------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 10: 10.8 released                        press@debian.org
February 6th, 2021             https://www.debian.org/News/2021/20210206
------------------------------------------------------------------------

The Debian project is pleased to announce the eighth update of its
stable distribution Debian 10 (codename "buster"). This point release
mainly adds corrections for security issues, along with a few
adjustments for serious problems. Security advisories have already been
published separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 10 but only updates some of the packages included. There is no
need to throw away old "buster" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't
have to update many packages, and most such updates are included in the
point release.

New installation images will be available soon at the regular
locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors.
A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

+-------------------------------------------+-----------------------------------------+
| Package                                   | Reason                                  |
+-------------------------------------------+-----------------------------------------+
| atftp [1]                                 | Fix denial of service issue             |
|                                           | [CVE-2020-6097]                         |
|                                           |                                         |
| base-files [2]                            | Update /etc/debian_version for the 10.8 |
|                                           | point release                           |
|                                           |                                         |
| ca-certificates [3]                       | Update Mozilla CA bundle to 2.40,       |
|                                           | blacklist expired "AddTrust External    |
|                                           | Root"                                   |
|                                           |                                         |
| cacti [4]                                 | Fix SQL injection issue                 |
|                                           | [CVE-2020-35701] and stored XSS issue   |
|                                           |                                         |
| cairo [5]                                 | Fix mask usage in image-compositor      |
|                                           | [CVE-2020-35492]                        |
|                                           |                                         |
| choose-mirror [6]                         | Update mirror list                      |
|                                           |                                         |
| cjson [7]                                 | Fix infinite loop in cJSON_Minify       |
|                                           |                                         |
| clevis [8]                                | Fix initramfs creation; clevis-dracut:  |
|                                           | Trigger initramfs creation upon         |
|                                           | installation                            |
|                                           |                                         |
| cyrus-imapd [9]                           | Fix version comparison in cron script   |
|                                           |                                         |
| debian-edu-config [10]                    | Move host keytabs cleanup code out of   |
|                                           | gosa-modify-host into a standalone      |
|                                           | script, reducing LDAP calls to a single |
|                                           | query                                   |
|                                           |                                         |
| debian-installer [11]                     | Use 4.19.0-14 Linux kernel ABI; rebuild |
|                                           | against proposed-updates                |
|                                           |                                         |
| debian-installer-netboot-images [12]      | Rebuild against proposed-updates        |
|                                           |                                         |
| debian-installer-utils [13]               | Support partitions on USB UAS devices   |
|                                           |                                         |
| device-tree-compiler [14]                 | Fix segfault on "dtc -I fs              |
|                                           | /proc/device-tree"                      |
|                                           |                                         |
| didjvu [15]                               | Add missing build-dependency on tzdata  |
|                                           |                                         |
| dovecot [16]                              | Fix crash when searching mailboxes      |
|                                           | containing malformed MIME messages      |
|                                           |                                         |
| dpdk [17]                                 | New upstream stable release             |
|                                           |                                         |
| edk2 [18]                                 | CryptoPkg/BaseCryptLib: fix NULL        |
|                                           | dereference [CVE-2019-14584]            |
|                                           |                                         |
| emacs [19]                                | Don't crash with OpenPGP User IDs with  |
|                                           | no e-mail address                       |
|                                           |                                         |
| fcitx [20]                                | Fix input method support in Flatpaks    |
|                                           |                                         |
| file [21]                                 | Increase name recursion depth to 50 by  |
|                                           | default                                 |
|                                           |                                         |
| geoclue-2.0 [22]                          | Check the maximum allowed accuracy      |
|                                           | level even for system applications;     |
|                                           | make the Mozilla API key configurable   |
|                                           | and use a Debian-specific key by        |
|                                           | default; fix display of the usage       |
|                                           | indicator                               |
|                                           |                                         |
| gnutls28 [23]                             | Fix test suite error caused by expired  |
|                                           | certificate                             |
|                                           |                                         |
| grub2 [24]                                | When upgrading grub-pc                  |
|                                           | noninteractively, bail out if           |
|                                           | grub-install fails; explicitly check    |
|                                           | whether the target device exists before |
|                                           | running grub-install; grub-install: Add |
|                                           | backup and restore; don't call          |
|                                           | grub-install on fresh install of        |
|                                           | grub-pc                                 |
|                                           |                                         |
| highlight.js [25]                         | Fix prototype pollution                 |
|                                           | [CVE-2020-26237]                        |
|                                           |                                         |
| intel-microcode [26]                      | Update various microcode                |
|                                           |                                         |
| iproute2 [27]                             | Fix bugs in JSON output; fix race       |
|                                           | condition that DOSes the system when    |
|                                           | using ip netns add at boot              |
|                                           |                                         |
| irssi-plugin-xmpp [28]                    | Do not trigger the irssi core connect   |
|                                           | timeout prematurely, thus fixing        |
|                                           | STARTTLS connections                    |
|                                           |                                         |
| libdatetime-timezone-perl [29]            | Update for new tzdata version           |
|                                           |                                         |
| libdbd-csv-perl [30]                      | Fix test failure with libdbi-perl       |
|                                           | 1.642-1+deb10u2                         |
|                                           |                                         |
| libdbi-perl [31]                          | Security fix [CVE-2014-10402]           |
|                                           |                                         |
| libmaxminddb [32]                         | Fix heap-based buffer over-read         |
|                                           | [CVE-2020-28241]                        |
|                                           |                                         |
| lttng-modules [33]                        | Fix build on kernel versions >=         |
|                                           | 4.19.0-10                               |
|                                           |                                         |
| m2crypto [34]                             | Fix compatibility with OpenSSL 1.1.1i   |
|                                           | and newer                               |
|                                           |                                         |
| mini-buildd [35]                          | builder.py: sbuild call: set            |
|                                           | '--no-arch-all' explicitly              |
|                                           |                                         |
| net-snmp [36]                             | snmpd: Add cacheTime and execType flags |
|                                           | to EXTEND-MIB                           |
|                                           |                                         |
| node-ini [37]                             | Do not allow invalid hazardous string   |
|                                           | as section name [CVE-2020-7788]         |
|                                           |                                         |
| node-y18n [38]                            | Fix prototype pollution issue           |
|                                           | [CVE-2020-7774]                         |
|                                           |                                         |
| nvidia-graphics-drivers [39]              | New upstream release; fix possible      |
|                                           | denial of service and information       |
|                                           | disclosure [CVE-2021-1056]              |
|                                           |                                         |
| nvidia-graphics-drivers-legacy-390xx [40] | New upstream release; fix possible      |
|                                           | denial of service and information       |
|                                           | disclosure [CVE-2021-1056]              |
|                                           |                                         |
| pdns [41]                                 | Security fixes [CVE-2019-10203          |
|                                           | CVE-2020-17482]                         |
|                                           |                                         |
| pepperflashplugin-nonfree [42]            | Turn into a dummy package taking care   |
|                                           | of removing the previously installed    |
|                                           | plugin (no longer functional nor        |
|                                           | supported)                              |
|                                           |                                         |
| pngcheck [43]                             | Fix buffer overflow [CVE-2020-27818]    |
|                                           |                                         |
| postgresql-11 [44]                        | New upstream stable release; security   |
|                                           | fixes [CVE-2020-25694 CVE-2020-25695    |
|                                           | CVE-2020-25696]                         |
|                                           |                                         |
| postsrsd [45]                             | Ensure timestamp tags aren't too long   |
|                                           | before trying to decode them            |
|                                           | [CVE-2020-35573]                        |
|                                           |                                         |
| python-bottle [46]                        | Stop allowing ";" as a query-string     |
|                                           | separator [CVE-2020-28473]              |
|                                           |                                         |
| python-certbot [47]                       | Automatically use ACMEv2 API for        |
|                                           | renewals, to avoid issues with ACMEv1   |
|                                           | API removal                             |
|                                           |                                         |
| qxmpp [48]                                | Fix potential SEGFAULT on connection    |
|                                           | error                                   |
|                                           |                                         |
| silx [49]                                 | python(3)-silx: Add dependency on       |
|                                           | python(3)-scipy                         |
|                                           |                                         |
| slirp [50]                                | Fix buffer overflows [CVE-2020-7039     |
|                                           | CVE-2020-8608]                          |
|                                           |                                         |
| steam [51]                                | New upstream release                    |
|                                           |                                         |
| systemd [52]                              | journal: do not trigger assertion when  |
|                                           | journal_file_close() is passed NULL     |
|                                           |                                         |
| tang [53]                                 | Avoid race condition between keygen and |
|                                           | update                                  |
|                                           |                                         |
| tzdata [54]                               | New upstream release; update included   |
|                                           | timezone data                           |
|                                           |                                         |
| unzip [55]                                | Apply further fixes for CVE-2019-13232  |
|                                           |                                         |
| wireshark [56]                            | Fix various crashes, infinite loops and |
|                                           | memory leaks [CVE-2019-16319            |
|                                           | CVE-2019-19553 CVE-2020-11647           |
|                                           | CVE-2020-13164 CVE-2020-15466           |
|                                           | CVE-2020-25862 CVE-2020-25863           |
|                                           | CVE-2020-26418 CVE-2020-26421           |
|                                           | CVE-2020-26575 CVE-2020-28030           |
|                                           | CVE-2020-7045 CVE-2020-9428             |
|                                           | CVE-2020-9430 CVE-2020-9431]            |
|                                           |                                         |
+-------------------------------------------+-----------------------------------------+

    1: https://packages.debian.org/src:atftp
    2: https://packages.debian.org/src:base-files
    3: https://packages.debian.org/src:ca-certificates
    4: https://packages.debian.org/src:cacti
    5: https://packages.debian.org/src:cairo
    6: https://packages.debian.org/src:choose-mirror
    7: https://packages.debian.org/src:cjson
    8: https://packages.debian.org/src:clevis
    9: https://packages.debian.org/src:cyrus-imapd
   10: https://packages.debian.org/src:debian-edu-config
   11: https://packages.debian.org/src:debian-installer
   12: https://packages.debian.org/src:debian-installer-netboot-images
   13: https://packages.debian.org/src:debian-installer-utils
   14: https://packages.debian.org/src:device-tree-compiler
   15: https://packages.debian.org/src:didjvu
   16: https://packages.debian.org/src:dovecot
   17: https://packages.debian.org/src:dpdk
   18: https://packages.debian.org/src:edk2
   19: https://packages.debian.org/src:emacs
   20: https://packages.debian.org/src:fcitx
   21: https://packages.debian.org/src:file
   22: https://packages.debian.org/src:geoclue-2.0
   23: https://packages.debian.org/src:gnutls28
   24: https://packages.debian.org/src:grub2
   25: https://packages.debian.org/src:highlight.js
   26: https://packages.debian.org/src:intel-microcode
   27: https://packages.debian.org/src:iproute2
   28: https://packages.debian.org/src:irssi-plugin-xmpp
   29: https://packages.debian.org/src:libdatetime-timezone-perl
   30: https://packages.debian.org/src:libdbd-csv-perl
   31: https://packages.debian.org/src:libdbi-perl
   32: https://packages.debian.org/src:libmaxminddb
   33: https://packages.debian.org/src:lttng-modules
   34: https://packages.debian.org/src:m2crypto
   35: https://packages.debian.org/src:mini-buildd
   36: https://packages.debian.org/src:net-snmp
   37: https://packages.debian.org/src:node-ini
   38: https://packages.debian.org/src:node-y18n
   39: https://packages.debian.org/src:nvidia-graphics-drivers
   40: https://packages.debian.org/src:nvidia-graphics-drivers-legacy-390xx
   41: https://packages.debian.org/src:pdns
   42: https://packages.debian.org/src:pepperflashplugin-nonfree
   43: https://packages.debian.org/src:pngcheck
   44: https://packages.debian.org/src:postgresql-11
   45: https://packages.debian.org/src:postsrsd
   46: https://packages.debian.org/src:python-bottle
   47: https://packages.debian.org/src:python-certbot
   48: https://packages.debian.org/src:qxmpp
   49: https://packages.debian.org/src:silx
   50: https://packages.debian.org/src:slirp
   51: https://packages.debian.org/src:steam
   52: https://packages.debian.org/src:systemd
   53: https://packages.debian.org/src:tang
   54: https://packages.debian.org/src:tzdata
   55: https://packages.debian.org/src:unzip
   56: https://packages.debian.org/src:wireshark

Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+----------------+--------------------------+
| Advisory ID    | Package                  |
+----------------+--------------------------+
| DSA-4797 [57]  | webkit2gtk [58]          |
|                |                          |
| DSA-4801 [59]  | brotli [60]              |
|                |                          |
| DSA-4802 [61]  | thunderbird [62]         |
|                |                          |
| DSA-4803 [63]  | xorg-server [64]         |
|                |                          |
| DSA-4804 [65]  | xen [66]                 |
|                |                          |
| DSA-4805 [67]  | trafficserver [68]       |
|                |                          |
| DSA-4806 [69]  | minidlna [70]            |
|                |                          |
| DSA-4807 [71]  | openssl [72]             |
|                |                          |
| DSA-4808 [73]  | apt [74]                 |
|                |                          |
| DSA-4809 [75]  | python-apt [76]          |
|                |                          |
| DSA-4810 [77]  | lxml [78]                |
|                |                          |
| DSA-4811 [79]  | libxstream-java [80]     |
|                |                          |
| DSA-4812 [81]  | xen [82]                 |
|                |                          |
| DSA-4813 [83]  | firefox-esr [84]         |
|                |                          |
| DSA-4814 [85]  | xerces-c [86]            |
|                |                          |
| DSA-4815 [87]  | thunderbird [88]         |
|                |                          |
| DSA-4816 [89]  | mediawiki [90]           |
|                |                          |
| DSA-4817 [91]  | php-pear [92]            |
|                |                          |
| DSA-4818 [93]  | sympa [94]               |
|                |                          |
| DSA-4819 [95]  | kitty [96]               |
|                |                          |
| DSA-4820 [97]  | horizon [98]             |
|                |                          |
| DSA-4821 [99]  | roundcube [100]          |
|                |                          |
| DSA-4822 [101] | p11-kit [102]            |
|                |                          |
| DSA-4823 [103] | influxdb [104]           |
|                |                          |
| DSA-4824 [105] | chromium [106]           |
|                |                          |
| DSA-4825 [107] | dovecot [108]            |
|                |                          |
| DSA-4827 [109] | firefox-esr [110]        |
|                |                          |
| DSA-4828 [111] | libxstream-java [112]    |
|                |                          |
| DSA-4829 [113] | coturn [114]             |
|                |                          |
| DSA-4830 [115] | flatpak [116]            |
|                |                          |
| DSA-4831 [117] | ruby-redcarpet [118]     |
|                |                          |
| DSA-4832 [119] | chromium [120]           |
|                |                          |
| DSA-4833 [121] | gst-plugins-bad1.0 [122] |
|                |                          |
| DSA-4834 [123] | vlc [124]                |
|                |                          |
| DSA-4835 [125] | tomcat9 [126]            |
|                |                          |
| DSA-4837 [127] | salt [128]               |
|                |                          |
| DSA-4838 [129] | mutt [130]               |
|                |                          |
| DSA-4839 [131] | sudo [132]               |
|                |                          |
| DSA-4840 [133] | firefox-esr [134]        |
|                |                          |
| DSA-4841 [135] | slurm-llnl [136]         |
|                |                          |
| DSA-4843 [137] | linux-latest [138]       |
|                |                          |
| DSA-4843 [139] | linux-signed-amd64 [140] |
|                |                          |
| DSA-4843 [141] | linux-signed-arm64 [142] |
|                |                          |
| DSA-4843 [143] | linux-signed-i386 [144]  |
|                |                          |
| DSA-4843 [145] | linux [146]              |
|                |                          |
+----------------+--------------------------+

   57: https://www.debian.org/security/2020/dsa-4797
   58: https://packages.debian.org/src:webkit2gtk
   59: https://www.debian.org/security/2020/dsa-4801
   60: https://packages.debian.org/src:brotli
   61: https://www.debian.org/security/2020/dsa-4802
   62: https://packages.debian.org/src:thunderbird
   63: https://www.debian.org/security/2020/dsa-4803
   64: https://packages.debian.org/src:xorg-server
   65: https://www.debian.org/security/2020/dsa-4804
   66: https://packages.debian.org/src:xen
   67: https://www.debian.org/security/2020/dsa-4805
   68: https://packages.debian.org/src:trafficserver
   69: https://www.debian.org/security/2021/dsa-4806
   70: https://packages.debian.org/src:minidlna
   71: https://www.debian.org/security/2020/dsa-4807
   72: https://packages.debian.org/src:openssl
   73: https://www.debian.org/security/2020/dsa-4808
   74: https://packages.debian.org/src:apt
   75: https://www.debian.org/security/2020/dsa-4809
   76: https://packages.debian.org/src:python-apt
   77: https://www.debian.org/security/2020/dsa-4810
   78: https://packages.debian.org/src:lxml
   79: https://www.debian.org/security/2020/dsa-4811
   80: https://packages.debian.org/src:libxstream-java
   81: https://www.debian.org/security/2020/dsa-4812
   82: https://packages.debian.org/src:xen
   83: https://www.debian.org/security/2020/dsa-4813
   84: https://packages.debian.org/src:firefox-esr
   85: https://www.debian.org/security/2020/dsa-4814
   86: https://packages.debian.org/src:xerces-c
   87: https://www.debian.org/security/2020/dsa-4815
   88: https://packages.debian.org/src:thunderbird
   89: https://www.debian.org/security/2020/dsa-4816
   90: https://packages.debian.org/src:mediawiki
   91: https://www.debian.org/security/2020/dsa-4817
   92: https://packages.debian.org/src:php-pear
   93: https://www.debian.org/security/2020/dsa-4818
   94: https://packages.debian.org/src:sympa
   95: https://www.debian.org/security/2020/dsa-4819
   96: https://packages.debian.org/src:kitty
   97: https://www.debian.org/security/2020/dsa-4820
   98: https://packages.debian.org/src:horizon
   99: https://www.debian.org/security/2020/dsa-4821
  100: https://packages.debian.org/src:roundcube
  101: https://www.debian.org/security/2021/dsa-4822
  102: https://packages.debian.org/src:p11-kit
  103: https://www.debian.org/security/2021/dsa-4823
  104: https://packages.debian.org/src:influxdb
  105: https://www.debian.org/security/2021/dsa-4824
  106: https://packages.debian.org/src:chromium
  107: https://www.debian.org/security/2021/dsa-4825
  108: https://packages.debian.org/src:dovecot
  109: https://www.debian.org/security/2021/dsa-4827
  110: https://packages.debian.org/src:firefox-esr
  111: https://www.debian.org/security/2021/dsa-4828
  112: https://packages.debian.org/src:libxstream-java
  113: https://www.debian.org/security/2021/dsa-4829
  114: https://packages.debian.org/src:coturn
  115: https://www.debian.org/security/2021/dsa-4830
  116: https://packages.debian.org/src:flatpak
  117: https://www.debian.org/security/2021/dsa-4831
  118: https://packages.debian.org/src:ruby-redcarpet
  119: https://www.debian.org/security/2021/dsa-4832
  120: https://packages.debian.org/src:chromium
  121: https://www.debian.org/security/2021/dsa-4833
  122: https://packages.debian.org/src:gst-plugins-bad1.0
  123: https://www.debian.org/security/2021/dsa-4834
  124: https://packages.debian.org/src:vlc
  125: https://www.debian.org/security/2021/dsa-4835
  126: https://packages.debian.org/src:tomcat9
  127: https://www.debian.org/security/2021/dsa-4837
  128: https://packages.debian.org/src:salt
  129: https://www.debian.org/security/2021/dsa-4838
  130: https://packages.debian.org/src:mutt
  131: https://www.debian.org/security/2021/dsa-4839
  132: https://packages.debian.org/src:sudo
  133: https://www.debian.org/security/2021/dsa-4840
  134: https://packages.debian.org/src:firefox-esr
  135: https://www.debian.org/security/2021/dsa-4841
  136: https://packages.debian.org/src:slurm-llnl
  137: https://www.debian.org/security/2021/dsa-4843
  138: https://packages.debian.org/src:linux-latest
  139: https://www.debian.org/security/2021/dsa-4843
  140: https://packages.debian.org/src:linux-signed-amd64
  141: https://www.debian.org/security/2021/dsa-4843
  142: https://packages.debian.org/src:linux-signed-arm64
  143: https://www.debian.org/security/2021/dsa-4843
  144: https://packages.debian.org/src:linux-signed-i386
  145: https://www.debian.org/security/2021/dsa-4843
  146: https://packages.debian.org/src:linux

Removed packages
----------------

The following packages were removed due to circumstances beyond our
control:

+---------------------+------------------------------------------------+
| Package             | Reason                                         |
+---------------------+------------------------------------------------+
| compactheader [147] | Incompatible with current Thunderbird versions |
|                     |                                                |
+---------------------+------------------------------------------------+

  147: https://packages.debian.org/src:compactheader

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.

URLs
----

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/buster/ChangeLog

The current stable distribution:

http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

https://www.debian.org/security/

About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.

Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.