Updated Debian 10: 10.3 released
8 February 2020
The Debian project is pleased to announce the third update of its
stable distribution Debian 10 (codename buster).
This point release mainly adds corrections for security issues,
along with further fixes for serious problems. Security advisories
have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian
10 but only updates some of the packages included. There is no need
to throw away old buster media. After installation,
packages can be upgraded to the current versions using an up-to-date
Debian mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
alot | Remove expiration time from test suite keys, fixing build failure |
atril | Fix segfault when no document is loaded; fix read of uninitialised memory [CVE-2019-11459] |
base-files | Update for the point release |
beagle | Provide wrapper script instead of symlinks to JARs, making them work again |
bgpdump | Fix segmentation fault |
boost1.67 | Fix undefined behaviour leading to crashing libboost-numpy |
brightd | Actually compare the value read out of /sys/class/power_supply/AC/online with 0 |
casacore-data-jplde | Include tables up to 2040 |
clamav | New upstream release; fix denial of service issue [CVE-2019-15961]; remove ScanOnAccess option, replacing with clamonacc |
compactheader | New upstream release compatible with Thunderbird 68 |
console-common | Fix regression that led to files not being included |
csh | Fix segfault on eval |
cups | Fix memory leak in ppdOpen; fix validation of default language in ippSetValuetag [CVE-2019-2228] |
cyrus-imapd | Add BACKUP type to cyrus-upgrade-db, fixing upgrade issues |
debian-edu-config | Keep proxy settings on client if WPAD is unreachable |
debian-installer | Rebuild against proposed-updates; tweak mini.iso generation on arm so EFI netboot will work; update USE_UDEBS_FROM default from unstable to buster, to help users performing local builds |
debian-installer-netboot-images | Rebuild against proposed-updates |
debian-security-support | Update security support status of several packages |
debos | Rebuild against updated golang-github-go-debos-fakemachine |
dispmua | New upstream release compatible with Thunderbird 68 |
dkimpy | New upstream stable release |
dkimpy-milter | Fix privilege management at startup so Unix sockets work |
dpdk | New upstream stable release |
e2fsprogs | Fix potential stack underflow in e2fsck [CVE-2019-5188]; fix use after free in e2fsck |
fig2dev | Allow Fig v2 text strings ending with multiple ^A [CVE-2019-19555]; reject huge arrow types causing integer overflow [CVE-2019-19746]; fix several crashes [CVE-2019-19797] |
freerdp2 | Fix realloc return handling [CVE-2019-17177] |
freetds | tds: Make sure UDT has varint set to 8 [CVE-2019-13508] |
git-lfs | Fix build issues with newer Go versions |
gnubg | Increase the size of static buffers used to build messages during program start so that the Spanish translation doesn't overflow a buffer |
gnutls28 | Fix interop problems with gnutls 2.x; fix parsing of certificates using RegisteredID |
gtk2-engines-murrine | Fix co-installability with other themes |
guile-2.2 | Fix build failure |
libburn | Fix cdrskin multi-track burning being slow and stalling after track 1 |
libcgns | Fix build failure on ppc64el |
libimobiledevice | Properly handle partial SSL writes |
libmatroska | Increase shared library dependency to 1.4.7 since that version introduced new symbols |
libmysofa | Security fixes [CVE-2019-16091 CVE-2019-16092 CVE-2019-16093 CVE-2019-16094 CVE-2019-16095] |
libole-storage-lite-perl | Fix interpretation of years from 2020 onwards |
libparse-win32registry-perl | Fix interpretation of years from 2020 onwards |
libperl4-corelibs-perl | Fix interpretation of years from 2020 onwards |
libsolv | Fix heap buffer overflow [CVE-2019-20387] |
libspreadsheet-wright-perl | Fix previously unusable OpenDocument spreadsheets and passing of JSON formatting options |
libtimedate-perl | Fix interpretation of years from 2020 onwards |
libvirt | Apparmor: Allow one to run pygrub; don't render osxsave, ospke into QEMU command line; this helps newer QEMU with some configs generated by virt-install |
libvncserver | RFBserver: don't leak stack memory to the remote [CVE-2019-15681]; resolve a freeze during connection closure and a segmentation fault on multi-threaded VNC servers; fix issue connecting to VMWare servers; fix crashing of x11vnc when vncviewer connects |
limnoria | Fix remote information disclosure and possibly remote code execution in the Math plugin [CVE-2019-19010] |
linux | New upstream stable release |
linux-latest | Update for 4.19.0-8 Linux kernel ABI |
linux-signed-amd64 | New upstream stable release |
linux-signed-arm64 | New upstream stable release |
linux-signed-i386 | New upstream stable release |
mariadb-10.3 | New upstream stable release [CVE-2019-2938 CVE-2019-2974 CVE-2020-2574] |
