Debian 10 更新:10.3 发布
2020年02月08日
Debian 项目很高兴地宣布对 Debian 10 稳定版的第三次更新(发行版代号 buster
)。此次小版本更新主要添加了对安全问题的修正补丁,以及为一些严重问题所作的调整。安全通告已单独发布,并会在适当的情况下予以引用。
请注意,此更新并不是 Debian 10 的新版本,它仅更新了所包含的一些软件包。没有必要丢弃旧的buster
的安装介质。在安装之后,只需使用最新的 Debian 镜像更新旧的软件包即可。
经常从 security.debian.org 安装更新的用户将不必更新许多软件包,因本更新中包含了 security.debian.org 的大多数更新。
新的安装镜像即将于常规的位置予以提供。
只需令软件包管理系统指向 Debian 的许多 HTTP 镜像站点之一,您便能够把已有的系统升级至本次更新版本。详尽的镜像列表可以在以下网址处获得:
杂项错误修正
此稳定版更新为以下软件包添加了一些重要的修正:
| 软件包 | 原因 |
|---|---|
| alot | Remove expiration time from test suite keys, fixing build failure |
| atril | 修复没有文件加载时出现的段错误;修复读取未初始化的内存 [CVE-2019-11459] |
| base-files | 为小版本更新提供文件 |
| beagle | Provide wrapper script instead of symlinks to JARs, making them work again |
| bgpdump | 修复段错误 |
| boost1.67 | 修复导致 libboost-numpy 崩溃的未定义行为 |
| brightd | Actually compare the value read out of /sys/class/power_supply/AC/online with 0 |
| casacore-data-jplde | Include tables up to 2040 |
| clamav | 新上游发行版本; fix denial of service issue [CVE-2019-15961]; remove ScanOnAccess option, replacing with clamonacc |
| compactheader | 兼容 Thunderbird 68 的新上游发行版本 |
| console-common | Fix regression that led to files not being included |
| csh | Fix segfault on eval |
| cups | Fix memory leak in ppdOpen; fix validation of default language in ippSetValuetag [CVE-2019-2228] |
| cyrus-imapd | Add BACKUP type to cyrus-upgrade-db, fixing upgrade issues |
| debian-edu-config | Keep proxy settings on client if WPAD is unreachable |
| debian-installer | Rebuild against proposed-updates; tweak mini.iso generation on arm so EFI netboot will work; update USE_UDEBS_FROM default from unstable to buster, to help users performing local builds |
| debian-installer-netboot-images | Rebuild against proposed-updates |
| debian-security-support | 更新几个软件包的安全支持状态 |
| debos | Rebuild against updated golang-github-go-debos-fakemachine |
| dispmua | 兼容 Thunderbird 68 的新上游发行版本 |
| dkimpy | 新上游稳定释出版本 |
| dkimpy-milter | Fix privilege management at startup so Unix sockets work |
| dpdk | 新上游稳定释出版本 |
| e2fsprogs | Fix potential stack underflow in e2fsck [CVE-2019-5188]; fix use after free in e2fsck |
| fig2dev | Allow Fig v2 text strings ending with multiple ^A [CVE-2019-19555]; reject huge arrow types causing integer overflow [CVE-2019-19746]; fix several crashes [CVE-2019-19797] |
| freerdp2 | Fix realloc return handling [CVE-2019-17177] |
| freetds | tds: Make sure UDT has varint set to 8 [CVE-2019-13508] |
| git-lfs | Fix build issues with newer Go versions |
| gnubg | Increase the size of static buffers used to build messages during program start so that the Spanish translation doesn't overflow a buffer |
| gnutls28 | Fix interop problems with gnutls 2.x; fix parsing of certificates using RegisteredID |
| gtk2-engines-murrine | Fix co-installability with other themes |
| guile-2.2 | 修复构建失败问题 |
| libburn | Fix cdrskin multi-track burning was slow and stalled after track 1 |
| libcgns | 修复在 ppc64el 上的构建失败问题 |
| libimobiledevice | Properly handle partial SSL writes |
| libmatroska | Increase shared library dependency to 1.4.7 since that version introduced new symbols |
