[SUA 185-1] Upcoming Debian 10 Update (10.5)

----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 185-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
July 28th, 2020
----------------------------------------------------------------------------

Upcoming Debian 10 Update (10.5)

An update to Debian 10 is scheduled for Saturday, August 1st, 2020. As of now
it will include the following bug fixes. They can be found in
"buster-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "buster-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

Several packages have been rebuilt for the point release as part of a planned
rollover of Debian's Secure Boot signing keys.

The point release will also include a rebuild of debian-installer.


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

  Package                    Reason
  -------                    ------

  appstream-glib             Fix build failures in 2020 and later

  asunder                    Use gnudb instead of freedb by default

  b43-fwcutter               Ensure removal succeeds under non-English
                             locales; do not fail removal if some files no
                             longer exist; fix missing dependencies on
                             pciutils and ca-certificates

  balsa                      Provide server identity when validating
                             certificates, allowing successful validation
                             when using the glib-networking patch for
                             CVE-2020-13645

  base-files                 Update for the point release

  batik                      Fix server-side request forgery via xlink:href
                             attributes [CVE-2019-17566]

  borgbackup                 Fix index corruption bug leading to data loss

  bundler                    Update required version of ruby-molinillo

  c-icap-modules             Add support for ClamAV 0.102

  ca-certificates            Update Mozilla CA bundle to 2.40, blacklist
                             distrusted Symantec roots and expired "AddTrust
                             External Root"

  cacti                      Fix issue where UNIX timestamps after September
                             13th 2020 were rejected as graph start / end;
                             fix remote code execution [CVE-2020-7237],
                             cross-site scripting [CVE-2020-7106], CSRF
                             issue [CVE-2020-13231]; fix issue where
                             disabling a user account did not immediately
                             invalidate its permissions [CVE-2020-13230]

  calamares-settings-debian  Enable displaymanager module, fixing autologin
                             options; use xdg-user-dir to specify Desktop
                             directory

  clamav                     New upstream release; security fixes
                             [CVE-2020-3327 CVE-2020-3341 CVE-2020-3350
                             CVE-2020-3327 CVE-2020-3481]

  cloud-init                 New upstream release

  commons-configuration2     Prevent object creation when loading YAML files
                             [CVE-2020-1953]

  confget                    Fix the Python module's handling of values
                             containing "="

  dbus                       New upstream stable release; prevent a denial
                             of service issue [CVE-2020-12049]; prevent
                             use-after-free if two usernames share a uid

  debian-edu-config          Fix loss of dynamically allocated IPv4 address

  debian-ports-archive-      Increase the expiration date of the 2020 key
    keyring                  (84C573CD4E1AFD6C) by one year; add "Debian
                             Ports Archive Automatic Signing Key (2021)";
                             move the 2018 key (ID: 06AED62430CB581C) to the
                             removed keyring

  debian-security-support    Update support status of several packages

  dpdk                       New upstream release

  exiv2                      Adjust overly restrictive security patch
                             [CVE-2018-10958 and CVE-2018-10999]; fix denial
                             of service issue [CVE-2018-16336]

  fdroidserver               Fix Litecoin address validation

  file-roller                Security fix [CVE-2020-11736]

  freerdp2                   Fix smartcard logins; security fixes
                             [CVE-2020-11521 CVE-2020-11522 CVE-2020-11523
                             CVE-2020-11524 CVE-2020-11525 CVE-2020-11526]

  fwupd                      New upstream release; fix possible signature
                             verification issue [CVE-2020-10759]; use rotated
                             Debian signing keys

  fwupd-amd64-signed         New upstream release; fix possible signature
                             verification issue [CVE-2020-10759]; use rotated
                             Debian signing keys

  fwupd-arm64-signed         New upstream release; fix possible signature
                             verification issue [CVE-2020-10759]; use rotated
                             Debian signing keys

  fwupd-armhf-signed         New upstream release; fix possible signature
                             verification issue [CVE-2020-10759]; use rotated
                             Debian signing keys

