The eleventh update of Debian GNU/Linux 10 is now available. This point release mainly adds corrections for security issues, along with a few important corrections for serious problems.

Updated Debian 10: 10.11 released

------------------------------------------------------------------------
The Debian Project https://www.debian.org/
Updated Debian 10: 10.11 released press@debian.org
October 9th, 2021 https://www.debian.org/News/2021/2021100902
------------------------------------------------------------------------

The Debian project is pleased to announce the eleventh update of its
oldstable distribution Debian 10 (codename "buster"). This point release
mainly adds corrections for security issues, along with a few
adjustments for serious problems. Security advisories have already been
published separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 10 but only updates some of the packages included. There is no
need to throw away old "buster" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list


Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following
packages:

atftp [1]: Fix buffer overflow [CVE-2021-41054]
base-files [2]: Update for the 10.11 point release
btrbk [3]: Fix arbitrary code execution issue [CVE-2021-38173]
clamav [4]: New upstream stable release; fix clamdscan segfaults when
    --fdpass and --multipass are used together with ExcludePath
commons-io [5]: Fix path traversal issue [CVE-2021-29425]
cyrus-imapd [6]: Fix denial-of-service issue [CVE-2021-33582]
debconf [7]: Check that whiptail or dialog is actually usable
debian-installer [8]: Rebuild against buster-proposed-updates; update
    Linux ABI to 4.19.0-18
debian-installer-netboot-images [9]: Rebuild against
    buster-proposed-updates
distcc [10]: Fix GCC cross-compiler links in update-distcc-symlinks and
    add support for clang and CUDA (nvcc)
distro-info-data [11]: Update included data for several releases
dwarf-fortress [12]: Remove undistributable prebuilt shared libraries
    from the source tarball
espeak-ng [13]: Fix using espeak with mbrola-fr4 when mbrola-fr1 is not
    installed
gcc-mingw-w64 [14]: Fix gcov handling
gthumb [15]: Fix heap-based buffer overflow issue [CVE-2019-20326]
hg-git [16]: Fix test failures with recent git versions
htslib [17]: Fix autopkgtest on i386
http-parser [18]: Fix HTTP request smuggling issue [CVE-2019-15605]
irssi [19]: Fix use after free issue when sending SASL login to the
    server [CVE-2019-13045]
java-atk-wrapper [20]: Also use dbus to detect accessibility being
    enabled
krb5 [21]: Fix KDC null dereference crash on FAST request with no server
    field [CVE-2021-37750]; fix memory leak in krb5_gss_inquire_cred
libdatetime-timezone-perl [22]: New upstream stable release; update DST
    rules for Samoa and Jordan; confirmation of no leap second on
    2021-12-31
libpam-tacplus [23]: Prevent shared secrets from being added in
    plaintext to the system log [CVE-2020-13881]
linux [24]: "proc: Track /proc/$pid/attr/ opener mm_struct", fixing
    issues with lxc-attach; new upstream stable release; increase ABI
    version to 18; [rt] Update to 4.19.207-rt88; usb: hso: fix error
    handling code of hso_create_net_device [CVE-2021-37159]
linux-latest [25]: Update to 4.19.0-18 kernel ABI
linux-signed-amd64 [26]: "proc: Track /proc/$pid/attr/ opener
    mm_struct", fixing issues with lxc-attach; new upstream stable
    release; increase ABI version to 18; [rt] Update to 4.19.207-rt88;
    usb: hso: fix error handling code of hso_create_net_device
    [CVE-2021-37159]
linux-signed-arm64 [27]: "proc: Track /proc/$pid/attr/ opener
    mm_struct", fixing issues with lxc-attach; new upstream stable
    release; increase ABI version to 18; [rt] Update to 4.19.207-rt88;
    usb: hso: fix error handling code of hso_create_net_device
    [CVE-2021-37159]
linux-signed-i386 [28]: "proc: Track /proc/$pid/attr/ opener
    mm_struct", fixing issues with lxc-attach; new upstream stable
    release; increase ABI version to 18; [rt] Update to 4.19.207-rt88;
