[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SUA 185-1] Upcoming Debian 10 Update (10.5)

Debian Stable Updates Announcement SUA 185-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
July 28th, 2020

Upcoming Debian 10 Update (10.5)

An update to Debian 10 is scheduled for Saturday, August 1st, 2020. As of now
it will include the following bug fixes. They can be found in "buster-
proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "buster-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

Several packages have been rebuilt as part of the point release as part of
a planned rollover of Debian's Secure Boot signing keys.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following

  Package                    Reason
  -------                    ------

  appstream-glib             Fix build failures in 2020 and later

  asunder                    Use gnudb instead of freedb by default

  b43-fwcutter               Ensure removal succeeds under non-English
                             locales; do not fail removal if some files no
                             longer exist; fix missing dependencies on
                             pciutils and ca-certificates

  balsa                      Provide server identity when validating
                             certificates, allowing successful validation
                             when using the glib-networking patch for

  base-files                 Update for the point release

  batik                      Fix server-side request forgery via xlink:href
                             attributes [CVE-2019-17566]

  borgbackup                 Fix index corruption bug leading to data loss

  bundler                    Update required version of ruby-molinillo

  c-icap-modules             Add support for ClamAV 0.102

  ca-certificates            Update Mozilla CA bundle to 2.40, blacklist
                             distrusted Symantec roots and expired "AddTrust
                             External Root"

  cacti                      Fix issue where UNIX timestamps after September
                             13th 2020 were rejected as graph start / end;
                             fix remote code execution [CVE-2020-7237],
                             cross-site scripting [CVE-2020-7106], CSRF
                             issue [CVE-2020-13231]; disabling a user
                             account does not immediately invalidate
                             permissions [CVE-2020-13230]

  calamares-settings-debian  Enable displaymanager module, fixing autologin
                             options; use xdg-user-dir to specify Desktop

  clamav                     New upstream release; security fixes
                             [CVE-2020-3327 CVE-2020-3341 CVE-2020-3350
                             CVE-2020-3327 CVE-2020-3481]

  cloud-init                 New upstream release

  commons-configuration2     Prevent object creation when loading YAML files

  confget                    Fix the Python module's handling of values
                             containing "="

  dbus                       New upstream stable release; prevent a denial
                             of service issue [CVE-2020-12049]; prevent use-
                             after-free if two usernames share a uid

  debian-edu-config          Fix loss of dynamically allocated IPv4 address

  debian-ports-archive-      Increase the expiration date of the 2020 key
    keyring                  (84C573CD4E1AFD6C) by one year; add "Debian
                             Ports Archive Automatic Signing Key (2021);
                             move the 2018 key (ID: 06AED62430CB581C) to the
                             removed keyring

  debian-security-support    Update support status of several packages

  dpdk                       New upstream release

  exiv2                      Adjust overly restrictive security patch
                             [CVE-2018-10958 and CVE-2018-10999]; fix denial
                             of service issue [CVE-2018-16336]

  fdroidserver               Fix Litecoin address validation

  file-roller                Security fix [CVE-2020-11736]

  freerdp2                   Fix smartcard logins; security fixes
                             [CVE-2020-11521 CVE-2020-11522 CVE-2020-11523
                             CVE-2020-11524 CVE-2020-11525 CVE-2020-11526]

  fwupd                      New upstream release; fix possible signature
                             verification issue [CVE-2020-10759]; use rotated
                             Debian signing keys

  fwupd-amd64-signed         New upstream release; fix possible signature
                             verification issue [CVE-2020-10759]; use rotated
                             Debian signing keys

  fwupd-arm64-signed         New upstream release; fix possible signature
                             verification issue [CVE-2020-10759]; use rotated
                             Debian signing keys

  fwupd-armhf-signed         New upstream release; fix possible signature
                             verification issue [CVE-2020-10759]; use rotated
                             Debian signing keys

  fwupd-i386-signed          New upstream release; fix possible signature
                             verification issue [CVE-2020-10759]; use rotated
                             Debian signing keys

  fwupdate                   Use rotated Debian signing keys

  fwupdate-amd64-signed      Use rotated Debian signing keys

  fwupdate-arm64-signed      Use rotated Debian signing keys

  fwupdate-armhf-signed      Use rotated Debian signing keys

  fwupdate-i386-signed       Use rotated Debian signing keys

  gist                       Avoid deprecated authorization API

  glib-networking            Return bad identity error if identity is unset
                             [CVE-2020-13645]; break balsa older than
                             2.5.6-2+deb10u1 as the fix for CVE-2020-13645
                             breaks balsa's certificate verification

  gnutls28                   Fix TL1.2 resumption errors; fix memory leak;
                             handle zero length session tickets, fixing
                             connection errors on TLS1.2 sessions to some
                             big hosting providers; fix verification error
                             with alternate chains

  intel-microcode            Downgrade some microcodes to previously issued
                             versions, working around hangs on boot on
                             Skylake-U/Y and Skylake Xeon E3

  jackson-databind           Fix multiple security issues affecting
                             BeanDeserializerFactory [CVE-2020-9548
                             CVE-2020-9547 CVE-2020-9546 CVE-2020-8840
                             CVE-2020-14195 CVE-2020-14062 CVE-2020-14061
                             CVE-2020-14060 CVE-2020-11620 CVE-2020-11619
                             CVE-2020-11113 CVE-2020-11112 CVE-2020-11111
                             CVE-2020-10969 CVE-2020-10968 CVE-2020-10673
                             CVE-2020-10672 CVE-2019-20330 CVE-2019-17531

  jameica                    Add mckoisqldb to classpath, allowing use of
                             SynTAX plugin

