The sixth update of Debian GNU/Linux 10 is now available. This point release mainly adds corrections for security issues, along with a few adjustments for serious problems.
------------------------------------------------------------------------
The Debian Project                                https://www.debian.org/
Updated Debian 10: 10.6 released                        press@debian.org
September 26th, 2020           https://www.debian.org/News/2020/20200926
------------------------------------------------------------------------

The Debian project is pleased to announce the sixth update of its stable
distribution Debian 10 (codename "buster"). This point release mainly
adds corrections for security issues, along with a few adjustments for
serious problems. Security advisories have already been published
separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 10 but only updates some of the packages included. There is no
need to throw away old "buster" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

  https://www.debian.org/mirror/list

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages. Note that, due to build issues, the updates for the cargo,
rustc and rust-cbindgen packages are currently not available for the
"armel" architecture. They may be added at a later date if the issues
are resolved.
+--------------------------+------------------------------------------+
| Package                  | Reason                                   |
+--------------------------+------------------------------------------+
| arch-test [1]            | Fix detection of s390x sometimes failing |
|                          |                                          |
| asterisk [2]             | Fix crash when negotiating for T.38 with |
|                          | a declined stream [CVE-2019-15297],      |
|                          | "SIP request can change address of a SIP |
|                          | peer" [CVE-2019-18790], "AMI user        |
|                          | could execute system                     |
|                          | commands" [CVE-2019-18610], segfault in  |
|                          | pjsip show history with IPv6 peers       |
|                          |                                          |
| bacula [3]               | Fix "oversized digest strings allow a    |
|                          | malicious client to cause a heap         |
|                          | overflow in the director's               |
|                          | memory" [CVE-2020-11061]                 |
|                          |                                          |
| base-files [4]           | Update /etc/debian_version for the point |
|                          | release                                  |
|                          |                                          |
| calamares-settings-      | Disable displaymanager module            |
| debian [5]               |                                          |
|                          |                                          |
| cargo [6]                | New upstream release, to support         |
|                          | upcoming Firefox ESR versions            |
|                          |                                          |
| chocolate-doom [7]       | Fix missing validation [CVE-2020-14983]  |
|                          |                                          |
| chrony [8]               | Prevent symlink race when writing to the |
|                          | PID file [CVE-2020-14367]; fix           |
|                          | temperature reading                      |
|                          |                                          |
| debian-installer [9]     | Update Linux ABI to 4.19.0-11            |
|                          |                                          |
| debian-installer-        | Rebuild against proposed-updates         |
| netboot-images [10]      |                                          |
|                          |                                          |
| diaspora-installer [11]  | Use --frozen option to bundle install to |
|                          | use upstream Gemfile.lock; don't exclude |
|                          | Gemfile.lock during upgrades; don't      |
|                          | overwrite config/oidc_key.pem during     |
|                          | upgrades; make config/schedule.yml       |
|                          | writeable                                |
|                          |                                          |
| dojo [12]                | Fix prototype pollution in deepCopy      |
|                          | method [CVE-2020-5258] and in jqMix      |
|                          | method [CVE-2020-5259]                   |
|                          |                                          |
| dovecot [13]             | Fix dsync sieve filter sync regression;  |
|                          | fix handling of getpwent result in       |
|                          | userdb-passwd                            |
|                          |                                          |
| facter [14]              | Change Google GCE Metadata endpoint from |
|                          | "v1beta1" to "v1"                        |
|                          |                                          |
| gnome-maps [15]          | Fix an issue with misaligned shape layer |
|                          | rendering                                |
|                          |                                          |
| gnome-shell [16]         | LoginDialog: Reset auth prompt on VT     |
|                          | switch before fade in [CVE-2020-17489]   |
|                          |                                          |
| gnome-weather [17]       | Prevent a crash when the configured set  |
|                          | of locations are invalid                 |
|                          |                                          |
| grunt [18]               | Use safeLoad when loading YAML files     |
|                          | [CVE-2020-7729]                          |
|                          |                                          |
| gssdp [19]               | New upstream stable release              |
|                          |                                          |
| gupnp [20]               | New upstream stable release; prevent the |
|                          | "CallStranger" attack [CVE-2020-12695];  |
|                          | require GSSDP 1.0.5                      |
|                          |                                          |
| haproxy [21]             | logrotate.conf: use rsyslog helper       |
|                          | instead of SysV init script; reject      |
|                          | messages where "chunked" is missing      |
|                          | from Transfer-Encoding [CVE-2019-18277]  |
|                          |                                          |
| icinga2 [22]             | Fix symlink attack [CVE-2020-14004]      |
|                          |                                          |
| incron [23]              | Fix cleanup of zombie processes          |
|                          |                                          |
| inetutils [24]           | Fix remote code execution issue          |
|                          | [CVE-2020-10188]                         |
|                          |                                          |
| libcommons-compress-     | Fix denial of service issue [CVE-2019-   |
