1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
|
#use wml::debian::translation-check translation="e381a4552e96e017684cf783d08d728d9ad833af" maintainer="galaxico"
<define-tag pagetitle>Updated Debian 10: 10.10 released</define-tag>
<define-tag release_date>2021-06-19</define-tag>
#use wml::debian::news
<define-tag release>10</define-tag>
<define-tag codename>buster</define-tag>
<define-tag revision>10.10</define-tag>
<define-tag dsa>
<tr><td align="center"><a href="$(HOME)/security/%0/dsa-%1">DSA-%1</a></td>
<td align="center"><:
my @p = ();
for my $p (split (/,\s*/, "%2")) {
push (@p, sprintf ('<a href="https://packages.debian.org/src:%s">%s</a>', $p, $p));
}
print join (", ", @p);
:></td></tr>
</define-tag>
<define-tag correction>
<tr><td><a href="https://packages.debian.org/src:%0">%0</a></td> <td>%1</td></tr>
</define-tag>
<define-tag srcpkg><a href="https://packages.debian.org/src:%0">%0</a></define-tag>
<p>The Debian project is pleased to announce the tenth update of its
stable distribution Debian <release> (codename <q><codename></q>).
This point release mainly adds corrections for security issues,
along with a few adjustments for serious problems. Security advisories
have already been published separately and are referenced where available.</p>
<p>Please note that the point release does not constitute a new version of Debian
<release> but only updates some of the packages included. There is
no need to throw away old <q><codename></q> media. After installation,
packages can be upgraded to the current versions using an up-to-date Debian
mirror.</p>
<p>Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are
included in the point release.</p>
<p>New installation images will be available soon at the regular locations.</p>
<p>Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP mirrors.
A comprehensive list of mirrors is available at:</p>
<div class="center">
<a href="$(HOME)/mirror/list">https://www.debian.org/mirror/list</a>
</div>
<h2>Miscellaneous Bugfixes</h2>
<p>This stable update adds a few important corrections to the following packages:</p>
<table border=0>
<tr><th>Package</th> <th>Reason</th></tr>
<correction apt "Accept suite name changes for repositories by default (e.g. stable -> oldstable)">
<correction awstats "Fix remote file access issues [CVE-2020-29600 CVE-2020-35176]">
<correction base-files "Update /etc/debian_version for the 10.10 point release">
<correction berusky2 "Fix segfault at startup">
<correction clamav "New upstream stable release; fix denial of security issue [CVE-2021-1405]">
<correction clevis "Fix support for TPMs that only support SHA256">
<correction connman "dnsproxy: Check the length of buffers before memcpy [CVE-2021-33833]">
<correction crmsh "Fix code execution issue [CVE-2020-35459]">
<correction debian-installer "Use 4.19.0-17 Linux kernel ABI">
<correction debian-installer-netboot-images "Rebuild against proposed-updates">
<correction dnspython "XFR: do not attempt to compare to a non-existent <q>expiration</q> value">
<correction dput-ng "Fix crash in the sftp uploader in case of EACCES from the server; update codenames; make <q>dcut dm</q> work for non-uploading DDs; fix a TypeError in http upload exception handling; don't try and construct uploader email from system hostname in .dak-commands files">
<correction eterm "Fix code execution issue [CVE-2021-33477]">