    usb: hso: fix error handling code of hso_create_net_device
    [CVE-2021-37159]
mariadb-10.3 [29]: New upstream stable release; security fixes
    [CVE-2021-2389 CVE-2021-2372]; fix Perl executable path in scripts
modsecurity-crs [30]: Fix request body bypass issue [CVE-2021-35368]
node-ansi-regex [31]: Fix regular expression-based denial of service
    issue [CVE-2021-3807]
node-axios [32]: Fix regular expression-based denial of service issue
    [CVE-2021-3749]
node-jszip [33]: Use a null prototype object for this.files
    [CVE-2021-23413]
node-tar [34]: Remove non-directory paths from the directory cache
    [CVE-2021-32803]; strip absolute paths more comprehensively
    [CVE-2021-32804]
nvidia-cuda-toolkit [35]: Fix setting of NVVMIR_LIBRARY_DIR on ppc64el
nvidia-graphics-drivers [36]: New upstream stable release; fix denial
    of service issues [CVE-2021-1093 CVE-2021-1094 CVE-2021-1095];
    nvidia-driver-libs: Add Recommends: libnvidia-encode1
nvidia-graphics-drivers-legacy-390xx [37]: New upstream stable release;
    fix denial of service issues [CVE-2021-1093 CVE-2021-1094
    CVE-2021-1095]; nvidia-legacy-390xx-driver-libs: Add Recommends:
    libnvidia-legacy-390xx-encode1
postgresql-11 [38]: New upstream stable release; fix mis-planning of
    repeated application of a projection step [CVE-2021-3677]; disallow
    SSL renegotiation more completely
proftpd-dfsg [39]: Fix "mod_radius leaks memory contents to radius
    server", "cannot disable client-initiated renegotiation for FTPS",
    navigation into symlinked directories, mod_sftp crash when using
    pubkey-auth with DSA keys
psmisc [40]: Fix regression in killall not matching processes with
    names longer than 15 characters
python-uflash [41]: Update firmware URL
request-tracker4 [42]: Fix login timing side-channel attack issue
    [CVE-2021-38562]
ring [43]: Fix denial of service issue in the embedded copy of pjproject
    [CVE-2021-21375]
sabnzbdplus [44]: Prevent directory escape in renamer function
    [CVE-2021-29488]
shim [45]: Add arm64 patch to tweak section layout and stop crashing
    problems; in insecure mode, don't abort if we can't create the
    MokListXRT variable; don't abort on grub installation failures;
    warn instead
shim-helpers-amd64-signed [46]: Add arm64 patch to tweak section layout
    and stop crashing problems; in insecure mode, don't abort if we
    can't create the MokListXRT variable; don't abort on grub
    installation failures; warn instead
shim-helpers-arm64-signed [47]: Add arm64 patch to tweak section layout
    and stop crashing problems; in insecure mode, don't abort if we
    can't create the MokListXRT variable; don't abort on grub
    installation failures; warn instead
shim-helpers-i386-signed [48]: Add arm64 patch to tweak section layout
    and stop crashing problems; in insecure mode, don't abort if we
    can't create the MokListXRT variable; don't abort on grub
    installation failures; warn instead
shim-signed [49]: Work around boot-breaking issues on arm64 by including
    an older known working version of unsigned shim on that platform;
    switch arm64 back to using a current unsigned build; add arm64
    patch to tweak section layout and stop crashing problems; in
    insecure mode, don't abort if we can't create the MokListXRT
    variable; don't abort on grub installation failures; warn instead
shiro [50]: Fix authentication bypass issues [CVE-2020-1957
    CVE-2020-11989 CVE-2020-13933 CVE-2020-17510]; update Spring
    Framework compatibility patch; support Guice 4
tzdata [51]: Update DST rules for Samoa and Jordan; confirm the absence
    of a leap second on 2021-12-31
ublock-origin [52]: New upstream stable release; fix denial of service
    issue [CVE-2021-36773]
ulfius [53]: Ensure memory is initialised before use [CVE-2021-40540]
xmlgraphics-commons [54]: Fix Server-Side Request Forgery issue
    [CVE-2020-11988]
yubikey-manager [55]: Add missing dependency on python3-pkg-resources to
    yubikey-manager

