Updated Debian 10: 10.12 released
The Debian project is pleased to announce the twelfth update of its oldstable distribution Debian 10 (codename buster). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 10 but only updates some of the packages included. There is no need to throw away old buster media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
OpenSSL signature algorithm check tightening
The OpenSSL update provided in this point release includes a change to ensure that the requested signature algorithm is supported by the active security level.
Although this will not affect most use-cases, it could lead to error messages being generated if a non-supported algorithm is requested - for example, use of RSA+SHA1 signatures with the default security level of 2.
In such cases, the security level will need to be explicitly lowered, either for individual requests or more globally. This may require changes to the configuration of applications. For OpenSSL itself, per-request lowering can be achieved using a command-line option such as:
-cipher ALL:@SECLEVEL=1
with the relevant system-level configuration being found in /etc/ssl/openssl.cnf
Miscellaneous Bugfixes
This oldstable update adds a few important corrections to the following packages:
Package Reason apache-log4j1.2 Resolve security issues [CVE-2021-4104 CVE-2022-23302 CVE-2022-23305 CVE-2022-23307], by removing support for the JMSSink, JDBCAppender, JMSAppender and Apache Chainsaw modules apache-log4j2 Fix remote code execution issue [CVE-2021-44832] atftp Fix information leak issue [CVE-2021-46671] base-files Update for the 10.12 point release beads Rebuild against updated cimg to fix multiple heap buffer overflows [CVE-2020-25693] btrbk Fix regression in the update for CVE-2021-38173 cargo-mozilla New package, backported from Debian 11, to help build new rust versions chrony Allow reading the chronyd configuration file that timemaster(8) generates cimg Fix heap buffer overflow issues [CVE-2020-25693] clamav New upstream stable release; fix denial of service issue [CVE-2022-20698] cups Fix an input validation issue might allow a malicious application to read restricted memory [CVE-2020-10001] debian-installer Rebuild against oldstable-proposed-updates; update kernel ABI to -20 debian-installer-netboot-images Rebuild against oldstable-proposed-updates detox Fix processing of large files on ARM architectures evolution-data-server Fix crash on malformed server reponse [CVE-2020-16117] flac Fix out of bounds read issue [CVE-2020-0499] gerbv Fix code execution issue [CVE-2021-40391] glibc Import several fixes from upstream's stable branch; simplify the check for supported kernel versions, as 2.x kernels are no longer supported; support installation on kernels with a release number greater than 255 gmp Fix integer and buffer overflow issue [CVE-2021-43618] graphicsmagick Fix buffer overflow issue [CVE-2020-12672] htmldoc Fix out-of-bounds read issue [CVE-2022-0534], buffer overflow issues [CVE-2021-43579 CVE-2021-40985] http-parser Resolve inadvertent ABI break icu Fix pkgdata utility intel-microcode Update included microcode; mitigate some security issues [CVE-2020-8694 CVE-2020-8695 CVE-2021-0127 CVE-2021-0145 CVE-2021-0146 CVE-2021-33120] jbig2dec Fix buffer overflow issue [CVE-2020-12268] jtharness New upstream version to support builds of newer OpenJDK-11 versions jtreg New upstream version to support builds of newer OpenJDK-11 versions lemonldap-ng Fix auth process in password-testing plugins [CVE-2021-20874]; add recommends on gsfonts, fixing captcha leptonlib Fix denial of service issue [CVE-2020-36277], buffer over-read issues [CVE-2020-36278 CVE-2020-36279 CVE-2020-36280 CVE-2020-36281] libdatetime-timezone-perl Update included data libencode-perl Fix a memory leak in Encode.xs libetpan Fix STARTTLS response injection issue [CVE-2020-15953] libextractor Fix invalid read issue [CVE-2019-15531] libjackson-json-java Fix code execution issues [CVE-2017-15095 CVE-2017-7525], XML external entity issues [CVE-2019-10172] libmodbus Fix out of bound read issues [CVE-2019-14462 CVE-2019-14463] libpcap