The Debian project has announced the second update of its stable distribution Debian 10. This update come with 66 bug fixes and 98 security updates.
------------------------------------------------------------------------
The Debian Project https://www.debian.org/
Updated Debian 10: 10.2 released press@debian.org
November 16th, 2019 https://www.debian.org/News/2019/20191116
------------------------------------------------------------------------
The Debian project is pleased to announce the second update of its stable distribution Debian 10 (codename "buster"). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 10 but only updates some of the packages included. There is no need to throw away old "buster" media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
https://www.debian.org/mirror/list
Miscellaneous Bugfixes
----------------------
This stable update adds a few important corrections to the following packages:
+---------------------------+-----------------------------------------+
| Package | Reason |
+---------------------------+-----------------------------------------+
aegisub [1] | Fix crash when selecting a language from the bottom of the "Spell checker language" list; fix crash when right-clicking in the subtitles text box
akonadi [2] | Fix various crashes / deadlock issues
base-files [3] | Update /etc/debian_version for the point release
capistrano [4] | Fix failure to remove old releases when there were too many
cron [5] | Stop using obsolete SELinux API
cyrus-imapd [6] | Fix data loss on upgrade from version 3.0.0 or earlier
debian-edu-config [7] | Handle newer Firefox ESR configuration files; add post-up stanza to /etc/network/interfaces eth0 entry conditionally
debian-installer [8] | Fix unreadable fonts on hidpi displays in netboot images booted with EFI
debian-installer-netboot-images[9] | Rebuild against proposed-updates
distro-info-data [10] | Add Ubuntu 20.04 LTS, Focal Fossa
dkimpy-milter [11] | New upstream stable release; fix sysvinit support; catch more ASCII encoding errors to improve resilience against bad data; fix message extraction so that signing in the same pass through the milter as verifying works correctly
emacs [12] | Update the EPLA packaging key
fence-agents [13] | Fix incomplete removal of fence_amt_ws |
flatpak [14] | New upstream stable release
flightcrew [15] | Security fixes [CVE-2019-13032 CVE-2019-13241]
fonts-noto-cjk [16] | Fix over-aggressive font selection of Noto CJK fonts in modern web browsers under Chinese locale
freetype [17] | Properly handle phantom points for variable hinted fonts
gdb [18] | Rebuild against new libbabeltrace, with higher version number to avoid conflict with earlier upload
glib2.0 [19] | Ensure libdbus clients can authenticate with a GDBusServer like the one in ibus
gnome-shell [20] | New upstream stable release; fix truncation of long messages in Shell-modal dialogs; avoid crash on reallocation of dead actors
gnome-sound-recorder [21] | Fix crash when selecting a recording
gnustep-base [22] | Disable gdomap daemon that was accidentally enabled on upgrades from stretch
graphite-web [23] | Remove unused "send_email" function [CVE-2017-18638]; avoid hourly error in cron when there is no whisper database
inn2 [24] | Fix negotiation of DHE ciphersuites
libapache-mod-auth- | Fix use after free bug leading to crash
kerb [25]
perl [26]
perl [27]
libofx [28] Fix null pointer dereference issue [CVE-2019-9656]
libreoffice [29] | Fix the postgresql driver with PostgreSQL 12
libsixel [30] | Fix several security issues [CVE-2018-19756 CVE-2018-19757 CVE-2018-19759 CVE-2018-19761 CVE-2018-19762 CVE-2018-19763 CVE-2019-3573 CVE-2019-3574]
libxslt [31] | Fix dangling pointer in xsltCopyText [CVE-2019-18197]
lucene-solr [32] | Disable obsolete call to ContextHandler in solr-jetty9.xml; fix Jetty permissions on SOLR index
mariadb-10.3 [33] | New upstream stable release
modsecurity-crs [34] | Fix PHP script upload rules [CVE-2019-13464]
mutter [35] | New upstream stable release
ncurses [36] | Fix several security issues [CVE-2019-17594 CVE-2019-17595] and other issues in tic
ndppd [37] | Avoid world writable PID file, that was breaking daemon init scripts
network-manager [38] | Fix file permissions for "/var/lib/NetworkManager/secret_key" and /var/lib/NetworkManager
node-fstream [39] | Fix arbitrary file overwrite issue [CVE-2019-13173]
node-set-value [40] | Fix prototype pollution [CVE-2019- 10747]
node-yarnpkg [41] | Force using HTTPS for regular registries
nx-libs [42] | Fix regressions introduced in previous upload, affecting x2go
open-vm-tools [43] | Fix memory leaks and error handling
openvswitch [44] | Update debian/ifupdown.sh to allow setting-up the MTU; fix Python dependencies to use Python 3
picard [45] | Update translations to fix crash with Spanish locale plasma-applet-redshift- Fix manual mode when used with redshift
control [46] | versions above 1.12
postfix [47] | New upstream stable release; work around poor TCP loopback performance
python-cryptography [48] | Fix test suite failures when built against newer OpenSSL versions; fix a memory leak triggerable when parsing x509 certificate extensions like AIA
python-flask-rdf [49] | Add Depends on python{3,}-rdflib python- New upstream stable release; fix switch
oslo.messaging [50] | connection destination when a rabbitmq cluster node disappears |
python-werkzeug [51] | Ensure Docker containers have unique debugger PINs [CVE-2019-14806]
python2.7 [52] | Fix several security issues [CVE-2018-20852 CVE-2019-10160 CVE-2019-16056 CVE-2019-16935 CVE-2019-9740 CVE-2019-9947]
quota [53] | Fix rpc.rquotad spinning at 100% CPU
rpcbind [54] | Allow remote calls to be enabled at run-time
shelldap [55] | Repair SASL authentications, add a 'sasluser' option
sogo [56] | Fix display of PGP-signed e-mails
spf-engine [57] | New upstream stable release; fix sysvinit support |
standardskriver [58] | Fix deprecation warning from config.RawConfigParser; use external "ip" command rather than deprecated "ifconfig" command
swi-prolog [59] | Use HTTPS when contacting upstream pack servers
systemd [60] | core: never propagate reload failure to service result; fix sync_file_range failures in nspawn containers on arm, ppc; fix RootDirectory not working when used in combination with User; ensure that access controls on systemd-resolved's D-Bus interface are enforced correctly [CVE-2019-15718]; fix StopWhenUnneeded=true for mount units; make MountFlags=shared work again
tmpreaper [61] | Prevent breaking of systemd services that use PrivateTmp=true trapperkeeper-webserver- | Restore SSL compatibility with newer
jetty9-clojure [62] | Jetty versions
tzdata [63] | New upstream release
ublock-origin [64] | New upstream version, compatible with Firefox ESR68
uim [65] | Resurrect libuim-data as a transitional package, fixing some issues after upgrades to buster
vanguards [66] | New upstream stable release; prevent a reload of tor's configuration via SIGHUP causing a denial-of-service for vanguards protections
+---------------------------+-----------------------------------------+
1: https://packages.debian.org/src:aegisub
2: https://packages.debian.org/src:akonadi
3: https://packages.debian.org/src:base-files
4: https://packages.debian.org/src:capistrano
5: https://packages.debian.org/src:cron
6: https://packages.debian.org/src:cyrus-imapd
7: https://packages.debian.org/src:debian-edu-config