| libmysofa | 修复安全问题 [CVE-2019-16091 CVE-2019-16092 CVE-2019-16093 CVE-2019-16094 CVE-2019-16095] |
| libole-storage-lite-perl | Fix interpretation of years from 2020 onwards |
| libparse-win32registry-perl | Fix interpretation of years from 2020 onwards |
| libperl4-corelibs-perl | Fix interpretation of years from 2020 onwards |
| libsolv | 修复堆缓冲区溢出问题 [CVE-2019-20387] |
| libspreadsheet-wright-perl | Fix previously unusable OpenDocument spreadsheets and passing of JSON formatting options |
| libtimedate-perl | Fix interpretation of years from 2020 onwards |
| libvirt | Apparmor: Allow one to run pygrub; don't render osxsave, ospke into QEMU command line; this helps newer QEMU with some configs generated by virt-install |
| libvncserver | RFBserver: don't leak stack memory to the remote [CVE-2019-15681]; resolve a freeze during connection closure and a segmentation fault on multi-threaded VNC servers; fix issue connecting to VMWare servers; fix crashing of x11vnc when vncviewer connects |
| limnoria | Fix remote information disclosure and possibly remote code execution in the Math plugin [CVE-2019-19010] |
| linux | 新上游稳定释出版本 |
| linux-latest | 为 4.19.0-8 Linux 内核 ABI 更新 |
| linux-signed-amd64 | 新上游稳定释出版本 |
| linux-signed-arm64 | 新上游稳定释出版本 |
| linux-signed-i386 | 新上游稳定释出版本 |
| mariadb-10.3 | 新上游稳定释出版本 [CVE-2019-2938 CVE-2019-2974 CVE-2020-2574] |
| mesa | Call shmget() with permission 0600 instead of 0777 [CVE-2019-5068] |
| mnemosyne | Add missing dependency on PIL |
| modsecurity | Fix cookie header parsing bug [CVE-2019-19886] |
| node-handlebars | Disallow calling helperMissingand blockHelperMissingdirectly [CVE-2019-19919] |
| node-kind-of | Fix type checking vulnerability in ctorName() [CVE-2019-20149] |
| ntpsec | Fix slow DNS retries; fix ntpdate -s (syslog) to fix the if-up hook; documentation fixes |
| numix-gtk-theme | Fix co-installability with other themes |
| nvidia-graphics-drivers-legacy-340xx | 新上游稳定释出版本 |
| nyancat | Rebuild in a clean environment to add the systemd unit for nyancat-server |
| openjpeg2 | Fix heap overflow [CVE-2018-21010] and integer overflow [CVE-2018-20847] |
| opensmtpd | Warn users of change of smtpd.conf syntax (in earlier versions); install smtpctl setgid opensmtpq; handle non-zero exit code from hostname during config phase |
| openssh | Deny (non-fatally) ipc in the seccomp sandbox, fixing failures with OpenSSL 1.1.1d and Linux < 3.19 on some architectures |
| php-horde | Fix stored cross-site scripting issue in Horde Cloud Block [CVE-2019-12095] |
| php-horde-text-filter | Fix invalid regular expressions |
| postfix | 新上游稳定释出版本 |
| postgresql-11 | 新上游稳定释出版本 |
| print-manager | Fix crash if CUPS returns the same ID for multiple print jobs |
| proftpd-dfsg | Fix CRL issues [CVE-2019-19270 CVE-2019-19269] |
| pykaraoke | Fix path to fonts |
| python-evtx | Fix import of hexdump |
| python-internetarchive | Close file after getting hash, avoiding file descriptor exhaustion |
