
The Debian project has announced the second update of its stable distribution Debian 10. This update comes with 66 bug fixes and 98 security updates.



------------------------------------------------------------------------
The Debian Project https://www.debian.org/
Updated Debian 10: 10.2 released press@debian.org
November 16th, 2019 https://www.debian.org/News/2019/20191116
------------------------------------------------------------------------

The Debian project is pleased to announce the second update of its stable distribution Debian 10 (codename "buster"). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 10 but only updates some of the packages included. There is no need to throw away old "buster" media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following packages:

+---------------------------+-----------------------------------------+
| Package | Reason |
+---------------------------+-----------------------------------------+
| aegisub [1] | Fix crash when selecting a language from the bottom of the "Spell checker language" list; fix crash when right-clicking in the subtitles text box |
| akonadi [2] | Fix various crashes / deadlock issues |
| base-files [3] | Update /etc/debian_version for the point release |
| capistrano [4] | Fix failure to remove old releases when there were too many |
| cron [5] | Stop using obsolete SELinux API |
| cyrus-imapd [6] | Fix data loss on upgrade from version 3.0.0 or earlier |
| debian-edu-config [7] | Handle newer Firefox ESR configuration files; add post-up stanza to /etc/network/interfaces eth0 entry conditionally |
| debian-installer [8] | Fix unreadable fonts on hidpi displays in netboot images booted with EFI |
| debian-installer-netboot-images [9] | Rebuild against proposed-updates |
| distro-info-data [10] | Add Ubuntu 20.04 LTS, Focal Fossa |
| dkimpy-milter [11] | New upstream stable release; fix sysvinit support; catch more ASCII encoding errors to improve resilience against bad data; fix message extraction so that signing in the same pass through the milter as verifying works correctly |
| emacs [12] | Update the ELPA packaging key |
| fence-agents [13] | Fix incomplete removal of fence_amt_ws |
| flatpak [14] | New upstream stable release |
| flightcrew [15] | Security fixes [CVE-2019-13032 CVE-2019-13241] |
| fonts-noto-cjk [16] | Fix over-aggressive font selection of Noto CJK fonts in modern web browsers under Chinese locale |
| freetype [17] | Properly handle phantom points for variable hinted fonts |
| gdb [18] | Rebuild against new libbabeltrace, with higher version number to avoid conflict with earlier upload |
| glib2.0 [19] | Ensure libdbus clients can authenticate with a GDBusServer like the one in ibus |
| gnome-shell [20] | New upstream stable release; fix truncation of long messages in Shell-modal dialogs; avoid crash on reallocation of dead actors |
| gnome-sound-recorder [21] | Fix crash when selecting a recording |
| gnustep-base [22] | Disable gdomap daemon that was accidentally enabled on upgrades from stretch |
| graphite-web [23] | Remove unused "send_email" function [CVE-2017-18638]; avoid hourly error in cron when there is no whisper database |
| inn2 [24] | Fix negotiation of DHE ciphersuites |
| libapache-mod-auth-kerb [25] | Fix use after free bug leading to crash |
| libdate-holidays-de-perl [26] | |
| libdatetime-timezone-perl [27] | |
| libofx [28] | Fix null pointer dereference issue [CVE-2019-9656] |
| libreoffice [29] | Fix the postgresql driver with PostgreSQL 12 |
| libsixel [30] | Fix several security issues [CVE-2018-19756 CVE-2018-19757 CVE-2018-19759 CVE-2018-19761 CVE-2018-19762 CVE-2018-19763 CVE-2019-3573 CVE-2019-3574] |