mesa | Call shmget() with permission 0600 instead of 0777 [CVE-2019-5068] |
mnemosyne | Add missing dependency on PIL |
modsecurity | Fix cookie header parsing bug [CVE-2019-19886] |
node-handlebars | Disallow calling helperMissing and blockHelperMissing directly [CVE-2019-19919] |
node-kind-of | Fix type checking vulnerability in ctorName() [CVE-2019-20149] |
ntpsec | Fix slow DNS retries; fix ntpdate -s (syslog) to fix the if-up hook; documentation fixes |
numix-gtk-theme | Fix co-installability with other themes |
nvidia-graphics-drivers-legacy-340xx | New upstream stable release |
nyancat | Rebuild in a clean environment to add the systemd unit for nyancat-server |
openjpeg2 | Fix heap overflow [CVE-2018-21010] and integer overflow [CVE-2018-20847] |
opensmtpd | Warn users of change of smtpd.conf syntax (in earlier versions); install smtpctl setgid opensmtpq; handle non-zero exit code from hostname during config phase |
openssh | Deny (non-fatally) ipc in the seccomp sandbox, fixing failures with OpenSSL 1.1.1d and Linux < 3.19 on some architectures |
php-horde | Fix stored cross-site scripting issue in Horde Cloud Block [CVE-2019-12095] |
php-horde-text-filter | Fix invalid regular expressions |
postfix | New upstream stable release |
postgresql-11 | New upstream stable release |
print-manager | Fix crash if CUPS returns the same ID for multiple print jobs |
proftpd-dfsg | Fix CRL issues [CVE-2019-19270 CVE-2019-19269] |
pykaraoke | Fix path to fonts |
python-evtx | Fix import of hexdump |
python-internetarchive | Close file after getting hash, avoiding file descriptor exhaustion |
python3.7 | Security fixes [CVE-2019-9740 CVE-2019-9947 CVE-2019-9948 CVE-2019-10160 CVE-2019-16056 CVE-2019-16935] |
qtbase-opensource-src | Add support for non-PPD printers and avoid silent fallback to a printer supporting PPD; fix crash when using QLabels with rich text; fix graphics tablet hover events |
qtwebengine-opensource-src | Fix PDF parsing; disable executable stack |
quassel | Fix quasselcore AppArmor denials when the config is saved; correct default channel for Debian; remove unnecessary NEWS file |
qwinff | Fix crash due to incorrect file detection |
raspi3-firmware | Fix detection of serial console with kernel 5.x |
ros-ros-comm | Fix security issues [CVE-2019-13566 CVE-2019-13465 CVE-2019-13445] |
roundcube | New upstream stable release; fix insecure permissions in enigma plugin [CVE-2018-1000071] |
schleuder | Fix recognizing keywords in mails with protected headers and empty subject; strip non-self-signatures when refreshing or fetching keys; error if the argument provided to `refresh_keys` is not an existing list; add missing List-Id header to notification mails sent to admins; handle decryption problems gracefully; default to ASCII-8BIT encoding |
simplesamlphp | Fix incompatibility with PHP 7.3 |
sogo-connector | New upstream release compatible with Thunderbird 68 |
spf-engine | Fix privilege management at startup so Unix sockets work; update documentation for TestOnly |
sudo | Fix a (non-exploitable in buster) buffer overflow when pwfeedback is enabled and input is not a tty [CVE-2019-18634] |
systemd | Set fs.file-max sysctl to LONG_MAX rather than ULONG_MAX; change ownership/mode of the execution directories also for static users, ensuring that execution directories like CacheDirectory and StateDirectory are properly chowned to the user specified in User= before launching the service |
tifffile | Fix wrapper script |
tigervnc | Security fixes [CVE-2019-15691 CVE-2019-15692 CVE-2019-15693 CVE-2019-15694 CVE-2019-15695] |
tightvnc | Security fixes [CVE-2014-6053 CVE-2019-8287 CVE-2018-20021 CVE-2018-20022 CVE-2018-20748 CVE-2018-7225 CVE-2019-15678 CVE-2019-15679 CVE-2019-15680 CVE-2019-15681] |
uif | Fix paths to ip(6)tables-restore in light of the migration to nftables |
unhide | Fix stack exhaustion |
x2goclient | Strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths in SCP mode; fixes regression with newer libssh versions with fixes for CVE-2019-14889 applied |
xmltooling | Fix race condition that could lead to crash under load |
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
caml-crush | [armel] Unbuildable due to lack of ocaml-native-compilers |
firetray | Incompatible with current Thunderbird versions |
koji | Security issues |
python-lamson | Broken by changes in python-daemon |
radare2 | Security issues; upstream do not offer stable support |
radare2-cutter | Depends on to-be-removed radare2 |
Debian Installer
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
The complete list of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
Stable distribution information (release notes, known issues, etc.):
Security announcements and information:
About Debian
The Debian Project is a group of Free Software developers who donate their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian website at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.