[SUA 206-1] Upcoming Debian 10 Update (10.11)

Debian Stable Updates Announcement SUA 206-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
October 4th, 2021

Upcoming Debian 10 Update (10.11)

An update to Debian 10 is scheduled for Saturday, October 9th, 2021. As of now
it will include the following bug fixes. They can be found in "buster-
proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "buster-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following

  Package                    Reason
  -------                    ------

  atftp                      Fix buffer overflow [CVE-2021-41054]

  base-files                 Update for the 10.11 point release

  btrbk                      Fix arbitrary code execution issue

  clamav                     New upstream stable release; fix clamdscan
                             segfaults when --fdpass and --multiscan are
                             used together with ExcludePath

  commons-io                 Fix path traversal issue [CVE-2021-29425]

  cyrus-imapd                Fix denial-of-service issue [CVE-2021-33582]

  debconf                    Check that whiptail or dialog is actually

  debian-installer           Rebuild against buster-proposed-updates; update
                             Linux ABI to 4.19.0-18

  distcc                     Fix GCC cross-compiler links in update-distcc-
                             symlinks and add support for clang and CUDA

  distro-info-data           Update included data for several releases

  dwarf-fortress             Remove undistributable prebuilt shared
                             libraries from the source tarball

  espeak-ng                  Fix using espeak with mbrola-fr4 when mbrola-
                             fr1 is not installed

  gcc-mingw-w64              Fix gcov handling

  gthumb                     Fix heap-based buffer overflow issue

  hg-git                     Fix test failures with recent git versions

  htslib                     Fix autopkgtest on i386

  http-parser                Fix HTTP request smuggling issue

  irssi                      Fix use after free issue when sending SASL
                             login to the server [CVE-2019-13045]

  java-atk-wrapper           Also use dbus to detect accessibility being

  krb5                       Fix KDC null dereference crash on FAST request
                             with no server field [CVE-2021-37750]; fix
                             memory leak in krb5_gss_inquire_cred

  libdatetime-timezone-perl  New upstream stable release; update DST rules
                             for Samoa and Jordan; confirmation of no leap
                             second on 2021-12-31

  libpam-tacplus             Prevent shared secrets from being added in
                             plaintext to the system log [CVE-2020-13881]

  linux                      "proc: Track /proc/$pid/attr/ opener
                             mm_struct", fixing issues with lxc-attach; new
                             upstream stable release; increase ABI version
                             to 18; [rt] Update to 4.19.207-rt88; usb: hso:
                             fix error handling code of
                             hso_create_net_device [CVE-2021-37159]

  linux-latest               Update to 4.19.0-18 kernel ABI

  mariadb-10.3               New upstream stable release; security fixes
                             [CVE-2021-2389 CVE-2021-2372]; fix Perl
                             executable path in scripts

  modsecurity-crs            Fix request body bypass issue [CVE-2021-35368]

  node-ansi-regex            Fix regular expression-based denial of service
                             issue [CVE-2021-3807]

  node-axios                 Fix regular expression-based denial of service
                             issue [CVE-2021-3749]

  node-jszip                 Use a null prototype object for this.files

  node-tar                   Remove non-directory paths from the directory
                             cache [CVE-2021-32803]; strip absolute paths
                             more comprehensively [CVE-2021-32804]

  nvidia-cuda-toolkit        Fix setting of NVVMIR_LIBRARY_DIR on ppc64el

  nvidia-graphics-drivers    New upstream stable release; fix denial of
                             service issues [CVE-2021-1093 CVE-2021-1094
                             CVE-2021-1095]; nvidia-driver-libs: Add
                             Recommends: libnvidia-encode1

  nvidia-graphics-drivers-   New upstream stable release; fix denial of
      legacy-390xx           service issues [CVE-2021-1093 CVE-2021-1094
                             CVE-2021-1095]; nvidia-legacy-390xx-driver-
                             libs: Add Recommends: libnvidia-legacy-390xx-

  postgresql-11              New upstream stable release; fix mis-planning
                             of repeated application of a projection step
                             [CVE-2021-3677]; disallow SSL renegotiation
                             more completely

  proftpd-dfsg               Fix "mod_radius leaks memory contents to radius
                             server", "cannot disable client-initiated
                             renegotiation for FTPS", navigation into
                             symlinked directories, mod_sftp crash when
                             using pubkey-auth with DSA keys

  psmisc                     Fix regression in killall not matching process
                             with names longer than 15 characters

  python-uflash              Update firmware URL

  request-tracker4           Fix login timing side-channel attack issue

  ring                       Fix denial of service issue in the embedded
                             copy of pjproject [CVE-2021-21375]

  sabnzbdplus                Prevent directory escape in renamer function

  shim                       Add arm64 patch to tweak section layout and
                             stop crashing problems; in insecure mode, don't
                             abort if we can't create the MokListXRT
                             variable; don't abort on grub installation
                             failures; warn instead

  shim-helpers-amd64-signed  Sync with shim

  shim-helpers-arm64-signed  Sync with shim

  shim-helpers-i386-signed   Sync with shim

  shim-signed                Use unsigned build on arm64; add arm64 patch to
                             tweak section layout and stop crashes; in
                             insecure mode, don't abort if we can't create
                             the MokListXRT variable; don't abort on grub
                             installation failures; warn instead

  shiro                      Fix authentication bypass issues [CVE-2020-1957
                             CVE-2020-11989 CVE-2020-13933 CVE-2020-17510];
                             update Spring Framework compatibility patch;
                             support Guice 4

  tzdata                     Update DST rules for Samoa and Jordan; confirm
                             the absence of a leap second on 2021-12-31

  ublock-origin              New upstream stable release; fix denial of
                             service issue [CVE-2021-36773]

  ulfius                     Ensure memory is initialised before use

  xmlgraphics-commons        Fix Server-Side Request Forgery issue

  yubikey-manager            Add missing dependency on python3-pkg-resources
                             to yubikey-manager
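
The table above lists source packages and, where a fix is security-relevant, the CVE ids it addresses. As an added example (it is not part of the announcement and not Debian tooling), the following Python script parses that "Package / Reason" layout into a package-to-CVE map and compares it with the source packages behind what is installed on a host, so an administrator can see which of the pending fixes apply to a machine before the point release lands. The rows in SAMPLE are a constructed excerpt of the table; the dpkg-query call uses the real ${source:Package} format field, everything else (function names, regexes) is the example's own.

```python
"""Triage helper for a Debian Stable Updates Announcement (SUA).

Added example: not part of the announcement and not Debian tooling.
It parses the "Package / Reason" table into a package -> CVE map and
compares it with the source packages behind what is installed on a host.
"""
import re
import subprocess
from typing import Dict, List, Set

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Table rows: two-space indent, source package name, two or more spaces, reason.
ROW_RE = re.compile(r"^  (\S+)\s{2,}(.*)$")
# A long package name wrapped onto a second, deeper-indented line (as in the
# nvidia-graphics-drivers-legacy-390xx row of the announcement).
WRAP_RE = re.compile(r"^\s{3,19}(\S+)\s{2,}(.*)$")
# Reason text continued under the "Reason" column.
CONT_RE = re.compile(r"^\s{20,}(\S.*)$")

# Constructed excerpt of the announcement's table, kept in its original layout.
SAMPLE = """\
  Package                    Reason
  -------                    ------

  atftp                      Fix buffer overflow [CVE-2021-41054]

  base-files                 Update for the 10.11 point release

  node-tar                   Remove non-directory paths from the directory
                             cache [CVE-2021-32803]; strip absolute paths
                             more comprehensively [CVE-2021-32804]

  nvidia-graphics-drivers-   New upstream stable release; fix denial of
      legacy-390xx           service issues [CVE-2021-1093 CVE-2021-1094
                             CVE-2021-1095]
"""


def parse_sua_table(text: str) -> Dict[str, List[str]]:
    """Return {source_package: [CVE ids in the order listed]} for every row."""
    rows: List[List[str]] = []          # [name, reason_text] pairs, in table order
    for line in text.splitlines():
        if not line.strip():
            continue
        if m := ROW_RE.match(line):
            name, rest = m.groups()
            if name == "Package" or set(name) == {"-"}:   # header and its underline
                continue
            rows.append([name, rest])
        elif (m := WRAP_RE.match(line)) and rows:
            rows[-1][0] += m.group(1)    # finish the wrapped package name
            rows[-1][1] += " " + m.group(2)
        elif (m := CONT_RE.match(line)) and rows:
            rows[-1][1] += " " + m.group(1)
    return {name: CVE_RE.findall(reason) for name, reason in rows}


def installed_source_packages() -> Set[str]:
    """Source package name of every installed binary package (Debian host only).

    The SUA table lists *source* packages (e.g. "linux", "mariadb-10.3"), so
    compare against dpkg's source:Package field rather than binary names.
    """
    out = subprocess.run(
        ["dpkg-query", "-W", "-f=${source:Package}\n"],
        check=True, capture_output=True, text=True,
    ).stdout
    return {line.strip() for line in out.splitlines() if line.strip()}


def affected(sua: Dict[str, List[str]], installed: Set[str],
             cve_only: bool = True) -> List[str]:
    """Installed source packages the announcement touches; by default only
    those carrying at least one CVE id, i.e. the security-relevant fixes."""
    return sorted(p for p, cves in sua.items()
                  if p in installed and (cves or not cve_only))


if __name__ == "__main__":
    table = parse_sua_table(SAMPLE)
    try:
        installed = installed_source_packages()
    except (FileNotFoundError, subprocess.CalledProcessError):
        # Not a Debian host: use a constructed set so the example still runs.
        installed = {"node-tar", "base-files", "bash"}
    for pkg in affected(table, installed, cve_only=False):
        print(f"{pkg}: {', '.join(table[pkg]) or 'no CVE listed'}")
```

To triage the real announcement, pass the saved mail to parse_sua_table() in place of SAMPLE. Packages the script flags can then be pulled for testing with "apt-get -t buster-proposed-updates install <package>" once buster-proposed-updates is present in the apt sources.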

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:


Removed packages

The following packages will be removed due to circumstances beyond our

  Package                    Reason
  -------                    ------

  birdtray                   Incompatible with newer Thunderbird versions

  libprotocol-acme-perl      Only supports obsolete ACME version 1

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".

