UNSUBSCRIBE

On Mon, 3 Feb 2020, 22:40 Adam D. Barratt, <a...@adam-barratt.org.uk> wrote:
>
> ----------------------------------------------------------------------------
> Debian Stable Updates Announcement SUA 177-1         https://www.debian.org/
> debian-release@lists.debian.org                              Adam D. Barratt
> February 3rd, 2020
> ----------------------------------------------------------------------------
>
> Upcoming Debian 10 Update (10.3)
>
> An update to Debian 10 is scheduled for Saturday, February 8th, 2020. As
> of now it will include the following bug fixes. They can be found in
> "buster-proposed-updates", which is carried by all official mirrors.
>
> Please note that packages published through security.debian.org are not
> listed, but will be included if possible. Some of the updates below are
> also already available through "buster-updates".
>
> Testing and feedback would be appreciated. Bugs should be filed in the
> Debian Bug Tracking System, but please make the Release Team aware of them
> by copying "debian-release@lists.debian.org" on your mails.
>
> The point release will also include a rebuild of debian-installer.
>
>
> Miscellaneous Bugfixes
> ----------------------
>
> This stable update adds a few important corrections to the following
> packages:
>
> Package                     Reason
> -------                     ------
>
> alot                        Remove expiration time from test suite keys,
>                             fixing build failure
>
> atril                       Fix segfault when no document is loaded; fix
>                             read of uninitialised memory [CVE-2019-11459]
>
> base-files                  Update for the point release
>
> beagle                      Provide wrapper script instead of symlinks to
>                             JARs, making them work again
>
> bgpdump                     Fix segmentation fault
>
> boost1.67                   Fix undefined behaviour leading to crashing
>                             libboost-numpy
>
> brightd                     Actually compare the value read out of
>                             /sys/class/power_supply/AC/online with '0'
>
> casacore-data-jplde         Include tables up to 2040
>
> clamav                      New upstream release; fix denial of service
>                             issue [CVE-2019-15961]; remove ScanOnAccess
>                             option, replacing with clamonacc
>
> compactheader               New upstream release compatible with
>                             Thunderbird 68
>
> console-common              Fix regression that led to files not being
>                             included
>
> csh                         Fix segfault on eval
>
> cups                        Fix memory leak in ppdOpen; fix validation of
>                             default language in ippSetValuetag
>                             [CVE-2019-2228]
>
> cyrus-imapd                 Add BACKUP type to cyrus-upgrade-db, fixing
>                             upgrade issues
>
> debian-edu-config           Keep proxy settings on client if wpad is
>                             unreachable
>
> debian-security-support     Update security support status of several
>                             packages
>
> debos                       Rebuild against updated
>                             golang-github-go-debos-fakemachine
>
> dispmua                     New upstream release compatible with
>                             Thunderbird 68
>
> dkimpy                      New upstream stable release
>
> dkimpy-milter               Fix privilege management at startup so Unix
>                             sockets work
>
> dpdk                        New upstream stable release
>
> e2fsprogs                   Fix potential stack underflow in e2fsck
>                             [CVE-2019-5188]; fix use after free in e2fsck
>
> fig2dev                     Allow Fig v2 text strings ending with multiple
>                             ^A [CVE-2019-19555]; reject huge arrow types
>                             causing integer overflow [CVE-2019-19746]; fix
>                             several crashes [CVE-2019-19797]
>
> freerdp2                    Fix realloc return handling [CVE-2019-17177]
>
> freetds                     Tds: Make sure UDT has varint set to 8
>                             [CVE-2019-13508]
>
> git-lfs                     Fix build issues with newer Go versions
>
> gnubg                       Increase the size of static buffers used to
>                             build messages during program start so that
>                             the Spanish translation doesn't overflow a
>                             buffer
>
> gnutls28                    Fix interop problems with gnutls 2.x; fix
>                             parsing of certificates using RegisteredID
>
> gtk2-engines-murrine        Fix co-installability with other themes
>
> guile-2.2                   Fix build failure
