Debian 10 Updated: 10.4 Released

May 9, 2020

The Debian project is pleased to announce the fourth update of its stable distribution Debian 10 (codename buster). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 10 but only updates some of the packages included. There is no need to throw away old buster installation media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org will not have to update many packages, as most of those updates are included in this point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package                           Reason
apt-cacher-ng                     Enforce secured call to the server in maintenance job triggering [CVE-2020-5202]; allow .zst compression for tarballs; increase size of the decompression line buffer for configuration file reading
backuppc                          Pass the username to start-stop-daemon when reloading, preventing reload failures
base-files                        Update for the point release
brltty                            Reduce severity of log message to avoid generating too many messages when used with new Orca versions
checkstyle                        Fix XML External Entity injection issue [CVE-2019-9658 CVE-2019-10782]
choose-mirror                     Update included mirror list
clamav                            New upstream release [CVE-2020-3123]
corosync                          totemsrp: Reduce MTU to avoid generating oversized packets
corosync-qdevice                  Fix service startup
csync2                            Fail HELLO command when SSL is required
cups                              Fix heap buffer overflow [CVE-2020-3898]; fix the `ippReadIO` function under-reading an extension field [CVE-2019-8842]
dav4tbsync                        New upstream release, fixing compatibility with newer Thunderbird versions
debian-edu-config                 Add policy files for Firefox ESR and Thunderbird to fix the TLS/SSL setup
debian-installer                  Update for the 4.19.0-9 kernel ABI
debian-installer-netboot-images   Rebuild against proposed-updates
debian-security-support           New upstream stable release; update the status of several packages; use runuser rather than su
distro-info-data                  Add Ubuntu 20.10 and the likely end-of-support date for stretch
dojo                              Fix improper regular expression usage [CVE-2019-10785]
dpdk                              New upstream stable release
dtv-scan-tables                   New upstream snapshot; add all current German DVB-T2 muxes and the Eutelsat-5-West-A satellite
eas4tbsync                        New upstream release, fixing compatibility with newer Thunderbird versions
edk2                              Security fixes [CVE-2019-14558 CVE-2019-14559 CVE-2019-14563 CVE-2019-14575 CVE-2019-14586 CVE-2019-14587]
el-api                            Fix upgrades from stretch to buster that include Tomcat 8
fex                               Fix a potential security issue in fexsrv
filezilla                         Fix untrusted search path vulnerability [CVE-2019-5429]
frr                               Fix extended next hop capability
fuse                              Remove outdated udevadm commands from post-install scripts; do not explicitly remove fuse.conf on purge
fuse3                             Remove outdated udevadm commands from post-install scripts; do not explicitly remove fuse.conf on purge; fix memory leak in fuse_session_new()
golang-github-prometheus-common   Extend validity of test certificates
gosa                              Replace (un)serialize with json_encode/json_decode to mitigate PHP object injection [CVE-2019-14466]
hbci4java                         Support EU directive on payment services (PSD2)
hibiscus                          Support EU directive on payment services (PSD2)
iputils                           Correct an issue in which ping would improperly exit with a failure code when there were untried addresses still available in the getaddrinfo() library call return value
ircd-hybrid                       Use dhparam.pem to avoid crash on startup
jekyll                            Allow use of ruby-i18n 0.x and 1.x
jsp-api                           Fix upgrades from stretch to buster that include Tomcat 8
lemonldap-ng                      Prevent unwanted access to administration endpoints [CVE-2019-19791]; fix the GrantSession plugin, which could not prohibit logon when two-factor authentication was used; fix arbitrary redirects with OIDC if redirect_uri was not used
libdatetime-timezone-perl         Update included data
libreoffice                       Fix OpenGL slide transitions
libssh                            Fix possible denial of service issue when handling AES-CTR keys with OpenSSL [CVE-2020-1730]
libvncserver                      Fix heap overflow [CVE-2019-15690]
linux                             New upstream stable release
linux-latest                      Update kernel ABI to 4.19.0-9
linux-signed-amd64                New upstream stable release
linux-signed-arm64                New upstream stable release
linux-signed-i386                 New upstream stable release
lwip                              Fix buffer overflow [CVE-2020-8597]
lxc-templates                     New upstream stable release; handle languages that are only UTF-8 encoded
manila                            Fix missing access permissions check [CVE-2020-9543]
megatools                         Add support for the new format of mega.nz links
mew                               Fix server SSL certificate validity checking
mew-beta                          Fix server SSL certificate validity checking
