----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 177-1            https://www.debian.org/
debian-release@lists.debian.org                                Adam D. Barratt
February 3rd, 2020
----------------------------------------------------------------------------

Upcoming Debian 10 Update (10.3)

An update to Debian 10 is scheduled for Saturday, February 8th, 2020. As of
now it will include the following bug fixes. They can be found in
"buster-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "buster-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package                      Reason
-------                      ------
alot                         Remove expiration time from test suite keys, fixing build failure
atril                        Fix segfault when no document is loaded; fix read of uninitialised memory [CVE-2019-11459]
base-files                   Update for the point release
beagle                       Provide wrapper script instead of symlinks to JARs, making them work again
bgpdump                      Fix segmentation fault
boost1.67                    Fix undefined behaviour leading to crashing libboost-numpy
brightd                      Actually compare the value read out of /sys/class/power_supply/AC/online with '0'
casacore-data-jplde          Include tables up to 2040
clamav                       New upstream release; fix denial of service issue [CVE-2019-15961]; remove ScanOnAccess option, replacing with clamonacc
compactheader                New upstream release compatible with Thunderbird 68
console-common               Fix regression that led to files not being included
csh                          Fix segfault on eval
cups                         Fix memory leak in ppdOpen; fix validation of default language in ippSetValuetag [CVE-2019-2228]
cyrus-imapd                  Add BACKUP type to cyrus-upgrade-db, fixing upgrade issues
debian-edu-config            Keep proxy settings on client if wpad is unreachable
debian-security-support      Update security support status of several packages
debos                        Rebuild against updated golang-github-go-debos-fakemachine
dispmua                      New upstream release compatible with Thunderbird 68
dkimpy                       New upstream stable release
dkimpy-milter                Fix privilege management at startup so Unix sockets work
dpdk                         New upstream stable release
e2fsprogs                    Fix potential stack underflow in e2fsck [CVE-2019-5188]; fix use after free in e2fsck
fig2dev                      Allow Fig v2 text strings ending with multiple ^A [CVE-2019-19555]; reject huge arrow types causing integer overflow [CVE-2019-19746]; fix several crashes [CVE-2019-19797]
freerdp2                     Fix realloc return handling [CVE-2019-17177]
freetds                      Tds: Make sure UDT has varint set to 8 [CVE-2019-13508]
git-lfs                      Fix build issues with newer Go versions
gnubg                        Increase the size of static buffers used to build messages during program start so that the Spanish translation doesn't overflow a buffer
gnutls28                     Fix interop problems with gnutls 2.x; fix parsing of certificates using RegisteredID
gtk2-engines-murrine         Fix co-installability with other themes
guile-2.2                    Fix build failure
libburn                      Fix "cdrskin multi-track burning was slow and stalled after track 1"
libcgns                      Fix build failure on ppc64el
libimobiledevice             Properly handle partial SSL writes
libmatroska                  Bump shared library dependency to 1.4.7 since that version introduced new symbols
libmysofa                    Security fixes [CVE-2019-16091 CVE-2019-16092 CVE-2019-16093 CVE-2019-16094 CVE-2019-16095]
libole-storage-lite-perl     Fix interpretation of years from 2020 onwards
libparse-win32registry-perl  Fix interpretation of years from 2020 onwards
libperl4-corelibs-perl       Fix interpretation of years from 2020 onwards
libsolv                      Fix heap buffer overflow [CVE-2019-20387]
libspreadsheet-wright-perl   Fix previously unusable OpenDocument spreadsheets and passing of JSON formatting options
libtimedate-perl             Fix interpretation of years from 2020 onwards
libvirt                      apparmor: Allow one to run pygrub; don't render osxsave, ospke into QEMU command line; this helps newer QEMU with some configs generated by virt-install
libvncserver                 rfbserver: don't leak stack memory to the remote [CVE-2019-15681]; resolve a freeze during connection closure and a segmentation fault on multi-threaded VNC servers; fix issue connecting to VMWare servers; fix crashing of x11vnc when vncviewer connects
limnoria                     Fix remote information disclosure and possibly remote code execution in the Math plugin [CVE-2019-19010]
linux                        New upstream stable version; new upstream stable release
linux-latest                 Update for -8 kernel ABI
linux-signed-amd64           New upstream stable release
linux-signed-arm64           New upstream stable release
linux-signed-i386            New upstream stable release
mariadb-10.3                 New upstream stable release [CVE-2019-2938 CVE-2019-2974 CVE-2020-2574]
mesa                         Call shmget() with permission 0600 instead of 0777 [CVE-2019-5068]
mnemosyne                    Add missing dependency on PIL
modsecurity                  Fix cookie header parsing bug [CVE-2019-19886]
node-handlebars              Disallow calling "helperMissing" and "blockHelperMissing" directly [CVE-2019-19919]
node-kind-of                 Fix type checking vulnerability in ctorName() [CVE-2019-20149]
ntpsec                       Fix slow DNS retries; fix ntpdate -s (syslog) to fix the if-up hook; documentation fixes
numix-gtk-theme              Fix co-installability with other themes
nvidia-graphics-drivers-legacy-340xx New upstream stable release
nyancat                      Rebuild in a clean environment to add the systemd unit for nyancat-server
openjpeg2                    Fix heap overflow [CVE-2018-21010] and integer overflow [CVE-2018-20847]
opensmtpd                    Warn users of change of smtpd.conf syntax (in earlier versions); install smtpctl setgid opensmtpq; handle non-zero exit code from hostname during config phase
openssh                      Deny (non-fatally) ipc in the seccomp sandbox, fixing failures with OpenSSL 1.1.1d and Linux < 3.19 on some architectures
php-horde                    Fix stored cross-site scripting issue in Horde Cloud Block [CVE-2019-12095]
php-horde-text-filter        Fix invalid regular expressions
postfix                      New upstream stable release
postgresql-11                New upstream stable release
print-manager                Fix crash if CUPS returns the same ID for multiple print jobs
proftpd-dfsg                 Fix CRL issues [CVE-2019-19270 CVE-2019-19269]
pykaraoke                    Fix path to fonts
python-evtx                  Fix import of "hexdump"
python-internetarchive       Close file after getting hash, avoiding file descriptor exhaustion
python3.7                    Security fixes [CVE-2019-9740 CVE-2019-9947 CVE-2019-9948 CVE-2019-10160 CVE-2019-16056 CVE-2019-16935]
qtbase-opensource-src        Add support for non-PPD printers and avoid silent fallback to a printer supporting PPD; fix crash when using QLabels with rich text; fix graphics tablet hover events
qtwebengine-opensource-src   Fix PDF parsing; disable executable stack
quassel                      Fix quasselcore AppArmor denials when the config is saved; correct default channel for Debian; remove unnecessary NEWS file
qwinff                       Fix crash due to incorrect file detection
raspi3-firmware              Fix detection of serial console with kernel 5.x
ros-ros-comm                 Fix security issues [CVE-2019-13566 CVE-2019-13465 CVE-2019-13445]
roundcube                    New upstream stable release; fix insecure permissions in enigma plugin [CVE-2018-1000071]
schleuder                    Fix recognizing keywords in mails with "protected headers" and empty subject; strip non-self-signatures when refreshing or fetching keys; error if the argument provided to `refresh_keys` is not an existing list; add missing List-Id header to notification mails sent to admins; handle decryption problems gracefully; default to ASCII-8BIT encoding
simplesamlphp                Fix incompatibility with PHP 7.3
sogo-connector               New upstream release compatible with Thunderbird 68
spf-engine                   Fix privilege management at startup so Unix sockets work; update documentation for TestOnly
sudo                         Fix a buffer overflow when pwfeedback is enabled and input is not a tty [CVE-2019-18634]
systemd                      Set fs.file-max sysctl to LONG_MAX rather than ULONG_MAX; change ownership/mode of the execution directories also for static users, ensuring that execution directories like CacheDirectory and StateDirectory are properly chowned to the user specified in User= before launching the service
tifffile                     Fix wrapper script
tigervnc                     Security fixes [CVE-2019-15691 CVE-2019-15692 CVE-2019-15693 CVE-2019-15694 CVE-2019-15695]
tightvnc                     Security fixes [CVE-2014-6053 CVE-2019-8287 CVE-2018-20021 CVE-2018-20022 CVE-2018-20748 CVE-2018-7225 CVE-2019-15678 CVE-2019-15679 CVE-2019-15680 CVE-2019-15681]
uif                          Fix paths to ip(6)tables-restore in light of the migration to nftables
unhide                       Fix stack exhaustion
x2goclient                   Strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths in scp mode; fixes regression with newer libssh versions with fixes for CVE-2019-14889 applied
xmltooling                   Fix race condition that could lead to crash under load

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

<https://release.debian.org/proposed-updates/stable.html>

Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                      Reason
-------                      ------
caml-crush [armel]           Unbuildable due to lack of ocaml-native-compilers
firetray                     Incompatible with current Thunderbird versions
koji                         Security issues
python-lamson                Broken by changes in python-daemon

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
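To test the proposed updates on a host before the point release, the following added script (not part of this announcement or of Debian's tooling) reports which suite apt would take a package's candidate version from, so you can confirm a package really comes from buster-proposed-updates; the mirror hostname, the placeholder version numbers and the sample policy text are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Debian announcement. Helps test the
# buster-proposed-updates packages listed above on a host: it tells you
# which suite "apt-cache policy <pkg>" would take the candidate from.
# Assumes apt-cache's usual text layout (a "Candidate:" line, then a
# version table whose origin lines are indented below each version).

# sources.list line enabling the suite; the mirror hostname is a placeholder.
proposed_updates_source() {
    printf 'deb http://%s/debian buster-proposed-updates main\n' "${1:-deb.debian.org}"
}

# Print the suite that supplies the candidate version in the policy text
# given as $1 ("local" if only /var/lib/dpkg/status has it, "none" if the
# candidate does not appear in the version table at all).
candidate_suite() {
    printf '%s\n' "$1" | awk '
        $1 == "Candidate:" { cand = $2; next }
        # version-table rows look like "<ver> <prio>" or "*** <ver> <prio>"
        cand != "" && ($1 == cand || ($1 == "***" && $2 == cand)) { hit = 1; next }
        hit && $2 ~ /^https?:/ { split($3, f, "/"); print f[1]; done = 1; exit }
        hit && $2 ~ /^\//     { print "local"; done = 1; exit }
        END { if (!done) print "none" }
    '
}

# Run apt-cache for each package named on the command line and report
# where its candidate comes from (needs apt on the host; skipped otherwise).
report_candidates() {
    command -v apt-cache >/dev/null 2>&1 || { echo "apt-cache not available"; return 1; }
    for pkg in "$@"; do
        printf '%-28s %s\n' "$pkg" "$(candidate_suite "$(apt-cache policy "$pkg")")"
    done
}

# Constructed sample policy output (placeholder versions, not real ones).
SAMPLE_PROPOSED='sudo:
  Installed: 1.0-1
  Candidate: 1.0-1+deb10u1
  Version table:
     1.0-1+deb10u1 500
        500 http://deb.debian.org/debian buster-proposed-updates/main amd64 Packages
 *** 1.0-1 500
        500 http://deb.debian.org/debian buster/main amd64 Packages
        100 /var/lib/dpkg/status'

# Example: report_candidates sudo e2fsprogs libsolv clamav openssh
```

If a candidate is reported from "buster" rather than "buster-proposed-updates" after adding the sources line, run "apt-get update" and check that the suite is not pinned below the installed version.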