 patch to tweak section layout |
| [47]                      | and stop crashing problems; in insecure |
|                           | mode, don't abort if we can't create    |
|                           | the MokListXRT variable; don't abort on |
|                           | grub installation failures; warn        |
|                           | instead                                 |
|                           |                                         |
| shim-helpers-i386-signed  | Add arm64 patch to tweak section layout |
| [48]                      | and stop crashing problems; in insecure |
|                           | mode, don't abort if we can't create    |
|                           | the MokListXRT variable; don't abort on |
|                           | grub installation failures; warn        |
|                           | instead                                 |
|                           |                                         |
| shim-signed [49]          | Work around boot-breaking issues on     |
|                           | arm64 by including an older known       |
|                           | working version of unsigned shim on     |
|                           | that platform; switch arm64 back to     |
|                           | using a current unsigned build; add     |
|                           | arm64 patch to tweak section layout and |
|                           | stop crashing problems; in insecure     |
|                           | mode, don't abort if we can't create    |
|                           | the MokListXRT variable; don't abort on |
|                           | grub installation failures; warn        |
|                           | instead                                 |
|                           |                                         |
| shiro [50]                | Fix authentication bypass issues        |
|                           | [CVE-2020-1957 CVE-2020-11989           |
|                           | CVE-2020-13933 CVE-2020-17510]; update  |
|                           | Spring Framework compatibility patch;   |
|                           | support Guice 4                         |
|                           |                                         |
| tzdata [51]               | Update DST rules for Samoa and Jordan;  |
|                           | confirm the absence of a leap second on |
|                           | 2021-12-31                              |
|                           |                                         |
| ublock-origin [52]        | New upstream stable release; fix denial |
|                           | of service issue [CVE-2021-36773]       |
|                           |                                         |
| ulfius [53]               | Ensure memory is initialised before use |
|                           | [CVE-2021-40540]                        |
|                           |                                         |
| xmlgraphics-commons [54]  | Fix Server-Side Request Forgery issue   |
|                           | [CVE-2020-11988]                        |
|                           |                                         |
| yubikey-manager [55]      | Add missing dependency on               |
|                           | python3-pkg-resources to                |
|                           | yubikey-manager                         |
|                           |                                         |
+---------------------------+-----------------------------------------+

1: https://packages.debian.org/src:atftp
2: https://packages.debian.org/src:base-files
3: https://packages.debian.org/src:btrbk
4: https://packages.debian.org/src:clamav
5: https://packages.debian.org/src:commons-io
6: https://packages.debian.org/src:cyrus-imapd
7: https://packages.debian.org/src:debconf
8: https://packages.debian.org/src:debian-installer
9: https://packages.debian.org/src:debian-installer-netboot-images
10: https://packages.debian.org/src:distcc
11: https://packages.debian.org/src:distro-info-data
12: https://packages.debian.org/src:dwarf-fortress
13: https://packages.debian.org/src:espeak-ng
14: https://packages.debian.org/src:gcc-mingw-w64
15: https://packages.debian.org/src:gthumb
16: https://packages.debian.org/src:hg-git
17: https://packages.debian.org/src:htslib
18: https://packages.debian.org/src:http-parser
19: https://packages.debian.org/src:irssi
20: https://packages.debian.org/src:java-atk-wrapper
21: https://packages.debian.org/src:krb5
22: https://packages.debian.org/src:libdatetime-timezone-perl
23: https://packages.debian.org/src:libpam-tacplus
24: https://packages.debian.org/src:linux
25: https://packages.debian.org/src:linux-latest
26: https://packages.debian.org/src:linux-signed-amd64
27: https://packages.debian.org/src:linux-signed-arm64
28: https://packages.debian.org/src:linux-signed-i386
29: https://packages.debian.org/src:mariadb-10.3
30: https://packages.debian.org/src:modsecurity-crs
31: https://packages.debian.org/src:node-ansi-regex
32: https://packages.debian.org/src:node-axios
33: https://packages.debian.org/src:node-jszip
34: https://packages.debian.org/src:node-tar
35: https://packages.debian.org/src:nvidia-cuda-toolkit
36: https://packages.debian.org/src:nvidia-graphics-drivers
37: https://packages.debian.org/src:nvidia-graphics-drivers-legacy-390xx
38: https://packages.debian.org/src:postgresql-11
39: https://packages.debian.org/src:proftpd-dfsg
40: https://packages.debian.org/src:psmisc
41: https://packages.debian.org/src:python-uflash
42: https://packages.debian.org/src:request-tracker4
43: https://packages.debian.org/src:ring
44: https://packages.debian.org/src:sabnzbdplus
45: https://packages.debian.org/src:shim
46: https://packages.debian.org/src:shim-helpers-amd64-signed
47: https://packages.debian.org/src:shim-helpers-arm64-signed
48: https://packages.debian.org/src:shim-helpers-i386-signed
49: https://packages.debian.org/src:shim-signed
50: https://packages.debian.org/src:shiro
51: https://packages.debian.org/src:tzdata
52: https://packages.debian.org/src:ublock-origin
53: https://packages.debian.org/src:ulfius
54: https://packages.debian.org/src:xmlgraphics-commons
55: https://packages.debian.org/src:yubikey-manager


