----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 167-1 https://www.debian.org/
debian-release@lists.debian.org Adam D. Barratt
September 3rd, 2019
----------------------------------------------------------------------------
Upcoming Debian 10 Update (10.1)
An update to Debian 10 is scheduled for Saturday, September 7th, 2019. As of now
it will include the following bug fixes. They can be found in "buster-
proposed-updates", which is carried by all official mirrors.
Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "buster-updates".
Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.
The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------
This stable update adds a few important corrections to the following
packages:
Package Reason
------- ------
acme-tiny Handle upcoming ACME protocol change
android-sdk-meta New upstream release; fix regex for adding
Debian version to binary packages
apt-setup Stop using apt-key to add local repository keys
asterisk Fix buffer overflow in res_pjsip_messaging
[AST-2019-002 / CVE-2019-12827]; fix remote
Crash Vulnerability in chan_sip [AST-2019-003 /
CVE-2019-13161]
babeltrace Bump ctf symbols depends to post merge version
backup-manager Fix purging of remote archives via FTP or SSH
base-files Update for the point release
basez Properly decode base64url encoded strings
bro Security fixes [CVE-2018-16807 CVE-2018-17019]
bzip2 Fix regression uncompressing some files
cacti Fix some issues upgrading from the version in
stretch
calamares-settings-debian Fix permissions for initramfs image when full-
disk encryption is enabled
ceph Rebuild against new libbabeltrace
clamav Prevent extraction of non-recursive zip bombs;
new upstream stable release with security fixes
- add scan time limit to mitigate against zip-
bombs [CVE-2019-12625]; fix out-of-bounds write
within the NSIS bzip2 library [CVE-2019-12900]
cloudkitty Fix build failures with updated SQLAlchemy
console-setup Fix internationalization issues when switching
locales with Perl >= 5.28
cryptsetup Fix support for LUKS2 headers without any bound
keyslot; fix mapped segments overflow on 32-bit
architectures
cups Fix multiple security/disclosure issues - SNMP
buffer overflows [CVE-2019-8696 CVE-2019-8675],
IPP buffer overflow, Denial of Service and
memory disclosure issues in the scheduler
dbconfig-common Fix issue caused by change in bash POSIX
behaviour
debian-edu-config Use PXE option 'ipappend 2' for LTSP client
boot; fix sudo-ldap configuration; fix loss of
dynamically allocated v4 IP address; several
fixes and improvements to debian-edu-
config.fetch-ldap-cert
debian-edu-doc Update Debian Edu Buster and ITIL manuals and
translations
dehydrated Fix fetching of account information; followup
fixes for account ID handling and APIv1
compatibility
devscripts Debchange: target buster-backports with --bpo
dma Don't limit TLS connections to TLS1.0
dpdk New upstream stable release
dput-ng Add buster-backports and stretch-backports-
sloppy codenames
e2fsprogs Fix e4defrag crashes on 32-bit architectures
enigmail New upstream release; security fixes
[CVE-2019-12269]
epiphany-browser Ensure that the web extension loads our bundled
copy of libdazzle
erlang-p1-pkix Fix handling of GnuTLS certificates
facter Fix parsing of Linux route non-kv flags (e.g.
onlink)
fdroidserver New upstream release
fig2dev Do not segfault on circle/half circle
arrowheads with a magnification larger than 42
[CVE-2019-14275]
firmware-nonfree Atheros: Add Qualcomm Atheros QCA9377 rev 1.0
firmware version WLAN.TF.2.1-00021-QCARMSWP-1;
realtek: Add Realtek RTL8822CU Bluetooth
firmware; atheros: Revert change of QCA9377 rev
1.0 firmware in 20180518-1; misc-nonfree: add
firmware for MediaTek MT76x0/MT76x2u wireless
chips, MediaTek MT7622/MT7668 bluetooth chips,
GV100 signed firmware
freeorion Fix crash when loading or saving game data
fuse-emulator Prefer the X11 backend over the Wayland one;
show the Fuse icon on the GTK window and About
dialog
fusiondirectory Stricter checks on LDAP lookups; fix missing
dependency on php-xml
gcab Fix corruption when extracting
gdb Rebuild against new libbabeltrace
glib2.0 Make GKeyFile settings backend create ~/.config
and configuration files with restrictive
permissions [CVE-2019-13012]
gnome-bluetooth Avoid GNOME Shell crashes when gnome-shell-
extension-bluetooth-quick-connect is used
gnome-control-center Fix crash when the Details -> Overview (info-
overview) panel is selected; fix memory leaks
in Universal Access panel; fix a regression
that caused the Universal Access -> Zoom mouse
tracking options to have no effect; updated
Icelandic and Japanese translations
gnupg2 Backport many bug fixes and stability patches
from upstream; use keys.openpgp.org as the
default keyserver; only import self-signatures
by default
gnuplot Fix incomplete/unsafe initialization of ARGV
array
gosa Stricter checks on LDAP lookups
hfst Ensure smoother upgrades from stretch
initramfs-tools Disable resume when there are no suitable swap
devices; MODULES=most: include all keyboard
driver modules, cros_ec_spi and SPI drivers,
extcon-usbc-cros-ec; MODULES=dep: include
extcon drivers
jython Preserve backward compatibility with Java 7
lacme Update for removal of unauthenticated GET
support from the Let's Encrypt ACMEv2 API
