Updated Debian 10: 10.5 released

August 1st, 2020

The Debian project is pleased to announce the fifth update of its stable distribution Debian 10 (codename buster). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

This point release also addresses Debian Security Advisory: DSA-4735-1 grub2 -- security update which covers multiple CVE issues regarding the GRUB2 UEFI SecureBoot 'BootHole' vulnerability.

Please note that the point release does not constitute a new version of Debian 10 but only updates some of the packages included. There is no need to throw away old buster media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package Reason
appstream-glib Fix build failures in 2020 and later
asunder Use gnudb instead of freedb by default
b43-fwcutter Ensure removal succeeds under non-English locales; do not fail removal if some files no longer exist; fix missing dependencies on pciutils and ca-certificates
balsa Provide server identity when validating certificates, allowing successful validation when using the glib-networking patch for CVE-2020-13645
base-files Update for the point release
batik Fix server-side request forgery via xlink:href attributes [CVE-2019-17566]
borgbackup Fix index corruption bug leading to data loss
bundler Update required version of ruby-molinillo
c-icap-modules Add support for ClamAV 0.102
cacti Fix issue where UNIX timestamps after September 13th 2020 were rejected as graph start / end; fix remote code execution [CVE-2020-7237], cross-site scripting [CVE-2020-7106], CSRF issue [CVE-2020-13231]; disabling a user account does not immediately invalidate permissions [CVE-2020-13230]
calamares-settings-debian Enable displaymanager module, fixing autologin options; use xdg-user-dir to specify Desktop directory
clamav New upstream release; security fixes [CVE-2020-3327 CVE-2020-3341 CVE-2020-3350 CVE-2020-3481]
cloud-init New upstream release
commons-configuration2 Prevent object creation when loading YAML files [CVE-2020-1953]
confget Fix the Python module's handling of values containing =
dbus New upstream stable release; prevent a denial of service issue [CVE-2020-12049]; prevent use-after-free if two usernames share a uid
debian-edu-config Fix loss of dynamically allocated IPv4 address
debian-installer Update Linux ABI to 4.19.0-10
debian-installer-netboot-images Rebuild against proposed-updates
debian-ports-archive-keyring Increase the expiration date of the 2020 key (84C573CD4E1AFD6C) by one year; add Debian Ports Archive Automatic Signing Key (2021); move the 2018 key (ID: 06AED62430CB581C) to the removed keyring
debian-security-support Update support status of several packages
dpdk New upstream release
exiv2 Adjust overly restrictive security patch [CVE-2018-10958 and CVE-2018-10999]; fix denial of service issue [CVE-2018-16336]
fdroidserver Fix Litecoin address validation
file-roller Security fix [CVE-2020-11736]
freerdp2 Fix smartcard logins; security fixes [CVE-2020-11521 CVE-2020-11522 CVE-2020-11523 CVE-2020-11524 CVE-2020-11525 CVE-2020-11526]
fwupd New upstream release; fix possible signature verification issue [CVE-2020-10759]; use rotated Debian signing keys
fwupd-amd64-signed New upstream release; fix possible signature verification issue [CVE-2020-10759]; use rotated Debian signing keys
fwupd-arm64-signed New upstream release; fix possible signature verification issue [CVE-2020-10759]; use rotated Debian signing keys
fwupd-armhf-signed New upstream release; fix possible signature verification issue [CVE-2020-10759]; use rotated Debian signing keys
fwupd-i386-signed New upstream release; fix possible signature verification issue [CVE-2020-10759]; use rotated Debian signing keys
fwupdate Use rotated Debian signing keys
fwupdate-amd64-signed Use rotated Debian signing keys
fwupdate-arm64-signed Use rotated Debian signing keys
fwupdate-armhf-signed Use rotated Debian signing keys
fwupdate-i386-signed Use rotated Debian signing keys
gist Avoid deprecated authorization API
glib-networking Return bad identity error if identity is unset [CVE-2020-13645]; break balsa older than 2.5.6-2+deb10u1 as the fix for CVE-2020-13645 breaks balsa's certificate verification
gnutls28 Fix TLS 1.2 resumption errors; fix memory leak; handle zero length session tickets, fixing connection errors on TLS 1.2 sessions to some big hosting providers; fix verification error with alternate chains
intel-microcode Downgrade some microcodes to previously issued versions, working around hangs on boot on Skylake-U/Y and Skylake Xeon E3
jackson-databind Fix multiple security issues affecting BeanDeserializerFactory [CVE-2020-9548 CVE-2020-9547 CVE-2020-9546 CVE-2020-8840 CVE-2020-14195 CVE-2020-14062 CVE-2020-14061 CVE-2020-14060 CVE-2020-11620 CVE-2020-11619 CVE-2020-11113 CVE-2020-11112 CVE-2020-11111 CVE-2020-10969 CVE-2020-10968 CVE-2020-10673 CVE-2020-10672 CVE-2019-20330 CVE-2019-17531 and CVE-2019-17267]
jameica Add mckoisqldb to classpath, allowing use of SynTAX plugin
jigdo Fix HTTPS support in jigdo-lite and jigdo-mirror
ksh Fix environment variable restriction issue [CVE-2019-14868]
lemonldap-ng Fix nginx configuration regression introduced by the fix for CVE-2019-19791
libapache-mod-jk Rename Apache configuration file so it can be automatically enabled and disabled
libclamunrar New upstream stable release; add an unversioned meta-package
libembperl-perl Handle error pages from Apache >= 2.4.40
libexif Security fixes [CVE-2020-12767 CVE-2020-0093 CVE-2020-13112 CVE-2020-13113 CVE-2020-13114]; fix buffer overflow [CVE-2020-0182] and integer overflow [CVE-2020-0198]
libinput Quirks: add trackpoint integration attribute
libntlm Fix buffer overflow [CVE-2019-17455]
libpam-radius-auth Fix buffer overflow in password field [CVE-2015-9542]
libunwind Fix segfaults on mips; manually enable C++ exception support only on i386 and amd64
libyang Fix cache corruption crash [CVE-2019-19333 CVE-2019-19334]
linux New upstream stable release
linux-latest Update for 4.19.0-10 kernel ABI
linux-signed-amd64 New upstream stable release
linux-signed-arm64 New upstream stable release
linux-signed-i386 New upstream stable release
lirc Fix conffile management
mailutils maidag: drop setuid privileges for all delivery operations but mda [CVE-2019-18862]
mariadb-10.3 New upstream stable release; security fixes [CVE-2020-2752 CVE-2020-2760 CVE-2020-2812 CVE-2020-2814 CVE-2020-13249]; fix regression in RocksDB ZSTD detection
mod-gnutls Fix a possible segfault on failed TLS handshake; fix test failures
multipath-tools kpartx: use correct path to partx in udev rule
mutt Don't check IMAP PREAUTH encryption if $tunnel is in use
mydumper Link against libm
nfs-utils statd: take user-id from /var/lib/nfs/sm [CVE-2019-3689]; don't make /var/lib/nfs owned by statd
nginx Fix error page request smuggling vulnerability [CVE-2019-20372]
nmap Update default key size to 2048 bits
node-dot-prop Fix regression introduced in CVE-2020-8116 fix
node-handlebars Disallow calling helperMissing and blockHelperMissing directly [CVE-2019-19919]
node-minimist Fix prototype pollution [CVE-2020-7598]
nvidia-graphics-drivers New upstream stable release; security fixes [CVE-2020-5963 CVE-2020-5967]
nvidia-graphics-drivers-legacy-390xx New upstream stable release; security fixes [CVE-2020-5963 CVE-2020-5967]
openstack-debian-images Install resolvconf if installing cloud-init
pagekite Avoid issues with expiry of shipped SSL certificates by using those from the ca-certificates package
pdfchain Fix crash at startup
perl Fix multiple regular expression related security issues [CVE-2020-10543 CVE-2020-10878 CVE-2020-12723]
php-horde Fix cross-site scripting vulnerability [CVE-2020-8035]
php-horde-gollem Fix cross-site scripting vulnerability in breadcrumb output [CVE-2020-8034]
pillow Fix multiple out-of-bounds read issues [CVE-2020-11538 CVE-2020-10378 CVE-2020-10177]
policyd-rate-limit Fix issues in accounting due to socket reuse
postfix New upstream stable release; fix segfault in the tlsproxy client role when the server role was disabled; fix maillog_file_rotate_suffix default value, which used the minute instead of the month; fix several TLS related issues; README.Debian fixes
python-markdown2 Fix cross-site scripting issue [CVE-2020-11888]
python3.7 Avoid infinite loop when reading specially crafted TAR files using the tarfile module [CVE-2019-20907]; resolve hash collisions for IPv4Interface and IPv6Interface [CVE-2020-14422]; fix denial of service issue in urllib.request.AbstractBasicAuthHandler [CVE-2020-8492]
qdirstat Fix saving of user-configured MIME categories
raspi3-firmware Fix typo that could lead to unbootable systems
resource-agents IPsrcaddr: make proto optional to fix regression when used without NetworkManager
ruby-json Fix unsafe object creation vulnerability [CVE-2020-10663]
shim Use rotated Debian signing keys
shim-helpers-amd64-signed Use rotated Debian signing keys
shim-helpers-arm64-signed Use rotated Debian signing keys
shim-helpers-i386-signed Use rotated Debian signing keys
speedtest-cli Pass correct headers to fix upload speed test
ssvnc Fix out-of-bounds write [CVE-2018-20020], infinite loop [CVE-2018-20021], improper initialisation [CVE-2018-20022], potential denial-of-service [CVE-2018-20024]
storebackup Fix possible privilege escalation vulnerability [CVE-2020-7040]
suricata Fix dropping privileges in nflog runmode
tigervnc Don't use libunwind on armel, armhf or arm64
transmission Fix possible denial of service issue [CVE-2018-10756]
wav2cdr Use C99 fixed-size integer types to fix runtime assertion on 64bit architectures other than amd64 and alpha
zipios++ Security fix [CVE-2019-13453]

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-4626 php7.3
DSA-4674 roundcube
DSA-4675 graphicsmagick
DSA-4676 salt
DSA-4677 wordpress
DSA-4678 firefox-esr
DSA-4679 keystone
DSA-4680 tomcat9
DSA-4681 webkit2gtk
DSA-4682 squid
DSA-4683 thunderbird
DSA-4684 libreswan
DSA-4685 apt
DSA-4686 apache-log4j1.2
DSA-4687 exim4
DSA-4688 dpdk
DSA-4689 bind9
DSA-4690 dovecot
DSA-4691 pdns-recursor
DSA-4692 netqmail
DSA-4694 unbound
DSA-4695 firefox-esr
DSA-4696 nodejs
DSA-4697 gnutls28
DSA-4699 linux-signed-amd64
DSA-4699 linux-signed-arm64
DSA-4699 linux-signed-i386
DSA-4699 linux
DSA-4700 roundcube
DSA-4701 intel-microcode
DSA-4702 thunderbird
DSA-4704 vlc
DSA-4705 python-django
DSA-4707 mutt
DSA-4708 neomutt
DSA-4709 wordpress
DSA-4710 trafficserver
DSA-4711 coturn
DSA-4712 imagemagick
DSA-4713 firefox-esr
DSA-4714 chromium
DSA-4716 docker.io
DSA-4718 thunderbird
DSA-4719 php7.3
DSA-4720 roundcube
DSA-4721 ruby2.5
DSA-4722 ffmpeg
DSA-4723 xen
DSA-4724 webkit2gtk
DSA-4725 evolution-data-server
DSA-4726 nss
DSA-4727 tomcat9
DSA-4728 qemu
DSA-4729 libopenmpt
DSA-4730 ruby-sanitize
DSA-4731 redis
DSA-4732 squid
DSA-4733 qemu
DSA-4735 grub-efi-amd64-signed
DSA-4735 grub-efi-arm64-signed
DSA-4735 grub-efi-ia32-signed
DSA-4735 grub2
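
The two tables above are the practical input for triage after a point release: which of the listed packages are installed on a given host, and which CVEs and DSAs does the update close for them. The following Python script is an added example and is not Debian's own tooling. It parses the flattened "Package Reason" and "Advisory ID Package" layouts used on this page into package-to-CVE and package-to-DSA maps and cross-references them with the output of `dpkg-query -W -f '${Package} ${Version}\n'`. The table excerpts and the dpkg listing are constructed inline (the host and its versions are hypothetical) so the script runs offline.

```python
"""Cross-reference a Debian point-release announcement against installed packages.

Added example; not Debian's own tooling. Inputs below are constructed excerpts so
the script runs offline. On a real host, replace DPKG_LISTING with the output of:
    dpkg-query -W -f '${Package} ${Version}\n'
"""
import re
from collections import defaultdict

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed excerpt of the "Miscellaneous Bugfixes" table (same layout as the page).
BUGFIX_TABLE = """\
Package Reason
batik Fix server-side request forgery via xlink:href attributes [CVE-2019-17566]
clamav New upstream release; security fixes [CVE-2020-3327 CVE-2020-3341 CVE-2020-3350 CVE-2020-3327 CVE-2020-3481]
dbus New upstream stable release; prevent a denial of service issue [CVE-2020-12049]; prevent use-after-free if two usernames share a uid
nginx Fix error page request smuggling vulnerability [CVE-2019-20372]
perl Fix multiple regular expression related security issues [CVE-2020-10543 CVE-2020-10878 CVE-2020-12723]
qdirstat Fix saving of user-configured MIME categories
"""

# Constructed excerpt of the "Security Updates" table (Advisory ID, Package).
DSA_TABLE = """\
Advisory ID Package
DSA-4685 apt
DSA-4697 gnutls28
DSA-4699 linux
DSA-4735 grub2
DSA-4735 grub-efi-amd64-signed
"""

# Constructed dpkg-query output for a hypothetical buster host (versions are made up).
DPKG_LISTING = """\
apt 1.8.2.1
clamav 0.102.3+dfsg-0+deb10u1
nginx 1.14.2-2+deb10u1
perl 5.28.1-6+deb10u1
vim 2:8.1.0875-5
"""


def parse_bugfix_table(text):
    """Return {package: (reason, sorted unique CVE ids)} for each table row."""
    rows = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Package "):
            continue  # skip blank lines and the "Package Reason" header
        pkg, _, reason = line.partition(" ")
        cves = sorted(set(CVE_RE.findall(reason)))  # set() drops repeated ids
        rows[pkg] = (reason, cves)
    return rows


def parse_dsa_table(text):
    """Return {package: [advisory ids]} from the "Advisory ID Package" table."""
    advisories = defaultdict(list)
    for line in text.splitlines():
        m = re.match(r"(DSA-\d+)\s+(\S+)$", line)
        if m:  # the header line does not match and is skipped
            advisories[m.group(2)].append(m.group(1))
    return dict(advisories)


def parse_dpkg_listing(text):
    """Return {package: version} from dpkg-query '${Package} ${Version}' lines."""
    installed = {}
    for line in text.splitlines():
        if line.strip():
            pkg, _, ver = line.partition(" ")
            installed[pkg] = ver
    return installed


def triage(bugfixes, advisories, installed):
    """Installed packages touched by the point release: (pkg, version, cves, dsas)."""
    hits = []
    for pkg in sorted(installed):
        cves = bugfixes.get(pkg, ("", []))[1]
        dsas = advisories.get(pkg, [])
        if pkg in bugfixes or dsas:
            hits.append((pkg, installed[pkg], cves, dsas))
    return hits


def all_cves(bugfixes):
    """Unique CVE ids across the whole table, e.g. for feeding a vulnerability tracker."""
    return sorted({c for _, cves in bugfixes.values() for c in cves})


if __name__ == "__main__":
    bf = parse_bugfix_table(BUGFIX_TABLE)
    ds = parse_dsa_table(DSA_TABLE)
    inst = parse_dpkg_listing(DPKG_LISTING)
    for pkg, ver, cves, dsas in triage(bf, ds, inst):
        print(f"{pkg} {ver}: CVEs={cves or '-'} DSAs={dsas or '-'}")
    print(len(all_cves(bf)), "unique CVEs in the excerpt")
```

Two caveats when running this against a real host. The tables on this page name source packages (linux, grub2, gnutls28), whereas dpkg lists binary packages, so use `${source:Package}` in the dpkg-query format string to match on source names. The script also only tells you that a package was touched, not whether the installed version already contains the fix; compare the installed version against the version in the buster ChangeLog with `dpkg --compare-versions` before closing a finding.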

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
golang-github-unknwon-cae Security issues; unmaintained
janus Not supportable in stable
mathematica-fonts Relies on unavailable download location
matrix-synapse Security issues; unsupportable
selenium-firefoxdriver Incompatible with newer Firefox ESR versions

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/buster/ChangeLog

The current stable distribution:

http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates

Stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.