
[SUA 213-1] Upcoming Debian 10 Update (10.12)

----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 213-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
March 22nd, 2022
----------------------------------------------------------------------------

Upcoming Debian 10 Update (10.12)

An update to Debian 10 is scheduled for Saturday, March 26th, 2022. As of now
it will include the following bug fixes. They can be found in
"buster-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "buster-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.


Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following
packages:

  Package                    Reason
  -------                    ------

  apache-log4j1.2            Resolve security issues [CVE-2021-4104
                             CVE-2022-23302 CVE-2022-23305 CVE-2022-23307],
                             by removing support for the JMSSink,
                             JDBCAppender, JMSAppender and Apache Chainsaw
                             modules

  apache-log4j2              Fix remote code execution issue
                             [CVE-2021-44832]

  atftp                      Fix information leak issue [CVE-2021-46671]

  base-files                 Update for the 10.12 point release

  beads                      Rebuild against updated cimg to fix multiple
                             heap buffer overflows [CVE-2020-25693]

  btrbk                      Fix regression in the update for CVE-2021-38173

  cargo-mozilla              New package, backported from Debian 11, to help
                             build new rust versions

  chrony                     Allow reading the chronyd configuration file
                             that timemaster(8) generates

  cimg                       Fix heap buffer overflow issues
                             [CVE-2020-25693]

  clamav                     New upstream stable release; fix denial of
                             service issue [CVE-2022-20698]

  cups                       Fix "an input validation issue might allow a
                             malicious application to read restricted
                             memory" [CVE-2020-10001]

  detox                      Fix processing of large files on ARM
                             architectures

  evolution-data-server      Fix crash on malformed server response
                             [CVE-2020-16117]

  flac                       Fix out of bounds read issue [CVE-2020-0499]

  gerbv                      Fix code execution issue [CVE-2021-40391]

  glibc                      Import several fixes from upstream's stable
                             branch; simplify the check for supported kernel
                             versions, as 2.x kernels are no longer
                             supported; support installation on kernels with
                             a release number greater than 255

  gmp                        Fix integer and buffer overflow issue
                             [CVE-2021-43618]

  graphicsmagick             Fix buffer overflow issue [CVE-2020-12672]

  htmldoc                    Fix out-of-bounds read issue [CVE-2022-0534],
                             buffer overflow issues [CVE-2021-43579
                             CVE-2021-40985]

  http-parser                Resolve inadvertent ABI break

  icu                        Fix "pkgdata" utility

  intel-microcode            Update included microcode; mitigate some
                             security issues [CVE-2020-8694 CVE-2020-8695
                             CVE-2021-0127 CVE-2021-0145 CVE-2021-0146
                             CVE-2021-33120]

  jbig2dec                   Fix buffer overflow issue [CVE-2020-12268]

  jtharness                  New upstream version to support builds of newer
                             OpenJDK-11 versions

  jtreg                      New upstream version to support builds of newer
                             OpenJDK-11 versions

  lemonldap-ng               Fix auth process in password-testing plugins
                             [CVE-2021-20874]; add recommends on gsfonts,
                             fixing captcha

  leptonlib                  Fix denial of service issue [CVE-2020-36277],
                             buffer over-read issues [CVE-2020-36278
                             CVE-2020-36279 CVE-2020-36280 CVE-2020-36281]

  libdatetime-timezone-perl  Update included data

  libencode-perl             Fix a memory leak in Encode.xs

  libetpan                   Fix STARTTLS response injection issue
                             [CVE-2020-15953]

  libextractor               Fix invalid read issue [CVE-2019-15531]

  libjackson-json-java       Fix code execution issues [CVE-2017-15095
                             CVE-2017-7525], XML external entity issues
                             [CVE-2019-10172]

  libmodbus                  Fix out of bound read issues [CVE-2019-14462
                             CVE-2019-14463]

  libpcap                    Check PHB header length before using it to
                             allocate memory [CVE-2019-15165]

  libsdl1.2                  Properly handle input focus events; fix buffer
                             overflow issues [CVE-2019-13616 CVE-2019-7637],
                             buffer over-read issues [CVE-2019-7572
                             CVE-2019-7573 CVE-2019-7574 CVE-2019-7575
                             CVE-2019-7576 CVE-2019-7577 CVE-2019-7578
                             CVE-2019-7635 CVE-2019-7636 CVE-2019-7638]