Security Updates
----------------

This revision adds the following security updates to the oldstable
release. The Security Team has already released an advisory for each of
these updates:

+----------------+----------------------------+
| Advisory ID    | Package                    |
+----------------+----------------------------+
| DSA-4842 [56]  | thunderbird [57]           |
|                |                            |
| DSA-4866 [58]  | thunderbird [59]           |
|                |                            |
| DSA-4876 [60]  | thunderbird [61]           |
|                |                            |
| DSA-4897 [62]  | thunderbird [63]           |
|                |                            |
| DSA-4927 [64]  | thunderbird [65]           |
|                |                            |
| DSA-4931 [66]  | xen [67]                   |
|                |                            |
| DSA-4932 [68]  | tor [69]                   |
|                |                            |
| DSA-4933 [70]  | nettle [71]                |
|                |                            |
| DSA-4934 [72]  | intel-microcode [73]       |
|                |                            |
| DSA-4935 [74]  | php7.3 [75]                |
|                |                            |
| DSA-4936 [76]  | libuv1 [77]                |
|                |                            |
| DSA-4937 [78]  | apache2 [79]               |
|                |                            |
| DSA-4938 [80]  | linuxptp [81]              |
|                |                            |
| DSA-4939 [82]  | firefox-esr [83]           |
|                |                            |
| DSA-4940 [84]  | thunderbird [85]           |
|                |                            |
| DSA-4941 [86]  | linux-signed-amd64 [87]    |
|                |                            |
| DSA-4941 [88]  | linux-signed-arm64 [89]    |
|                |                            |
| DSA-4941 [90]  | linux-signed-i386 [91]     |
|                |                            |
| DSA-4941 [92]  | linux [93]                 |
|                |                            |
| DSA-4942 [94]  | systemd [95]               |
|                |                            |
| DSA-4943 [96]  | lemonldap-ng [97]          |
|                |                            |
| DSA-4944 [98]  | krb5 [99]                  |
|                |                            |
| DSA-4945 [100] | webkit2gtk [101]           |
|                |                            |
| DSA-4946 [102] | openjdk-11-jre-dcevm [103] |
|                |                            |
| DSA-4946 [104] | openjdk-11 [105]           |
|                |                            |
| DSA-4947 [106] | libsndfile [107]           |
|                |                            |
| DSA-4948 [108] | aspell [109]               |
|                |                            |
| DSA-4949 [110] | jetty9 [111]               |
|                |                            |
| DSA-4950 [112] | ansible [113]              |
|                |                            |
| DSA-4951 [114] | bluez [115]                |
|                |                            |
| DSA-4952 [116] | tomcat9 [117]              |
|                |                            |
| DSA-4953 [118] | lynx [119]                 |
|                |                            |
| DSA-4954 [120] | c-ares [121]               |
|                |                            |
| DSA-4955 [122] | libspf2 [123]              |
|                |                            |
| DSA-4956 [124] | firefox-esr [125]          |
|                |                            |
| DSA-4957 [126] | trafficserver [127]        |
|                |                            |
| DSA-4958 [128] | exiv2 [129]                |
|                |                            |
| DSA-4959 [130] | thunderbird [131]          |
|                |                            |
| DSA-4961 [132] | tor [133]                  |
|                |                            |
| DSA-4962 [134] | ledgersmb [135]            |
|                |                            |
| DSA-4963 [136] | openssl [137]              |
|                |                            |
| DSA-4964 [138] | grilo [139]                |
|                |                            |
| DSA-4967 [140] | squashfs-tools [141]       |
|                |                            |
| DSA-4969 [142] | firefox-esr [143]          |
|                |                            |
| DSA-4970 [144] | postorius [145]            |
|                |                            |
| DSA-4971 [146] | ntfs-3g [147]              |
|                |                            |
| DSA-4973 [148] | thunderbird [149]          |
|                |                            |
| DSA-4974 [150] | nextcloud-desktop [151]    |
|                |                            |
| DSA-4975 [152] | webkit2gtk [153]           |
|                |                            |
| DSA-4979 [154] | mediawiki [155]            |
|                |                            |
+----------------+----------------------------+

