----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 179-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
May 4th, 2020
----------------------------------------------------------------------------

Upcoming Debian 10 Update (10.4)

An update to Debian 10 is scheduled for Saturday, May 9th, 2020. As of now
it will include the following bug fixes. They can be found in
"buster-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "buster-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package                       Reason
-------                       ------
apt-cacher-ng                 Enforce secured call to the server in maint
                              job triggering [CVE-2020-5202]; allow .zst
                              compression for tarballs; increase size of
                              the decompression line buffer for config file
                              reading
backuppc                      Pass the username to start-stop-daemon when
                              reloading, preventing reload failures
base-files                    Update for the point release
brltty                        Reduce severity of log message to avoid
                              generating too many messages when used with
                              new Orca versions
checkstyle                    Fix XML External Entity injection issue
                              [CVE-2019-9658 CVE-2019-10782]
choose-mirror                 Update included mirror list
clamav                        New upstream release [CVE-2020-3123]
corosync                      totemsrp: Reduce MTU to avoid generating
                              oversized packets
corosync-qdevice              Fix startup of corosync-qdevice
csync2                        Fail HELLO command when SSL is required
cups                          Fix heap buffer overflow [CVE-2020-3898] and
                              "the `ippReadIO` function may under-read an
                              extension field" [CVE-2019-8842]
dav4tbsync                    New upstream release, restoring compatibility
                              with newer Thunderbird versions
debian-edu-config             Add policy files for Firefox-ESR and
                              Thunderbird to fix the TLS/SSL setup
debian-security-support       New upstream stable release; update status of
                              several packages; use "runuser" rather than
                              "su"
distro-info-data              Add Ubuntu 20.10, and likely EoL date for
                              stretch
dojo                          Fix improper regular expression usage
                              [CVE-2019-10785]
dpdk                          New upstream stable release
dtv-scan-tables               New upstream snapshot; add all current German
                              DVB-T2 muxes and the Eutelsat-5-West-A
                              satellite
eas4tbsync                    New upstream release, restoring compatibility
                              with newer Thunderbird versions
edk2                          Security fixes [CVE-2019-14558 CVE-2019-14559
                              CVE-2019-14563 CVE-2019-14575 CVE-2019-14586
                              CVE-2019-14587]
el-api                        Fix stretch to buster upgrades that involve
                              Tomcat 8
fex                           Security update
filezilla                     Fix untrusted search path vulnerability
                              [CVE-2019-5429]
frr                           Fix extended next hop capability
fuse                          Drop outdated udevadm commands from postinst;
                              don't explicitly remove fuse.conf on purge
fuse3                         Drop outdated udevadm commands from postinst;
                              don't explicitly remove fuse.conf on purge;
                              fix memory leak in fuse_session_new()
golang-github-prometheus-common
                              Extend validity of test certificates
gosa                          Replace (un)serialize with
                              json_encode/json_decode to mitigate PHP
                              object injection [CVE-2019-14466]
hbci4java                     Support EU directive on payment services
                              (PSD2)
hibiscus                      Support EU directive on payment services
                              (PSD2)
iputils                       Correct an issue in which ping would
                              improperly exit with a failure code when
                              there were untried addresses still available
                              in the getaddrinfo() library call return
                              value
ircd-hybrid                   Use dhparam.pem to avoid segfault on startup
jekyll                        Allow use of ruby-i18n 0.x and 1.x
jsp-api                       Fix stretch to buster upgrades that involve
                              Tomcat 8
lemonldap-ng                  Prevent unwanted access to admin endpoints
                              [CVE-2019-19791]; fix the GrantSession plugin
                              which could not prohibit logon when a 2FA was
                              used; fix arbitrary redirects with OIDC if
                              redirect_uri was not used
libdatetime-timezone-perl     New upstream release
libreoffice                   Fix opengl slide transitions
libssh                        Fix possible DoS in client and server when
                              handling AES-CTR keys with OpenSSL
                              [CVE-2020-1730]
libvncserver                  Fix heap overflow [CVE-2019-15690]
linux                         New upstream stable release; [s390x] mm: fix
                              page table upgrade vs 2ndary address mode
                              accesses [CVE-2020-11884]
linux-latest                  Update kernel ABI to 4.19.0-9
linux-signed-amd64            New upstream stable release
linux-signed-arm64            New upstream stable release
linux-signed-i386             New upstream stable release
lwip                          Security fix [CVE-2020-8597]
lxc-templates                 New upstream stable release; handle languages
                              that are only UTF-8 encoded
manila                        Fix missing access permissions check
                              [CVE-2020-9543]
megatools                     Add support for the new format of mega.nz
                              links
mew                           Fix server SSL certificate validity checking
mew-beta                      Fix server SSL certificate validity checking
mkvtoolnix                    Rebuild to tighten libmatroska6v5 dependency
ncbi-blast+                   Disable SSE4.2 support
node-anymatch                 Remove unnecessary dependencies
node-dot                      Prevent code execution after prototype
                              pollution [CVE-2020-8141]
node-dot-prop                 Fix prototype pollution [CVE-2020-8116]
node-knockout                 Fix escaping with older Internet Explorer
                              versions [CVE-2019-14862]
node-mongodb                  Reject invalid _bsontypes [CVE-2019-2391
                              CVE-2020-7610]
node-yargs-parser             Fix prototype pollution [CVE-2020-7608]
