Updated Debian 10: 10.3 released

February 8th, 2020

The Debian project is pleased to announce the third update of its stable distribution Debian 10 (codename buster). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 10 but only updates some of the packages included. There is no need to throw away old buster media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list
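The upgrade procedure described above, as an added example that is not part of the Debian announcement: a POSIX shell script that checks the apt sources name both a buster mirror and the buster/updates security suite (the point release folds in most security.debian.org updates, but later DSAs only arrive from there), compares /etc/debian_version against 10.3, and runs apt-get only when asked. The hostname deb.debian.org, the --upgrade flag and the function names are assumptions of this example, not anything the announcement prescribes.

```shell
#!/bin/sh
# Added example (not from the Debian announcement): sanity-check a buster
# system's apt sources and release version before pulling in the 10.3 update.
# Assumptions: Debian 10 "buster", sources in /etc/apt/sources.list, run as
# root when --upgrade is passed. deb.debian.org is just one mirror; any entry
# from https://www.debian.org/mirror/list works.

# check_sources reads sources.list content on stdin and returns
#   0 if a buster mirror line and the buster/updates security line are present,
#   1 if the buster mirror line is missing,
#   2 if the security suite line is missing.
check_sources() {
    _src=$(cat)
    printf '%s\n' "$_src" \
        | grep -Eq '^[[:space:]]*deb[[:space:]]+https?://[^[:space:]]+[[:space:]]+buster[[:space:]]' \
        || return 1
    printf '%s\n' "$_src" \
        | grep -Eq '^[[:space:]]*deb[[:space:]]+https?://(security\.debian\.org|deb\.debian\.org/debian-security)[^[:space:]]*[[:space:]]+buster/updates[[:space:]]' \
        || return 2
    return 0
}

# version_at_least HAVE WANT: compare "major.minor" strings such as the
# contents of /etc/debian_version (base-files writes 10.3 after this update).
# Returns 0 when HAVE >= WANT, 1 otherwise. A bare "10" counts as 10.0.
version_at_least() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        split(have, h, "."); split(want, w, ".")
        if (h[1] + 0 != w[1] + 0) { rc = (h[1] + 0 > w[1] + 0) ? 0 : 1; exit rc }
        rc = (h[2] + 0 >= w[2] + 0) ? 0 : 1
        exit rc
    }'
}

# do_upgrade: the procedure from the announcement, guarded by the checks above.
do_upgrade() {
    check_sources < /etc/apt/sources.list \
        || { echo "apt sources incomplete (check_sources rc=$?)" >&2; return 1; }
    # dist-upgrade rather than upgrade: this point release changes the kernel
    # ABI (linux-latest 4.19.0-8), so the linux-image metapackage needs a new
    # package installed, which plain apt-get upgrade never does.
    apt-get update && apt-get dist-upgrade -y || return 1
    if version_at_least "$(cat /etc/debian_version)" 10.3; then
        echo "now at Debian $(cat /etc/debian_version)"
    else
        echo "still at Debian $(cat /etc/debian_version); check the mirror" >&2
        return 1
    fi
}

if [ "${1:-}" = "--upgrade" ]; then
    do_upgrade
fi
```

Invoke as `sh upgrade-check.sh --upgrade` as root; without the flag the script only defines the functions, so the checks can be sourced and run by hand first.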

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package Reason
alot Remove expiration time from test suite keys, fixing build failure
atril Fix segfault when no document is loaded; fix reading of uninitialised memory [CVE-2019-11459]
base-files Update for the point release
beagle Provide wrapper script instead of symlinks to JARs, making them work again
bgpdump Fix segfault
boost1.67 Fix undefined behaviour causing crash in libboost-numpy
brightd Actually compare the value read out of /sys/class/power_supply/AC/online with 0
casacore-data-jplde Include tables up to 2040
clamav New upstream release; fix denial of service issue [CVE-2019-15961]; remove ScanOnAccess option, replacing with clamonacc
compactheader New upstream release compatible with Thunderbird 68
console-common Fix regression that led to files not being included
csh Fix segfault on eval
cups Fix memory leak in ppdOpen; fix validation of default language in ippSetValuetag [CVE-2019-2228]
cyrus-imapd Add BACKUP type to cyrus-upgrade-db, fixing upgrade issues
debian-edu-config Keep proxy settings on client if WPAD is unreachable
debian-installer Rebuild against proposed-updates; tweak mini.iso generation on arm so EFI netboot will work; update USE_UDEBS_FROM default from unstable to buster, to help users performing local builds
debian-installer-netboot-images Rebuild against proposed-updates
debian-security-support Update security support status of several packages
debos Rebuild against updated golang-github-go-debos-fakemachine
dispmua New upstream release compatible with Thunderbird 68
dkimpy New upstream stable release
dkimpy-milter Fix privilege management at startup so Unix sockets work
dpdk New upstream stable release
e2fsprogs Fix potential stack underflow in e2fsck [CVE-2019-5188]; fix use after free in e2fsck
fig2dev Allow Fig v2 text strings ending with multiple ^A [CVE-2019-19555]; reject huge arrow types causing integer overflow [CVE-2019-19746]; fix several crashes [CVE-2019-19797]
freerdp2 Fix realloc return handling [CVE-2019-17177]
freetds tds: Make sure UDT has varint set to 8 [CVE-2019-13508]
git-lfs Fix build issues with newer Go versions
gnubg Increase the size of static buffers used to build messages during program start so that the Spanish translation doesn't overflow a buffer
gnutls28 Fix interop problems with gnutls 2.x; fix parsing of certificates using RegisteredID
gtk2-engines-murrine Fix co-installability with other themes
guile-2.2 Fix build failure
libburn Fix cdrskin multi-track burning, which was slow and stalled after track 1
libcgns Fix build failure on ppc64el
libimobiledevice Properly handle partial SSL writes
libmatroska Increase shared library dependency to 1.4.7 since that version introduced new symbols
libmysofa Fix security issues [CVE-2019-16091 CVE-2019-16092 CVE-2019-16093 CVE-2019-16094 CVE-2019-16095]
libole-storage-lite-perl Fix interpretation of years from 2020 onwards
libparse-win32registry-perl Fix interpretation of years from 2020 onwards
libperl4-corelibs-perl Fix interpretation of years from 2020 onwards
libsolv Fix heap buffer overflow [CVE-2019-20387]
libspreadsheet-wright-perl Fix previously unusable OpenDocument spreadsheets and passing of JSON formatting options
libtimedate-perl Fix interpretation of years from 2020 onwards
libvirt Apparmor: Allow one to run pygrub; don't render osxsave, ospke into QEMU command line; this helps newer QEMU with some configs generated by virt-install
libvncserver RFBserver: don't leak stack memory to the remote [CVE-2019-15681]; resolve a freeze during connection closure and a segmentation fault on multi-threaded VNC servers; fix issue connecting to VMWare servers; fix crashing of x11vnc when vncviewer connects
limnoria Fix remote information disclosure and possibly remote code execution in the Math plugin [CVE-2019-19010]
linux New upstream stable release
linux-latest Update for 4.19.0-8 Linux kernel ABI
linux-signed-amd64 New upstream stable release
linux-signed-arm64 New upstream stable release
linux-signed-i386 New upstream stable release
mariadb-10.3 New upstream stable release [CVE-2019-2938 CVE-2019-2974 CVE-2020-2574]
mesa Call shmget() with permission 0600 instead of 0777 [CVE-2019-5068]
mnemosyne Add missing dependency on PIL
modsecurity Fix cookie header parsing bug [CVE-2019-19886]
node-handlebars Disallow calling helperMissing and blockHelperMissing directly [CVE-2019-19919]
node-kind-of Fix type checking vulnerability in ctorName() [CVE-2019-20149]
ntpsec Fix slow DNS retries; fix ntpdate -s (syslog) to fix the if-up hook; documentation fixes
numix-gtk-theme Fix co-installability with other themes
nvidia-graphics-drivers-legacy-340xx New upstream stable release
nyancat Rebuild in a clean environment to add the systemd unit for nyancat-server
openjpeg2 Fix heap overflow [CVE-2018-21010] and integer overflow [CVE-2018-20847]
opensmtpd Warn users of change of smtpd.conf syntax (in earlier versions); install smtpctl setgid opensmtpq; handle non-zero exit code from hostname during config phase
openssh Deny (non-fatally) ipc in the seccomp sandbox, fixing failures with OpenSSL 1.1.1d and Linux < 3.19 on some architectures
php-horde Fix stored cross-site scripting issue in Horde Cloud Block [CVE-2019-12095]
php-horde-text-filter Fix invalid regular expressions
postfix New upstream stable release
postgresql-11 New upstream stable release
print-manager Fix crash if CUPS returns the same ID for multiple print jobs
proftpd-dfsg Fix CRL issues [CVE-2019-19270 CVE-2019-19269]
pykaraoke Fix path to fonts
python-evtx Fix import of hexdump
python-internetarchive Close file after getting hash, avoiding file descriptor exhaustion
python3.7 Fix security issues [CVE-2019-9740 CVE-2019-9947 CVE-2019-9948 CVE-2019-10160 CVE-2019-16056 CVE-2019-16935]
qtbase-opensource-src Add support for non-PPD printers and avoid silent fallback to a printer supporting PPD; fix crash when using QLabels with rich text; fix graphics tablet hover events
qtwebengine-opensource-src Fix PDF parsing; disable executable stack
quassel Fix quasselcore AppArmor denials when the config is saved; correct default channel for Debian; remove unnecessary NEWS file
qwinff Fix crash due to incorrect file detection
raspi3-firmware Fix detection of serial console with kernel 5.x
ros-ros-comm Fix security issues [CVE-2019-13566 CVE-2019-13465 CVE-2019-13445]
roundcube New upstream stable release; fix insecure permissions in enigma plugin [CVE-2018-1000071]
schleuder Fix recognizing keywords in mails with protected headers and empty subject; strip non-self-signatures when refreshing or fetching keys; error if the argument provided to `refresh_keys` is not an existing list; add missing List-Id header to notification mails sent to admins; handle decryption problems gracefully; default to ASCII-8BIT encoding
simplesamlphp Fix incompatibility with PHP 7.3
sogo-connector New upstream release compatible with Thunderbird 68
spf-engine Fix privilege management at startup so Unix sockets work; update documentation for TestOnly
sudo Fix a (non-exploitable in buster) buffer overflow when pwfeedback is enabled and input is not a tty [CVE-2019-18634]
systemd Set fs.file-max sysctl to LONG_MAX rather than ULONG_MAX; change ownership/mode of the execution directories also for static users, ensuring that execution directories like CacheDirectory and StateDirectory are properly chowned to the user specified in User= before launching the service
tifffile Fix wrapper script
tigervnc Fix security issues [CVE-2019-15691 CVE-2019-15692 CVE-2019-15693 CVE-2019-15694 CVE-2019-15695]
tightvnc Fix security issues [CVE-2014-6053 CVE-2019-8287 CVE-2018-20021 CVE-2018-20022 CVE-2018-20748 CVE-2018-7225 CVE-2019-15678 CVE-2019-15679 CVE-2019-15680 CVE-2019-15681]
uif Fix paths to ip(6)tables-restore in light of the migration to nftables
unhide Fix stack exhaustion
x2goclient Strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths in SCP mode; fixes regression with newer libssh versions with fixes for CVE-2019-14889 applied
xmltooling Fix race condition that could lead to crash under load

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-4546 openjdk-11
DSA-4563 webkit2gtk
DSA-4564 linux
DSA-4564 linux-signed-i386
DSA-4564 linux-signed-arm64
DSA-4564 linux-signed-amd64
DSA-4565 intel-microcode
DSA-4566 qemu
DSA-4567 dpdk
DSA-4568 postgresql-common
DSA-4569 ghostscript
DSA-4570 mosquitto
DSA-4571 enigmail
DSA-4571 thunderbird
DSA-4572 slurm-llnl
DSA-4573 symfony
DSA-4575 chromium
DSA-4577 haproxy
DSA-4578 libvpx
DSA-4579 nss
DSA-4580 firefox-esr
DSA-4581 git
DSA-4582 davical
DSA-4583 spip
DSA-4584 spamassassin
DSA-4585 thunderbird
DSA-4586 ruby2.5
DSA-4588 python-ecdsa
DSA-4589 debian-edu-config
DSA-4590 cyrus-imapd
DSA-4591 cyrus-sasl2
DSA-4592 mediawiki
DSA-4593 freeimage
DSA-4595 debian-lan-config
DSA-4597 netty
DSA-4598 python-django
DSA-4599 wordpress
DSA-4600 firefox-esr
DSA-4601 ldm
DSA-4602 xen
DSA-4603 thunderbird
DSA-4604 cacti
DSA-4605 openjdk-11
DSA-4606 chromium
DSA-4607 openconnect
DSA-4608 tiff
DSA-4609 python-apt
DSA-4610 webkit2gtk
DSA-4611 opensmtpd
DSA-4612 prosody-modules
DSA-4613 libidn2
DSA-4615 spamassassin

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
caml-crush [armel] Unbuildable due to missing ocaml-native-compiler
firetray Incompatible with current Thunderbird versions
koji Security issues
python-lamson Broken by changes in python-daemon
radare2 Security issues; upstream doesn't provide stable support
radare2-cutter Depends on radare2, which is to be removed

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete list of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/buster/ChangeLog

The current stable distribution:

http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates

Stable distribution information (release notes, errata, etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.