----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 200-1 https://www.debian.org/
debian-release@lists.debian.org Adam D. Barratt
June 14th, 2021
----------------------------------------------------------------------------
Upcoming Debian 10 Update (10.10)
An update to Debian 10 is scheduled for Saturday, June 19th, 2021. As of now
it will include the following bug fixes. They can be found in
"buster-proposed-updates", which is carried by all official mirrors.
Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "buster-updates".
Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.
The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------
This stable update adds a few important corrections to the following
packages:
Package                   Reason
-------                   ------
apt                       Accept suite name changes for repositories by
                          default (e.g. stable -> oldstable)
awstats                   Fix remote file access issues [CVE-2020-29600
                          CVE-2020-35176]
base-files                Update /etc/debian_version for the 10.10 point
                          release
berusky2                  Fix segfault at startup
clamav                    New upstream stable release; fix denial of
                          service issue [CVE-2021-1405]
clevis                    Fix support for TPMs that only support SHA256
connman                   dnsproxy: Check the length of buffers before
                          memcpy [CVE-2021-33833]
crmsh                     Fix code execution issue [CVE-2020-35459]
dnspython                 XFR: do not attempt to compare to a
                          non-existent "expiration" value
dput-ng                   Fix crash in the sftp uploader in case of
                          EACCES from the server; update codenames; make
                          "dcut dm" work for non-uploading DMs; fix a
                          TypeError in http upload exception handling;
                          don't try and construct uploader email from
                          system hostname in .dak-commands files
eterm                     Fix code execution issue [CVE-2021-33477]
exactimage                Fix build with C++11 and OpenEXR 2.5.x
fig2dev                   Fix buffer overflow [CVE-2021-3561]; several
                          output fixes; rebuild testsuite during build
                          and in autopkgtest
fluidsynth                Fix use-after-free issue [CVE-2021-28421]
freediameter              Fix denial of service issue [CVE-2020-6098]
fwupd                     Fix generation of the vendor SBAT string; stop
                          using dpkg-dev in fwupd.preinst; new upstream
                          stable version
fwupd-amd64-signed        Sync with fwupd
fwupd-arm64-signed        Sync with fwupd
fwupd-armhf-signed        Sync with fwupd
fwupd-i386-signed         Sync with fwupd
fwupdate                  Improve SBAT support
fwupdate-amd64-signed     Sync with fwupdate
fwupdate-arm64-signed     Sync with fwupdate
fwupdate-armhf-signed     Sync with fwupdate
fwupdate-i386-signed      Sync with fwupdate
glib2.0                   Fix several integer overflow issues
                          [CVE-2021-27218 CVE-2021-27219]; fix a symlink
                          attack affecting file-roller [CVE-2021-28153]
gnutls28                  Fix null-pointer dereference issue
                          [CVE-2020-24659]; add several improvements to
                          memory reallocation
golang-github-docker-     Fix double free issue [CVE-2019-1020014]
docker-credential-
helpers
htmldoc                   Fix buffer overflow issues [CVE-2019-19630
                          CVE-2021-20308]
ipmitool                  Fix buffer overflow issues [CVE-2020-5208]
ircii                     Fix denial of service issue [CVE-2021-29376]
isc-dhcp                  Fix buffer overrun issue [CVE-2021-25217]
isync                     Reject funny mailbox names from IMAP LIST/LSUB
                          [CVE-2021-20247]; fix handling of unexpected
                          APPENDUID response code [CVE-2021-3578]
jackson-databind          Fix external entity expansion issue
                          [CVE-2020-25649] and several
                          serialization-related issues [CVE-2020-24616
                          CVE-2020-24750 CVE-2020-35490 CVE-2020-35491
                          CVE-2020-35728 CVE-2020-36179 CVE-2020-36180
                          CVE-2020-36181 CVE-2020-36182 CVE-2020-36183
                          CVE-2020-36184 CVE-2020-36185 CVE-2020-36186
                          CVE-2020-36187 CVE-2020-36188 CVE-2020-36189
                          CVE-2021-20190]
klibc                     malloc: Set errno on failure; fix several
                          overflow issues [CVE-2021-31873 CVE-2021-31870
                          CVE-2021-31872]; cpio: Fix possible crash on
                          64-bit systems [CVE-2021-31871]; {set,long}jmp
                          [s390x]: save/restore the correct FPU registers
libbusiness-us-usps-      Update to new US-USPS API
webtools-perl
libgcrypt20               Fix weak ElGamal encryption with keys not
                          generated by GnuPG/libgcrypt [CVE-2021-33560]
libgetdata                Fix use after free issue [CVE-2021-20204]
libmateweather            Adapt to renaming of America/Godthab to
                          America/Nuuk in tzdata
libxml2                   Fix out-of-bounds read in xmllint