  fwupd-i386-signed          New upstream release; fix possible signature
                             verification issue [CVE-2020-10759]; use rotated
                             Debian signing keys

  fwupdate                   Use rotated Debian signing keys

  fwupdate-amd64-signed      Use rotated Debian signing keys

  fwupdate-arm64-signed      Use rotated Debian signing keys

  fwupdate-armhf-signed      Use rotated Debian signing keys

  fwupdate-i386-signed       Use rotated Debian signing keys

  gist                       Avoid deprecated authorization API

  glib-networking            Return bad identity error if identity is unset
                             [CVE-2020-13645]; break balsa older than
                             2.5.6-2+deb10u1 as the fix for CVE-2020-13645
                             breaks balsa's certificate verification

  gnutls28                   Fix TLS1.2 resumption errors; fix memory leak;
                             handle zero length session tickets, fixing
                             connection errors on TLS1.2 sessions to some
                             big hosting providers; fix verification error
                             with alternate chains

  intel-microcode            Downgrade some microcodes to previously issued
                             versions, working around hangs on boot on
                             Skylake-U/Y and Skylake Xeon E3

  jackson-databind           Fix multiple security issues affecting
                             BeanDeserializerFactory [CVE-2020-9548
                             CVE-2020-9547 CVE-2020-9546 CVE-2020-8840
                             CVE-2020-14195 CVE-2020-14062 CVE-2020-14061
                             CVE-2020-14060 CVE-2020-11620 CVE-2020-11619
                             CVE-2020-11113 CVE-2020-11112 CVE-2020-11111
                             CVE-2020-10969 CVE-2020-10968 CVE-2020-10673
                             CVE-2020-10672 CVE-2019-20330 CVE-2019-17531
                             CVE-2019-17267]

  jameica                    Add mckoisqldb to classpath, allowing use of
                             SynTAX plugin

  jigdo                      Fix HTTPS support in jigdo-lite and jigdo-mirror

  ksh                        Fix environment variable restriction issue
                             [CVE-2019-14868]

  lemonldap-ng               Fix nginx configuration regression introduced
                             by CVE-2019-19791 fix

  libapache-mod-jk           Rename Apache configuration file so it can be
                             automatically enabled and disabled

  libclamunrar               New upstream stable release; add an unversioned
                             meta-package

  libembperl-perl            Handle error pages from Apache >= 2.4.40

  libexif                    Security fixes [CVE-2020-12767 CVE-2020-0093
                             CVE-2020-13112 CVE-2020-13113 CVE-2020-13114];
                             fix buffer overflow [CVE-2020-0182] and integer
                             overflow [CVE-2020-0198]

  libinput                   Quirks: add trackpoint integration attribute

  libntlm                    Fix buffer overflow [CVE-2019-17455]

  libpam-radius-auth         Fix buffer overflow in password field
                             [CVE-2015-9542]

  libunwind                  Fix segfaults on mips; manually enable C++
                             exception support only on i386 and amd64

  libyang                    Fix cache corruption crash [CVE-2019-19333
                             CVE-2019-19334]

  linux                      New upstream stable release

  linux-latest               Update for 4.19.0-10 kernel ABI

  linux-signed-amd64         New upstream stable release

  linux-signed-arm64         New upstream stable release

  linux-signed-i386          New upstream stable release

  lirc                       Fix conffile management

  mailutils                  maidag: drop setuid privileges for all delivery
                             operations but mda [CVE-2019-18862]

  mariadb-10.3               New upstream stable release; security fixes
                             [CVE-2020-2752 CVE-2020-2760 CVE-2020-2812
                             CVE-2020-2814 CVE-2020-13249]; fix regression
                             in RocksDB ZSTD detection

  mod-gnutls                 Fix a possible segfault on failed TLS
                             handshake; fix test failures

  multipath-tools            kpartx: use correct path to partx in udev rule

  mutt                       Don't check IMAP PREAUTH encryption if $tunnel
                             is in use

  mydumper                   Link against libm

  nfs-utils                  statd: take user-id from /var/lib/nfs/sm
                             [CVE-2019-3689]; don't make /var/lib/nfs owned
                             by statd

  nginx                      Fix error page request smuggling vulnerability
                             [CVE-2019-20372]

  nmap                       Update default key size to 2048 bits

  node-dot-prop              Fix regression introduced in CVE-2020-8116 fix

  node-handlebars            Disallow calling "helperMissing" and
                             "blockHelperMissing" directly [CVE-2019-19919]

  node-minimist              Fix prototype pollution [CVE-2020-7598]

  nvidia-graphics-drivers    New upstream stable release; security fixes
                             [CVE-2020-5963 CVE-2020-5967]

  nvidia-graphics-drivers-   New upstream stable release; security fixes
    legacy-390xx             [CVE-2020-5963 CVE-2020-5967]

  openstack-debian-images    Install resolvconf if installing cloud-init

  pagekite                   Avoid issues with expiry of shipped SSL
                             certificates by using those from the
                             ca-certificates package

  pdfchain                   Fix crash at startup

  perl                       Fix multiple regular expression related
                             security issues [CVE-2020-10543 CVE-2020-10878
                             CVE-2020-12723]

  php-horde                  Fix cross-site scripting vulnerability
                             [CVE-2020-8035]

  php-horde-gollem           Fix cross-site scripting vulnerability in
                             breadcrumb output [CVE-2020-8034]

  pillow                     Fix multiple out-of-bounds read issues
                             [CVE-2020-11538 CVE-2020-10378 CVE-2020-10177]

  policyd-rate-limit         Fix issues in accounting due to socket reuse

  postfix                    New upstream stable release; fix segfault in
                             the tlsproxy client role when the server role
                             was disabled; fix "maillog_file_rotate_suffix
                             default value used the minute instead of the
                             month"; fix several TLS related issues;
                             README.Debian fixes

  python-markdown2           Fix cross-site scripting issue [CVE-2020-11888]

  python3.7                  Avoid infinite loop when reading specially
                             crafted TAR files using the tarfile module
                             [CVE-2019-20907]; resolve hash collisions for
                             IPv4Interface and IPv6Interface
                             [CVE-2020-14422]; fix denial of service issue
                             in urllib.request.AbstractBasicAuthHandler
                             [CVE-2020-8492]

  qdirstat                   Fix saving of user configured MIME categories

  raspi3-firmware            Fix typo that could lead to unbootable systems

  resource-agents            IPsrcaddr: make proto optional to fix
                             regression when used without NetworkManager

  ruby-json                  Fix unsafe object creation vulnerability
                             [CVE-2020-10663]

  shim                       Use rotated Debian signing keys

  shim-helpers-amd64-signed  Use rotated Debian signing keys

  shim-helpers-arm64-signed  Use rotated Debian signing keys

  shim-helpers-i386-signed   Use rotated Debian signing keys

  speedtest-cli              Pass correct headers to fix upload speed test

  ssvnc                      Fix out-of-bounds write [CVE-2018-20020],
                             infinite loop [CVE-2018-20021], improper
                             initialisation [CVE-2018-20022], potential
                             denial-of-service [CVE-2018-20024]

  storebackup                Fix possible privilege escalation vulnerability
                             [CVE-2020-7040]

  suricata                   Fix dropping privileges in nflog runmode

  tigervnc                   Don't use libunwind on armel, armhf or arm64

  transmission               Fix possible denial of service issue
                             [CVE-2018-10756]

  wav2cdr                    Use C99 fixed-size integer types to fix runtime
                             assertion on 64-bit architectures other than
                             amd64 and alpha

  zipios++                   Security fix [CVE-2019-13453]


A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>


Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

  Package                    Reason
  -------                    ------

  janus                      Not supportable in stable

  mathematica-fonts          Relies on unavailable download location

  selenium-firefoxdriver     Incompatible with newer Firefox ESR versions


If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
