[SUA 186-1] Upcoming Debian 10 Update (10.6)

Debian Stable Updates Announcement SUA 186-1
debian-release@lists.debian.org                              Adam D. Barratt
September 21st, 2020

Upcoming Debian 10 Update (10.6)

An update to Debian 10 is scheduled for Saturday, September 26th, 2020. As of
now it will include the following bug fixes. They can be found in
"buster-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "buster-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following

  Package                    Reason
  -------                    ------

  arch-test                  Fix s390x detection sometimes failing

  asterisk                   Fix crash when negotiating for T.38 with a
                             declined stream [CVE-2019-15297], "SIP request
                             can change address of a SIP peer"
                             [CVE-2019-18790], "AMI user could execute
                             system commands" [CVE-2019-18610], segfault in
                             pjsip show history with IPv6 peers

  bacula                     Fix "oversized digest strings allow a malicious
                             client to cause a heap overflow in the
                             director's memory" [CVE-2020-11061]

  base-files                 Update /etc/debian_version for the point

  calamares-settings-debian  Disable displaymanager module

  cargo                      New upstream version, to support upcoming
                             Firefox ESR releases

  chocolate-doom             Fix missing validation [CVE-2020-14983]

  chrony                     Prevent symlink race when writing to the PID
                             file [CVE-2020-14367]; fix temperature reading

  diaspora-installer         Use --frozen option to bundle install to use
                             upstream Gemfile.lock; don't exclude
                             Gemfile.lock during upgrades; don't overwrite
                             config/oidc_key.pem during upgrades; make
                             config/schedule.yml writeable

  dojo                       Fix prototype pollution in deepCopy method
                             [CVE-2020-5258] and in jqMix method

  dovecot                    Fix dsync sieve filter sync regression;
                             userdb-passwd: Fix getpwent errno handling

  facter                     Change Google GCE Metadata endpoint from
                             "v1beta1" to "v1"

  gnome-maps                 Fix an issue with misaligned shape layer

  gnome-shell                LoginDialog: Reset auth prompt on VT switch
                             before fade in [CVE-2020-17489]

  gnome-weather              Prevent a crash when the locations configured
                             are invalid

  grunt                      Use safeLoad when loading YAML files

  gssdp                      New upstream stable release

  gupnp                      New upstream stable release; prevent the
                             "CallStranger" attack [CVE-2020-12695]; require
                             GSSDP 1.0.5

  haproxy                    logrotate.conf: use rsyslog helper instead of
                             SysV init script; reject messages where
                             "chunked" is missing from Transfer-Encoding

  icinga2                    Fix symlink attack [CVE-2020-14004]

  incron                     Fix cleanup of zombie processes

  inetutils                  Fix remote code execution issue

  libcommons-compress-java   Fix denial of service issue [CVE-2019-12402]

  libdbi-perl                Fix memory corruption in XS functions when Perl
                             stack is reallocated [CVE-2020-14392]; fix a
                             buffer overflow on an overlong DBD class name
                             [CVE-2020-14393]; fix a NULL profile
                             dereference in dbi_profile() [CVE-2019-20919]

  libvncserver               libvncclient: bail out if UNIX socket name
                             would overflow [CVE-2019-20839]; fix pointer
                             aliasing/alignment issue [CVE-2020-14399];
                             limit max textchat size [CVE-2020-14405];
                             libvncserver: add missing NULL pointer checks
                             [CVE-2020-14397]; fix pointer
                             aliasing/alignment issue [CVE-2020-14400];
                             scale: cast to 64 bit before shifting
                             [CVE-2020-14401]; prevent OOB accesses
                             [CVE-2020-14402 CVE-2020-14403 CVE-2020-14404]

  libx11                     Security fixes [CVE-2020-14344 CVE-2020-14363]

  lighttpd                   Backport several usability and security fixes

  linux                      New upstream stable release; increase ABI to 11

  linux-latest               Update for -11 Linux kernel ABI

  linux-signed-amd64         New upstream stable release

  linux-signed-arm64         New upstream stable release

  linux-signed-i386          New upstream stable release

  llvm-toolchain-7           New upstream release, to support upcoming
                             Firefox ESR releases; fix bugs affecting rustc

  lucene-solr                Fix security issue in DataImportHandler
                             configuration handling [CVE-2019-0193]

  milkytracker               Fix heap overflow [CVE-2019-14464], stack
                             overflow [CVE-2019-14496], heap overflow
                             [CVE-2019-14497], use after free

  node-bl                    Fix over-read vulnerability [CVE-2020-8244]

  node-elliptic              Prevent malleability and overflows

  node-mysql                 Add localInfile option to control LOAD DATA
                             LOCAL INFILE [CVE-2019-14939]

  node-url-parse             Fix insufficient validation and sanitization of
                             user input [CVE-2020-8124]

  npm                        Don't show password in logs [CVE-2020-15095]

  orocos-kdl                 Remove explicit inclusion of default include
                             path, fixing issues with cmake < 3.16

  postgresql-11              New upstream stable release; set a secure
                             search_path in logical replication walsenders
                             and apply workers [CVE-2020-14349]; make
                             contrib modules' installation scripts more
                             secure [CVE-2020-14350]

  postgresql-common          Don't drop plpgsql before testing extensions

  pyzmq                      asyncio: wait for POLLOUT on sender in

  qt4-x11                    Fix buffer overflow in XBM parser

  qtbase-opensource-src      Fix buffer overflow in XBM parser
                             [CVE-2020-17507]; fix clipboard breaking when
                             timer wraps after 50 days

  ros-actionlib              Load YAML safely [CVE-2020-10289]

  ruby-ronn                  Fix handling of UTF-8 content in manpages

  rustc                      New upstream version, to support upcoming
                             Firefox ESR releases

  rust-cbindgen              New upstream version, to support upcoming
                             Firefox ESR releases

  s390-tools                 Hardcode perl dependency instead of using
                             ${perl:Depends}, fixing installation under

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:


If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".

