diff options
author | Laura Arjona Reina <larjona@debian.org> | 2020-05-09 14:17:44 +0200 |
---|---|---|
committer | Laura Arjona Reina <larjona@debian.org> | 2020-05-09 14:17:44 +0200 |
commit | 6547bb7720bfba1c2481b95c44642a4a6d3df030 (patch) | |
tree | 54325f8dbf744100d1a69ba0525a35f90d98149e /english | |
parent | 0c45c9ed51689249d28ab5675cefa3a6c3c97dae (diff) |
Add English announcement for point release 10.3
Diffstat (limited to 'english')
-rw-r--r-- | english/News/2020/20200509.wml | 307 |
1 files changed, 307 insertions, 0 deletions
diff --git a/english/News/2020/20200509.wml b/english/News/2020/20200509.wml new file mode 100644 index 00000000000..4cad9514b20 --- /dev/null +++ b/english/News/2020/20200509.wml @@ -0,0 +1,307 @@ +<define-tag pagetitle>Updated Debian 10: 10.4 released</define-tag> +<define-tag release_date>2020-05-09</define-tag> +#use wml::debian::news +# $Id: + +<define-tag release>10</define-tag> +<define-tag codename>buster</define-tag> +<define-tag revision>10.4</define-tag> + +<define-tag dsa> + <tr><td align="center"><a href="$(HOME)/security/%0/dsa-%1">DSA-%1</a></td> + <td align="center"><: + my @p = (); + for my $p (split (/,\s*/, "%2")) { + push (@p, sprintf ('<a href="https://packages.debian.org/src:%s">%s</a>', $p, $p)); + } + print join (", ", @p); +:></td></tr> +</define-tag> + +<define-tag correction> + <tr><td><a href="https://packages.debian.org/src:%0">%0</a></td> <td>%1</td></tr> +</define-tag> + +<define-tag srcpkg><a href="https://packages.debian.org/src:%0">%0</a></define-tag> + +<p>The Debian project is pleased to announce the fourth update of its +stable distribution Debian <release> (codename <q><codename></q>). +This point release mainly adds corrections for security issues, +along with a few adjustments for serious problems. Security advisories +have already been published separately and are referenced where available.</p> + +<p>Please note that the point release does not constitute a new version of Debian +<release> but only updates some of the packages included. There is +no need to throw away old <q><codename></q> media. After installation, +packages can be upgraded to the current versions using an up-to-date Debian +mirror.</p> + +<p>Those who frequently install updates from security.debian.org won't have +to update many packages, and most such updates are +included in the point release.</p> + +<p>New installation images will be available soon at the regular locations.</p> + +<p>Upgrading an existing installation to this revision can be achieved by +pointing the package management system at one of Debian's many HTTP mirrors. +A comprehensive list of mirrors is available at:</p> + +<div class="center"> + <a href="$(HOME)/mirror/list">https://www.debian.org/mirror/list</a> +</div> + + + + +<h2>Miscellaneous Bugfixes</h2> + +<p>This stable update adds a few important corrections to the following packages:</p> + +<table border=0> +<tr><th>Package</th> <th>Reason</th></tr> +<correction apt-cacher-ng "Enforce secured call to the server in maintenance job triggering [CVE-2020-5202]; allow .zst compression for tarballs; increase size of the decompression line buffer for configuration file reading"> +<correction backuppc "Pass the username to start-stop-daemon when reloading, preventing reload failures"> +<correction base-files "Update for the point release"> +<correction brltty "Reduce severity of log message to avoid generating too many messages when used with new Orca versions"> +<correction checkstyle "Fix XML External Entity injection issue [CVE-2019-9658 CVE-2019-10782]"> +<correction choose-mirror "Update included mirror list"> +<correction clamav "New upstream release [CVE-2020-3123]"> +<correction corosync "totemsrp: Reduce MTU to avoid generating oversized packets"> +<correction corosync-qdevice "Fix service startup"> +<correction csync2 "Fail HELLO command when SSL is required"> +<correction cups "Fix heap buffer overflow [CVE-2020-3898] and <q>the `ippReadIO` function may under-read an extension field</q> [CVE-2019-8842]"> +<correction dav4tbsync "New upstream release, restoring compatibility with newer Thunderbird versions"> +<correction debian-edu-config "Add policy files for Firefox ESR and Thunderbird to fix the TLS/SSL setup"> +<correction