----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 167-1        https://www.debian.org/
debian-release@lists.debian.org                             Adam D. Barratt
September 3rd, 2019
----------------------------------------------------------------------------

Upcoming Debian 10 Update (10.1)

An update to Debian 10 is scheduled for Saturday, September 7th, 2019. As of
now it will include the following bug fixes. They can be found in
"buster-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "buster-updates".

Testing and feedback would be appreciated. Bugs should be filed in the Debian
Bug Tracking System, but please make the Release Team aware of them by
copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package                   Reason
-------                   ------
acme-tiny                 Handle upcoming ACME protocol change
android-sdk-meta          New upstream release; fix regex for adding Debian
                          version to binary packages
apt-setup                 Stop using apt-key to add local repository keys
asterisk                  Fix buffer overflow in res_pjsip_messaging
                          [AST-2019-002 / CVE-2019-12827]; fix remote Crash
                          Vulnerability in chan_sip [AST-2019-003 /
                          CVE-2019-13161]
babeltrace                Bump ctf symbols depends to post merge version
backup-manager            Fix purging of remote archives via FTP or SSH
base-files                Update for the point release
basez                     Properly decode base64url encoded strings
bro                       Security fixes [CVE-2018-16807 CVE-2018-17019]
bzip2                     Fix regression uncompressing some files
cacti                     Fix some issues upgrading from the version in
                          stretch
calamares-settings-debian Fix permissions for initramfs image when full-disk
                          encryption is enabled
ceph                      Rebuild against new libbabeltrace
clamav                    Prevent extraction of non-recursive zip bombs; new
                          upstream stable release with security fixes - add
                          scan time limit to mitigate against zip-bombs
                          [CVE-2019-12625]; fix out-of-bounds write within
                          the NSIS bzip2 library [CVE-2019-12900]
cloudkitty                Fix build failures with updated SQLAlchemy
console-setup             Fix internationalization issues when switching
                          locales with Perl >= 5.28
cryptsetup                Fix support for LUKS2 headers without any bound
                          keyslot; fix mapped segments overflow on 32-bit
                          architectures
cups                      Fix multiple security/disclosure issues - SNMP
                          buffer overflows [CVE-2019-8696 CVE-2019-8675],
                          IPP buffer overflow, Denial of Service and memory
                          disclosure issues in the scheduler
dbconfig-common           Fix issue caused by change in bash POSIX behaviour
debian-edu-config         Use PXE option 'ipappend 2' for LTSP client boot;
                          fix sudo-ldap configuration; fix loss of
                          dynamically allocated v4 IP address; several fixes
                          and improvements to
                          debian-edu-config.fetch-ldap-cert
debian-edu-doc            Update Debian Edu Buster and ITIL manuals and
                          translations
dehydrated                Fix fetching of account information; followup
                          fixes for account ID handling and APIv1
                          compatibility
devscripts                Debchange: target buster-backports with --bpo
dma                       Don't limit TLS connections to TLS1.0
dpdk                      New upstream stable release
dput-ng                   Add buster-backports and stretch-backports-sloppy
                          codenames
e2fsprogs                 Fix e4defrag crashes on 32-bit architectures
enigmail                  New upstream release; security fixes
                          [CVE-2019-12269]
epiphany-browser          Ensure that the web extension loads our bundled
                          copy of libdazzle
erlang-p1-pkix            Fix handling of GnuTLS certificates
facter                    Fix parsing of Linux route non-kv flags (e.g.
                          onlink)
fdroidserver              New upstream release
fig2dev                   Do not segfault on circle/half circle arrowheads
                          with a magnification larger than 42
                          [CVE-2019-14275]
firmware-nonfree          Atheros: Add Qualcomm Atheros QCA9377 rev 1.0
                          firmware version WLAN.TF.2.1-00021-QCARMSWP-1;
                          realtek: Add Realtek RTL8822CU Bluetooth firmware;
