2021-10-09 17:16
------------------------------------------------------------------------
The Debian Project https://www.debian.org/
Updated Debian 10: 10.11 released press@debian.org
October 9th, 2021 https://www.debian.org/News/2021/2021100902
------------------------------------------------------------------------
The Debian project is pleased to announce the eleventh update of its
oldstable distribution Debian 10 (codename "buster"). This point release
mainly adds corrections for security issues, along with a few
adjustments for serious problems. Security advisories have already been
published separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 10 but only updates some of the packages included. There is no
need to throw away old "buster" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes
----------------------
This oldstable update adds a few important corrections to the following
packages:
Package                         Reason
------------------------------  ----------------------------------------
atftp [1]                       Fix buffer overflow [CVE-2021-41054]

base-files [2]                  Update for the 10.11 point release

btrbk [3]                       Fix arbitrary code execution issue
                                [CVE-2021-38173]

clamav [4]                      New upstream stable release; fix clamdscan
                                segfaults when --fdpass and --multipass
                                are used together with ExcludePath

commons-io [5]                  Fix path traversal issue [CVE-2021-29425]

cyrus-imapd [6]                 Fix denial-of-service issue
                                [CVE-2021-33582]

debconf [7]                     Check that whiptail or dialog is actually
                                usable

debian-installer [8]            Rebuild against buster-proposed-updates;
                                update Linux ABI to 4.19.0-18

debian-installer-netboot-images [9]
                                Rebuild against buster-proposed-updates

distcc [10]                     Fix GCC cross-compiler links in
                                update-distcc-symlinks and add support
                                for clang and CUDA (nvcc)

distro-info-data [11]           Update included data for several releases

dwarf-fortress [12]             Remove undistributable prebuilt shared
                                libraries from the source tarball

espeak-ng [13]                  Fix using espeak with mbrola-fr4 when
                                mbrola-fr1 is not installed

gcc-mingw-w64 [14]              Fix gcov handling

gthumb [15]                     Fix heap-based buffer overflow issue
                                [CVE-2019-20326]

hg-git [16]                     Fix test failures with recent git versions

htslib [17]                     Fix autopkgtest on i386

http-parser [18]                Fix HTTP request smuggling issue
                                [CVE-2019-15605]

irssi [19]                      Fix use-after-free issue when sending SASL
                                login to the server [CVE-2019-13045]

java-atk-wrapper [20]           Also use dbus to detect accessibility
                                being enabled

krb5 [21]                       Fix KDC null dereference crash on FAST
                                request with no server field
                                [CVE-2021-37750]; fix memory leak in
                                krb5_gss_inquire_cred

libdatetime-timezone-perl [22]  New upstream stable release; update DST
                                rules for Samoa and Jordan; confirmation
                                of no leap second on 2021-12-31

libpam-tacplus [23]             Prevent shared secrets from being added in
                                plaintext to the system log
                                [CVE-2020-13881]

linux [24]                      "proc: Track /proc/$pid/attr/ opener
                                mm_struct", fixing issues with lxc-attach;
                                new upstream stable release; increase ABI
                                version to 18; [rt] Update to
                                4.19.207-rt88; usb: hso: fix error
                                handling code of hso_create_net_device
                                [CVE-2021-37159]

linux-latest [25]               Update to 4.19.0-18 kernel ABI

linux-signed-amd64 [26]         "proc: Track /proc/$pid/attr/ opener
                                mm_struct", fixing issues with lxc-attach;
                                new upstream stable release; increase ABI
                                version to 18; [rt] Update to
                                4.19.207-rt88; usb: hso: fix error
                                handling code of hso_create_net_device
                                [CVE-2021-37159]

linux-signed-arm64 [27]         "proc: Track /proc/$pid/attr/ opener
                                mm_struct", fixing issues with lxc-attach;
                                new upstream stable release; increase ABI
                                version to 18; [rt] Update to
                                4.19.207-rt88; usb: hso: fix error
                                handling code of hso_create_net_device
                                [CVE-2021-37159]

linux-signed-i386 [28]          "proc: Track /proc/$pid/attr/ opener
                                mm_struct", fixing issues with lxc-attach;
                                new upstream stable release; increase ABI
                                version to 18; [rt] Update to
                                4.19.207-rt88; usb: hso: fix error
                                handling code of hso_create_net_device
                                [CVE-2021-37159]

mariadb-10.3 [29]               New upstream stable release; security fixes
                                [CVE-2021-2389 CVE-2021-2372]; fix Perl
                                executable path in scripts