mkvtoolnix                        Rebuild to tighten libmatroska6v5 dependency
ncbi-blast+                       Disable SSE4.2 support
node-anymatch                     Remove unnecessary dependency
node-dot                          Prevent code execution after prototype pollution [CVE-2020-8141]
node-dot-prop                     Fix prototype pollution [CVE-2020-8116]
node-knockout                     Fix escaping with older Internet Explorer versions [CVE-2019-14862]
node-mongodb                      Reject invalid _bsontypes [CVE-2019-2391 CVE-2020-7610]
node-yargs-parser                 Fix prototype pollution [CVE-2020-7608]
npm                               Fix arbitrary path access [CVE-2019-16775 CVE-2019-16776 CVE-2019-16777]
nvidia-graphics-drivers           New upstream stable release
nvidia-graphics-drivers-legacy-390xx  New upstream stable release
nvidia-settings-legacy-340xx      New upstream release
oar                               Revert to stretch behaviour for the Storable::dclone perl function, fixing recursion depth issues
opam                              Prefer mccs over aspcud
openvswitch                       Fix vswitchd abort when a port is added and the controller is down
orocos-kdl                        Fix string conversion with Python 3
owfs                              Remove broken Python 3 packages
pango1.0                          Fix crash in pango_fc_font_key_get_variations() when key is null
pgcli                             Add missing dependency on python3-pkg-resources
php-horde-data                    Fix authenticated remote code execution vulnerability [CVE-2020-8518]
php-horde-form                    Fix authenticated remote code execution vulnerability [CVE-2020-8866]
php-horde-trean                   Fix authenticated remote code execution vulnerability [CVE-2020-8865]
postfix                           New upstream stable release; fix panic with Postfix multi-Milter configuration during MAIL FROM; fix d/init.d running change so it works with multi-instance again
proftpd-dfsg                      Fix memory access issue in keyboard-interactive code in mod_sftp; properly handle DEBUG, IGNORE, DISCONNECT, and UNIMPLEMENTED messages in keyboard-interactive mode
puma                              Fix Denial of Service issue [CVE-2019-16770]
purple-discord                    Fix crashes in ssl_nss_read
python-oslo.utils                 Fix leak of sensitive information via mistral logs [CVE-2019-3866]
rails                             Fix possible cross-site scripting via the JavaScript escape helper [CVE-2020-5267]
rake                              Fix command injection vulnerability [CVE-2020-8130]
raspi3-firmware                   Fix dtb names mismatch in z50-raspi-firmware; fix boot on Raspberry Pi families 1 and 0
resource-agents                   Fix ethmonitor not listing interfaces without an assigned IP address; remove no longer required xen-toolstack patch; fix non-standard usage in ZFS agent
rootskel                          Disable multiple console support if preseeding is in use
ruby-i18n                         Fix gemspec generation
rubygems-integration              Avoid deprecation warnings when users install a newer version of Rubygems via gem update --system
schleuder                         Improve patch to handle encoding errors introduced in the previous version; switch default encoding to UTF-8; let x-add-key handle mails with attached, quoted-printable encoded keys; fix x-attach-listkey with mails created by Thunderbird that include protected headers
scilab                            Fix library loading with OpenJDK 11.0.7
serverspec-runner                 Support Ruby 2.5
softflowd                         Fix broken flow aggregation, which might result in flow table overflow and 100% CPU usage
speech-dispatcher                 Fix default pulseaudio latency, which triggers scratchy output
spl-linux                         Fix deadlock
sssd                              Fix sssd_be busy-looping when the LDAP connection is intermittent
systemd                           When authorizing via PolicyKit, re-resolve callback/userdata instead of caching it [CVE-2020-1712]; install 60-block.rules in udev-udeb and initramfs-tools
taglib                            Fix corruption issues with OGG files
tbsync                            New upstream release, fixing compatibility with newer Thunderbird versions
timeshift                         Fix predictable temporary directory use [CVE-2020-10174]
tinyproxy                         Only set PIDDIR if PIDFILE is a non-zero length string
tzdata                            New upstream stable release
uim                               Unregister modules that are not installed, fixing a regression in the previous upload
user-mode-linux                   Fix build failure with current stable kernels
vite                              Fix crash when there are more than 32 elements
waagent                           New upstream release; support co-installation with cloud-init
websocket-api                     Fix upgrades from stretch to buster that include Tomcat 8
wpa                               Do not try to detect PSK mismatch during PTK rekeying; check for FT support when selecting FT suites; fix MAC randomisation issue with some cards
xdg-utils                         xdg-open: fix pcmanfm check and handling of directories with spaces in their names; xdg-screensaver: sanitise window name before sending it over D-Bus; xdg-mime: create config directory if it does not exist yet
xtrlock                           Fix blocking of (some) multitouch devices while locked [CVE-2016-10894]
zfs-linux                         Fix potential deadlock