                          atheros: Revert change of QCA9377 rev 1.0 firmware
                          in 20180518-1; misc-nonfree: add firmware for
                          MediaTek MT76x0/MT76x2u wireless chips, MediaTek
                          MT7622/MT7668 bluetooth chips, GV100 signed
                          firmware
freeorion                 Fix crash when loading or saving game data
fuse-emulator             Prefer the X11 backend over the Wayland one; show
                          the Fuse icon on the GTK window and About dialog
fusiondirectory           Stricter checks on LDAP lookups; fix missing
                          dependency on php-xml
gcab                      Fix corruption when extracting
gdb                       Rebuild against new libbabeltrace
glib2.0                   Make GKeyFile settings backend create ~/.config
                          and configuration files with restrictive
                          permissions [CVE-2019-13012]
gnome-bluetooth           Avoid GNOME Shell crashes when
                          gnome-shell-extension-bluetooth-quick-connect is
                          used
gnome-control-center      Fix crash when the Details -> Overview
                          (info-overview) panel is selected; fix memory
                          leaks in Universal Access panel; fix a regression
                          that caused the Universal Access -> Zoom mouse
                          tracking options to have no effect; updated
                          Icelandic and Japanese translations
gnupg2                    Backport many bug fixes and stability patches from
                          upstream; use keys.openpgp.org as the default
                          keyserver; only import self-signatures by default
gnuplot                   Fix incomplete/unsafe initialization of ARGV array
gosa                      Stricter checks on LDAP lookups
hfst                      Ensure smoother upgrades from stretch
initramfs-tools           Disable resume when there are no suitable swap
                          devices; MODULES=most: include all keyboard driver
                          modules, cros_ec_spi and SPI drivers,
                          extcon-usbc-cros-ec; MODULES=dep: include extcon
                          drivers
jython                    Preserve backward compatibility with Java 7
lacme                     Update for removal of unauthenticated GET support
                          from the Let's Encrypt ACMEv2 API
libblockdev               Use existing cryptsetup API for changing keyslot
                          passphrase
libdatetime-timezone-perl Update included data
libjavascript-beautifier-perl
                          Add missing "=>" operator
libsdl2-image             Fix buffer overflows [CVE-2019-5058 CVE-2019-5052
                          CVE-2019-7635]; fix out of bounds access in PCX
                          handling [CVE-2019-12216 CVE-2019-12217
                          CVE-2019-12218 CVE-2019-12219 CVE-2019-12220
                          CVE-2019-12221 CVE-2019-12222 CVE-2019-5051]
libtk-img                 Stop using internal copies of Jpeg, Zlib and
                          PixarLog codecs, fixing crashes
libxslt                   Fix security framework bypass [CVE-2019-11068],
                          uninitialized read of xsl:number token
                          [CVE-2019-13117] and uninitialized read with UTF-8
                          grouping chars [CVE-2019-13118]
linux                     New upstream stable release
linux-latest              Update for 4.19.0-6 kernel ABI
linux-signed-amd64        New upstream stable release
linux-signed-arm64        New upstream stable release
linux-signed-i386         New upstream stable release
lttv                      Rebuild against new libbabeltrace
mapproxy                  Fix WMS Capabilities with Python 3.7
mariadb-10.3              New upstream stable release; security fixes
                          [CVE-2019-2737 CVE-2019-2739 CVE-2019-2740
                          CVE-2019-2758 CVE-2019-2805]; fix segfault on
                          'information_schema' access; rename 'mariadbcheck'
                          to 'mariadb-check'
musescore                 Disable webkit functionality
ncbi-tools6               Repackage without non-free data/UniVec.*; fix
                          test-suite to handle UniVec removal
ncurses                   Remove "rep" from xterm-new and derived terminfo
                          descriptions
netdata                   Remove Google Analytics from generated
                          documentation; opt out of sending anonymous
                          statistics; remove "sign in" button
newsboat                  Fix use after free issue
nextcloud-desktop         Add missing dependency on nextcloud-desktop-common
                          to nextcloud-desktop-cmd
node-lodash               Fix prototype pollution [CVE-2019-10744]
