Updated Debian 10: 10.4 released
May 9th, 2020
The Debian project is pleased to announce the fourth update of its stable distribution Debian 10 (codename buster).
This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 10 but only updates some of the packages included. There is no need to throw away old buster media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org will not have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
apt-cacher-ng | Enforce secured call to the server in maintenance job triggering [CVE-2020-5202]; allow .zst compression for tarballs; increase size of the decompression line buffer for configuration file reading |
backuppc | Pass the username to start-stop-daemon when reloading, preventing reload failures |
base-files | Update for the point release |
brltty | Reduce severity of log message to avoid generating too many messages when used with new Orca versions |
checkstyle | Fix XML External Entity injection issue [CVE-2019-9658 CVE-2019-10782] |
choose-mirror | Update included mirror list |
clamav | New upstream release [CVE-2020-3123] |
corosync | totemsrp: Reduce MTU to avoid generating oversized packets |
corosync-qdevice | Fix service startup |
csync2 | Fail HELLO command when SSL is required |
cups | Fix heap buffer overflow [CVE-2020-3898]; fix the `ippReadIO` function under-reading an extension field [CVE-2019-8842] |
dav4tbsync | New upstream release, restoring compatibility with newer Thunderbird versions |
debian-edu-config | Add policy files for Firefox ESR and Thunderbird to fix the TLS/SSL setup |
debian-installer | Update for the 4.19.0-9 kernel ABI |
debian-installer-netboot-images | Rebuild against proposed-updates |
debian-security-support | New upstream stable release; update status of several packages; use runuser rather than su |
distro-info-data | Add Ubuntu 20.10, and likely end of support date for stretch |
dojo | Fix improper regular expression usage [CVE-2019-10785] |
dpdk | New upstream stable release |
dtv-scan-tables | New upstream snapshot; add all current German DVB-T2 muxes and the Eutelsat-5-West-A satellite |
eas4tbsync | New upstream release, restoring compatibility with newer Thunderbird versions |
edk2 | Security fixes [CVE-2019-14558 CVE-2019-14559 CVE-2019-14563 CVE-2019-14575 CVE-2019-14586 CVE-2019-14587] |
el-api | Fix stretch to buster upgrades that involve Tomcat 8 |
fex | Fix a potential security issue in fexsrv |
filezilla | Fix untrusted search path vulnerability [CVE-2019-5429] |
frr | Fix extended next hop capability |
fuse | Remove outdated udevadm commands from post-install scripts; don't explicitly remove fuse.conf on purge |
fuse3 | Remove outdated udevadm commands from post-install scripts; don't explicitly remove fuse.conf on purge; fix memory leak in fuse_session_new() |
golang-github-prometheus-common | Extend validity of test certificates |
gosa | Replace (un)serialize with json_encode/json_decode to mitigate PHP object injection [CVE-2019-14466] |
hbci4java | Support EU directive on payment services (PSD2) |
hibiscus | Support EU directive on payment services (PSD2) |
iputils | Correct an issue in which ping would improperly exit with a failure code when there were untried addresses still available in the getaddrinfo() library call return value |
ircd-hybrid | Use dhparam.pem to avoid crash on startup |
jekyll | Allow use of ruby-i18n 0.x and 1.x |
jsp-api | Fix stretch to buster upgrades that involve Tomcat 8 |
lemonldap-ng | Prevent unwanted access to administration endpoints [CVE-2019-19791]; fix the GrantSession plugin which could not prohibit logon when two factor authentication was used; fix arbitrary redirects with OIDC if redirect_uri was not used |
libdatetime-timezone-perl | Update included data |
libreoffice | Fix OpenGL slide transitions |
libssh | Fix possible denial of service issue when handling AES-CTR keys with OpenSSL [CVE-2020-1730] |
libvncserver | Fix heap overflow [CVE-2019-15690] |
linux | New upstream stable release |
linux-latest | Update kernel ABI to 4.19.0-9 |
linux-signed-amd64 | New upstream stable release |
linux-signed-arm64 | New upstream stable release |
linux-signed-i386 | New upstream stable release |
lwip | Fix buffer overflow [CVE-2020-8597] |
lxc-templates | New upstream stable release; handle languages that are only UTF-8 encoded |
manila | Fix missing access permissions check [CVE-2020-9543] |
megatools | Add support for the new format of mega.nz links |
mew | Fix server SSL certificate validity checking |
mew-beta | Fix server SSL certificate validity checking |
mkvtoolnix | Rebuild to tighten libmatroska6v5 dependency |
ncbi-blast+ | Disable SSE4.2 support |
node-anymatch | Remove unnecessary dependencies |
node-dot | Prevent code execution after prototype pollution [CVE-2020-8141] |
node-dot-prop | Fix prototype pollution [CVE-2020-8116] |
node-knockout | Fix escaping with older Internet Explorer versions [CVE-2019-14862] |
node-mongodb | Reject invalid _bsontypes [CVE-2019-2391 CVE-2020-7610] |
node-yargs-parser | Fix prototype pollution [CVE-2020-7608] |
npm | Fix arbitrary path access [CVE-2019-16775 CVE-2019-16776 CVE-2019-16777] |
nvidia-graphics-drivers | New upstream stable release |
nvidia-graphics-drivers-legacy-390xx | New upstream stable release |
nvidia-settings-legacy-340xx | New upstream release |
oar | Revert to stretch behavior for Storable::dclone perl function, fixing recursion depth issues |
opam | Prefer mccs over aspcud |
openvswitch | Fix vswitchd abort when a port is added and the controller is down |
orocos-kdl | Fix string conversion with Python 3 |
owfs | Remove broken Python 3 packages |
pango1.0 | Fix crash in pango_fc_font_key_get_variations() when key is null |
pgcli | Add missing dependency on python3-pkg-resources |
php-horde-data | Fix authenticated remote code execution vulnerability [CVE-2020-8518] |
php-horde-form | Fix authenticated remote code execution vulnerability [CVE-2020-8866] |
php-horde-trean | Fix authenticated remote code execution vulnerability [CVE-2020-8865] |
postfix | New upstream stable release; fix panic with Postfix multi-Milter configuration during MAIL FROM; fix d/init.d running change so it works with multi-instance again |
proftpd-dfsg | Fix memory access issue in keyboard-interactive code in mod_sftp; properly handle DEBUG, IGNORE, DISCONNECT, and UNIMPLEMENTED messages in keyboard-interactive mode |
puma | Fix Denial of Service issue [CVE-2019-16770] |
purple-discord | Fix crashes in ssl_nss_read |
python-oslo.utils | Fix leak of sensitive information via mistral logs [CVE-2019-3866] |
rails | Fix possible cross-site scripting via Javascript escape helper [CVE-2020-5267] |
rake | Fix command injection vulnerability [CVE-2020-8130] |
raspi3-firmware | Fix dtb names mismatch in z50-raspi-firmware; fix boot on Raspberry Pi families 1 and 0 |
resource-agents | Fix ethmonitor not listing interfaces without an assigned IP address; remove no longer required xen-toolstack patch; fix non-standard usage in ZFS agent |
rootskel | Disable multiple console support if preseeding is in use |
ruby-i18n | Fix gemspec generation |
rubygems-integration | Avoid deprecation warnings when users install a newer version of Rubygems via gem update --system |
schleuder | Improve patch to handle encoding errors introduced in the previous version; switch default encoding to UTF-8; let x-add-key handle mails with attached, quoted-printable encoded keys; fix x-attach-listkey with mails created by Thunderbird that include protected headers |
scilab | Fix library loading with OpenJDK 11.0.7 |
serverspec-runner | Support Ruby 2.5 |
softflowd | Fix broken flow aggregation which might result in flow table overflow and 100% CPU usage |
speech-dispatcher | Fix default pulseaudio latency which triggers scratchy output |
spl-linux | Fix deadlock |
sssd | Fix sssd_be busy-looping when LDAP connection is intermittent |
systemd | When authorizing via PolicyKit, re-resolve callback/userdata instead of caching it [CVE-2020-1712]; install 60-block.rules in udev-udeb and initramfs-tools |
taglib | Fix corruption issues with OGG files |
tbsync | New upstream release, restoring compatibility with newer Thunderbird versions |
timeshift | Fix predictable temporary directory use [CVE-2020-10174] |
tinyproxy | Only set PIDDIR, if PIDFILE is a non-zero length string |
tzdata | New upstream stable release |
uim | Unregister modules that are not installed, fixing a regression in the previous upload |
user-mode-linux | Fix build failure with current stable kernels |
vite | Fix crash when there are more than 32 elements |
waagent | New upstream release; support co-installation with cloud-init |
websocket-api | Fix stretch to buster upgrades that involve Tomcat 8 |
wpa | Do not try to detect PSK mismatch during PTK rekeying; check for FT support when selecting FT suites; fix MAC randomisation issue with some cards |
xdg-utils | xdg-open: fix pcmanfm check and handling of directories with spaces in their names; xdg-screensaver: Sanitise window name before sending it over D-Bus; xdg-mime: Create config directory if it does not exist yet |
xtrlock | Fix blocking of (some) multitouch devices while locked [CVE-2016-10894] |
zfs-linux | Fix potential deadlock issues |
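The table above lists fixes by source package and names the CVE identifiers closed by each, which is the first thing a practitioner wants to cross-check against a host before and after upgrading. The following is an added example, not Debian project code: it parses the "Package | Reason" table format used on this page, extracts the CVE identifiers from each reason, and matches the source package names against `dpkg-query` output. The table excerpt and the `dpkg-query` listing embedded below are constructed samples (a few rows from the table above and a hypothetical host); the `${source:Package}` format field is a real dpkg-query field, used here because the table names source packages while installed binaries (cups-daemon, udev, linux-image-…) are often named differently. The announcement does not list fixed version numbers, so this check tells you which listed packages are present, not whether the installed version already contains the fix.

```python
"""Cross-check a point-release bugfix table against installed packages.

Added example, not Debian project code. Parses the "Package | Reason" table
format used in the announcement, pulls out the CVE identifiers, and matches
the source package names against `dpkg-query -W -f='${source:Package} ${Package}\n'`
output so the rows relevant to a given host can be listed.
"""
import re
from collections import defaultdict

# Constructed excerpt of the bugfix table above (a handful of rows, not the full list).
ANNOUNCEMENT_TABLE = """\
Package | Reason |
---|---|
cups | Fix heap buffer overflow [CVE-2020-3898] and the `ippReadIO` function may under-read an extension field [CVE-2019-8842] |
edk2 | Security fixes [CVE-2019-14558 CVE-2019-14559 CVE-2019-14563 CVE-2019-14575 CVE-2019-14586 CVE-2019-14587] |
linux | New upstream stable release |
npm | Fix arbitrary path access [CVE-2019-16775 CVE-2019-16776 CVE-2019-16777] |
systemd | When authorizing via PolicyKit re-resolve callback/userdata instead of caching it [CVE-2020-1712]; install 60-block.rules in udev-udeb and initramfs-tools |
timeshift | Fix predictable temporary directory use [CVE-2020-10174] |
"""

# Constructed sample of:  dpkg-query -W -f='${source:Package} ${Package}\n'
# First column is the *source* package (what the table lists); second is the
# installed binary package, whose name frequently differs from the source name.
INSTALLED_SAMPLE = """\
cups cups
cups cups-daemon
linux linux-image-4.19.0-8-amd64
npm npm
systemd systemd
systemd udev
"""

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def parse_table(text):
    """Return {source_pkg: (reason, [cve, ...])} from a 'Package | Reason |' table."""
    fixes = {}
    for raw in text.splitlines():
        line = raw.strip()
        if "|" not in line or line.startswith("---"):
            continue  # blank lines and the markdown separator row
        # Split only on the first pipe so a reason containing '|' stays intact.
        cells = [c.strip() for c in line.rstrip("|").split("|", 1)]
        if len(cells) != 2 or cells[0] == "Package":
            continue  # header row
        pkg, reason = cells
        fixes[pkg] = (reason, CVE_RE.findall(reason))
    return fixes


def parse_dpkg(output):
    """Return {source_pkg: [binary_pkg, ...]} from '<source> <binary>' lines."""
    by_source = defaultdict(list)
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        source, binary = parts
        by_source[source].append(binary)
    return dict(by_source)


def installed_fixes(fixes, installed):
    """Map each listed source package that is installed to its binaries, reason and CVEs."""
    report = {}
    for source, binaries in installed.items():
        if source in fixes:
            reason, cves = fixes[source]
            report[source] = {"binaries": sorted(binaries), "reason": reason, "cves": cves}
    return report


def pending_cves(report):
    """Sorted, de-duplicated CVE identifiers across the installed packages in the report."""
    return sorted({cve for entry in report.values() for cve in entry["cves"]})


if __name__ == "__main__":
    fixes = parse_table(ANNOUNCEMENT_TABLE)
    report = installed_fixes(fixes, parse_dpkg(INSTALLED_SAMPLE))
    for source, entry in sorted(report.items()):
        tag = ", ".join(entry["cves"]) or "no CVE listed"
        print(f"{source:10} {', '.join(entry['binaries']):40} {tag}")
    print("CVEs addressed on this host:", ", ".join(pending_cves(report)))
```

On a real host, replace `INSTALLED_SAMPLE` with the output of `dpkg-query -W -f='${source:Package} ${Package}\n'` and paste the full table from this page into `ANNOUNCEMENT_TABLE`. Rows without a CVE (such as the `linux` stable release) still matter for availability and stability, so the report keeps them and only the CVE summary filters them out; to confirm that a particular CVE is closed on the host, compare the installed version against the DSA for that package rather than relying on the package name alone.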
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
getlive | Broken due to Hotmail changes |
gplaycli | Broken by Google API changes |
kerneloops | Upstream service no longer available |
lambda-align2 | [arm64 armel armhf i386 mips64el ppc64el s390x] Broken on non-amd64 architectures |
libmicrodns | Security issues |
libperlspeak-perl | Security issues; unmaintained |
quotecolors | Incompatible with newer Thunderbird versions |
torbirdy | Incompatible with newer Thunderbird versions |
ugene | Non-free; fails to build |
yahoo2mbox | Broken for several years |
Debian Installer
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
The complete list of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
Stable distribution information (release notes, errata, etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.