Updated Debian 10: 10.1 released

September 7th, 2019

The Debian project is pleased to announce the first update of its stable distribution Debian 10 (codename buster). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 10 but only updates some of the packages included. There is no need to throw away old buster media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package Reason
acme-tiny Handle upcoming ACME protocol change
android-sdk-meta New upstream release; fix regex for adding Debian version to binary packages
apt-setup Fix preseeding of Secure Apt for local repositories via apt-setup/localX/
asterisk Fix buffer overflow in res_pjsip_messaging [AST-2019-002 / CVE-2019-12827]; fix remote Crash Vulnerability in chan_sip [AST-2019-003 / CVE-2019-13161]
babeltrace Bump ctf symbols depends to post merge version
backup-manager Fix purging of remote archives via FTP or SSH
base-files Update for the point release
basez Properly decode base64url encoded strings
bro Security fixes [CVE-2018-16807 CVE-2018-17019]
bzip2 Fix regression uncompressing some files
cacti Fix some issues upgrading from the version in stretch
calamares-settings-debian Fix permissions for initramfs image when full-disk encryption is enabled [CVE-2019-13179]
ceph Rebuild against new libbabeltrace
clamav Prevent extraction of non-recursive zip bombs; new upstream stable release with security fixes - add scan time limit to mitigate against zip-bombs [CVE-2019-12625]; fix out-of-bounds write within the NSIS bzip2 library [CVE-2019-12900]
cloudkitty Fix build failures with updated SQLAlchemy
console-setup Fix internationalization issues when switching locales with Perl >= 5.28
cryptsetup Fix support for LUKS2 headers without any bound keyslot; fix mapped segments overflow on 32-bit architectures
cups Fix multiple security/disclosure issues - SNMP buffer overflows [CVE-2019-8696 CVE-2019-8675], IPP buffer overflow, Denial of Service and memory disclosure issues in the scheduler
dbconfig-common Fix issue caused by change in bash POSIX behaviour
debian-edu-config Use PXE option ipappend 2 for LTSP client boot; fix sudo-ldap configuration; fix loss of dynamically allocated v4 IP address; several fixes and improvements to debian-edu-config.fetch-ldap-cert
debian-edu-doc Update Debian Edu Buster and ITIL manuals and translations
dehydrated Fix fetching of account information; follow-up fixes for account ID handling and APIv1 compatibility
devscripts debchange: target buster-backports with --bpo option
dma Do not limit TLS connections to using TLS 1.0
dpdk New upstream stable release
dput-ng Add buster-backports and stretch-backports-sloppy codenames
e2fsprogs Fix e4defrag crashes on 32-bit architectures
enigmail New upstream release; security fixes [CVE-2019-12269]
epiphany-browser Ensure that the web extension uses the bundled copy of libdazzle
erlang-p1-pkix Fix handling of GnuTLS certificates
facter Fix parsing of Linux route non-key/value flags (e.g. onlink)
fdroidserver New upstream release
fig2dev Do not segfault on circle/half circle arrowheads with a magnification larger than 42 [CVE-2019-14275]
firmware-nonfree atheros: Add Qualcomm Atheros QCA9377 rev 1.0 firmware version WLAN.TF.2.1-00021-QCARMSWP-1; realtek: Add Realtek RTL8822CU Bluetooth firmware; atheros: Revert change of QCA9377 rev 1.0 firmware in 20180518-1; misc-nonfree: add firmware for MediaTek MT76x0/MT76x2u wireless chips, MediaTek MT7622/MT7668 bluetooth chips, GV100 signed firmware
freeorion Fix crash when loading or saving game data
fuse-emulator Prefer the X11 backend over the Wayland one; show the Fuse icon on the GTK window and About dialog