npm                           Fix arbitrary path access [CVE-2019-16775,
                              CVE-2019-16776, CVE-2019-16777]
nvidia-graphics-drivers       New upstream stable release
nvidia-graphics-drivers-legacy-390xx
                              New upstream stable release
nvidia-settings-legacy-340xx  New upstream release
oar                           Revert to stretch behavior for
                              Storable::dclone perl function, fixing
                              recursion depth issues
opam                          Prefer mccs over aspcud
openvswitch                   Fix vswitchd abort when a port is added and
                              the controller is down
orocos-kdl                    Fix string conversion with Python 3
owfs                          Remove broken Python 3 packages
pango1.0                      Fix crash in pango_fc_font_key_get_variations()
                              when key is null
pgcli                         Add dependency on python3-pkg-resources
php-horde-data                Fix authenticated remote code execution
                              vulnerability [CVE-2020-8518]
php-horde-form                Fix authenticated remote code execution
                              vulnerability [CVE-2020-8866]
php-horde-trean               Fix authenticated remote code execution
                              vulnerability [CVE-2020-8865]
postfix                       Fix panic with Postfix multi-Milter
                              configuration during MAIL FROM; new upstream
                              stable release; fix d/init.d running change
                              so it works with multi-instance again
proftpd-dfsg                  Fix memory access issue in
                              keyboard-interactive code in mod_sftp;
                              properly handle DEBUG, IGNORE, DISCONNECT,
                              and UNIMPLEMENTED messages in
                              keyboard-interactive mode
puma                          Fix Denial of Service issue [CVE-2019-16770]
purple-discord                Fix crashes in ssl_nss_read
python-oslo.utils             Fix leak of sensitive information via mistral
                              logs [CVE-2019-3866]
rails                         Fix possible cross-site scripting via
                              Javascript escape helper [CVE-2020-5267]
rake                          Fix command injection vulnerability
                              [CVE-2020-8130]
raspi3-firmware               Fix dtb names mismatch in z50-raspi-firmware;
                              fix boot on RPi families 1 and 0
resource-agents               Fix "ethmonitor does not list interfaces
                              without assigned IP address"; remove no
                              longer required xen-toolstack patch; fix
                              non-standard usage in ZFS agent
rootskel                      Disable multiple console support if
                              preseeding is in use
ruby-i18n                     Fix gemspec generation
rubygems-integration          Avoid deprecation warnings when users install
                              a newer version of Rubygems via
                              `gem update --system`
schleuder                     Improve patch to handle encoding errors
                              introduced in the previous version; switch
                              default encoding to UTF-8; let x-add-key
                              handle mails with attached, quoted-printable
                              encoded keys; fix x-attach-listkey with mails
                              created by Thunderbird that include protected
                              headers
scilab                        Fix library loading with OpenJDK 11.0.7
serverspec-runner             Support Ruby 2.5
softflowd                     Fix broken flow aggregation which might
                              result in flow table overflow and 100% CPU
                              usage
speech-dispatcher             Fix default pulseaudio latency which triggers
                              scratchy output
spl-linux                     Fix deadlock
sssd                          Fix sssd_be busy-looping when LDAP connection
                              is intermittent
systemd                       Polkit: when authorizing via PolicyKit
                              re-resolve callback/userdata instead of
                              caching it [CVE-2020-1712]; install
                              60-block.rules in udev-udeb and
                              initramfs-tools
taglib                        Fix corruption issues with OGG files
tbsync                        New upstream release, restoring compatibility
                              with newer Thunderbird versions
timeshift                     Fix predictable temporary directory use
                              [CVE-2020-10174]
tinyproxy                     Only set PIDDIR, if PIDFILE is a non-zero
                              length string
tzdata                        New upstream stable release
uim                           Libuim-data.postinst: unregister
                              not-installed modules, fixing regression in
                              previous upload
user-mode-linux               Fix build failure with current stable kernels
vite                          Fix crash when there are more than 32
                              elements
waagent                       New upstream release; support co-installation
                              with cloud-init
websocket-api                 Fix stretch to buster upgrades that involve
                              Tomcat 8
wpa                           Do not try to detect PSK mismatch during PTK
                              rekeying; check for FT support when selecting
                              FT suites; fix MAC randomisation issue with
                              some cards
xdg-utils                     xdg-open: fix pacman check and handling of
                              directories with spaces in their names;
                              xdg-screensaver: Sanitise window name before
                              sending it over D-Bus; xdg-mime: Create
                              config directory if it does not exist yet
xtrlock                       Fix blocking of (some) multitouch devices
                              while locked [CVE-2016-10894]
zfs-linux                     Fix potential deadlock issues

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>

Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                       Reason
-------                       ------
getlive                       Broken due to Hotmail changes
gplaycli                      Broken by Google API changes
kerneloops                    Upstream service no longer available
lambda-align2 [!amd64]        Broken on non-amd64 architectures
libmicrodns                   Security issues
libperlspeak-perl             Security issues; unmaintained
quotecolors                   Incompatible with newer Thunderbird versions
torbirdy                      Incompatible with newer Thunderbird versions
ugene                         Non-free; fails to build
yahoo2mbox                    Broken for several years

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".