The seventh update of Debian GNU/Linux 10 is now available. This point release mainly adds corrections for security issues, along with a few adjustments for serious problems.
The Debian project is pleased to announce the seventh update of its stable distribution Debian 10 (codename buster). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 10 but only updates some of the packages included. There is no need to throw away old buster media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
| Package | Reason |
|---|---|
| base-files | Update for the point release |
| choose-mirror | Update mirror list |
| cups | Fix 'printer-alert' invalid free |
| dav4tbsync | New upstream release, compatible with newer Thunderbird versions |
| debian-installer | Use 4.19.0-13 Linux kernel ABI; add grub2 to Built-Using |
| debian-installer-netboot-images | Rebuild against proposed-updates |
| distro-info-data | Add Ubuntu 21.04, Hirsute Hippo |
| dpdk | New upstream stable release; fix remote code execution issue [CVE-2020-14374], TOCTOU issues [CVE-2020-14375], buffer overflow [CVE-2020-14376], buffer over read [CVE-2020-14377] and integer underflow [CVE-2020-14377]; fix armhf build with NEON |
| eas4tbsync | New upstream release, compatible with newer Thunderbird versions |
| edk2 | Fix integer overflow in DxeImageVerificationHandler [CVE-2019-14562] |
| efivar | Add support for nvme-fabrics and nvme-subsystem devices; fix uninitialized variable in parse_acpi_root, avoiding possible segfault |
| enigmail | Introduce migration assistant to Thunderbird's built-in GPG support |
| espeak | Fix using espeak with mbrola-fr4 when mbrola-fr1 is not installed |
| fastd | Fix memory leak when receiving too many invalid packets [CVE-2020-27638] |
| fish | Ensure TTY options are restored on exit |
| freecol | Fix XML External Entity vulnerability [CVE-2018-1000825] |
| gajim-omemo | Use 12-byte IV, for better compatibility with iOS clients |
| glances | Listen only on localhost by default |
| iptables-persistent | Don't force-load kernel modules; improve rule flushing logic |
| lacme | Use upstream certificate chain instead of a hardcoded one, easing support for new Let's Encrypt root and intermediate certificates |
| libdatetime-timezone-perl | Update included data to tzdata 2020d |
| libimobiledevice | Add partial support for iOS 14 |
| libjpeg-turbo | Fix denial of service [CVE-2018-1152], buffer over read [CVE-2018-14498], possible remote code execution [CVE-2019-2201], buffer over read [CVE-2020-13790] |
| libxml2 | Fix denial of service [CVE-2017-18258], NULL pointer dereference [CVE-2018-14404], infinite loop [CVE-2018-14567], memory leak [CVE-2019-19956 CVE-2019-20388], infinite loop [CVE-2020-7595] |
| linux | New upstream stable release |
| linux-latest | Update for 4.19.0-13 kernel ABI |
| linux-signed-amd64 | New upstream stable release |
| linux-signed-arm64 | New upstream stable release |
| linux-signed-i386 | New upstream stable release |
| lmod | Change architecture to any - required due to LUA_PATH and LUA_CPATH being determined at build time |
| mariadb-10.3 | New upstream stable release; security fixes [CVE-2020-14765 CVE-2020-14776 CVE-2020-14789 CVE-2020-14812 CVE-2020-28912] |
| mutt | Ensure IMAP connection is closed after a connection error [CVE-2020-28896] |
| neomutt | Ensure IMAP connection is closed after a connection error [CVE-2020-28896] |
| node-object-path | Fix prototype pollution in set() [CVE-2020-15256] |
| node-pathval | Fix prototype pollution [CVE-2020-7751] |
| okular | Fix code execution via action link [CVE-2020-9359] |
| openjdk-11 | New upstream release; fix JVM crash |
| partman-auto | Increase /boot sizes in most recipes to between 512 and 768M, to better handle kernel ABI changes and larger initramfses; cap RAM size as used for swap partition calculations, resolving issues on machines with more RAM than disk space |
| pcaudiolib | Cap cancellation latency to 10ms |
| plinth | Apache: Disable mod_status [CVE-2020-25073] |
| puma | Fix HTTP injection and HTTP smuggling issues [CVE-2020-5247 CVE-2020-5249 CVE-2020-11076 CVE-2020-11077] |
| ros-ros-comm | Fix integer overflow [CVE-2020-16124] |
| ruby2.5 | Fix potential HTTP request smuggling vulnerability in WEBrick [CVE-2020-25613] |
| sleuthkit | Fix stack buffer overflow in yaffsfs_istat [CVE-2020-10232] |
| sqlite3 | Fix division by zero [CVE-2019-16168], NULL pointer dereference [CVE-2019-19923], mishandling of NULL pathname during an update of a ZIP archive [CVE-2019-19925], mishandling of embedded NULs in filenames [CVE-2019-19959], possible crash (unwinding WITH stack) [CVE-2019-20218], integer overflow [CVE-2020-13434], segmentation fault [CVE-2020-13435], use-after-free issue [CVE-2020-13630], NULL pointer dereference [CVE-2020-13632], heap overflow [CVE-2020-15358] |
| systemd | Basic/cap-list: parse/print numerical capabilities; recognise new capabilities from Linux kernel 5.8; networkd: do not generate MAC for bridge device |
| tbsync | New upstream release, compatible with newer Thunderbird versions |
| tcpdump | Fix untrusted input issue in the PPP printer [CVE-2020-8037] |
| tigervnc | Properly store certificate exceptions in native and java VNC viewer [CVE-2020-26117] |
| tor | New upstream stable release; multiple security, usability, portability, and reliability fixes |
| transmission | Fix memory leak |
| tzdata | New upstream release |
| ublock-origin | New upstream version; split plugin to browser-specific packages |
| vips | Fix use of uninitialised variable [CVE-2020-20739] |

Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
| Package | Reason |
|---|---|
| freshplayerplugin | Unsupported by browsers; discontinued upstream |
| nostalgy | Incompatible with newer Thunderbird versions |
| sieve-extension | Incompatible with newer Thunderbird versions |

Debian Installer
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
stable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.