Updated Debian 10: 10.1 released
7 September 2019
The Debian project is pleased to announce the first update of its stable distribution Debian 10 (codename buster).
This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 10 but only updates some of the packages included. There is no need to throw away old buster media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org will not have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous bugfixes
This stable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
acme-tiny | Handle upcoming ACME protocol change |
android-sdk-meta | New upstream release; fix regex for adding Debian version to binary packages |
apt-setup | Fix preseeding of Secure Apt for local repositories via apt-setup/localX/ |
asterisk | Fix buffer overflow in res_pjsip_messaging [AST-2019-002 / CVE-2019-12827]; fix remote Crash Vulnerability in chan_sip [AST-2019-003 / CVE-2019-13161] |
babeltrace | Bump ctf symbols depends to post merge version |
backup-manager | Fix purging of remote archives via FTP or SSH |
base-files | Update for the point release |
basez | Properly decode base64url encoded strings |
bro | Security fixes [CVE-2018-16807 CVE-2018-17019] |
bzip2 | Fix regression uncompressing some files |
cacti | Fix some issues upgrading from the version in stretch |
calamares-settings-debian | Fix permissions for initramfs image when full-disk encryption is enabled [CVE-2019-13179] |
ceph | Rebuild against new libbabeltrace |
clamav | Prevent extraction of non-recursive zip bombs; new upstream stable release with security fixes - add scan time limit to mitigate against zip-bombs [CVE-2019-12625]; fix out-of-bounds write within the NSIS bzip2 library [CVE-2019-12900] |
cloudkitty | Fix build failures with updated SQLAlchemy |
console-setup | Fix internationalization issues when switching locales with Perl >= 5.28 |
cryptsetup | Fix support for LUKS2 headers without any bound keyslot; fix mapped segments overflow on 32-bit architectures |
cups | Fix multiple security/disclosure issues - SNMP buffer overflows [CVE-2019-8696 CVE-2019-8675], IPP buffer overflow, Denial of Service and memory disclosure issues in the scheduler |
dbconfig-common | Fix issue caused by change in bash POSIX behaviour |
debian-edu-config | Use PXE option "ipappend 2" for LTSP client boot; fix sudo-ldap configuration; fix loss of dynamically allocated v4 IP address; several fixes and improvements to debian-edu-config.fetch-ldap-cert |
debian-edu-doc | Update Debian Edu Buster and ITIL manuals and translations |
dehydrated | Fix fetching of account information; follow-up fixes for account ID handling and APIv1 compatibility |
devscripts | debchange: target buster-backports with --bpo option |
dma | Do not limit TLS connections to using TLS 1.0 |
dpdk | New upstream stable release |
dput-ng | Add buster-backports and stretch-backports-sloppy codenames |
e2fsprogs | Fix e4defrag crashes on 32-bit architectures |
enigmail | New upstream release; security fixes [CVE-2019-12269] |
epiphany-browser | Ensure that the web extension uses the bundled copy of libdazzle |
erlang-p1-pkix | Fix handling of GnuTLS certificates |
facter | Fix parsing of Linux route non-key/value flags (e.g. onlink) |
fdroidserver | New upstream release |
fig2dev | Do not segfault on circle/half circle arrowheads with a magnification larger than 42 [CVE-2019-14275] |
firmware-nonfree | atheros: Add Qualcomm Atheros QCA9377 rev 1.0 firmware version WLAN.TF.2.1-00021-QCARMSWP-1; realtek: Add Realtek RTL8822CU Bluetooth firmware; atheros: Revert change of QCA9377 rev 1.0 firmware in 20180518-1; misc-nonfree: add firmware for MediaTek MT76x0/MT76x2u wireless chips, MediaTek MT7622/MT7668 bluetooth chips, GV100 signed firmware |
freeorion | Fix crash when loading or saving game data |
fuse-emulator | Prefer the X11 backend over the Wayland one; show the Fuse icon on the GTK window and About dialog |
fusiondirectory | Stricter checks on LDAP lookups; add missing dependency on php-xml |
gcab | Fix corruption when extracting |
gdb | Rebuild against new libbabeltrace |
glib2.0 | Make GKeyFile settings backend create ~/.config and configuration files with restrictive permissions [CVE-2019-13012] |
gnome-bluetooth | Avoid GNOME Shell crashes when gnome-shell-extension-bluetooth-quick-connect is used |
gnome-control-center | Fix crash when the Details -> Overview (info-overview) panel is selected; fix memory leaks in Universal Access panel; fix a regression that caused the Universal Access -> Zoom mouse tracking options to have no effect; updated Icelandic and Japanese translations |
gnupg2 | Backport many bug fixes and stability patches from upstream; use keys.openpgp.org as the default keyserver; only import self-signatures by default |
gnuplot | Fix incomplete/unsafe initialization of ARGV array |
gosa | Stricter checks on LDAP lookups |
hfst | Ensure smoother upgrades from stretch |
initramfs-tools | Disable resume when there are no suitable swap devices; MODULES=most: include all keyboard driver modules, cros_ec_spi and SPI drivers, extcon-usbc-cros-ec; MODULES=dep: include extcon drivers |
jython | Preserve backward compatibility with Java 7 |
lacme | Update for removal of unauthenticated GET support from the Let's Encrypt ACMEv2 API |
libblockdev | Use existing cryptsetup API for changing keyslot passphrase |
libdatetime-timezone-perl | Update included data |
libjavascript-beautifier-perl | Add support for the "=>" operator |