debian-installer "Update for the 4.19.0-9 kernel ABI"> +<correction debian-installer-netboot-images "Rebuild against proposed-updates"> +<correction debian-security-support "New upstream stable release; update status of several packages; use <q>runuser</q> rather than <q>su</q>"> +<correction distro-info-data "Add Ubuntu 20.10, and likely end of support date for stretch"> +<correction dojo "Fix improper regular expression usage [CVE-2019-10785]"> +<correction dpdk "New upstream stable release"> +<correction dtv-scan-tables "New upstream snapshot; add all current German DVB-T2 muxes and the Eutelsat-5-West-A satellite"> +<correction eas4tbsync "New upstream release, restoring compatibility with newer Thunderbird versions"> +<correction edk2 "Security fixes [CVE-2019-14558 CVE-2019-14559 CVE-2019-14563 CVE-2019-14575 CVE-2019-14586 CVE-2019-14587]"> +<correction el-api "Fix stretch to buster upgrades that involve Tomcat 8"> +<correction fex "Fix a potential security issue in fexsrv"> +<correction filezilla "Fix untrusted search path vulnerability [CVE-2019-5429]"> +<correction frr "Fix extended next hop capability"> +<correction fuse "Remove outdated udevadm commands from post-install scripts; don't explicitly remove fuse.conf on purge"> +<correction fuse3 "Remove outdated udevadm commands from post-install scripts; don't explicitly remove fuse.conf on purge; fix memory leak in fuse_session_new()"> +<correction golang-github-prometheus-common "Extend validity of test certificates"> +<correction gosa "Replace (un)serialize with json_encode/json_decode to mitigate PHP object injection [CVE-2019-14466]"> +<correction hbci4java "Support EU directive on payment services (PSD2)"> +<correction hibiscus "Support EU directive on payment services (PSD2)"> +<correction iputils "Correct an issue in which ping would improperly exit with a failure code when there were untried addresses still available in the getaddrinfo() library call return value"> +<correction ircd-hybrid "Use dhparam.pem to avoid crash on startup"> +<correction jekyll "Allow use of ruby-i18n 0.x and 1.x"> +<correction jsp-api "Fix stretch to buster upgrades that involve Tomcat 8"> +<correction lemonldap-ng "Prevent unwanted access to administration endpoints [CVE-2019-19791]; fix the GrantSession plugin which could not prohibit logon when two factor authentication was used; fix arbitrary redirects with OIDC if redirect_uri was not used"> +<correction libdatetime-timezone-perl "Update included data"> +<correction libreoffice "Fix OpenGL slide transitions"> +<correction libssh "Fix possible denial of service issue when handling AES-CTR keys with OpenSSL [CVE-2020-1730]"> +<correction libvncserver "Fix heap overflow [CVE-2019-15690]"> +<correction linux "New upstream stable release"> +<correction linux-latest "Update kernel ABI to 4.19.0-9"> +<correction linux-signed-amd64 "New upstream stable release"> +<correction linux-signed-arm64 "New upstream stable release"> +<correction linux-signed-i386 "New upstream stable release"> +<correction lwip "Fix buffer overflow [CVE-2020-8597]"> +<correction lxc-templates "New upstream stable release; handle languages that are only UTF-8 encoded"> +<correction manila "Fix missing access permissions check [CVE-2020-9543]"> +<correction megatools "Add support for the new format of mega.nz links"> +<correction mew "Fix server SSL certificate validity checking"> +<correction mew-beta "Fix server SSL certificate validity checking"> +<correction mkvtoolnix "Rebuild to tighten libmatroska6v5 dependency"> +<correction ncbi-blast+ "Disable SSE4.2 support"> +<correction node-anymatch "Remove unnecessary dependencies"> +<correction node-dot "Prevent code execution after prototype pollution [CVE-2020-8141]"> +<correction node-dot-prop "Fix prototype pollution [CVE-2020-8116]"> +<correction node-knockout "Fix escaping with older Internet Explorer versions [CVE-2019-14862]"> +<correction node-mongodb "Reject invalid _bsontypes [CVE-2019-2391 CVE-2020-7610]"> +<correction node-yargs-parser "Fix prototype pollution [CVE-2020-7608]"> +<correction npm "Fix arbitrary path access [CVE-2019-16775 CVE-2019-16776 CVE-2019-16777]"> +<correction nvidia-graphics-drivers "New upstream stable release"> +<correction nvidia-graphics-drivers-legacy-390xx "New upstream stable release"> +<correction nvidia-settings-legacy-340xx "New upstream release"> +<correction oar "Revert to stretch behavior for Storable::dclone perl function, fixing recursion depth issues"> +<correction opam "Prefer mccs over aspcud"> +<correction openvswitch "Fix vswitchd abort when a port is added and the controller is down"> +<correction orocos-kdl "Fix string conversion with Python 3"> +<correction owfs "Remove broken Python 3 packages"> +<correction pango1.0 "Fix crash in pango_fc_font_key_get_variations() when key is null"> +<correction pgcli "Add missing dependency on python3-pkg-resources"> +<correction php-horde-data "Fix authenticated remote code execution vulnerability [CVE-2020-8518]"> +<correction php-horde-form "Fix authenticated remote code execution vulnerability [CVE-2020-8866]"> +<correction php-horde-trean "Fix authenticated remote code execution vulnerability [CVE-2020-8865]"> +<correction postfix "New upstream stable release; fix panic with Postfix multi-Milter configuration during MAIL FROM; fix d/init.d running change so it works with multi-instance again"> +<correction proftpd-dfsg "Fix memory access issue in keyboard-interative code in mod_sftp; properly handle DEBUG, IGNORE, DISCONNECT, and UNIMPLEMENTED messages in keyboard-interactive mode"> +<correction puma "Fix Denial of Service issue [CVE-2019-16770]"> +<correction purple-discord "Fix crashes in ssl_nss_read"> +<correction python-oslo.utils "Fix leak of sensitive information via mistral logs [CVE-2019-3866]"> +<correction rails "Fix possible cross-site scripting via Javascript escape helper [CVE-2020-5267]"> +<correction rake "Fix command injection vulnerability [CVE-2020-8130]"> +<correction raspi3-firmware "Fix dtb names mismatch in z50-raspi-firmware; fix boot on Raspberry Pi families 1 and 0"> +<correction resource-agents "Fix <q>ethmonitor does not list interfaces without assigned IP address</q>; remove no longer required xen-toolstack patch; fix non-standard usage in ZFS agent"> +<correction rootskel "Disable multiple console support if preseeding is in use"> +<correction ruby-i18n "Fix gemspec generation"> +<correction rubygems-integration "Avoid deprecation warnings when users install a newer version of Rubygems via <q>gem update --system</q>"> +<correction schleuder "Improve patch to handle encoding errors introduced in the previous version; switch default encoding to UTF-8; let x-add-key handle mails with attached, quoted-printable encoded keys; fix x-attach-listkey with mails created by Thunderbird that include protected headers"> +<correction scilab "Fix library loading with OpenJDK 11.0.7"> +<correction serverspec-runner "Support Ruby 2.5"> +<correction softflowd "Fix broken flow aggregation which might result in flow table overflow and 100% CPU usage"> +<correction speech-dispatcher "Fix default pulseaudio latency which triggers <q>scratchy</q> output"> +<correction spl-linux "Fix deadlock"> +<correction sssd "Fix sssd_be busy-looping when LDAP connection is intermittent"> +<correction systemd "when authorizing via PolicyKit re-resolve callback/userdata instead of caching it [CVE-2020-1712]; install 60-block.rules in udev-udeb and initramfs-tools"> +<correction taglib "Fix corruption issues with OGG files"> +<correction tbsync "New upstream release, restoring compatibility with newer Thunderbird versions"> +<correction timeshift "Fix predictable temporary directory use [CVE-2020-10174]"> +<correction tinyproxy "Only set PIDDIR, if PIDFILE is a non-zero length string"> +<correction tzdata "New upstream stable release"> +<correction uim "unregister modules that are not installed, fixing a regression in the previous upload"> +<correction user-mode-linux "Fix build failure with current stable kernels"> +<correction vite "Fix crash when there are more than 32 elements"> +<correction waagent "New upstream release; support co-installation with cloud-init"> +<correction websocket-api "Fix stretch to buster upgrades that involve Tomcat 8"> +<correction wpa "Do not try to detect PSK mismatch during PTK rekeying; check for FT support when selecting FT suites; fix MAC randomisation issue with some cards"> +<correction xdg-utils "xdg-open: fix pcmanfm check and handling of directories with spaces in their