>
> libburn                     Fix "cdrskin multi-track burning was slow and
>                             stalled after track 1"
>
> libcgns                     Fix build failure on ppc64el
>
> libimobiledevice            Properly handle partial SSL writes
>
> libmatroska                 Bump shared library dependency to 1.4.7 since
>                             that version introduced new symbols
>
> libmysofa                   Security fixes [CVE-2019-16091 CVE-2019-16092
>                             CVE-2019-16093 CVE-2019-16094 CVE-2019-16095]
>
> libole-storage-lite-perl    Fix interpretation of years from 2020 onwards
>
> libparse-win32registry-perl Fix interpretation of years from 2020 onwards
>
> libperl4-corelibs-perl      Fix interpretation of years from 2020 onwards
>
> libsolv                     Fix heap buffer overflow [CVE-2019-20387]
>
> libspreadsheet-wright-perl  Fix previously unusable OpenDocument
>                             spreadsheets and passing of JSON formatting
>                             options
>
> libtimedate-perl            Fix interpretation of years from 2020 onwards
>
> libvirt                     apparmor: Allow one to run pygrub; don't
>                             render osxsave, ospke into QEMU command line;
>                             this helps newer QEMU with some configs
>                             generated by virt-install
>
> libvncserver                rfbserver: don't leak stack memory to the
>                             remote [CVE-2019-15681]; resolve a freeze
>                             during connection closure and a segmentation
>                             fault on multi-threaded VNC servers; fix issue
>                             connecting to VMWare servers; fix crashing of
>                             x11vnc when vncviewer connects
>
> limnoria                    Fix remote information disclosure and possibly
>                             remote code execution in the Math plugin
>                             [CVE-2019-19010]
>
> linux                       New upstream stable version; new upstream
>                             stable release
>
> linux-latest                Update for -8 kernel ABI
>
> linux-signed-amd64          New upstream stable release
>
> linux-signed-arm64          New upstream stable release
>
> linux-signed-i386           New upstream stable release
>
> mariadb-10.3                New upstream stable release [CVE-2019-2938
>                             CVE-2019-2974 CVE-2020-2574]
>
> mesa                        Call shmget() with permission 0600 instead of
>                             0777 [CVE-2019-5068]
>
> mnemosyne                   Add missing dependency on PIL
>
> modsecurity                 Fix cookie header parsing bug [CVE-2019-19886]
>
> node-handlebars             Disallow calling "helperMissing" and
>                             "blockHelperMissing" directly [CVE-2019-19919]
>
> node-kind-of                Fix type checking vulnerability in ctorName()
>                             [CVE-2019-20149]
>
> ntpsec                      Fix slow DNS retries; fix ntpdate -s (syslog)
>                             to fix the if-up hook; documentation fixes
>
> numix-gtk-theme             Fix co-installability with other themes
>
> nvidia-graphics-drivers-legacy-340xx
>                             New upstream stable release
>
> nyancat                     Rebuild in a clean environment to add the
>                             systemd unit for nyancat-server
>
> openjpeg2                   Fix heap overflow [CVE-2018-21010] and integer
>                             overflow [CVE-2018-20847]
>
> opensmtpd                   Warn users of change of smtpd.conf syntax (in
>                             earlier versions); install smtpctl setgid
>                             opensmtpq; handle non-zero exit code from
>                             hostname during config phase
>
> openssh                     Deny (non-fatally) ipc in the seccomp sandbox,
>                             fixing failures with OpenSSL 1.1.1d and Linux
>                             < 3.19 on some architectures
>
> php-horde                   Fix stored cross-site scripting issue in Horde
>                             Cloud Block [CVE-2019-12095]
>
> php-horde-text-filter       Fix invalid regular expressions
>
> postfix                     New upstream stable release
>
> postgresql-11               New upstream stable release
>
> print-manager               Fix crash if CUPS returns the same ID for
>                             multiple print jobs
>
> proftpd-dfsg                Fix CRL issues [CVE-2019-19270 CVE-2019-19269]
>
> pykaraoke                   Fix path to fonts
>
> python-evtx                 Fix import of "hexdump"
>
> python-internetarchive      Close file after getting hash, avoiding file
>                             descriptor exhaustion
>
