Debian 10 更新:10.3 发布

2020年02月08日

Debian 项目很高兴地宣布对 Debian 10 稳定版的第三次更新(发行版代号 buster)。此次小版本更新主要添加了对安全问题的修正补丁,以及为一些严重问题所作的调整。安全通告已单独发布,并会在适当的情况下予以引用。

请注意,此更新并不是 Debian 10 的新版本,它仅更新了所包含的一些软件包。没有必要丢弃旧的buster的安装介质。在安装之后,只需使用最新的 Debian 镜像更新旧的软件包即可。

经常从 security.debian.org 安装更新的用户将不必更新许多软件包,因本更新中包含了 security.debian.org 的大多数更新。

新的安装镜像即将于常规的位置予以提供。

只需令软件包管理系统指向 Debian 的许多 HTTP 镜像站点之一,您便能够把已有的系统升级至本次更新版本。详尽的镜像列表可以在以下网址处获得:

https://www.debian.org/mirror/list

杂项错误修正

此稳定版更新为以下软件包添加了一些重要的修正:

软件包 原因
alot Remove expiration time from test suite keys, fixing build failure
atril 修复没有文件加载时出现的段错误;修复读取未初始化的内存 [CVE-2019-11459]
base-files 为小版本更新提供文件
beagle Provide wrapper script instead of symlinks to JARs, making them work again
bgpdump 修复段错误
boost1.67 修复导致 libboost-numpy 崩溃的未定义行为
brightd Actually compare the value read out of /sys/class/power_supply/AC/online with 0
casacore-data-jplde Include tables up to 2040
clamav 新上游发行版本; fix denial of service issue [CVE-2019-15961]; remove ScanOnAccess option, replacing with clamonacc
compactheader 兼容 Thunderbird 68 的新上游发行版本
console-common Fix regression that led to files not being included
csh Fix segfault on eval
cups Fix memory leak in ppdOpen; fix validation of default language in ippSetValuetag [CVE-2019-2228]
cyrus-imapd Add BACKUP type to cyrus-upgrade-db, fixing upgrade issues
debian-edu-config Keep proxy settings on client if WPAD is unreachable
debian-installer Rebuild against proposed-updates; tweak mini.iso generation on arm so EFI netboot will work; update USE_UDEBS_FROM default from unstable to buster, to help users performing local builds
debian-installer-netboot-images Rebuild against proposed-updates
debian-security-support 更新几个软件包的安全支持状态
debos Rebuild against updated golang-github-go-debos-fakemachine
dispmua 兼容 Thunderbird 68 的新上游发行版本
dkimpy 新上游稳定释出版本
dkimpy-milter Fix privilege management at startup so Unix sockets work
dpdk 新上游稳定释出版本
e2fsprogs Fix potential stack underflow in e2fsck [CVE-2019-5188]; fix use after free in e2fsck
fig2dev Allow Fig v2 text strings ending with multiple ^A [CVE-2019-19555]; reject huge arrow types causing integer overflow [CVE-2019-19746]; fix several crashes [CVE-2019-19797]
freerdp2 Fix realloc return handling [CVE-2019-17177]
freetds tds: Make sure UDT has varint set to 8 [CVE-2019-13508]
git-lfs Fix build issues with newer Go versions
gnubg Increase the size of static buffers used to build messages during program start so that the Spanish translation doesn't overflow a buffer
gnutls28 Fix interop problems with gnutls 2.x; fix parsing of certificates using RegisteredID
gtk2-engines-murrine Fix co-installability with other themes
guile-2.2 修复构建失败问题
libburn Fix cdrskin multi-track burning was slow and stalled after track 1
libcgns 修复在 ppc64el 上的构建失败问题
libimobiledevice Properly handle partial SSL writes
libmatroska Increase shared library dependency to 1.4.7 since that version introduced new symbols
libmysofa 修复安全问题 [CVE-2019-16091 CVE-2019-16092 CVE-2019-16093 CVE-2019-16094 CVE-2019-16095]
libole-storage-lite-perl Fix interpretation of years from 2020 onwards
libparse-win32registry-perl Fix interpretation of years from 2020 onwards
libperl4-corelibs-perl Fix interpretation of years from 2020 onwards
libsolv 修复堆缓冲区溢出问题 [CVE-2019-20387]
libspreadsheet-wright-perl Fix previously unusable OpenDocument spreadsheets and passing of JSON formatting options
libtimedate-perl Fix interpretation of years from 2020 onwards
libvirt Apparmor: Allow one to run pygrub; don't render osxsave, ospke into QEMU command line; this helps newer QEMU with some configs generated by virt-install
libvncserver RFBserver: don't leak stack memory to the remote [CVE-2019-15681]; resolve a freeze during connection closure and a segmentation fault on multi-threaded VNC servers; fix issue connecting to VMWare servers; fix crashing of x11vnc when vncviewer connects
limnoria Fix remote information disclosure and possibly remote code execution in the Math plugin [CVE-2019-19010]
linux 新上游稳定释出版本
linux-latest 为 4.19.0-8 Linux 内核 ABI 更新
linux-signed-amd64 新上游稳定释出版本
linux-signed-arm64 新上游稳定释出版本
linux-signed-i386 新上游稳定释出版本
mariadb-10.3 新上游稳定释出版本 [CVE-2019-2938 CVE-2019-2974 CVE-2020-2574]
mesa Call shmget() with permission 0600 instead of 0777 [CVE-2019-5068]
mnemosyne Add missing dependency on PIL
modsecurity Fix cookie header parsing bug [CVE-2019-19886]
node-handlebars Disallow calling helperMissing and blockHelperMissing directly [CVE-2019-19919]
node-kind-of Fix type checking vulnerability in ctorName() [CVE-2019-20149]
ntpsec Fix slow DNS retries; fix ntpdate -s (syslog) to fix the if-up hook; documentation fixes
numix-gtk-theme Fix co-installability with other themes
nvidia-graphics-drivers-legacy-340xx 新上游稳定释出版本
nyancat Rebuild in a clean environment to add the systemd unit for nyancat-server
openjpeg2 Fix heap overflow [CVE-2018-21010] and integer overflow [CVE-2018-20847]
opensmtpd Warn users of change of smtpd.conf syntax (in earlier versions); install smtpctl setgid opensmtpq; handle non-zero exit code from hostname during config phase
openssh Deny (non-fatally) ipc in the seccomp sandbox, fixing failures with OpenSSL 1.1.1d and Linux < 3.19 on some architectures
php-horde Fix stored cross-site scripting issue in Horde Cloud Block [CVE-2019-12095]
php-horde-text-filter Fix invalid regular expressions
postfix 新上游稳定释出版本
postgresql-11 新上游稳定释出版本
print-manager Fix crash if CUPS returns the same ID for multiple print jobs
proftpd-dfsg Fix CRL issues [CVE-2019-19270 CVE-2019-19269]
pykaraoke Fix path to fonts
python-evtx Fix import of hexdump
python-internetarchive Close file after getting hash, avoiding file descriptor exhaustion
python3.7 修复安全问题 [CVE-2019-9740 CVE-2019-9947 CVE-2019-9948 CVE-2019-10160 CVE-2019-16056 CVE-2019-16935]
qtbase-opensource-src Add support for non-PPD printers and avoid silent fallback to a printer supporting PPD; fix crash when using QLabels with rich text; fix graphics tablet hover events
qtwebengine-opensource-src Fix PDF parsing; disable executable stack
quassel Fix quasselcore AppArmor denials when the config is saved; correct default channel for Debian; remove unnecessary NEWS file
qwinff Fix crash due to incorrect file detection
raspi3-firmware Fix detection of serial console with kernel 5.x
ros-ros-comm Fix security issues [CVE-2019-13566 CVE-2019-13465 CVE-2019-13445]
roundcube 新上游稳定释出版本; fix insecure permissions in enigma plugin [CVE-2018-1000071]
schleuder Fix recognizing keywords in mails with protected headers and empty subject; strip non-self-signatures when refreshing or fetching keys; error if the argument provided to `refresh_keys` is not an existing list; add missing List-Id header to notification mails sent to admins; handle decryption problems gracefully; default to ASCII-8BIT encoding
simplesamlphp Fix incompatibility with PHP 7.3
sogo-connector 兼容 Thunderbird 68 的新上游发行版本
spf-engine Fix privilege management at startup so Unix sockets work; update documentation for TestOnly
sudo Fix a (non-exploitable in buster) buffer overflow when pwfeedback is enabled and input is a not a tty [CVE-2019-18634]
systemd Set fs.file-max sysctl to LONG_MAX rather than ULONG_MAX; change ownership/mode of the execution directories also for static users, ensuring that execution directories like CacheDirectory and StateDirectory are properly chowned to the user specified in User= before launching the service
tifffile Fix wrapper script
tigervnc 修复安全问题 [CVE-2019-15691 CVE-2019-15692 CVE-2019-15693 CVE-2019-15694 CVE-2019-15695]
tightvnc 修复安全问题 [CVE-2014-6053 CVE-2019-8287 CVE-2018-20021 CVE-2018-20022 CVE-2018-20748 CVE-2018-7225 CVE-2019-15678 CVE-2019-15679 CVE-2019-15680 CVE-2019-15681]
uif Fix paths to ip(6)tables-restore in light of the migration to nftables
unhide Fix stack exhaustion
x2goclient Strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths in SCP mode; fixes regression with newer libssh versions with fixes for CVE-2019-14889 applied
xmltooling Fix race condition that could lead to crash under load

安全更新

此修订版本将以下安全更新添加到了稳定发行版本中。安全团队已经分别为这些更新发布了通告:

通告编号 软件包
DSA-4546 openjdk-11
DSA-4563 webkit2gtk
DSA-4564 linux
DSA-4564 linux-signed-i386
DSA-4564 linux-signed-arm64
DSA-4564 linux-signed-amd64
DSA-4565 intel-microcode
DSA-4566 qemu
DSA-4567 dpdk
DSA-4568 postgresql-common
DSA-4569 ghostscript
DSA-4570 mosquitto
DSA-4571 enigmail
DSA-4571 thunderbird
DSA-4572 slurm-llnl
DSA-4573 symfony
DSA-4575 chromium
DSA-4577 haproxy
DSA-4578 libvpx
DSA-4579 nss
DSA-4580 firefox-esr
DSA-4581 git
DSA-4582 davical
DSA-4583 spip
DSA-4584 spamassassin
DSA-4585 thunderbird
DSA-4586 ruby2.5
DSA-4588 python-ecdsa
DSA-4589 debian-edu-config
DSA-4590 cyrus-imapd
DSA-4591 cyrus-sasl2
DSA-4592 mediawiki
DSA-4593 freeimage
DSA-4595 debian-lan-config
DSA-4597 netty
DSA-4598 python-django
DSA-4599 wordpress
DSA-4600 firefox-esr
DSA-4601 ldm
DSA-4602 xen
DSA-4603 thunderbird
DSA-4604 cacti
DSA-4605 openjdk-11
DSA-4606 chromium
DSA-4607 openconnect
DSA-4608 tiff
DSA-4609 python-apt
DSA-4610 webkit2gtk
DSA-4611 opensmtpd
DSA-4612 prosody-modules
DSA-4613 libidn2
DSA-4615 spamassassin

删除的软件包

由于我们无法控制的情况,以下软件包已被删除:

软件包 原因
caml-crush [armel] 由于缺少 ocaml-native-compiler 而无法构建
firetray 与当前版本的 Thunderbird 不兼容
koji 安全问题
python-lamson 由于 python-daemon 的更改而破损
radare2 安全问题;上游不提供稳定支持
radare2-cutter 依赖与要被删除的 radare2

Debian 安装器

安装器已经更新,以配合发布时包含在稳定版本中的修正内容。

链接

此修订版本中有更改的软件包的完整列表:

http://ftp.debian.org/debian/dists/buster/ChangeLog

当前稳定发行版:

http://ftp.debian.org/debian/dists/stable/

拟议的稳定发行版更新:

http://ftp.debian.org/debian/dists/proposed-updates

稳定发行版信息(发行说明,勘误等):

https://www.debian.org/releases/stable/

安全公告及信息:

https://www.debian.org/security/

关于 Debian

Debian 项目是一个自由软件开发者组织,这些志愿者为制作完全自由免费的 Debian 操作系统而自愿贡献时间和精力。

联系信息

更多信息,请访问 Debian 主页 https://www.debian.org/、发送邮件至 <press@debian.org> ,或联系稳定版本发布团队 <debian-release@lists.debian.org>。