----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 186-1          https://www.debian.org/
debian-release@lists.debian.org                               Adam D. Barratt
September 21st, 2020
----------------------------------------------------------------------------

Upcoming Debian 10 Update (10.6)

An update to Debian 10 is scheduled for Saturday, September 26th, 2020. As
of now it will include the following bug fixes. They can be found in
"buster-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "buster-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package                    Reason
-------                    ------
arch-test                  Fix s390x detection sometimes failing
asterisk                   Fix crash when negotiating for T.38 with a
                           declined stream [CVE-2019-15297], "SIP request
                           can change address of a SIP peer"
                           [CVE-2019-18790], "AMI user could execute
                           system commands" [CVE-2019-18610], segfault in
                           pjsip show history with IPv6 peers
bacula                     Fix "oversized digest strings allow a malicious
                           client to cause a heap overflow in the
                           director's memory" [CVE-2020-11061]
base-files                 Update /etc/debian_version for the point release
calamares-settings-debian  Disable displaymanager module
cargo                      New upstream version, to support upcoming
                           Firefox ESR releases
chocolate-doom             Fix missing validation [CVE-2020-14983]
chrony                     Prevent symlink race when writing to the PID
                           file [CVE-2020-14367]; fix temperature reading
diaspora-installer         Use --frozen option to bundle install to use
                           upstream Gemfile.lock; don't exclude
                           Gemfile.lock during upgrades; don't overwrite
                           config/oidc_key.pem during upgrades; make
                           config/schedule.yml writeable
dojo                       Fix prototype pollution in deepCopy method
                           [CVE-2020-5258] and in jqMix method
                           [CVE-2020-5259]
dovecot                    Fix dsync sieve filter sync regression;
                           userdb-passwd: Fix getpwent errno handling
facter                     Change Google GCE Metadata endpoint from
                           "v1beta1" to "v1"
gnome-maps                 Fix an issue with misaligned shape layer
                           rendering
gnome-shell                LoginDialog: Reset auth prompt on VT switch
                           before fade in [CVE-2020-17489]
gnome-weather              Prevent a crash when the locations configured
                           are invalid
grunt                      Use safeLoad when loading YAML files
                           [CVE-2020-7729]
gssdp                      New upstream stable release
gupnp                      New upstream stable release; prevent the
                           "CallStranger" attack [CVE-2020-12695]; require
                           GSSDP 1.0.5
haproxy                    logrotate.conf: use rsyslog helper instead of
                           SysV init script; reject messages where
                           "chunked" is missing from Transfer-Encoding
                           [CVE-2019-18277]
icinga2                    Fix symlink attack [CVE-2020-14004]
incron                     Fix cleanup of zombie processes
inetutils                  Fix remote code execution issue
                           [CVE-2020-10188]
libcommons-compress-java   Fix denial of service issue [CVE-2019-12402]
libdbi-perl                Fix memory corruption in XS functions when Perl
                           stack is reallocated [CVE-2020-14392]; fix a
                           buffer overflow on an overlong DBD class name
                           [CVE-2020-14393]; fix a NULL profile
                           dereference in dbi_profile() [CVE-2019-20919]
libvncserver               libvncclient: bail out if UNIX socket name
                           would overflow [CVE-2019-20839]; fix pointer
                           aliasing/alignment issue [CVE-2020-14399];
                           limit max textchat size [CVE-2020-14405];
                           libvncserver: add missing NULL pointer checks
                           [CVE-2020-14397]; fix pointer
                           aliasing/alignment issue [CVE-2020-14400];
                           scale: cast to 64 bit before shifting
                           [CVE-2020-14401]; prevent OOB accesses
                           [CVE-2020-14402 CVE-2020-14403 CVE-2020-14404]
libx11                     Security fixes [CVE-2020-14344 CVE-2020-14363]
lighttpd                   Backport several usability and security fixes
linux                      New upstream stable release; increase ABI to 11
linux-latest               Update for -11 Linux kernel ABI
linux-signed-amd64         New upstream stable release
linux-signed-arm64         New upstream stable release
linux-signed-i386          New upstream stable release
llvm-toolchain-7           New upstream release, to support upcoming
                           Firefox ESR releases; fix bugs affecting rustc
                           build
lucene-solr                Fix security issue in DataImportHandler
                           configuration handling [CVE-2019-0193]
milkytracker               Fix heap overflow [CVE-2019-14464], stack
                           overflow [CVE-2019-14496], heap overflow
                           [CVE-2019-14497], use after free
                           [CVE-2020-15569]
node-bl                    Fix over-read vulnerability [CVE-2020-8244]
node-elliptic              Prevent malleability and overflows
                           [CVE-2020-13822]
node-mysql                 Add localInfile option to control LOAD DATA
                           LOCAL INFILE [CVE-2019-14939]
node-url-parse             Fix insufficient validation and sanitization of
                           user input [CVE-2020-8124]
npm                        Don't show password in logs [CVE-2020-15095]
orocos-kdl                 Remove explicit inclusion of default include
                           path, fixing issues with cmake < 3.16
postgresql-11              New upstream stable release; set a secure
                           search_path in logical replication walsenders
                           and apply workers [CVE-2020-14349]; make
                           contrib modules' installation scripts more
                           secure [CVE-2020-14350]
postgresql-common          Don't drop plpgsql before testing extensions
pyzmq                      asyncio: wait for POLLOUT on sender in
                           can_connect
qt4-x11                    Fix buffer overflow in XBM parser
                           [CVE-2020-17507]
qtbase-opensource-src      Fix buffer overflow in XBM parser
                           [CVE-2020-17507]; fix clipboard breaking when
                           timer wraps after 50 days
ros-actionlib              Load YAML safely [CVE-2020-10289]
ruby-ronn                  Fix handling of UTF-8 content in manpages
rustc                      New upstream version, to support upcoming
                           Firefox ESR releases
rust-cbindgen              New upstream version, to support upcoming
                           Firefox ESR releases
s390-tools                 Hardcode perl dependency instead of using
                           ${perl:Depends}, fixing installation under
                           debootstrap

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

<https://release.debian.org/proposed-updates/stable.html>

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".