----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 197-1 https://www.debian.org/
debian-release@lists.debian.org Adam D. Barratt
March 22nd, 2021
----------------------------------------------------------------------------

Upcoming Debian 10 Update (10.9)

An update to Debian 10 is scheduled for Saturday, March 27th, 2021. As of
now it will include the following bug fixes. They can be found in
"buster-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "buster-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package                    Reason
-------                    ------

avahi                      Remove avahi-daemon-check-dns mechanism, no
                           longer needed

base-files                 Update /etc/debian_version for the 10.9 point
                           release

cloud-init                 Avoid logging generated passwords to world-
                           readable log files [CVE-2021-3429]

debian-archive-keyring     Add bullseye keys; retire jessie keys

debian-installer           Use 4.19.0-16 Linux kernel ABI

exim4                      Fix use of concurrent TLS connections under
                           GnuTLS; fix TLS certificate verification with
                           CNAMEs; README.Debian: document the
                           limitation/extent of server certificate
                           verification in the default configuration

fetchmail                  No longer report "System error during
                           SSL_connect(): Success"; remove OpenSSL version
                           check

fwupd                      Add SBAT support

fwupdate                   Add SBAT support

gdnsd                      Fix stack overflow with overly-large IPv6
                           addresses [CVE-2019-13952]

groff                      Rebuild against ghostscript 9.27

hwloc-contrib              Enable support for ppc64el

intel-microcode            Update various microcode

iputils                    Fix ping rounding errors; fix tracepath target
                           corruption

jquery                     Fix untrusted code execution vulnerabilities
                           [CVE-2020-11022 CVE-2020-11023]

libbsd                     Fix out-of-bounds read issue [CVE-2019-20367]

libpano13                  Fix format string vulnerability

libreoffice                Do not load encodings.py from current directory

linux                      New upstream stable release; bump ABI to -16;
                           rotate secure boot signing keys

linux-latest               Update to -16 kernel ABI

lirc                       Normalize embedded ${DEB_HOST_MULTIARCH} value
                           in /etc/lirc/lirc_options.conf to find
                           unmodified configuration files on all
                           architectures; recommend gir1.2-vte-2.91
                           instead of non-existent gir1.2-vte

m2crypto                   Fix test failure with recent OpenSSL

openafs                    Fix outgoing connections after unix epoch time
                           0x60000000 (14 January 2021)

portaudio19                Handle EPIPE from
                           alsa_snd_pcm_poll_descriptors, fixing crash

postgresql-11              New upstream stable release; fix information
                           leakage in constraint-violation error messages
                           [CVE-2021-3393]; fix CREATE INDEX CONCURRENTLY
                           to wait for concurrent prepared transactions

privoxy                    Security issues [CVE-2020-35502 CVE-2021-20209
                           CVE-2021-20210 CVE-2021-20211 CVE-2021-20212
                           CVE-2021-20213 CVE-2021-20214 CVE-2021-20215
                           CVE-2021-20216 CVE-2021-20217 CVE-2021-20272
                           CVE-2021-20273 CVE-2021-20275 CVE-2021-20276]

python3.7                  Fix CRLF injection in http.client
                           [CVE-2020-26116]; fix buffer overflow in
                           PyCArg_repr in _ctypes/callproc.c
                           [CVE-2021-3177]

redis                      Fix a series of integer overflow issues on
                           32-bit systems [CVE-2021-21309]

ruby-mechanize             Fix command injection issue [CVE-2021-21289]

systemd                    core: make sure to restore the control command
                           id, too, fixing a segfault; seccomp: allow
                           turning off of seccomp filtering via an
                           environment variable

uim                        libuim-data: Perform symlink_to_dir conversion
                           of /usr/share/doc/libuim-data in the
                           resurrected package for clean upgrades from
                           stretch

xcftools                   Fix integer overflow vulnerability
                           [CVE-2019-5086 CVE-2019-5087]

xterm                      Correct upper-limit for selection buffer,
                           accounting for combining characters
                           [CVE-2021-27135]

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".