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID   Package
DSA-4616      qemu
DSA-4617      qtbase-opensource-src
DSA-4618      libexif
DSA-4619      libxmlrpc3-java
DSA-4620      firefox-esr
DSA-4623      postgresql-11
DSA-4624      evince
DSA-4625      thunderbird
DSA-4627      webkit2gtk
DSA-4629      python-django
DSA-4630      python-pysaml2
DSA-4631      pillow
DSA-4632      ppp
DSA-4633      curl
DSA-4634      opensmtpd
DSA-4635      proftpd-dfsg
DSA-4636      python-bleach
DSA-4637      network-manager-ssh
DSA-4638      chromium
DSA-4639      firefox-esr
DSA-4640      graphicsmagick
DSA-4641      webkit2gtk
DSA-4642      thunderbird
DSA-4643      python-bleach
DSA-4644      tor
DSA-4645      chromium
DSA-4646      icu
DSA-4647      bluez
DSA-4648      libpam-krb5
DSA-4649      haproxy
DSA-4650      qbittorrent
DSA-4651      mediawiki
DSA-4652      gnutls28
DSA-4653      firefox-esr
DSA-4654      chromium
DSA-4655      firefox-esr
DSA-4656      thunderbird
DSA-4657      git
DSA-4658      webkit2gtk
DSA-4659      git
DSA-4660      awl
DSA-4661      openssl
DSA-4663      python-reportlab
DSA-4664      mailman
DSA-4665      qemu
DSA-4666      openldap
DSA-4667      linux-signed-amd64
DSA-4667      linux-signed-arm64
DSA-4667      linux-signed-i386
DSA-4667      linux
DSA-4669      nodejs
DSA-4671      vlc
DSA-4672      trafficserver

Removed Packages

The following packages were removed due to circumstances beyond our control:

Package             Reason
getlive             Broken due to Hotmail changes
gplaycli            Broken due to Google API changes
kerneloops          Upstream service no longer available
lambda-align2 [arm64 armel armhf i386 mips64el ppc64el s390x]  Broken on non-amd64 architectures
libmicrodns         Security issues
libperlspeak-perl   Security issues; unmaintained
quotecolors         Incompatible with newer Thunderbird versions
torbirdy            Incompatible with newer Thunderbird versions
ugene               Non-free; fails to build
yahoo2mbox          Broken for the past several years

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete list of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/buster/ChangeLog

The current stable distribution:

http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates

Stable distribution information (release notes, errata, etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.