libsdl2-image | Fix buffer overflows [CVE-2019-5058 CVE-2019-5052 CVE-2019-7635]; fix out of bounds access in PCX handling [CVE-2019-12216 CVE-2019-12217 CVE-2019-12218 CVE-2019-12219 CVE-2019-12220 CVE-2019-12221 CVE-2019-12222 CVE-2019-5051] |
libtk-img | Stop using internal copies of JPEG, Zlib and PixarLog codecs, fixing crashes |
libxslt | Fix security framework bypass [CVE-2019-11068], uninitialized read of xsl:number token [CVE-2019-13117] and uninitialized read with UTF-8 grouping chars [CVE-2019-13118] |
linux | New upstream stable release |
linux-latest | Update for 4.19.0-6 kernel ABI |
linux-signed-amd64 | New upstream stable release |
linux-signed-arm64 | New upstream stable release |
linux-signed-i386 | New upstream stable release |
lttv | Rebuild against new libbabeltrace |
mapproxy | Fix WMS Capabilities with Python 3.7 |
mariadb-10.3 | New upstream stable release; security fixes [CVE-2019-2737 CVE-2019-2739 CVE-2019-2740 CVE-2019-2758 CVE-2019-2805]; fix segfault on 'information_schema' access; rename 'mariadbcheck' to 'mariadb-check' |
musescore | Disable webkit functionality |
ncbi-tools6 | Repackage without non-free data/UniVec.* |
ncurses | Remove "rep" from xterm-new and derived terminfo descriptions |
netdata | Remove Google Analytics from generated documentation; opt out of sending anonymous statistics; remove "sign in" button |
newsboat | Fix use after free issue |
nextcloud-desktop | Add missing dependency on nextcloud-desktop-common to nextcloud-desktop-cmd |
node-lodash | Fix prototype pollution [CVE-2019-10744] |
node-mixin-deep | Fix prototype pollution issue |
nss | Fix security issues [CVE-2019-11719 CVE-2019-11727 CVE-2019-11729] |
nx-libs | Fix a number of memory leaks |
open-infrastructure-compute-tools | Fix container start |
open-vm-tools | Correctly handle OS versions of the form X, rather than X.Y |
openldap | Restrict rootDN proxyauthz to its own databases [CVE-2019-13057]; enforce sasl_ssf ACL statement on every connection [CVE-2019-13565]; fix slapo-rwm to not free original filter when rewritten filter is invalid |
osinfo-db | Add buster 10.0 information; fix URLs for stretch download; fix the name of the parameter used to set the fullname when generating a preseed file |
osmpbf | Rebuild with protobuf 3.6.1 |
pam-u2f | Fix insecure debug file handling [CVE-2019-12209]; fix debug file descriptor leak [CVE-2019-12210]; fix out-of-bounds access; fix segfault following a failure to allocate a buffer |
passwordsafe | Install localisation files in the correct directory |
piuparts | Update configurations for the buster release; fix spurious failure to remove packages with names ending with '+'; generate separate tarball names for --merged-usr chroots |
postgresql-common | Fix pg_upgradecluster: the versions shipped in postgresql-common 200, 200+deb10u1, 201 and 202 corrupt the data_directory setting when used *twice* to upgrade a cluster (e.g. 9.6 -> 10 -> 11) |
pulseaudio | Fix mute state restoring |
puppet-module-cinder | Fix attempts to write to /etc/init |
python-autobahn | Fix pyqrcode build dependencies |
python-django | New upstream security release [CVE-2019-12781] |
raspi3-firmware | Add support for Raspberry Pi Compute Module 3 (CM3), Raspberry Pi Compute Module 3 Lite and Raspberry Pi Compute Module IO Board V3 |
reportbug | Update release names, following buster release; re-enable stretch-pu requests; fix crashes with package / version lookup; add missing dependency on sensible-utils |
ruby-airbrussh | Don't throw exception on invalid UTF-8 SSH output |
sdl-image1.2 | Fix buffer overflows [CVE-2019-5052 CVE-2019-7635], out-of-bounds access [CVE-2019-12216 CVE-2019-12217 CVE-2019-12218 CVE-2019-12219 CVE-2019-12220 CVE-2019-12221 CVE-2019-12222 CVE-2019-5051] |
sendmail | sendmail-bin.postinst, initscript: Let start-stop-daemon match on pidfile and executable; sendmail-bin.prerm: Stop sendmail before removing the alternatives |
slirp4netns | New upstream stable release with security fixes - check sscanf result when emulating ident [CVE-2019-9824]; fixes heap overflow in included libslirp [CVE-2019-14378] |
systemd | Network: Fix failure to bring up interface with Linux kernel 5.2; ask-password: Prevent buffer overflow when reading from keyring; network: Behave more gracefully when IPv6 has been disabled |
tzdata | New upstream release |
unzip | Fix zip bomb issues [CVE-2019-13232] |
usb.ids | Routine update of USB IDs |
warzone2100 | Fix a segmentation fault when hosting a multiplayer game |
webkit2gtk | New upstream stable version; stop requiring SSE2-capable CPUs |
win32-loader | Rebuild against current packages, particularly debian-archive-keyring; fix build failure by enforcing a POSIX locale |
xymon | Fix several (server only) security issues [CVE-2019-13273 CVE-2019-13274 CVE-2019-13451 CVE-2019-13452 CVE-2019-13455 CVE-2019-13484 CVE-2019-13485 CVE-2019-13486] |
yubikey-personalization | Backport additional security precautions |
z3 | Do not set the SONAME of libz3java.so to libz3.so.4 |
Security updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
pump | Unmaintained; security issues |
rustc | Remove outdated rust-doc cruft |
Debian Installer
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
The complete list of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
Stable distribution information (release notes, errata, etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.