Updated Debian 10: 10.6 released

September 26th, 2020

The Debian project is pleased to announce the sixth update of its stable distribution Debian 10 (codename buster). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 10 but only updates some of the packages included. There is no need to throw away old buster media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages.

Note that, due to build issues, the updates for the cargo, rustc and rustc-bindgen packages are currently not available for the armel architecture. They may be added at a later date if the issues are resolved.

Package	Reason
arch-test	Fix detection of s390x sometimes failing
asterisk	Fix crash when negotiating for T.38 with a declined stream [CVE-2019-15297], SIP request can change address of a SIP peer [CVE-2019-18790], AMI user could execute system commands [CVE-2019-18610], segfault in pjsip show history with IPv6 peers
bacula	Fix oversized digest strings allow a malicious client to cause a heap overflow in the director's memory [CVE-2020-11061]
base-files	Update /etc/debian_version for the point release
calamares-settings-debian	Disable displaymanager module
cargo	New upstream release, to support upcoming Firefox ESR versions
chocolate-doom	Fix missing validation [CVE-2020-14983]
chrony	Prevent symlink race when writing to the PID file [CVE-2020-14367]; fix temperature reading
debian-installer	Update Linux ABI to 4.19.0-11
debian-installer-netboot-images	Rebuild against proposed-updates
diaspora-installer	Use --frozen option to bundle install to use upstream Gemfile.lock; don't exclude Gemfile.lock during upgrades; don't overwrite config/oidc_key.pem during upgrades; make config/schedule.yml writeable
dojo	Fix prototype pollution in deepCopy method [CVE-2020-5258] and in jqMix method [CVE-2020-5259]
dovecot	Fix dsync sieve filter sync regression; fix handling of getpwent result in userdb-passwd
facter	Change Google GCE Metadata endpoint from v1beta1 to v1
gnome-maps	Fix an issue with misaligned shape layer rendering
gnome-shell	LoginDialog: Reset auth prompt on VT switch before fade in [CVE-2020-17489]
gnome-weather	Prevent a crash when the configured set of locations are invalid
grunt	Use safeLoad when loading YAML files [CVE-2020-7729]
gssdp	New upstream stable release
gupnp	New upstream stable release; prevent the CallStranger attack [CVE-2020-12695]; require GSSDP 1.0.5
haproxy	logrotate.conf: use rsyslog helper instead of SysV init script; reject messages where chunked is missing from Transfer-Encoding [CVE-2019-18277]
icinga2	Fix symlink attack [CVE-2020-14004]
incron	Fix cleanup of zombie processes
inetutils	Fix remote code execution issue [CVE-2020-10188]
libcommons-compress-java	Fix denial of service issue [CVE-2019-12402]
libdbi-perl	Fix memory corruption in XS functions when Perl stack is reallocated [CVE-2020-14392]; fix a buffer overflow on an overlong DBD class name [CVE-2020-14393]; fix a NULL profile dereference in dbi_profile() [CVE-2019-20919]
libvncserver	libvncclient: bail out if UNIX socket name would overflow [CVE-2019-20839]; fix pointer aliasing/alignment issue [CVE-2020-14399]; limit max textchat size [CVE-2020-14405]; libvncserver: add missing NULL pointer checks [CVE-2020-14397]; fix pointer aliasing/alignment issue [CVE-2020-14400]; scale: cast to 64 bit before shifting [CVE-2020-14401]; prevent OOB accesses [CVE-2020-14402 CVE-2020-14403 CVE-2020-14404]
libx11	Fix integer overflows [CVE-2020-14344 CVE-2020-14363]
lighttpd	Backport several usability and security fixes
linux	New upstream stable release; increase ABI to 11
linux-latest	Update for -11 Linux kernel ABI
linux-signed-amd64	New upstream stable release
linux-signed-arm64	New upstream stable release
linux-signed-i386	New upstream stable release
llvm-toolchain-7	New upstream release, to support upcoming Firefox ESR versions; fix bugs affecting rustc build
lucene-solr	Fix security issue in DataImportHandler configuration handling [CVE-2019-0193]
milkytracker	Fix heap overflow [CVE-2019-14464], stack overflow [CVE-2019-14496], heap overflow [CVE-2019-14497], use after free [CVE-2020-15569]
node-bl	Fix over-read vulnerability [CVE-2020-8244]
node-elliptic	Prevent malleability and overflows [CVE-2020-13822]
node-mysql	Add localInfile option to control LOAD DATA LOCAL INFILE [CVE-2019-14939]
node-url-parse	Fix insufficient validation and sanitization of user input [CVE-2020-8124]
npm	Don't show password in logs [CVE-2020-15095]
orocos-kdl	Remove explicit inclusion of default include path, fixing issues with cmake < 3.16
postgresql-11	New upstream stable release; set a secure search_path in logical replication walsenders and apply workers [CVE-2020-14349]; make contrib modules' installation scripts more secure [CVE-2020-14350]
postgresql-common	Don't drop plpgsql before testing extensions
pyzmq	Asyncio: wait for POLLOUT on sender in can_connect
qt4-x11	Fix buffer overflow in XBM parser [CVE-2020-17507]
qtbase-opensource-src	Fix buffer overflow in XBM parser [CVE-2020-17507]; fix clipboard breaking when timer wraps after 50 days
ros-actionlib	Load YAML safely [CVE-2020-10289]
rustc	New upstream release, to support upcoming Firefox ESR versions
rust-cbindgen	New upstream release, to support upcoming Firefox ESR versions
ruby-ronn	Fix handling of UTF-8 content in manpages
s390-tools	Hardcode perl dependency instead of using ${perl:Depends}, fixing installation under debootstrap

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID	Package
DSA-4662	openjdk-11
DSA-4734	openjdk-11
DSA-4736	firefox-esr
DSA-4737	xrdp
DSA-4738	ark
DSA-4739	webkit2gtk
DSA-4740	thunderbird
DSA-4741	json-c
DSA-4742	firejail
DSA-4743	ruby-kramdown
DSA-4744	roundcube
DSA-4745	dovecot
DSA-4746	net-snmp
DSA-4747	icingaweb2
DSA-4748	ghostscript
DSA-4749	firefox-esr
DSA-4750	nginx
DSA-4751	squid
DSA-4752	bind9
DSA-4753	mupdf
DSA-4754	thunderbird
DSA-4755	openexr
DSA-4756	lilypond
DSA-4757	apache2
DSA-4758	xorg-server
DSA-4759	ark
DSA-4760	qemu
DSA-4761	zeromq3
DSA-4762	lemonldap-ng
DSA-4763	teeworlds
DSA-4764	inspircd
DSA-4765	modsecurity

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/buster/ChangeLog

The current stable distribution:

http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.