| java [25]                | 12402]                                   |
|                          |                                          |
| libdbi-perl [26]         | Fix memory corruption in XS functions    |
|                          | when Perl stack is reallocated           |
|                          | [CVE-2020-14392]; fix a buffer overflow  |
|                          | on an overlong DBD class name [CVE-2020- |
|                          | 14393]; fix a NULL profile dereference   |
|                          | in dbi_profile() [CVE-2019-20919]        |
|                          |                                          |
| libvncserver [27]        | libvncclient: bail out if UNIX socket    |
|                          | name would overflow [CVE-2019-20839];    |
|                          | fix pointer aliasing/alignment issue     |
|                          | [CVE-2020-14399]; limit max textchat     |
|                          | size [CVE-2020-14405]; libvncserver: add |
|                          | missing NULL pointer checks [CVE-2020-   |
|                          | 14397]; fix pointer aliasing/alignment   |
|                          | issue [CVE-2020-14400]; scale: cast to   |
|                          | 64 bit before shifting [CVE-2020-14401]; |
|                          | prevent OOB accesses [CVE-2020-14402     |
|                          | CVE-2020-14403 CVE-2020-14404]           |
|                          |                                          |
| libx11 [28]              | Fix integer overflows [CVE-2020-14344    |
|                          | CVE-2020-14363]                          |
|                          |                                          |
| lighttpd [29]            | Backport several usability and security  |
|                          | fixes                                    |
|                          |                                          |
| linux [30]               | New upstream stable release; increase    |
|                          | ABI to 11                                |
|                          |                                          |
| linux-latest [31]        | Update for -11 Linux kernel ABI          |
|                          |                                          |
| linux-signed-amd64 [32]  | New upstream stable release              |
|                          |                                          |
| linux-signed-arm64 [33]  | New upstream stable release              |
|                          |                                          |
| linux-signed-i386 [34]   | New upstream stable release              |
|                          |                                          |
| llvm-toolchain-7 [35]    | New upstream release, to support         |
|                          | upcoming Firefox ESR versions; fix bugs  |
|                          | affecting rustc build                    |
|                          |                                          |
| lucene-solr [36]         | Fix security issue in DataImportHandler  |
|                          | configuration handling [CVE-2019-0193]   |
|                          |                                          |
| milkytracker [37]        | Fix heap overflow [CVE-2019-14464],      |
|                          | stack overflow [CVE-2019-14496], heap    |
|                          | overflow [CVE-2019-14497], use after     |
|                          | free [CVE-2020-15569]                    |
|                          |                                          |
| node-bl [38]             | Fix over-read vulnerability [CVE-2020-   |
|                          | 8244]                                    |
|                          |                                          |
| node-elliptic [39]       | Prevent malleability and overflows       |
|                          | [CVE-2020-13822]                         |
|                          |                                          |
| node-mysql [40]          | Add localInfile option to control LOAD   |
|                          | DATA LOCAL INFILE [CVE-2019-14939]       |
|                          |                                          |
| node-url-parse [41]      | Fix insufficient validation and          |
|                          | sanitization of user input [CVE-2020-    |
|                          | 8124]                                    |
|                          |                                          |
| npm [42]                 | Don't show password in logs [CVE-2020-   |
|                          | 15095]                                   |
|                          |                                          |
| orocos-kdl [43]          | Remove explicit inclusion of default     |
|                          | include path, fixing issues with cmake < |
|                          | 3.16                                     |
|                          |                                          |
| postgresql-11 [44]       | New upstream stable release; set a       |
|                          | secure search_path in logical            |
|                          | replication walsenders and apply workers |
|                          | [CVE-2020-14349]; make contrib modules'  |
|                          | installation scripts more secure         |
|                          | [CVE-2020-14350]                         |
|                          |                                          |
| postgresql-common [45]   | Don't drop plpgsql before testing        |
|                          | extensions                               |
|                          |                                          |
| pyzmq [46]               | Asyncio: wait for POLLOUT on sender in   |
|                          | can_connect                              |
|                          |                                          |
| qt4-x11 [47]             | Fix buffer overflow in XBM parser        |
|                          | [CVE-2020-17507]                         |
|                          |                                          |
| qtbase-opensource-       | Fix buffer overflow in XBM parser        |
| src [48]                 | [CVE-2020-17507]; fix clipboard breaking |
|                          | when timer wraps after 50 days           |
|                          |                                          |
| ros-actionlib [49]       | Load YAML safely [CVE-2020-10289]        |
|                          |                                          |
| rustc [50]               | New upstream release, to support         |
|                          | upcoming Firefox ESR versions            |
|                          |                                          |
| rust-cbindgen [51]       | New upstream release, to support         |
|                          | upcoming Firefox ESR versions            |
|                          |                                          |
| ruby-ronn [52]           | Fix handling of UTF-8 content in         |
|                          | manpages                                 |
|                          |                                          |
| s390-tools [53]          | Hardcode perl dependency instead of      |
|                          | using ${perl:Depends}, fixing            |
|                          | installation under debootstrap           |
|                          |                                          |
+--------------------------+------------------------------------------+