56: https://www.debian.org/security/2021/dsa-4842
57: https://packages.debian.org/src:thunderbird
58: https://www.debian.org/security/2021/dsa-4866
59: https://packages.debian.org/src:thunderbird
60: https://www.debian.org/security/2021/dsa-4876
61: https://packages.debian.org/src:thunderbird
62: https://www.debian.org/security/2021/dsa-4897
63: https://packages.debian.org/src:thunderbird
64: https://www.debian.org/security/2021/dsa-4927
65: https://packages.debian.org/src:thunderbird
66: https://www.debian.org/security/2021/dsa-4931
67: https://packages.debian.org/src:xen
68: https://www.debian.org/security/2021/dsa-4932
69: https://packages.debian.org/src:tor
70: https://www.debian.org/security/2021/dsa-4933
71: https://packages.debian.org/src:nettle
72: https://www.debian.org/security/2021/dsa-4934
73: https://packages.debian.org/src:intel-microcode
74: https://www.debian.org/security/2021/dsa-4935
75: https://packages.debian.org/src:php7.3
76: https://www.debian.org/security/2021/dsa-4936
77: https://packages.debian.org/src:libuv1
78: https://www.debian.org/security/2021/dsa-4937
79: https://packages.debian.org/src:apache2
80: https://www.debian.org/security/2021/dsa-4938
81: https://packages.debian.org/src:linuxptp
82: https://www.debian.org/security/2021/dsa-4939
83: https://packages.debian.org/src:firefox-esr
84: https://www.debian.org/security/2021/dsa-4940
85: https://packages.debian.org/src:thunderbird
86: https://www.debian.org/security/2021/dsa-4941
87: https://packages.debian.org/src:linux-signed-amd64
88: https://www.debian.org/security/2021/dsa-4941
89: https://packages.debian.org/src:linux-signed-arm64
90: https://www.debian.org/security/2021/dsa-4941
91: https://packages.debian.org/src:linux-signed-i386
92: https://www.debian.org/security/2021/dsa-4941
93: https://packages.debian.org/src:linux
94: https://www.debian.org/security/2021/dsa-4942
95: https://packages.debian.org/src:systemd
96: https://www.debian.org/security/2021/dsa-4943
97: https://packages.debian.org/src:lemonldap-ng
98: https://www.debian.org/security/2021/dsa-4944
99: https://packages.debian.org/src:krb5
100: https://www.debian.org/security/2021/dsa-4945
101: https://packages.debian.org/src:webkit2gtk
102: https://www.debian.org/security/2021/dsa-4946
103: https://packages.debian.org/src:openjdk-11-jre-dcevm
104: https://www.debian.org/security/2021/dsa-4946
105: https://packages.debian.org/src:openjdk-11
106: https://www.debian.org/security/2021/dsa-4947
107: https://packages.debian.org/src:libsndfile
108: https://www.debian.org/security/2021/dsa-4948
109: https://packages.debian.org/src:aspell
110: https://www.debian.org/security/2021/dsa-4949
111: https://packages.debian.org/src:jetty9
112: https://www.debian.org/security/2021/dsa-4950
113: https://packages.debian.org/src:ansible
114: https://www.debian.org/security/2021/dsa-4951
115: https://packages.debian.org/src:bluez
116: https://www.debian.org/security/2021/dsa-4952
117: https://packages.debian.org/src:tomcat9
118: https://www.debian.org/security/2021/dsa-4953
119: https://packages.debian.org/src:lynx
120: https://www.debian.org/security/2021/dsa-4954
121: https://packages.debian.org/src:c-ares
122: https://www.debian.org/security/2021/dsa-4955