                          [CVE-2020-24977]; fix use-after-free issues in
                          xmllint [CVE-2021-3516 CVE-2021-3518]; validate
                          UTF8 in xmlEncodeEntities [CVE-2021-3517];
                          propagate error in
                          xmlParseElementChildrenContentDeclPriv; fix
                          exponential entity expansion attack
                          [CVE-2021-3541]
liferea                   Fix compatibility with webkit2gtk >= 2.32
linux                     New upstream stable release; increase ABI to
                          17; [rt] Update to 4.19.193-rt81
linux-latest              Update to 4.19.0-17 ABI
mariadb-10.3              New upstream release; security fixes
                          [CVE-2021-2154 CVE-2021-2166 CVE-2021-27928];
                          fix Innotop support; ship
                          caching_sha2_password.so
mqtt-client               Fix denial of service issue [CVE-2019-0222]
mumble                    Fix remote code execution issue
                          [CVE-2021-27229]
mupdf                     Fix use-after-free issue [CVE-2020-16600] and
                          double free issue [CVE-2021-3407]
nmap                      Update included MAC prefix list
node-glob-parent          Fix regular expression denial of service issue
                          [CVE-2020-28469]
node-handlebars           Fix code execution issues [CVE-2019-20920
                          CVE-2021-23369]
node-hosted-git-info      Fix regular expression denial of service issue
                          [CVE-2021-23362]
node-redis                Fix regular expression denial of service issue
                          [CVE-2021-29469]
node-ws                   Fix regular expression-related denial of
                          service issue [CVE-2021-32640]
nvidia-graphics-drivers   Fix improper access control vulnerability
                          [CVE-2021-1076]
nvidia-graphics-drivers-  Fix improper access control vulnerability
legacy-390xx              [CVE-2021-1076]; fix installation failure on
                          Linux 5.11 release candidates
opendmarc                 Fix heap overflow issue [CVE-2020-12460]
openvpn                   Fix "illegal client float" issue
                          [CVE-2020-11810]; ensure key state is
                          authenticated before sending push reply
                          [CVE-2020-15078]; increase listen() backlog
                          queue to 32
php-horde-text-filter     Fix cross-site scripting issue [CVE-2021-26929]
plinth                    Use session to verify first boot welcome step
ruby-websocket-extensions Fix denial of service issue [CVE-2020-7663]
rust-rustyline            Fix build with newer rustc; reset timestamp on
                          .cargo-vcs-info.json to avoid a lintian
                          auto-reject
rxvt-unicode              Disable ESC G Q escape sequence
                          [CVE-2021-33477]
sabnzbdplus               Fix code execution vulnerability
                          [CVE-2020-13124]
scrollz                   Fix denial of service issue [CVE-2021-29376]
shim                      New upstream release; add SBAT support; fix
                          i386 binary relocations; don't call
                          QueryVariableInfo() on EFI 1.10 machines (e.g.
                          older Intel Macs); fix handling of ignore_db
                          and user_insecure_mode; add maintainer scripts
                          to the template packages to manage installing
                          and removing fbXXX.efi and mmXXX.efi when we
                          install/remove the shim-helpers-$arch-signed
                          packages; exit cleanly if installed on a
                          non-EFI system; don't fail if debconf calls
                          return errors
shim-helpers-amd64-signed Sync with shim
shim-helpers-arm64-signed Sync with shim
shim-helpers-i386-signed  Sync with shim
shim-signed               Update for new shim; multiple bugfixes in
                          postinst and postrm handling; provide unsigned
                          binaries for arm64 (see NEWS.Debian); exit
                          cleanly if installed on a non-EFI system; don't
                          fail if debconf calls return errors; fix
                          documentation links; add explicit
                          dependency from shim-signed to
                          shim-signed-common
speedtest-cli             Handle case where ignoreids is empty or
                          contains empty ids
tnef                      Fix buffer over-read issue [CVE-2019-18849]
uim                       libuim-data: Copy Breaks from uim-data, fixing
                          some upgrade scenarios
user-mode-linux           Rebuild against Linux kernel 4.19.194-1
velocity                  Fix potential arbitrary code execution issue
                          [CVE-2020-13936]
wml                       Fix regression in Unicode handling
xfce4-weather-plugin      Move to version 2.0 met.no API
A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:
<https://release.debian.org/proposed-updates/stable.html>
Removed packages
----------------
The following packages will be removed due to circumstances beyond our
control:
Package                   Reason
-------                   ------
sogo-connector            Incompatible with current Thunderbird versions
If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".