Updated Debian 10: 10.5 released

1 August 2020

The Debian project is pleased to announce the fifth update of its stable distribution Debian 10 (codename buster). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

This point release also addresses Debian Security Advisory DSA-4735-1 grub2 -- security update, which covers multiple CVE issues regarding the GRUB2 UEFI SecureBoot 'BootHole' vulnerabilities.

Please note that the point release does not constitute a new version of Debian 10 but only updates some of the packages included. There is no need to throw away old buster media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org will not have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package Reason
appstream-glib Fix build failures in 2020 and later
asunder Use gnudb instead of freedb by default
b43-fwcutter Ensure removal succeeds under non-English locales; do not fail removal if some files no longer exist; fix missing dependencies on pciutils and ca-certificates
balsa Provide server identity when validating certificates, allowing successful validation when using the glib-networking patch for CVE-2020-13645
base-files Update for the point release
batik Fix server-side request forgery via xlink:href attributes [CVE-2019-17566]
borgbackup Fix index corruption bug leading to data loss
bundler Update required version of ruby-molinillo
c-icap-modules Add support for ClamAV 0.102
cacti Fix issue where UNIX timestamps after September 13th 2020 were rejected as graph start / end; fix remote code execution [CVE-2020-7237], cross-site scripting [CVE-2020-7106], CSRF issue [CVE-2020-13231]; disabling a user account does not immediately invalidate permissions [CVE-2020-13230]
calamares-settings-debian Enable displaymanager module, fixing autologin options; use xdg-user-dir to specify Desktop directory
clamav New upstream release; security fixes [CVE-2020-3327 CVE-2020-3341 CVE-2020-3350 CVE-2020-3327 CVE-2020-3481]
cloud-init New upstream release
commons-configuration2 Prevent object creation when loading YAML files [CVE-2020-1953]
confget Fix the Python module's handling of values containing =
dbus New upstream stable release; prevent a denial of service issue [CVE-2020-12049]; prevent use-after-free if two usernames share a uid
debian-edu-config Fix loss of dynamically allocated IPv4 address
debian-installer Update Linux ABI to 4.19.0-10
debian-installer-netboot-images Rebuild against proposed-updates
debian-ports-archive-keyring Increase the expiration date of the 2020 key (84C573CD4E1AFD6C) by one year; add Debian Ports Archive Automatic Signing Key (2021); move the 2018 key (ID: 06AED62430CB581C) to the removed keyring
debian-security-support Update support status of several packages
dpdk New upstream release
exiv2 Adjust overly restrictive security patch [CVE-2018-10958 and CVE-2018-10999]; fix denial of service issue [CVE-2018-16336]
fdroidserver Fix Litecoin address validation
file-roller Security fix [CVE-2020-11736]
freerdp2 Fix smartcard logins; security fixes [CVE-2020-11521 CVE-2020-11522 CVE-2020-11523 CVE-2020-11524 CVE-2020-11525 CVE-2020-11526]
fwupd New upstream release; fix possible signature verification issue [CVE-2020-10759]; use rotated Debian signing keys
fwupd-amd64-signed New upstream release; fix possible signature verification issue [CVE-2020-10759]; use rotated Debian signing keys
fwupd-arm64-signed New upstream release; fix possible signature verification issue [CVE-2020-10759]; use rotated Debian signing keys
fwupd-armhf-signed New upstream release; fix possible signature verification issue [CVE-2020-10759]; use rotated Debian signing keys
fwupd-i386-signed New upstream release; fix possible signature verification issue [CVE-2020-10759]; use rotated Debian signing keys
fwupdate Use rotated Debian signing keys
fwupdate-amd64-signed Use rotated Debian signing keys
fwupdate-arm64-signed Use rotated Debian signing keys
fwupdate-armhf-signed Use rotated Debian signing keys
fwupdate-i386-signed Use rotated Debian signing keys
gist Avoid deprecated authorization API
glib-networking Return bad identity error if identity is unset [CVE-2020-13645]; break balsa older than 2.5.6-2+deb10u1 as the fix for CVE-2020-13645 breaks balsa's certificate verification
gnutls28 Fix TLS1.2 resumption errors; fix memory leak; handle zero length session tickets, fixing connection errors on TLS1.2 sessions to some big hosting providers; fix verification error with alternate chains
intel-microcode Downgrade some microcodes to previously issued versions, working around hangs on boot on Skylake-U/Y and Skylake Xeon E3
jackson-databind Fix multiple security issues affecting BeanDeserializerFactory [CVE-2020-9548 CVE-2020-9547 CVE-2020-9546 CVE-2020-8840 CVE-2020-14195 CVE-2020-14062 CVE-2020-14061 CVE-2020-14060 CVE-2020-11620 CVE-2020-11619 CVE-2020-11113 CVE-2020-11112 CVE-2020-11111 CVE-2020-10969 CVE-2020-10968 CVE-2020-10673 CVE-2020-10672 CVE-2019-20330 CVE-2019-17531 and CVE-2019-17267]
