[SUA 179-1] Upcoming Debian 10 Update (10.4)



----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 179-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
May 4th, 2020
----------------------------------------------------------------------------

Upcoming Debian 10 Update (10.4)

An update to Debian 10 is scheduled for Saturday, May 9th, 2020. As of now
it will include the following bug fixes. They can be found in "buster-
proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "buster-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

  Package                    Reason
  -------                    ------

  apt-cacher-ng              Enforce secured call to the server in maint job
                             triggering [CVE-2020-5202]; allow .zst
                             compression for tarballs; increase size of the
                             decompression line buffer for config file
                             reading

  backuppc                   Pass the username to start-stop-daemon when
                             reloading, preventing reload failures

  base-files                 Update for the point release

  brltty                     Reduce severity of log message to avoid
                             generating too many messages when used with new
                             Orca versions

  checkstyle                 Fix XML External Entity injection issue
                             [CVE-2019-9658 CVE-2019-10782]

  choose-mirror              Update included mirror list

  clamav                     New upstream release [CVE-2020-3123]

  corosync                   totemsrp: Reduce MTU to avoid generating
                             oversized packets

  corosync-qdevice           Fix startup of corosync-qdevice

  csync2                     Fail HELLO command when SSL is required

  cups                       Fix heap buffer overflow [CVE-2020-3898] and
                             "the `ippReadIO` function may under-read an
                             extension field" [CVE-2019-8842]

  dav4tbsync                 New upstream release, restoring compatibility
                             with newer Thunderbird versions

  debian-edu-config          Add policy files for Firefox-ESR and
                             Thunderbird to fix the TLS/SSL setup

  debian-security-support    New upstream stable release; update status of
                             several packages; use "runuser" rather than
                             "su"

  distro-info-data           Add Ubuntu 20.10, and likely EoL date for
                             stretch

  dojo                       Fix improper regular expression usage
                             [CVE-2019-10785]

  dpdk                       New upstream stable release

  dtv-scan-tables            New upstream snapshot; add all current German
                             DVB-T2 muxes and the Eutelsat-5-West-A
                             satellite

  eas4tbsync                 New upstream release, restoring compatibility
                             with newer Thunderbird versions

  edk2                       Security fixes [CVE-2019-14558 CVE-2019-14559
                             CVE-2019-14563 CVE-2019-14575 CVE-2019-14586
                             CVE-2019-14587]

  el-api                     Fix stretch to buster upgrades that involve
                             Tomcat 8

  fex                        Security update

  filezilla                  Fix untrusted search path vulnerability
                             [CVE-2019-5429]

  frr                        Fix extended next hop capability

  fuse                       Drop outdated udevadm commands from postinst;
                             don't explicitly remove fuse.conf on purge

  fuse3                      Drop outdated udevadm commands from postinst;
                             don't explicitly remove fuse.conf on purge; fix
                             memory leak in fuse_session_new()

  golang-github-prometheus-  Extend validity of test certificates
  common

  gosa                       Replace (un)serialize with
                             json_encode/json_decode to mitigate PHP object
                             injection [CVE-2019-14466]

  hbci4java                  Support EU directive on payment services (PSD2)

  hibiscus                   Support EU directive on payment services (PSD2)

  iputils                    Correct an issue in which ping would improperly
                             exit with a failure code when there were
                             untried addresses still available in the
                             getaddrinfo() library call return value

  ircd-hybrid                Use dhparam.pem to avoid segfault on startup

  jekyll                     Allow use of ruby-i18n 0.x and 1.x

  jsp-api                    Fix stretch to buster upgrades that involve
                             Tomcat 8

  lemonldap-ng               Prevent unwanted access to admin endpoints
                             [CVE-2019-19791]; fix the GrantSession plugin
                             which could not prohibit logon when a 2FA was
                             used; fix arbitrary redirects with OIDC if
                             redirect_uri was not used

  libdatetime-timezone-perl  New upstream release

  libreoffice                Fix opengl slide transitions

  libssh                     Fix possible DoS in client and server when
                             handling AES-CTR keys with OpenSSL
                             [CVE-2020-1730]

  libvncserver               Fix heap overflow [CVE-2019-15690]

  linux                      New upstream stable release; [s390x] mm: fix
                             page table upgrade vs 2ndary address mode
                             accesses [CVE-2020-11884]

  linux-latest               Update kernel ABI to 4.19.0-9

  linux-signed-amd64         New upstream stable release

  linux-signed-arm64         New upstream stable release

  linux-signed-i386          New upstream stable release

  lwip                       Security fix [CVE-2020-8597]

  lxc-templates              New upstream stable release; handle languages
                             that are only UTF-8 encoded

  manila                     Fix missing access permissions check
                             [CVE-2020-9543]

  megatools                  Add support for the new format of mega.nz links

  mew                        Fix server SSL certificate validity checking

  mew-beta                   Fix server SSL certificate validity checking

  mkvtoolnix                 Rebuild to tighten libmatroska6v5 dependency

  ncbi-blast+                Disable SSE4.2 support

  node-anymatch              Remove unnecessary dependencies

  node-dot                   Prevent code execution after prototype
                             pollution [CVE-2020-8141]

  node-dot-prop              Fix prototype pollution [CVE-2020-8116]

  node-knockout              Fix escaping with older Internet Explorer
                             versions [CVE-2019-14862]

  node-mongodb               Reject invalid _bsontypes [CVE-2019-2391
                             CVE-2020-7610]

