
[SUA 189-1] Upcoming Debian 10 Update (10.7)



----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 189-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
November 30th, 2020
----------------------------------------------------------------------------

Upcoming Debian 10 Update (10.7)

An update to Debian 10 is scheduled for Saturday, December 5th, 2020. As of
now it will include the following bug fixes. They can be found in
"buster-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "buster-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

  Package                    Reason
  -------                    ------

  base-files                 Update for the point release

  choose-mirror              Update mirror list

  cups                       Fix 'printer-alert' invalid free

  dav4tbsync                 New upstream release, compatible with newer
                             Thunderbird versions

  debian-installer           Use 4.19.0-13 Linux kernel ABI; add grub2 to
                             Built-Using

  distro-info-data           Add Ubuntu 21.04, Hirsute Hippo

  dpdk                       New upstream stable release; fix remote code
                             execution issue [CVE-2020-14374], TOCTOU issues
                             [CVE-2020-14375], buffer overflow
                             [CVE-2020-14376], buffer over read
                             [CVE-2020-14377] and integer underflow
                             [CVE-2020-14377]; fix armhf build with NEON

  eas4tbsync                 New upstream release, compatible with newer
                             Thunderbird versions

  edk2                       Fix integer overflow in
                             DxeImageVerificationHandler [CVE-2019-14562]

  efivar                     Add support for nvme-fabrics and nvme-subsystem
                             devices; fix uninitialized variable in
                             parse_acpi_root, avoiding possible segfault

  enigmail                   Introduce migration assistant to Thunderbird's
                             built-in GPG support

  espeak                     Fix using espeak with mbrola-fr4 when mbrola-
                             fr1 is not installed

  fastd                      Fix memory leak when receiving too many invalid
                             packets [CVE-2020-27638]

  fish                       Ensure TTY options are restored on exit

  freecol                    Fix XML External Entity vulnerability
                             [CVE-2018-1000825]

  gajim-omemo                Use 12-byte IV, for better compatibility with
                             iOS clients

  glances                    Listen only on localhost by default

  iptables-persistent        Don't force-load kernel modules; improve rule
                             flushing logic

  lacme                      Use upstream certificate chain instead of a
                             hardcoded one, easing support for new Let's
                             Encrypt root and intermediate certificates

  libdatetime-timezone-perl  Update included data

  libimobiledevice           Add partial support for iOS 14

  libjpeg-turbo              Fix denial of service [CVE-2018-1152], buffer
                             over read [CVE-2018-14498], possible remote
                             code execution [CVE-2019-2201], buffer over
                             read [CVE-2020-13790]

  libxml2                    Fix denial of service [CVE-2017-18258], NULL
                             pointer dereference [CVE-2018-14404], infinite
                             loop [CVE-2018-14567], memory leak
                             [CVE-2019-19956 CVE-2019-20388], infinite loop
                             [CVE-2020-7595]

  linux                      New upstream stable release

  linux-latest               Update for 4.19.0-13 kernel ABI

  linux-signed-amd64         New upstream stable release

  linux-signed-arm64         New upstream stable release

  linux-signed-i386          New upstream stable release

  lmod                       Change architecture to "any" - required due to
                             LUA_PATH and LUA_CPATH being determined at build
                             time

  mariadb-10.3               New upstream stable release; security fixes
                             [CVE-2020-14765 CVE-2020-14776 CVE-2020-14789
                             CVE-2020-14812 CVE-2020-28912]

  mutt                       Ensure IMAP connection is closed after a
                             connection error [CVE-2020-28896]

  neomutt                    Ensure IMAP connection is closed after a
                             connection error [CVE-2020-28896]

  node-object-path           Fix prototype pollution in set()
                             [CVE-2020-15256]

  node-pathval               Fix prototype pollution [CVE-2020-7751]

  okular                     Fix code execution via action link
                             [CVE-2020-9359]

  openjdk-11                 New upstream release

  partman-auto               Increase /boot sizes in most recipes to between
                             512 and 768M, to better handle kernel ABI
                             changes and larger initramfses; cap RAM size as
                             used for swap partition calculations, resolving
                             issues on machines with more RAM than disk
                             space

  pcaudiolib                 Cap cancellation latency to 10ms

  plinth                     Apache: Disable mod_status [CVE-2020-25073]

  puma                       Fix HTTP injection and HTTP smuggling issues
                             [CVE-2020-5247 CVE-2020-5249 CVE-2020-11076
                             CVE-2020-11077]

  ros-ros-comm               Fix integer overflow [CVE-2020-16124]

  ruby2.5                    Fix potential HTTP request smuggling
                             vulnerability in WEBrick [CVE-2020-25613]

  sleuthkit                  Fix stack buffer overflow in yaffsfs_istat
                             [CVE-2020-10232]

  sqlite3                    Fix division by zero [CVE-2019-16168], NULL
                             pointer dereference [CVE-2019-19923],
                             mishandling of NULL pathname during an update
                             of a ZIP archive [CVE-2019-19925], mishandling
                             of embedded NULs in filenames [CVE-2019-19959],
                             possible crash with stacking unwinding
                             [CVE-2019-20218], integer overflow
                             [CVE-2020-13434], segmentation fault
                             [CVE-2020-13435], use-after-free issue
                             [CVE-2020-13630], NULL pointer dereference
                             [CVE-2020-13632], heap overflow
                             [CVE-2020-15358]

  systemd                    Basic/cap-list: parse/print numerical
                             capabilities; recognise new capabilities from
                             Linux kernel 5.8; networkd: do not generate MAC
                             for bridge device

  tbsync                     New upstream release, compatible with newer
                             Thunderbird versions

  tcpdump                    Fix untrusted input issue in the PPP printer
                             [CVE-2020-8037]

  tigervnc                   Properly store certificate exceptions in native
                             and java VNC viewer [CVE-2020-26117]

  tor                        New upstream stable release; multiple security,
                             usability, portability, and reliability fixes

  transmission               Fix memory leak

  tzdata                     New upstream release

  ublock-origin              New upstream version; split plugin to browser-
                             specific packages

  vips                       Fix use of uninitialised variable
                             [CVE-2020-20739]


A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>
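The script below is an added example, not part of this announcement or of
Debian's tooling. It parses the fixed-width "Package / Reason" tables used in
these mails, collects the CVE ids named in each row (de-duplicated), and
filters the rows against a list of installed source packages, which is the
first check an administrator wants before testing a point release. The sample
rows are copied from the tables above; the installed-package list is a
constructed stand-in for what "dpkg-query -W -f '${source:Package}\n'"
reports on a real host. Function and variable names are the example's own.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample: rows copied from the SUA 189-1 tables above, keeping
# the original fixed-width layout (package column, then reason column).
SAMPLE_UPDATES = """\
  Package                    Reason
  -------                    ------

  cups                       Fix 'printer-alert' invalid free

  dpdk                       New upstream stable release; fix remote code
                             execution issue [CVE-2020-14374], TOCTOU issues
                             [CVE-2020-14375], buffer overflow
                             [CVE-2020-14376], buffer over read
                             [CVE-2020-14377] and integer underflow
                             [CVE-2020-14377]; fix armhf build with NEON

  mariadb-10.3               New upstream stable release; security fixes
                             [CVE-2020-14765 CVE-2020-14776 CVE-2020-14789
                             CVE-2020-14812 CVE-2020-28912]

  puma                       Fix HTTP injection and HTTP smuggling issues
                             [CVE-2020-5247 CVE-2020-5249 CVE-2020-11076
                             CVE-2020-11077]
"""

SAMPLE_REMOVED = """\
  Package                      Reason
  -------                      ------

  browser-plugin-freshplayer-  Unsupported by browsers; discontinued
    pepperflash                upstream

  nostalgy                     Incompatible with newer Thunderbird versions
"""


def parse_sua_table(text):
    """Parse one 'Package / Reason' table from an SUA mail.

    The header line gives the column offsets.  A row starts at the package
    column; a wrapped package name is indented between the two columns and a
    wrapped reason is indented to the reason column.  Returns a list of
    {"package": ..., "reason": ...} dicts in table order.
    """
    package_col = reason_col = None
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if reason_col is None:
            if re.match(r"Package\s+Reason$", stripped):
                package_col = line.index("Package")
                reason_col = line.index("Reason")
            continue  # ignore anything before the header
        if set(stripped) <= {"-", " "}:
            continue  # the '-------' underline
        indent = len(line) - len(line.lstrip())
        if indent == package_col:
            entries.append({"package": "", "reason": ""})
        if not entries:
            raise ValueError("row text before the first package: %r" % line)
        current = entries[-1]
        if indent >= reason_col:
            name_part, reason_part = "", stripped
        else:
            parts = re.split(r"\s{2,}", stripped, maxsplit=1)
            name_part = parts[0]
            reason_part = parts[1] if len(parts) > 1 else ""
        current["package"] += name_part  # wrapped names join without a space
        if reason_part:
            current["reason"] = (current["reason"] + " " + reason_part).strip()
    return entries


def cves_by_package(entries):
    """Map package name -> sorted, de-duplicated CVE ids from its reason."""
    return {e["package"]: sorted(set(CVE_RE.findall(e["reason"])))
            for e in entries}


def affected_installed(entries, installed_sources):
    """Rows whose package is in installed_sources.

    The tables name source packages, so compare against source names
    (e.g. dpkg-query -W -f '${source:Package}\\n' | sort -u), not binaries.
    """
    wanted = set(installed_sources)
    return [e for e in entries if e["package"] in wanted]


if __name__ == "__main__":
    installed = ["cups", "dpdk", "libxml2"]  # constructed host inventory
    entries = parse_sua_table(SAMPLE_UPDATES)
    for e in affected_installed(entries, installed):
        ids = cves_by_package([e])[e["package"]]
        print(e["package"], ", ".join(ids) or "(no CVE listed)")
```

Run against the full mail, the updates and removals tables are parsed
separately because their column offsets differ; the header line of each
table is what fixes the offsets, so a row layout that drifts from the header
is the first thing to check if a package name looks truncated.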


Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

  Package                      Reason
  -------                      ------

  browser-plugin-freshplayer-  Unsupported by browsers; discontinued
    pepperflash                upstream

  nostalgy                     Incompatible with newer Thunderbird versions

  sieve-extension              Incompatible with newer Thunderbird versions


If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".

Attachment: signature.asc
Description: This is a digitally signed message part
