更新 Debian 10:10.8 版本已发布

2021年02月06日

Debian 项目很高兴地宣布稳定发行版 Debian 10(代号 buster)的第八次更新。 此节点版本主要针对安全问题进行了修复,并针对严重问题进行了一些调整。安全警告已单独发布,并可引用。

请注意此节点版本并不构成 Debian 10 的新版本,仅更新了其中的一部分软件包。没有必要换掉旧的 buster 安装媒介。 在安装后,可以使用最新的 Debian 镜像将软件包升级到当前版本。

经常从 security.debian.org 安装更新的用户无需更新很多软件包,大多数这样的更新都包含在节点版本中。

新的安装镜像将很快在常规位置提供。

将包管理器指向 Debian 的众多 HTTP 镜像之一,可以将现有的安装升级到此版本。访问以下网址以获得所有镜像的列表:

https://www.debian.org/mirror/list

其他错误修复

此稳定版更新为以下软件包作了一些重要的修复:

软件包 原因
atftp Fix denial of service issue [CVE-2020-6097]
base-files Update /etc/debian_version for the 10.8 point release
ca-certificates Update Mozilla CA bundle to 2.40, blacklist expired AddTrust External Root
cacti Fix SQL injection issue [CVE-2020-35701] and stored XSS issue
cairo Fix mask usage in image-compositor [CVE-2020-35492]
choose-mirror Update mirror list
cjson Fix infinite loop in cJSON_Minify
clevis Fix initramfs creation; clevis-dracut: Trigger initramfs creation upon installation
cyrus-imapd Fix version comparison in cron script
debian-edu-config Move host keytabs cleanup code out of gosa-modify-host into a standalone script, reducing LDAP calls to a single query
debian-installer Use 4.19.0-14 Linux kernel ABI; rebuild against proposed-updates
debian-installer-netboot-images Rebuild against proposed-updates
debian-installer-utils Support partitions on USB UAS devices
device-tree-compiler Fix segfault on dtc -I fs /proc/device-tree
didjvu Add missing build-dependency on tzdata
dovecot Fix crash when searching mailboxes containing malformed MIME messages
dpdk New upstream stable release
edk2 CryptoPkg/BaseCryptLib: fix NULL dereference [CVE-2019-14584]
emacs Don't crash with OpenPGP User IDs with no e-mail address
fcitx Fix input method support in Flatpaks
file Increase name recursion depth to 50 by default
geoclue-2.0 Check the maximum allowed accuracy level even for system applications; make the Mozilla API key configurable and use a Debian-specific key by default; fix display of the usage indicator
gnutls28 Fix test suite error caused by expired certificate
grub2 When upgrading grub-pc noninteractively, bail out if grub-install fails; explicitly check whether the target device exists before running grub-install; grub-install: Add backup and restore; don't call grub-install on fresh install of grub-pc
highlight.js Fix prototype pollution [CVE-2020-26237]
intel-microcode Update various microcode
iproute2 Fix bugs in JSON output; fix race condition that DOSes the system when using ip netns add at boot
irssi-plugin-xmpp Do not trigger the irssi core connect timeout prematurely, thus fixing STARTTLS connections
libdatetime-timezone-perl Update for new tzdata version
libdbd-csv-perl Fix test failure with libdbi-perl 1.642-1+deb10u2
libdbi-perl Security fix [CVE-2014-10402]
libmaxminddb Fix heap-based buffer over-read [CVE-2020-28241]
lttng-modules Fix build on kernel versions >= 4.19.0-10
m2crypto Fix compatibility with OpenSSL 1.1.1i and newer
mini-buildd builder.py: sbuild call: set '--no-arch-all' explicitly
net-snmp snmpd: Add cacheTime and execType flags to EXTEND-MIB
node-ini Do not allow invalid hazardous string as section name [CVE-2020-7788]
node-y18n Fix prototype pollution issue [CVE-2020-7774]
nvidia-graphics-drivers New upstream release; fix possible denial of service and information disclosure [CVE-2021-1056]
nvidia-graphics-drivers-legacy-390xx New upstream release; fix possible denial of service and information disclosure [CVE-2021-1056]
pdns Security fixes [CVE-2019-10203 CVE-2020-17482]
pepperflashplugin-nonfree Turn into a dummy package taking care of removing the previously installed plugin (no longer functional nor supported)
pngcheck Fix buffer overflow [CVE-2020-27818]
postgresql-11 New upstream stable release; security fixes [CVE-2020-25694 CVE-2020-25695 CVE-2020-25696]
postsrsd Ensure timestamp tags aren't too long before trying to decode them [CVE-2020-35573]
python-bottle Stop allowing ; as a query-string separator [CVE-2020-28473]
python-certbot Automatically use ACMEv2 API for renewals, to avoid issues with ACMEv1 API removal
qxmpp Fix potential SEGFAULT on connection error
silx python(3)-silx: Add dependency on python(3)-scipy
slirp Fix buffer overflows [CVE-2020-7039 CVE-2020-8608]
steam New upstream release
systemd journal: do not trigger assertion when journal_file_close() is passed NULL
tang Avoid race condition between keygen and update
tzdata New upstream release; update included timezone data
unzip Apply further fixes for CVE-2019-13232
wireshark Fix various crashes, infinite loops and memory leaks [CVE-2019-16319 CVE-2019-19553 CVE-2020-11647 CVE-2020-13164 CVE-2020-15466 CVE-2020-25862 CVE-2020-25863 CVE-2020-26418 CVE-2020-26421 CVE-2020-26575 CVE-2020-28030 CVE-2020-7045 CVE-2020-9428 CVE-2020-9430 CVE-2020-9431]