Check PHB header length before using it to allocate memory [CVE-2019-15165] libsdl1.2 Properly handle input focus events; fix buffer overflow issues [CVE-2019-13616 CVE-2019-7637], buffer over-read issues [CVE-2019-7572 CVE-2019-7573 CVE-2019-7574 CVE-2019-7575 CVE-2019-7576 CVE-2019-7577 CVE-2019-7578 CVE-2019-7635 CVE-2019-7636 CVE-2019-7638] libxml2 Fix use-after-free issue [CVE-2022-23308] linux New upstream stable release; [rt] Update to 4.19.233-rt105; increase ABI to 20 linux-latest Update to 4.19.0-20 ABI linux-signed-amd64 New upstream stable release; [rt] Update to 4.19.233-rt105; increase ABI to 20 linux-signed-arm64 New upstream stable release; [rt] Update to 4.19.233-rt105; increase ABI to 20 linux-signed-i386 New upstream stable release; [rt] Update to 4.19.233-rt105; increase ABI to 20 llvm-toolchain-11 New package, backported from Debian 11, to help build new rust versions lxcfs Fix misreporting of swap usage mailman Fix cross-site scripting issue [CVE-2021-43331]; fix a list moderator can crack the list admin password encrypted in a CSRF token [CVE-2021-43332]; fix potential CSRF attack against a list admin from a list member or moderator [CVE-2021-44227]; fix regressions in fixes for CVE-2021-42097 and CVE-2021-44227 mariadb-10.3 New upstream stable release; security fixes [CVE-2021-35604 CVE-2021-46659 CVE-2021-46661 CVE-2021-46662 CVE-2021-46663 CVE-2021-46664 CVE-2021-46665 CVE-2021-46667 CVE-2021-46668 CVE-2022-24048 CVE-2022-24050 CVE-2022-24051 CVE-2022-24052] node-getobject Fix prototype pollution issue [CVE-2020-28282] opensc Fix out-of-bounds access issues [CVE-2019-15945 CVE-2019-15946], crash due to read of unknown memory [CVE-2019-19479], double free issue [CVE-2019-20792], buffer overflow issues [CVE-2020-26570 CVE-2020-26571 CVE-2020-26572] openscad Fix buffer overflows in STL parser [CVE-2020-28599 CVE-2020-28600] openssl New upstream release php-illuminate-database Fix query binding issue [CVE-2021-21263], SQL injection issue when used with Microsoft SQL Server phpliteadmin Fix cross-site scripting issue [CVE-2021-46709] plib Fix integer overflow issue [CVE-2021-38714] privoxy Fix memory leak [CVE-2021-44540] and cross-site scripting issue [CVE-2021-44543] publicsuffix Update included data python-virtualenv Avoid attempting to install pkg_resources from PyPI raptor2 Fix out of bounds array access issue [CVE-2020-25713] ros-ros-comm Fix denial of service issue [CVE-2021-37146] rsyslog Fix heap overflow issues [CVE-2019-17041 CVE-2019-17042] ruby-httpclient Use system certificate store rust-cbindgen New upstream stable release to support builds of newer firefox-esr and thunderbird versions rustc-mozilla New source package to support building of newer firefox-esr and thunderbird versions s390-dasd Stop passing deprecated -f option to dasdfmt spip Fix cross-site scripting issue tzdata Update data for Fiji and Palestine vim Fix ability to execute code while in restricted mode [CVE-2019-20807], buffer overflow issues [CVE-2021-3770 CVE-2021-3778 CVE-2021-3875], use after free issue [CVE-2021-3796]; remove accidentally included patch wavpack Fix use of uninitialized values [CVE-2019-1010317 CVE-2019-1010319] weechat Fix several denial of service issues [CVE-2020-8955 CVE-2020-9759 CVE-2020-9760 CVE-2021-40516] wireshark Fix several security issues in dissectors [CVE-2021-22207 CVE-2021-22235 CVE-2021-39921 CVE-2021-39922 CVE-2021-39923 CVE-2021-39924 CVE-2021-39928 CVE-2021-39929] xterm Fix buffer overflow issue [CVE-2022-24130] zziplib Fix denial of service issue [CVE-2020-18442] Security Updates
This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package Reason angular-maven-plugin No longer useful minify-maven-plugin No longer useful Debian Installer
The installer has been updated to include the fixes incorporated into oldstable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current oldstable distribution:
Proposed updates to the oldstable distribution:
oldstable distribution information (release notes, errata etc.):
Security announcements and information:
The twelfth update of Debian 10 is now available.