| libxslt [31] | Fix dangling pointer in xsltCopyText [CVE-2019-18197] |
| lucene-solr [32] | Disable obsolete call to ContextHandler in solr-jetty9.xml; fix Jetty permissions on SOLR index |
| mariadb-10.3 [33] | New upstream stable release |
| modsecurity-crs [34] | Fix PHP script upload rules [CVE-2019-13464] |
| mutter [35] | New upstream stable release |
| ncurses [36] | Fix several security issues [CVE-2019-17594 CVE-2019-17595] and other issues in tic |
| ndppd [37] | Avoid world writable PID file, that was breaking daemon init scripts |
| network-manager [38] | Fix file permissions for "/var/lib/NetworkManager/secret_key" and /var/lib/NetworkManager |
| node-fstream [39] | Fix arbitrary file overwrite issue [CVE-2019-13173] |
| node-set-value [40] | Fix prototype pollution [CVE-2019-10747] |
| node-yarnpkg [41] | Force using HTTPS for regular registries |
| nx-libs [42] | Fix regressions introduced in previous upload, affecting x2go |
| open-vm-tools [43] | Fix memory leaks and error handling |
| openvswitch [44] | Update debian/ifupdown.sh to allow setting-up the MTU; fix Python dependencies to use Python 3 |
| picard [45] | Update translations to fix crash with Spanish locale |
| plasma-applet-redshift-control [46] | Fix manual mode when used with redshift versions above 1.12 |
| postfix [47] | New upstream stable release; work around poor TCP loopback performance |
| python-cryptography [48] | Fix test suite failures when built against newer OpenSSL versions; fix a memory leak triggerable when parsing x509 certificate extensions like AIA |
| python-flask-rdf [49] | Add Depends on python{3,}-rdflib |
| python-oslo.messaging [50] | New upstream stable release; fix switch connection destination when a rabbitmq cluster node disappears |
| python-werkzeug [51] | Ensure Docker containers have unique debugger PINs [CVE-2019-14806] |
| python2.7 [52] | Fix several security issues [CVE-2018-20852 CVE-2019-10160 CVE-2019-16056 CVE-2019-16935 CVE-2019-9740 CVE-2019-9947] |
| quota [53] | Fix rpc.rquotad spinning at 100% CPU |
| rpcbind [54] | Allow remote calls to be enabled at run-time |
| shelldap [55] | Repair SASL authentications, add a 'sasluser' option |
| sogo [56] | Fix display of PGP-signed e-mails |
| spf-engine [57] | New upstream stable release; fix sysvinit support |
| standardskriver [58] | Fix deprecation warning from config.RawConfigParser; use external "ip" command rather than deprecated "ifconfig" command |
| swi-prolog [59] | Use HTTPS when contacting upstream pack servers |
| systemd [60] | core: never propagate reload failure to service result; fix sync_file_range failures in nspawn containers on arm, ppc; fix RootDirectory not working when used in combination with User; ensure that access controls on systemd-resolved's D-Bus interface are enforced correctly [CVE-2019-15718]; fix StopWhenUnneeded=true for mount units; make MountFlags=shared work again |
| tmpreaper [61] | Prevent breaking of systemd services that use PrivateTmp=true |
| trapperkeeper-webserver-jetty9-clojure [62] | Restore SSL compatibility with newer Jetty versions |
| tzdata [63] | New upstream release |
| ublock-origin [64] | New upstream version, compatible with Firefox ESR68 |
| uim [65] | Resurrect libuim-data as a transitional package, fixing some issues after upgrades to buster |
| vanguards [66] | New upstream stable release; prevent a reload of tor's configuration via SIGHUP causing a denial-of-service for vanguards protections |
+---------------------------+-----------------------------------------+