libblockdev Use existing cryptsetup API for changing
keyslot passphrase
libdatetime-timezone-perl Update included data
libjavascript-beautifier Add missing "=>" operator
-perl
libsdl2-image Fix buffer overflows [CVE-2019-5058
CVE-2019-5052 CVE-2019-7635]; fix out of bounds
access in PCX handling [CVE-2019-12216
CVE-2019-12217 CVE-2019-12218 CVE-2019-12219
CVE-2019-12220 CVE-2019-12221 CVE-2019-12222
CVE-2019-5051]
libtk-img Stop using internal copies of Jpeg, Zlib and
PixarLog codecs, fixing crashes
libxslt Fix security framework bypass [CVE-2019-11068],
uninitialized read of xsl:number token
[CVE-2019-13117] and uninitialized read with
UTF-8 grouping chars [CVE-2019-13118]
linux New upstream stable release
linux-latest Update for 4.19.0-6 kernel ABI
linux-signed-amd64 New upstream stable release
linux-signed-arm64 New upstream stable release
linux-signed-i386 New upstream stable release
lttv Rebuild against new libbabeltrace
mapproxy Fix WMS Capabilties with Python 3.7
mariadb-10.3 New upstream stable release; security fixes
[CVE-2019-2737 CVE-2019-2739 CVE-2019-2740
CVE-2019-2758 CVE-2019-2805]; fix segfault on
'information_schema' access; rename
'mariadbcheck' to 'mariadb-check'
musescore Disable webkit functionality
ncbi-tools6 Repackage without non-free data/UniVec.*; fix
test-suite to handle UniVec removal
ncurses Remove "rep" from xterm-new and derived
terminfo descriptions
netdata Remove Google Analytics from generated
documentation; opt out of sending anonymous
statistics; remove "sign in" button
newsboat Fix use after free issue
nextcloud-desktop Add missing dependency on nextcloud-desktop-
common to nextcloud-desktop-cmd
node-lodash Fix prototype pollution [CVE-2019-10744]
node-mixin-deep Fix prototype pollution issue
nss Fix security issues [CVE-2019-11719
CVE-2019-11727 CVE-2019-11729]
nx-libs Fix a number of memory leaks
open-infrastructure Fix container start
-compute-tools
open-vm-tools Correctly handle OS versions of "X", rather
than "X.Y"
openldap Security fixes
osinfo-db Add buster 10.0 information; fix URLs for
stretch download; fix the name of the parameter
used to set the fullname when generating a
preseed file
osmpbf Rebuild with protobuf 3.6.1
pam-u2f Fix insecure debug file handling
[CVE-2019-12209]; fix debug file descriptor
leak [CVE-2019-12210]; fix out-of-bounds
access; fix segfault following a failure to
allocate a buffer
passwordsafe Install localisation files in correct directory
piuparts Update configurations for the buster release;
fix spurious failure to remove packages with
names ending with '+'; generate separate
tarball names for --merged-usr chroots
postgresql-common Fix "pg_upgradecluster from postgresql-common
200, 200+deb10u1, 201, and 202 will corrupt the
data_directory setting when used *twice* to
upgrade a cluster (e.g. 9.6 -> 10 -> 11)"
pulseaudio Fix mute state restoring
puppet-module-cinder Fix attempts to write to /etc/init
python-autobahn Fix pyqrcode build dependencies
python-django New upstream security release [CVE-2019-12781]
raspi3-firmware Add support for Raspberry Pi Compute Module 3
(CM3), Raspberry Pi Compute Module 3 Lite and
Raspberry Pi Compute Module IO Board V3
reportbug Update release names, following Buster release;
re-enable stretch-pu requests; fix crashes with
package / version lookup; add missing
dependency on sensible-utils
ruby-airbrussh Don't throw exception on invalid UTF-8 SSH
output
sdl-image1.2 Fix buffer overflows [CVE-2019-5052
CVE-2019-7635], out-of-bounds access
[CVE-2019-12216 CVE-2019-12217 CVE-2019-12218
CVE-2019-12219 CVE-2019-12220 CVE-2019-12221
CVE-2019-12222 CVE-2019-5051]
sendmail Sendmail-bin.postinst, initscript: Let start-
stop-daemon match on pidfile and executable;
sendmail-bin.prerm: Stop sendmail before
removing the alternatives
slirp4netns New upstream stable release with security fixes
- check sscanf result when emulating ident
[CVE-2019-9824]; fixes heap overflow in
included libslirp [CVE-2019-14378]
systemd Network: Fix failure to bring up interface with
Linux kernel 5.2; ask-password: Prevent buffer
overflow when reading from keyring; network:
Behave more gracefully when IPv6 has been
disabled
tzdata New upstream release
unzip Fix zip bomb issues [CVE-2019-13232]
usb.ids Routine update of USB IDs
warzone2100 Fix a segmentation fault when hosting a
multiplayer game
webkit2gtk New upstream stable version; stop requiring
SSE2-capable CPUs
win32-loader Rebuild against current packages, particularly
debian-archive-keyring; fix build failure by
enforcing a POSIX locale
xymon Fix several (server only) security issues
[CVE-2019-13273 CVE-2019-13274 CVE-2019-13451
CVE-2019-13452 CVE-2019-13455 CVE-2019-13484
CVE-2019-13485 CVE-2019-13486]
yubikey-personalization Backport additional security precautions
z3 Do not set the SONAME of libz3java.so to
libz3.so.4
A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:
<https://release.debian.org/proposed-updates/stable.html>
Removed packages
----------------
The following packages will be removed due to circumstances beyond our
control:
Package Reason
------- ------
pump Unmaintained; security issues
rustc Remove outdated rust-doc cruft
If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
Attachment:
signature.asc
Description: This is a digitally signed message part