[SUA 200-1] Upcoming Debian 10 Update (10.10)

Debian Stable Updates Announcement SUA 200-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
June 14th, 2021

Upcoming Debian 10 Update (10.10)

An update to Debian 10 is scheduled for Saturday, June 19th, 2021. As of now
it will include the following bug fixes. They can be found in "buster-
proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "buster-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following

  Package                    Reason
  -------                    ------

  apt                        Accept suite name changes for repositories by
                             default (e.g. stable -> oldstable)

  awstats                    Fix remote file access issues [CVE-2020-29600

  base-files                 Update /etc/debian_version for the 10.10 point

  berusky2                   Fix segfault at startup

  clamav                     New upstream stable release; fix denial of
                             security issue [CVE-2021-1405]

  clevis                     Fix support for TPMs that only support SHA256

  connman                    dnsproxy: Check the length of buffers before
                             memcpy [CVE-2021-33833]

  crmsh                      Fix code execution issue [CVE-2020-35459]

  dnspython                  XFR: do not attempt to compare to a non-
                             existent "expiration" value

  dput-ng                    Fix crash in the sftp uploader in case of
                             EACCES from the server; update codenames; make
                             "dcut dm" work for non-uploading DMs; fix a
                             TypeError in http upload exception handling;
                             don't try and construct uploader email from
                             system hostname in .dak-commands files

  eterm                      Fix code execution issue [CVE-2021-33477]

  exactimage                 Fix build with C++11 and OpenEXR 2.5.x

  fig2dev                    Fix buffer overflow [CVE-2021-3561]; several
                             output fixes; rebuild testsuite during build
                             and in autopkgtest

  fluidsynth                 Fix use-after-free issue [CVE-2021-28421]

  freediameter               Fix denial of service issue [CVE-2020-6098]

  fwupd                      Fix generation of the vendor SBAT string; stop
                             using dpkg-dev in fwupd.preinst; new upstream
                             stable version

  fwupd-amd64-signed         Sync with fwupd

  fwupd-arm64-signed         Sync with fwupd

  fwupd-armhf-signed         Sync with fwupd

  fwupd-i386-signed          Sync with fwupd

  fwupdate                   Improve SBAT support

  fwupdate-amd64-signed      Sync with fwupdate

  fwupdate-arm64-signed      Sync with fwupdate

  fwupdate-armhf-signed      Sync with fwupdate

  fwupdate-i386-signed       Sync with fwupdate

  glib2.0                    Fix several integer overflow issues
                             [CVE-2021-27218 CVE-2021-27219]; fix a symlink
                             attack affecting file-roller [CVE-2021-28153]

  gnutls28                   Fix null-pointer dereference issue
                             [CVE-2020-24659]; add several improvements to
                             memory reallocation

  golang-github-docker-      Fix double free issue [CVE-2019-1020014]

  htmldoc                    Fix buffer overflow issues [CVE-2019-19630

  ipmitool                   Fix buffer overflow issues [CVE-2020-5208]

  ircii                      Fix denial of service issue [CVE-2021-29376]

  isc-dhcp                   Fix buffer overrun issue [CVE-2021-25217]

  isync                      Reject funny mailbox names from IMAP LIST/LSUB
                             [CVE-2021-20247]; fix handling of unexpected
                             APPENDUID response code [CVE-2021-3578]

  jackson-databind           Fix external entity expansion issue
                             [CVE-2020-25649] and several serialization-
                             related issues [CVE-2020-24616 CVE-2020-24750
                             CVE-2020-35490 CVE-2020-35491 CVE-2020-35728
                             CVE-2020-36179 CVE-2020-36180 CVE-2020-36181
                             CVE-2020-36182 CVE-2020-36183 CVE-2020-36184
                             CVE-2020-36185 CVE-2020-36186 CVE-2020-36187
                             CVE-2020-36188 CVE-2020-36189 CVE-2021-20190]

  klibc                      malloc: Set errno on failure; fix several
                             overflow issues [CVE-2021-31873 CVE-2021-31870
                             CVE-2021-31872]; cpio: Fix possible crash on
                             64-bit systems [CVE-2021-31871]; {set,long}jmp
                             [s390x]: save/restore the correct FPU registers

  libbusiness-us-usps-       Update to new US-USPS API

  libgcrypt20                Fix weak ElGamal encryption with keys not
                             generated by GnuPG/libgcrypt [CVE-2021-33560]

