----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 186-1 https://www.debian.org/
debian-release@lists.debian.org Adam D. Barratt
September 21st, 2020
----------------------------------------------------------------------------
Upcoming Debian 10 Update (10.6)
--------------------------------
An update to Debian 10 is scheduled for Saturday, September 26th, 2020. As of
now it will include the following bug fixes. They can be found in
"buster-proposed-updates", which is carried by all official mirrors.
Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "buster-updates".
Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.
The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------
This stable update adds a few important corrections to the following
packages:
Package                    Reason
-------                    ------
arch-test                  Fix s390x detection sometimes failing
asterisk                   Fix crash when negotiating for T.38 with a
                           declined stream [CVE-2019-15297], "SIP request
                           can change address of a SIP peer"
                           [CVE-2019-18790], "AMI user could execute
                           system commands" [CVE-2019-18610], segfault in
                           pjsip show history with IPv6 peers
bacula                     Fix "oversized digest strings allow a malicious
                           client to cause a heap overflow in the
                           director's memory" [CVE-2020-11061]
base-files                 Update /etc/debian_version for the point
                           release
calamares-settings-debian  Disable displaymanager module
cargo                      New upstream version, to support upcoming
                           Firefox ESR releases
chocolate-doom             Fix missing validation [CVE-2020-14983]
chrony                     Prevent symlink race when writing to the PID
                           file [CVE-2020-14367]; fix temperature reading
diaspora-installer         Use --frozen option to bundle install to use
                           upstream Gemfile.lock; don't exclude
                           Gemfile.lock during upgrades; don't overwrite
                           config/oidc_key.pem during upgrades; make
                           config/schedule.yml writeable
dojo                       Fix prototype pollution in deepCopy method
                           [CVE-2020-5258] and in jqMix method
                           [CVE-2020-5259]
dovecot                    Fix dsync sieve filter sync regression;
                           userdb-passwd: Fix getpwent errno handling
facter                     Change Google GCE Metadata endpoint from
                           "v1beta1" to "v1"
gnome-maps                 Fix an issue with misaligned shape layer
                           rendering
gnome-shell                LoginDialog: Reset auth prompt on VT switch
                           before fade in [CVE-2020-17489]
gnome-weather              Prevent a crash when the locations configured
                           are invalid
grunt                      Use safeLoad when loading YAML files
                           [CVE-2020-7729]
gssdp                      New upstream stable release
gupnp                      New upstream stable release; prevent the
                           "CallStranger" attack [CVE-2020-12695]; require
                           GSSDP 1.0.5
haproxy                    logrotate.conf: use rsyslog helper instead of
                           SysV init script; reject messages where
                           "chunked" is missing from Transfer-Encoding
                           [CVE-2019-18277]
icinga2                    Fix symlink attack [CVE-2020-14004]
incron                     Fix cleanup of zombie processes
inetutils                  Fix remote code execution issue
                           [CVE-2020-10188]
libcommons-compress-java   Fix denial of service issue [CVE-2019-12402]
libdbi-perl                Fix memory corruption in XS functions when Perl
                           stack is reallocated [CVE-2020-14392]; fix a
                           buffer overflow on an overlong DBD class name
                           [CVE-2020-14393]; fix a NULL profile
                           dereference in dbi_profile() [CVE-2019-20919]
libvncserver               libvncclient: bail out if UNIX socket name
                           would overflow [CVE-2019-20839]; fix pointer
                           aliasing/alignment issue [CVE-2020-14399];
                           limit max textchat size [CVE-2020-14405];
                           libvncserver: add missing NULL pointer checks
                           [CVE-2020-14397]; fix pointer
                           aliasing/alignment issue [CVE-2020-14400];
                           scale: cast to 64 bit before shifting
                           [CVE-2020-14401]; prevent OOB accesses
                           [CVE-2020-14402 CVE-2020-14403 CVE-2020-14404]
libx11                     Security fixes [CVE-2020-14344 CVE-2020-14363]
lighttpd                   Backport several usability and security fixes
linux                      New upstream stable release; increase ABI to 11
linux-latest               Update for -11 Linux kernel ABI
linux-signed-amd64         New upstream stable release
linux-signed-arm64         New upstream stable release
linux-signed-i386          New upstream stable release
llvm-toolchain-7           New upstream release, to support upcoming
                           Firefox ESR releases; fix bugs affecting rustc
                           build
lucene-solr                Fix security issue in DataImportHandler
                           configuration handling [CVE-2019-0193]
milkytracker               Fix heap overflow [CVE-2019-14464], stack
                           overflow [CVE-2019-14496], heap overflow
                           [CVE-2019-14497], use after free
                           [CVE-2020-15569]
node-bl                    Fix over-read vulnerability [CVE-2020-8244]
node-elliptic              Prevent malleability and overflows
                           [CVE-2020-13822]
node-mysql                 Add localInfile option to control LOAD DATA
                           LOCAL INFILE [CVE-2019-14939]
node-url-parse             Fix insufficient validation and sanitization of
                           user input [CVE-2020-8124]
npm                        Don't show password in logs [CVE-2020-15095]
orocos-kdl                 Remove explicit inclusion of default include
                           path, fixing issues with cmake < 3.16
postgresql-11              New upstream stable release; set a secure
                           search_path in logical replication walsenders
                           and apply workers [CVE-2020-14349]; make
                           contrib modules' installation scripts more
                           secure [CVE-2020-14350]
postgresql-common          Don't drop plpgsql before testing extensions
pyzmq                      asyncio: wait for POLLOUT on sender in
                           can_connect
qt4-x11                    Fix buffer overflow in XBM parser
                           [CVE-2020-17507]
qtbase-opensource-src      Fix buffer overflow in XBM parser
                           [CVE-2020-17507]; fix clipboard breaking when
                           timer wraps after 50 days
ros-actionlib              Load YAML safely [CVE-2020-10289]
ruby-ronn                  Fix handling of UTF-8 content in manpages
rustc                      New upstream version, to support upcoming
                           Firefox ESR releases
rust-cbindgen              New upstream version, to support upcoming
                           Firefox ESR releases
s390-tools                 Hardcode perl dependency instead of using
                           ${perl:Depends}, fixing installation under
                           debootstrap
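A triage helper, added here as an example and not part of the announcement or of any Debian tool: it parses the two-column table above into source-package/CVE pairs and keeps only the pairs for source packages installed on a host. The table excerpt and the installed-package list embedded in the script are constructed sample input; the dpkg-query field `${source:Package}` named in the comment is a real dpkg virtual field. The table names source packages, so the comparison must be made against source package names, not binary package names such as libvncserver1.

```shell
#!/bin/sh
# Added example, not part of the Debian announcement: turn an SUA package
# table into "source-package CVE" pairs and cross-check them against the
# source packages installed on a host. Sample data below is constructed.

# Constructed excerpt of the table, in the announcement's two-column layout
# (package name at column 0, reason text wrapped onto indented lines).
SUA_TABLE='Package                    Reason
-------                    ------
chrony                     Prevent symlink race when writing to the PID
                           file [CVE-2020-14367]; fix temperature reading
haproxy                    reject messages where "chunked" is missing from
                           Transfer-Encoding [CVE-2019-18277]
libvncserver               limit max textchat size [CVE-2020-14405];
                           prevent OOB accesses
                           [CVE-2020-14402 CVE-2020-14403 CVE-2020-14404]
linux                      New upstream stable release; increase ABI to 11'

# Constructed output of:  dpkg-query -W -f '${source:Package}\n' | sort -u
# The table lists *source* packages, so match on source:Package rather
# than on the binary package name (libvncserver1, linux-image-amd64, ...).
INSTALLED='bash
chrony
libvncserver
linux'

# Print "source-package CVE-id", one pair per line. A line starting in
# column 0 names a new package; any line may carry zero or more CVE ids,
# including several inside one pair of brackets.
sua_cves() {
    printf '%s\n' "$1" | awk '
        /^[^ \t]/ { pkg = $1 }
        {
            rest = $0
            while (match(rest, /CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]+/)) {
                print pkg, substr(rest, RSTART, RLENGTH)
                rest = substr(rest, RSTART + RLENGTH)
            }
        }'
}

# Keep only the pairs whose source package is installed here.
# $1 = announcement table, $2 = newline-separated installed source packages.
# Installed names are fed first (tagged I), then the CVE pairs (tagged C).
affected_installed() {
    {
        printf '%s\n' "$2" | sed 's/^/I /'
        sua_cves "$1" | sed 's/^/C /'
    } | awk '
        $1 == "I" { have[$2] = 1; next }
        $1 == "C" && ($2 in have) { print $2, $3 }'
}

# With the constructed data this prints chrony once and libvncserver four
# times; haproxy is not installed and linux has no CVE in its entry.
affected_installed "$SUA_TABLE" "$INSTALLED"
```

To test the fixes before the point release, add the suite named in the announcement to APT's sources, for example `deb http://deb.debian.org/debian buster-proposed-updates main`, run `apt-get update`, and upgrade the packages the script reports. Entries without a CVE identifier (kernel ABI bumps, toolchain refreshes) are not picked up by the regex, so read those rows by hand.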
A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:
<https://release.debian.org/proposed-updates/stable.html>
If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".