fusiondirectory Stricter checks on LDAP lookups; add missing dependency on php-xml
gcab Fix corruption when extracting
gdb Rebuild against new libbabeltrace
glib2.0 Make GKeyFile settings backend create ~/.config and configuration files with restrictive permissions [CVE-2019-13012]
gnome-bluetooth Avoid GNOME Shell crashes when gnome-shell-extension-bluetooth-quick-connect is used
gnome-control-center Fix crash when the Details -> Overview (info-overview) panel is selected; fix memory leaks in Universal Access panel; fix a regression that caused the Universal Access -> Zoom mouse tracking options to have no effect; updated Icelandic and Japanese translations
gnupg2 Backport many bug fixes and stability patches from upstream; use keys.openpgp.org as the default keyserver; only import self-signatures by default
gnuplot Fix incomplete/unsafe initialization of ARGV array
gosa Stricter checks on LDAP lookups
hfst Ensure smoother upgrades from stretch
initramfs-tools Disable resume when there are no suitable swap devices; MODULES=most: include all keyboard driver modules, cros_ec_spi and SPI drivers, extcon-usbc-cros-ec; MODULES=dep: include extcon drivers
jython Preserve backward compatibility with Java 7
lacme Update for removal of unauthenticated GET support from the Let's Encrypt ACMEv2 API
libblockdev Use existing cryptsetup API for changing keyslot passphrase
libdatetime-timezone-perl Update included data
libjavascript-beautifier-perl Add support for => operator
libsdl2-image Fix buffer overflows [CVE-2019-5058 CVE-2019-5052 CVE-2019-7635]; fix out of bounds access in PCX handling [CVE-2019-12216 CVE-2019-12217 CVE-2019-12218 CVE-2019-12219 CVE-2019-12220 CVE-2019-12221 CVE-2019-12222 CVE-2019-5051]
libtk-img Stop using internal copies of JPEG, Zlib and PixarLog codecs, fixing crashes
libxslt Fix security framework bypass [CVE-2019-11068], uninitialized read of xsl:number token [CVE-2019-13117] and uninitialized read with UTF-8 grouping chars [CVE-2019-13118]
linux New upstream stable release
linux-latest Update for 4.19.0-6 kernel ABI
linux-signed-amd64 New upstream stable release
linux-signed-arm64 New upstream stable release
linux-signed-i386 New upstream stable release
lttv Rebuild against new libbabeltrace
mapproxy Fix WMS Capabilities with Python 3.7
mariadb-10.3 New upstream stable release; security fixes [CVE-2019-2737 CVE-2019-2739 CVE-2019-2740 CVE-2019-2758 CVE-2019-2805]; fix segfault on 'information_schema' access; rename 'mariadbcheck' to 'mariadb-check'
musescore Disable webkit functionality
ncbi-tools6 Repackage without non-free data/UniVec.*
ncurses Remove rep from xterm-new and derived terminfo descriptions
netdata Remove Google Analytics from generated documentation; opt out of sending anonymous statistics; remove sign in button
newsboat Fix use after free issue
nextcloud-desktop Add missing dependency on nextcloud-desktop-common to nextcloud-desktop-cmd
node-lodash Fix prototype pollution [CVE-2019-10744]
node-mixin-deep Fix prototype pollution issue
nss Fix security issues [CVE-2019-11719 CVE-2019-11727 CVE-2019-11729]
nx-libs Fix a number of memory leaks
open-infrastructure-compute-tools Fix container start
open-vm-tools Correctly handle OS versions of the form X, rather than X.Y
openldap Restrict rootDN proxyauthz to its own databases [CVE-2019-13057]; enforce sasl_ssf ACL statement on every connection [CVE-2019-13565]; fix slapo-rwm to not free original filter when rewritten filter is invalid
osinfo-db Add buster 10.0 information; fix URLs for stretch download; fix the name of the parameter used to set the fullname when generating a preseed file
osmpbf Rebuild with protobuf 3.6.1