8: https://packages.debian.org/src:debian-installer
9: https://packages.debian.org/src:debian-installer-netboot-images
10: https://packages.debian.org/src:distro-info-data
11: https://packages.debian.org/src:dkimpy-milter
12: https://packages.debian.org/src:emacs
13: https://packages.debian.org/src:fence-agents
14: https://packages.debian.org/src:flatpak
15: https://packages.debian.org/src:flightcrew
16: https://packages.debian.org/src:fonts-noto-cjk
17: https://packages.debian.org/src:freetype
18: https://packages.debian.org/src:gdb
19: https://packages.debian.org/src:glib2.0
20: https://packages.debian.org/src:gnome-shell
21: https://packages.debian.org/src:gnome-sound-recorder
22: https://packages.debian.org/src:gnustep-base
23: https://packages.debian.org/src:graphite-web
24: https://packages.debian.org/src:inn2
25: https://packages.debian.org/src:libapache-mod-auth-kerb
26: https://packages.debian.org/src:libdate-holidays-de-perl
27: https://packages.debian.org/src:libdatetime-timezone-perl
28: https://packages.debian.org/src:libofx
29: https://packages.debian.org/src:libreoffice
30: https://packages.debian.org/src:libsixel
31: https://packages.debian.org/src:libxslt
32: https://packages.debian.org/src:lucene-solr
33: https://packages.debian.org/src:mariadb-10.3
34: https://packages.debian.org/src:modsecurity-crs
35: https://packages.debian.org/src:mutter
36: https://packages.debian.org/src:ncurses
37: https://packages.debian.org/src:ndppd
38: https://packages.debian.org/src:network-manager
39: https://packages.debian.org/src:node-fstream
40: https://packages.debian.org/src:node-set-value
41: https://packages.debian.org/src:node-yarnpkg
42: https://packages.debian.org/src:nx-libs
43: https://packages.debian.org/src:open-vm-tools
44: https://packages.debian.org/src:openvswitch
45: https://packages.debian.org/src:picard
46: https://packages.debian.org/src:plasma-applet-redshift-control
47: https://packages.debian.org/src:postfix
48: https://packages.debian.org/src:python-cryptography
49: https://packages.debian.org/src:python-flask-rdf
50: https://packages.debian.org/src:python-oslo.messaging
51: https://packages.debian.org/src:python-werkzeug
52: https://packages.debian.org/src:python2.7
53: https://packages.debian.org/src:quota
54: https://packages.debian.org/src:rpcbind
55: https://packages.debian.org/src:shelldap
56: https://packages.debian.org/src:sogo
57: https://packages.debian.org/src:spf-engine
58: https://packages.debian.org/src:standardskriver
59: https://packages.debian.org/src:swi-prolog
60: https://packages.debian.org/src:systemd
61: https://packages.debian.org/src:tmpreaper
62:
https://packages.debian.org/src:trapperkeeper-webserver-jetty9-clojure
63: https://packages.debian.org/src:tzdata
64: https://packages.debian.org/src:ublock-origin
65: https://packages.debian.org/src:uim
66: https://packages.debian.org/src:vanguards
Security Updates
----------------
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
+----------------+-----------------------------+
| Advisory ID | Package |
+----------------+-----------------------------+
| DSA-4509 [67] | apache2 [68] |
| | |
| DSA-4511 [69] | nghttp2 [70] |
| | |
| DSA-4512 [71] | qemu [72] |
| | |
| DSA-4514 [73] | varnish [74] |
| | |
| DSA-4515 [75] | webkit2gtk [76] |
| | |
| DSA-4516 [77] | firefox-esr [78] |
| | |
| DSA-4517 [79] | exim4 [80] |
| | |
| DSA-4518 [81] | ghostscript [82] |
| | |
| DSA-4519 [83] | libreoffice [84] |
| | |
| DSA-4520 [85] | trafficserver [86] |
| | |
| DSA-4521 [87] | docker.io [88] |
| | |
| DSA-4523 [89] | thunderbird [90] |
| | |
| DSA-4524 [91] | dino-im [92] |
| | |
| DSA-4525 [93] | ibus [94] |
| | |
| DSA-4526 [95] | opendmarc [96] |
| | |