1: https://packages.debian.org/src:aegisub
2: https://packages.debian.org/src:akonadi
3: https://packages.debian.org/src:base-files
4: https://packages.debian.org/src:capistrano
5: https://packages.debian.org/src:cron
6: https://packages.debian.org/src:cyrus-imapd
7: https://packages.debian.org/src:debian-edu-config
8: https://packages.debian.org/src:debian-installer
9: https://packages.debian.org/src:debian-installer-netboot-images
10: https://packages.debian.org/src:distro-info-data
11: https://packages.debian.org/src:dkimpy-milter
12: https://packages.debian.org/src:emacs
13: https://packages.debian.org/src:fence-agents
14: https://packages.debian.org/src:flatpak
15: https://packages.debian.org/src:flightcrew
16: https://packages.debian.org/src:fonts-noto-cjk
17: https://packages.debian.org/src:freetype
18: https://packages.debian.org/src:gdb
19: https://packages.debian.org/src:glib2.0
20: https://packages.debian.org/src:gnome-shell
21: https://packages.debian.org/src:gnome-sound-recorder
22: https://packages.debian.org/src:gnustep-base
23: https://packages.debian.org/src:graphite-web
24: https://packages.debian.org/src:inn2
25: https://packages.debian.org/src:libapache-mod-auth-kerb
26: https://packages.debian.org/src:libdate-holidays-de-perl
27: https://packages.debian.org/src:libdatetime-timezone-perl
28: https://packages.debian.org/src:libofx
29: https://packages.debian.org/src:libreoffice
30: https://packages.debian.org/src:libsixel
31: https://packages.debian.org/src:libxslt
32: https://packages.debian.org/src:lucene-solr
33: https://packages.debian.org/src:mariadb-10.3
34: https://packages.debian.org/src:modsecurity-crs
35: https://packages.debian.org/src:mutter
36: https://packages.debian.org/src:ncurses
37: https://packages.debian.org/src:ndppd
38: https://packages.debian.org/src:network-manager
39: https://packages.debian.org/src:node-fstream
40: https://packages.debian.org/src:node-set-value
41: https://packages.debian.org/src:node-yarnpkg
42: https://packages.debian.org/src:nx-libs
43: https://packages.debian.org/src:open-vm-tools
44: https://packages.debian.org/src:openvswitch
45: https://packages.debian.org/src:picard
46: https://packages.debian.org/src:plasma-applet-redshift-control
47: https://packages.debian.org/src:postfix
48: https://packages.debian.org/src:python-cryptography
49: https://packages.debian.org/src:python-flask-rdf
50: https://packages.debian.org/src:python-oslo.messaging
51: https://packages.debian.org/src:python-werkzeug
52: https://packages.debian.org/src:python2.7
53: https://packages.debian.org/src:quota
54: https://packages.debian.org/src:rpcbind
55: https://packages.debian.org/src:shelldap
56: https://packages.debian.org/src:sogo
57: https://packages.debian.org/src:spf-engine
58: https://packages.debian.org/src:standardskriver
59: https://packages.debian.org/src:swi-prolog
60: https://packages.debian.org/src:systemd
61: https://packages.debian.org/src:tmpreaper
62: https://packages.debian.org/src:trapperkeeper-webserver-jetty9-clojure
63: https://packages.debian.org/src:tzdata
64: https://packages.debian.org/src:ublock-origin
65: https://packages.debian.org/src:uim
66: https://packages.debian.org/src:vanguards