1: https://packages.debian.org/src:atftp
2: https://packages.debian.org/src:base-files
3: https://packages.debian.org/src:btrbk
4: https://packages.debian.org/src:clamav
5: https://packages.debian.org/src:commons-io
6: https://packages.debian.org/src:cyrus-imapd
7: https://packages.debian.org/src:debconf
8: https://packages.debian.org/src:debian-installer
9: https://packages.debian.org/src:debian-installer-netboot-images
10: https://packages.debian.org/src:distcc
11: https://packages.debian.org/src:distro-info-data
12: https://packages.debian.org/src:dwarf-fortress
13: https://packages.debian.org/src:espeak-ng
14: https://packages.debian.org/src:gcc-mingw-w64
15: https://packages.debian.org/src:gthumb
16: https://packages.debian.org/src:hg-git
17: https://packages.debian.org/src:htslib
18: https://packages.debian.org/src:http-parser
19: https://packages.debian.org/src:irssi
20: https://packages.debian.org/src:java-atk-wrapper
21: https://packages.debian.org/src:krb5
22: https://packages.debian.org/src:libdatetime-timezone-perl
23: https://packages.debian.org/src:libpam-tacplus
24: https://packages.debian.org/src:linux
25: https://packages.debian.org/src:linux-latest
26: https://packages.debian.org/src:linux-signed-amd64
27: https://packages.debian.org/src:linux-signed-arm64
28: https://packages.debian.org/src:linux-signed-i386
29: https://packages.debian.org/src:mariadb-10.3
30: https://packages.debian.org/src:modsecurity-crs
31: https://packages.debian.org/src:node-ansi-regex
32: https://packages.debian.org/src:node-axios
33: https://packages.debian.org/src:node-jszip
34: https://packages.debian.org/src:node-tar
35: https://packages.debian.org/src:nvidia-cuda-toolkit
36: https://packages.debian.org/src:nvidia-graphics-drivers
37: https://packages.debian.org/src:nvidia-graphics-drivers-legacy-390xx
38: https://packages.debian.org/src:postgresql-11
39: https://packages.debian.org/src:proftpd-dfsg
40: https://packages.debian.org/src:psmisc
41: https://packages.debian.org/src:python-uflash
42: https://packages.debian.org/src:request-tracker4
43: https://packages.debian.org/src:ring
44: https://packages.debian.org/src:sabnzbdplus
45: https://packages.debian.org/src:shim
46: https://packages.debian.org/src:shim-helpers-amd64-signed
47: https://packages.debian.org/src:shim-helpers-arm64-signed
48: https://packages.debian.org/src:shim-helpers-i386-signed
49: https://packages.debian.org/src:shim-signed
50: https://packages.debian.org/src:shiro
51: https://packages.debian.org/src:tzdata
52: https://packages.debian.org/src:ublock-origin
53: https://packages.debian.org/src:ulfius
54: https://packages.debian.org/src:xmlgraphics-commons
55: https://packages.debian.org/src:yubikey-manager

Security Updates
----------------

This revision adds the following security updates to the oldstable
release. The Security Team has already released an advisory for each of
these updates:

