Updated Debian 10: 10.2 released
November 16th, 2019
The Debian project is pleased to announce the second update of its
stable distribution Debian 10 (codename buster
).
This point release mainly adds corrections for security issues,
along with a few adjustments for serious problems. Security advisories
have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian
10 but only updates some of the packages included. There is
no need to throw away old buster
media. After installation,
packages can be upgraded to the current versions using an up-to-date Debian
mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
aegisub | Fix crash when selecting a language from the bottom of the Spell checker languagelist; fix crash when right-clicking in the subtitles text box |
akonadi | Fix various crashes / deadlock issues |
base-files | Update /etc/debian_version for the point release |
capistrano | Fix failure to remove old releases when there were too many |
cron | Stop using obsolete SELinux API |
cyrus-imapd | Fix data loss on upgrade from version 3.0.0 or earlier |
debian-edu-config | Handle newer Firefox ESR configuration files; add post-up stanza to /etc/network/interfaces eth0 entry conditionally |
debian-installer | Fix unreadable fonts on hidpi displays in netboot images booted with EFI |
debian-installer-netboot-images | Rebuild against proposed-updates |
distro-info-data | Add Ubuntu 20.04 LTS, Focal Fossa |
dkimpy-milter | New upstream stable release; fix sysvinit support; catch more ASCII encoding errors to improve resilience against bad data; fix message extraction so that signing in the same pass through the milter as verifying works correctly |
emacs | Update the EPLA packaging key |
fence-agents | Fix incomplete removal of fence_amt_ws |
flatpak | New upstream stable release |
flightcrew | Security fixes [CVE-2019-13032 CVE-2019-13241] |
fonts-noto-cjk | Fix over-aggressive font selection of Noto CJK fonts in modern web browsers under Chinese locale |
freetype | Properly handle phantom points for variable hinted fonts |
gdb | Rebuild against new libbabeltrace, with higher version number to avoid conflict with earlier upload |
glib2.0 | Ensure libdbus clients can authenticate with a GDBusServer like the one in ibus |
gnome-shell | New upstream stable release; fix truncation of long messages in Shell-modal dialogs; avoid crash on reallocation of dead actors |
gnome-sound-recorder | Fix crash when selecting a recording |
gnustep-base | Disable gdomap daemon that was accidentally enabled on upgrades from stretch |
graphite-web | Remove unused send_emailfunction [CVE-2017-18638]; avoid hourly error in cron when there is no whisper database |
inn2 | Fix negotiation of DHE ciphersuites |
libapache-mod-auth-kerb | Fix use after free bug leading to crash |
libdate-holidays-de-perl | Mark International Childrens Day (Sep 20th) as a holiday in Thuringia from 2019 onwards |
libdatetime-timezone-perl | Update included data |
libofx | Fix null pointer dereference issue [CVE-2019-9656] |
libreoffice | Fix the postgresql driver with PostgreSQL 12 |
libsixel | Fix several security issues [CVE-2018-19756 CVE-2018-19757 CVE-2018-19759 CVE-2018-19761 CVE-2018-19762 CVE-2018-19763 CVE-2019-3573 CVE-2019-3574] |
libxslt | Fix dangling pointer in xsltCopyText [CVE-2019-18197] |
lucene-solr | Disable obsolete call to ContextHandler in solr-jetty9.xml; fix Jetty permissions on SOLR index |
mariadb-10.3 | New upstream stable release |
modsecurity-crs | Fix PHP script upload rules [CVE-2019-13464] |
mutter | New upstream stable release |
ncurses | Fix several security issues [CVE-2019-17594 CVE-2019-17595] and other issues in tic |
ndppd | Avoid world writable PID file, that was breaking daemon init scripts |
network-manager | Fix file permissions for /var/lib/NetworkManager/secret_keyand /var/lib/NetworkManager |
node-fstream | Fix arbitrary file overwrite issue [CVE-2019-13173] |
node-set-value | Fix prototype pollution [CVE-2019-10747] |
node-yarnpkg | Force using HTTPS for regular registries |
nx-libs | Fix regressions introduced in previous upload, affecting x2go |
open-vm-tools | Fix memory leaks and error handling |
openvswitch | Update debian/ifupdown.sh to allow setting-up the MTU; fix Python dependencies to use Python 3 |
picard | Update translations to fix crash with Spanish locale |
plasma-applet-redshift-control | Fix manual mode when used with redshift versions above 1.12 |
postfix | New upstream stable release; work around poor TCP loopback performance |
python-cryptography | Fix test suite failures when built against newer OpenSSL versions; fix a memory leak triggerable when parsing x509 certificate extensions like AIA |
python-flask-rdf | Add Depends on python{3,}-rdflib |
python-oslo.messaging | New upstream stable release; fix switch connection destination when a rabbitmq cluster node disappears |
python-werkzeug | Ensure Docker containers have unique debugger PINs [CVE-2019-14806] |
python2.7 | Fix several security issues [CVE-2018-20852 CVE-2019-10160 CVE-2019-16056 CVE-2019-16935 CVE-2019-9740 CVE-2019-9947] |
quota | Fix rpc.rquotad spinning at 100% CPU |
rpcbind | Allow remote calls to be enabled at run-time |
shelldap | Repair SASL authentications, add a 'sasluser' option |
sogo | Fix display of PGP-signed e-mails |
spf-engine | New upstream stable release; fix sysvinit support |
standardskriver | Fix deprecation warning from config.RawConfigParser; use external ipcommand rather than deprecated ifconfigcommand |
swi-prolog | Use HTTPS when contacting upstream pack servers |
systemd | core: never propagate reload failure to service result; fix sync_file_range failures in nspawn containers on arm, ppc; fix RootDirectory not working when used in combination with User; ensure that access controls on systemd-resolved's D-Bus interface are enforced correctly [CVE-2019-15718]; fix StopWhenUnneeded=true for mount units; make MountFlags=shared work again |
tmpreaper | Prevent breaking of systemd services that use PrivateTmp=true |
trapperkeeper-webserver-jetty9-clojure | Restore SSL compatibility with newer Jetty versions |
tzdata | New upstream release |
ublock-origin | New upstream version, compatible with Firefox ESR68 |
uim | Resurrect libuim-data as a transitional package, fixing some issues after upgrades to buster |
vanguards | New upstream stable release; prevent a reload of tor's configuration via SIGHUP causing a denial-of-service for vanguards protections |
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
firefox-esr | [armel] No longer supportable due to nodejs build-dependency |
Debian Installer
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
stable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.