----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 206-1          https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
October 4th, 2021
----------------------------------------------------------------------------

Upcoming Debian 10 Update (10.11)

An update to Debian 10 is scheduled for Saturday, October 9th, 2021. As of
now it will include the following bug fixes. They can be found in
"buster-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "buster-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following
packages:

Package                     Reason
-------                     ------
atftp                       Fix buffer overflow [CVE-2021-41054]
base-files                  Update for the 10.11 point release
btrbk                       Fix arbitrary code execution issue
                            [CVE-2021-38173]
clamav                      New upstream stable release; fix clamdscan
                            segfaults when --fdpass and --multipass are
                            used together with ExcludePath
commons-io                  Fix path traversal issue [CVE-2021-29425]
cyrus-imapd                 Fix denial-of-service issue [CVE-2021-33582]
debconf                     Check that whiptail or dialog is actually usable
debian-installer            Rebuild against buster-proposed-updates; update
                            Linux ABI to 4.19.0-18
distcc                      Fix GCC cross-compiler links in
                            update-distcc-symlinks and add support for clang
                            and CUDA (nvcc)
distro-info-data            Update included data for several releases
dwarf-fortress              Remove undistributable prebuilt shared libraries
                            from the source tarball
espeak-ng                   Fix using espeak with mbrola-fr4 when mbrola-fr1
                            is not installed
gcc-mingw-w64               Fix gcov handling
gthumb                      Fix heap-based buffer overflow issue
                            [CVE-2019-20326]
hg-git                      Fix test failures with recent git versions
htslib                      Fix autopkgtest on i386
http-parser                 Fix HTTP request smuggling issue [CVE-2019-15605]
irssi                       Fix use after free issue when sending SASL login
                            to the server [CVE-2019-13045]
java-atk-wrapper            Also use dbus to detect accessibility being
                            enabled
krb5                        Fix KDC null dereference crash on FAST request
                            with no server field [CVE-2021-37750]; fix memory
                            leak in krb5_gss_inquire_cred
libdatetime-timezone-perl   New upstream stable release; update DST rules for
                            Samoa and Jordan; confirmation of no leap second
                            on 2021-12-31
libpam-tacplus              Prevent shared secrets from being added in
                            plaintext to the system log [CVE-2020-13881]
linux                       "proc: Track /proc/$pid/attr/ opener mm_struct",
                            fixing issues with lxc-attach; new upstream stable
                            release; increase ABI version to 18; [rt] Update
                            to 4.19.207-rt88; usb: hso: fix error handling
                            code of hso_create_net_device [CVE-2021-37159]
linux-latest                Update to 4.19.0-18 kernel ABI
mariadb-10.3                New upstream stable release; security fixes
                            [CVE-2021-2389 CVE-2021-2372]; fix Perl
                            executable path in scripts
modsecurity-crs             Fix request body bypass issue [CVE-2021-35368]
node-ansi-regex             Fix regular expression-based denial of service
                            issue [CVE-2021-3807]
node-axios                  Fix regular expression-based denial of service
                            issue [CVE-2021-3749]
node-jszip                  Use a null prototype object for this.files
                            [CVE-2021-23413]
node-tar                    Remove non-directory paths from the directory
                            cache [CVE-2021-32803]; strip absolute paths more
                            comprehensively [CVE-2021-32804]
nvidia-cuda-toolkit         Fix setting of NVVMIR_LIBRARY_DIR on ppc64el
nvidia-graphics-drivers     New upstream stable release; fix denial of
                            service issues [CVE-2021-1093 CVE-2021-1094
                            CVE-2021-1095]; nvidia-driver-libs: Add
                            Recommends: libnvidia-encode1
nvidia-graphics-drivers-legacy-390xx
                            New upstream stable release; fix denial of
                            service issues [CVE-2021-1093 CVE-2021-1094
                            CVE-2021-1095]; nvidia-legacy-390xx-driver-libs:
                            Add Recommends: libnvidia-legacy-390xx-encode1
postgresql-11               New upstream stable release; fix mis-planning of
                            repeated application of a projection step
                            [CVE-2021-3677]; disallow SSL renegotiation more
                            completely
proftpd-dfsg                Fix "mod_radius leaks memory contents to radius
                            server", "cannot disable client-initiated
                            renegotiation for FTPS", navigation into
                            symlinked directories, mod_sftp crash when using
                            pubkey-auth with DSA keys
psmisc                      Fix regression in killall not matching process
                            with names longer than 15 characters
python-uflash               Update firmware URL
request-tracker4            Fix login timing side-channel attack issue
                            [CVE-2021-38562]
ring                        Fix denial of service issue in the embedded copy
                            of pjproject [CVE-2021-21375]
sabnzbdplus                 Prevent directory escape in renamer function
                            [CVE-2021-29488]
shim                        Add arm64 patch to tweak section layout and stop
                            crashing problems; in insecure mode, don't abort
                            if we can't create the MokListXRT variable; don't
                            abort on grub installation failures; warn instead
shim-helpers-amd64-signed   Sync with shim
shim-helpers-arm64-signed   Sync with shim
shim-helpers-i386-signed    Sync with shim
shim-signed                 Use unsigned build on arm64; add arm64 patch to
                            tweak section layout and stop crashes; in insecure
                            mode, don't abort if we can't create the
                            MokListXRT variable; don't abort on grub
                            installation failures; warn instead
shiro                       Fix authentication bypass issues [CVE-2020-1957
                            CVE-2020-11989 CVE-2020-13933 CVE-2020-17510];
                            update Spring Framework compatibility patch;
                            support Guice 4
tzdata                      Update DST rules for Samoa and Jordan; confirm
                            the absence of a leap second on 2021-12-31
ublock-origin               New upstream stable release; fix denial of
                            service issue [CVE-2021-36773]
ulfius                      Ensure memory is initialised before use
                            [CVE-2021-40540]
xmlgraphics-commons         Fix Server-Side Request Forgery issue
                            [CVE-2020-11988]
yubikey-manager             Add missing dependency on python3-pkg-resources
                            to yubikey-manager

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/oldstable.html>

Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                     Reason
-------                     ------
birdtray                    Incompatible with newer Thunderbird versions
libprotocol-acme-perl       Only supports obsolete ACME version 1

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".