Updated Debian 10: 10.5 released
August 1st, 2020
The Debian project is pleased to announce the fifth update of its
stable distribution Debian 10 (codename buster
).
This point release mainly adds corrections for security issues,
along with a few adjustments for serious problems. Security advisories
have already been published separately and are referenced where available.
This point release also addresses Debian Security Advisory: DSA-4735-1 grub2 -- security update which covers multiple CVE issues regarding the GRUB2 UEFI SecureBoot 'BootHole' vulnerability.
Please note that the point release does not constitute a new version of Debian
10 but only updates some of the packages included. There is
no need to throw away old buster
media. After installation,
packages can be upgraded to the current versions using an up-to-date Debian
mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
appstream-glib | Fix build failures in 2020 and later |
asunder | Use gnudb instead of freedb by default |
b43-fwcutter | Ensure removal succeeds under non-English locales; do not fail removal if some files no longer exist; fix missing dependencies on pciutils and ca-certificates |
balsa | Provide server identity when validating certificates, allowing successful validation when using the glib-networking patch for CVE-2020-13645 |
base-files | Update for the point release |
batik | Fix server-side request forgery via xlink:href attributes [CVE-2019-17566] |
borgbackup | Fix index corruption bug leading to data loss |
bundler | Update required version of ruby-molinillo |
c-icap-modules | Add support for ClamAV 0.102 |
cacti | Fix issue where UNIX timestamps after September 13th 2020 were rejected as graph start / end; fix remote code execution [CVE-2020-7237], cross-site scripting [CVE-2020-7106], CSRF issue [CVE-2020-13231]; disabling a user account does not immediately invalidate permissions [CVE-2020-13230] |
calamares-settings-debian | Enable displaymanager module, fixing autologin options; use xdg-user-dir to specify Desktop directory |
clamav | New upstream release; security fixes [CVE-2020-3327 CVE-2020-3341 CVE-2020-3350 CVE-2020-3327 CVE-2020-3481] |
cloud-init | New upstream release |
commons-configuration2 | Prevent object creation when loading YAML files [CVE-2020-1953] |
confget | Fix the Python module's handling of values containing = |
dbus | New upstream stable release; prevent a denial of service issue [CVE-2020-12049]; prevent use-after-free if two usernames share a uid |
debian-edu-config | Fix loss of dynamically allocated IPv4 address |
debian-installer | Update Linux ABI to 4.19.0-10 |
debian-installer-netboot-images | Rebuild against proposed-updates |
debian-ports-archive-keyring | Increase the expiration date of the 2020 key (84C573CD4E1AFD6C) by one year; add Debian Ports Archive Automatic Signing Key (2021); move the 2018 key (ID: 06AED62430CB581C) to the removed keyring |
debian-security-support | Update support status of several packages |
dpdk | New upstream release |
exiv2 | Adjust overly restrictive security patch [CVE-2018-10958 and CVE-2018-10999]; fix denial of service issue [CVE-2018-16336] |
fdroidserver | Fix Litecoin address validation |
file-roller | Security fix [CVE-2020-11736] |
freerdp2 | Fix smartcard logins; security fixes [CVE-2020-11521 CVE-2020-11522 CVE-2020-11523 CVE-2020-11524 CVE-2020-11525 CVE-2020-11526] |
fwupd | New upstream release; fix possible signature verification issue [CVE-2020-10759]; use rotated Debian signing keys |
fwupd-amd64-signed | New upstream release; fix possible signature verification issue [CVE-2020-10759]; use rotated Debian signing keys |
fwupd-arm64-signed | New upstream release; fix possible signature verification issue [CVE-2020-10759]; use rotated Debian signing keys |
fwupd-armhf-signed | New upstream release; fix possible signature verification issue [CVE-2020-10759]; use rotated Debian signing keys |
fwupd-i386-signed | New upstream release; fix possible signature verification issue [CVE-2020-10759]; use rotated Debian signing keys |
fwupdate | Use rotated Debian signing keys |
fwupdate-amd64-signed | Use rotated Debian signing keys |
fwupdate-arm64-signed | Use rotated Debian signing keys |
fwupdate-armhf-signed | Use rotated Debian signing keys |
fwupdate-i386-signed | Use rotated Debian signing keys |
gist | Avoid deprecated authorization API |
glib-networking | Return bad identity error if identity is unset [CVE-2020-13645]; break balsa older than 2.5.6-2+deb10u1 as the fix for CVE-2020-13645 breaks balsa's certificate verification |
gnutls28 | Fix TL1.2 resumption errors; fix memory leak; handle zero length session tickets, fixing connection errors on TLS1.2 sessions to some big hosting providers; fix verification error with alternate chains |
intel-microcode | Downgrade some microcodes to previously issued versions, working around hangs on boot on Skylake-U/Y and Skylake Xeon E3 |
jackson-databind | Fix multiple security issues affecting BeanDeserializerFactory [CVE-2020-9548 CVE-2020-9547 CVE-2020-9546 CVE-2020-8840 CVE-2020-14195 CVE-2020-14062 CVE-2020-14061 CVE-2020-14060 CVE-2020-11620 CVE-2020-11619 CVE-2020-11113 CVE-2020-11112 CVE-2020-11111 CVE-2020-10969 CVE-2020-10968 CVE-2020-10673 CVE-2020-10672 CVE-2019-20330 CVE-2019-17531 and CVE-2019-17267] |
jameica | Add mckoisqldb to classpath, allowing use of SynTAX plugin |
jigdo | Fix HTTPS support in jigdo-lite and jigdo-mirror |
ksh | Fix environment variable restriction issue [CVE-2019-14868] |
lemonldap-ng | Fix nginx configuration regression introduced by the fix for CVE-2019-19791 |
libapache-mod-jk | Rename Apache configuration file so it can be automatically enabled and disabled |
libclamunrar | New upstream stable release; add an unversioned meta-package |
libembperl-perl | Handle error pages from Apache >= 2.4.40 |
libexif | Security fixes [CVE-2020-12767 CVE-2020-0093 CVE-2020-13112 CVE-2020-13113 CVE-2020-13114]; fix buffer overflow [CVE-2020-0182] and integer overflow [CVE-2020-0198] |
libinput | Quirks: add trackpoint integration attribute |
libntlm | Fix buffer overflow [CVE-2019-17455] |
libpam-radius-auth | Fix buffer overflow in password field [CVE-2015-9542] |
libunwind | Fix segfaults on mips; manually enable C++ exception support only on i386 and amd64 |
libyang | Fix cache corruption crash, CVE-2019-19333, CVE-2019-19334 |
linux | New upstream stable release |
linux-latest | Update for 4.19.0-10 kernel ABI |
linux-signed-amd64 | New upstream stable release |
linux-signed-arm64 | New upstream stable release |
linux-signed-i386 | New upstream stable release |
lirc | Fix conffile management |
mailutils | maidag: drop setuid privileges for all delivery operations but mda [CVE-2019-18862] |
mariadb-10.3 | New upstream stable release; security fixes [CVE-2020-2752 CVE-2020-2760 CVE-2020-2812 CVE-2020-2814 CVE-2020-13249]; fix regression in RocksDB ZSTD detection |
mod-gnutls | Fix a possible segfault on failed TLS handshake; fix test failures |
multipath-tools | kpartx: use correct path to partx in udev rule |
mutt | Don't check IMAP PREAUTH encryption if $tunnel is in use |
mydumper | Link against libm |
nfs-utils | statd: take user-id from /var/lib/nfs/sm [CVE-2019-3689]; don't make /var/lib/nfs owned by statd |
nginx | Fix error page request smuggling vulnerability [CVE-2019-20372] |
nmap | Update default key size to 2048 bits |
node-dot-prop | Fix regression introduced in CVE-2020-8116 fix |
node-handlebars | Disallow calling helperMissingand blockHelperMissingdirectly [CVE-2019-19919] |
node-minimist | Fix prototype pollution [CVE-2020-7598] |
nvidia-graphics-drivers | New upstream stable release; security fixes [CVE-2020-5963 CVE-2020-5967] |
nvidia-graphics-drivers-legacy-390xx | New upstream stable release; security fixes [CVE-2020-5963 CVE-2020-5967] |
openstack-debian-images | Install resolvconf if installing cloud-init |
pagekite | Avoid issues with expiry of shipped SSL certificates by using those from the ca-certificates package |
pdfchain | Fix crash at startup |
perl | Fix multiple regular expression related security issues [CVE-2020-10543 CVE-2020-10878 CVE-2020-12723] |
php-horde | Fix cross-site scripting vulnerability [CVE-2020-8035] |
php-horde-gollem | Fix cross-site scripting vulnerability in breadcrumb output [CVE-2020-8034] |
pillow | Fix multiple out-of-bounds read issues [CVE-2020-11538 CVE-2020-10378 CVE-2020-10177] |
policyd-rate-limit | Fix issues in accounting due to socket reuse |
postfix | New upstream stable release; fix segfault in the tlsproxy client role when the server role was disabled; fix maillog_file_rotate_suffix default value used the minute instead of the month; fix several TLS related issues; README.Debian fixes |
python-markdown2 | Fix cross-site scripting issue [CVE-2020-11888] |
python3.7 | Avoid infinite loop when reading specially crafted TAR files using the tarfile module [CVE-2019-20907]; resolve hash collisions for IPv4Interface and IPv6Interface [CVE-2020-14422]; fix denial of service issue in urllib.request.AbstractBasicAuthHandler [CVE-2020-8492] |
qdirstat | Fix saving of user-configured MIME categories |
raspi3-firmware | Fix typo that could lead to unbootable systems |
resource-agents | IPsrcaddr: make protooptional to fix regression when used without NetworkManager |
ruby-json | Fix unsafe object creation vulnerability [CVE-2020-10663] |
shim | Use rotated Debian signing keys |
shim-helpers-amd64-signed | Use rotated Debian signing keys |
shim-helpers-arm64-signed | Use rotated Debian signing keys |
shim-helpers-i386-signed | Use rotated Debian signing keys |
speedtest-cli | Pass correct headers to fix upload speed test |
ssvnc | Fix out-of-bounds write [CVE-2018-20020], infinite loop [CVE-2018-20021], improper initialisation [CVE-2018-20022], potential denial-of-service [CVE-2018-20024] |
storebackup | Fix possible privilege escalation vulnerability [CVE-2020-7040] |
suricata | Fix dropping privileges in nflog runmode |
tigervnc | Don't use libunwind on armel, armhf or arm64 |
transmission | Fix possible denial of service issue [CVE-2018-10756] |
wav2cdr | Use C99 fixed-size integer types to fix runtime assertion on 64bit architectures other than amd64 and alpha |
zipios++ | Security fix [CVE-2019-13453] |
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
golang-github-unknwon-cae | Security issues; unmaintained |
janus | Not supportable in stable |
mathematica-fonts | Relies on unavailable download location |
matrix-synapse | Security issues; unsupportable |
selenium-firefoxdriver | Incompatible with newer Firefox ESR versions |
Debian Installer
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
stable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.