[SUA 177-1] Upcoming Debian 10 Update (10.3)

Debian Stable Updates Announcement SUA 177-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
February 3rd, 2020

Upcoming Debian 10 Update (10.3)

An update to Debian 10 is scheduled for Saturday, February 8th, 2020. As 
of now it will include the following bug fixes. They can be found in 
"buster-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "buster-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.
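One way to stage "buster-proposed-updates" for the testing asked for above, as an added example that is not part of the announcement: the script below writes an apt source for the suite plus a pin at priority 100, so that "apt upgrade" keeps following buster and a proposed package is only installed when requested explicitly (with "-t buster-proposed-updates" or an explicit version). The mirror URL (deb.debian.org), the file names under the apt root, the priority value and the helper function names are assumptions of this example, not from the page; the priority semantics follow apt_preferences(5), where a source pinned below 500 never overrides an installed version on its own.

```shell
# Added example, not Debian's own code: stage buster-proposed-updates for
# testing without letting it silently replace every package on the host.
#
# Assumptions (not from the announcement): the mirror deb.debian.org, the
# file names chosen below, and writing under the apt root given as $1
# (defaults to /etc/apt). Pin-Priority 100 (< 500) means apt only takes a
# version from this suite when it is asked for it explicitly.

MIRROR="${MIRROR:-http://deb.debian.org/debian}"
SUITE="buster-proposed-updates"
PIN_PRIORITY=100

# Write sources.list.d/<suite>.list and preferences.d/<suite> under $1.
write_proposed_updates_config() {
    apt_root="${1:-/etc/apt}"
    mkdir -p "$apt_root/sources.list.d" "$apt_root/preferences.d"

    cat > "$apt_root/sources.list.d/$SUITE.list" <<EOF
# Packages staged for the next Debian 10 point release (testing only).
deb $MIRROR $SUITE main
EOF

    # Pinned below 500: "apt upgrade" stays on buster; packages from the
    # suite are pulled only with "-t $SUITE" or "pkg=version".
    cat > "$apt_root/preferences.d/$SUITE" <<EOF
Package: *
Pin: release a=$SUITE
Pin-Priority: $PIN_PRIORITY
EOF
}

# Print the pin priority recorded for the suite under $1 (empty if none).
proposed_updates_pin_priority() {
    sed -n 's/^Pin-Priority: *//p' "${1:-/etc/apt}/preferences.d/$SUITE"
}

# Check the staged config under $1: the source line exists and the suite
# is pinned below 500, so it cannot override stable on a plain upgrade.
# Returns 0 when the setup is safe, 1 otherwise.
check_proposed_updates_config() {
    apt_root="${1:-/etc/apt}"
    list="$apt_root/sources.list.d/$SUITE.list"
    [ -f "$list" ] || return 1
    grep -q "^deb $MIRROR $SUITE " "$list" || return 1
    prio=$(proposed_updates_pin_priority "$apt_root")
    [ -n "$prio" ] || return 1
    [ "$prio" -lt 500 ] || return 1
    return 0
}
```

After running write_proposed_updates_config on a real host, "apt-get update" followed by "apt-get -t buster-proposed-updates install <package>" installs one staged package, and "apt-cache policy <package>" shows which suite the candidate version comes from; check_proposed_updates_config guards against the common mistake of adding the suite without a pin, which would pull every newer package from it on the next upgrade.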

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following

  Package                    Reason
  -------                    ------

  alot                       Remove expiration time from test suite keys,
                             fixing build failure

  atril                      Fix segfault when no document is loaded; fix
                             read of uninitialised memory [CVE-2019-11459]

  base-files                 Update for the point release

  beagle                     Provide wrapper script instead of symlinks to
                             JARs, making them work again

  bgpdump                    Fix segmentation fault

  boost1.67                  Fix undefined behaviour leading to crashing

  brightd                    Actually compare the value read out of
                             /sys/class/power_supply/AC/online with '0'

  casacore-data-jplde        Include tables up to 2040

  clamav                     New upstream release; fix denial of service
                             issue [CVE-2019-15961]; remove ScanOnAccess
                             option, replacing with clamonacc

  compactheader              New upstream release compatible with
                             Thunderbird 68

  console-common             Fix regression that led to files not being

  csh                        Fix segfault on eval

  cups                       Fix memory leak in ppdOpen; fix validation of
                             default language in ippSetValuetag

  cyrus-imapd                Add BACKUP type to cyrus-upgrade-db, fixing
                             upgrade issues

  debian-edu-config          Keep proxy settings on client if wpad is

  debian-security-support    Update security support status of several

  debos                      Rebuild against updated golang-github-go-debos-

  dispmua                    New upstream release compatible with
                             Thunderbird 68

  dkimpy                     New upstream stable release

  dkimpy-milter              Fix privilege management at startup so Unix
                             sockets work

  dpdk                       New upstream stable release

  e2fsprogs                  Fix potential stack underflow in e2fsck
                             [CVE-2019-5188]; fix use after free in e2fsck

  fig2dev                    Allow Fig v2 text strings ending with multiple
                             ^A [CVE-2019-19555]; reject huge arrow types
                             causing integer overflow [CVE-2019-19746]; fix
                             several crashes [CVE-2019-19797]

  freerdp2                   Fix realloc return handling [CVE-2019-17177]

  freetds                    Tds: Make sure UDT has varint set to 8

  git-lfs                    Fix build issues with newer Go versions

  gnubg                      Increase the size of static buffers used to
                             build messages during program start so that the
                             Spanish translation doesn't overflow a buffer

  gnutls28                   Fix interop problems with gnutls 2.x; fix
                             parsing of certificates using RegisteredID

  gtk2-engines-murrine       Fix co-installability with other themes

  guile-2.2                  Fix build failure

  libburn                    Fix "cdrskin multi-track burning was slow and
                             stalled after track 1"

  libcgns                    Fix build failure on ppc64el

  libimobiledevice           Properly handle partial SSL writes

  libmatroska                Bump shared library dependency to 1.4.7 since
                             that version introduced new symbols

  libmysofa                  Security fixes [CVE-2019-16091 CVE-2019-16092
                             CVE-2019-16093 CVE-2019-16094 CVE-2019-16095]

  libole-storage-lite-perl   Fix interpretation of years from 2020 onwards

  libparse-win32registry-    Fix interpretation of years from 2020 onwards

  libperl4-corelibs-perl     Fix interpretation of years from 2020 onwards

  libsolv                    Fix heap buffer overflow [CVE-2019-20387]

  libspreadsheet-wright-perl Fix previously unusable OpenDocument
                             spreadsheets and passing of JSON formatting

  libtimedate-perl           Fix interpretation of years from 2020 onwards

  libvirt                    apparmor: Allow one to run pygrub; don't render
                             osxsave, ospke into QEMU command line; this
                             helps newer QEMU with some configs generated by

  libvncserver               rfbserver: don't leak stack memory to the
                             remote [CVE-2019-15681]; resolve a freeze
                             during connection closure and a segmentation
                             fault on multi-threaded VNC servers; fix issue
                             connecting to VMWare servers; fix crashing of
                             x11vnc when vncviewer connects

  limnoria                   Fix remote information disclosure and possibly
                             remote code execution in the Math plugin

  linux                      New upstream stable version; new upstream
                             stable release

  linux-latest               Update for -8 kernel ABI

  linux-signed-amd64         New upstream stable release

  linux-signed-arm64         New upstream stable release

  linux-signed-i386          New upstream stable release

  mariadb-10.3               New upstream stable release [CVE-2019-2938
                             CVE-2019-2974 CVE-2020-2574]

  mesa                       Call shmget() with permission 0600 instead of
                             0777 [CVE-2019-5068]

  mnemosyne                  Add missing dependency on PIL

  modsecurity                Fix cookie header parsing bug [CVE-2019-19886]

  node-handlebars            Disallow calling "helperMissing" and
                             "blockHelperMissing" directly [CVE-2019-19919]

  node-kind-of               Fix type checking vulnerability in ctorName()

  ntpsec                     Fix slow DNS retries; fix ntpdate -s (syslog)
                             to fix the if-up hook; documentation fixes

  numix-gtk-theme            Fix co-installability with other themes

  nvidia-graphics-drivers-   New upstream stable release

  nyancat                    Rebuild in a clean environment to add the
                             systemd unit for nyancat-server

  openjpeg2                  Fix heap overflow [CVE-2018-21010] and integer
                             overflow [CVE-2018-20847]

  opensmtpd                  Warn users of change of smtpd.conf syntax (in
                             earlier versions); install smtpctl setgid
                             opensmtpq; handle non-zero exit code from
                             hostname during config phase

  openssh                    Deny (non-fatally) ipc in the seccomp sandbox,
                             fixing failures with OpenSSL 1.1.1d and Linux <
                             3.19 on some architectures

  php-horde                  Fix stored cross-site scripting issue in Horde
                             Cloud Block [CVE-2019-12095]

  php-horde-text-filter      Fix invalid regular expressions

  postfix                    New upstream stable release

  postgresql-11              New upstream stable release

  print-manager              Fix crash if CUPS returns the same ID for
                             multiple print jobs

  proftpd-dfsg               Fix CRL issues [CVE-2019-19270 CVE-2019-19269]

  pykaraoke                  Fix path to fonts

  python-evtx                Fix import of "hexdump"

  python-internetarchive     Close file after getting hash, avoiding file
                             descriptor exhaustion

  python3.7                  Security fixes [CVE-2019-9740 CVE-2019-9947
                             CVE-2019-9948 CVE-2019-10160 CVE-2019-16056

  qtbase-opensource-src      Add support for non-PPD printers and avoid
                             silent fallback to a printer supporting PPD;
                             fix crash when using QLabels with rich text;
                             fix graphics tablet hover events

  qtwebengine-opensource-src Fix PDF parsing; disable executable stack

  quassel                    Fix quasselcore AppArmor denials when the
                             config is saved; correct default channel for
                             Debian; remove unnecessary NEWS file

  qwinff                     Fix crash due to incorrect file detection

  raspi3-firmware            Fix detection of serial console with kernel 5.x

  ros-ros-comm               Fix security issues [CVE-2019-13566
                             CVE-2019-13465 CVE-2019-13445]

  roundcube                  New upstream stable release; fix insecure
                             permissions in enigma plugin [CVE-2018-1000071]

  schleuder                  Fix recognizing keywords in mails with
                             "protected headers" and empty subject; strip
                             non-self-signatures when refreshing or fetching
                             keys; error if the argument provided to
                             `refresh_keys` is not an existing list; add
                             missing List-Id header to notification mails
                             sent to admins; handle decryption problems
                             gracefully; default to ASCII-8BIT encoding

  simplesamlphp              Fix incompatibility with PHP 7.3

  sogo-connector             New upstream release compatible with
                             Thunderbird 68

  spf-engine                 Fix privilege management at startup so Unix
                             sockets work; update documentation for TestOnly

  sudo                       Fix a buffer overflow when pwfeedback is
                             enabled and input is not a tty

  systemd                    Set fs.file-max sysctl to LONG_MAX rather than
                             ULONG_MAX; change ownership/mode of the
                             execution directories also for static users,
                             ensuring that execution directories like
                             CacheDirectory and StateDirectory are properly
                             chowned to the user specified in User= before
                             launching the service

  tifffile                   Fix wrapper script

  tigervnc                   Security fixes [CVE-2019-15691 CVE-2019-15692
                             CVE-2019-15693 CVE-2019-15694 CVE-2019-15695]

  tightvnc                   Security fixes [CVE-2014-6053 CVE-2019-8287
                             CVE-2018-20021 CVE-2018-20022 CVE-2018-20748
                             CVE-2018-7225 CVE-2019-15678 CVE-2019-15679
                             CVE-2019-15680 CVE-2019-15681]

  uif                        Fix paths to ip(6)tables-restore in light of
                             the migration to nftables

  unhide                     Fix stack exhaustion

  x2goclient                 Strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/}
                             from destination paths in scp mode; fixes
                             regression with newer libssh versions with
                             fixes for CVE-2019-14889 applied

  xmltooling                 Fix race condition that could lead to crash
                             under load

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:


Removed packages

The following packages will be removed due to circumstances beyond our

  Package                    Reason
  -------                    ------

  caml-crush [armel]         Unbuildable due to lack of ocaml-native-

  firetray                   Incompatible with current Thunderbird versions

  koji                       Security issues

  python-lamson              Broken by changes in python-daemon

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".


