---------------------------------------------------------------------------- Debian Stable Updates Announcement SUA 175-1 https://www.debian.org/ debian-release@lists.debian.org Adam D. Barratt November 11th, 2019 ---------------------------------------------------------------------------- Upcoming Debian 10 Update (10.2) An update to Debian 10 is scheduled for Saturday, November 16th, 2019. As of now it will include the following bug fixes. They can be found in "buster- proposed-updates", which is carried by all official mirrors. Please note that packages published through security.debian.org are not listed, but will be included if possible. Some of the updates below are also already available through "buster-updates". Testing and feedback would be appreciated. Bugs should be filed in the Debian Bug Tracking System, but please make the Release Team aware of them by copying "debian-release@lists.debian.org" on your mails. The point release will also include a rebuild of debian-installer. Miscellaneous Bugfixes ---------------------- This stable update adds a few important corrections to the following packages: Package Reason ------- ------ aegisub Fix crash when selecting a language from the bottom of the "Spell checker language" list; fix crash when right-clicking in the subtitles text box akonadi Fix various crashes / deadlock issues base-files Update /etc/debian_version for the point release capistrano Fix failure to remove old releases when there were too many cron Stop using obsolete SELinux API cyrus-imapd Fix data loss on upgrade from version 3.0.0 or earlier debian-edu-config Handle newer Firefox ESR configuration files; add post-up stanza to /etc/network/interfaces eth0 entry conditionally distro-info-data Add Ubuntu 20.04 LTS, Focal Fossa dkimpy-milter New upstream stable release; fix sysvinit support; catch more ASCII encoding errors to improve resilience against bad data; fix message extraction so that signing in the same pass through the milter as verifying works correctly emacs Update the EPLA packaging key fence-agents Fix incomplete removal of fence_amt_ws flatpak New upstream stable release flightcrew Security fixes [CVE-2019-13032 CVE-2019-13241] fonts-noto-cjk Fix over-aggressive font selection of Noto CJK fonts in modern web browsers under Chinese locale freetype Properly handle phantom points for variable hinted fonts gdb Rebuild against new libbabeltrace, with higher version number to avoid conflict with earlier upload glib2.0 Ensure libdbus clients can authenticate with a GDBusServer like the one in ibus gnome-shell New upstream stable release; fix truncation of long messages in Shell-modal dialogs; avoid crash on reallocation of dead actors gnome-sound-recorder Fix crash when selecting a recording gnustep-base Disable gdomap daemon that was accidentally enabled on upgrades from stretch graphite-web Remove unused "send_email" function [CVE-2017-18638]; avoid hourly error from cron when there is no whisper database inn2 Fix negotiation of DHE ciphersuites libapache-mod-auth-kerb Fix use after free bug leading to crash libdate-holidays-de-perl Mark International Childrens Day (Sep 20th) as a holiday in Thuringia from 2019 onwards libdatetime-timezone-perl Update included data libofx Fix null pointer dereference issue [CVE-2019-9656] libreoffice Fix the postgresql driver with PostgreSQL 12 libsixel Fix several security issues [CVE-2018-19756 CVE-2018-19757 CVE-2018-19759 CVE-2018-19761 CVE-2018-19762 CVE-2018-19763 CVE-2019-3573 CVE-2019-3574] libxslt Fix dangling pointer in xsltCopyText [CVE-2019-18197] lucene-solr Disable obsolete call to ContextHandler in solr-jetty9.xml; fix Jetty permissions on SOLR index mariadb-10.3 New upstream stable release modsecurity-crs Fix PHP script upload rules [CVE-2019-13464] mutter New upstream stable release ncurses Fix several security issues [CVE-2019-17594 CVE-2019-17595] and other issues in tic ndppd Avoid world writable PID file, that was breaking daemon init scripts network-manager Fix file permissions for "/var/lib/NetworkManager/secret_key" and /var/lib/NetworkManager node-fstream Fix arbitrary file overwrite issue [CVE-2019-13173] node-set-value Fix prototype pollution [CVE-2019-10747] node-yarnpkg Force using HTTPS for regular registries nx-libs Fix regressions introduced in previous upload, affecting x2go open-vm-tools Fix memory leaks and error handling openvswitch Update debian/ifupdown.sh to allow setting-up the MTU; fix Python dependencies to use Python 3 picard Update translations to fix crash with Spanish locale plasma-applet-redshift- Fix manual mode when used with redshift control versions above 1.12 postfix New upstream stable release; work around poor TCP loopback performance python-cryptography Fix test suite failures when built against newer OpenSSL versions; fix a memory leak triggerable when parsing x509 certificate extensions like AIA python-flask-rdf Add Depends on python{3,}-rdflib python-oslo.messaging New upstream stable release; fix switch connection destination when a rabbitmq cluster node disappears python-werkzeug Ensure Docker containers have unique debugger PINs [CVE-2019-14806] python2.7 Fix several security issues [CVE-2018-20852 CVE-2019-10160 CVE-2019-16056 CVE-2019-16935 CVE-2019-9740 CVE-2019-9947] quota Fix rpc.rquotad spinning at 100% CPU rpcbind Allow remote calls to be enabled at run-time shelldap Repair SASL authentications, add a 'sasluser' option sogo Fix display of PGP-signed e-mails spf-engine New upstream stable release; fix sysvinit support standardskriver Fix deprecation warning from config.RawConfigParser; use external "ip" command rather than deprecated "ifconfig" command swi-prolog Use HTTPS when contacting upstream pack servers systemd core: never propagate reload failure to service result; fix sync_file_range failures in nspawn containers on arm, ppc; fix RootDirectory not working when used in combination with User; ensure that access controls on systemd- resolved's D-Bus interface are enforced correctly [CVE-2019-15718]; fix StopWhenUnneeded=true for mount units; make MountFlags=shared work again tmpreaper Add `--protect '/tmp/systemd-private*/*'` to cron job to prevent breaking systemd services that have PrivateTmp=true trapperkeeper-webserver- Restore SSL compatibility with newer Jetty jetty9-clojure tzdata New upstream release ublock-origin New upstream version, compatible with Firefox ESR68 uim Resurrect libuim-data as a transitional package, fixing some issues after upgrade to buster vanguards New upstream stable release; prevent a reload of tor's configuration via SIGHUP causing a denial-of-service for vanguards protections A complete list of all accepted and rejected packages together with rationale is on the preparation page for this revision: <https://release.debian.org/proposed-updates/stable.html> If you encounter any issues, please don't hesitate to get in touch with the Debian Release Team at "debian-release@lists.debian.org".
Attachment:
signature.asc
Description: This is a digitally signed message part