<correction exactimage "Fix build with C++11 and OpenEXR 2.5.x">
<correction fig2dev "Fix buffer overflow [CVE-2021-3561]; several output fixes; rebuild testsuite during build and in autopkgtest">
<correction fluidsynth "Fix use-after-free issue [CVE-2021-28421]">
<correction freediameter "Fix denial of service issue [CVE-2020-6098]">
<correction fwupd "Fix generation of the vendor SBAT string; stop using dpkg-dev in fwupd.preinst; new upstream stable version">
<correction fwupd-amd64-signed "Sync with fwupd">
<correction fwupd-arm64-signed "Sync with fwupd">
<correction fwupd-armhf-signed "Sync with fwupd">
<correction fwupd-i386-signed "Sync with fwupd">
<correction fwupdate "Improve SBAT support">
<correction fwupdate-amd64-signed "Sync with fwupdate">
<correction fwupdate-arm64-signed "Sync with fwupdate">
<correction fwupdate-armhf-signed "Sync with fwupdate">
<correction fwupdate-i386-signed "Sync with fwupdate">
<correction glib2.0 "Fix several integer overflow issues [CVE-2021-27218 CVE-2021-27219]; fix a symlink attack affecting file-roller [CVE-2021-28153]">
<correction gnutls28 "Fix null-pointer dereference issue [CVE-2020-24659]; add several improvements to memory reallocation">
<correction golang-github-docker-docker-credential-helpers "Fix double free issue [CVE-2019-1020014]">
<correction htmldoc "Fix buffer overflow issues [CVE-2019-19630 CVE-2021-20308]">
<correction ipmitool "Fix buffer overflow issues [CVE-2020-5208]">
<correction ircii "Fix denial of service issue [CVE-2021-29376]">
<correction isc-dhcp "Fix buffer overrun issue [CVE-2021-25217]">
<correction isync "Reject <q>funny</q> mailbox names from IMAP LIST/LSUB [CVE-2021-20247]; fix handling of unexpected APPENDUID response code [CVE-2021-3578]">
<correction jackson-databind "Fix external entity expansion issue [CVE-2020-25649] and several serialization-related issues [CVE-2020-24616 CVE-2020-24750 CVE-2020-35490 CVE-2020-35491 CVE-2020-35728 CVE-2020-36179 CVE-2020-36180 CVE-2020-36181 CVE-2020-36182 CVE-2020-36183 CVE-2020-36184 CVE-2020-36185 CVE-2020-36186 CVE-2020-36187 CVE-2020-36188 CVE-2020-36189 CVE-2021-20190]">
<correction klibc "malloc: Set errno on failure; fix several overflow issues [CVE-2021-31873 CVE-2021-31870 CVE-2021-31872]; cpio: Fix possible crash on 64-bit systems [CVE-2021-31871]; {set,long}jmp [s390x]: save/restore the correct FPU registers">
<correction libbusiness-us-usps-webtools-perl "Update to new US-USPS API">
<correction libgcrypt20 "Fix weak ElGamal encryption with keys not generated by GnuPG/libgcrypt [CVE-2021-33560]">
<correction libgetdata "Fix use after free issue [CVE-2021-20204]">
<correction libmateweather "Adapt to renaming of America/Godthab to America/Nuuk in tzdata">
<correction libxml2 "Fix out-of-bounds read in xmllint [CVE-2020-24977]; fix use-after-free issues in xmllint [CVE-2021-3516 CVE-2021-3518]; validate UTF8 in xmlEncodeEntities [CVE-2021-3517]; propagate error in xmlParseElementChildrenContentDeclPriv; fix exponential entity expansion attack [CVE-2021-3541]">
<correction liferea "Fix compatibility with webkit2gtk >= 2.32">
<correction linux "New upstream stable release; increase ABI to 17; [rt] Update to 4.19.193-rt81">
<correction linux-latest "Update to 4.19.0-17 ABI">
<correction linux-signed-amd64 "New upstream stable release; increase ABI to 17; [rt] Update to 4.19.193-rt81">
<correction linux-signed-arm64 "New upstream stable release; increase ABI to 17; [rt] Update to 4.19.193-rt81">