modsecurity-crs [30]            Fix request body bypass issue
                                [CVE-2021-35368]

node-ansi-regex [31]            Fix regular expression-based denial of
                                service issue [CVE-2021-3807]

node-axios [32]                 Fix regular expression-based denial of
                                service issue [CVE-2021-3749]

node-jszip [33]                 Use a null prototype object for this.files
                                [CVE-2021-23413]

node-tar [34]                   Remove non-directory paths from the
                                directory cache [CVE-2021-32803]; strip
                                absolute paths more comprehensively
                                [CVE-2021-32804]

nvidia-cuda-toolkit [35]        Fix setting of NVVMIR_LIBRARY_DIR on
                                ppc64el

nvidia-graphics-drivers [36]    New upstream stable release; fix denial of
                                service issues [CVE-2021-1093
                                CVE-2021-1094 CVE-2021-1095];
                                nvidia-driver-libs: Add Recommends:
                                libnvidia-encode1

nvidia-graphics-drivers-legacy-390xx [37]
                                New upstream stable release; fix denial of
                                service issues [CVE-2021-1093
                                CVE-2021-1094 CVE-2021-1095];
                                nvidia-legacy-390xx-driver-libs: Add
                                Recommends: libnvidia-legacy-390xx-encode1

postgresql-11 [38]              New upstream stable release; fix
                                mis-planning of repeated application of a
                                projection step [CVE-2021-3677]; disallow
                                SSL renegotiation more completely

proftpd-dfsg [39]               Fix "mod_radius leaks memory contents to
                                radius server", "cannot disable
                                client-initiated renegotiation for FTPS",
                                navigation into symlinked directories,
                                mod_sftp crash when using pubkey-auth with
                                DSA keys

psmisc [40]                     Fix regression in killall not matching
                                processes with names longer than 15
                                characters

python-uflash [41]              Update firmware URL

request-tracker4 [42]           Fix login timing side-channel attack issue
                                [CVE-2021-38562]

ring [43]                       Fix denial of service issue in the embedded
                                copy of pjproject [CVE-2021-21375]

sabnzbdplus [44]                Prevent directory escape in renamer
                                function [CVE-2021-29488]

shim [45]                       Add arm64 patch to tweak section layout and
                                stop crashing problems; in insecure mode,
                                don't abort if we can't create the
                                MokListXRT variable; don't abort on grub
                                installation failures; warn instead

shim-helpers-amd64-signed [46]  Add arm64 patch to tweak section layout and
                                stop crashing problems; in insecure mode,
                                don't abort if we can't create the
                                MokListXRT variable; don't abort on grub
                                installation failures; warn instead

shim-helpers-arm64-signed [47]  Add arm64 patch to tweak section layout and
                                stop crashing problems; in insecure mode,
                                don't abort if we can't create the
                                MokListXRT variable; don't abort on grub
                                installation failures; warn instead

shim-helpers-i386-signed [48]   Add arm64 patch to tweak section layout and
                                stop crashing problems; in insecure mode,
                                don't abort if we can't create the
                                MokListXRT variable; don't abort on grub
                                installation failures; warn instead

shim-signed [49]                Work around boot-breaking issues on arm64
                                by including an older known working
                                version of unsigned shim on that platform;
                                switch arm64 back to using a current
                                unsigned build; add arm64 patch to tweak
                                section layout and stop crashing problems;
                                in insecure mode, don't abort if we can't
                                create the MokListXRT variable; don't
                                abort on grub installation failures; warn
                                instead

shiro [50]                      Fix authentication bypass issues
                                [CVE-2020-1957 CVE-2020-11989
                                CVE-2020-13933 CVE-2020-17510]; update
                                Spring Framework compatibility patch;
                                support Guice 4

tzdata [51]                     Update DST rules for Samoa and Jordan;
                                confirm the absence of a leap second on
                                2021-12-31

ublock-origin [52]              New upstream stable release; fix denial of
                                service issue [CVE-2021-36773]

ulfius [53]                     Ensure memory is initialised before use
                                [CVE-2021-40540]

xmlgraphics-commons [54]        Fix Server-Side Request Forgery issue
                                [CVE-2020-11988]

yubikey-manager [55]            Add missing dependency on
                                python3-pkg-resources to yubikey-manager
------------------------------  ----------------------------------------
"Just as a person who lacks self-respect does not flourish but withers, so too does a nation that lacks self-awareness." K. Mīlenbahs