Updated Debian 10: 10.6 released
September 26th, 2020
The Debian project is pleased to announce the sixth update of its
stable distribution Debian 10 (codename buster).
This point release mainly adds corrections for security issues,
along with a few adjustments for serious problems. Security advisories
have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 10 but only updates some of the packages included. There is no need to throw away old buster media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
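As an added illustration of the upgrade path described above (this script is not part of the Debian announcement), the following POSIX shell functions check that the apt sources track the buster suite, apply the point release, and confirm afterwards that /etc/debian_version has moved to 10.6 or later. The mirror names deb.debian.org and security.debian.org, the `--apply` flag and the helper names are assumptions of this example, not anything the release team ships.

```shell
#!/bin/sh
# Added example for this announcement; it is not part of the Debian text.
# Assumes a host already running Debian 10 and that deb.debian.org and
# security.debian.org are the mirrors you want (substitute a mirror from
# Debian's mirror list if you prefer a closer one).
set -eu

# Return 0 when a /etc/debian_version string is "MAJOR.MINOR" with the same
# major as $2 and a minor >= that of $2 (e.g. "10.6"); 1 otherwise.
# Values such as "bullseye/sid" or a bare "10" return 1.
buster_at_least() {
    ver=$1
    want=$2
    case "$ver" in
        *[!0-9.]*|''|.*|*.|*.*.*) return 1 ;;   # non-numeric or malformed
        *.*) ;;                                  # exactly one dot: accepted
        *) return 1 ;;                           # no minor component
    esac
    [ "${ver%%.*}" -eq "${want%%.*}" ] && [ "${ver#*.}" -ge "${want#*.}" ]
}

# Return 0 when at least one active "deb" line in the given sources.list text
# tracks buster (or buster/updates on security.debian.org), so that
# "apt-get full-upgrade" will pick up the point release. Commented-out lines
# and deb-src lines do not count.
sources_track_buster() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*deb[[:space:]]+(\[[^]]*\][[:space:]]+)?[^[:space:]]+[[:space:]]+(buster|buster/updates)([[:space:]]|$)'
}

# Apply the point release: refresh package lists from the configured mirrors,
# upgrade every installed package (full-upgrade also pulls in the new -11
# kernel ABI metapackages), then confirm the recorded version moved.
apply_point_release() {
    sources=$(cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list 2>/dev/null || true)
    if ! sources_track_buster "$sources"; then
        echo "no active buster deb line in apt sources; refusing to upgrade" >&2
        return 1
    fi
    apt-get update
    apt-get -y full-upgrade
    if buster_at_least "$(cat /etc/debian_version)" 10.6; then
        echo "now at Debian $(cat /etc/debian_version)"
    else
        echo "upgrade finished but /etc/debian_version reads $(cat /etc/debian_version)" >&2
        return 1
    fi
}

# Only perform the upgrade when explicitly asked, so the functions above can
# be sourced or tested without touching the system.
if [ "${1:-}" = "--apply" ]; then
    apply_point_release
fi
```

Run it as root with `--apply` on a buster host; without the flag it only defines the helpers. The sources check is deliberate: a machine whose sources still point at a frozen snapshot or at another suite will happily run `apt-get update` and report nothing to do, which is easy to mistake for "already up to date".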
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages.
Note that, due to build issues, the updates for the cargo, rustc and rust-cbindgen packages are currently not available for the armel architecture. They may be added at a later date if the issues are resolved.
Package | Reason |
---|---|
arch-test | Fix detection of s390x sometimes failing |
asterisk | Fix crash when negotiating for T.38 with a declined stream [CVE-2019-15297]; SIP request could change the address of a SIP peer [CVE-2019-18790]; AMI user could execute system commands [CVE-2019-18610]; segfault in pjsip show history with IPv6 peers |
bacula | Fix heap overflow in the director's memory caused by oversized digest strings from a malicious client [CVE-2020-11061] |
base-files | Update /etc/debian_version for the point release |
calamares-settings-debian | Disable displaymanager module |
cargo | New upstream release, to support upcoming Firefox ESR versions |
chocolate-doom | Fix missing validation [CVE-2020-14983] |
chrony | Prevent symlink race when writing to the PID file [CVE-2020-14367]; fix temperature reading |
debian-installer | Update Linux ABI to 4.19.0-11 |
debian-installer-netboot-images | Rebuild against proposed-updates |
diaspora-installer | Use --frozen option to bundle install to use upstream Gemfile.lock; don't exclude Gemfile.lock during upgrades; don't overwrite config/oidc_key.pem during upgrades; make config/schedule.yml writeable |
dojo | Fix prototype pollution in deepCopy method [CVE-2020-5258] and in jqMix method [CVE-2020-5259] |
dovecot | Fix dsync sieve filter sync regression; fix handling of getpwent result in userdb-passwd |
facter | Change Google GCE Metadata endpoint from v1beta1 to v1 |
gnome-maps | Fix an issue with misaligned shape layer rendering |
gnome-shell | LoginDialog: Reset auth prompt on VT switch before fade in [CVE-2020-17489] |
gnome-weather | Prevent a crash when the configured set of locations are invalid |
grunt | Use safeLoad when loading YAML files [CVE-2020-7729] |
gssdp | New upstream stable release |
gupnp | New upstream stable release; prevent the CallStranger attack [CVE-2020-12695]; require GSSDP 1.0.5 |
haproxy | logrotate.conf: use rsyslog helper instead of SysV init script; reject messages where chunked is missing from Transfer-Encoding [CVE-2019-18277] |
icinga2 | Fix symlink attack [CVE-2020-14004] |
incron | Fix cleanup of zombie processes |
inetutils | Fix remote code execution issue [CVE-2020-10188] |
libcommons-compress-java | Fix denial of service issue [CVE-2019-12402] |
libdbi-perl | Fix memory corruption in XS functions when Perl stack is reallocated [CVE-2020-14392]; fix a buffer overflow on an overlong DBD class name [CVE-2020-14393]; fix a NULL profile dereference in dbi_profile() [CVE-2019-20919] |
libvncserver | libvncclient: bail out if UNIX socket name would overflow [CVE-2019-20839]; fix pointer aliasing/alignment issue [CVE-2020-14399]; limit max textchat size [CVE-2020-14405]; libvncserver: add missing NULL pointer checks [CVE-2020-14397]; fix pointer aliasing/alignment issue [CVE-2020-14400]; scale: cast to 64 bit before shifting [CVE-2020-14401]; prevent OOB accesses [CVE-2020-14402 CVE-2020-14403 CVE-2020-14404] |
libx11 | Fix integer overflows [CVE-2020-14344 CVE-2020-14363] |
lighttpd | Backport several usability and security fixes |
linux | New upstream stable release; increase ABI to 11 |
linux-latest | Update for -11 Linux kernel ABI |
linux-signed-amd64 | New upstream stable release |
linux-signed-arm64 | New upstream stable release |
linux-signed-i386 | New upstream stable release |
llvm-toolchain-7 | New upstream release, to support upcoming Firefox ESR versions; fix bugs affecting rustc build |
lucene-solr | Fix security issue in DataImportHandler configuration handling [CVE-2019-0193] |
milkytracker | Fix heap overflow [CVE-2019-14464], stack overflow [CVE-2019-14496], heap overflow [CVE-2019-14497], use after free [CVE-2020-15569] |
node-bl | Fix over-read vulnerability [CVE-2020-8244] |
node-elliptic | Prevent malleability and overflows [CVE-2020-13822] |
node-mysql | Add localInfile option to control LOAD DATA LOCAL INFILE [CVE-2019-14939] |
node-url-parse | Fix insufficient validation and sanitization of user input [CVE-2020-8124] |
npm | Don't show password in logs [CVE-2020-15095] |
orocos-kdl | Remove explicit inclusion of default include path, fixing issues with cmake < 3.16 |
postgresql-11 | New upstream stable release; set a secure search_path in logical replication walsenders and apply workers [CVE-2020-14349]; make contrib modules' installation scripts more secure [CVE-2020-14350] |
postgresql-common | Don't drop plpgsql before testing extensions |
pyzmq | Asyncio: wait for POLLOUT on sender in can_connect |
qt4-x11 | Fix buffer overflow in XBM parser [CVE-2020-17507] |
qtbase-opensource-src | Fix buffer overflow in XBM parser [CVE-2020-17507]; fix clipboard breaking when timer wraps after 50 days |
ros-actionlib | Load YAML safely [CVE-2020-10289] |
rustc | New upstream release, to support upcoming Firefox ESR versions |
rust-cbindgen | New upstream release, to support upcoming Firefox ESR versions |
ruby-ronn | Fix handling of UTF-8 content in manpages |
s390-tools | Hardcode perl dependency instead of using ${perl:Depends}, fixing installation under debootstrap |
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Debian Installer
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
stable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.