  node-yargs-parser          Fix prototype pollution [CVE-2020-7608]

  npm                        Fix arbitrary path access [CVE-2019-16775,
                             CVE-2019-16776, CVE-2019-16777]

  nvidia-graphics-drivers    New upstream stable release

  nvidia-graphics-drivers-   New upstream stable release
  legacy-390xx

  nvidia-settings-legacy-    New upstream release
  340xx

  oar                        Revert to stretch behavior for Storable::dclone
                             perl function, fixing recursion depth issues

  opam                       Prefer mccs over aspcud

  openvswitch                Fix vswitchd abort when a port is added and the
                             controller is down

  orocos-kdl                 Fix string conversion with Python 3

  owfs                       Remove broken Python 3 packages

  pango1.0                   Fix crash in pango_fc_font_key_get_variations()
                             when key is null

  pgcli                      Add dependency on python3-pkg-resources

  php-horde-data             Fix authenticated remote code execution
                             vulnerability [CVE-2020-8518]

  php-horde-form             Fix authenticated remote code execution
                             vulnerability [CVE-2020-8866]

  php-horde-trean            Fix authenticated remote code execution
                             vulnerability [CVE-2020-8865]

  postfix                    Fix panic with Postfix multi-Milter
                             configuration during MAIL FROM; new upstream
                             stable release; fix d/init.d running change so
                             it works with multi-instance again

  proftpd-dfsg               Fix memory access issue in keyboard-interactive
                             code in mod_sftp; properly handle DEBUG,
                             IGNORE, DISCONNECT, and UNIMPLEMENTED messages
                             in keyboard-interactive mode

  puma                       Fix Denial of Service issue [CVE-2019-16770]

  purple-discord             Fix crashes in ssl_nss_read

  python-oslo.utils          Fix leak of sensitive information via mistral
                             logs [CVE-2019-3866]

  rails                      Fix possible cross-site scripting via
                             Javascript escape helper [CVE-2020-5267]

  rake                       Fix command injection vulnerability
                             [CVE-2020-8130]

  raspi3-firmware            Fix dtb names mismatch in z50-raspi-firmware;
                             fix boot on RPi families 1 and 0

  resource-agents            Fix "ethmonitor does not list interfaces
                             without assigned IP address"; remove no longer
                             required xen-toolstack patch; fix non-standard
                             usage in ZFS agent

  rootskel                   Disable multiple console support if preseeding
                             is in use

  ruby-i18n                  Fix gemspec generation

  rubygems-integration       Avoid deprecation warnings when users install a
                             newer version of Rubygems via `gem update
                             --system`

  schleuder                  Improve patch to handle encoding errors
                             introduced in the previous version; switch
                             default encoding to UTF-8; let x-add-key handle
                             mails with attached, quoted-printable encoded
                             keys; fix x-attach-listkey with mails created
                             by Thunderbird that include protected headers

  scilab                     Fix library loading with OpenJDK 11.0.7

  serverspec-runner          Support Ruby 2.5

  softflowd                  Fix broken flow aggregation which might result
                             in flow table overflow and 100% CPU usage

  speech-dispatcher          Fix default pulseaudio latency which triggers
                             scratchy output

  spl-linux                  Fix deadlock

  sssd                       Fix sssd_be busy-looping when LDAP connection
                             is intermittent

  systemd                    Polkit: when authorizing via PolicyKit re-
                             resolve callback/userdata instead of caching it
                             [CVE-2020-1712]; install 60-block.rules in
                             udev-udeb and initramfs-tools

  taglib                     Fix corruption issues with OGG files

  tbsync                     New upstream release, restoring compatibility
                             with newer Thunderbird versions

  timeshift                  Fix predictable temporary directory use
                             [CVE-2020-10174]

  tinyproxy                  Only set PIDDIR, if PIDFILE is a non-zero
                             length string

  tzdata                     New upstream stable release

  uim                        Libuim-data.postinst: unregister not-installed
                             modules, fixing regression in previous upload

  user-mode-linux            Fix build failure with current stable kernels

  vite                       Fix crash when there are more than 32 elements

  waagent                    New upstream release; support co-installation
                             with cloud-init

  websocket-api              Fix stretch to buster upgrades that involve
                             Tomcat 8

  wpa                        Do not try to detect PSK mismatch during PTK
                             rekeying; check for FT support when selecting
                             FT suites; fix MAC randomisation issue with
                             some cards

  xdg-utils                  xdg-open: fix pacman check and handling of
                             directories with spaces in their names; xdg-
                             screensaver: Sanitise window name before
                             sending it over D-Bus; xdg-mime: Create config
                             directory if it does not exist yet

  xtrlock                    Fix blocking of (some) multitouch devices while
                             locked [CVE-2016-10894]

  zfs-linux                  Fix potential deadlock issues


A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>


Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

  Package                    Reason
  -------                    ------

  getlive                    Broken due to Hotmail changes

  gplaycli                   Broken by Google API changes

  kerneloops                 Upstream service no longer available

  lambda-align2 [!amd64]     Broken on non-amd64 architectures

  libmicrodns                Security issues

  libperlspeak-perl          Security issues; unmaintained

  quotecolors                Incompatible with newer Thunderbird versions

  torbirdy                   Incompatible with newer Thunderbird versions

  ugene                      Non-free; fails to build

  yahoo2mbox                 Broken for several years


If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