DSA-4842 [56]: thunderbird [57]
DSA-4866 [58]: thunderbird [59]
DSA-4876 [60]: thunderbird [61]
DSA-4897 [62]: thunderbird [63]
DSA-4927 [64]: thunderbird [65]
DSA-4931 [66]: xen [67]
DSA-4932 [68]: tor [69]
DSA-4933 [70]: nettle [71]
DSA-4934 [72]: intel-microcode [73]
DSA-4935 [74]: php7.3 [75]
DSA-4936 [76]: libuv1 [77]
DSA-4937 [78]: apache2 [79]
DSA-4938 [80]: linuxptp [81]
DSA-4939 [82]: firefox-esr [83]
DSA-4940 [84]: thunderbird [85]
DSA-4941 [86]: linux-signed-amd64 [87]
DSA-4941 [88]: linux-signed-arm64 [89]
DSA-4941 [90]: linux-signed-i386 [91]
DSA-4941 [92]: linux [93]
DSA-4942 [94]: systemd [95]
DSA-4943 [96]: lemonldap-ng [97]
DSA-4944 [98]: krb5 [99]
DSA-4945 [100]: webkit2gtk [101]
DSA-4946 [102]: openjdk-11-jre-dcevm [103]
DSA-4946 [104]: openjdk-11 [105]
DSA-4947 [106]: libsndfile [107]
DSA-4948 [108]: aspell [109]
DSA-4949 [110]: jetty9 [111]
DSA-4950 [112]: ansible [113]
DSA-4951 [114]: bluez [115]
DSA-4952 [116]: tomcat9 [117]
DSA-4953 [118]: lynx [119]
DSA-4954 [120]: c-ares [121]
DSA-4955 [122]: libspf2 [123]
DSA-4956 [124]: firefox-esr [125]
DSA-4957 [126]: trafficserver [127]
DSA-4958 [128]: exiv2 [129]
DSA-4959 [130]: thunderbird [131]
DSA-4961 [132]: tor [133]
DSA-4962 [134]: ledgersmb [135]
DSA-4963 [136]: openssl [137]
DSA-4964 [138]: grilo [139]
DSA-4967 [140]: squashfs-tools [141]
DSA-4969 [142]: firefox-esr [143]
DSA-4970 [144]: postorius [145]
DSA-4971 [146]: ntfs-3g [147]
DSA-4973 [148]: thunderbird [149]
DSA-4974 [150]: nextcloud-desktop [151]
DSA-4975 [152]: webkit2gtk [153]
DSA-4979 [154]: mediawiki [155]