jameica Add mckoisqldb to classpath, allowing use of SynTAX plugin
jigdo Fix HTTPS support in jigdo-lite and jigdo-mirror
ksh Fix environment variable restriction issue [CVE-2019-14868]
lemonldap-ng Fix nginx configuration regression introduced by the fix for CVE-2019-19791
libapache-mod-jk Rename Apache configuration file so it can be automatically enabled and disabled
libclamunrar New upstream stable release; add an unversioned meta-package
libembperl-perl Handle error pages from Apache >= 2.4.40
libexif Security fixes [CVE-2020-12767 CVE-2020-0093 CVE-2020-13112 CVE-2020-13113 CVE-2020-13114]; fix buffer overflow [CVE-2020-0182] and integer overflow [CVE-2020-0198]
libinput Quirks: add trackpoint integration attribute
libntlm Fix buffer overflow [CVE-2019-17455]
libpam-radius-auth Fix buffer overflow in password field [CVE-2015-9542]
libunwind Fix segfaults on mips; manually enable C++ exception support only on i386 and amd64
libyang Fix cache corruption crash [CVE-2019-19333 CVE-2019-19334]
linux New upstream stable release
linux-latest Update for 4.19.0-10 kernel ABI
linux-signed-amd64 New upstream stable release
linux-signed-arm64 New upstream stable release
linux-signed-i386 New upstream stable release
lirc Fix conffile management
mailutils maidag: drop setuid privileges for all delivery operations but mda [CVE-2019-18862]
mariadb-10.3 New upstream stable release; security fixes [CVE-2020-2752 CVE-2020-2760 CVE-2020-2812 CVE-2020-2814 CVE-2020-13249]; fix regression in RocksDB ZSTD detection
mod-gnutls Fix a possible segfault on failed TLS handshake; fix test failures
multipath-tools kpartx: use correct path to partx in udev rule
mutt Don't check IMAP PREAUTH encryption if $tunnel is in use
mydumper Link against libm
nfs-utils statd: take user-id from /var/lib/nfs/sm [CVE-2019-3689]; don't make /var/lib/nfs owned by statd
nginx Fix error page request smuggling vulnerability [CVE-2019-20372]
nmap Update default key size to 2048 bits
node-dot-prop Fix regression introduced in CVE-2020-8116 fix
node-handlebars Disallow calling helperMissing and blockHelperMissing directly [CVE-2019-19919]
node-minimist Fix prototype pollution [CVE-2020-7598]
nvidia-graphics-drivers New upstream stable release; security fixes [CVE-2020-5963 CVE-2020-5967]
nvidia-graphics-drivers-legacy-390xx New upstream stable release; security fixes [CVE-2020-5963 CVE-2020-5967]
openstack-debian-images Install resolvconf if installing cloud-init
pagekite Avoid issues with expiry of shipped SSL certificates by using those from the ca-certificates package
pdfchain Fix crash at startup
perl Fix multiple regular expression related security issues [CVE-2020-10543 CVE-2020-10878 CVE-2020-12723]
php-horde Fix cross-site scripting vulnerability [CVE-2020-8035]
php-horde-gollem Fix cross-site scripting vulnerability in breadcrumb output [CVE-2020-8034]
pillow Fix multiple out-of-bounds read issues [CVE-2020-11538 CVE-2020-10378 CVE-2020-10177]
policyd-rate-limit Fix issues in accounting due to socket reuse
postfix New upstream stable release; fix segfault in the tlsproxy client role when the server role was disabled; fix maillog_file_rotate_suffix default value, which used the minute instead of the month; fix several TLS related issues; README.Debian fixes
python-markdown2 Fix cross-site scripting issue [CVE-2020-11888]
python3.7 Avoid infinite loop when reading specially crafted TAR files using the tarfile module [CVE-2019-20907]; resolve hash collisions for IPv4Interface and IPv6Interface [CVE-2020-14422]; fix denial of service issue in urllib.request.AbstractBasicAuthHandler [CVE-2020-8492]
qdirstat Fix saving of user-configured MIME categories
raspi3-firmware Fix typo that could lead to unbootable systems
resource-agents IPsrcaddr: make proto optional to fix regression when used without NetworkManager
ruby-json Fix unsafe object creation vulnerability [CVE-2020-10663]
shim Use rotated Debian signing keys
shim-helpers-amd64-signed Use rotated Debian signing keys
shim-helpers-arm64-signed Use rotated Debian signing keys
shim-helpers-i386-signed Use rotated Debian signing keys
speedtest-cli Pass correct headers to fix upload speed test
ssvnc Fix out-of-bounds write [CVE-2018-20020], infinite loop [CVE-2018-20021], improper initialisation [CVE-2018-20022], potential denial-of-service [CVE-2018-20024]
storebackup Fix possible privilege escalation vulnerability [CVE-2020-7040]
suricata Fix dropping privileges in nflog runmode
tigervnc Don't use libunwind on armel, armhf or arm64
transmission Fix possible denial of service issue [CVE-2018-10756]
wav2cdr Use C99 fixed-size integer types to fix runtime assertion on 64bit architectures other than amd64 and alpha
zipios++ Security fix [CVE-2019-13453]

