Linux Distros

Debian 10.8 Update Release

The Debian project is pleased to announce the eighth update of its stable distribution Debian 10 (codename buster). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 10 but only updates some of the packages included. There is no need to throw away old buster media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won’t have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian’s many HTTP mirrors. A comprehensive list of mirrors is available at:https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

PackageReason
atftpFix denial of service issue [CVE-2020-6097]
base-filesUpdate /etc/debian_version for the 10.8 point release
ca-certificatesUpdate Mozilla CA bundle to 2.40, blacklist expired AddTrust External Root
cactiFix SQL injection issue [CVE-2020-35701] and stored XSS issue
cairoFix mask usage in image-compositor [CVE-2020-35492]
choose-mirrorUpdate mirror list
cjsonFix infinite loop in cJSON_Minify
clevisFix initramfs creation; clevis-dracut: Trigger initramfs creation upon installation
cyrus-imapdFix version comparison in cron script
debian-edu-configMove host keytabs cleanup code out of gosa-modify-host into a standalone script, reducing LDAP calls to a single query
debian-installerUse 4.19.0-14 Linux kernel ABI; rebuild against proposed-updates
debian-installer-netboot-imagesRebuild against proposed-updates
debian-installer-utilsSupport partitions on USB UAS devices
device-tree-compilerFix segfault on dtc -I fs /proc/device-tree
didjvuAdd missing build-dependency on tzdata
dovecotFix crash when searching mailboxes containing malformed MIME messages
dpdkNew upstream stable release
edk2CryptoPkg/BaseCryptLib: fix NULL dereference [CVE-2019-14584]
emacsDon’t crash with OpenPGP User IDs with no e-mail address
fcitxFix input method support in Flatpaks
fileIncrease name recursion depth to 50 by default
geoclue-2.0Check the maximum allowed accuracy level even for system applications; make the Mozilla API key configurable and use a Debian-specific key by default; fix display of the usage indicator
gnutls28Fix test suite error caused by expired certificate
grub2When upgrading grub-pc noninteractively, bail out if grub-install fails; explicitly check whether the target device exists before running grub-install; grub-install: Add backup and restore; don’t call grub-install on fresh install of grub-pc
highlight.jsFix prototype pollution [CVE-2020-26237]
intel-microcodeUpdate various microcode
iproute2Fix bugs in JSON output; fix race condition that DOSes the system when using ip netns add at boot
irssi-plugin-xmppDo not trigger the irssi core connect timeout prematurely, thus fixing STARTTLS connections
libdatetime-timezone-perlUpdate for new tzdata version
libdbd-csv-perlFix test failure with libdbi-perl 1.642-1+deb10u2
libdbi-perlSecurity fix [CVE-2014-10402]
libmaxminddbFix heap-based buffer over-read [CVE-2020-28241]
lttng-modulesFix build on kernel versions >= 4.19.0-10
m2cryptoFix compatibility with OpenSSL 1.1.1i and newer
mini-builddbuilder.py: sbuild call: set ‘–no-arch-all’ explicitly
net-snmpsnmpd: Add cacheTime and execType flags to EXTEND-MIB
node-iniDo not allow invalid hazardous string as section name [CVE-2020-7788]
node-y18nFix prototype pollution issue [CVE-2020-7774]
nvidia-graphics-driversNew upstream release; fix possible denial of service and information disclosure [CVE-2021-1056]
nvidia-graphics-drivers-legacy-390xxNew upstream release; fix possible denial of service and information disclosure [CVE-2021-1056]
pdnsSecurity fixes [CVE-2019-10203 CVE-2020-17482]
pepperflashplugin-nonfreeTurn into a dummy package taking care of removing the previously installed plugin (no longer functional nor supported)
pngcheckFix buffer overflow [CVE-2020-27818]
postgresql-11New upstream stable release; security fixes [CVE-2020-25694 CVE-2020-25695 CVE-2020-25696]
postsrsdEnsure timestamp tags aren’t too long before trying to decode them [CVE-2020-35573]
python-bottleStop allowing ; as a query-string separator [CVE-2020-28473]
python-certbotAutomatically use ACMEv2 API for renewals, to avoid issues with ACMEv1 API removal
qxmppFix potential SEGFAULT on connection error
silxpython(3)-silx: Add dependency on python(3)-scipy
slirpFix buffer overflows [CVE-2020-7039 CVE-2020-8608]
steamNew upstream release
systemdjournal: do not trigger assertion when journal_file_close() is passed NULL
tangAvoid race condition between keygen and update
tzdataNew upstream release; update included timezone data
unzipApply further fixes for CVE-2019-13232
wiresharkFix various crashes, infinite loops and memory leaks [CVE-2019-16319 CVE-2019-19553 CVE-2020-11647 CVE-2020-13164 CVE-2020-15466 CVE-2020-25862 CVE-2020-25863 CVE-2020-26418 CVE-2020-26421 CVE-2020-26575 CVE-2020-28030 CVE-2020-7045 CVE-2020-9428 CVE-2020-9430 CVE-2020-9431]

URLs

The complete lists of packages that have changed with this revision:http://ftp.debian.org/debian/dists/buster/ChangeLog

The current stable distribution:http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:http://ftp.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):https://www.debian.org/releases/stable/

Security announcements and information:https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Leave a Reply

Your email address will not be published. Required fields are marked *