安全更新

此修订版在稳定版本中添加了以下安全更新。 安全团队已经为每个更新发布了相关建议:

公告序号 软件包
DSA-4797 webkit2gtk
DSA-4801 brotli
DSA-4802 thunderbird
DSA-4803 xorg-server
DSA-4804 xen
DSA-4805 trafficserver
DSA-4806 minidlna
DSA-4807 openssl
DSA-4808 apt
DSA-4809 python-apt
DSA-4810 lxml
DSA-4811 libxstream-java
DSA-4812 xen
DSA-4813 firefox-esr
DSA-4814 xerces-c
DSA-4815 thunderbird
DSA-4816 mediawiki
DSA-4817 php-pear
DSA-4818 sympa
DSA-4819 kitty
DSA-4820 horizon
DSA-4821 roundcube
DSA-4822 p11-kit
DSA-4823 influxdb
DSA-4824 chromium
DSA-4825 dovecot
DSA-4827 firefox-esr
DSA-4828 libxstream-java
DSA-4829 coturn
DSA-4830 flatpak
DSA-4831 ruby-redcarpet
DSA-4832 chromium
DSA-4833 gst-plugins-bad1.0
DSA-4834 vlc
DSA-4835 tomcat9
DSA-4837 salt
DSA-4838 mutt
DSA-4839 sudo
DSA-4840 firefox-esr
DSA-4841 slurm-llnl
DSA-4843 linux-latest
DSA-4843 linux-signed-amd64
DSA-4843 linux-signed-arm64
DSA-4843 linux-signed-i386
DSA-4843 linux

删除的软件包

由于现有条件限制,我们删除了下列软件包:

软件包 原因
compactheader Incompatible with current Thunderbird versions

Debian 安装器

安装程序已更新,现已包含节点版本中整合到稳定版中的修复程序。

相关网页链接

随此修订版更改的包的完整列表:

http://ftp.debian.org/debian/dists/buster/ChangeLog

当前稳定版分发:

http://ftp.debian.org/debian/dists/stable/

稳定版分发的计划更新:

http://ftp.debian.org/debian/dists/proposed-updates

稳定版分发信息(发行说明、勘误表等):

https://www.debian.org/releases/stable/

安全公告与信息:

https://www.debian.org/security/

关于 Debian

Debian 是自由软件开发者们的协会,他们自愿贡献时间参与开发,致力于创建完全自由的操作系统 Debian。

联系我们

请访问 Debian 网站 https://www.debian.org/,发送邮件到 <press@debian.org> , 或通过 <debian-release@lists.debian.org> 联系稳定版发行团队以了解更多信息。