Security Updates
----------------

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

+----------------+-----------------------------+
| Advisory ID | Package |
+----------------+-----------------------------+
| DSA-4509 [67] | apache2 [68] |
| | |
| DSA-4511 [69] | nghttp2 [70] |
| | |
| DSA-4512 [71] | qemu [72] |
| | |
| DSA-4514 [73] | varnish [74] |
| | |
| DSA-4515 [75] | webkit2gtk [76] |
| | |
| DSA-4516 [77] | firefox-esr [78] |
| | |
| DSA-4517 [79] | exim4 [80] |
| | |
| DSA-4518 [81] | ghostscript [82] |
| | |
| DSA-4519 [83] | libreoffice [84] |
| | |
| DSA-4520 [85] | trafficserver [86] |
| | |
| DSA-4521 [87] | docker.io [88] |
| | |
| DSA-4523 [89] | thunderbird [90] |
| | |
| DSA-4524 [91] | dino-im [92] |
| | |
| DSA-4525 [93] | ibus [94] |
| | |
| DSA-4526 [95] | opendmarc [96] |
| | |
| DSA-4527 [97] | php7.3 [98] |
| | |
| DSA-4528 [99] | bird [100] |
| | |
| DSA-4530 [101] | expat [102] |
| | |
| DSA-4531 [103] | linux-signed-amd64 [104] |
| | |
| DSA-4531 [105] | linux-signed-i386 [106] |
| | |
| DSA-4531 [107] | linux [108] |
| | |
| DSA-4531 [109] | linux-signed-arm64 [110] |
| | |
| DSA-4532 [111] | spip [112] |
| | |
| DSA-4533 [113] | lemonldap-ng [114] |
| | |
| DSA-4534 [115] | golang-1.11 [116] |
| | |
| DSA-4535 [117] | e2fsprogs [118] |
| | |
| DSA-4536 [119] | exim4 [120] |
| | |
| DSA-4538 [121] | wpa [122] |
| | |
| DSA-4539 [123] | openssl [124] |
| | |
| DSA-4539 [125] | openssh [126] |
| | |
| DSA-4541 [127] | libapreq2 [128] |
| | |
| DSA-4542 [129] | jackson-databind [130] |
| | |
| DSA-4543 [131] | sudo [132] |
| | |
| DSA-4544 [133] | unbound [134] |
| | |
| DSA-4545 [135] | mediawiki [136] |
| | |
| DSA-4547 [137] | tcpdump [138] |
| | |
| DSA-4549 [139] | firefox-esr [140] |
| | |
| DSA-4550 [141] | file [142] |
| | |
| DSA-4551 [143] | golang-1.11 [144] |
| | |
| DSA-4553 [145] | php7.3 [146] |
| | |
| DSA-4554 [147] | ruby-loofah [148] |
| | |
| DSA-4555 [149] | pam-python [150] |
| | |
| DSA-4556 [151] | qtbase-opensource-src [152] |
| | |
| DSA-4557 [153] | libarchive [154] |
| | |
| DSA-4558 [155] | webkit2gtk [156] |
| | |
| DSA-4559 [157] | proftpd-dfsg [158] |
| | |
| DSA-4560 [159] | simplesamlphp [160] |
| | |
| DSA-4561 [161] | fribidi [162] |
| | |
| DSA-4562 [163] | chromium [164] |
| | |
+----------------+-----------------------------+

67: https://www.debian.org/security/2019/dsa-4509
68: https://packages.debian.org/src:apache2
69: https://www.debian.org/security/2019/dsa-4511
70: https://packages.debian.org/src:nghttp2
71: https://www.debian.org/security/2019/dsa-4512
72: https://packages.debian.org/src:qemu
73: https://www.debian.org/security/2019/dsa-4514
74: https://packages.debian.org/src:varnish
75: https://www.debian.org/security/2019/dsa-4515
76: https://packages.debian.org/src:webkit2gtk
77: https://www.debian.org/security/2019/dsa-4516
78: https://packages.debian.org/src:firefox-esr
79: https://www.debian.org/security/2019/dsa-4517
80: https://packages.debian.org/src:exim4
81: https://www.debian.org/security/2019/dsa-4518
82: https://packages.debian.org/src:ghostscript
83: https://www.debian.org/security/2019/dsa-4519
84: https://packages.debian.org/src:libreoffice
85: https://www.debian.org/security/2019/dsa-4520
86: https://packages.debian.org/src:trafficserver
87: https://www.debian.org/security/2019/dsa-4521
88: https://packages.debian.org/src:docker.io
89: https://www.debian.org/security/2019/dsa-4523
90: https://packages.debian.org/src:thunderbird
91: https://www.debian.org/security/2019/dsa-4524
92: https://packages.debian.org/src:dino-im
93: https://www.debian.org/security/2019/dsa-4525
94: https://packages.debian.org/src:ibus
95: https://www.debian.org/security/2019/dsa-4526
96: https://packages.debian.org/src:opendmarc
97: https://www.debian.org/security/2019/dsa-4527
98: https://packages.debian.org/src:php7.3
99: https://www.debian.org/security/2019/dsa-4528
100: https://packages.debian.org/src:bird
101: https://www.debian.org/security/2019/dsa-4530
102: https://packages.debian.org/src:expat
103: https://www.debian.org/security/2019/dsa-4531
104: https://packages.debian.org/src:linux-signed-amd64
105: https://www.debian.org/security/2019/dsa-4531
106: https://packages.debian.org/src:linux-signed-i386
107: https://www.debian.org/security/2019/dsa-4531
108: https://packages.debian.org/src:linux
109: https://www.debian.org/security/2019/dsa-4531
110: https://packages.debian.org/src:linux-signed-arm64
111: https://www.debian.org/security/2019/dsa-4532
112: https://packages.debian.org/src:spip
113: https://www.debian.org/security/2019/dsa-4533
114: https://packages.debian.org/src:lemonldap-ng
115: https://www.debian.org/security/2019/dsa-4534
116: https://packages.debian.org/src:golang-1.11
117: https://www.debian.org/security/2019/dsa-4535
118: https://packages.debian.org/src:e2fsprogs
119: https://www.debian.org/security/2019/dsa-4536
120: https://packages.debian.org/src:exim4
121: https://www.debian.org/security/2019/dsa-4538
122: https://packages.debian.org/src:wpa
123: https://www.debian.org/security/2019/dsa-4539
124: https://packages.debian.org/src:openssl
125: https://www.debian.org/security/2019/dsa-4539
126: https://packages.debian.org/src:openssh
127: https://www.debian.org/security/2019/dsa-4541
128: https://packages.debian.org/src:libapreq2
129: https://www.debian.org/security/2019/dsa-4542
130: https://packages.debian.org/src:jackson-databind
131: https://www.debian.org/security/2019/dsa-4543
132: https://packages.debian.org/src:sudo
133: https://www.debian.org/security/2019/dsa-4544
134: https://packages.debian.org/src:unbound
135: https://www.debian.org/security/2019/dsa-4545
136: https://packages.debian.org/src:mediawiki
137: https://www.debian.org/security/2019/dsa-4547
138: https://packages.debian.org/src:tcpdump
139: https://www.debian.org/security/2019/dsa-4549
140: https://packages.debian.org/src:firefox-esr
141: https://www.debian.org/security/2019/dsa-4550
142: https://packages.debian.org/src:file
143: https://www.debian.org/security/2019/dsa-4551
144: https://packages.debian.org/src:golang-1.11
145: https://www.debian.org/security/2019/dsa-4553
146: https://packages.debian.org/src:php7.3
147: https://www.debian.org/security/2019/dsa-4554
148: https://packages.debian.org/src:ruby-loofah
149: https://www.debian.org/security/2019/dsa-4555
150: https://packages.debian.org/src:pam-python
151: https://www.debian.org/security/2019/dsa-4556
152: https://packages.debian.org/src:qtbase-opensource-src
153: https://www.debian.org/security/2019/dsa-4557
154: https://packages.debian.org/src:libarchive
155: https://www.debian.org/security/2019/dsa-4558
156: https://packages.debian.org/src:webkit2gtk
157: https://www.debian.org/security/2019/dsa-4559
158: https://packages.debian.org/src:proftpd-dfsg
159: https://www.debian.org/security/2019/dsa-4560
160: https://packages.debian.org/src:simplesamlphp
161: https://www.debian.org/security/2019/dsa-4561
162: https://packages.debian.org/src:fribidi
163: https://www.debian.org/security/2019/dsa-4562
164: https://packages.debian.org/src:chromium

Removed packages
----------------

The following packages were removed due to circumstances beyond our control:

+-------------------+--------------------------------------------------+
| Package | Reason |
+-------------------+--------------------------------------------------+
| firefox-esr [165] | [armel] No longer supportable due to nodejs |
| | build-dependency |
| | |
+-------------------+--------------------------------------------------+

165: https://packages.debian.org/src:firefox-esr

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into stable by the point release.


URLs
----

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/buster/ChangeLog


The current stable distribution:

http://ftp.debian.org/debian/dists/stable/


Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates


stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/


Security announcements and information:

https://www.debian.org/security/


About Debian
------------

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian. 