<correction linux-signed-i386 "New upstream stable release; increase ABI to 17; [rt] Update to 4.19.193-rt81">
<correction mariadb-10.3 "New upstream release; security fixes [CVE-2021-2154 CVE-2021-2166 CVE-2021-27928]; fix Innotop support; ship caching_sha2_password.so">
<correction mqtt-client "Fix denial of service issue [CVE-2019-0222]">
<correction mumble "Fix remote code execution issue [CVE-2021-27229]">
<correction mupdf "Fix use-after-free issue [CVE-2020-16600] and double free issue [CVE-2021-3407]">
<correction nmap "Update included MAC prefix list">
<correction node-glob-parent "Fix regular expression denial of service issue [CVE-2020-28469]">
<correction node-handlebars "Fix code execution issues [CVE-2019-20920 CVE-2021-23369]">
<correction node-hosted-git-info "Fix regular expression denial of service issue [CVE-2021-23362]">
<correction node-redis "Fix regular expression denial of service issue [CVE-2021-29469]">
<correction node-ws "Fix regular expression-related denial of service issue [CVE-2021-32640]">
<correction nvidia-graphics-drivers "Fix improper access control vulnerability [CVE-2021-1076]">
<correction nvidia-graphics-drivers-legacy-390xx "Fix improper access control vulnerability [CVE-2021-1076]; fix installation failure on Linux 5.11 release candidates">
<correction opendmarc "Fix heap overflow issue [CVE-2020-12460]">
<correction openvpn "Fix <q>illegal client float</q> issue [CVE-2020-11810]; ensure key state is authenticated before sending push reply [CVE-2020-15078]; increase listen() backlog queue to 32">
<correction php-horde-text-filter "Fix cross-site scripting issue [CVE-2021-26929]">
<correction plinth "Use session to verify first boot welcome step">
<correction ruby-websocket-extensions "Fix denial of service issue [CVE-2020-7663]">
<correction rust-rustyline "Fix build with newer rustc">
<correction rxvt-unicode "Disable ESC G Q escape sequence [CVE-2021-33477]">
<correction sabnzbdplus "Fix code execution vulnerability [CVE-2020-13124]">
<correction scrollz "Fix denial of service issue [CVE-2021-29376]">
<correction shim "New upstream release; add SBAT support; fix i386 binary relocations; don't call QueryVariableInfo() on EFI 1.10 machines (e.g. older Intel Macs); fix handling of ignore_db and user_insecure_mode; add maintainer scripts to the template packages to manage installing and removing fbXXX.efi and mmXXX.efi when we install/remove the shim-helpers-$arch-signed packages; exit cleanly if installed on a non-EFI system; don't fail if debconf calls return errors">
<correction shim-helpers-amd64-signed "Sync with shim">
<correction shim-helpers-arm64-signed "Sync with shim">
<correction shim-helpers-i386-signed "Sync with shim">
<correction shim-signed "Update for new shim; multiple bugfixes in postinst and postrm handling; provide unsigned binaries for arm64 (see NEWS.Debian); exit cleanly if installed on a non-EFI system; don't fail if debconf calls return errors; fix documentation links; build against shim-unsigned 15.4-5~deb10u1; add explicit dependency from shim-signed to shim-signed-common">
<correction speedtest-cli "Handle case where <q>ignoreids</q> is empty or contains empty ids">
<correction tnef "Fix buffer over-read issue [CVE-2019-18849]">
<correction uim "libuim-data: Copy <q>Breaks</q> from uim-data, fixing some upgrade scenarios">