123: https://packages.debian.org/src:libspf2
124: https://www.debian.org/security/2021/dsa-4956
125: https://packages.debian.org/src:firefox-esr
126: https://www.debian.org/security/2021/dsa-4957
127: https://packages.debian.org/src:trafficserver
128: https://www.debian.org/security/2021/dsa-4958
129: https://packages.debian.org/src:exiv2
130: https://www.debian.org/security/2021/dsa-4959
131: https://packages.debian.org/src:thunderbird
132: https://www.debian.org/security/2021/dsa-4961
133: https://packages.debian.org/src:tor
134: https://www.debian.org/security/2021/dsa-4962
135: https://packages.debian.org/src:ledgersmb
136: https://www.debian.org/security/2021/dsa-4963
137: https://packages.debian.org/src:openssl
138: https://www.debian.org/security/2021/dsa-4964
139: https://packages.debian.org/src:grilo
140: https://www.debian.org/security/2021/dsa-4967
141: https://packages.debian.org/src:squashfs-tools
142: https://www.debian.org/security/2021/dsa-4969
143: https://packages.debian.org/src:firefox-esr
144: https://www.debian.org/security/2021/dsa-4970
145: https://packages.debian.org/src:postorius
146: https://www.debian.org/security/2021/dsa-4971
147: https://packages.debian.org/src:ntfs-3g
148: https://www.debian.org/security/2021/dsa-4973
149: https://packages.debian.org/src:thunderbird
150: https://www.debian.org/security/2021/dsa-4974
151: https://packages.debian.org/src:nextcloud-desktop
152: https://www.debian.org/security/2021/dsa-4975
153: https://packages.debian.org/src:webkit2gtk
154: https://www.debian.org/security/2021/dsa-4979
155: https://packages.debian.org/src:mediawiki


Removed packages
----------------

The following packages were removed due to circumstances beyond our
control:

+-----------------------------+----------------------------------------+
| Package                     | Reason                                 |
+-----------------------------+----------------------------------------+
| birdtray [156]              | Incompatible with newer Thunderbird    |
|                             | versions                               |
|                             |                                        |
| libprotocol-acme-perl [157] | Only supports obsolete ACME version 1  |
|                             |                                        |
+-----------------------------+----------------------------------------+

156: https://packages.debian.org/src:birdtray
157: https://packages.debian.org/src:libprotocol-acme-perl


Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
oldstable by the point release.


URLs
----

The complete lists of packages that have changed with this revision:

  https://deb.debian.org/debian/dists/buster/ChangeLog

The current oldstable distribution:

  https://deb.debian.org/debian/dists/oldstable/

Proposed updates to the oldstable distribution:

  https://deb.debian.org/debian/dists/oldstable-proposed-updates

oldstable distribution information (release notes, errata etc.):

  https://www.debian.org/releases/oldstable/

Security announcements and information:

  https://www.debian.org/security/


About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.


Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.