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-4626 php7.3
DSA-4674 roundcube
DSA-4675 graphicsmagick
DSA-4676 salt
DSA-4677 wordpress
DSA-4678 firefox-esr
DSA-4679 keystone
DSA-4680 tomcat9
DSA-4681 webkit2gtk
DSA-4682 squid
DSA-4683 thunderbird
DSA-4684 libreswan
DSA-4685 apt
DSA-4686 apache-log4j1.2
DSA-4687 exim4
DSA-4688 dpdk
DSA-4689 bind9
DSA-4690 dovecot
DSA-4691 pdns-recursor
DSA-4692 netqmail
DSA-4694 unbound
DSA-4695 firefox-esr
DSA-4696 nodejs
DSA-4697 gnutls28
DSA-4699 linux-signed-amd64
DSA-4699 linux-signed-arm64
DSA-4699 linux-signed-i386
DSA-4699 linux
DSA-4700 roundcube
DSA-4701 intel-microcode
DSA-4702 thunderbird
DSA-4704 vlc
DSA-4705 python-django
DSA-4707 mutt
DSA-4708 neomutt
DSA-4709 wordpress
DSA-4710 trafficserver
DSA-4711 coturn
DSA-4712 imagemagick
DSA-4713 firefox-esr
DSA-4714 chromium
DSA-4716 docker.io
DSA-4718 thunderbird
DSA-4719 php7.3
DSA-4720 roundcube
DSA-4721 ruby2.5
DSA-4722 ffmpeg
DSA-4723 xen
DSA-4724 webkit2gtk
DSA-4725 evolution-data-server
DSA-4726 nss
DSA-4727 tomcat9
DSA-4728 qemu
DSA-4729 libopenmpt
DSA-4730 ruby-sanitize
DSA-4731 redis
DSA-4732 squid
DSA-4733 qemu
DSA-4735 grub-efi-amd64-signed
DSA-4735 grub-efi-arm64-signed
DSA-4735 grub-efi-ia32-signed
DSA-4735 grub2

Removed Packages

The following packages were removed due to circumstances beyond our control:

Package Reason
golang-github-unknwon-cae Security issues; unmaintained
janus Not supportable in stable
mathematica-fonts Relies on unavailable download location
matrix-synapse Security issues; unsupportable
selenium-firefoxdriver Incompatible with newer Firefox ESR versions

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete list of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/buster/ChangeLog

The current stable distribution:

http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates

Stable distribution information (release notes, known issues, etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.