[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SUA 189-1] Upcoming Debian 10 Update (10.7)

Debian Stable Updates Announcement SUA 189-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
November 30th, 2020

Upcoming Debian 10 Update (10.7)

An update to Debian 10 is scheduled for Saturday, December 5th, 2020. As of
now it will include the following bug fixes. They can be found in "buster-
proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "buster-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following

  Package                    Reason
  -------                    ------

  base-files                 Update for the point release

  choose-mirror              Update mirror list

  cups                       Fix 'printer-alert' invalid free

  dav4tbsync                 New upstream release, compatible with newer
                             Thunderbird versions

  debian-installer           Use 4.19.0-13 Linux kernel ABI; add grub2 to

  distro-info-data           Add Ubuntu 21.04, Hirsute Hippo

  dpdk                       New upstream stable release; fix remote code
                             execution issue [CVE-2020-14374], TOCTOU issues
                             [CVE-2020-14375], buffer overflow
                             [CVE-2020-14376], buffer over read
                             [CVE-2020-14377] and integer underflow
                             [CVE-2020-14377]; fix armhf build with NEON

  eas4tbsync                 New upstream release, compatible with newer
                             Thunderbird versions

  edk2                       Fix integer overflow in
                             DxeImageVerificationHandler [CVE-2019-14562]

  efivar                     Add support for nvme-fabrics and nvme-subsystem
                             devices; fix uninitialized variable in
                             parse_acpi_root, avoiding possible segfault

  enigmail                   Introduce migration assistant to Thunderbird's
                             built-in GPG support

  espeak                     Fix using espeak with mbrola-fr4 when mbrola-
                             fr1 is not installed

  fastd                      Fix memory leak when receiving too many invalid
                             packets [CVE-2020-27638]

  fish                       Ensure TTY options are restored on exit

  freecol                    Fix XML External Entity vulnerability

  gajim-omemo                Use 12-byte IV, for better compatibility with
                             iOS clients

  glances                    Listen only on localhost by default

  iptables-persistent        Don't force-load kernel modules; improve rule
                             flushing logic

  lacme                      Use upstream certificate chain instead of an
                             hardcoded one, easing support for new Let's
                             Encrypt root and intermediate certificates

  libdatetime-timezone-perl  Update included data

  libimobiledevice           Add partial support for iOS 14

  libjpeg-turbo              Fix denial of service [CVE-2018-1152], buffer
                             over read [CVE-2018-14498], possible remote
                             code execution [CVE-2019-2201], buffer over
                             read [CVE-2020-13790]

  libxml2                    Fix denial of service [CVE-2017-18258], NULL
                             pointer dereference [CVE-2018-14404], infinite
                             loop [CVE-2018-14567], memory leak
                             [CVE-2019-19956 CVE-2019-20388], infinite loop

  linux                      New upstream stable release

  linux-latest               Update for 4.19.0-13 kernel ABI

  linux-signed-amd64         New upstream stable release

  linux-signed-arm64         New upstream stable release

  linux-signed-i386          New upstream stable release

  lmod                       Change architecture to "any" - required due to
                             LUA_PATH and LUA_CPATH being determined at build

  mariadb-10.3               New upstream stable release; security fixes
                             [CVE-2020-14765 CVE-2020-14776 CVE-2020-14789
                             CVE-2020-14812 CVE-2020-28912]

  mutt                       Ensure IMAP connection is closed after a
                             connection error [CVE-2020-28896]

  neomutt                    Ensure IMAP connection is closed after a
                             connection error [CVE-2020-28896]

  node-object-path           Fix prototype pollution in set()

  node-pathval               Fix prototype pollution [CVE-2020-7751]

  okular                     Fix code execution via action link

  openjdk-11                 New upstream release

  partman-auto               Increase /boot sizes in most recipes to between
                             512 and 768M, to better handle kernel ABI
                             changes and larger initramfses; cap RAM size as
                             used for swap partition calculations, resolving
                             issues on machines with more RAM than disk

  pcaudiolib                 Cap cancellation latency to 10ms

  plinth                     Apache: Disable mod_status [CVE-2020-25073]

  puma                       Fix HTTP injection and HTTP smuggling issues
                             [CVE-2020-5247 CVE-2020-5249 CVE-2020-11076

  ros-ros-comm               Fix integer overflow [CVE-2020-16124]

  ruby2.5                    Fix potential HTTP request smuggling
                             vulnerability in WEBrick [CVE-2020-25613]

  sleuthkit                  Fix stack buffer overflow in yaffsfs_istat

  sqlite3                    Fix division by zero [CVE-2019-16168], NULL
                             pointer dereference [CVE-2019-19923],
                             mishandling of NULL pathname during an update
                             of a ZIP archive [CVE-2019-19925], mishandling
                             of embedded NULs in filenames [CVE-2019-19959],
                             possible crash with stacking unwinding
                             [CVE-2019-20218], integer overflow
                             [CVE-2020-13434], segmentation fault
                             [CVE-2020-13435], use-after-free issue
                             [CVE-2020-13630], NULL pointer dereference
                             [CVE-2020-13632], heap overflow

  systemd                    Basic/cap-list: parse/print numerical
                             capabilities; recognise new capabilities from
                             Linux kernel 5.8; networkd: do not generate MAC
                             for bridge device

  tbsync                     New upstream release, compatible with newer
                             Thunderbird versions

  tcpdump                    Fix untrusted input issue in the PPP printer

  tigervnc                   Properly store certificate exceptions in native
                             and java VNC viewer [CVE-2020-26117]

  tor                        New upstream stable release; multiple security,
                             usability, portability, and reliability fixes

  transmission               Fix memory leak

  tzdata                     New upstream release

  ublock-origin              New upstream version; split plugin to browser-
                             specific packages

  vips                       Fix use of uninitialised variable

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:


Removed packages

The following packages will be removed due to circumstances beyond our

  Package                      Reason
  -------                      ------

  browser-plugin-freshplayer-  Unsupported by browsers; discontinued
    pepperflash                upstream

  nostalgy                     Incompatible with newer Thunderbird versions

  sieve-extension              Incompatible with newer Thunderbird versions

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: