----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 200-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
June 14th, 2021
----------------------------------------------------------------------------

Upcoming Debian 10 Update (10.10)

An update to Debian 10 is scheduled for Saturday, June 19th, 2021. As of
now it will include the following bug fixes. They can be found in
"buster-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "buster-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package                      Reason
-------                      ------
apt                          Accept suite name changes for repositories by
                             default (e.g. stable -> oldstable)
awstats                      Fix remote file access issues [CVE-2020-29600
                             CVE-2020-35176]
base-files                   Update /etc/debian_version for the 10.10 point
                             release
berusky2                     Fix segfault at startup
clamav                       New upstream stable release; fix denial of
                             service issue [CVE-2021-1405]
clevis                       Fix support for TPMs that only support SHA256
connman                      dnsproxy: Check the length of buffers before
                             memcpy [CVE-2021-33833]
crmsh                        Fix code execution issue [CVE-2020-35459]
dnspython                    XFR: do not attempt to compare to a
                             non-existent "expiration" value
dput-ng                      Fix crash in the sftp uploader in case of
                             EACCES from the server; update codenames; make
                             "dcut dm" work for non-uploading DMs; fix a
                             TypeError in http upload exception handling;
                             don't try and construct uploader email from
                             system hostname in .dak-commands files
eterm                        Fix code execution issue [CVE-2021-33477]
exactimage                   Fix build with C++11 and OpenEXR 2.5.x
fig2dev                      Fix buffer overflow [CVE-2021-3561]; several
                             output fixes; rebuild testsuite during build
                             and in autopkgtest
fluidsynth                   Fix use-after-free issue [CVE-2021-28421]
freediameter                 Fix denial of service issue [CVE-2020-6098]
fwupd                        Fix generation of the vendor SBAT string; stop
                             using dpkg-dev in fwupd.preinst; new upstream
                             stable version
fwupd-amd64-signed           Sync with fwupd
fwupd-arm64-signed           Sync with fwupd
fwupd-armhf-signed           Sync with fwupd
fwupd-i386-signed            Sync with fwupd
fwupdate                     Improve SBAT support
fwupdate-amd64-signed        Sync with fwupdate
fwupdate-arm64-signed        Sync with fwupdate
fwupdate-armhf-signed        Sync with fwupdate
fwupdate-i386-signed         Sync with fwupdate
glib2.0                      Fix several integer overflow issues
                             [CVE-2021-27218 CVE-2021-27219]; fix a symlink
                             attack affecting file-roller [CVE-2021-28153]
gnutls28                     Fix null-pointer dereference issue
                             [CVE-2020-24659]; add several improvements to
                             memory reallocation
golang-github-docker-docker-credential-helpers
                             Fix double free issue [CVE-2019-1020014]
htmldoc                      Fix buffer overflow issues [CVE-2019-19630
                             CVE-2021-20308]
ipmitool                     Fix buffer overflow issues [CVE-2020-5208]
ircii                        Fix denial of service issue [CVE-2021-29376]
isc-dhcp                     Fix buffer overrun issue [CVE-2021-25217]
isync                        Reject funny mailbox names from IMAP LIST/LSUB
                             [CVE-2021-20247]; fix handling of unexpected
                             APPENDUID response code [CVE-2021-3578]
jackson-databind             Fix external entity expansion issue
                             [CVE-2020-25649] and several
                             serialization-related issues [CVE-2020-24616
                             CVE-2020-24750 CVE-2020-35490 CVE-2020-35491
                             CVE-2020-35728 CVE-2020-36179 CVE-2020-36180
                             CVE-2020-36181 CVE-2020-36182 CVE-2020-36183
                             CVE-2020-36184 CVE-2020-36185 CVE-2020-36186
                             CVE-2020-36187 CVE-2020-36188 CVE-2020-36189
                             CVE-2021-20190]
klibc                        malloc: Set errno on failure; fix several
                             overflow issues [CVE-2021-31873 CVE-2021-31870
                             CVE-2021-31872]; cpio: Fix possible crash on
                             64-bit systems [CVE-2021-31871]; {set,long}jmp
                             [s390x]: save/restore the correct FPU registers
libbusiness-us-usps-webtools-perl
                             Update to new US-USPS API
libgcrypt20                  Fix weak ElGamal encryption with keys not
                             generated by GnuPG/libgcrypt [CVE-2021-33560]
libgetdata                   Fix use after free issue [CVE-2021-20204]
libmateweather               Adapt to renaming of America/Godthab to
                             America/Nuuk in tzdata
libxml2                      Fix out-of-bounds read in xmllint
                             [CVE-2020-24977]; fix use-after-free issues in
                             xmllint [CVE-2021-3516 CVE-2021-3518]; validate
                             UTF8 in xmlEncodeEntities [CVE-2021-3517];
                             propagate error in
                             xmlParseElementChildrenContentDeclPriv; fix
                             exponential entity expansion attack
                             [CVE-2021-3541]
liferea                      Fix compatibility with webkit2gtk >= 2.32
linux                        New upstream stable release; increase ABI to
                             17; [rt] Update to 4.19.193-rt81
linux-latest                 Update to 4.19.0-17 ABI
mariadb-10.3                 New upstream release; security fixes
                             [CVE-2021-2154 CVE-2021-2166 CVE-2021-27928];
                             fix Innotop support; ship
                             caching_sha2_password.so
mqtt-client                  Fix denial of service issue [CVE-2019-0222]
mumble                       Fix remote code execution issue
                             [CVE-2021-27229]
mupdf                        Fix use-after-free issue [CVE-2020-16600] and
                             double free issue [CVE-2021-3407]
nmap                         Update included MAC prefix list
node-glob-parent             Fix regular expression denial of service
                             issue [CVE-2020-28469]
node-handlebars              Fix code execution issues [CVE-2019-20920
                             CVE-2021-23369]
node-hosted-git-info         Fix regular expression denial of service
                             issue [CVE-2021-23362]
node-redis                   Fix regular expression denial of service
                             issue [CVE-2021-29469]
node-ws                      Fix regular expression-related denial of
                             service issue [CVE-2021-32640]
nvidia-graphics-drivers      Fix improper access control vulnerability
                             [CVE-2021-1076]
nvidia-graphics-drivers-legacy-390xx
                             Fix improper access control vulnerability
                             [CVE-2021-1076]; fix installation failure on
                             Linux 5.11 release candidates
opendmarc                    Fix heap overflow issue [CVE-2020-12460]
openvpn                      Fix "illegal client float" issue
                             [CVE-2020-11810]; ensure key state is
                             authenticated before sending push reply
                             [CVE-2020-15078]; increase listen() backlog
                             queue to 32
php-horde-text-filter        Fix cross-site scripting issue [CVE-2021-26929]
plinth                       Use session to verify first boot welcome step
ruby-websocket-extensions    Fix denial of service issue [CVE-2020-7663]
rust-rustyline               Fix build with newer rustc; reset timestamp on
                             .cargo-vcs-info.json to avoid a lintian
                             auto-reject
rxvt-unicode                 Disable ESC G Q escape sequence
                             [CVE-2021-33477]
sabnzbdplus                  Fix code execution vulnerability
                             [CVE-2020-13124]
scrollz                      Fix denial of service issue [CVE-2021-29376]
shim                         New upstream release; add SBAT support; fix
                             i386 binary relocations; don't call
                             QueryVariableInfo() on EFI 1.10 machines (e.g.
                             older Intel Macs); fix handling of ignore_db
                             and user_insecure_mode; add maintainer scripts
                             to the template packages to manage installing
                             and removing fbXXX.efi and mmXXX.efi when we
                             install/remove the shim-helpers-$arch-signed
                             packages; exit cleanly if installed on a
                             non-EFI system; don't fail if debconf calls
                             return errors
shim-helpers-amd64-signed    Sync with shim
shim-helpers-arm64-signed    Sync with shim
shim-helpers-i386-signed     Sync with shim
shim-signed                  Update for new shim; multiple bugfixes in
                             postinst and postrm handling; provide unsigned
                             binaries for arm64 (see NEWS.Debian); exit
                             cleanly if installed on a non-EFI system;
                             don't fail if debconf calls return errors; fix
                             documentation links; add explicit dependency
                             from shim-signed to shim-signed-common
speedtest-cli                Handle case where ignoreids is empty or
                             contains empty ids
tnef                         Fix buffer over-read issue [CVE-2019-18849]
uim                          libuim-data: Copy Breaks from uim-data, fixing
                             some upgrade scenarios
user-mode-linux              Rebuild against Linux kernel 4.19.194-1
velocity                     Fix potential arbitrary code execution issue
                             [CVE-2020-13936]
wml                          Fix regression in Unicode handling
xfce4-weather-plugin         Move to version 2.0 met.no API

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>

Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                      Reason
-------                      ------
sogo-connector               Incompatible with current Thunderbird versions

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
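The table above lists one source package per row, with the reason wrapped onto lines indented to the Reason column and over-long package names wrapped onto a slightly indented line of their own. What follows is an added example, not part of the announcement and not Debian tooling, showing how to parse that layout into package/reason pairs, pull out the CVE ids each fix names, and keep only the rows for packages present on a host. It assumes the Reason column starts at column 29 and that wrapped package-name fragments are indented less than that; the table excerpt and the installed-package list are constructed for the example.

```python
"""Parse the Package/Reason table of a Debian SUA (added example)."""
import re
from typing import Dict, List

REASON_COL = 29  # assumed: column at which the "Reason" text begins
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed excerpt of the 10.10 table (a handful of rows, not the full
# list), laid out as in the announcement: reason continuation lines are
# indented to REASON_COL, a wrapped package name continues on a line
# indented by two spaces, and a name too long for the column sits alone.
SAMPLE = """\
Package                      Reason
-------                      ------
apt                          Accept suite name changes for repositories by
                             default (e.g. stable -> oldstable)
clamav                       New upstream stable release; fix denial of
                             service issue [CVE-2021-1405]
golang-github-docker-docker-credential-helpers
                             Fix double free issue [CVE-2019-1020014]
jackson-databind             Fix external entity expansion issue
                             [CVE-2020-25649] and several serialization-
                             related issues [CVE-2020-24616 CVE-2020-24750]
nvidia-graphics-drivers-     Fix improper access control vulnerability
  legacy-390xx               [CVE-2021-1076]; fix installation failure on
                             Linux 5.11 release candidates
"""


def _split_columns(line: str):
    """Split a table line into (package column, reason column) at the gap."""
    parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def _append(reason: str, fragment: str) -> str:
    """Join a wrapped reason line, re-gluing a word split at a hyphen."""
    if not reason or not fragment:
        return reason or fragment
    if len(reason) > 1 and reason.endswith("-") and reason[-2].isalnum():
        return reason + fragment  # e.g. "serialization-" + "related"
    return reason + " " + fragment


def parse_sua_table(text: str) -> Dict[str, str]:
    """Return {package: reason} for every row of a Package/Reason table."""
    entries: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        pkg, reason = _split_columns(line)
        if indent == 0 and (pkg == "Package" or set(pkg) == {"-"}):
            continue  # header row and its underline
        if indent == 0:
            current = pkg  # a name longer than the column has reason "" here
            entries[current] = reason
        elif current is None:
            raise ValueError(f"continuation line before any package: {line!r}")
        elif indent < REASON_COL:
            # text in the package column of an indented line: wrapped name
            renamed = current + pkg
            entries[renamed] = _append(entries.pop(current), reason)
            current = renamed
        else:
            entries[current] = _append(entries[current], line.strip())
    return entries


def cves_by_package(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each package to the CVE ids in its reason; rows without any are omitted."""
    found = {pkg: CVE_RE.findall(reason) for pkg, reason in entries.items()}
    return {pkg: ids for pkg, ids in found.items() if ids}


def relevant_fixes(entries: Dict[str, str], installed: List[str]) -> Dict[str, str]:
    """Keep the rows whose source package name appears in `installed`."""
    have = set(installed)
    return {pkg: reason for pkg, reason in entries.items() if pkg in have}


if __name__ == "__main__":
    table = parse_sua_table(SAMPLE)
    installed = ["apt", "clamav", "libxml2"]  # constructed, not read from dpkg
    for pkg, reason in relevant_fixes(table, installed).items():
        print(f"{pkg}: {reason}")
    for pkg, ids in cves_by_package(table).items():
        print(f"{pkg}: {', '.join(ids)}")
```

Two caveats when using this against a real host: the table names source packages, so compare it with `dpkg-query -W -f '${source:Package}\n' | sort -u` rather than with binary package names, and, as the announcement says, fixes that went out through security.debian.org are not in this table at all, so an empty intersection does not mean nothing changed.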
Attachment: signature.asc (This is a digitally signed message part)