pam-u2f Fix insecure debug file handling [CVE-2019-12209]; fix debug file descriptor leak [CVE-2019-12210]; fix out-of-bounds access; fix segfault following a failure to allocate a buffer
passwordsafe Install localisation files in the correct directory
piuparts Update configurations for the buster release; fix spurious failure to remove packages with names ending with '+'; generate separate tarball names for --merged-usr chroots
postgresql-common Fix pg_upgradecluster from postgresql-common 200, 200+deb10u1, 201, and 202 will corrupt the data_directory setting when used *twice* to upgrade a cluster (e.g. 9.6 -> 10 -> 11)
pulseaudio Fix mute state restoring
puppet-module-cinder Fix attempts to write to /etc/init
python-autobahn Fix pyqrcode build dependencies
python-django New upstream security release [CVE-2019-12781]
raspi3-firmware Add support for Raspberry Pi Compute Module 3 (CM3), Raspberry Pi Compute Module 3 Lite and Raspberry Pi Compute Module IO Board V3
reportbug Update release names, following buster release; re-enable stretch-pu requests; fix crashes with package / version lookup; add missing dependency on sensible-utils
ruby-airbrussh Don't throw exception on invalid UTF-8 SSH output
sdl-image1.2 Fix buffer overflows [CVE-2019-5052 CVE-2019-7635], out-of-bounds access [CVE-2019-12216 CVE-2019-12217 CVE-2019-12218 CVE-2019-12219 CVE-2019-12220 CVE-2019-12221 CVE-2019-12222 CVE-2019-5051]
sendmail sendmail-bin.postinst, initscript: Let start-stop-daemon match on pidfile and executable; sendmail-bin.prerm: Stop sendmail before removing the alternatives
slirp4netns New upstream stable release with security fixes - check sscanf result when emulating ident [CVE-2019-9824]; fixes heap overflow in included libslirp [CVE-2019-14378]
systemd Network: Fix failure to bring up interface with Linux kernel 5.2; ask-password: Prevent buffer overflow when reading from keyring; network: Behave more gracefully when IPv6 has been disabled
tzdata New upstream release
unzip Fix zip bomb issues [CVE-2019-13232]
usb.ids Routine update of USB IDs
warzone2100 Fix a segmentation fault when hosting a multiplayer game
webkit2gtk New upstream stable version; stop requiring SSE2-capable CPUs
win32-loader Rebuild against current packages, particularly debian-archive-keyring; fix build failure by enforcing a POSIX locale
xymon Fix several (server only) security issues [CVE-2019-13273 CVE-2019-13274 CVE-2019-13451 CVE-2019-13452 CVE-2019-13455 CVE-2019-13484 CVE-2019-13485 CVE-2019-13486]
yubikey-personalization Backport additional security precautions
z3 Do not set the SONAME of libz3java.so to libz3.so.4

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-4477 zeromq3
DSA-4478 dosbox
DSA-4479 firefox-esr
DSA-4480 redis
DSA-4481 ruby-mini-magick
DSA-4482 thunderbird
DSA-4483 libreoffice
DSA-4484 linux
DSA-4484 linux-signed-i386
DSA-4484 linux-signed-arm64
DSA-4484 linux-signed-amd64
DSA-4486 openjdk-11
DSA-4488 exim4
DSA-4489 patch
DSA-4490 subversion
DSA-4491 proftpd-dfsg
DSA-4493 postgresql-11
DSA-4494 kconfig
DSA-4495 linux-signed-amd64
DSA-4495 linux-signed-arm64
DSA-4495 linux
DSA-4495 linux-signed-i386
DSA-4496 pango1.0
DSA-4498 python-django
DSA-4499 ghostscript
DSA-4501 libreoffice
DSA-4502 ffmpeg
DSA-4503 golang-1.11
DSA-4504 vlc
DSA-4505 nginx
DSA-4507 squid
DSA-4508 h2o
DSA-4509 apache2
DSA-4510 dovecot

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
pump Unmaintained; security issues
rustc Remove outdated rust-doc cruft

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/buster/ChangeLog

The current stable distribution:

http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.