----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 185-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
July 28th, 2020
----------------------------------------------------------------------------

Upcoming Debian 10 Update (10.5)

An update to Debian 10 is scheduled for Saturday, August 1st, 2020. As of
now it will include the following bug fixes. They can be found in
"buster-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible.

Some of the updates below are also already available through
"buster-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

Several packages have been rebuilt for the point release as part of a
planned rollover of Debian's Secure Boot signing keys.

The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package                      Reason
-------                      ------
appstream-glib               Fix build failures in 2020 and later
asunder                      Use gnudb instead of freedb by default
b43-fwcutter                 Ensure removal succeeds under non-English
                             locales; do not fail removal if some files no
                             longer exist; fix missing dependencies on
                             pciutils and ca-certificates
balsa                        Provide server identity when validating
                             certificates, allowing successful validation
                             when using the glib-networking patch for
                             CVE-2020-13645
base-files                   Update for the point release
batik                        Fix server-side request forgery via xlink:href
                             attributes [CVE-2019-17566]
borgbackup                   Fix index corruption bug leading to data loss
bundler                      Update required version of ruby-molinillo
c-icap-modules               Add support for ClamAV 0.102
ca-certificates              Update Mozilla CA bundle to 2.40, blacklist
                             distrusted Symantec roots and expired
                             "AddTrust External Root"
cacti                        Fix issue where UNIX timestamps after
                             September 13th 2020 were rejected as graph
                             start / end; fix remote code execution
                             [CVE-2020-7237], cross-site scripting
                             [CVE-2020-7106], CSRF issue [CVE-2020-13231];
                             disabling a user account does not immediately
                             invalidate permissions [CVE-2020-13230]
calamares-settings-debian    Enable displaymanager module, fixing autologin
                             options; use xdg-user-dir to specify Desktop
                             directory
clamav                       New upstream release; security fixes
                             [CVE-2020-3327 CVE-2020-3341 CVE-2020-3350
                             CVE-2020-3481]
cloud-init                   New upstream release
commons-configuration2       Prevent object creation when loading YAML
                             files [CVE-2020-1953]
confget                      Fix the Python module's handling of values
                             containing "="
dbus                         New upstream stable release; prevent a denial
                             of service issue [CVE-2020-12049]; prevent
                             use-after-free if two usernames share a uid
debian-edu-config            Fix loss of dynamically allocated IPv4 address
debian-ports-archive-keyring Increase the expiration date of the 2020 key
                             (84C573CD4E1AFD6C) by one year; add "Debian
                             Ports Archive Automatic Signing Key (2021)";
                             move the 2018 key (ID: 06AED62430CB581C) to
                             the removed keyring
debian-security-support      Update support status of several packages
dpdk                         New upstream release
exiv2                        Adjust overly restrictive security patch
                             [CVE-2018-10958 and CVE-2018-10999]; fix
                             denial of service issue [CVE-2018-16336]
fdroidserver                 Fix Litecoin address validation
file-roller                  Security fix [CVE-2020-11736]
freerdp2                     Fix smartcard logins; security fixes
                             [CVE-2020-11521 CVE-2020-11522 CVE-2020-11523
                             CVE-2020-11524 CVE-2020-11525 CVE-2020-11526]
fwupd                        New upstream release; fix possible signature
                             verification issue [CVE-2020-10759]; use
                             rotated Debian signing keys
fwupd-amd64-signed           New upstream release; fix possible signature
                             verification issue [CVE-2020-10759]; use
                             rotated Debian signing keys
fwupd-arm64-signed           New upstream release; fix possible signature
                             verification issue [CVE-2020-10759]; use
                             rotated Debian signing keys
fwupd-armhf-signed           New upstream release; fix possible signature
                             verification issue [CVE-2020-10759]; use
                             rotated Debian signing keys
fwupd-i386-signed            New upstream release; fix possible signature
                             verification issue [CVE-2020-10759]; use
                             rotated Debian signing keys
fwupdate                     Use rotated Debian signing keys
fwupdate-amd64-signed        Use rotated Debian signing keys
fwupdate-arm64-signed        Use rotated Debian signing keys
fwupdate-armhf-signed        Use rotated Debian signing keys
fwupdate-i386-signed         Use rotated Debian signing keys
gist                         Avoid deprecated authorization API
glib-networking              Return bad identity error if identity is
                             unset [CVE-2020-13645]; break balsa older than
                             2.5.6-2+deb10u1 as the fix for CVE-2020-13645
                             breaks balsa's certificate verification
gnutls28                     Fix TLS1.2 resumption errors; fix memory leak;
                             handle zero length session tickets, fixing
                             connection errors on TLS1.2 sessions to some
                             big hosting providers; fix verification error
                             with alternate chains
intel-microcode              Downgrade some microcodes to previously issued
                             versions, working around hangs on boot on
                             Skylake-U/Y and Skylake Xeon E3
jackson-databind             Fix multiple security issues affecting
                             BeanDeserializerFactory [CVE-2020-9548
                             CVE-2020-9547 CVE-2020-9546 CVE-2020-8840
                             CVE-2020-14195 CVE-2020-14062 CVE-2020-14061
                             CVE-2020-14060 CVE-2020-11620 CVE-2020-11619
                             CVE-2020-11113 CVE-2020-11112 CVE-2020-11111
                             CVE-2020-10969 CVE-2020-10968 CVE-2020-10673
                             CVE-2020-10672 CVE-2019-20330 CVE-2019-17531
                             CVE-2019-17267]
jameica                      Add mckoisqldb to classpath, allowing use of
                             SynTAX plugin
jigdo                        Fix HTTPS support in jigdo-lite and
                             jigdo-mirror
ksh                          Fix environment variable restriction issue
                             [CVE-2019-14868]
lemonldap-ng                 Fix nginx configuration regression introduced
                             by the CVE-2019-19791 fix
libapache-mod-jk             Rename Apache configuration file so it can be
                             automatically enabled and disabled
libclamunrar                 New upstream stable release; add an
                             unversioned meta-package
libembperl-perl              Handle error pages from Apache >= 2.4.40
libexif                      Security fixes [CVE-2020-12767 CVE-2020-0093
                             CVE-2020-13112 CVE-2020-13113 CVE-2020-13114];
                             fix buffer overflow [CVE-2020-0182] and
                             integer overflow [CVE-2020-0198]
libinput                     Quirks: add trackpoint integration attribute
libntlm                      Fix buffer overflow [CVE-2019-17455]
libpam-radius-auth           Fix buffer overflow in password field
                             [CVE-2015-9542]
libunwind                    Fix segfaults on mips; manually enable C++
                             exception support only on i386 and amd64
libyang                      Fix cache corruption crash [CVE-2019-19333
                             CVE-2019-19334]
linux                        New upstream stable release
linux-latest                 Update for 4.19.0-10 kernel ABI
linux-signed-amd64           New upstream stable release
linux-signed-arm64           New upstream stable release
linux-signed-i386            New upstream stable release
lirc                         Fix conffile management
mailutils                    maidag: drop setuid privileges for all
                             delivery operations but mda [CVE-2019-18862]
mariadb-10.3                 New upstream stable release; security fixes
                             [CVE-2020-2752 CVE-2020-2760 CVE-2020-2812
                             CVE-2020-2814 CVE-2020-13249]; fix regression
                             in RocksDB ZSTD detection
mod-gnutls                   Fix a possible segfault on failed TLS
                             handshake; fix test failures
multipath-tools              kpartx: use correct path to partx in udev rule
mutt                         Don't check IMAP PREAUTH encryption if $tunnel
                             is in use
mydumper                     Link against libm
nfs-utils                    statd: take user-id from /var/lib/nfs/sm
                             [CVE-2019-3689]; don't make /var/lib/nfs owned
                             by statd
nginx                        Fix error page request smuggling vulnerability
                             [CVE-2019-20372]
nmap                         Update default key size to 2048 bits
node-dot-prop                Fix regression introduced in the CVE-2020-8116
                             fix
node-handlebars              Disallow calling "helperMissing" and
                             "blockHelperMissing" directly [CVE-2019-19919]
node-minimist                Fix prototype pollution [CVE-2020-7598]
nvidia-graphics-drivers      New upstream stable release; security fixes
                             [CVE-2020-5963 CVE-2020-5967]
nvidia-graphics-drivers-legacy-390xx
                             New upstream stable release; security fixes
                             [CVE-2020-5963 CVE-2020-5967]
openstack-debian-images      Install resolvconf if installing cloud-init
pagekite                     Avoid issues with expiry of shipped SSL
                             certificates by using those from the
                             ca-certificates package
pdfchain                     Fix crash at startup
perl                         Fix multiple regular expression related
                             security issues [CVE-2020-10543 CVE-2020-10878
                             CVE-2020-12723]
php-horde                    Fix cross-site scripting vulnerability
                             [CVE-2020-8035]
php-horde-gollem             Fix cross-site scripting vulnerability in
                             breadcrumb output [CVE-2020-8034]
pillow                       Fix multiple out-of-bounds read issues
                             [CVE-2020-11538 CVE-2020-10378 CVE-2020-10177]
policyd-rate-limit           Fix issues in accounting due to socket reuse
postfix                      New upstream stable release; fix segfault in
                             the tlsproxy client role when the server role
                             was disabled; fix "maillog_file_rotate_suffix
                             default value used the minute instead of the
                             month"; fix several TLS related issues;
                             README.Debian fixes
python-markdown2             Fix cross-site scripting issue [CVE-2020-11888]
python3.7                    Avoid infinite loop when reading specially
                             crafted TAR files using the tarfile module
                             [CVE-2019-20907]; resolve hash collisions for
                             IPv4Interface and IPv6Interface
                             [CVE-2020-14422]; fix denial of service issue
                             in urllib.request.AbstractBasicAuthHandler
                             [CVE-2020-8492]
qdirstat                     Fix saving of user configured MIME categories
raspi3-firmware              Fix typo that could lead to unbootable systems
resource-agents              IPsrcaddr: make proto optional to fix
                             regression when used without NetworkManager
ruby-json                    Fix unsafe object creation vulnerability
                             [CVE-2020-10663]
shim                         Use rotated Debian signing keys
shim-helpers-amd64-signed    Use rotated Debian signing keys
shim-helpers-arm64-signed    Use rotated Debian signing keys
shim-helpers-i386-signed     Use rotated Debian signing keys
speedtest-cli                Pass correct headers to fix upload speed test
ssvnc                        Fix out-of-bounds write [CVE-2018-20020],
                             infinite loop [CVE-2018-20021], improper
                             initialisation [CVE-2018-20022], potential
                             denial-of-service [CVE-2018-20024]
storebackup                  Fix possible privilege escalation
                             vulnerability [CVE-2020-7040]
suricata                     Fix dropping privileges in nflog runmode
tigervnc                     Don't use libunwind on armel, armhf or arm64
transmission                 Fix possible denial of service issue
                             [CVE-2018-10756]
wav2cdr                      Use C99 fixed-size integer types to fix
                             runtime assertion on 64bit architectures other
                             than amd64 and alpha
zipios++                     Security fix [CVE-2019-13453]

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

<https://release.debian.org/proposed-updates/stable.html>


Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                      Reason
-------                      ------
janus                        Not supportable in stable
mathematica-fonts            Relies on unavailable download location
selenium-firefoxdriver       Incompatible with newer Firefox ESR versions


If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
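The announcement asks for testing from "buster-proposed-updates" before the point release lands, and the useful first question on any buster host is which of the rows above actually apply to it. The following is an added example, not Debian Release Team tooling: a small Python triage script that parses the two-column Package/Reason table in the wrapped layout used above, pulls the CVE identifiers out of each reason, matches the rows against a host's installed package list, and prints an apt-get line for the matching packages. The excerpt of the table and the `dpkg-query` output it reads are constructed inline; the `-t buster-proposed-updates` target assumes that suite has already been added to the host's apt sources, which the announcement leaves to the reader.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed excerpt of the "Package / Reason" table from the announcement
# above, in the announcement's own wrapped two-column layout.
ANNOUNCEMENT_EXCERPT = """\
Package                      Reason
-------                      ------
base-files                   Update for the point release
clamav                       New upstream release; security fixes
                             [CVE-2020-3327 CVE-2020-3341 CVE-2020-3350
                             CVE-2020-3481]
exiv2                        Adjust overly restrictive security patch
                             [CVE-2018-10958 and CVE-2018-10999]; fix
                             denial of service issue [CVE-2018-16336]
nginx                        Fix error page request smuggling
                             vulnerability [CVE-2019-20372]
shim                         Use rotated Debian signing keys
"""

# Constructed output of: dpkg-query -W -f '${Package} ${Version}\n'
# from a hypothetical buster host (versions are illustrative).
INSTALLED_EXCERPT = """\
base-files 10.3+deb10u4
clamav 0.102.3+dfsg-0+deb10u1
nginx 1.14.2-2+deb10u1
openssh-server 1:7.9p1-10+deb10u2
"""


def parse_table(text):
    """Return {package: reason}. A row starts in column 1 with the package
    name; wrapped continuation lines start with whitespace and belong to
    the previous row's reason. Header and underline rows are skipped."""
    rows = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            if current is None:
                raise ValueError("continuation before any row: %r" % line)
            rows[current] = (rows[current] + " " + line.strip()).strip()
            continue
        name, _, reason = line.partition(" ")
        if name == "Package" or set(name) == {"-"}:
            continue
        current = name
        rows[name] = reason.strip()
    return rows


def cves_in(reason):
    """Sorted, de-duplicated CVE ids mentioned in a reason string
    (the regex also copes with 'CVE-A and CVE-B' wording)."""
    return sorted(set(CVE_RE.findall(reason)))


def parse_installed(text):
    """Return {package: version} from dpkg-query style 'name version' lines."""
    installed = {}
    for line in text.splitlines():
        if line.strip():
            name, version = line.split(None, 1)
            installed[name] = version.strip()
    return installed


def triage(table, installed):
    """(package, installed_version, [cves]) for every installed package the
    point release updates; an empty CVE list means a non-security fix."""
    hits = []
    for name, reason in table.items():
        if name in installed:
            hits.append((name, installed[name], cves_in(reason)))
    return sorted(hits)


def apt_command(hits, security_only=True):
    """apt-get line pulling the matching packages from the suite the
    announcement points at. Assumes buster-proposed-updates is enabled in
    the host's apt sources. With security_only, rows without a CVE are
    left out (note that key-rollover rebuilds such as shim carry none)."""
    names = [n for n, _, cves in hits if cves or not security_only]
    if not names:
        return None
    return "apt-get install -t buster-proposed-updates " + " ".join(names)


if __name__ == "__main__":
    table = parse_table(ANNOUNCEMENT_EXCERPT)
    hits = triage(table, parse_installed(INSTALLED_EXCERPT))
    for name, version, cves in hits:
        print("%-12s %-26s %s" % (name, version, ", ".join(cves) or "(no CVE)"))
    print(apt_command(hits))
```

Feed the full table and a real `dpkg-query` dump through the same functions to get the per-host list. The CVE filter is only a heuristic for ordering work: rows like shim and fwupd that say "use rotated Debian signing keys" carry no CVE but matter on Secure Boot hosts, so run with `security_only=False` before deciding what to skip.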