node-mixin-deep           Fix prototype pollution issue
nss                       Fix security issues [CVE-2019-11719
                          CVE-2019-11727 CVE-2019-11729]
nx-libs                   Fix a number of memory leaks
open-infrastructure-compute-tools
                          Fix container start
open-vm-tools             Correctly handle OS versions of "X", rather than
                          "X.Y"
openldap                  Security fixes
osinfo-db                 Add buster 10.0 information; fix URLs for stretch
                          download; fix the name of the parameter used to
                          set the fullname when generating a preseed file
osmpbf                    Rebuild with protobuf 3.6.1
pam-u2f                   Fix insecure debug file handling [CVE-2019-12209];
                          fix debug file descriptor leak [CVE-2019-12210];
                          fix out-of-bounds access; fix segfault following a
                          failure to allocate a buffer
passwordsafe              Install localisation files in correct directory
piuparts                  Update configurations for the buster release; fix
                          spurious failure to remove packages with names
                          ending with '+'; generate separate tarball names
                          for --merged-usr chroots
postgresql-common         Fix "pg_upgradecluster from postgresql-common 200,
                          200+deb10u1, 201, and 202 will corrupt the
                          data_directory setting when used *twice* to
                          upgrade a cluster (e.g. 9.6 -> 10 -> 11)"
pulseaudio                Fix mute state restoring
puppet-module-cinder      Fix attempts to write to /etc/init
python-autobahn           Fix pyqrcode build dependencies
python-django             New upstream security release [CVE-2019-12781]
raspi3-firmware           Add support for Raspberry Pi Compute Module 3
                          (CM3), Raspberry Pi Compute Module 3 Lite and
                          Raspberry Pi Compute Module IO Board V3
reportbug                 Update release names, following Buster release;
                          re-enable stretch-pu requests; fix crashes with
                          package / version lookup; add missing dependency
                          on sensible-utils
ruby-airbrussh            Don't throw exception on invalid UTF-8 SSH output
sdl-image1.2              Fix buffer overflows [CVE-2019-5052
                          CVE-2019-7635], out-of-bounds access
                          [CVE-2019-12216 CVE-2019-12217 CVE-2019-12218
                          CVE-2019-12219 CVE-2019-12220 CVE-2019-12221
                          CVE-2019-12222 CVE-2019-5051]
sendmail                  Sendmail-bin.postinst, initscript: Let
                          start-stop-daemon match on pidfile and executable;
                          sendmail-bin.prerm: Stop sendmail before removing
                          the alternatives
slirp4netns               New upstream stable release with security fixes -
                          check sscanf result when emulating ident
                          [CVE-2019-9824]; fixes heap overflow in included
                          libslirp [CVE-2019-14378]
systemd                   Network: Fix failure to bring up interface with
                          Linux kernel 5.2; ask-password: Prevent buffer
                          overflow when reading from keyring; network:
                          Behave more gracefully when IPv6 has been disabled
tzdata                    New upstream release
unzip                     Fix zip bomb issues [CVE-2019-13232]
usb.ids                   Routine update of USB IDs
warzone2100               Fix a segmentation fault when hosting a
                          multiplayer game
webkit2gtk                New upstream stable version; stop requiring
                          SSE2-capable CPUs
win32-loader              Rebuild against current packages, particularly
                          debian-archive-keyring; fix build failure by
                          enforcing a POSIX locale
xymon                     Fix several (server only) security issues
                          [CVE-2019-13273 CVE-2019-13274 CVE-2019-13451
                          CVE-2019-13452 CVE-2019-13455 CVE-2019-13484
                          CVE-2019-13485 CVE-2019-13486]
yubikey-personalization   Backport additional security precautions
z3                        Do not set the SONAME of libz3java.so to
                          libz3.so.4

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

<https://release.debian.org/proposed-updates/stable.html>

Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                   Reason
-------                   ------
pump                      Unmaintained; security issues
rustc                     Remove outdated rust-doc cruft

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".