  libxml2                    Fix use-after-free issue [CVE-2022-23308]

  linux                      New upstream stable release; [rt] Update to
                             4.19.233-rt105; increase ABI to 20

  linux-latest               Update to 4.19.0-20 ABI

  linux-signed-amd64         New upstream stable release; [rt] Update to
                             4.19.233-rt105; increase ABI to 20

  linux-signed-arm64         New upstream stable release; [rt] Update to
                             4.19.233-rt105; increase ABI to 20

  linux-signed-i386          New upstream stable release; [rt] Update to
                             4.19.233-rt105; increase ABI to 20

  llvm-toolchain-11          New package, backported from Debian 11, to help
                             build new rust versions

  lxcfs                      Fix misreporting of swap usage

  mailman                    Fix cross-site scripting issue
                             [CVE-2021-43331]; fix "a list moderator can
                             crack the list admin password encrypted in a
                             CSRF token" [CVE-2021-43332]; fix potential
                             CSRF attack against a list admin from a list
                             member or moderator [CVE-2021-44227]; fix
                             regressions in fixes for CVE-2021-42097 and
                             CVE-2021-44227

  mariadb-10.3               New upstream stable release; security fixes
                             [CVE-2021-35604 CVE-2021-46659 CVE-2021-46661
                             CVE-2021-46662 CVE-2021-46663 CVE-2021-46664
                             CVE-2021-46665 CVE-2021-46667 CVE-2021-46668
                             CVE-2022-24048 CVE-2022-24050 CVE-2022-24051
                             CVE-2022-24052]

  node-getobject             Fix prototype pollution issue [CVE-2020-28282]

  opensc                     Fix out-of-bounds access issues [CVE-2019-15945
                             CVE-2019-15946], crash due to read of unknown
                             memory [CVE-2019-19479], double free issue
                             [CVE-2019-20792], buffer overflow issues
                             [CVE-2020-26570 CVE-2020-26571 CVE-2020-26572]

  openscad                   Fix buffer overflows in STL parser
                             [CVE-2020-28599 CVE-2020-28600]

  openssl                    New upstream release

  php-illuminate-database    Fix query binding issue [CVE-2021-21263], SQL
                             injection issue when used with Microsoft SQL
                             Server

  phpliteadmin               Fix cross-site scripting issue [CVE-2021-46709]

  plib                       Fix integer overflow issue [CVE-2021-38714]

  privoxy                    Fix memory leak [CVE-2021-44540] and cross-site
                             scripting issue [CVE-2021-44543]

  publicsuffix               Update included data

  python-virtualenv          Avoid attempting to install pkg_resources from
                             PyPI

  raptor2                    Fix out of bounds array access issue
                             [CVE-2020-25713]

  ros-ros-comm               Fix denial of service issue [CVE-2021-37146]

  rsyslog                    Fix heap overflow issues [CVE-2019-17041
                             CVE-2019-17042]

  ruby-httpclient            Use system certificate store

  rust-cbindgen              New upstream stable release to support building
                             of newer firefox-esr and thunderbird versions

  rustc-mozilla              New source package to support building of newer
                             firefox-esr and thunderbird versions; fix armel
                             build; fix i386 build by disabling Windows
                             build

  spip                       Fix cross-site scripting issue

  tzdata                     Update data for Fiji and Palestine

  vim                        Fix ability to execute code while in restricted
                             mode [CVE-2019-20807], buffer overflow issues
                             [CVE-2021-3770 CVE-2021-3778 CVE-2021-3875],
                             use after free issue [CVE-2021-3796]; remove
                             accidentally included patch

  wavpack                    Fix use of uninitialized values
                             [CVE-2019-1010317 CVE-2019-1010319]

  weechat                    Fix several denial of service issues
                             [CVE-2020-8955 CVE-2020-9759 CVE-2020-9760
                             CVE-2021-40516]

  wireshark                  Fix several security issues in dissectors
                             [CVE-2021-22207 CVE-2021-22235 CVE-2021-39921
                             CVE-2021-39922 CVE-2021-39923 CVE-2021-39924
                             CVE-2021-39928 CVE-2021-39929]

  xterm                      Fix buffer overflow issue [CVE-2022-24130]

  zziplib                    Fix denial of service issue [CVE-2020-18442]


A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/oldstable.html>


Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

  Package                    Reason
  -------                    ------

  angular-maven-plugin       No longer useful

  minify-maven-plugin        No longer useful


If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