names; xdg-screensaver: Sanitise window name before sending it over D-Bus; xdg-mime: Create config directory if it does not exist yet"> +<correction xtrlock "Fix blocking of (some) multitouch devices while locked [CVE-2016-10894]"> +<correction zfs-linux "Fix potential deadlock issues"> +</table> + + +<h2>Security Updates</h2> + + +<p>This revision adds the following security updates to the stable release. +The Security Team has already released an advisory for each of these +updates:</p> + +<table border=0> +<tr><th>Advisory ID</th> <th>Package</th></tr> +<dsa 2020 4616 qemu> +<dsa 2020 4617 qtbase-opensource-src> +<dsa 2020 4618 libexif> +<dsa 2020 4619 libxmlrpc3-java> +<dsa 2020 4620 firefox-esr> +<dsa 2020 4623 postgresql-11> +<dsa 2020 4624 evince> +<dsa 2020 4625 thunderbird> +<dsa 2020 4627 webkit2gtk> +<dsa 2020 4629 python-django> +<dsa 2020 4630 python-pysaml2> +<dsa 2020 4631 pillow> +<dsa 2020 4632 ppp> +<dsa 2020 4633 curl> +<dsa 2020 4634 opensmtpd> +<dsa 2020 4635 proftpd-dfsg> +<dsa 2020 4636 python-bleach> +<dsa 2020 4637 network-manager-ssh> +<dsa 2020 4638 chromium> +<dsa 2020 4639 firefox-esr> +<dsa 2020 4640 graphicsmagick> +<dsa 2020 4641 webkit2gtk> +<dsa 2020 4642 thunderbird> +<dsa 2020 4643 python-bleach> +<dsa 2020 4644 tor> +<dsa 2020 4645 chromium> +<dsa 2020 4646 icu> +<dsa 2020 4647 bluez> +<dsa 2020 4648 libpam-krb5> +<dsa 2020 4649 haproxy> +<dsa 2020 4650 qbittorrent> +<dsa 2020 4651 mediawiki> +<dsa 2020 4652 gnutls28> +<dsa 2020 4653 firefox-esr> +<dsa 2020 4654 chromium> +<dsa 2020 4655 firefox-esr> +<dsa 2020 4656 thunderbird> +<dsa 2020 4657 git> +<dsa 2020 4658 webkit2gtk> +<dsa 2020 4659 git> +<dsa 2020 4660 awl> +<dsa 2020 4661 openssl> +<dsa 2020 4663 python-reportlab> +<dsa 2020 4664 mailman> +<dsa 2020 4665 qemu> +<dsa 2020 4666 openldap> +<dsa 2020 4667 linux-signed-amd64> +<dsa 2020 4667 linux-signed-arm64> +<dsa 2020 4667 linux-signed-i386> +<dsa 2020 4667 linux> +<dsa 2020 4669 nodejs> +<dsa 2020 4671 vlc> +<dsa 2020 4672 trafficserver> +</table> + + +<h2>Removed packages</h2> + +<p>The following packages were removed due to circumstances beyond our control:</p> + +<table border=0> +<tr><th>Package</th> <th>Reason</th></tr> +<correction getlive "Broken due to Hotmail changes"> +<correction gplaycli "Broken by Google API changes"> +<correction kerneloops "Upstream service no longer available"> +<correction lambda-align2 "[arm64 armel armhf i386 mips64el ppc64el s390x] Broken on non-amd64 architectures"> +<correction libmicrodns "Security issues"> +<correction libperlspeak-perl "Security issues; unmaintained"> +<correction quotecolors "Incompatible with newer Thunderbird versions"> +<correction torbirdy "Incompatible with newer Thunderbird versions"> +<correction ugene "Non-free; fails to build"> +<correction yahoo2mbox "Broken for several years"> + +</table> + +<h2>Debian Installer</h2> +<p>The installer has been updated to include the fixes incorporated +into stable by the point release.</p> + +<h2>URLs</h2> + +<p>The complete lists of packages that have changed with this revision:</p> + +<div class="center"> + <url "http://ftp.debian.org/debian/dists/<downcase <codename>>/ChangeLog"> +</div> + +<p>The current stable distribution:</p> + +<div class="center"> + <url "http://ftp.debian.org/debian/dists/stable/"> +</div> + +<p>Proposed updates to the stable distribution:</p> + +<div class="center"> + <url "http://ftp.debian.org/debian/dists/proposed-updates"> +</div> + +<p>stable distribution information (release notes, errata etc.):</p> + +<div class="center"> + <a + href="$(HOME)/releases/stable/">https://www.debian.org/releases/stable/</a> +</div> + +<p>Security announcements and information:</p> + +<div class="center"> + <a href="$(HOME)/security/">https://www.debian.org/security/</a> +</div> + +<h2>About Debian</h2> + +<p>The Debian Project is an association of Free Software developers who +volunteer their time and effort in order to produce the completely +free operating system Debian.</p> + +<h2>Contact Information</h2> + +<p>For further information, please visit the Debian web pages at +<a href="$(HOME)/">https://www.debian.org/</a>, send mail to +<press@debian.org>, or contact the stable release team at +<debian-release@lists.debian.org>.</p> + + |