
[SUA 175-1] Upcoming Debian 10 Update (10.2)



----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 175-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
November 11th, 2019
----------------------------------------------------------------------------

Upcoming Debian 10 Update (10.2)

An update to Debian 10 is scheduled for Saturday, November 16th, 2019. As of
now it will include the following bug fixes. They can be found in "buster-
proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "buster-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

  Package                    Reason
  -------                    ------

  aegisub                    Fix crash when selecting a language from the
                             bottom of the "Spell checker language" list;
                             fix crash when right-clicking in the subtitles
                             text box

  akonadi                    Fix various crashes / deadlock issues

  base-files                 Update /etc/debian_version for the point
                             release

  capistrano                 Fix failure to remove old releases when there
                             were too many

  cron                       Stop using obsolete SELinux API

  cyrus-imapd                Fix data loss on upgrade from version 3.0.0 or
                             earlier

  debian-edu-config          Handle newer Firefox ESR configuration files;
                             add post-up stanza to /etc/network/interfaces
                             eth0 entry conditionally

  distro-info-data           Add Ubuntu 20.04 LTS, Focal Fossa

  dkimpy-milter              New upstream stable release; fix sysvinit
                             support; catch more ASCII encoding errors to
                             improve resilience against bad data; fix
                             message extraction so that signing in the same
                             pass through the milter as verifying works
                             correctly

  emacs                      Update the ELPA packaging key

  fence-agents               Fix incomplete removal of fence_amt_ws

  flatpak                    New upstream stable release

  flightcrew                 Security fixes [CVE-2019-13032 CVE-2019-13241]

  fonts-noto-cjk             Fix over-aggressive font selection of Noto CJK
                             fonts in modern web browsers under Chinese
                             locale

  freetype                   Properly handle phantom points for variable
                             hinted fonts

  gdb                        Rebuild against new libbabeltrace, with higher
                             version number to avoid conflict with earlier
                             upload

  glib2.0                    Ensure libdbus clients can authenticate with a
                             GDBusServer like the one in ibus

  gnome-shell                New upstream stable release; fix truncation of
                             long messages in Shell-modal dialogs; avoid
                             crash on reallocation of dead actors

  gnome-sound-recorder       Fix crash when selecting a recording

  gnustep-base               Disable gdomap daemon that was accidentally
                             enabled on upgrades from stretch

  graphite-web               Remove unused "send_email" function
                             [CVE-2017-18638]; avoid hourly error from cron
                             when there is no whisper database

  inn2                       Fix negotiation of DHE ciphersuites

  libapache-mod-auth-kerb    Fix use after free bug leading to crash

  libdate-holidays-de-perl   Mark International Children's Day (Sep 20th) as
                             a holiday in Thuringia from 2019 onwards

  libdatetime-timezone-perl  Update included data

  libofx                     Fix null pointer dereference issue
                             [CVE-2019-9656]

  libreoffice                Fix the postgresql driver with PostgreSQL 12

  libsixel                   Fix several security issues [CVE-2018-19756
                             CVE-2018-19757 CVE-2018-19759 CVE-2018-19761
                             CVE-2018-19762 CVE-2018-19763 CVE-2019-3573
                             CVE-2019-3574]

  libxslt                    Fix dangling pointer in xsltCopyText
                             [CVE-2019-18197]

  lucene-solr                Disable obsolete call to ContextHandler in
                             solr-jetty9.xml; fix Jetty permissions on SOLR
                             index

  mariadb-10.3               New upstream stable release

  modsecurity-crs            Fix PHP script upload rules [CVE-2019-13464]

  mutter                     New upstream stable release

  ncurses                    Fix several security issues [CVE-2019-17594
                             CVE-2019-17595] and other issues in tic

  ndppd                      Avoid world-writable PID file, which was
                             breaking daemon init scripts

  network-manager            Fix file permissions for
                             "/var/lib/NetworkManager/secret_key" and
                             /var/lib/NetworkManager

  node-fstream               Fix arbitrary file overwrite issue
                             [CVE-2019-13173]

  node-set-value             Fix prototype pollution [CVE-2019-10747]

  node-yarnpkg               Force using HTTPS for regular registries

  nx-libs                    Fix regressions introduced in previous upload,
                             affecting x2go

  open-vm-tools              Fix memory leaks and error handling

  openvswitch                Update debian/ifupdown.sh to allow setting-up
                             the MTU; fix Python dependencies to use Python
                             3

  picard                     Update translations to fix crash with Spanish
                             locale

  plasma-applet-redshift-    Fix manual mode when used with redshift
    control                  versions above 1.12

  postfix                    New upstream stable release; work around poor
                             TCP loopback performance

  python-cryptography        Fix test suite failures when built against
                             newer OpenSSL versions; fix a memory leak
                             triggerable when parsing x509 certificate
                             extensions like AIA

  python-flask-rdf           Add Depends on python{3,}-rdflib

  python-oslo.messaging      New upstream stable release; fix switch
                             connection destination when a rabbitmq cluster
                             node disappears

  python-werkzeug            Ensure Docker containers have unique debugger
                             PINs [CVE-2019-14806]

  python2.7                  Fix several security issues [CVE-2018-20852
                             CVE-2019-10160 CVE-2019-16056 CVE-2019-16935
                             CVE-2019-9740 CVE-2019-9947]

  quota                      Fix rpc.rquotad spinning at 100% CPU

  rpcbind                    Allow remote calls to be enabled at run-time

  shelldap                   Repair SASL authentications, add a 'sasluser'
                             option

  sogo                       Fix display of PGP-signed e-mails

  spf-engine                 New upstream stable release; fix sysvinit
                             support

  standardskriver            Fix deprecation warning from
                             config.RawConfigParser; use external "ip"
                             command rather than deprecated "ifconfig"
                             command

  swi-prolog                 Use HTTPS when contacting upstream pack servers

  systemd                    core: never propagate reload failure to service
                             result; fix sync_file_range failures in nspawn
                             containers on arm, ppc; fix RootDirectory not
                             working when used in combination with User;
                             ensure that access controls on systemd-
                             resolved's D-Bus interface are enforced
                             correctly [CVE-2019-15718]; fix
                             StopWhenUnneeded=true for mount units; make
                             MountFlags=shared work again

  tmpreaper                  Add `--protect '/tmp/systemd-private*/*'` to
                             cron job to prevent breaking systemd services
                             that have PrivateTmp=true

  trapperkeeper-webserver-   Restore SSL compatibility with newer Jetty
    jetty9-clojure

  tzdata                     New upstream release

  ublock-origin              New upstream version, compatible with Firefox
                             ESR68

  uim                        Resurrect libuim-data as a transitional
                             package, fixing some issues after upgrade to
                             buster

  vanguards                  New upstream stable release; prevent a reload
                             of tor's configuration via SIGHUP causing a
                             denial-of-service for vanguards protections


A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".

Attachment: signature.asc
Description: This is a digitally signed message part

