----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 189-1            https://www.debian.org/
debian-release@lists.debian.org                               Adam D. Barratt
November 30th, 2020
----------------------------------------------------------------------------

Upcoming Debian 10 Update (10.7)

An update to Debian 10 is scheduled for Saturday, December 5th, 2020. As of
now it will include the following bug fixes. They can be found in
"buster-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "buster-updates".

Testing and feedback would be appreciated. Bugs should be filed in the Debian
Bug Tracking System, but please make the Release Team aware of them by
copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package                     Reason
-------                     ------
base-files                  Update for the point release
choose-mirror               Update mirror list
cups                        Fix 'printer-alert' invalid free
dav4tbsync                  New upstream release, compatible with newer
                            Thunderbird versions
debian-installer            Use 4.19.0-13 Linux kernel ABI; add grub2 to
                            Built-Using
distro-info-data            Add Ubuntu 21.04, Hirsute Hippo
dpdk                        New upstream stable release; fix remote code
                            execution issue [CVE-2020-14374], TOCTOU issues
                            [CVE-2020-14375], buffer overflow
                            [CVE-2020-14376], buffer over read
                            [CVE-2020-14377] and integer underflow
                            [CVE-2020-14377]; fix armhf build with NEON
eas4tbsync                  New upstream release, compatible with newer
                            Thunderbird versions
edk2                        Fix integer overflow in
                            DxeImageVerificationHandler [CVE-2019-14562]
efivar                      Add support for nvme-fabrics and nvme-subsystem
                            devices; fix uninitialized variable in
                            parse_acpi_root, avoiding possible segfault
enigmail                    Introduce migration assistant to Thunderbird's
                            built-in GPG support
espeak                      Fix using espeak with mbrola-fr4 when
                            mbrola-fr1 is not installed
fastd                       Fix memory leak when receiving too many invalid
                            packets [CVE-2020-27638]
fish                        Ensure TTY options are restored on exit
freecol                     Fix XML External Entity vulnerability
                            [CVE-2018-1000825]
gajim-omemo                 Use 12-byte IV, for better compatibility with
                            iOS clients
glances                     Listen only on localhost by default
iptables-persistent         Don't force-load kernel modules; improve rule
                            flushing logic
lacme                       Use upstream certificate chain instead of a
                            hardcoded one, easing support for new Let's
                            Encrypt root and intermediate certificates
libdatetime-timezone-perl   Update included data
libimobiledevice            Add partial support for iOS 14
libjpeg-turbo               Fix denial of service [CVE-2018-1152], buffer
                            over read [CVE-2018-14498], possible remote code
                            execution [CVE-2019-2201], buffer over read
                            [CVE-2020-13790]
libxml2                     Fix denial of service [CVE-2017-18258], NULL
                            pointer dereference [CVE-2018-14404], infinite
                            loop [CVE-2018-14567], memory leak
                            [CVE-2019-19956 CVE-2019-20388], infinite loop
                            [CVE-2020-7595]
linux                       New upstream stable release
linux-latest                Update for 4.19.0-13 kernel ABI
linux-signed-amd64          New upstream stable release
linux-signed-arm64          New upstream stable release
linux-signed-i386           New upstream stable release
lmod                        Change architecture to "any" - required due to
                            LUA_PATH and LUA_CPATH being determined at build
                            time
mariadb-10.3                New upstream stable release; security fixes
                            [CVE-2020-14765 CVE-2020-14776 CVE-2020-14789
                            CVE-2020-14812 CVE-2020-28912]
mutt                        Ensure IMAP connection is closed after a
                            connection error [CVE-2020-28896]
neomutt                     Ensure IMAP connection is closed after a
                            connection error [CVE-2020-28896]
node-object-path            Fix prototype pollution in set()
                            [CVE-2020-15256]
node-pathval                Fix prototype pollution [CVE-2020-7751]
okular                      Fix code execution via action link
                            [CVE-2020-9359]
openjdk-11                  New upstream release
partman-auto                Increase /boot sizes in most recipes to between
                            512 and 768M, to better handle kernel ABI
                            changes and larger initramfses; cap RAM size as
                            used for swap partition calculations, resolving
                            issues on machines with more RAM than disk space
pcaudiolib                  Cap cancellation latency to 10ms
plinth                      Apache: Disable mod_status [CVE-2020-25073]
puma                        Fix HTTP injection and HTTP smuggling issues
                            [CVE-2020-5247 CVE-2020-5249 CVE-2020-11076
                            CVE-2020-11077]
ros-ros-comm                Fix integer overflow [CVE-2020-16124]
ruby2.5                     Fix potential HTTP request smuggling
                            vulnerability in WEBrick [CVE-2020-25613]
sleuthkit                   Fix stack buffer overflow in yaffsfs_istat
                            [CVE-2020-10232]
sqlite3                     Fix division by zero [CVE-2019-16168], NULL
                            pointer dereference [CVE-2019-19923],
                            mishandling of NULL pathname during an update of
                            a ZIP archive [CVE-2019-19925], mishandling of
                            embedded NULs in filenames [CVE-2019-19959],
                            possible crash with stack unwinding
                            [CVE-2019-20218], integer overflow
                            [CVE-2020-13434], segmentation fault
                            [CVE-2020-13435], use-after-free issue
                            [CVE-2020-13630], NULL pointer dereference
                            [CVE-2020-13632], heap overflow [CVE-2020-15358]
systemd                     basic/cap-list: parse/print numerical
                            capabilities; recognise new capabilities from
                            Linux kernel 5.8; networkd: do not generate MAC
                            for bridge device
tbsync                      New upstream release, compatible with newer
                            Thunderbird versions
tcpdump                     Fix untrusted input issue in the PPP printer
                            [CVE-2020-8037]
tigervnc                    Properly store certificate exceptions in native
                            and java VNC viewer [CVE-2020-26117]
tor                         New upstream stable release; multiple security,
                            usability, portability, and reliability fixes
transmission                Fix memory leak
tzdata                      New upstream release
ublock-origin               New upstream version; split plugin into
                            browser-specific packages
vips                        Fix use of uninitialised variable
                            [CVE-2020-20739]

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>


Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                                 Reason
-------                                 ------
browser-plugin-freshplayer-pepperflash  Unsupported by browsers;
                                        discontinued upstream
nostalgy                                Incompatible with newer Thunderbird
                                        versions
sieve-extension                         Incompatible with newer Thunderbird
                                        versions


If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".