----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 177-1 https://www.debian.org/
debian-release@lists.debian.org Adam D. Barratt
February 3rd, 2020
----------------------------------------------------------------------------
Upcoming Debian 10 Update (10.3)
An update to Debian 10 is scheduled for Saturday, February 8th, 2020. As
of now it will include the following bug fixes. They can be found in
"buster-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "buster-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------
This stable update adds a few important corrections to the following
packages:
Package                      Reason
-------                      ------
alot                         Remove expiration time from test suite keys,
                             fixing build failure
atril                        Fix segfault when no document is loaded; fix
                             read of uninitialised memory [CVE-2019-11459]
base-files                   Update for the point release
beagle                       Provide wrapper script instead of symlinks to
                             JARs, making them work again
bgpdump                      Fix segmentation fault
boost1.67                    Fix undefined behaviour leading to crashing
                             libboost-numpy
brightd                      Actually compare the value read out of
                             /sys/class/power_supply/AC/online with '0'
casacore-data-jplde          Include tables up to 2040
clamav                       New upstream release; fix denial of service
                             issue [CVE-2019-15961]; remove ScanOnAccess
                             option, replacing with clamonacc
compactheader                New upstream release compatible with
                             Thunderbird 68
console-common               Fix regression that led to files not being
                             included
csh                          Fix segfault on eval
cups                         Fix memory leak in ppdOpen; fix validation of
                             default language in ippSetValuetag
                             [CVE-2019-2228]
cyrus-imapd                  Add BACKUP type to cyrus-upgrade-db, fixing
                             upgrade issues
debian-edu-config            Keep proxy settings on client if wpad is
                             unreachable
debian-security-support      Update security support status of several
                             packages
debos                        Rebuild against updated
                             golang-github-go-debos-fakemachine
dispmua                      New upstream release compatible with
                             Thunderbird 68
dkimpy                       New upstream stable release
dkimpy-milter                Fix privilege management at startup so Unix
                             sockets work
dpdk                         New upstream stable release
e2fsprogs                    Fix potential stack underflow in e2fsck
                             [CVE-2019-5188]; fix use after free in e2fsck
fig2dev                      Allow Fig v2 text strings ending with multiple
                             ^A [CVE-2019-19555]; reject huge arrow types
                             causing integer overflow [CVE-2019-19746]; fix
                             several crashes [CVE-2019-19797]
freerdp2                     Fix realloc return handling [CVE-2019-17177]
freetds                      Tds: Make sure UDT has varint set to 8
                             [CVE-2019-13508]
git-lfs                      Fix build issues with newer Go versions
gnubg                        Increase the size of static buffers used to
                             build messages during program start so that the
                             Spanish translation doesn't overflow a buffer
gnutls28                     Fix interop problems with gnutls 2.x; fix
                             parsing of certificates using RegisteredID
gtk2-engines-murrine         Fix co-installability with other themes
guile-2.2                    Fix build failure
libburn                      Fix "cdrskin multi-track burning was slow and
                             stalled after track 1"
libcgns                      Fix build failure on ppc64el
libimobiledevice             Properly handle partial SSL writes
libmatroska                  Bump shared library dependency to 1.4.7 since
                             that version introduced new symbols
libmysofa                    Security fixes [CVE-2019-16091 CVE-2019-16092
                             CVE-2019-16093 CVE-2019-16094 CVE-2019-16095]
libole-storage-lite-perl     Fix interpretation of years from 2020 onwards
libparse-win32registry-perl  Fix interpretation of years from 2020 onwards
libperl4-corelibs-perl       Fix interpretation of years from 2020 onwards
libsolv                      Fix heap buffer overflow [CVE-2019-20387]
libspreadsheet-wright-perl   Fix previously unusable OpenDocument
                             spreadsheets and passing of JSON formatting
                             options
libtimedate-perl             Fix interpretation of years from 2020 onwards
libvirt                      apparmor: Allow one to run pygrub; don't render
                             osxsave, ospke into QEMU command line; this
                             helps newer QEMU with some configs generated by
                             virt-install
libvncserver                 rfbserver: don't leak stack memory to the
                             remote [CVE-2019-15681]; resolve a freeze
                             during connection closure and a segmentation
                             fault on multi-threaded VNC servers; fix issue
                             connecting to VMWare servers; fix crashing of
                             x11vnc when vncviewer connects
limnoria                     Fix remote information disclosure and possibly
                             remote code execution in the Math plugin
                             [CVE-2019-19010]
linux                        New upstream stable version; new upstream
                             stable release
linux-latest                 Update for -8 kernel ABI
linux-signed-amd64           New upstream stable release
linux-signed-arm64           New upstream stable release
linux-signed-i386            New upstream stable release
mariadb-10.3                 New upstream stable release [CVE-2019-2938
                             CVE-2019-2974 CVE-2020-2574]
mesa                         Call shmget() with permission 0600 instead of