<correction user-mode-linux "Rebuild against Linux kernel 4.19.194-1">
<correction velocity "Fix potential arbitrary code execution issue [CVE-2020-13936]">
<correction wml "Fix regression in Unicode handling">
<correction xfce4-weather-plugin "Move to version 2.0 met.no API">
</table>
<h2>Security Updates</h2>
<p>This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:</p>
<table border=0>
<tr><th>Advisory ID</th> <th>Package</th></tr>
<dsa 2021 4848 golang-1.11>
<dsa 2021 4865 docker.io>
<dsa 2021 4873 squid>
<dsa 2021 4874 firefox-esr>
<dsa 2021 4875 openssl>
<dsa 2021 4877 webkit2gtk>
<dsa 2021 4878 pygments>
<dsa 2021 4879 spamassassin>
<dsa 2021 4880 lxml>
<dsa 2021 4881 curl>
<dsa 2021 4882 openjpeg2>
<dsa 2021 4883 underscore>
<dsa 2021 4884 ldb>
<dsa 2021 4885 netty>
<dsa 2021 4886 chromium>
<dsa 2021 4887 lib3mf>
<dsa 2021 4888 xen>
<dsa 2021 4889 mediawiki>
<dsa 2021 4890 ruby-kramdown>
<dsa 2021 4891 tomcat9>
<dsa 2021 4892 python-bleach>
<dsa 2021 4893 xorg-server>
<dsa 2021 4894 php-pear>
<dsa 2021 4895 firefox-esr>
<dsa 2021 4896 wordpress>
<dsa 2021 4898 wpa>
<dsa 2021 4899 openjdk-11-jre-dcevm>
<dsa 2021 4899 openjdk-11>
<dsa 2021 4900 gst-plugins-good1.0>
<dsa 2021 4901 gst-libav1.0>
<dsa 2021 4902 gst-plugins-bad1.0>
<dsa 2021 4903 gst-plugins-base1.0>
<dsa 2021 4904 gst-plugins-ugly1.0>
<dsa 2021 4905 shibboleth-sp>
<dsa 2021 4907 composer>
<dsa 2021 4908 libhibernate3-java>
<dsa 2021 4909 bind9>
<dsa 2021 4910 libimage-exiftool-perl>
<dsa 2021 4912 exim4>
<dsa 2021 4913 hivex>
<dsa 2021 4914 graphviz>
<dsa 2021 4915 postgresql-11>
<dsa 2021 4916 prosody>
<dsa 2021 4918 ruby-rack-cors>
<dsa 2021 4919 lz4>
<dsa 2021 4920 libx11>
<dsa 2021 4921 nginx>
<dsa 2021 4922 hyperkitty>
<dsa 2021 4923 webkit2gtk>
<dsa 2021 4924 squid>
<dsa 2021 4925 firefox-esr>
<dsa 2021 4926 lasso>
<dsa 2021 4928 htmldoc>
<dsa 2021 4929 rails>
<dsa 2021 4930 libwebp>
</table>
<h2>Removed packages</h2>
<p>The following packages were removed due to circumstances beyond our control:</p>
<table border=0>
<tr><th>Package</th> <th>Reason</th></tr>
<correction sogo-connector "Incompatible with current Thunderbird versions">
</table>
<h2>Debian Installer</h2>
<p>The installer has been updated to include the fixes incorporated
into stable by the point release.</p>
<h2>URLs</h2>
<p>The complete lists of packages that have changed with this revision:</p>
<div class="center">
<url "http://ftp.debian.org/debian/dists/<downcase <codename>>/ChangeLog">
</div>
<p>The current stable distribution:</p>
<div class="center">
<url "http://ftp.debian.org/debian/dists/stable/">
</div>
<p>Proposed updates to the stable distribution:</p>
<div class="center">
<url "http://ftp.debian.org/debian/dists/proposed-updates">
</div>
<p>stable distribution information (release notes, errata etc.):</p>
<div class="center">
<a
href="$(HOME)/releases/stable/">https://www.debian.org/releases/stable/</a>
</div>
<p>Security announcements and information:</p>
<div class="center">
<a href="$(HOME)/security/">https://www.debian.org/security/</a>
</div>
<h2>About Debian</h2>
<p>The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely
free operating system Debian.</p>
<h2>Contact Information</h2>
<p>For further information, please visit the Debian web pages at
<a href="$(HOME)/">https://www.debian.org/</a>, send mail to
<press@debian.org>, or contact the stable release team at
<debian-release@lists.debian.org>.</p>
|