> python3.7                   Security fixes [CVE-2019-9740 CVE-2019-9947
>                             CVE-2019-9948 CVE-2019-10160 CVE-2019-16056
>                             CVE-2019-16935]
>
> qtbase-opensource-src       Add support for non-PPD printers and avoid
>                             silent fallback to a printer supporting PPD;
>                             fix crash when using QLabels with rich text;
>                             fix graphics tablet hover events
>
> qtwebengine-opensource-src  Fix PDF parsing; disable executable stack
>
> quassel                     Fix quasselcore AppArmor denials when the
>                             config is saved; correct default channel for
>                             Debian; fix quasselcore AppArmor denials when
>                             the config is saved; correct default channel
>                             for Debian; remove unnecessary NEWS file
>
> qwinff                      Fix crash due to incorrect file detection
>
> raspi3-firmware             Fix detection of serial console with kernel
>                             5.x
>
> ros-ros-comm                Fix security issues [CVE-2019-13566
>                             CVE-2019-13465 CVE-2019-13445]
>
> roundcube                   New upstream stable release; fix insecure
>                             permissions in enigma plugin
>                             [CVE-2018-1000071]
>
> schleuder                   Fix recognizing keywords in mails with
>                             "protected headers" and empty subject; strip
>                             non-self-signatures when refreshing or
>                             fetching keys; error if the argument provided
>                             to `refresh_keys` is not an existing list; add
>                             missing List-Id header to notification mails
>                             sent to admins; handle decryption problems
>                             gracefully; default to ASCII-8BIT encoding
>
> simplesamlphp               Fix incompatibility with PHP 7.3
>
> sogo-connector              New upstream release compatible with
>                             Thunderbird 68
>
> spf-engine                  Fix privilege management at startup so Unix
>                             sockets work; update documentation for
>                             TestOnly
>
> sudo                        Fix a buffer overflow when pwfeedback is
>                             enabled and input is not a tty
>                             [CVE-2019-18634]
>
> systemd                     Set fs.file-max sysctl to LONG_MAX rather than
>                             ULONG_MAX; change ownership/mode of the
>                             execution directories also for static users,
>                             ensuring that execution directories like
>                             CacheDirectory and StateDirectory are properly
>                             chowned to the user specified in User= before
>                             launching the service
>
> tifffile                    Fix wrapper script
>
> tigervnc                    Security fixes [CVE-2019-15691 CVE-2019-15692
>                             CVE-2019-15693 CVE-2019-15694 CVE-2019-15695]
>
> tightvnc                    Security fixes [CVE-2014-6053 CVE-2019-8287
>                             CVE-2018-20021 CVE-2018-20022 CVE-2018-20748
>                             CVE-2018-7225 CVE-2019-15678 CVE-2019-15679
>                             CVE-2019-15680 CVE-2019-15681]
>
> uif                         Fix paths to ip(6)tables-restore in light of
>                             the migration to nftables
>
> unhide                      Fix stack exhaustion
>
> x2goclient                  Strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/}
>                             from destination paths in scp mode; fixes
>                             regression with newer libssh versions with
>                             fixes for CVE-2019-14889 applied
>
> xmltooling                  Fix race condition that could lead to crash
>                             under load
>
>
> A complete list of all accepted and rejected packages together with
> rationale is on the preparation page for this revision:
>
>   <https://release.debian.org/proposed-updates/stable.html>
>
>
> Removed packages
> ----------------
>
> The following packages will be removed due to circumstances beyond our
> control:
>
> Package                     Reason
> -------                     ------
>
> caml-crush                  [armel] Unbuildable due to lack of
>                             ocaml-native-compilers
>
> firetray                    Incompatible with current Thunderbird versions
>
> koji                        Security issues
>
> python-lamson               Broken by changes in python-daemon
>
>
> If you encounter any issues, please don't hesitate to get in touch with the
> Debian Release Team at "debian-release@lists.debian.org".
>