Updated Debian 10: 10.11 released
October 9th, 2021
The Debian project is pleased to announce the eleventh update of its
oldstable distribution Debian 10 (codename buster).
This point release mainly adds corrections for security issues,
along with a few adjustments for serious problems. Security advisories
have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian
10 but only updates some of the packages included. There is
no need to throw away old buster media. After installation,
packages can be upgraded to the current versions using an up-to-date Debian
mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This oldstable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
atftp | Fix buffer overflow [CVE-2021-41054] |
base-files | Update for the 10.11 point release |
btrbk | Fix arbitrary code execution issue [CVE-2021-38173] |
clamav | New upstream stable release; fix clamdscan segfaults when --fdpass and --multipass are used together with ExcludePath |
commons-io | Fix path traversal issue [CVE-2021-29425] |
cyrus-imapd | Fix denial-of-service issue [CVE-2021-33582] |
debconf | Check that whiptail or dialog is actually usable |
debian-installer | Rebuild against buster-proposed-updates; update Linux ABI to 4.19.0-18 |
debian-installer-netboot-images | Rebuild against buster-proposed-updates |
distcc | Fix GCC cross-compiler links in update-distcc-symlinks and add support for clang and CUDA (nvcc) |
distro-info-data | Update included data for several releases |
dwarf-fortress | Remove undistributable prebuilt shared libraries from the source tarball |
espeak-ng | Fix using espeak with mbrola-fr4 when mbrola-fr1 is not installed |
gcc-mingw-w64 | Fix gcov handling |
gthumb | Fix heap-based buffer overflow issue [CVE-2019-20326] |
hg-git | Fix test failures with recent git versions |
htslib | Fix autopkgtest on i386 |
http-parser | Fix HTTP request smuggling issue [CVE-2019-15605] |
irssi | Fix use after free issue when sending SASL login to the server [CVE-2019-13045] |
java-atk-wrapper | Also use dbus to detect accessibility being enabled |
krb5 | Fix KDC null dereference crash on FAST request with no server field [CVE-2021-37750]; fix memory leak in krb5_gss_inquire_cred |
libdatetime-timezone-perl | New upstream stable release; update DST rules for Samoa and Jordan; confirmation of no leap second on 2021-12-31 |
libpam-tacplus | Prevent shared secrets from being added in plaintext to the system log [CVE-2020-13881] |
linux | proc: Track /proc/$pid/attr/ opener mm_struct, fixing issues with lxc-attach; new upstream stable release; increase ABI version to 18; [rt] Update to 4.19.207-rt88; usb: hso: fix error handling code of hso_create_net_device [CVE-2021-37159] |
linux-latest | Update to 4.19.0-18 kernel ABI |
linux-signed-amd64 | proc: Track /proc/$pid/attr/ opener mm_struct, fixing issues with lxc-attach; new upstream stable release; increase ABI version to 18; [rt] Update to 4.19.207-rt88; usb: hso: fix error handling code of hso_create_net_device [CVE-2021-37159] |
linux-signed-arm64 | proc: Track /proc/$pid/attr/ opener mm_struct, fixing issues with lxc-attach; new upstream stable release; increase ABI version to 18; [rt] Update to 4.19.207-rt88; usb: hso: fix error handling code of hso_create_net_device [CVE-2021-37159] |
linux-signed-i386 | proc: Track /proc/$pid/attr/ opener mm_struct, fixing issues with lxc-attach; new upstream stable release; increase ABI version to 18; [rt] Update to 4.19.207-rt88; usb: hso: fix error handling code of hso_create_net_device [CVE-2021-37159] |
mariadb-10.3 | New upstream stable release; security fixes [CVE-2021-2389 CVE-2021-2372]; fix Perl executable path in scripts |
modsecurity-crs | Fix request body bypass issue [CVE-2021-35368] |
node-ansi-regex | Fix regular expression-based denial of service issue [CVE-2021-3807] |
node-axios | Fix regular expression-based denial of service issue [CVE-2021-3749] |
node-jszip | Use a null prototype object for this.files [CVE-2021-23413] |
node-tar | Remove non-directory paths from the directory cache [CVE-2021-32803]; strip absolute paths more comprehensively [CVE-2021-32804] |
nvidia-cuda-toolkit | Fix setting of NVVMIR_LIBRARY_DIR on ppc64el |
nvidia-graphics-drivers | New upstream stable release; fix denial of service issues [CVE-2021-1093 CVE-2021-1094 CVE-2021-1095]; nvidia-driver-libs: Add Recommends: libnvidia-encode1 |
nvidia-graphics-drivers-legacy-390xx | New upstream stable release; fix denial of service issues [CVE-2021-1093 CVE-2021-1094 CVE-2021-1095]; nvidia-legacy-390xx-driver-libs: Add Recommends: libnvidia-legacy-390xx-encode1 |
postgresql-11 | New upstream stable release; fix mis-planning of repeated application of a projection step [CVE-2021-3677]; disallow SSL renegotiation more completely |
proftpd-dfsg | Fix mod_radius leaking memory contents to the RADIUS server, inability to disable client-initiated renegotiation for FTPS, navigation into symlinked directories, and a mod_sftp crash when using public-key authentication with DSA keys |
psmisc | Fix regression in killall not matching processes with names longer than 15 characters |
python-uflash | Update firmware URL |
request-tracker4 | Fix login timing side-channel attack issue [CVE-2021-38562] |
ring | Fix denial of service issue in the embedded copy of pjproject [CVE-2021-21375] |
sabnzbdplus | Prevent directory escape in renamer function [CVE-2021-29488] |
shim | Add arm64 patch to tweak section layout and stop crashing problems; in insecure mode, don't abort if we can't create the MokListXRT variable; don't abort on grub installation failures; warn instead |
shim-helpers-amd64-signed | Add arm64 patch to tweak section layout and stop crashing problems; in insecure mode, don't abort if we can't create the MokListXRT variable; don't abort on grub installation failures; warn instead |
shim-helpers-arm64-signed | Add arm64 patch to tweak section layout and stop crashing problems; in insecure mode, don't abort if we can't create the MokListXRT variable; don't abort on grub installation failures; warn instead |
shim-helpers-i386-signed | Add arm64 patch to tweak section layout and stop crashing problems; in insecure mode, don't abort if we can't create the MokListXRT variable; don't abort on grub installation failures; warn instead |
shim-signed | Work around boot-breaking issues on arm64 by including an older known working version of unsigned shim on that platform; switch arm64 back to using a current unsigned build; add arm64 patch to tweak section layout and stop crashing problems; in insecure mode, don't abort if we can't create the MokListXRT variable; don't abort on grub installation failures; warn instead |
shiro | Fix authentication bypass issues [CVE-2020-1957 CVE-2020-11989 CVE-2020-13933 CVE-2020-17510]; update Spring Framework compatibility patch; support Guice 4 |
tzdata | Update DST rules for Samoa and Jordan; confirm the absence of a leap second on 2021-12-31 |
ublock-origin | New upstream stable release; fix denial of service issue [CVE-2021-36773] |
ulfius | Ensure memory is initialised before use [CVE-2021-40540] |
xmlgraphics-commons | Fix Server-Side Request Forgery issue [CVE-2020-11988] |
yubikey-manager | Add missing dependency on python3-pkg-resources to yubikey-manager |
Security Updates
This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
birdtray | Incompatible with newer Thunderbird versions |
libprotocol-acme-perl | Only supports obsolete ACME version 1 |
Debian Installer
The installer has been updated to include the fixes incorporated into oldstable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current oldstable distribution:
Proposed updates to the oldstable distribution:
oldstable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.