  jigdo                      Fix HTTPS support in jigdo-lite and jigdo-

  ksh                        Fix environment variable restriction issue

  lemonldap-ng               Fix nginx configuration regression introduced
                             by CVE-2019-19791 fix

  libapache-mod-jk           Rename Apache configuration file so it can be
                             automatically enabled and disabled

  libclamunrar               New upstream stable release; add an unversioned

  libembperl-perl            Handle error pages from Apache >= 2.4.40

  libexif                    Security fixes [CVE-2020-12767 CVE-2020-0093
                             CVE-2020-13112 CVE-2020-13113 CVE-2020-13114];
                             fix buffer overflow [CVE-2020-0182] and integer
                             overflow [CVE-2020-0198]

  libinput                   Quirks: add trackpoint integration attribute

  libntlm                    Fix buffer overflow [CVE-2019-17455]

  libpam-radius-auth         Fix buffer overflow in password field

  libunwind                  Fix segfaults on mips; manually enable C++
                             exception support only on i386 and amd64

  libyang                    Fix cache corruption crash, CVE-2019-19333,

  linux                      New upstream stable release

  linux-latest               Update for 4.19.0-10 kernel ABI

  linux-signed-amd64         New upstream stable release

  linux-signed-arm64         New upstream stable release

  linux-signed-i386          New upstream stable release

  lirc                       Fix conffile management

  mailutils                  maidag: drop setuid privileges for all delivery
                             operations but mda [CVE-2019-18862]

  mariadb-10.3               New upstream stable release; security fixes
                             [CVE-2020-2752 CVE-2020-2760 CVE-2020-2812
                             CVE-2020-2814 CVE-2020-13249]; fix regression
                             in RocksDB ZSTD detection

  mod-gnutls                 Fix a possible segfault on failed TLS
                             handshake; fix test failures

  multipath-tools            kpartx: use correct path to partx in udev rule

  mutt                       Don't check IMAP PREAUTH encryption if $tunnel
                             is in use

  mydumper                   Link against libm

  nfs-utils                  statd: take user-id from /var/lib/nfs/sm
                             [CVE-2019-3689]; don't make /var/lib/nfs owned
                             by statd

  nginx                      Fix error page request smuggling vulnerability

  nmap                       Update default key size to 2048 bits

  node-dot-prop              Fix regression introduced in CVE-2020-8116 fix

  node-handlebars            Disallow calling "helperMissing" and
                             "blockHelperMissing" directly [CVE-2019-19919]

  node-minimist              Fix prototype pollution [CVE-2020-7598]

  nvidia-graphics-drivers    New upstream stable release; security fixes
                             [CVE-2020-5963 CVE-2020-5967]

  nvidia-graphics-drivers-   New upstream stable release; security fixes
    legacy-s390xx            [CVE-2020-5963 CVE-2020-5967]

  openstack-debian-images    Install resolvconf if installing cloud-init

  pagekite                   Avoid issues with expiry of shipped SSL
                             certificates by using those from the ca-
                             certificates package

  pdfchain                   Fix crash at startup

  perl                       Fix multiple regular expression related
                             security issues [CVE-2020-10543 CVE-2020-10878

  php-horde                  Fix cross-site scripting vulnerability

  php-horde-gollem           Fix cross-site scripting vulnerability in
                             breadcrumb output [CVE-2020-8034]

  pillow                     Fix multiple out-of-bounds read issues
                             [CVE-2020-11538 CVE-2020-10378 CVE-2020-10177]

  policyd-rate-limit         Fix issues in accounting due to socket reuse

  postfix                    New upstream stable release; fix segfault in
                             the tlsproxy client role when the server role
                             was disabled; fix "maillog_file_rotate_suffix
                             default value used the minute instead of the
                             month"; fix several TLS related issues;
                             README.Debian fixes

  python-markdown2           Fix cross-site scripting issue [CVE-2020-11888]

  python3.7                  Avoid infinite loop when reading specially
                             crafted TAR files using the tarfile module
                             [CVE-2019-20907]; resolve hash collisions for
                             IPv4Interface and IPv6Interface
                             [CVE-2020-14422]; fix denial of service issue
                             in urllib.request.AbstractBasicAuthHandler

  qdirstat                   Fix saving of user configured MIME categories

  raspi3-firmware            Fix typo that could lead to unbootable systems

  resource-agents            IPsrcaddr: make proto optional to fix
                             regression when used without NetworkManager

  ruby-json                  Fix unsafe object creation vulnerability

  shim                       Use rotated Debian signing keys

  shim-helpers-amd64-signed  Use rotated Debian signing keys

  shim-helpers-arm64-signed  Use rotated Debian signing keys

  shim-helpers-i386-signed   Use rotated Debian signing keys

  speedtest-cli              Pass correct headers to fix upload speed test

  ssvnc                      Fix out-of-bounds write [CVE-2018-20020],
                             infinite loop [CVE-2018-20021], improper
                             initialisation [CVE-2018-20022], potential
                             denial-of-service [CVE-2018-20024]

  storebackup                Fix possible privilege escalation vulnerability

  suricata                   Fix dropping privileges in nflog runmode

  tigervnc                   Don't use libunwind on armel, armhf or arm64

  transmission               Fix possible denial of service issue

  wav2cdr                    Use C99 fixed-size integer types to fix runtime
                             assertion on 64bit architectures other than
                             amd64 and alpha

  zipios++                   Security fix [CVE-2019-13453]

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:


Removed packages

The following packages will be removed due to circumstances beyond our

  Package                    Reason
  -------                    ------

  janus                      Not supportable in stable

  mathematica-fonts          Relies on unavailable download location

  selenium-firefoxdriver     Incompatible with newer Firefox ESR versions

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: