The sixth update of Debian GNU/Linux 10 is now available. This point release mainly adds corrections for security issues, along with a few adjustments for serious problems.
------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 10: 10.6 released                        press@debian.org
September 26th, 2020           https://www.debian.org/News/2020/20200926
------------------------------------------------------------------------


The Debian project is pleased to announce the sixth update of its stable
distribution Debian 10 (codename "buster"). This point release mainly
adds corrections for security issues, along with a few adjustments for
serious problems. Security advisories have already been published
separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 10 but only updates some of the packages included. There is no
need to throw away old "buster" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list



Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages.

Note that, due to build issues, the updates for the cargo, rustc and
rust-cbindgen packages are currently not available for the "armel"
architecture. They may be added at a later date if the issues are
resolved.

+--------------------------+------------------------------------------+
| Package                  | Reason                                   |
+--------------------------+------------------------------------------+
| arch-test [1]            | Fix detection of s390x sometimes failing |
|                          |                                          |
| asterisk [2]             | Fix crash when negotiating for T.38 with |
|                          | a declined stream [CVE-2019-15297],      |
|                          | "SIP request can change address of a SIP |
|                          | peer" [CVE-2019-18790], "AMI user could  |
|                          | execute system commands"                 |
|                          | [CVE-2019-18610], segfault in pjsip show |
|                          | history with IPv6 peers                  |
|                          |                                          |
| bacula [3]               | Fix "oversized digest strings allow a    |
|                          | malicious client to cause a heap         |
|                          | overflow in the director's memory"       |
|                          | [CVE-2020-11061]                         |
|                          |                                          |
| base-files [4]           | Update /etc/debian_version for the point |
|                          | release                                  |
|                          |                                          |
| calamares-settings-      | Disable displaymanager module            |
| debian [5]               |                                          |
|                          |                                          |
| cargo [6]                | New upstream release, to support         |
|                          | upcoming Firefox ESR versions            |
|                          |                                          |
| chocolate-doom [7]       | Fix missing validation [CVE-2020-14983]  |
|                          |                                          |
| chrony [8]               | Prevent symlink race when writing to the |
|                          | PID file [CVE-2020-14367]; fix           |
|                          | temperature reading                      |
|                          |                                          |
| debian-installer [9]     | Update Linux ABI to 4.19.0-11            |
|                          |                                          |
| debian-installer-        | Rebuild against proposed-updates         |
| netboot-images [10]      |                                          |
|                          |                                          |
| diaspora-installer [11]  | Use --frozen option to bundle install to |
|                          | use upstream Gemfile.lock; don't exclude |
|                          | Gemfile.lock during upgrades; don't      |
|                          | overwrite config/oidc_key.pem during     |
|                          | upgrades; make config/schedule.yml       |
|                          | writeable                                |
|                          |                                          |
| dojo [12]                | Fix prototype pollution in deepCopy      |
|                          | method [CVE-2020-5258] and in jqMix      |
|                          | method [CVE-2020-5259]                   |
|                          |                                          |
| dovecot [13]             | Fix dsync sieve filter sync regression;  |
|                          | fix handling of getpwent result in       |
|                          | userdb-passwd                            |
|                          |                                          |
| facter [14]              | Change Google GCE Metadata endpoint from |
|                          | "v1beta1" to "v1"                        |
|                          |                                          |
| gnome-maps [15]          | Fix an issue with misaligned shape layer |
|                          | rendering                                |
|                          |                                          |
| gnome-shell [16]         | LoginDialog: Reset auth prompt on VT     |
|                          | switch before fade in [CVE-2020-17489]   |
|                          |                                          |
| gnome-weather [17]       | Prevent a crash when the configured set  |
|                          | of locations is invalid                  |
|                          |                                          |
| grunt [18]               | Use safeLoad when loading YAML files     |
|                          | [CVE-2020-7729]                          |
|                          |                                          |
| gssdp [19]               | New upstream stable release              |
|                          |                                          |
| gupnp [20]               | New upstream stable release; prevent the |
|                          | "CallStranger" attack [CVE-2020-12695];  |
|                          | require GSSDP 1.0.5                      |
|                          |                                          |
| haproxy [21]             | logrotate.conf: use rsyslog helper       |
|                          | instead of SysV init script; reject      |
|                          | messages where "chunked" is missing from |
|                          | Transfer-Encoding [CVE-2019-18277]       |
|                          |                                          |
| icinga2 [22]             | Fix symlink attack [CVE-2020-14004]      |
|                          |                                          |
| incron [23]              | Fix cleanup of zombie processes          |
|                          |                                          |
| inetutils [24]           | Fix remote code execution issue          |
|                          | [CVE-2020-10188]                         |
|                          |                                          |
| libcommons-compress-     | Fix denial of service issue [CVE-2019-   |
| java [25]                | 12402]                                   |
|                          |                                          |
| libdbi-perl [26]         | Fix memory corruption in XS functions    |
|                          | when Perl stack is reallocated           |
|                          | [CVE-2020-14392]; fix a buffer overflow  |
|                          | on an overlong DBD class name [CVE-2020- |
|                          | 14393]; fix a NULL profile dereference   |
|                          | in dbi_profile() [CVE-2019-20919]        |
|                          |                                          |
| libvncserver [27]        | libvncclient: bail out if UNIX socket    |
|                          | name would overflow [CVE-2019-20839];    |
|                          | fix pointer aliasing/alignment issue     |
|                          | [CVE-2020-14399]; limit max textchat     |
|                          | size [CVE-2020-14405]; libvncserver: add |
|                          | missing NULL pointer checks [CVE-2020-   |
|                          | 14397]; fix pointer aliasing/alignment   |
|                          | issue [CVE-2020-14400]; scale: cast to   |
|                          | 64 bit before shifting [CVE-2020-14401]; |
|                          | prevent OOB accesses [CVE-2020-14402     |
|                          | CVE-2020-14403 CVE-2020-14404]           |
|                          |                                          |
| libx11 [28]              | Fix integer overflows [CVE-2020-14344    |
|                          | CVE-2020-14363]                          |
|                          |                                          |
| lighttpd [29]            | Backport several usability and security  |
|                          | fixes                                    |
|                          |                                          |
| linux [30]               | New upstream stable release; increase    |
|                          | ABI to 11                                |
|                          |                                          |
| linux-latest [31]        | Update for -11 Linux kernel ABI          |
|                          |                                          |
| linux-signed-amd64 [32]  | New upstream stable release              |
|                          |                                          |
| linux-signed-arm64 [33]  | New upstream stable release              |
|                          |                                          |
| linux-signed-i386 [34]   | New upstream stable release              |
|                          |                                          |
| llvm-toolchain-7 [35]    | New upstream release, to support         |
|                          | upcoming Firefox ESR versions; fix bugs  |
|                          | affecting rustc build                    |
|                          |                                          |
| lucene-solr [36]         | Fix security issue in DataImportHandler  |
|                          | configuration handling [CVE-2019-0193]   |
|                          |                                          |
| milkytracker [37]        | Fix heap overflow [CVE-2019-14464],      |
|                          | stack overflow [CVE-2019-14496], heap    |
|                          | overflow [CVE-2019-14497], use after     |
|                          | free [CVE-2020-15569]                    |
|                          |                                          |
| node-bl [38]             | Fix over-read vulnerability [CVE-2020-   |
|                          | 8244]                                    |
|                          |                                          |
| node-elliptic [39]       | Prevent malleability and overflows       |
|                          | [CVE-2020-13822]                         |
|                          |                                          |
| node-mysql [40]          | Add localInfile option to control LOAD   |
|                          | DATA LOCAL INFILE [CVE-2019-14939]       |
|                          |                                          |
| node-url-parse [41]      | Fix insufficient validation and          |
|                          | sanitization of user input [CVE-2020-    |
|                          | 8124]                                    |
|                          |                                          |
| npm [42]                 | Don't show password in logs [CVE-2020-   |
|                          | 15095]                                   |
|                          |                                          |
| orocos-kdl [43]          | Remove explicit inclusion of default     |
|                          | include path, fixing issues with cmake < |
|                          | 3.16                                     |
|                          |                                          |
| postgresql-11 [44]       | New upstream stable release; set a       |
|                          | secure search_path in logical            |
|                          | replication walsenders and apply workers |
|                          | [CVE-2020-14349]; make contrib modules'  |
|                          | installation scripts more secure         |
|                          | [CVE-2020-14350]                         |
|                          |                                          |
| postgresql-common [45]   | Don't drop plpgsql before testing        |
|                          | extensions                               |
|                          |                                          |
| pyzmq [46]               | Asyncio: wait for POLLOUT on sender in   |
|                          | can_connect                              |
|                          |                                          |
| qt4-x11 [47]             | Fix buffer overflow in XBM parser        |
|                          | [CVE-2020-17507]                         |
|                          |                                          |
| qtbase-opensource-       | Fix buffer overflow in XBM parser        |
| src [48]                 | [CVE-2020-17507]; fix clipboard breaking |
|                          | when timer wraps after 50 days           |
|                          |                                          |
| ros-actionlib [49]       | Load YAML safely [CVE-2020-10289]        |
|                          |                                          |
| rustc [50]               | New upstream release, to support         |
|                          | upcoming Firefox ESR versions            |
|                          |                                          |
| rust-cbindgen [51]       | New upstream release, to support         |
|                          | upcoming Firefox ESR versions            |
|                          |                                          |
| ruby-ronn [52]           | Fix handling of UTF-8 content in         |
|                          | manpages                                 |
|                          |                                          |
| s390-tools [53]          | Hardcode perl dependency instead of      |
|                          | using ${perl:Depends}, fixing            |
|                          | installation under debootstrap           |
|                          |                                          |
+--------------------------+------------------------------------------+

    1: https://packages.debian.org/src:arch-test
    2: https://packages.debian.org/src:asterisk
    3: https://packages.debian.org/src:bacula
    4: https://packages.debian.org/src:base-files
    5: https://packages.debian.org/src:calamares-settings-debian
    6: https://packages.debian.org/src:cargo
    7: https://packages.debian.org/src:chocolate-doom
    8: https://packages.debian.org/src:chrony
    9: https://packages.debian.org/src:debian-installer
   10: https://packages.debian.org/src:debian-installer-netboot-images
   11: https://packages.debian.org/src:diaspora-installer
   12: https://packages.debian.org/src:dojo
   13: https://packages.debian.org/src:dovecot
   14: https://packages.debian.org/src:facter
   15: https://packages.debian.org/src:gnome-maps
   16: https://packages.debian.org/src:gnome-shell
   17: https://packages.debian.org/src:gnome-weather
   18: https://packages.debian.org/src:grunt
   19: https://packages.debian.org/src:gssdp
   20: https://packages.debian.org/src:gupnp
   21: https://packages.debian.org/src:haproxy
   22: https://packages.debian.org/src:icinga2
   23: https://packages.debian.org/src:incron
   24: https://packages.debian.org/src:inetutils
   25: https://packages.debian.org/src:libcommons-compress-java
   26: https://packages.debian.org/src:libdbi-perl
   27: https://packages.debian.org/src:libvncserver
   28: https://packages.debian.org/src:libx11
   29: https://packages.debian.org/src:lighttpd
   30: https://packages.debian.org/src:linux
   31: https://packages.debian.org/src:linux-latest
   32: https://packages.debian.org/src:linux-signed-amd64
   33: https://packages.debian.org/src:linux-signed-arm64
   34: https://packages.debian.org/src:linux-signed-i386
   35: https://packages.debian.org/src:llvm-toolchain-7
   36: https://packages.debian.org/src:lucene-solr
   37: https://packages.debian.org/src:milkytracker
   38: https://packages.debian.org/src:node-bl
   39: https://packages.debian.org/src:node-elliptic
   40: https://packages.debian.org/src:node-mysql
   41: https://packages.debian.org/src:node-url-parse
   42: https://packages.debian.org/src:npm
   43: https://packages.debian.org/src:orocos-kdl
   44: https://packages.debian.org/src:postgresql-11
   45: https://packages.debian.org/src:postgresql-common
   46: https://packages.debian.org/src:pyzmq
   47: https://packages.debian.org/src:qt4-x11
   48: https://packages.debian.org/src:qtbase-opensource-src
   49: https://packages.debian.org/src:ros-actionlib
   50: https://packages.debian.org/src:rustc
   51: https://packages.debian.org/src:rust-cbindgen
   52: https://packages.debian.org/src:ruby-ronn
   53: https://packages.debian.org/src:s390-tools

Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+----------------+--------------------+
| Advisory ID    | Package            |
+----------------+--------------------+
| DSA-4662 [54]  | openjdk-11 [55]    |
|                |                    |
| DSA-4734 [56]  | openjdk-11 [57]    |
|                |                    |
| DSA-4736 [58]  | firefox-esr [59]   |
|                |                    |
| DSA-4737 [60]  | xrdp [61]          |
|                |                    |
| DSA-4738 [62]  | ark [63]           |
|                |                    |
| DSA-4739 [64]  | webkit2gtk [65]    |
|                |                    |
| DSA-4740 [66]  | thunderbird [67]   |
|                |                    |
| DSA-4741 [68]  | json-c [69]        |
|                |                    |
| DSA-4742 [70]  | firejail [71]      |
|                |                    |
| DSA-4743 [72]  | ruby-kramdown [73] |
|                |                    |
| DSA-4744 [74]  | roundcube [75]     |
|                |                    |
| DSA-4745 [76]  | dovecot [77]       |
|                |                    |
| DSA-4746 [78]  | net-snmp [79]      |
|                |                    |
| DSA-4747 [80]  | icingaweb2 [81]    |
|                |                    |
| DSA-4748 [82]  | ghostscript [83]   |
|                |                    |
| DSA-4749 [84]  | firefox-esr [85]   |
|                |                    |
| DSA-4750 [86]  | nginx [87]         |
|                |                    |
| DSA-4751 [88]  | squid [89]         |
|                |                    |
| DSA-4752 [90]  | bind9 [91]         |
|                |                    |
| DSA-4753 [92]  | mupdf [93]         |
|                |                    |
| DSA-4754 [94]  | thunderbird [95]   |
|                |                    |
| DSA-4755 [96]  | openexr [97]       |
|                |                    |
| DSA-4756 [98]  | lilypond [99]      |
|                |                    |
| DSA-4757 [100] | apache2 [101]      |
|                |                    |
| DSA-4758 [102] | xorg-server [103]  |
|                |                    |
| DSA-4759 [104] | ark [105]          |
|                |                    |
| DSA-4760 [106] | qemu [107]         |
|                |                    |
| DSA-4761 [108] | zeromq3 [109]      |
|                |                    |
| DSA-4762 [110] | lemonldap-ng [111] |
|                |                    |
| DSA-4763 [112] | teeworlds [113]    |
|                |                    |
| DSA-4764 [114] | inspircd [115]     |
|                |                    |
| DSA-4765 [116] | modsecurity [117]  |
|                |                    |
+----------------+--------------------+

   54: https://www.debian.org/security/2020/dsa-4662
   55: https://packages.debian.org/src:openjdk-11
   56: https://www.debian.org/security/2020/dsa-4734
   57: https://packages.debian.org/src:openjdk-11
   58: https://www.debian.org/security/2020/dsa-4736
   59: https://packages.debian.org/src:firefox-esr
   60: https://www.debian.org/security/2020/dsa-4737
   61: https://packages.debian.org/src:xrdp
   62: https://www.debian.org/security/2020/dsa-4738
   63: https://packages.debian.org/src:ark
   64: https://www.debian.org/security/2020/dsa-4739
   65: https://packages.debian.org/src:webkit2gtk
   66: https://www.debian.org/security/2020/dsa-4740
   67: https://packages.debian.org/src:thunderbird
   68: https://www.debian.org/security/2020/dsa-4741
   69: https://packages.debian.org/src:json-c
   70: https://www.debian.org/security/2020/dsa-4742
   71: https://packages.debian.org/src:firejail
   72: https://www.debian.org/security/2020/dsa-4743
   73: https://packages.debian.org/src:ruby-kramdown
   74: https://www.debian.org/security/2020/dsa-4744
   75: https://packages.debian.org/src:roundcube
   76: https://www.debian.org/security/2020/dsa-4745
   77: https://packages.debian.org/src:dovecot
   78: https://www.debian.org/security/2020/dsa-4746
   79: https://packages.debian.org/src:net-snmp
   80: https://www.debian.org/security/2020/dsa-4747
   81: https://packages.debian.org/src:icingaweb2
   82: https://www.debian.org/security/2020/dsa-4748
   83: https://packages.debian.org/src:ghostscript
   84: https://www.debian.org/security/2020/dsa-4749
   85: https://packages.debian.org/src:firefox-esr
   86: https://www.debian.org/security/2020/dsa-4750
   87: https://packages.debian.org/src:nginx
   88: https://www.debian.org/security/2020/dsa-4751
   89: https://packages.debian.org/src:squid
   90: https://www.debian.org/security/2020/dsa-4752
   91: https://packages.debian.org/src:bind9
   92: https://www.debian.org/security/2020/dsa-4753
   93: https://packages.debian.org/src:mupdf
   94: https://www.debian.org/security/2020/dsa-4754
   95: https://packages.debian.org/src:thunderbird
   96: https://www.debian.org/security/2020/dsa-4755
   97: https://packages.debian.org/src:openexr
   98: https://www.debian.org/security/2020/dsa-4756
   99: https://packages.debian.org/src:lilypond
  100: https://www.debian.org/security/2020/dsa-4757
  101: https://packages.debian.org/src:apache2
  102: https://www.debian.org/security/2020/dsa-4758
  103: https://packages.debian.org/src:xorg-server
  104: https://www.debian.org/security/2020/dsa-4759
  105: https://packages.debian.org/src:ark
  106: https://www.debian.org/security/2020/dsa-4760
  107: https://packages.debian.org/src:qemu
  108: https://www.debian.org/security/2020/dsa-4761
  109: https://packages.debian.org/src:zeromq3
  110: https://www.debian.org/security/2020/dsa-4762
  111: https://packages.debian.org/src:lemonldap-ng
  112: https://www.debian.org/security/2020/dsa-4763
  113: https://packages.debian.org/src:teeworlds
  114: https://www.debian.org/security/2020/dsa-4764
  115: https://packages.debian.org/src:inspircd
  116: https://www.debian.org/security/2020/dsa-4765
  117: https://packages.debian.org/src:modsecurity

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.


URLs
----

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/buster/ChangeLog


The current stable distribution:

http://ftp.debian.org/debian/dists/stable/


Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates


Stable distribution information (release notes, errata, etc.):

https://www.debian.org/releases/stable/


Security announcements and information:

https://www.debian.org/security/



About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.


Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.