  1: https://packages.debian.org/src:arch-test
  2: https://packages.debian.org/src:asterisk
  3: https://packages.debian.org/src:bacula
  4: https://packages.debian.org/src:base-files
  5: https://packages.debian.org/src:calamares-settings-debian
  6: https://packages.debian.org/src:cargo
  7: https://packages.debian.org/src:chocolate-doom
  8: https://packages.debian.org/src:chrony
  9: https://packages.debian.org/src:debian-installer
 10: https://packages.debian.org/src:debian-installer-netboot-images
 11: https://packages.debian.org/src:diaspora-installer
 12: https://packages.debian.org/src:dojo
 13: https://packages.debian.org/src:dovecot
 14: https://packages.debian.org/src:facter
 15: https://packages.debian.org/src:gnome-maps
 16: https://packages.debian.org/src:gnome-shell
 17: https://packages.debian.org/src:gnome-weather
 18: https://packages.debian.org/src:grunt
 19: https://packages.debian.org/src:gssdp
 20: https://packages.debian.org/src:gupnp
 21: https://packages.debian.org/src:haproxy
 22: https://packages.debian.org/src:icinga2
 23: https://packages.debian.org/src:incron
 24: https://packages.debian.org/src:inetutils
 25: https://packages.debian.org/src:libcommons-compress-java
 26: https://packages.debian.org/src:libdbi-perl
 27: https://packages.debian.org/src:libvncserver
 28: https://packages.debian.org/src:libx11
 29: https://packages.debian.org/src:lighttpd
 30: https://packages.debian.org/src:linux
 31: https://packages.debian.org/src:linux-latest
 32: https://packages.debian.org/src:linux-signed-amd64
 33: https://packages.debian.org/src:linux-signed-arm64
 34: https://packages.debian.org/src:linux-signed-i386
 35: https://packages.debian.org/src:llvm-toolchain-7
 36: https://packages.debian.org/src:lucene-solr
 37: https://packages.debian.org/src:milkytracker
 38: https://packages.debian.org/src:node-bl
 39: https://packages.debian.org/src:node-elliptic
 40: https://packages.debian.org/src:node-mysql
 41: https://packages.debian.org/src:node-url-parse
 42: https://packages.debian.org/src:npm
 43: https://packages.debian.org/src:orocos-kdl
 44: https://packages.debian.org/src:postgresql-11
 45: https://packages.debian.org/src:postgresql-common
 46: https://packages.debian.org/src:pyzmq
 47: https://packages.debian.org/src:qt4-x11
 48: https://packages.debian.org/src:qtbase-opensource-src
 49: https://packages.debian.org/src:ros-actionlib
 50: https://packages.debian.org/src:rustc
 51: https://packages.debian.org/src:rust-cbindgen
 52: https://packages.debian.org/src:ruby-ronn
 53: https://packages.debian.org/src:s390-tools

Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+----------------+--------------------+
| Advisory ID    | Package            |
+----------------+--------------------+
| DSA-4662 [54]  | openjdk-11 [55]    |
|                |                    |
| DSA-4734 [56]  | openjdk-11 [57]    |
|                |                    |
| DSA-4736 [58]  | firefox-esr [59]   |
|                |                    |
| DSA-4737 [60]  | xrdp [61]          |
|                |                    |
| DSA-4738 [62]  | ark [63]           |
|                |                    |
| DSA-4739 [64]  | webkit2gtk [65]    |
|                |                    |
| DSA-4740 [66]  | thunderbird [67]   |
|                |                    |
| DSA-4741 [68]  | json-c [69]        |
|                |                    |
| DSA-4742 [70]  | firejail [71]      |
|                |                    |
| DSA-4743 [72]  | ruby-kramdown [73] |
|                |                    |
| DSA-4744 [74]  | roundcube [75]     |
|                |                    |
| DSA-4745 [76]  | dovecot [77]       |
|                |                    |
| DSA-4746 [78]  | net-snmp [79]      |
|                |                    |
| DSA-4747 [80]  | icingaweb2 [81]    |
|                |                    |
| DSA-4748 [82]  | ghostscript [83]   |
|                |                    |
| DSA-4749 [84]  | firefox-esr [85]   |
|                |                    |
| DSA-4750 [86]  | nginx [87]         |
|                |                    |
| DSA-4751 [88]  | squid [89]         |
|                |                    |
| DSA-4752 [90]  | bind9 [91]         |
|                |                    |
| DSA-4753 [92]  | mupdf [93]         |
|                |                    |
| DSA-4754 [94]  | thunderbird [95]   |
|                |                    |
| DSA-4755 [96]  | openexr [97]       |
|                |                    |
| DSA-4756 [98]  | lilypond [99]      |
|                |                    |
| DSA-4757 [100] | apache2 [101]      |
|                |                    |
| DSA-4758 [102] | xorg-server [103]  |
|                |                    |
| DSA-4759 [104] | ark [105]          |
|                |                    |
| DSA-4760 [106] | qemu [107]         |
|                |                    |
| DSA-4761 [108] | zeromq3 [109]      |
|                |                    |
| DSA-4762 [110] | lemonldap-ng [111] |
|                |                    |
| DSA-4763 [112] | teeworlds [113]    |
|                |                    |
| DSA-4764 [114] | inspircd [115]     |
|                |                    |
| DSA-4765 [116] | modsecurity [117]  |
|                |                    |
+----------------+--------------------+