| DSA-4527 [97] | php7.3 [98] |
| | |
| DSA-4528 [99] | bird [100] |
| | |
| DSA-4530 [101] | expat [102] |
| | |
| DSA-4531 [103] | linux-signed-amd64 [104] |
| | |
| DSA-4531 [105] | linux-signed-i386 [106] |
| | |
| DSA-4531 [107] | linux [108] |
| | |
| DSA-4531 [109] | linux-signed-arm64 [110] |
| | |
| DSA-4532 [111] | spip [112] |
| | |
| DSA-4533 [113] | lemonldap-ng [114] |
| | |
| DSA-4534 [115] | golang-1.11 [116] |
| | |
| DSA-4535 [117] | e2fsprogs [118] |
| | |
| DSA-4536 [119] | exim4 [120] |
| | |
| DSA-4538 [121] | wpa [122] |
| | |
| DSA-4539 [123] | openssl [124] |
| | |
| DSA-4539 [125] | openssh [126] |
| | |
| DSA-4541 [127] | libapreq2 [128] |
| | |
| DSA-4542 [129] | jackson-databind [130] |
| | |
| DSA-4543 [131] | sudo [132] |
| | |
| DSA-4544 [133] | unbound [134] |
| | |
| DSA-4545 [135] | mediawiki [136] |
| | |
| DSA-4547 [137] | tcpdump [138] |
| | |
| DSA-4549 [139] | firefox-esr [140] |
| | |
| DSA-4550 [141] | file [142] |
| | |
| DSA-4551 [143] | golang-1.11 [144] |
| | |
| DSA-4553 [145] | php7.3 [146] |
| | |
| DSA-4554 [147] | ruby-loofah [148] |
| | |
| DSA-4555 [149] | pam-python [150] |
| | |
| DSA-4556 [151] | qtbase-opensource-src [152] |
| | |
| DSA-4557 [153] | libarchive [154] |
| | |
| DSA-4558 [155] | webkit2gtk [156] |
| | |
| DSA-4559 [157] | proftpd-dfsg [158] |
| | |
| DSA-4560 [159] | simplesamlphp [160] |
| | |
| DSA-4561 [161] | fribidi [162] |
| | |
| DSA-4562 [163] | chromium [164] |
| | |
+----------------+-----------------------------+
67: https://www.debian.org/security/2019/dsa-4509
68: https://packages.debian.org/src:apache2
69: https://www.debian.org/security/2019/dsa-4511
70: https://packages.debian.org/src:nghttp2
71: https://www.debian.org/security/2019/dsa-4512
72: https://packages.debian.org/src:qemu
73: https://www.debian.org/security/2019/dsa-4514
74: https://packages.debian.org/src:varnish
75: https://www.debian.org/security/2019/dsa-4515
76: https://packages.debian.org/src:webkit2gtk
77: https://www.debian.org/security/2019/dsa-4516
78: https://packages.debian.org/src:firefox-esr
79: https://www.debian.org/security/2019/dsa-4517
80: https://packages.debian.org/src:exim4
81: https://www.debian.org/security/2019/dsa-4518
82: https://packages.debian.org/src:ghostscript
83: https://www.debian.org/security/2019/dsa-4519
84: https://packages.debian.org/src:libreoffice
85: https://www.debian.org/security/2019/dsa-4520
86: https://packages.debian.org/src:trafficserver
87: https://www.debian.org/security/2019/dsa-4521
88: https://packages.debian.org/src:docker.io
89: https://www.debian.org/security/2019/dsa-4523
90: https://packages.debian.org/src:thunderbird
91: https://www.debian.org/security/2019/dsa-4524
92: https://packages.debian.org/src:dino-im
93: https://www.debian.org/security/2019/dsa-4525
94: https://packages.debian.org/src:ibus
95: https://www.debian.org/security/2019/dsa-4526
96: https://packages.debian.org/src:opendmarc
97: https://www.debian.org/security/2019/dsa-4527
98: https://packages.debian.org/src:php7.3
99: https://www.debian.org/security/2019/dsa-4528
100: https://packages.debian.org/src:bird
101: https://www.debian.org/security/2019/dsa-4530
102: https://packages.debian.org/src:expat
103: https://www.debian.org/security/2019/dsa-4531
104: https://packages.debian.org/src:linux-signed-amd64
105: https://www.debian.org/security/2019/dsa-4531
106: https://packages.debian.org/src:linux-signed-i386
107: https://www.debian.org/security/2019/dsa-4531
108: https://packages.debian.org/src:linux
109: https://www.debian.org/security/2019/dsa-4531
110: https://packages.debian.org/src:linux-signed-arm64
111: https://www.debian.org/security/2019/dsa-4532
112: https://packages.debian.org/src:spip
