----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 206-1 https://www.debian.org/
debian-release@lists.debian.org Adam D. Barratt
October 4th, 2021
----------------------------------------------------------------------------
Upcoming Debian 10 Update (10.11)
An update to Debian 10 is scheduled for Saturday, October 9th, 2021. As of now
it will include the following bug fixes. They can be found in "buster-
proposed-updates", which is carried by all official mirrors.
Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "buster-updates".
Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.
The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------
This oldstable update adds a few important corrections to the following
packages:
Package Reason
------- ------
atftp Fix buffer overflow [CVE-2021-41054]
base-files Update for the 10.11 point release
btrbk Fix arbitrary code execution issue
[CVE-2021-38173]
clamav New upstream stable release; fix clamdscan
segfaults when --fdpass and --multipass are
used together with ExcludePath
commons-io Fix path traversal issue [CVE-2021-29425]
cyrus-imapd Fix denial-of-service issue [CVE-2021-33582]
debconf Check that whiptail or dialog is actually
usable
debian-installer Rebuild against buster-proposed-updates; update
Linux ABI to 4.19.0-18
distcc Fix GCC cross-compiler links in update-distcc-
symlinks and add support for clang and CUDA
(nvcc)
distro-info-data Update included data for several releases
dwarf-fortress Remove undistributable prebuilt shared
libraries from the source tarball
espeak-ng Fix using espeak with mbrola-fr4 when mbrola-
fr1 is not installed
gcc-mingw-w64 Fix gcov handling
gthumb Fix heap-based buffer overflow issue
[CVE-2019-20326]
hg-git Fix test failures with recent git versions
htslib Fix autopkgtest on i386
http-parser Fix HTTP request smuggling issue
[CVE-2019-15605]
irssi Fix use after free issue when sending SASL
login to the server [CVE-2019-13045]
java-atk-wrapper Also use dbus to detect accessibility being
enabled
krb5 Fix KDC null dereference crash on FAST request
with no server field [CVE-2021-37750]; fix
memory leak in krb5_gss_inquire_cred
libdatetime-timezone-perl New upstream stable release; update DST rules
for Samoa and Jordon; confirmation of no leap
second on 2021-12-31
libpam-tacplus Prevent shared secrets from being added in
plaintext to the system log [CVE-2020-13881]
linux "proc: Track /proc/$pid/attr/ opener
mm_struct", fixing issues with lxc-attach; new
upstream stable release; increase ABI version
to 18; [rt] Update to 4.19.207-rt88; usb: hso:
fix error handling code of
hso_create_net_device [CVE-2021-37159]
linux-latest Update to 4.19.0-18 kernel ABI
mariadb-10.3 New upstream stable release; security fixes
[CVE-2021-2389 CVE-2021-2372]; fix Perl
executable path in scripts
modsecurity-crs Fix request body bypass issue [CVE-2021-35368]
node-ansi-regex Fix regular expression-based denial of service
issue [CVE-2021-3807]
node-axios Fix regular expression-based denial of service
issue [CVE-2021-3749]
node-jszip Use a null prototype object for this.files
[CVE-2021-23413]
node-tar Remove non-directory paths from the directory
cache [CVE-2021-32803]; strip absolute paths
more comprehensively [CVE-2021-32804]
nvidia-cuda-toolkit Fix setting of NVVMIR_LIBRARY_DIR on ppc64el
nvidia-graphics-drivers New upstream stable release; fix denial of
service issues [CVE-2021-1093 CVE-2021-1094
CVE-2021-1095]; nvidia-driver-libs: Add
Recommends: libnvidia-encode1
nvidia-graphics-drivers- New upstream stable release; fix denial of
legacy-390xx service issues [CVE-2021-1093 CVE-2021-1094
CVE-2021-1095]; nvidia-legacy-390xx-driver-
libs: Add Recommends: libnvidia-legacy-390xx-
encode1
postgresql-11 New upstream stable release; fix mis-planning
of repeated application of a projection step
[CVE-2021-3677]; disallow SSL renegotiation
more completely
proftpd-dfsg Fix "mod_radius leaks memory contents to radius
server", "cannot disable client-initiated
renegotiation for FTPS", navigation into
symlinked directories, mod_sftp crash when
using pubkey-auth with DSA keys
psmisc Fix regression in killall not matching process
with names longer than 15 characters
python-uflash Update firmware URL
request-tracker4 Fix login timing side-channel attack issue
[CVE-2021-38562]
ring Fix denial of service issue in the embedded
copy of pjproject [CVE-2021-21375]
sabnzbdplus Prevent directory escape in renamer function
[CVE-2021-29488]
shim Add arm64 patch to tweak section layout and
stop crashing problems; in insecure mode, don't
abort if we can't create the MokListXRT
variable; don't abort on grub installation
failures; warn instead
shim-helpers-amd64-signed Sync with shim
shim-helpers-arm64-signed Sync with shim
shim-helpers-i386-signed Sync with shim
shim-signed Use unsigned build on arm64; add arm64 patch to
tweak section layout and stop crashes; in
insecure mode, don't abort if we can't create
the MokListXRT variable; don't abort on grub
installation failures; warn instead
shiro Fix authentication bypass issues [CVE-2020-1957
CVE-2020-11989 CVE-2020-13933 CVE-2020-17510];
update Spring Framework compatibility patch;
support Guice 4
tzdata Update DST rules for Samoa and Jordan; confirm
the absence of a leap second on 2021-12-31
ublock-origin New upstream stable release; fix denial of
service issue [CVE-2021-36773]
ulfius Ensure memory is initialised before use
[CVE-2021-40540]
xmlgraphics-commons Fix Server-Side Request Forgery issue
[CVE-2020-11988]
yubikey-manager Add missing dependency on python3-pkg-resources
to yubikey-manager
A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:
<https://release.debian.org/proposed-updates/oldstable.html>
Removed packages
----------------
The following packages will be removed due to circumstances beyond our
control:
Package Reason
------- ------
birdtray Incompatible with newer Thunderbird versions
libprotocol-acme-perl Only supports obsolete ACME version 1
If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
Attachment:
signature.asc
Description: This is a digitally signed message part