 54: https://www.debian.org/security/2020/dsa-4662
 55: https://packages.debian.org/src:openjdk-11
 56: https://www.debian.org/security/2020/dsa-4734
 57: https://packages.debian.org/src:openjdk-11
 58: https://www.debian.org/security/2020/dsa-4736
 59: https://packages.debian.org/src:firefox-esr
 60: https://www.debian.org/security/2020/dsa-4737
 61: https://packages.debian.org/src:xrdp
 62: https://www.debian.org/security/2020/dsa-4738
 63: https://packages.debian.org/src:ark
 64: https://www.debian.org/security/2020/dsa-4739
 65: https://packages.debian.org/src:webkit2gtk
 66: https://www.debian.org/security/2020/dsa-4740
 67: https://packages.debian.org/src:thunderbird
 68: https://www.debian.org/security/2020/dsa-4741
 69: https://packages.debian.org/src:json-c
 70: https://www.debian.org/security/2020/dsa-4742
 71: https://packages.debian.org/src:firejail
 72: https://www.debian.org/security/2020/dsa-4743
 73: https://packages.debian.org/src:ruby-kramdown
 74: https://www.debian.org/security/2020/dsa-4744
 75: https://packages.debian.org/src:roundcube
 76: https://www.debian.org/security/2020/dsa-4745
 77: https://packages.debian.org/src:dovecot
 78: https://www.debian.org/security/2020/dsa-4746
 79: https://packages.debian.org/src:net-snmp
 80: https://www.debian.org/security/2020/dsa-4747
 81: https://packages.debian.org/src:icingaweb2
 82: https://www.debian.org/security/2020/dsa-4748
 83: https://packages.debian.org/src:ghostscript
 84: https://www.debian.org/security/2020/dsa-4749
 85: https://packages.debian.org/src:firefox-esr
 86: https://www.debian.org/security/2020/dsa-4750
 87: https://packages.debian.org/src:nginx
 88: https://www.debian.org/security/2020/dsa-4751
 89: https://packages.debian.org/src:squid
 90: https://www.debian.org/security/2020/dsa-4752
 91: https://packages.debian.org/src:bind9
 92: https://www.debian.org/security/2020/dsa-4753
 93: https://packages.debian.org/src:mupdf
 94: https://www.debian.org/security/2020/dsa-4754
 95: https://packages.debian.org/src:thunderbird
 96: https://www.debian.org/security/2020/dsa-4755
 97: https://packages.debian.org/src:openexr
 98: https://www.debian.org/security/2020/dsa-4756
 99: https://packages.debian.org/src:lilypond
100: https://www.debian.org/security/2020/dsa-4757
101: https://packages.debian.org/src:apache2
102: https://www.debian.org/security/2020/dsa-4758
103: https://packages.debian.org/src:xorg-server
104: https://www.debian.org/security/2020/dsa-4759
105: https://packages.debian.org/src:ark
106: https://www.debian.org/security/2020/dsa-4760
107: https://packages.debian.org/src:qemu
108: https://www.debian.org/security/2020/dsa-4761
109: https://packages.debian.org/src:zeromq3
110: https://www.debian.org/security/2020/dsa-4762
111: https://packages.debian.org/src:lemonldap-ng
112: https://www.debian.org/security/2020/dsa-4763
113: https://packages.debian.org/src:teeworlds
114: https://www.debian.org/security/2020/dsa-4764
115: https://packages.debian.org/src:inspircd
116: https://www.debian.org/security/2020/dsa-4765
117: https://packages.debian.org/src:modsecurity

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.

URLs
----

The complete lists of packages that have changed with this revision:

  http://ftp.debian.org/debian/dists/buster/ChangeLog

The current stable distribution:

  http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

  http://ftp.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

  https://www.debian.org/releases/stable/

Security announcements and information:

  https://www.debian.org/security/

About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.

Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.