56: https://www.debian.org/security/2021/dsa-4842
57: https://packages.debian.org/src:thunderbird
58: https://www.debian.org/security/2021/dsa-4866
59: https://packages.debian.org/src:thunderbird
60: https://www.debian.org/security/2021/dsa-4876
61: https://packages.debian.org/src:thunderbird
62: https://www.debian.org/security/2021/dsa-4897
63: https://packages.debian.org/src:thunderbird
64: https://www.debian.org/security/2021/dsa-4927
65: https://packages.debian.org/src:thunderbird
66: https://www.debian.org/security/2021/dsa-4931
67: https://packages.debian.org/src:xen
68: https://www.debian.org/security/2021/dsa-4932
69: https://packages.debian.org/src:tor
70: https://www.debian.org/security/2021/dsa-4933
71: https://packages.debian.org/src:nettle
72: https://www.debian.org/security/2021/dsa-4934
73: https://packages.debian.org/src:intel-microcode
74: https://www.debian.org/security/2021/dsa-4935
75: https://packages.debian.org/src:php7.3
76: https://www.debian.org/security/2021/dsa-4936
77: https://packages.debian.org/src:libuv1
78: https://www.debian.org/security/2021/dsa-4937
79: https://packages.debian.org/src:apache2
80: https://www.debian.org/security/2021/dsa-4938
81: https://packages.debian.org/src:linuxptp
82: https://www.debian.org/security/2021/dsa-4939
83: https://packages.debian.org/src:firefox-esr
84: https://www.debian.org/security/2021/dsa-4940
85: https://packages.debian.org/src:thunderbird
86: https://www.debian.org/security/2021/dsa-4941
87: https://packages.debian.org/src:linux-signed-amd64
88: https://www.debian.org/security/2021/dsa-4941
89: https://packages.debian.org/src:linux-signed-arm64
90: https://www.debian.org/security/2021/dsa-4941
91: https://packages.debian.org/src:linux-signed-i386
92: https://www.debian.org/security/2021/dsa-4941
93: https://packages.debian.org/src:linux
94: https://www.debian.org/security/2021/dsa-4942
95: https://packages.debian.org/src:systemd
96: https://www.debian.org/security/2021/dsa-4943
97: https://packages.debian.org/src:lemonldap-ng
98: https://www.debian.org/security/2021/dsa-4944
99: https://packages.debian.org/src:krb5
100: https://www.debian.org/security/2021/dsa-4945
101: https://packages.debian.org/src:webkit2gtk
102: https://www.debian.org/security/2021/dsa-4946
103: https://packages.debian.org/src:openjdk-11-jre-dcevm
104: https://www.debian.org/security/2021/dsa-4946
105: https://packages.debian.org/src:openjdk-11
106: https://www.debian.org/security/2021/dsa-4947
107: https://packages.debian.org/src:libsndfile
108: https://www.debian.org/security/2021/dsa-4948
109: https://packages.debian.org/src:aspell
110: https://www.debian.org/security/2021/dsa-4949
111: https://packages.debian.org/src:jetty9
112: https://www.debian.org/security/2021/dsa-4950
113: https://packages.debian.org/src:ansible
114: https://www.debian.org/security/2021/dsa-4951
115: https://packages.debian.org/src:bluez
116: https://www.debian.org/security/2021/dsa-4952
117: https://packages.debian.org/src:tomcat9
118: https://www.debian.org/security/2021/dsa-4953
119: https://packages.debian.org/src:lynx
120: https://www.debian.org/security/2021/dsa-4954
121: https://packages.debian.org/src:c-ares
122: https://www.debian.org/security/2021/dsa-4955
123: https://packages.debian.org/src:libspf2
124: https://www.debian.org/security/2021/dsa-4956
125: https://packages.debian.org/src:firefox-esr
126: https://www.debian.org/security/2021/dsa-4957
127: https://packages.debian.org/src:trafficserver
128: https://www.debian.org/security/2021/dsa-4958
129: https://packages.debian.org/src:exiv2
130: https://www.debian.org/security/2021/dsa-4959
131: https://packages.debian.org/src:thunderbird
132: https://www.debian.org/security/2021/dsa-4961
133: https://packages.debian.org/src:tor
134: https://www.debian.org/security/2021/dsa-4962
135: https://packages.debian.org/src:ledgersmb
136: https://www.debian.org/security/2021/dsa-4963
137: https://packages.debian.org/src:openssl
138: https://www.debian.org/security/2021/dsa-4964
139: https://packages.debian.org/src:grilo
140: https://www.debian.org/security/2021/dsa-4967
141: https://packages.debian.org/src:squashfs-tools
142: https://www.debian.org/security/2021/dsa-4969
143: https://packages.debian.org/src:firefox-esr
144: https://www.debian.org/security/2021/dsa-4970
145: https://packages.debian.org/src:postorius
146: https://www.debian.org/security/2021/dsa-4971
147: https://packages.debian.org/src:ntfs-3g
148: https://www.debian.org/security/2021/dsa-4973
149: https://packages.debian.org/src:thunderbird
150: https://www.debian.org/security/2021/dsa-4974
151: https://packages.debian.org/src:nextcloud-desktop
152: https://www.debian.org/security/2021/dsa-4975
153: https://packages.debian.org/src:webkit2gtk
154: https://www.debian.org/security/2021/dsa-4979
155: https://packages.debian.org/src:mediawiki

Removed packages
----------------

The following packages were removed due to circumstances beyond our
control:

birdtray [156]: Incompatible with newer Thunderbird versions
libprotocol-acme-perl [157]: Only supports obsolete ACME version 1

156: https://packages.debian.org/src:birdtray
157: https://packages.debian.org/src:libprotocol-acme-perl

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
oldstable by the point release.

URLs
----

The complete lists of packages that have changed with this revision:

https://deb.debian.org/debian/dists/buster/ChangeLog

The current oldstable distribution:

https://deb.debian.org/debian/dists/oldstable/

Proposed updates to the oldstable distribution:

https://deb.debian.org/debian/dists/oldstable-proposed-updates

oldstable distribution information (release notes, errata etc.):

https://www.debian.org/releases/oldstable/

Security announcements and information:

https://www.debian.org/security/


About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.

Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to , or contact the
stable release team at .
