Updated Debian 10: 10.4 released
May 9th, 2020
The Debian project is pleased to announce the fourth update of its
stable distribution Debian 10 (codename buster).
This point release mainly adds corrections for security issues,
along with a few adjustments for serious problems. Security advisories
have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 10 but only updates some of the packages included. There is no need to throw away old buster media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
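The upgrade procedure above, written out as an added example (this script is not part of the Debian announcement or of any Debian package). It uses two real Debian 10 conventions: `/etc/debian_version` holds `10.N`, and the buster security suite is `buster/updates` on security.debian.org. The `SAMPLE_SOURCES` text is constructed for the example; the live-system checks and the `apt-get` calls only run when the script is invoked with `--run`.

```shell
#!/bin/sh
# Added example, not part of the Debian announcement: pre-flight checks and
# the upgrade commands for moving an existing buster install to 10.4.
# Real Debian conventions used: /etc/debian_version holds "10.N", and the
# Debian 10 security suite is "buster/updates" on security.debian.org.
# The sources.list text below is constructed for the example.

# Print the point-release number from a /etc/debian_version string
# ("10.4" -> "4"); fail for anything that is not Debian 10.
debian_point_release() {
    case "$1" in
        10.[0-9]*) printf '%s\n' "${1#10.}" ;;
        *) return 1 ;;
    esac
}

# Succeed when the version string is already 10.4 or later.
at_least_10_4() {
    minor=$(debian_point_release "$1") || return 1
    [ "$minor" -ge 4 ]
}

# Succeed when an APT sources text (sources.list contents) carries the
# buster security suite, so "apt-get update" will also see security updates.
has_buster_security() {
    printf '%s\n' "$1" | grep -Eq \
        '^deb[[:space:]]+(\[[^]]*\][[:space:]]+)?https?://security\.debian\.org/[^[:space:]]*[[:space:]]+buster/updates[[:space:]]'
}

# Constructed sample: a typical buster sources.list with the security suite.
SAMPLE_SOURCES='deb http://deb.debian.org/debian buster main
deb http://security.debian.org/debian-security buster/updates main
deb http://deb.debian.org/debian buster-updates main'

# The actual upgrade. full-upgrade (not plain upgrade) lets apt follow the
# 4.19.0-9 kernel ABI bump shipped in this point release.
upgrade_to_point_release() {
    apt-get update && apt-get full-upgrade
}

# Touch the live system only when asked to, so sourcing this file for its
# functions has no side effects.
if [ "${1:-}" = "--run" ]; then
    current=$(cat /etc/debian_version 2>/dev/null || echo unknown)
    if at_least_10_4 "$current"; then
        echo "already at Debian $current, nothing to do"
        exit 0
    fi
    if ! has_buster_security "$(cat /etc/apt/sources.list 2>/dev/null)"; then
        echo "warning: no buster/updates security line in /etc/apt/sources.list" >&2
    fi
    upgrade_to_point_release
fi
```

Run it as `sh upgrade-check.sh --run` on the target host. The security-suite check matters because, as the text notes, most of this point release's changes were already published through security.debian.org; a host without that line has been missing them regardless of point release.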
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
apt-cacher-ng | Enforce secured call to the server in maintenance job triggering [CVE-2020-5202]; allow .zst compression for tarballs; increase size of the decompression line buffer for configuration file reading |
backuppc | Pass the username to start-stop-daemon when reloading, preventing reload failures |
base-files | Update for the point release |
brltty | Reduce severity of log message to avoid generating too many messages when used with new Orca versions |
checkstyle | Fix XML External Entity injection issue [CVE-2019-9658 CVE-2019-10782] |
choose-mirror | Update included mirror list |
clamav | New upstream release [CVE-2020-3123] |
corosync | totemsrp: Reduce MTU to avoid generating oversized packets |
corosync-qdevice | Fix service startup |
csync2 | Fail HELLO command when SSL is required |
cups | Fix heap buffer overflow [CVE-2020-3898]; fix the `ippReadIO` function under-reading an extension field [CVE-2019-8842] |
dav4tbsync | New upstream release, restoring compatibility with newer Thunderbird versions |
debian-edu-config | Add policy files for Firefox ESR and Thunderbird to fix the TLS/SSL setup |
debian-installer | Update for the 4.19.0-9 kernel ABI |
debian-installer-netboot-images | Rebuild against proposed-updates |
debian-security-support | New upstream stable release; update status of several packages; use runuser rather than su |
distro-info-data | Add Ubuntu 20.10, and likely end of support date for stretch |
dojo | Fix improper regular expression usage [CVE-2019-10785] |
dpdk | New upstream stable release |
dtv-scan-tables | New upstream snapshot; add all current German DVB-T2 muxes and the Eutelsat-5-West-A satellite |
eas4tbsync | New upstream release, restoring compatibility with newer Thunderbird versions |
edk2 | Security fixes [CVE-2019-14558 CVE-2019-14559 CVE-2019-14563 CVE-2019-14575 CVE-2019-14586 CVE-2019-14587] |
el-api | Fix stretch to buster upgrades that involve Tomcat 8 |
fex | Fix a potential security issue in fexsrv |
filezilla | Fix untrusted search path vulnerability [CVE-2019-5429] |
frr | Fix extended next hop capability |
fuse | Remove outdated udevadm commands from post-install scripts; don't explicitly remove fuse.conf on purge |
fuse3 | Remove outdated udevadm commands from post-install scripts; don't explicitly remove fuse.conf on purge; fix memory leak in fuse_session_new() |
golang-github-prometheus-common | Extend validity of test certificates |
gosa | Replace (un)serialize with json_encode/json_decode to mitigate PHP object injection [CVE-2019-14466] |
hbci4java | Support EU directive on payment services (PSD2) |
hibiscus | Support EU directive on payment services (PSD2) |
iputils | Correct an issue in which ping would improperly exit with a failure code when there were untried addresses still available in the getaddrinfo() library call return value |
ircd-hybrid | Use dhparam.pem to avoid crash on startup |
jekyll | Allow use of ruby-i18n 0.x and 1.x |
jsp-api | Fix stretch to buster upgrades that involve Tomcat 8 |
lemonldap-ng | Prevent unwanted access to administration endpoints [CVE-2019-19791]; fix the GrantSession plugin which could not prohibit logon when two factor authentication was used; fix arbitrary redirects with OIDC if redirect_uri was not used |
libdatetime-timezone-perl | Update included data |
libreoffice | Fix OpenGL slide transitions |
libssh | Fix possible denial of service issue when handling AES-CTR keys with OpenSSL [CVE-2020-1730] |
libvncserver | Fix heap overflow [CVE-2019-15690] |
linux | New upstream stable release |
linux-latest | Update kernel ABI to 4.19.0-9 |
linux-signed-amd64 | New upstream stable release |
linux-signed-arm64 | New upstream stable release |
linux-signed-i386 | New upstream stable release |
lwip | Fix buffer overflow [CVE-2020-8597] |
lxc-templates | New upstream stable release; handle languages that are only UTF-8 encoded |
manila | Fix missing access permissions check [CVE-2020-9543] |
megatools | Add support for the new format of mega.nz links |
mew | Fix server SSL certificate validity checking |
mew-beta | Fix server SSL certificate validity checking |
mkvtoolnix | Rebuild to tighten libmatroska6v5 dependency |
ncbi-blast+ | Disable SSE4.2 support |
node-anymatch | Remove unnecessary dependencies |
node-dot | Prevent code execution after prototype pollution [CVE-2020-8141] |
node-dot-prop | Fix prototype pollution [CVE-2020-8116] |
node-knockout | Fix escaping with older Internet Explorer versions [CVE-2019-14862] |
node-mongodb | Reject invalid _bsontypes [CVE-2019-2391 CVE-2020-7610] |
node-yargs-parser | Fix prototype pollution [CVE-2020-7608] |
npm | Fix arbitrary path access [CVE-2019-16775 CVE-2019-16776 CVE-2019-16777] |
nvidia-graphics-drivers | New upstream stable release |
nvidia-graphics-drivers-legacy-390xx | New upstream stable release |
nvidia-settings-legacy-340xx | New upstream release |
oar | Revert to stretch behavior for Storable::dclone perl function, fixing recursion depth issues |
opam | Prefer mccs over aspcud |
openvswitch | Fix vswitchd abort when a port is added and the controller is down |
orocos-kdl | Fix string conversion with Python 3 |
owfs | Remove broken Python 3 packages |
pango1.0 | Fix crash in pango_fc_font_key_get_variations() when key is null |
pgcli | Add missing dependency on python3-pkg-resources |
php-horde-data | Fix authenticated remote code execution vulnerability [CVE-2020-8518] |
php-horde-form | Fix authenticated remote code execution vulnerability [CVE-2020-8866] |
php-horde-trean | Fix authenticated remote code execution vulnerability [CVE-2020-8865] |
postfix | New upstream stable release; fix panic with Postfix multi-Milter configuration during MAIL FROM; fix d/init.d running change so it works with multi-instance again |
proftpd-dfsg | Fix memory access issue in keyboard-interactive code in mod_sftp; properly handle DEBUG, IGNORE, DISCONNECT, and UNIMPLEMENTED messages in keyboard-interactive mode |
puma | Fix Denial of Service issue [CVE-2019-16770] |
purple-discord | Fix crashes in ssl_nss_read |
python-oslo.utils | Fix leak of sensitive information via mistral logs [CVE-2019-3866] |
rails | Fix possible cross-site scripting via Javascript escape helper [CVE-2020-5267] |
rake | Fix command injection vulnerability [CVE-2020-8130] |
raspi3-firmware | Fix dtb names mismatch in z50-raspi-firmware; fix boot on Raspberry Pi families 1 and 0 |
resource-agents | Fix ethmonitor does not list interfaces without assigned IP address; remove no longer required xen-toolstack patch; fix non-standard usage in ZFS agent |
rootskel | Disable multiple console support if preseeding is in use |
ruby-i18n | Fix gemspec generation |
rubygems-integration | Avoid deprecation warnings when users install a newer version of Rubygems via gem update --system |
schleuder | Improve patch to handle encoding errors introduced in the previous version; switch default encoding to UTF-8; let x-add-key handle mails with attached, quoted-printable encoded keys; fix x-attach-listkey with mails created by Thunderbird that include protected headers |
scilab | Fix library loading with OpenJDK 11.0.7 |
serverspec-runner | Support Ruby 2.5 |
softflowd | Fix broken flow aggregation which might result in flow table overflow and 100% CPU usage |
speech-dispatcher | Fix default pulseaudio latency which triggers scratchy output |
spl-linux | Fix deadlock |
sssd | Fix sssd_be busy-looping when LDAP connection is intermittent |
systemd | When authorizing via PolicyKit, re-resolve callback/userdata instead of caching it [CVE-2020-1712]; install 60-block.rules in udev-udeb and initramfs-tools |
taglib | Fix corruption issues with OGG files |
tbsync | New upstream release, restoring compatibility with newer Thunderbird versions |
timeshift | Fix predictable temporary directory use [CVE-2020-10174] |
tinyproxy | Only set PIDDIR, if PIDFILE is a non-zero length string |
tzdata | New upstream stable release |
uim | Unregister modules that are not installed, fixing a regression in the previous upload |
user-mode-linux | Fix build failure with current stable kernels |
vite | Fix crash when there are more than 32 elements |
waagent | New upstream release; support co-installation with cloud-init |
websocket-api | Fix stretch to buster upgrades that involve Tomcat 8 |
wpa | Do not try to detect PSK mismatch during PTK rekeying; check for FT support when selecting FT suites; fix MAC randomisation issue with some cards |
xdg-utils | xdg-open: fix pcmanfm check and handling of directories with spaces in their names; xdg-screensaver: Sanitise window name before sending it over D-Bus; xdg-mime: Create config directory if it does not exist yet |
xtrlock | Fix blocking of (some) multitouch devices while locked [CVE-2016-10894] |
zfs-linux | Fix potential deadlock issues |
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
getlive | Broken due to Hotmail changes |
gplaycli | Broken by Google API changes |
kerneloops | Upstream service no longer available |
lambda-align2 | [arm64 armel armhf i386 mips64el ppc64el s390x] Broken on non-amd64 architectures |
libmicrodns | Security issues |
libperlspeak-perl | Security issues; unmaintained |
quotecolors | Incompatible with newer Thunderbird versions |
torbirdy | Incompatible with newer Thunderbird versions |
ugene | Non-free; fails to build |
yahoo2mbox | Broken for several years |
Debian Installer
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
stable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.