[SUA 167-1] Upcoming Debian 10 Update (10.1)

September 3rd, 2019

Upcoming Debian 10 Update (10.1)

An update to Debian 10 is scheduled for Saturday, September 7th, 2019. As of now
it will include the following bug fixes. They can be found in
"buster-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "buster-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following

  Package                    Reason
  -------                    ------

  acme-tiny                  Handle upcoming ACME protocol change

  android-sdk-meta           New upstream release; fix regex for adding
                             Debian version to binary packages

  apt-setup                  Stop using apt-key to add local repository keys

  asterisk                   Fix buffer overflow in res_pjsip_messaging
                             [AST-2019-002 / CVE-2019-12827]; fix remote
                             Crash Vulnerability in chan_sip [AST-2019-003 /

  babeltrace                 Bump ctf symbols depends to post merge version

  backup-manager             Fix purging of remote archives via FTP or SSH

  base-files                 Update for the point release

  basez                      Properly decode base64url encoded strings

  bro                        Security fixes [CVE-2018-16807 CVE-2018-17019]

  bzip2                      Fix regression uncompressing some files

  cacti                      Fix some issues upgrading from the version in

  calamares-settings-debian  Fix permissions for initramfs image when full-
                             disk encryption is enabled

  ceph                       Rebuild against new libbabeltrace

  clamav                     Prevent extraction of non-recursive zip bombs;
                             new upstream stable release with security fixes
                             - add scan time limit to mitigate against zip-
                             bombs [CVE-2019-12625]; fix out-of-bounds write
                             within the NSIS bzip2 library [CVE-2019-12900]

  cloudkitty                 Fix build failures with updated SQLAlchemy

  console-setup              Fix internationalization issues when switching
                             locales with Perl >= 5.28

  cryptsetup                 Fix support for LUKS2 headers without any bound
                             keyslot; fix mapped segments overflow on 32-bit

  cups                       Fix multiple security/disclosure issues - SNMP
                             buffer overflows [CVE-2019-8696 CVE-2019-8675],
                             IPP buffer overflow, Denial of Service and
                             memory disclosure issues in the scheduler

  dbconfig-common            Fix issue caused by change in bash POSIX

  debian-edu-config          Use PXE option 'ipappend 2' for LTSP client
                             boot; fix sudo-ldap configuration; fix loss of
                             dynamically allocated v4 IP address; several
                             fixes and improvements to debian-edu-

  debian-edu-doc             Update Debian Edu Buster and ITIL manuals and

  dehydrated                 Fix fetching of account information; followup
                             fixes for account ID handling and APIv1

  devscripts                 Debchange: target buster-backports with --bpo

  dma                        Don't limit TLS connections to TLS1.0

  dpdk                       New upstream stable release

  dput-ng                    Add buster-backports and stretch-backports-
                             sloppy codenames

  e2fsprogs                  Fix e4defrag crashes on 32-bit architectures

  enigmail                   New upstream release; security fixes

  epiphany-browser           Ensure that the web extension loads our bundled
                             copy of libdazzle

  erlang-p1-pkix             Fix handling of GnuTLS certificates

  facter                     Fix parsing of Linux route non-kv flags (e.g.

  fdroidserver               New upstream release

  fig2dev                    Do not segfault on circle/half circle
                             arrowheads with a magnification larger than 42

  firmware-nonfree           Atheros: Add Qualcomm Atheros QCA9377 rev 1.0
                             firmware version WLAN.TF.2.1-00021-QCARMSWP-1;
                             realtek: Add Realtek RTL8822CU Bluetooth
                             firmware; atheros: Revert change of QCA9377 rev
                             1.0 firmware in 20180518-1; misc-nonfree: add
                             firmware for MediaTek MT76x0/MT76x2u wireless
                             chips, MediaTek MT7622/MT7668 bluetooth chips,
                             GV100 signed firmware

  freeorion                  Fix crash when loading or saving game data

  fuse-emulator              Prefer the X11 backend over the Wayland one;
                             show the Fuse icon on the GTK window and About

  fusiondirectory            Stricter checks on LDAP lookups; fix missing
                             dependency on php-xml

  gcab                       Fix corruption when extracting

  gdb                        Rebuild against new libbabeltrace

  glib2.0                    Make GKeyFile settings backend create ~/.config
                             and configuration files with restrictive
                             permissions [CVE-2019-13012]

  gnome-bluetooth            Avoid GNOME Shell crashes when gnome-shell-
                             extension-bluetooth-quick-connect is used

  gnome-control-center       Fix crash when the Details -> Overview (info-
                             overview) panel is selected; fix memory leaks
                             in Universal Access panel; fix a regression
                             that caused the Universal Access -> Zoom mouse
                             tracking options to have no effect; updated
                             Icelandic and Japanese translations

  gnupg2                     Backport many bug fixes and stability patches
                             from upstream; use keys.openpgp.org as the
                             default keyserver; only import self-signatures
                             by default

  gnuplot                    Fix incomplete/unsafe initialization of ARGV

  gosa                       Stricter checks on LDAP lookups

  hfst                       Ensure smoother upgrades from stretch

  initramfs-tools            Disable resume when there are no suitable swap
                             devices; MODULES=most: include all keyboard
                             driver modules, cros_ec_spi and SPI drivers,
                             extcon-usbc-cros-ec; MODULES=dep: include
                             extcon drivers

  jython                     Preserve backward compatibility with Java 7

  lacme                      Update for removal of unauthenticated GET
                             support from the Let's Encrypt ACMEv2 API

  libblockdev                Use existing cryptsetup API for changing
                             keyslot passphrase

  libdatetime-timezone-perl  Update included data

  libjavascript-beautifier   Add missing "=>" operator

  libsdl2-image              Fix buffer overflows [CVE-2019-5058
                             CVE-2019-5052 CVE-2019-7635]; fix out of bounds
                             access in PCX handling [CVE-2019-12216
                             CVE-2019-12217 CVE-2019-12218 CVE-2019-12219
                             CVE-2019-12220 CVE-2019-12221 CVE-2019-12222

  libtk-img                  Stop using internal copies of Jpeg, Zlib and
                             PixarLog codecs, fixing crashes

  libxslt                    Fix security framework bypass [CVE-2019-11068],
                             uninitialized read of xsl:number token
                             [CVE-2019-13117] and uninitialized read with
                             UTF-8 grouping chars [CVE-2019-13118]

  linux                      New upstream stable release

  linux-latest               Update for 4.19.0-6 kernel ABI

  linux-signed-amd64         New upstream stable release

  linux-signed-arm64         New upstream stable release

  linux-signed-i386          New upstream stable release

  lttv                       Rebuild against new libbabeltrace

  mapproxy                   Fix WMS Capabilities with Python 3.7

  mariadb-10.3               New upstream stable release; security fixes
                             [CVE-2019-2737 CVE-2019-2739 CVE-2019-2740
                             CVE-2019-2758 CVE-2019-2805]; fix segfault on
                             'information_schema' access; rename
                             'mariadbcheck' to 'mariadb-check'

  musescore                  Disable webkit functionality

  ncbi-tools6                Repackage without non-free data/UniVec.*; fix
                             test-suite to handle UniVec removal

  ncurses                    Remove "rep" from xterm-new and derived
                             terminfo descriptions

  netdata                    Remove Google Analytics from generated
                             documentation; opt out of sending anonymous
                             statistics; remove "sign in" button

  newsboat                   Fix use after free issue

  nextcloud-desktop          Add missing dependency on nextcloud-desktop-
                             common to nextcloud-desktop-cmd

  node-lodash                Fix prototype pollution [CVE-2019-10744]

  node-mixin-deep            Fix prototype pollution issue

  nss                        Fix security issues [CVE-2019-11719
                             CVE-2019-11727 CVE-2019-11729]

  nx-libs                    Fix a number of memory leaks

  open-infrastructure        Fix container start

  open-vm-tools              Correctly handle OS versions of "X", rather
                             than "X.Y"

  openldap                   Security fixes

  osinfo-db                  Add buster 10.0 information; fix URLs for
                             stretch download; fix the name of the parameter
                             used to set the fullname when generating a
                             preseed file

  osmpbf                     Rebuild with protobuf 3.6.1

  pam-u2f                    Fix insecure debug file handling
                             [CVE-2019-12209]; fix debug file descriptor
                             leak [CVE-2019-12210]; fix out-of-bounds
                             access; fix segfault following a failure to
                             allocate a buffer

  passwordsafe               Install localisation files in correct directory

  piuparts                   Update configurations for the buster release;
                             fix spurious failure to remove packages with
                             names ending with '+'; generate separate
                             tarball names for --merged-usr chroots

  postgresql-common          Fix "pg_upgradecluster from postgresql-common
                             200, 200+deb10u1, 201, and 202 will corrupt the
                             data_directory setting when used *twice* to
                             upgrade a cluster (e.g. 9.6 -> 10 -> 11)"

  pulseaudio                 Fix mute state restoring

  puppet-module-cinder       Fix attempts to write to /etc/init

  python-autobahn            Fix pyqrcode build dependencies

  python-django              New upstream security release [CVE-2019-12781]

  raspi3-firmware            Add support for Raspberry Pi Compute Module 3
                             (CM3), Raspberry Pi Compute Module 3 Lite and
                             Raspberry Pi Compute Module IO Board V3

  reportbug                  Update release names, following Buster release;
                             re-enable stretch-pu requests; fix crashes with
                             package / version lookup; add missing
                             dependency on sensible-utils

  ruby-airbrussh             Don't throw exception on invalid UTF-8 SSH

  sdl-image1.2               Fix buffer overflows [CVE-2019-5052
                             CVE-2019-7635], out-of-bounds access
                             [CVE-2019-12216 CVE-2019-12217 CVE-2019-12218
                             CVE-2019-12219 CVE-2019-12220 CVE-2019-12221
                             CVE-2019-12222 CVE-2019-5051]

  sendmail                   sendmail-bin.postinst, initscript: Let start-
                             stop-daemon match on pidfile and executable;
                             sendmail-bin.prerm: Stop sendmail before
                             removing the alternatives

  slirp4netns                New upstream stable release with security fixes
                             - check sscanf result when emulating ident
                             [CVE-2019-9824]; fixes heap overflow in
                             included libslirp [CVE-2019-14378]

  systemd                    Network: Fix failure to bring up interface with
                             Linux kernel 5.2; ask-password: Prevent buffer
                             overflow when reading from keyring; network:
                             Behave more gracefully when IPv6 has been

  tzdata                     New upstream release

  unzip                      Fix zip bomb issues [CVE-2019-13232]

  usb.ids                    Routine update of USB IDs

  warzone2100                Fix a segmentation fault when hosting a
                             multiplayer game

  webkit2gtk                 New upstream stable version; stop requiring
                             SSE2-capable CPUs

  win32-loader               Rebuild against current packages, particularly
                             debian-archive-keyring; fix build failure by
                             enforcing a POSIX locale

  xymon                      Fix several (server only) security issues
                             [CVE-2019-13273 CVE-2019-13274 CVE-2019-13451
                             CVE-2019-13452 CVE-2019-13455 CVE-2019-13484
                             CVE-2019-13485 CVE-2019-13486]

  yubikey-personalization    Backport additional security precautions

  z3                         Do not set the SONAME of libz3java.so to
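
The glib2.0 entry above (CVE-2019-13012) is about a settings backend creating
~/.config and its files with permissions that were wider than intended. The
following is an added example, not glib's own code, of how a program can
create a per-user settings file so that only the owner can read it, tighten a
pre-existing file that was created too permissively, and refuse a symlink
planted where the settings file is expected. The 0700/0600 modes and the
`demo()` layout (a temporary directory, a `conf/settings.ini` file and a
`victim.txt` target) are this example's assumptions.

```python
import os
import stat
import tempfile

# Modes are this example's choice: owner-only directory and file.
DIR_MODE = 0o700
FILE_MODE = 0o600


def open_private_file(path: str) -> int:
    """Create or open `path` so that only the owner can read it.

    Returns an open read-write file descriptor. The parent directory is
    opened with O_NOFOLLOW and the final component is opened relative to
    that directory fd, also with O_NOFOLLOW, so a symlink planted at either
    level is refused (ELOOP) rather than followed. Modes are fixed with
    fchmod on the open descriptors, never via the path.
    """
    parent = os.path.dirname(path) or "."
    name = os.path.basename(path)
    if not name:
        raise ValueError("path must name a file")
    os.makedirs(parent, mode=DIR_MODE, exist_ok=True)
    dir_fd = os.open(parent, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        os.fchmod(dir_fd, DIR_MODE)          # tighten an existing directory too
        fd = os.open(
            name,
            os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW | os.O_CLOEXEC,
            FILE_MODE,
            dir_fd=dir_fd,
        )
    finally:
        os.close(dir_fd)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise OSError(f"{path!r} is not a regular file")
        # O_CREAT applies the mode only to a new file; a pre-existing
        # world-readable file is tightened here.
        if stat.S_IMODE(st.st_mode) != FILE_MODE:
            os.fchmod(fd, FILE_MODE)
    except BaseException:
        os.close(fd)
        raise
    return fd


def file_mode(path: str) -> int:
    """Permission bits of `path`, not following a final symlink."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo() -> dict:
    """Exercise the three cases in a scratch directory (constructed input)."""
    base = tempfile.mkdtemp()
    cfg = os.path.join(base, "conf", "settings.ini")
    os.close(open_private_file(cfg))
    new_mode, dir_mode = file_mode(cfg), file_mode(os.path.dirname(cfg))

    os.chmod(cfg, 0o644)                     # simulate an over-permissive file
    os.close(open_private_file(cfg))
    tightened_mode = file_mode(cfg)

    victim = os.path.join(base, "victim.txt")
    with open(victim, "w") as f:
        f.write("not yours\n")
    before = file_mode(victim)
    link = os.path.join(base, "conf", "link.ini")
    os.symlink(victim, link)                 # attacker-planted symlink
    try:
        os.close(open_private_file(link))
        refused = False
    except OSError:
        refused = True
    return {
        "new_mode": new_mode,
        "dir_mode": dir_mode,
        "tightened_mode": tightened_mode,
        "symlink_refused": refused,
        "victim_mode_unchanged": file_mode(victim) == before,
    }


if __name__ == "__main__":
    print(demo())
```

The point of going through a directory descriptor is that both the directory
and the file are opened by the same process that later trusts them; checking a
path with stat() and then opening it would leave a window for swapping in a
link.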

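Two entries in the table above concern the same class of input: clamav adds a
scan time limit against zip bombs (CVE-2019-12625) and unzip fixes its handling
of zip bombs (CVE-2019-13232). The bomb that does not rely on nested archives
works by writing one compressed stream and then listing it many times in the
central directory, so that the sum of the claimed uncompressed sizes is vastly
larger than the archive. The following is an added example, not clamav's or
unzip's code, of detecting that shape from the central directory alone, without
inflating anything: it looks for entries whose local header and compressed data
overlap another entry's, and for a claimed uncompressed total far beyond the
archive size. The `MAX_RATIO` threshold is an assumption for the example, and
both archives it checks are constructed inline (`make_benign_zip`,
`make_overlapping_zip`).

```python
import io
import struct
import zipfile
import zlib

# Threshold is this example's assumption, not a limit clamav or unzip use.
MAX_RATIO = 100.0            # claimed uncompressed bytes per byte of archive
LOCAL_HEADER_FIXED = 30      # fixed part of a local file header
LOCAL_SIG = b"PK\x03\x04"


def audit_zip(data: bytes) -> dict:
    """Flag a non-recursive zip bomb using only the central directory."""
    infos = zipfile.ZipFile(io.BytesIO(data)).infolist()
    infos.sort(key=lambda i: i.header_offset)
    overlaps, bad_headers = [], []
    far_name, far_end = None, -1          # entry reaching furthest so far
    for info in infos:
        start = info.header_offset
        if data[start:start + 4] != LOCAL_SIG:
            bad_headers.append(info.filename)
            continue
        # Name/extra lengths are taken from the on-disk local header, which
        # need not match the central-directory copy.
        name_len, extra_len = struct.unpack("<HH", data[start + 26:start + 30])
        end = start + LOCAL_HEADER_FIXED + name_len + extra_len + info.compress_size
        if start < far_end:
            overlaps.append((far_name, info.filename))
        if end > far_end:
            far_name, far_end = info.filename, end
    claimed = sum(i.file_size for i in infos)
    ratio = claimed / max(len(data), 1)
    return {
        "entries": len(infos),
        "claimed_uncompressed": claimed,
        "ratio": ratio,
        "overlaps": overlaps,
        "bad_headers": bad_headers,
        "suspicious": bool(overlaps or bad_headers) or ratio > MAX_RATIO,
    }


def _raw_deflate(payload: bytes) -> bytes:
    c = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw deflate, as inside zip
    return c.compress(payload) + c.flush()


def make_benign_zip() -> bytes:
    """Constructed sample: an ordinary two-file archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", b"point release testing\n" * 40)
        zf.writestr("hosts.txt", b"mirror.example\n" * 40)
    return buf.getvalue()


def make_overlapping_zip(copies: int = 50, payload_len: int = 1 << 20) -> bytes:
    """Constructed sample of the overlapping technique: one deflate stream at
    offset 0, referenced by `copies` central-directory entries."""
    payload = bytes(payload_len)
    comp = _raw_deflate(payload)
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    name = b"0.bin"
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 0, 8, 0, 0x21,
                        crc, len(comp), len(payload), len(name), 0) + name + comp
    cd = b"".join(
        struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 0, 8, 0, 0x21,
                    crc, len(comp), len(payload), len(n), 0, 0, 0, 0, 0, 0) + n
        for n in (f"{i}.bin".encode() for i in range(copies))
    )
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, copies, copies,
                       len(cd), len(local), 0)
    return local + cd + eocd


if __name__ == "__main__":
    for label, blob in (("benign", make_benign_zip()),
                        ("overlapping", make_overlapping_zip())):
        print(label, audit_zip(blob))
```

The ratio check on its own is not a proof of malice (a large file of zeros
compresses very well legitimately), which is why the overlap test is the
primary signal and the ratio is only a second indicator; a scanner that inflates
entries would additionally cap time and output size, as the clamav entry
describes.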
A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:


Removed packages

The following packages will be removed due to circumstances beyond our

  Package                    Reason
  -------                    ------

  pump                       Unmaintained; security issues

  rustc                      Remove outdated rust-doc cruft

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".

