[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SUA 197-1] Upcoming Debian 10 Update (10.9)

Debian Stable Updates Announcement SUA 197-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
March 22nd, 2021

Upcoming Debian 10 Update (10.9)

An update to Debian 10 is scheduled for Saturday, March 27th, 2021. As o
now it will include the following bug fixes. They can be found in "buster-
proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "buster-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following

  Package                    Reason
  -------                    ------

  avahi                      Remove avahi-daemon-check-dns mechanism, no
                             longer needed

  base-files                 Update /etc/debian_version for the 10.9 point

  cloud-init                 Avoid logging generated passwords to world-
                             readable log files [CVE-2021-3429]

  debian-archive-keyring     Add bullseye keys; retire jessie keys

  debian-installer           Use 4.19.0-16 Linux kernel ABI

  exim4                      Fix use of concurrent TLS connections under
                             GnuTLS; fix TLS certificate verification with
                             CNAMEs; README.Debian: document the
                             limitation/extent of server certificate
                             verification in the default configuration

  fetchmail                  No longer report "System error during
                             SSL_connect(): Success"; remove OpenSSL version

  fwupd                      Add SBAT support

  fwupdate                   Add SBAT support

  gdnsd                      Fix stack overflow with overly-large IPv6
                             addresses [CVE-2019-13952]

  groff                      Rebuild against ghostscript 9.27

  hwloc-contrib              Enable support for ppc64el

  intel-microcode            Update various microcode

  iputils                    Fix ping rounding errors; fix tracepath target

  jquery                     Fix untrusted code execution vulnerabilities
                             [CVE-2020-11022 CVE-2020-11023]

  libbsd                     Fix out-of-bounds read issue [CVE-2019-20367]

  libpano13                  Fix format string vulnerability

  libreoffice                Do not load encodings.py from current directoy

  linux                      New upstream stable release; bump ABI to -16;
                             rotate secure boot signing keys

  linux-latest               Update to -16 kernel ABI

  lirc                       Normalize embedded ${DEB_HOST_MULTIARCH} value
                             in /etc/lirc/lirc_options.conf to find
                             unmodified configuration files on all
                             architectures; recommend gir1.2-vte-2.91
                             instead of non-existant gir1.2-vte

  m2crypto                   Fix test failure with recent OpenSSL

  openafs                    Fix outgoing connections after unix epoch time
                             0x60000000 (14 January 2021)

  portaudio19                Handle EPIPE from
                             alsa_snd_pcm_poll_descriptors, fixing crash

  postgresql-11              New upstream stable release; fix information
                             leakage in constraint-violation error messages
                             [CVE-2021-3393]; fix CREATE INDEX CONCURRENTLY
                             to wait for concurrent prepared transactions

  privoxy                    Security issues [CVE-2020-35502 CVE-2021-20209
                             CVE-2021-20210 CVE-2021-20211 CVE-2021-20212
                             CVE-2021-20213 CVE-2021-20214 CVE-2021-20215
                             CVE-2021-20216 CVE-2021-20217 CVE-2021-20272
                             CVE-2021-20273 CVE-2021-20275 CVE-2021-20276]

  python3.7                  Fix CRLF injection in http.client
                             [CVE-2020-26116]; fix buffer overflow in
                             PyCArg_repr in _ctypes/callproc.c

  redis                      Fix a series of integer overflow issues on
                             32-bit systems [CVE-2021-21309]

  ruby-mechanize             Fix command injection issue [CVE-2021-21289]

  systemd                    core: make sure to restore the control command
                             id, too, fixing a segfault; seccomp: allow
                             turning off of seccomp filtering via an
                             environment variable

  uim                        libuim-data: Perform symlink_to_dir conversion
                             of /usr/share/doc/libuim-data in the
                             resurrected package for clean upgrades from

  xcftools                   Fix integer overflow vulnerability
                             [CVE-2019-5086 CVE-2019-5087]

  xterm                      Correct upper-limit for selection buffer,
                             accounting for combining characters

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:


If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: