Updated Debian 10: 10.3 released
February 8, 2020
The Debian project is pleased to announce the third update of its stable distribution Debian 10 (codename buster). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 10 but only updates some of the packages included. There is no need to throw away old buster installation media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, as most of those updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
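As an added example (not part of the Debian announcement), the shell snippet below shows the upgrade sequence the paragraph describes, plus a small check that an apt sources file carries the three suites a buster system needs to pick up this point release: `buster` itself, `buster/updates` from security.debian.org (the advisories the announcement says are folded into the point release) and `buster-updates` (stable-updates). The mirror hostname deb.debian.org and the sample sources file are constructed for illustration; the apt commands only run when the script is invoked with `--upgrade`.

```shell
#!/bin/sh
# Added example for the upgrade paragraph above; not part of the Debian
# announcement. The mirror deb.debian.org and the sample sources.list
# written below are assumptions made for illustration.

# Suites a buster system needs so that apt sees the point release, the
# security advisories folded into it, and stable-updates.
required_suites() {
  printf '%s\n' buster buster/updates buster-updates
}

# check_sources FILE: print every required suite that has no active
# "deb" line in FILE; return 0 only if all of them are present.
# A deb line may carry options: "deb [arch=amd64] URL SUITE COMPONENTS".
# Matching the suite as a whole field keeps "buster" from matching
# "buster/updates" or "buster-updates".
check_sources() {
  file=$1
  missing=0
  for suite in $(required_suites); do
    pattern="^[[:space:]]*deb([[:space:]]+\[[^]]*\])?[[:space:]]+[^[:space:]]+[[:space:]]+$suite([[:space:]]|$)"
    if ! grep -E "$pattern" "$file" >/dev/null 2>&1; then
      echo "missing suite: $suite"
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# The upgrade the announcement describes (needs root): refresh the package
# lists from the mirror, then install the updated packages. full-upgrade
# rather than upgrade lets the linux-image-* metapackage pull in the new
# 4.19.0-8 ABI kernel package, which plain upgrade would hold back.
upgrade_to_point_release() {
  apt update && apt full-upgrade && cat /etc/debian_version
}

# Constructed sample: the security suite is present, buster-updates is
# only present as a commented-out line, so the check reports it missing.
sample=$(mktemp)
cat >"$sample" <<'EOF'
deb http://deb.debian.org/debian buster main contrib
# deb http://deb.debian.org/debian buster-updates main
deb http://security.debian.org/debian-security buster/updates main
EOF
if check_sources "$sample"; then
  echo "sources.list is complete"
else
  echo "add the suites listed above before upgrading"
fi
rm -f "$sample"

if [ "${1:-}" = "--upgrade" ]; then
  upgrade_to_point_release
fi
```

Run it without arguments to see the check against the constructed sample, or point `check_sources` at your own /etc/apt/sources.list before running `--upgrade`.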
Miscellaneous bugfixes
This stable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
alot | Remove expiration time from test suite keys, fixing build failure |
atril | Fix segfault when no document is loaded; fix read of uninitialised memory [CVE-2019-11459] |
base-files | Update for the point release |
beagle | Provide wrapper script instead of symlinks to JARs, making them work again |
bgpdump | Fix segfault |
boost1.67 | Fix undefined behaviour that causes crashes in libboost-numpy |
brightd | Actually compare the value read out of /sys/class/power_supply/AC/online with 0 |
casacore-data-jplde | Include tables up to 2040 |
clamav | New upstream release; fix denial of service issue [CVE-2019-15961]; remove ScanOnAccess option, replacing with clamonacc |
compactheader | New upstream release compatible with Thunderbird 68 |
console-common | Fix regression that led to files not being included |
csh | Fix segfault on eval |
cups | Fix memory leak in ppdOpen; fix validation of default language in ippSetValuetag [CVE-2019-2228] |
cyrus-imapd | Add BACKUP type to cyrus-upgrade-db, fixing upgrade issues |
debian-edu-config | Keep proxy settings on client if WPAD is unreachable |
debian-installer | Rebuild against proposed-updates; tweak mini.iso generation on arm so EFI netboot will work; update USE_UDEBS_FROM default from unstable to buster, to help users performing local builds |
debian-installer-netboot-images | Rebuild against proposed-updates |
debian-security-support | Update security support status of several packages |
debos | Rebuild against updated golang-github-go-debos-fakemachine |
dispmua | New upstream release compatible with Thunderbird 68 |
dkimpy | New upstream stable release |
dkimpy-milter | Fix privilege management at startup so Unix sockets work |
dpdk | New upstream stable release |
e2fsprogs | Fix potential stack underflow in e2fsck [CVE-2019-5188]; fix use after free in e2fsck |
fig2dev | Allow Fig v2 text strings ending with multiple ^A [CVE-2019-19555]; reject huge arrow types causing integer overflow [CVE-2019-19746]; fix several crashes [CVE-2019-19797] |
freerdp2 | Fix realloc return handling [CVE-2019-17177] |
freetds | tds: Make sure UDT has varint set to 8 [CVE-2019-13508] |
git-lfs | Fix build issues with newer Go versions |
gnubg | Increase the size of static buffers used to build messages during program start so that the Spanish translation doesn't overflow a buffer |
gnutls28 | Fix interop problems with gnutls 2.x; fix parsing of certificates using RegisteredID |
gtk2-engines-murrine | Fix co-installability with other themes |
guile-2.2 | Fix build failure |
libburn | Fix cdrskin multi-track burning was slow and stalled after track 1 |
libcgns | Fix build failure on ppc64el |
libimobiledevice | Properly handle partial SSL writes |
libmatroska | Increase shared library dependency to 1.4.7 since that version introduced new symbols |
libmysofa | Fix security issues [CVE-2019-16091 CVE-2019-16092 CVE-2019-16093 CVE-2019-16094 CVE-2019-16095] |
libole-storage-lite-perl | Fix interpretation of years from 2020 onwards |
libparse-win32registry-perl | Fix interpretation of years from 2020 onwards |
libperl4-corelibs-perl | Fix interpretation of years from 2020 onwards |
libsolv | Fix heap buffer overflow [CVE-2019-20387] |
libspreadsheet-wright-perl | Fix previously unusable OpenDocument spreadsheets and passing of JSON formatting options |
libtimedate-perl | Fix interpretation of years from 2020 onwards |
libvirt | Apparmor: Allow one to run pygrub; don't render osxsave, ospke into QEMU command line; this helps newer QEMU with some configs generated by virt-install |
libvncserver | RFBserver: don't leak stack memory to the remote [CVE-2019-15681]; resolve a freeze during connection closure and a segmentation fault on multi-threaded VNC servers; fix issue connecting to VMWare servers; fix crashing of x11vnc when vncviewer connects |
limnoria | Fix remote information disclosure and possibly remote code execution in the Math plugin [CVE-2019-19010] |
linux | New upstream stable release |
linux-latest | Update for 4.19.0-8 Linux kernel ABI |
linux-signed-amd64 | New upstream stable release |
linux-signed-arm64 | New upstream stable release |
linux-signed-i386 | New upstream stable release |
mariadb-10.3 | New upstream stable release [CVE-2019-2938 CVE-2019-2974 CVE-2020-2574] |
mesa | Call shmget() with permission 0600 instead of 0777 [CVE-2019-5068] |
mnemosyne | Add missing dependency on PIL |
modsecurity | Fix cookie header parsing bug [CVE-2019-19886] |
node-handlebars | Disallow calling helperMissing and blockHelperMissing directly [CVE-2019-19919] |
node-kind-of | Fix type checking vulnerability in ctorName() [CVE-2019-20149] |
ntpsec | Fix slow DNS retries; fix ntpdate -s (syslog) to fix the if-up hook; documentation fixes |
numix-gtk-theme | Fix co-installability with other themes |
nvidia-graphics-drivers-legacy-340xx | New upstream stable release |
nyancat | Rebuild in a clean environment to add the systemd unit for nyancat-server |
openjpeg2 | Fix heap overflow [CVE-2018-21010] and integer overflow [CVE-2018-20847] |
opensmtpd | Warn users of change of smtpd.conf syntax (in earlier versions); install smtpctl setgid opensmtpq; handle non-zero exit code from hostname during config phase |
openssh | Deny (non-fatally) ipc in the seccomp sandbox, fixing failures with OpenSSL 1.1.1d and Linux < 3.19 on some architectures |
php-horde | Fix stored cross-site scripting issue in Horde Cloud Block [CVE-2019-12095] |
php-horde-text-filter | Fix invalid regular expressions |
postfix | New upstream stable release |
postgresql-11 | New upstream stable release |
print-manager | Fix crash if CUPS returns the same ID for multiple print jobs |
proftpd-dfsg | Fix CRL issues [CVE-2019-19270 CVE-2019-19269] |
pykaraoke | Fix path to fonts |
python-evtx | Fix import of hexdump |
python-internetarchive | Close file after getting hash, avoiding file descriptor exhaustion |
python3.7 | Fix security issues [CVE-2019-9740 CVE-2019-9947 CVE-2019-9948 CVE-2019-10160 CVE-2019-16056 CVE-2019-16935] |
qtbase-opensource-src | Add support for non-PPD printers and avoid silent fallback to a printer supporting PPD; fix crash when using QLabels with rich text; fix graphics tablet hover events |
qtwebengine-opensource-src | Fix PDF parsing; disable executable stack |
quassel | Fix quasselcore AppArmor denials when the config is saved; correct default channel for Debian; remove unnecessary NEWS file |
qwinff | Fix crash due to incorrect file detection |
raspi3-firmware | Fix detection of serial console with kernel 5.x |
ros-ros-comm | Fix security issues [CVE-2019-13566 CVE-2019-13465 CVE-2019-13445] |
roundcube | New upstream stable release; fix insecure permissions in enigma plugin [CVE-2018-1000071] |
schleuder | Fix recognizing keywords in mails with protected headers and empty subject; strip non-self-signatures when refreshing or fetching keys; error if the argument provided to `refresh_keys` is not an existing list; add missing List-Id header to notification mails sent to admins; handle decryption problems gracefully; default to ASCII-8BIT encoding |
simplesamlphp | Fix incompatibility with PHP 7.3 |
sogo-connector | New upstream release compatible with Thunderbird 68 |
spf-engine | Fix privilege management at startup so Unix sockets work; update documentation for TestOnly |
sudo | Fix a (non-exploitable in buster) buffer overflow when pwfeedback is enabled and input is not a tty [CVE-2019-18634] |
systemd | Set fs.file-max sysctl to LONG_MAX rather than ULONG_MAX; change ownership/mode of the execution directories also for static users, ensuring that execution directories like CacheDirectory and StateDirectory are properly chowned to the user specified in User= before launching the service |
tifffile | Fix wrapper script |
tigervnc | Fix security issues [CVE-2019-15691 CVE-2019-15692 CVE-2019-15693 CVE-2019-15694 CVE-2019-15695] |
tightvnc | Fix security issues [CVE-2014-6053 CVE-2019-8287 CVE-2018-20021 CVE-2018-20022 CVE-2018-20748 CVE-2018-7225 CVE-2019-15678 CVE-2019-15679 CVE-2019-15680 CVE-2019-15681] |
uif | Fix paths to ip(6)tables-restore in light of the migration to nftables |
unhide | Fix stack exhaustion |
x2goclient | Strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths in SCP mode; fixes regression with newer libssh versions with fixes for CVE-2019-14889 applied |
xmltooling | Fix race condition that could lead to crash under load |
Security updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
caml-crush | [armel] Unbuildable due to missing ocaml-native-compiler |
firetray | Incompatible with current Thunderbird versions |
koji | Security issues |
python-lamson | Broken by changes in python-daemon |
radare2 | Security issues; upstream does not provide stable support |
radare2-cutter | Depends on radare2, which is to be removed |
Debian Installer
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
Stable distribution information (release notes, errata, etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.