  libgetdata                 Fix use after free issue [CVE-2021-20204]

  libmateweather             Adapt to renaming of America/Godthab to
                             America/Nuuk in tzdata

  libxml2                    Fix out-of-bounds read in xmllint
                             [CVE-2020-24977]; fix use-after-free issues in
                             xmllint [CVE-2021-3516 CVE-2021-3518]; validate
                             UTF8 in xmlEncodeEntities [CVE-2021-3517];
                             propagate error in
                             xmlParseElementChildrenContentDeclPriv; fix
                             exponential entity expansion attack

  liferea                    Fix compatibility with webkit2gtk >= 2.32

  linux                      New upstream stable release; increase ABI to
                             17; [rt] Update to 4.19.193-rt81

  linux-latest               Update to 4.19.0-17 ABI

  mariadb-10.3               New upstream release; security fixes
                             [CVE-2021-2154 CVE-2021-2166 CVE-2021-27928];
                             fix Innotop support; ship

  mqtt-client                Fix denial of service issue [CVE-2019-0222]

  mumble                     Fix remote code execution issue

  mupdf                      Fix use-after-free issue [CVE-2020-16600] and
                             double free issue [CVE-2021-3407]

  nmap                       Update included MAC prefix list

  node-glob-parent           Fix regular expression denial of service issue

  node-handlebars            Fix code execution issues [CVE-2019-20920

  node-hosted-git-info       Fix regular expression denial of service issue

  node-redis                 Fix regular expression denial of service issue

  node-ws                    Fix regular expression-related denial of
                             service issue [CVE-2021-32640]

  nvidia-graphics-drivers    Fix improper access control vulnerability

  nvidia-graphics-drivers-   Fix improper access control vulnerability
    legacy-390xx             [CVE-2021-1076]; fix installation failure on
                             Linux 5.11 release candidates

  opendmarc                  Fix heap overflow issue [CVE-2020-12460]

  openvpn                    Fix "illegal client float" issue
                             [CVE-2020-11810]; ensure key state is
                             authenticated before sending push reply
                             [CVE-2020-15078]; increase listen() backlog
                             queue to 32

  php-horde-text-filter      Fix cross-site scripting issue [CVE-2021-26929]

  plinth                     Use session to verify first boot welcome step

  ruby-websocket-extensions  Fix denial of service issue [CVE-2020-7663]

  rust-rustyline             Fix build with newer rustc; reset timestamp on
                             .cargo-vcs-info.json to avoid a lintian auto-

  rxvt-unicode               Disable ESC G Q escape sequence

  sabnzbdplus                Fix code execution vulnerability

  scrollz                    Fix denial of service issue [CVE-2021-29376]

  shim                       New upstream release; add SBAT support; fix
                             i386 binary relocations; don't call
                             QueryVariableInfo() on EFI 1.10 machines (e.g.
                             older Intel Macs); fix handling of ignore_db
                             and user_insecure_mode; add maintainer scripts
                             to the template packages to manage installing
                             and removing fbXXX.efi and mmXXX.efi when we
                             install/remove the shim-helpers-$arch-signed
                             packages; exit cleanly if installed on a non-
                             EFI system; don't fail if debconf calls return

  shim-helpers-amd64-signed  Sync with shim

  shim-helpers-arm64-signed  Sync with shim

  shim-helpers-i386-signed   Sync with shim

  shim-signed                Update for new shim; multiple bugfixes in
                             postinst and postrm handling; provide unsigned
                             binaries for arm64 (see NEWS.Debian); exit
                             cleanly if installed on a non-EFI system; don't
                             fail if debconf calls return errors; fix
                             documentation links; add explicit
                             dependency from shim-signed to shim-signed-

  speedtest-cli              Handle case where ignoreids is empty or
                             contains empty ids

  tnef                       Fix buffer over-read issue [CVE-2019-18849]

  uim                        libuim-data: Copy Breaks from uim-data, fixing
                             some upgrade scenarios

  user-mode-linux            Rebuild against Linux kernel 4.19.194-1

  velocity                   Fix potential arbitrary code execution issue

  wml                        Fix regression in Unicode handling

  xfce4-weather-plugin       Move to version 2.0 met.no API

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:


Removed packages

The following packages will be removed due to circumstances beyond our

  Package                    Reason
  -------                    ------

  sogo-connector             Incompatible with current Thunderbird versions

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".