                             0777 [CVE-2019-5068]
mnemosyne                    Add missing dependency on PIL
modsecurity                  Fix cookie header parsing bug [CVE-2019-19886]
node-handlebars              Disallow calling "helperMissing" and
                             "blockHelperMissing" directly [CVE-2019-19919]
node-kind-of                 Fix type checking vulnerability in ctorName()
                             [CVE-2019-20149]
ntpsec                       Fix slow DNS retries; fix ntpdate -s (syslog)
                             to fix the if-up hook; documentation fixes
numix-gtk-theme              Fix co-installability with other themes
nvidia-graphics-drivers-legacy-340xx
                             New upstream stable release
nyancat                      Rebuild in a clean environment to add the
                             systemd unit for nyancat-server
openjpeg2                    Fix heap overflow [CVE-2018-21010] and integer
                             overflow [CVE-2018-20847]
opensmtpd                    Warn users of change of smtpd.conf syntax (in
                             earlier versions); install smtpctl setgid
                             opensmtpq; handle non-zero exit code from
                             hostname during config phase
openssh                      Deny (non-fatally) ipc in the seccomp sandbox,
                             fixing failures with OpenSSL 1.1.1d and Linux <
                             3.19 on some architectures
php-horde                    Fix stored cross-site scripting issue in Horde
                             Cloud Block [CVE-2019-12095]
php-horde-text-filter        Fix invalid regular expressions
postfix                      New upstream stable release
postgresql-11                New upstream stable release
print-manager                Fix crash if CUPS returns the same ID for
                             multiple print jobs
proftpd-dfsg                 Fix CRL issues [CVE-2019-19270 CVE-2019-19269]
pykaraoke                    Fix path to fonts
python-evtx                  Fix import of "hexdump"
python-internetarchive       Close file after getting hash, avoiding file
                             descriptor exhaustion
python3.7                    Security fixes [CVE-2019-9740 CVE-2019-9947
                             CVE-2019-9948 CVE-2019-10160 CVE-2019-16056
                             CVE-2019-16935]
qtbase-opensource-src        Add support for non-PPD printers and avoid
                             silent fallback to a printer supporting PPD;
                             fix crash when using QLabels with rich text;
                             fix graphics tablet hover events
qtwebengine-opensource-src   Fix PDF parsing; disable executable stack
quassel                      Fix quasselcore AppArmor denials when the
                             config is saved; correct default channel for
                             Debian; remove unnecessary NEWS file
qwinff                       Fix crash due to incorrect file detection
raspi3-firmware              Fix detection of serial console with kernel 5.x
ros-ros-comm                 Fix security issues [CVE-2019-13566
                             CVE-2019-13465 CVE-2019-13445]
roundcube                    New upstream stable release; fix insecure
                             permissions in enigma plugin [CVE-2018-1000071]
schleuder                    Fix recognizing keywords in mails with
                             "protected headers" and empty subject; strip
                             non-self-signatures when refreshing or fetching
                             keys; error if the argument provided to
                             `refresh_keys` is not an existing list; add
                             missing List-Id header to notification mails
                             sent to admins; handle decryption problems
                             gracefully; default to ASCII-8BIT encoding
simplesamlphp                Fix incompatibility with PHP 7.3
sogo-connector               New upstream release compatible with
                             Thunderbird 68
spf-engine                   Fix privilege management at startup so Unix
                             sockets work; update documentation for TestOnly
sudo                         Fix a buffer overflow when pwfeedback is
                             enabled and input is not a tty
                             [CVE-2019-18634]
systemd                      Set fs.file-max sysctl to LONG_MAX rather than
                             ULONG_MAX; change ownership/mode of the
                             execution directories also for static users,
                             ensuring that execution directories like
                             CacheDirectory and StateDirectory are properly
                             chowned to the user specified in User= before
                             launching the service
tifffile                     Fix wrapper script
tigervnc                     Security fixes [CVE-2019-15691 CVE-2019-15692
                             CVE-2019-15693 CVE-2019-15694 CVE-2019-15695]
tightvnc                     Security fixes [CVE-2014-6053 CVE-2019-8287
                             CVE-2018-20021 CVE-2018-20022 CVE-2018-20748
                             CVE-2018-7225 CVE-2019-15678 CVE-2019-15679
                             CVE-2019-15680 CVE-2019-15681]
uif                          Fix paths to ip(6)tables-restore in light of
                             the migration to nftables
unhide                       Fix stack exhaustion
x2goclient                   Strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/}
                             from destination paths in scp mode; fixes
                             regression with newer libssh versions with
                             fixes for CVE-2019-14889 applied
xmltooling                   Fix race condition that could lead to crash
                             under load
A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:
<https://release.debian.org/proposed-updates/stable.html>
Removed packages
----------------
The following packages will be removed due to circumstances beyond our
control:
Package              Reason
-------              ------
caml-crush [armel]   Unbuildable due to lack of ocaml-native-compilers
firetray             Incompatible with current Thunderbird versions
koji                 Security issues
python-lamson        Broken by changes in python-daemon
If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".