113: https://www.debian.org/security/2019/dsa-4533
114: https://packages.debian.org/src:lemonldap-ng
115: https://www.debian.org/security/2019/dsa-4534
116: https://packages.debian.org/src:golang-1.11
117: https://www.debian.org/security/2019/dsa-4535
118: https://packages.debian.org/src:e2fsprogs
119: https://www.debian.org/security/2019/dsa-4536
120: https://packages.debian.org/src:exim4
121: https://www.debian.org/security/2019/dsa-4538
122: https://packages.debian.org/src:wpa
123: https://www.debian.org/security/2019/dsa-4539
124: https://packages.debian.org/src:openssl
125: https://www.debian.org/security/2019/dsa-4539
126: https://packages.debian.org/src:openssh
127: https://www.debian.org/security/2019/dsa-4541
128: https://packages.debian.org/src:libapreq2
129: https://www.debian.org/security/2019/dsa-4542
130: https://packages.debian.org/src:jackson-databind
131: https://www.debian.org/security/2019/dsa-4543
132: https://packages.debian.org/src:sudo
133: https://www.debian.org/security/2019/dsa-4544
134: https://packages.debian.org/src:unbound
135: https://www.debian.org/security/2019/dsa-4545
136: https://packages.debian.org/src:mediawiki
137: https://www.debian.org/security/2019/dsa-4547
138: https://packages.debian.org/src:tcpdump
139: https://www.debian.org/security/2019/dsa-4549
140: https://packages.debian.org/src:firefox-esr
141: https://www.debian.org/security/2019/dsa-4550
142: https://packages.debian.org/src:file
143: https://www.debian.org/security/2019/dsa-4551
144: https://packages.debian.org/src:golang-1.11
145: https://www.debian.org/security/2019/dsa-4553
146: https://packages.debian.org/src:php7.3
147: https://www.debian.org/security/2019/dsa-4554
148: https://packages.debian.org/src:ruby-loofah
149: https://www.debian.org/security/2019/dsa-4555
150: https://packages.debian.org/src:pam-python
151: https://www.debian.org/security/2019/dsa-4556
152: https://packages.debian.org/src:qtbase-opensource-src
153: https://www.debian.org/security/2019/dsa-4557
154: https://packages.debian.org/src:libarchive
155: https://www.debian.org/security/2019/dsa-4558
156: https://packages.debian.org/src:webkit2gtk
157: https://www.debian.org/security/2019/dsa-4559
158: https://packages.debian.org/src:proftpd-dfsg
159: https://www.debian.org/security/2019/dsa-4560
160: https://packages.debian.org/src:simplesamlphp
161: https://www.debian.org/security/2019/dsa-4561
162: https://packages.debian.org/src:fribidi
163: https://www.debian.org/security/2019/dsa-4562
164: https://packages.debian.org/src:chromium
Removed packages
----------------
The following packages were removed due to circumstances beyond our control:
+-------------------+--------------------------------------------------+
| Package | Reason |
+-------------------+--------------------------------------------------+
| firefox-esr [165] | [armel] No longer supportable due to nodejs |
| | build-dependency |
| | |
+-------------------+--------------------------------------------------+
165: https://packages.debian.org/src:firefox-esr
Debian Installer
----------------
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
----
The complete lists of packages that have changed with this revision:
http://ftp.debian.org/debian/dists/buster/ChangeLog
The current stable distribution:
http://ftp.debian.org/debian/dists/stable/
Proposed updates to the stable distribution:
http://ftp.debian.org/debian/dists/proposed-updates
stable distribution information (release notes, errata etc.):
https://www.debian.org/releases/stable/
Security announcements and information:
https://www.debian.org/security/
About Debian
------------
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