| python3.7 | 修复安全问题 [CVE-2019-9740 CVE-2019-9947 CVE-2019-9948 CVE-2019-10160 CVE-2019-16056 CVE-2019-16935] |
| qtbase-opensource-src | Add support for non-PPD printers and avoid silent fallback to a printer supporting PPD; fix crash when using QLabels with rich text; fix graphics tablet hover events |
| qtwebengine-opensource-src | Fix PDF parsing; disable executable stack |
| quassel | Fix quasselcore AppArmor denials when the config is saved; correct default channel for Debian; remove unnecessary NEWS file |
| qwinff | Fix crash due to incorrect file detection |
| raspi3-firmware | Fix detection of serial console with kernel 5.x |
| ros-ros-comm | Fix security issues [CVE-2019-13566 CVE-2019-13465 CVE-2019-13445] |
| roundcube | 新上游稳定释出版本; fix insecure permissions in enigma plugin [CVE-2018-1000071] |
| schleuder | Fix recognizing keywords in mails with protected headersand empty subject; strip non-self-signatures when refreshing or fetching keys; error if the argument provided to `refresh_keys` is not an existing list; add missing List-Id header to notification mails sent to admins; handle decryption problems gracefully; default to ASCII-8BIT encoding |
| simplesamlphp | Fix incompatibility with PHP 7.3 |
| sogo-connector | 兼容 Thunderbird 68 的新上游发行版本 |
| spf-engine | Fix privilege management at startup so Unix sockets work; update documentation for TestOnly |
| sudo | Fix a (non-exploitable in buster) buffer overflow when pwfeedback is enabled and input is a not a tty [CVE-2019-18634] |
| systemd | Set fs.file-max sysctl to LONG_MAX rather than ULONG_MAX; change ownership/mode of the execution directories also for static users, ensuring that execution directories like CacheDirectory and StateDirectory are properly chowned to the user specified in User= before launching the service |
| tifffile | Fix wrapper script |
| tigervnc | 修复安全问题 [CVE-2019-15691 CVE-2019-15692 CVE-2019-15693 CVE-2019-15694 CVE-2019-15695] |
| tightvnc | 修复安全问题 [CVE-2014-6053 CVE-2019-8287 CVE-2018-20021 CVE-2018-20022 CVE-2018-20748 CVE-2018-7225 CVE-2019-15678 CVE-2019-15679 CVE-2019-15680 CVE-2019-15681] |
| uif | Fix paths to ip(6)tables-restore in light of the migration to nftables |
| unhide | Fix stack exhaustion |
| x2goclient | Strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths in SCP mode; fixes regression with newer libssh versions with fixes for CVE-2019-14889 applied |
| xmltooling | Fix race condition that could lead to crash under load |
安全更新
此修订版本将以下安全更新添加到了稳定发行版本中。安全团队已经分别为这些更新发布了通告:
删除的软件包
由于我们无法控制的情况,以下软件包已被删除:
| 软件包 | 原因 |
|---|---|
| caml-crush | [armel] 由于缺少 ocaml-native-compiler 而无法构建 |
| firetray | 与当前版本的 Thunderbird 不兼容 |
| koji | 安全问题 |
| python-lamson | 由于 python-daemon 的更改而破损 |
| radare2 | 安全问题;上游不提供稳定支持 |
| radare2-cutter | 依赖于要被删除的 radare2 |
Debian 安装器
安装器已经更新,以配合发布时包含在稳定版本中的修正内容。
链接
此修订版本中有更改的软件包的完整列表:
当前稳定发行版:
拟议的稳定发行版更新:
稳定发行版信息(发行说明,勘误等):
安全公告及信息:
关于 Debian
Debian 项目是一个自由软件开发者组织,这些志愿者为制作完全自由免费的 Debian 操作系统而自愿贡献时间和精力。
联系信息
更多信息,请访问 Debian 主页 https://www.debian.org/、发送邮件至 <press@debian.org> ,或联系稳定版本发布团队 <debian-release@lists.debian.org>。