Bruno

NEW UPDATES Debian

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4720-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
July 08, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : roundcube
CVE ID         : CVE-2020-15562
Debian Bug     : 964355

It was discovered that roundcube, a skinnable AJAX based webmail
solution for IMAP servers, did not properly sanitize incoming mail
messages. This would allow a remote attacker to perform a Cross-Site
Scripting (XSS) attack.

For the stable distribution (buster), this problem has been fixed in
version 1.3.14+dfsg.1-1~deb10u1.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-4721-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 08, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby2.5
CVE ID         : CVE-2020-10663 CVE-2020-10933

Several vulnerabilities have been discovered in the interpreter for the
Ruby language.

CVE-2020-10663

    Jeremy Evans reported an unsafe object creation vulnerability in the
    json gem bundled with Ruby. When parsing certain JSON documents, the
    json gem can be coerced into creating arbitrary objects in the
    target system.

CVE-2020-10933

    Samuel Williams reported a flaw in the socket library which may lead
    to exposure of possibly sensitive data from the interpreter.

For the stable distribution (buster), these problems have been fixed in
version 2.5.5-3+deb10u2.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-4722-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 08, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ffmpeg
CVE ID         : CVE-2019-13390 CVE-2019-17539 CVE-2019-17542
                 CVE-2020-12284 CVE-2020-13904

Several vulnerabilities have been discovered in the FFmpeg multimedia
framework, which could result in denial of service or potentially the
execution of arbitrary code if malformed files/streams are processed.

For the stable distribution (buster), these problems have been fixed in
version 7:4.1.6-1~deb10u1.

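A check an administrator would want after reading advisories like the three above, added here as an example that is not part of the original post or of Debian's own tooling: it pulls the source package and fixed version out of DSA text and compares them with installed versions using a Python port of dpkg's version-ordering rules (the epoch:upstream-revision split, numeric runs compared by value, and `~` sorting before the end of the string, which is why `1-1~deb10u1` is older than `1-1`). The advisory fragment reuses the packages and fixed versions from this post; the installed-version lines are constructed for a hypothetical buster host, and `ADVISORY_SAMPLE`, `DPKG_SAMPLE` and all function names are the example's own.

```python
"""Compare installed Debian package versions against the fixed versions named
in DSA advisory text, using a port of dpkg's version-comparison rules.
Example code, not Debian's; sample data below is constructed."""
import re
from typing import Dict, Tuple


def _order(c: str) -> int:
    # Sort weight of one character in a non-digit run, as dpkg's verrevcmp does:
    # '~' sorts before the end of the string, letters before other symbols.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream part or Debian revision)."""
    while a or b:
        first_diff = 0
        # Compare a run of non-digit characters by sort weight.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Compare the following numeric run by value (leading zeros dropped).
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():      # a's number has more digits: a is newer
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, _, revision = version.rpartition("-")
    if not upstream:                  # no '-' at all: everything is upstream
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return <0, 0 or >0 as `dpkg --compare-versions` would order a against b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


# "Package : <name>" followed (non-greedily) by "fixed in version <ver>."
ADVISORY_RE = re.compile(r"Package\s*:\s*(\S+).*?fixed in\s+version\s+(\S+)", re.S)


def parse_fixed_versions(advisory_text: str) -> Dict[str, str]:
    """Extract {source package: fixed version} from one or more DSA texts."""
    return {pkg: ver.rstrip(".") for pkg, ver in ADVISORY_RE.findall(advisory_text)}


def parse_dpkg_query(output: str) -> Dict[str, str]:
    """Parse lines shaped like `dpkg-query -W -f='${Package} ${Version}\\n'`."""
    installed = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed


def audit(advisory_text: str, dpkg_output: str) -> Dict[str, str]:
    """Classify each advisory package as 'fixed', 'vulnerable' or 'not installed'."""
    fixed = parse_fixed_versions(advisory_text)
    installed = parse_dpkg_query(dpkg_output)
    result = {}
    for pkg, fixed_ver in fixed.items():
        if pkg not in installed:
            result[pkg] = "not installed"
        elif compare_versions(installed[pkg], fixed_ver) < 0:
            result[pkg] = "vulnerable"
        else:
            result[pkg] = "fixed"
    return result


# Advisory fragment built from the DSA texts in this post.
ADVISORY_SAMPLE = """\
Package        : roundcube
For the stable distribution (buster), this problem has been fixed in
version 1.3.14+dfsg.1-1~deb10u1.
Package        : ruby2.5
For the stable distribution (buster), these problems have been fixed in
version 2.5.5-3+deb10u2.
Package        : ffmpeg
For the stable distribution (buster), these problems have been fixed in
version 7:4.1.6-1~deb10u1.
"""

# Constructed dpkg-query output for a hypothetical host (not real data).
DPKG_SAMPLE = """\
roundcube 1.3.14+dfsg.1-1~deb10u1
ruby2.5 2.5.5-3+deb10u1
ffmpeg 7:4.1.4-1~deb10u1
"""

if __name__ == "__main__":
    for pkg, status in audit(ADVISORY_SAMPLE, DPKG_SAMPLE).items():
        print(f"{pkg:12} {status}")
```

On a real host, feed `audit()` the output of `dpkg-query -W -f='${source:Package} ${source:Version}\n'` rather than binary package names, since a DSA names the source package (`ruby2.5` here) while the installed binaries may be called something else (`libruby2.5`, for instance); an unfixed binary will only be caught when its source package and version are compared.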
sunrat
------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Debian 8 Long Term Support reaching end-of-life         press@debian.org
July 9th, 2020                 https://www.debian.org/News/2020/20200709
------------------------------------------------------------------------


The Debian Long Term Support (LTS) Team hereby announces that Debian 8
"jessie" support has reached its end-of-life on June 30, 2020, five
years after its initial release on April 26, 2015.

Debian will not provide further security updates for Debian 8. A subset
of "jessie" packages will be supported by external parties. Detailed
information can be found at Extended LTS [1].

    1: https://wiki.debian.org/LTS/Extended

The LTS Team will prepare the transition to Debian 9 "stretch", which is
the current oldstable release. The LTS Team has taken over support from
the Security Team on July 6, 2020 while the final point update for
"stretch" will be released on July 18, 2020.

Debian 9 will also receive Long Term Support for five years after its
initial release with support ending on June 30, 2022. The supported
architectures remain amd64, i386, armel and armhf. In addition we are
pleased to announce, for the first time support will be extended to
include the arm64 architecture.

For further information about using "stretch" LTS and upgrading from
"jessie" LTS, please refer to LTS/Using [2].

    2: https://wiki.debian.org/LTS/Using

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4723-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 12, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2020-11739 CVE-2020-11740 CVE-2020-11741 CVE-2020-11742 
                 CVE-2020-11743 CVE-2020-15563 CVE-2020-15564 CVE-2020-15565 
                 CVE-2020-15566 CVE-2020-15567

Multiple vulnerabilities have been discovered in the Xen hypervisor,
which could result in denial of service, guest-to-host privilege
escalation or information leaks.
For the stable distribution (buster), these problems have been fixed in
version 4.11.4+24-gddaaccbbab-1~deb10u1.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4714-3                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
July 13, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
Debian Bug     : 963548

The previous update for chromium released as DSA 4714-2 contained a flaw in
the service worker implementation.  This problem causes the browser to crash
when a connection error occurs.  Updated chromium packages are now available
that correct this issue.

For the stable distribution (buster), this problem has been fixed in
version 83.0.4103.116-1~deb10u3.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4724-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
July 15, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2020-9802 CVE-2020-9803 CVE-2020-9805 CVE-2020-9806
                 CVE-2020-9807 CVE-2020-9843 CVE-2020-9850 CVE-2020-13753

The following vulnerabilities have been discovered in the webkit2gtk
web engine:

CVE-2020-9802

    Samuel Gross discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2020-9803

    Wen Xu discovered that processing maliciously crafted web content
    may lead to arbitrary code execution.

CVE-2020-9805

    An anonymous researcher discovered that processing maliciously
    crafted web content may lead to universal cross site scripting.

CVE-2020-9806

    Wen Xu discovered that processing maliciously crafted web content
    may lead to arbitrary code execution.

CVE-2020-9807

    Wen Xu discovered that processing maliciously crafted web content
    may lead to arbitrary code execution.

CVE-2020-9843

    Ryan Pickren discovered that processing maliciously crafted web
    content may lead to a cross site scripting attack.

CVE-2020-9850

    @jinmo123, @setuid0x0_, and @insu_yun_en discovered that a remote
    attacker may be able to cause arbitrary code execution.

CVE-2020-13753

    Milan Crha discovered that an attacker may be able to execute
    commands outside the bubblewrap sandbox.

For the stable distribution (buster), these problems have been fixed in
version 2.28.3-2~deb10u1.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-4725-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 15, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : evolution-data-server
CVE ID         : CVE-2020-14928

Damian Poddebniak and Fabian Ising discovered a response injection
vulnerability in Evolution data server, which could enable MITM
attacks.

For the stable distribution (buster), this problem has been fixed in
version 3.30.5-1+deb10u1.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4726-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 17, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : nss
CVE ID         : CVE-2019-17006 CVE-2019-17023 CVE-2020-12399 CVE-2020-12402

Several vulnerabilities were discovered in NSS, a set of cryptographic
libraries, which may result in side channel/timing attacks or denial
of service.

For the stable distribution (buster), these problems have been fixed in
version 2:3.42.1-1+deb10u3.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-4727-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 17, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tomcat9
CVE ID         : CVE-2020-9484 CVE-2020-11996 CVE-2020-13934 CVE-2020-13935

Several vulnerabilities were discovered in the Tomcat servlet and JSP
engine, which could result in code execution or denial of service.

For the stable distribution (buster), these problems have been fixed in
version 9.0.31-1~deb10u2.

sunrat
------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 9: 9.13 released                         press@debian.org
July 18th, 2020                https://www.debian.org/News/2020/20200718
------------------------------------------------------------------------

The Debian project is pleased to announce the thirteenth (and final)
update of its oldstable distribution Debian 9 (codename "stretch"). This
point release mainly adds corrections for security issues, along with a
few adjustments for serious problems. Security advisories have already
been published separately and are referenced where available.

After this point release, Debian's Security and Release Teams will no
longer be producing updates for Debian 9. Users wishing to continue to
receive security support should upgrade to Debian 10, or see
https://wiki.debian.org/LTS for details about the subset of
architectures and packages covered by the Long Term Support project.

Please note that the point release does not constitute a new version of
Debian 9 but only updates some of the packages included. There is no
need to throw away old "stretch" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list


Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following
packages:

+--------------------------+------------------------------------------+
| Package                  | Reason                                   |
+--------------------------+------------------------------------------+
| acmetool [1]             | Rebuild against recent golang to pick up |
|                          | security fixes                           |
|                          |                                          |
| atril [2]                | dvi: Mitigate command injection attacks  |
|                          | by quoting filename [CVE-2017-1000159];  |
|                          | fix overflow checks in tiff backend      |
|                          | [CVE-2019-1010006]; tiff: Handle failure |
|                          | from TIFFReadRGBAImageOriented           |
|                          | [CVE-2019-11459]                         |
|                          |                                          |
| bacula [3]               | Add transitional package bacula-         |
|                          | director-common, avoiding loss of /etc/  |
|                          | bacula/bacula-dir.conf when purged; make |
|                          | PID files owned by root                  |
|                          |                                          |
| base-files [4]           | Update /etc/debian_version for the point |
|                          | release                                  |
|                          |                                          |
| batik [5]                | Fix server-side request forgery via      |
|                          | xlink:href attributes [CVE-2019-17566]   |
|                          |                                          |
| c-icap-modules [6]       | Support ClamAV 0.102                     |
|                          |                                          |
| ca-certificates [7]      | Update Mozilla CA bundle to 2.40,        |
|                          | blacklist distrusted Symantec roots and  |
|                          | expired  "AddTrust External Root" ;      |
|                          | remove e-mail only certificates          |
|                          |                                          |
| chasquid [8]             | Rebuild against recent golang to pick up |
|                          | security fixes                           |
|                          |                                          |
| checkstyle [9]           | Fix XML External Entity injection issue  |
|                          | [CVE-2019-9658 CVE-2019-10782]           |
|                          |                                          |
| clamav [10]              | New upstream release [CVE-2020-3123];    |
|                          | security fixes [CVE-2020-3327 CVE-2020-  |
|                          | 3341]                                    |
|                          |                                          |
| compactheader [11]       | New upstream version, compatible with    |
|                          | newer Thunderbird versions               |
|                          |                                          |
| cram [12]                | Ignore test failures to fix build issues |
|                          |                                          |
| csync2 [13]              | Fail HELLO command when SSL is required  |
|                          |                                          |
| cups [14]                | Fix heap buffer overflow [CVE-2020-3898] |
|                          | and  "the `ippReadIO` function may       |
|                          | under-read an extension                  |
|                          | field"  [CVE-2019-8842]                  |
|                          |                                          |
| dbus [15]                | New upstream stable release; prevent a   |
|                          | denial of service issue [CVE-2020-       |
|                          | 12049]; prevent use-after-free if two    |
|                          | usernames share a uid                    |
|                          |                                          |
| debian-installer [16]    | Update for the 4.9.0-13 Linux kernel ABI |
|                          |                                          |
| debian-installer-        | Rebuild against stretch-proposed-updates |
| netboot-images [17]      |                                          |
|                          |                                          |
| debian-security-         | Update support status of several         |
| support [18]             | packages                                 |
|                          |                                          |
| erlang [19]              | Fix use of weak TLS ciphers [CVE-2020-   |
|                          | 12872]                                   |
|                          |                                          |
| exiv2 [20]               | Fix denial of service issue [CVE-2018-   |
|                          | 16336]; fix over-restrictive fix for     |
|                          | CVE-2018-10958 and CVE-2018-10999        |
|                          |                                          |
| fex [21]                 | Security update                          |
|                          |                                          |
| file-roller [22]         | Security fix [CVE-2020-11736]            |
|                          |                                          |
| fwupd [23]               | New upstream release; use a CNAME to     |
|                          | redirect to the correct CDN for          |
|                          | metadata; do not abort startup if the    |
|                          | XML metadata file is invalid; add the    |
|                          | Linux Foundation public GPG keys for     |
|                          | firmware and metadata; raise the         |
|                          | metadata limit to 10MB                   |
|                          |                                          |
| glib-networking [24]     | Return bad identity error if identity is |
|                          | unset [CVE-2020-13645]                   |
|                          |                                          |
| gnutls28 [25]            | Fix memory corruption issue [CVE-2019-   |
|                          | 3829]; fix memory leak; add support for  |
|                          | zero length session tickets, fix         |
|                          | connection errors on TLS1.2 sessions to  |
|                          | some hosting providers                   |
|                          |                                          |
| gosa [26]                | Tighten check on LDAP success/failure    |
|                          | [CVE-2019-11187]; fix compatibility with |
|                          | newer PHP versions; backport several     |
|                          | other patches; replace (un)serialize     |
|                          | with json_encode/json_decode to mitigate |
|                          | PHP object injection [CVE-2019-14466]    |
|                          |                                          |
| heartbleeder [27]        | Rebuild against recent golang to pick up |
|                          | security fixes                           |
|                          |                                          |
| intel-microcode [28]     | Downgrade some microcodes to previously  |
|                          | released revisions, working around hangs |
|                          | on boot on Skylake-U/Y and Skylake Xeon  |
|                          | E3                                       |
|                          |                                          |
| iptables-persistent [29] | Don't fail if modprobe does              |
|                          |                                          |
| jackson-databind [30]    | Fix multiple security issues affecting   |
|                          | BeanDeserializerFactory [CVE-2020-9548   |
|                          | CVE-2020-9547 CVE-2020-9546 CVE-2020-    |
|                          | 8840 CVE-2020-14195 CVE-2020-14062       |
|                          | CVE-2020-14061 CVE-2020-14060 CVE-2020-  |
|                          | 11620 CVE-2020-11619 CVE-2020-11113      |
|                          | CVE-2020-11112 CVE-2020-11111 CVE-2020-  |
|                          | 10969 CVE-2020-10968 CVE-2020-10673      |
|                          | CVE-2020-10672 CVE-2019-20330 CVE-2019-  |
|                          | 17531 and CVE-2019-17267]                |
|                          |                                          |
| libbusiness-hours-       | Use explicit 4 digit years, fixing build |
| perl [31]                | and usage issues                         |
|                          |                                          |
| libclamunrar [32]        | New upstream stable release; add an      |
|                          | unversioned meta-package                 |
|                          |                                          |
| libdbi [33]              | Comment out _error_handler() call again, |
|                          | fixing issues with consumers             |
|                          |                                          |
| libembperl-perl [34]     | Handle error pages from Apache >= 2.4.40 |
|                          |                                          |
| libexif [35]             | Security fixes [CVE-2016-6328 CVE-2017-  |
|                          | 7544 CVE-2018-20030 CVE-2020-12767       |
|                          | CVE-2020-0093]; security fixes           |
|                          | [CVE-2020-13112 CVE-2020-13113 CVE-2020- |
|                          | 13114]; fix a buffer read overflow       |
|                          | [CVE-2020-0182] and an unsigned integer  |
|                          | overflow [CVE-2020-0198]                 |
|                          |                                          |
| libvncserver [36]        | Fix heap overflow [CVE-2019-15690]       |
|                          |                                          |
| linux [37]               | New upstream stable release; update ABI  |
|                          | to 4.9.0-13                              |
|                          |                                          |
| linux-latest [38]        | Update for 4.9.0-13 kernel ABI           |
|                          |                                          |
| mariadb-10.1 [39]        | New upstream stable release; security    |
|                          | fixes [CVE-2020-2752 CVE-2020-2812       |
|                          | CVE-2020-2814]                           |
|                          |                                          |
| megatools [40]           | Add support for the new format of        |
|                          | mega.nz links                            |
|                          |                                          |
| mod-gnutls [41]          | Avoid deprecated ciphersuites in test    |
|                          | suite; fix test failures when combined   |
|                          | with Apache's fix for CVE-2019-10092     |
|                          |                                          |
| mongo-tools [42]         | Rebuild against recent golang to pick up |
|                          | security fixes                           |
|                          |                                          |
| neon27 [43]              | Treat OpenSSL-related test failures as   |
|                          | non-fatal                                |
|                          |                                          |
| nfs-utils [44]           | Fix potential file overwrite             |
|                          | vulnerability [CVE-2019-3689]; don't     |
|                          | make all of /var/lib/nfs owned by the    |
|                          | statd user                               |
|                          |                                          |
| nginx [45]               | Fix error page request smuggling         |
|                          | vulnerability [CVE-2019-20372]           |
|                          |                                          |
| node-url-parse [46]      | Sanitize paths and hosts before parsing  |
|                          | [CVE-2018-3774]                          |
|                          |                                          |
| nvidia-graphics-         | New upstream stable release; new         |
| drivers [47]             | upstream stable release; security fixes  |
|                          | [CVE-2020-5963 CVE-2020-5967]            |
|                          |                                          |
| pcl [48]                 | Fix missing dependency on libvtk6-qt-dev |
|                          |                                          |
| perl [49]                | Fix multiple regular expression related  |
|                          | security issues [CVE-2020-10543          |
|                          | CVE-2020-10878 CVE-2020-12723]           |
|                          |                                          |
| php-horde [50]           | Fix cross-site scripting vulnerability   |
|                          | [CVE-2020-8035]                          |
|                          |                                          |
| php-horde-data [51]      | Fix authenticated remote code execution  |
|                          | vulnerability [CVE-2020-8518]            |
|                          |                                          |
| php-horde-form [52]      | Fix authenticated remote code execution  |
|                          | vulnerability [CVE-2020-8866]            |
|                          |                                          |
| php-horde-gollem [53]    | Fix cross-site scripting vulnerability   |
|                          | in breadcrumb output [CVE-2020-8034]     |
|                          |                                          |
| php-horde-trean [54]     | Fix authenticated remote code execution  |
|                          | vulnerability [CVE-2020-8865]            |
|                          |                                          |
| phpmyadmin [55]          | Several security fixes [CVE-2018-19968   |
|                          | CVE-2018-19970 CVE-2018-7260 CVE-2019-   |
|                          | 11768 CVE-2019-12616 CVE-2019-6798       |
|                          | CVE-2019-6799 CVE-2020-10802 CVE-2020-   |
|                          | 10803 CVE-2020-10804 CVE-2020-5504]      |
|                          |                                          |
| postfix [56]             | New upstream stable release              |
|                          |                                          |
| proftpd-dfsg [57]        | Fix handling SSH_MSG_IGNORE packets      |
|                          |                                          |
| python-icalendar [58]    | Fix Python3 dependencies                 |
|                          |                                          |
| rails [59]               | Fix possible cross-site scripting via    |
|                          | Javascript escape helper [CVE-2020-5267] |
|                          |                                          |
| rake [60]                | Fix command injection vulnerability      |
|                          | [CVE-2020-8130]                          |
|                          |                                          |
| roundcube [61]           | Fix cross-site scripting issue via HTML  |
|                          | messages with malicious svg/namespace    |
|                          | [CVE-2020-15562]                         |
|                          |                                          |
| ruby-json [62]           | Fix unsafe object creation vulnerability |
|                          | [CVE-2020-10663]                         |
|                          |                                          |
| ruby2.3 [63]             | Fix unsafe object creation vulnerability |
|                          | [CVE-2020-10663]                         |
|                          |                                          |
| sendmail [64]            | Fix finding the queue runner control     |
|                          | process in  "split daemon"  mode,        |
|                          | "NOQUEUE: connect from (null)" , removal |
|                          | failure when using BTRFS                 |
|                          |                                          |
| sogo-connector [65]      | New upstream version, compatible with    |
|                          | newer Thunderbird versions               |
|                          |                                          |
| ssvnc [66]               | Fix out-of-bounds write [CVE-2018-       |
|                          | 20020], infinite loop [CVE-2018-20021],  |
|                          | improper initialisation [CVE-2018-       |
|                          | 20022], potential denial-of-service      |
|                          | [CVE-2018-20024]                         |
|                          |                                          |
| storebackup [67]         | Fix possible privilege escalation        |
|                          | vulnerability [CVE-2020-7040]            |
|                          |                                          |
| swt-gtk [68]             | Fix missing dependency on                |
|                          | libwebkitgtk-1.0-0                       |
|                          |                                          |
| tinyproxy [69]           | Create PID file before dropping          |
|                          | privileges to non-root account           |
|                          | [CVE-2017-11747]                         |
|                          |                                          |
| tzdata [70]              | New upstream stable release              |
|                          |                                          |
| websockify [71]          | Fix missing dependency on python{3,}-    |
|                          | pkg-resources                            |
|                          |                                          |
| wpa [72]                 | Fix AP mode PMF disconnection protection |
|                          | bypass [CVE-2019-16275]; fix MAC         |
|                          | randomisation issues with some cards     |
|                          |                                          |
| xdg-utils [73]           | Sanitise window name before sending it   |
|                          | over D-Bus; correctly handle directories |
|                          | with names containing spaces; create the |
|                          | "applications"  directory if needed      |
|                          |                                          |
| xml-security-c [74]      | Fix length calculation in the concat     |
|                          | method                                   |
|                          |                                          |
| xtrlock [75]             | Fix blocking of (some) multitouch        |
|                          | devices while locked [CVE-2016-10894]    |
|                          |                                          |
+--------------------------+------------------------------------------+


Security Updates
----------------

This revision adds the following security updates to the oldstable
release. The Security Team has already released an advisory for each of
these updates:

+----------------+----------------------------+
| Advisory ID    | Package                    |
+----------------+----------------------------+
| DSA-4005 [76]  | openjfx [77]               |
|                |                            |
| DSA-4255 [78]  | ant [79]                   |
|                |                            |
| DSA-4352 [80]  | chromium-browser [81]      |
|                |                            |
| DSA-4379 [82]  | golang-1.7 [83]            |
|                |                            |
| DSA-4380 [84]  | golang-1.8 [85]            |
|                |                            |
| DSA-4395 [86]  | chromium [87]              |
|                |                            |
| DSA-4421 [88]  | chromium [89]              |
|                |                            |
| DSA-4616 [90]  | qemu [91]                  |
|                |                            |
| DSA-4617 [92]  | qtbase-opensource-src [93] |
|                |                            |
| DSA-4618 [94]  | libexif [95]               |
|                |                            |
| DSA-4619 [96]  | libxmlrpc3-java [97]       |
|                |                            |
| DSA-4620 [98]  | firefox-esr [99]           |
|                |                            |
| DSA-4621 [100] | openjdk-8 [101]            |
|                |                            |
| DSA-4622 [102] | postgresql-9.6 [103]       |
|                |                            |
| DSA-4624 [104] | evince [105]               |
|                |                            |
| DSA-4625 [106] | thunderbird [107]          |
|                |                            |
| DSA-4628 [108] | php7.0 [109]               |
|                |                            |
| DSA-4629 [110] | python-django [111]        |
|                |                            |
| DSA-4630 [112] | python-pysaml2 [113]       |
|                |                            |
| DSA-4631 [114] | pillow [115]               |
|                |                            |
| DSA-4632 [116] | ppp [117]                  |
|                |                            |
| DSA-4633 [118] | curl [119]                 |
|                |                            |
| DSA-4634 [120] | opensmtpd [121]            |
|                |                            |
| DSA-4635 [122] | proftpd-dfsg [123]         |
|                |                            |
| DSA-4637 [124] | network-manager-ssh [125]  |
|                |                            |
| DSA-4639 [126] | firefox-esr [127]          |
|                |                            |
| DSA-4640 [128] | graphicsmagick [129]       |
|                |                            |
| DSA-4642 [130] | thunderbird [131]          |
|                |                            |
| DSA-4646 [132] | icu [133]                  |
|                |                            |
| DSA-4647 [134] | bluez [135]                |
|                |                            |
| DSA-4648 [136] | libpam-krb5 [137]          |
|                |                            |
| DSA-4650 [138] | qbittorrent [139]          |
|                |                            |
| DSA-4653 [140] | firefox-esr [141]          |
|                |                            |
| DSA-4655 [142] | firefox-esr [143]          |
|                |                            |
| DSA-4656 [144] | thunderbird [145]          |
|                |                            |
| DSA-4657 [146] | git [147]                  |
|                |                            |
| DSA-4659 [148] | git [149]                  |
|                |                            |
| DSA-4660 [150] | awl [151]                  |
|                |                            |
| DSA-4663 [152] | python-reportlab [153]     |
|                |                            |
| DSA-4664 [154] | mailman [155]              |
|                |                            |
| DSA-4666 [156] | openldap [157]             |
|                |                            |
| DSA-4668 [158] | openjdk-8 [159]            |
|                |                            |
| DSA-4670 [160] | tiff [161]                 |
|                |                            |
| DSA-4671 [162] | vlc [163]                  |
|                |                            |
| DSA-4673 [164] | tomcat8 [165]              |
|                |                            |
| DSA-4674 [166] | roundcube [167]            |
|                |                            |
| DSA-4675 [168] | graphicsmagick [169]       |
|                |                            |
| DSA-4676 [170] | salt [171]                 |
|                |                            |
| DSA-4677 [172] | wordpress [173]            |
|                |                            |
| DSA-4678 [174] | firefox-esr [175]          |
|                |                            |
| DSA-4683 [176] | thunderbird [177]          |
|                |                            |
| DSA-4685 [178] | apt [179]                  |
|                |                            |
| DSA-4686 [180] | apache-log4j1.2 [181]      |
|                |                            |
| DSA-4687 [182] | exim4 [183]                |
|                |                            |
| DSA-4688 [184] | dpdk [185]                 |
|                |                            |
| DSA-4689 [186] | bind9 [187]                |
|                |                            |
| DSA-4692 [188] | netqmail [189]             |
|                |                            |
| DSA-4693 [190] | drupal7 [191]              |
|                |                            |
| DSA-4695 [192] | firefox-esr [193]          |
|                |                            |
| DSA-4698 [194] | linux [195]                |
|                |                            |
| DSA-4700 [196] | roundcube [197]            |
|                |                            |
| DSA-4701 [198] | intel-microcode [199]      |
|                |                            |
| DSA-4702 [200] | thunderbird [201]          |
|                |                            |
| DSA-4703 [202] | mysql-connector-java [203] |
|                |                            |
| DSA-4704 [204] | vlc [205]                  |
|                |                            |
| DSA-4705 [206] | python-django [207]        |
|                |                            |
| DSA-4706 [208] | drupal7 [209]              |
|                |                            |
| DSA-4707 [210] | mutt [211]                 |
|                |                            |
| DSA-4711 [212] | coturn [213]               |
|                |                            |
| DSA-4713 [214] | firefox-esr [215]          |
|                |                            |
| DSA-4715 [216] | imagemagick [217]          |
|                |                            |
| DSA-4717 [218] | php7.0 [219]               |
|                |                            |
| DSA-4718 [220] | thunderbird [221]          |
|                |                            |
+----------------+----------------------------+

 

Removed packages
----------------

The following packages were removed due to circumstances beyond our
control:

+------------------------------+---------------------------------------+
| Package                      | Reason                                |
+------------------------------+---------------------------------------+
| certificatepatrol [222]      | Incompatible with newer Firefox ESR   |
|                              | versions                              |
|                              |                                       |
| colorediffs-extension [223]  | Incompatible with newer Thunderbird   |
|                              | versions                              |
|                              |                                       |
| dynalogin [224]              | Depends on to-be-removed simpleid     |
|                              |                                       |
| enigmail [225]               | Incompatible with newer Thunderbird   |
|                              | versions                              |
|                              |                                       |
| firefox-esr [226]            | [armel] No longer supported (requires |
|                              | nodejs)                               |
|                              |                                       |
| firefox-esr [226]            | [mips mipsel mips64el] No longer      |
|                              | supported (needs newer rustc)         |
|                              |                                       |
| getlive [227]                | Broken due to Hotmail changes         |
|                              |                                       |
| gplaycli [228]               | Broken by Google API changes          |
|                              |                                       |
| kerneloops [229]             | Upstream service no longer available  |
|                              |                                       |
| libmicrodns [230]            | Security issues                       |
|                              |                                       |
| libperlspeak-perl [231]      | Security issues; unmaintained         |
|                              |                                       |
| mathematica-fonts [232]      | Relies on unavailable download        |
|                              | location                              |
|                              |                                       |
| pdns-recursor [233]          | Security issues; unsupported          |
|                              |                                       |
| predictprotein [234]         | Depends on to-be-removed profphd      |
|                              |                                       |
| profphd [235]                | Unusable                              |
|                              |                                       |
| quotecolors [236]            | Incompatible with newer Thunderbird   |
|                              | versions                              |
|                              |                                       |
| selenium-firefoxdriver [237] | Incompatible with newer Firefox ESR   |
|                              | versions                              |
|                              |                                       |
| simpleid [238]               | Does not work with PHP7               |
|                              |                                       |
| simpleid-ldap [239]          | Depends on to-be-removed simpleid     |
|                              |                                       |
| torbirdy [240]               | Incompatible with newer Thunderbird   |
|                              | versions                              |
|                              |                                       |
| weboob [241]                 | Unmaintained; already removed from    |
|                              | later releases                        |
|                              |                                       |
| yahoo2mbox [242]             | Broken for several years              |
|                              |                                       |
+------------------------------+---------------------------------------+

 

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
oldstable by the point release.


URLs
----

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/stretch/ChangeLog


The current oldstable distribution:

http://ftp.debian.org/debian/dists/oldstable/

 

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4728-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 19, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qemu
CVE ID         : CVE-2020-10756 CVE-2020-13361 CVE-2020-13362 
                 CVE-2020-13754 CVE-2020-13659
Debian Bug     : 964247 961887 961887 961888

Multiple security issues were discovered in QEMU, a fast processor
emulator, which could result in denial of service.

For the stable distribution (buster), these problems have been fixed in
version 1:3.1+dfsg-8+deb10u6.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4729-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 19, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libopenmpt
CVE ID         : CVE-2019-14380 CVE-2019-17113

Two security issues were found in libopenmpt, a cross-platform C++ and
C library to decode tracked music files, which could result in denial of
service and potentially the execution of arbitrary code if malformed
music files are processed.

For the stable distribution (buster), these problems have been fixed in
version 0.4.3-1+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4730-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 19, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby-sanitize
CVE ID         : CVE-2020-4054
Debian Bug     : 963808

Michal Bentkowski discovered that ruby-sanitize, a whitelist-based HTML
sanitizer, is prone to an HTML sanitization bypass vulnerability when
using the "relaxed" or a custom config allowing certain elements.
Content in a <math> or <svg> element may not be sanitized correctly even
if math and svg are not in the allowlist.

For the stable distribution (buster), this problem has been fixed in
version 4.6.6-2.1~deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4731-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 19, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : redis
CVE ID         : CVE-2020-14147

An integer overflow flaw leading to a stack-based buffer overflow was
discovered in redis, a persistent key-value database. A remote attacker
can use this flaw to cause a denial of service (application crash).

For the stable distribution (buster), this problem has been fixed in
version 5:5.0.3-4+deb10u2.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4732-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 21, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : squid
CVE ID         : CVE-2019-18860 CVE-2020-1504

Two security issues were discovered in the Squid proxy caching
server, which could result in cache poisoning, request smuggling
and incomplete validation of hostnames in cachemgr.cgi.

For the stable distribution (buster), these problems have been fixed in
version 4.6-1+deb10u3.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4733-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 24, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qemu
CVE ID         : CVE-2020-8608
Debian Bug     : 964793

It was discovered that incorrect memory handling in the SLIRP networking
implementation could result in denial of service or potentially the
execution of arbitrary code.

For the stable distribution (buster), this problem has been fixed in
version 1:3.1+dfsg-8+deb10u7. In addition this update fixes a regression
caused by the patch for CVE-2020-13754, which could lead to startup
failures in some Xen setups.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4734-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 26, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-11
CVE ID         : CVE-2020-14556 CVE-2020-14562 CVE-2020-14573 CVE-2020-14577 
                 CVE-2020-14578 CVE-2020-14579 CVE-2020-14581 CVE-2020-14583 
                 CVE-2020-14593 CVE-2020-14621

Several vulnerabilities have been discovered in the OpenJDK Java runtime,
resulting in denial of service, bypass of access/sandbox restrictions or
information disclosure.

For the stable distribution (buster), these problems have been fixed in
version 11.0.8+10-1~deb10u1.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4735-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
July 29, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : grub2
CVE ID         : CVE-2020-10713 CVE-2020-14308 CVE-2020-14309 CVE-2020-14310
                 CVE-2020-14311 CVE-2020-15706 CVE-2020-15707

Several vulnerabilities have been discovered in the GRUB2 bootloader.

CVE-2020-10713

    A flaw was found in the grub.cfg parsing code that allows breaking
    UEFI Secure Boot and loading arbitrary code. Details can be found at
    https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/

CVE-2020-14308

    It was discovered that grub_malloc does not validate the allocation
    size allowing for arithmetic overflow and subsequently a heap-based
    buffer overflow.

CVE-2020-14309

    An integer overflow in grub_squash_read_symlink may lead to a heap-
    based buffer overflow.

CVE-2020-14310

    An integer overflow in read_section_from_string may lead to a heap-
    based buffer overflow.

CVE-2020-14311

    An integer overflow in grub_ext2_read_link may lead to a heap-based
    buffer overflow.

CVE-2020-15706

    script: Avoid a use-after-free when redefining a function during
    execution.

CVE-2020-15707

    An integer overflow flaw was found in the initrd size handling.

Further detailed information can be found at
https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot

For the stable distribution (buster), these problems have been fixed in
version 2.02+dfsg1-20+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4736-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 29, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2020-6463 CVE-2020-6514 CVE-2020-15652 CVE-2020-15659

Multiple security issues have been found in the Mozilla Firefox
web browser, which could potentially result in the execution of
arbitrary code or an information leak.

For the stable distribution (buster), these problems have been fixed in
version 68.11.0esr-1~deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4737-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 29, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xrdp
CVE ID         : CVE-2020-4044
Debian Bug     : 964573

Ashley Newson discovered that the XRDP sessions manager was susceptible
to denial of service. A local attacker can further take advantage of
this flaw to impersonate the XRDP sessions manager and capture any user
credentials that are submitted to XRDP, approve or reject arbitrary
login credentials or to hijack existing sessions for xorgxrdp sessions.

For the stable distribution (buster), this problem has been fixed in
version 0.9.9-1+deb10u1.

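The four integer-overflow entries in DSA-4735-1 (grub_malloc, the squashfs and ext2 symlink readers, and the initrd size handling) share one pattern: a size derived from untrusted input goes into arithmetic that wraps before anyone checks that it fits, so the heap block ends up smaller than the data later written into it. The following C block is an added illustration, not GRUB code; HDR_SIZE and every function name in it are constructed for the example, and it sets the unchecked size computation beside checked variants.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not GRUB code. Models the bug class behind the
 * integer-overflow entries in DSA-4735-1: a size taken from untrusted
 * input (a length field in a filesystem image, a symlink size, an initrd
 * size) feeds arithmetic that wraps, so the allocation is far smaller
 * than the data later copied into it. HDR_SIZE and all function names
 * here are constructed for illustration.
 */
#define HDR_SIZE 16u   /* hypothetical per-block bookkeeping header */

/* Vulnerable pattern: requested + HDR_SIZE silently wraps for large inputs,
 * e.g. SIZE_MAX yields HDR_SIZE - 1, a tiny block the caller then overruns. */
size_t unchecked_alloc_size(size_t requested)
{
    return requested + HDR_SIZE;
}

/* Fixed pattern: prove the sum fits before computing it; 0 signals overflow. */
size_t checked_alloc_size(size_t requested)
{
    if (requested > SIZE_MAX - HDR_SIZE)
        return 0;
    return requested + HDR_SIZE;
}

/* Companion check for count * element_size products (a symlink or section
 * read of n entries of elem bytes each). Returns 1 if the product would wrap. */
int mul_overflows(size_t n, size_t elem)
{
    return elem != 0 && n > SIZE_MAX / elem;
}

/* Allocate a block with room for `requested` payload bytes behind a header,
 * returning NULL for sizes that cannot be represented instead of
 * under-allocating. */
void *safe_alloc(size_t requested)
{
    size_t total = checked_alloc_size(requested);
    if (total == 0)
        return NULL;
    unsigned char *block = malloc(total);
    if (block == NULL)
        return NULL;
    memset(block, 0, HDR_SIZE);          /* header sits before the payload */
    return block + HDR_SIZE;
}

void safe_free(void *payload)
{
    if (payload != NULL)
        free((unsigned char *)payload - HDR_SIZE);
}

/* Allocates, fills and frees `n` payload bytes; returns 1 on success and
 * 0 when the allocation was refused, so a caller can tell the two apart. */
int alloc_roundtrip(size_t n)
{
    unsigned char *p = safe_alloc(n);
    if (p == NULL)
        return 0;
    memset(p, 0xAB, n);                  /* safe: the block really has n bytes */
    safe_free(p);
    return 1;
}
```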
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4735-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 30, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : grub2
Debian Bug     : 966554

The update for grub2 released as DSA 4735-1 caused a boot regression
when chainloading another bootloader, notably breaking dual-boot with
Windows. Updated grub2 packages are now available to correct this issue.

For the stable distribution (buster), this problem has been fixed in
version 2.02+dfsg1-20+deb10u2.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4738-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 31, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ark
CVE ID         : CVE-2020-16116

Dominik Penner discovered that the Ark archive manager did not sanitise
extraction paths, which could result in maliciously crafted archives
writing outside the extraction directory.

For the stable distribution (buster), this problem has been fixed in
version 4:18.08.3-1+deb10u1.

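DSA-4738-1 describes the archive path-traversal class: a member name taken from the archive is used as-is when building the output path, so a crafted name can land a file outside the extraction directory. As an added example (not Ark's code; the function names and sample member names are constructed), the C routine below validates a member name lexically before it is joined to the extraction root, refusing absolute paths, drive-letter and backslash paths, and any ".." sequence that would climb above the root.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not Ark's code. Archive member names come straight from
 * an untrusted file, so they are validated lexically before being joined
 * to the extraction root. Rejected: empty names, absolute paths, backslash
 * separators, "C:" style drive prefixes, and any ".." that would resolve
 * above the extraction directory. Symlinked members need a separate check
 * at extraction time; this function only inspects the name itself.
 */
bool member_path_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (name[0] == '/' || strchr(name, '\\') != NULL)
        return false;                 /* absolute path or Windows separators */
    if (strlen(name) >= 2 && name[1] == ':')
        return false;                 /* drive-letter prefix such as "C:" */

    /* Walk the components and track depth: ".." must never take the
     * depth below zero, and the final path must not be the root itself. */
    int depth = 0;
    const char *p = name;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return false;         /* climbs above the extraction root */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;                  /* "" and "." do not change depth */
        }
        if (end == NULL)
            break;
        p = end + 1;
    }
    return depth > 0;
}

/* Joins root and name into out only when the name passed validation.
 * Returns false if the name is unsafe or the result would not fit. */
bool safe_join(const char *root, const char *name, char *out, size_t outsz)
{
    if (!member_path_is_safe(name))
        return false;
    int n = snprintf(out, outsz, "%s/%s", root, name);
    return n >= 0 && (size_t)n < outsz;
}

/* Constructed sample member names, as an archive might carry them. */
int main(void)
{
    const char *samples[] = {
        "docs/readme.txt", "a/../b", "./x/./y",      /* stay inside root */
        "../etc/passwd", "a/../../x", "/etc/passwd", /* escape attempts */
        "..\\x", "C:/x", ".",
    };
    char out[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool ok = safe_join("/tmp/extract", samples[i], out, sizeof out);
        printf("%-16s -> %s\n", samples[i], ok ? out : "REJECTED");
    }
    return 0;
}
```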
sunrat
------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 10: 10.5 released                        press@debian.org
August 1st, 2020               https://www.debian.org/News/2020/20200801
------------------------------------------------------------------------


The Debian project is pleased to announce the fifth update of its stable
distribution Debian 10 (codename "buster"). This point release mainly
adds corrections for security issues, along with a few adjustments for
serious problems. Security advisories have already been published
separately and are referenced where available.

This point release also addresses Debian Security Advisory: DSA-4735-1
grub2 -- security update [1] which covers multiple CVE issues regarding
the GRUB2 UEFI SecureBoot 'BootHole' vulnerability [2].

    1: https://www.debian.org/security/2020/dsa-4735
    2: https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot/

Please note that the point release does not constitute a new version of
Debian 10 but only updates some of the packages included. There is no
need to throw away old "buster" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list



Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

+---------------------------+------------------------------------------+
| Package                   | Reason                                   |
+---------------------------+------------------------------------------+
| appstream-glib [3]        | Fix build failures in 2020 and later     |
|                           |                                          |
| asunder [4]               | Use gnudb instead of freedb by default   |
|                           |                                          |
| b43-fwcutter [5]          | Ensure removal succeeds under non-       |
|                           | English locales; do not fail removal if  |
|                           | some files no longer exist; fix missing  |
|                           | dependencies on pciutils and ca-         |
|                           | certificates                             |
|                           |                                          |
| balsa [6]                 | Provide server identity when validating  |
|                           | certificates, allowing successful        |
|                           | validation when using the glib-          |
|                           | networking patch for CVE-2020-13645      |
|                           |                                          |
| base-files [7]            | Update for the point release             |
|                           |                                          |
| batik [8]                 | Fix server-side request forgery via      |
|                           | xlink:href attributes [CVE-2019-17566]   |
|                           |                                          |
| borgbackup [9]            | Fix index corruption bug leading to data |
|                           | loss                                     |
|                           |                                          |
| bundler [10]              | Update required version of ruby-         |
|                           | molinillo                                |
|                           |                                          |
| c-icap-modules [11]       | Add support for ClamAV 0.102             |
|                           |                                          |
| cacti [12]                | Fix issue where UNIX timestamps after    |
|                           | September 13th 2020 were rejected as     |
|                           | graph start / end; fix remote code       |
|                           | execution [CVE-2020-7237], cross-site    |
|                           | scripting [CVE-2020-7106], CSRF issue    |
|                           | [CVE-2020-13231]; disabling a user       |
|                           | account does not immediately invalidate  |
|                           | permissions [CVE-2020-13230]             |
|                           |                                          |
| calamares-settings-       | Enable displaymanager module, fixing     |
| debian [13]               | autologin options; use xdg-user-dir to   |
|                           | specify Desktop directory                |
|                           |                                          |
| clamav [14]               | New upstream release; security fixes     |
|                           | [CVE-2020-3327 CVE-2020-3341 CVE-2020-   |
|                           | 3350 CVE-2020-3327 CVE-2020-3481]        |
|                           |                                          |
| cloud-init [15]           | New upstream release                     |
|                           |                                          |
| commons-                  | Prevent object creation when loading     |
| configuration2 [16]       | YAML files [CVE-2020-1953]               |
|                           |                                          |
| confget [17]              | Fix the Python module's handling of      |
|                           | values containing  "="                   |
|                           |                                          |
| dbus [18]                 | New upstream stable release; prevent a   |
|                           | denial of service issue [CVE-2020-       |
|                           | 12049]; prevent use-after-free if two    |
|                           | usernames share a uid                    |
|                           |                                          |
| debian-edu-config [19]    | Fix loss of dynamically allocated IPv4   |
|                           | address                                  |
|                           |                                          |
| debian-installer [20]     | Update Linux ABI to 4.19.0-10            |
|                           |                                          |
| debian-installer-netboot- | Rebuild against proposed-updates         |
| images [21]               |                                          |
|                           |                                          |
| debian-ports-archive-     | Increase the expiration date of the 2020 |
| keyring [22]              | key (84C573CD4E1AFD6C) by one year; add  |
|                           | Debian Ports Archive Automatic Signing   |
|                           | Key (2021); move the 2018 key (ID:       |
|                           | 06AED62430CB581C) to the removed keyring |
|                           |                                          |
| debian-security-          | Update support status of several         |
| support [23]              | packages                                 |
|                           |                                          |
| dpdk [24]                 | New upstream release                     |
|                           |                                          |
| exiv2 [25]                | Adjust overly restrictive security patch |
|                           | [CVE-2018-10958 and CVE-2018-10999]; fix |
|                           | denial of service issue [CVE-2018-16336] |
|                           |                                          |
| fdroidserver [26]         | Fix Litecoin address validation          |
|                           |                                          |
| file-roller [27]          | Security fix [CVE-2020-11736]            |
|                           |                                          |
| freerdp2 [28]             | Fix smartcard logins; security fixes     |
|                           | [CVE-2020-11521 CVE-2020-11522 CVE-2020- |
|                           | 11523 CVE-2020-11524 CVE-2020-11525      |
|                           | CVE-2020-11526]                          |
|                           |                                          |
| fwupd [29]                | New upstream release; fix possible       |
|                           | signature verification issue [CVE-2020-  |
|                           | 10759]; use rotated Debian signing keys  |
|                           |                                          |
| fwupd-amd64-signed [30]   | New upstream release; fix possible       |
|                           | signature verification issue [CVE-2020-  |
|                           | 10759]; use rotated Debian signing keys  |
|                           |                                          |
| fwupd-arm64-signed [31]   | New upstream release; fix possible       |
|                           | signature verification issue [CVE-2020-  |
|                           | 10759]; use rotated Debian signing keys  |
|                           |                                          |
| fwupd-armhf-signed [32]   | New upstream release; fix possible       |
|                           | signature verification issue [CVE-2020-  |
|                           | 10759]; use rotated Debian signing keys  |
|                           |                                          |
| fwupd-i386-signed [33]    | New upstream release; fix possible       |
|                           | signature verification issue [CVE-2020-  |
|                           | 10759]; use rotated Debian signing keys  |
|                           |                                          |
| fwupdate [34]             | Use rotated Debian signing keys          |
|                           |                                          |
| fwupdate-amd64-           | Use rotated Debian signing keys          |
| signed [35]               |                                          |
|                           |                                          |
| fwupdate-arm64-           | Use rotated Debian signing keys          |
| signed [36]               |                                          |
|                           |                                          |
| fwupdate-armhf-           | Use rotated Debian signing keys          |
| signed [37]               |                                          |
|                           |                                          |
| fwupdate-i386-signed [38] | Use rotated Debian signing keys          |
|                           |                                          |
| gist [39]                 | Avoid deprecated authorization API       |
|                           |                                          |
| glib-networking [40]      | Return bad identity error if identity is |
|                           | unset [CVE-2020-13645]; break balsa      |
|                           | older than 2.5.6-2+deb10u1 as the fix    |
|                           | for CVE-2020-13645 breaks balsa's        |
|                           | certificate verification                 |
|                           |                                          |
| gnutls28 [41]             | Fix TLS1.2 resumption errors; fix memory |
|                           | leak; handle zero length session         |
|                           | tickets, fixing connection errors on     |
|                           | TLS1.2 sessions to some big hosting      |
|                           | providers; fix verification error with   |
|                           | alternate chains                         |
|                           |                                          |
| intel-microcode [42]      | Downgrade some microcodes to previously  |
|                           | issued versions, working around hangs on |
|                           | boot on Skylake-U/Y and Skylake Xeon E3  |
|                           |                                          |
| jackson-databind [43]     | Fix multiple security issues affecting   |
|                           | BeanDeserializerFactory [CVE-2020-9548   |
|                           | CVE-2020-9547 CVE-2020-9546 CVE-2020-    |
|                           | 8840 CVE-2020-14195 CVE-2020-14062       |
|                           | CVE-2020-14061 CVE-2020-14060 CVE-2020-  |
|                           | 11620 CVE-2020-11619 CVE-2020-11113      |
|                           | CVE-2020-11112 CVE-2020-11111 CVE-2020-  |
|                           | 10969 CVE-2020-10968 CVE-2020-10673      |
|                           | CVE-2020-10672 CVE-2019-20330 CVE-2019-  |
|                           | 17531 and CVE-2019-17267]                |
|                           |                                          |
| jameica [44]              | Add mckoisqldb to classpath, allowing    |
|                           | use of SynTAX plugin                     |
|                           |                                          |
| jigdo [45]                | Fix HTTPS support in jigdo-lite and      |
|                           | jigdo-mirror                             |
|                           |                                          |
| ksh [46]                  | Fix environment variable restriction     |
|                           | issue [CVE-2019-14868]                   |
|                           |                                          |
| lemonldap-ng [47]         | Fix nginx configuration regression       |
|                           | introduced by the fix for CVE-2019-19791 |
|                           |                                          |
| libapache-mod-jk [48]     | Rename Apache configuration file so it   |
|                           | can be automatically enabled and         |
|                           | disabled                                 |
|                           |                                          |
| libclamunrar [49]         | New upstream stable release; add an      |
|                           | unversioned meta-package                 |
|                           |                                          |
| libembperl-perl [50]      | Handle error pages from Apache >= 2.4.40 |
|                           |                                          |
| libexif [51]              | Security fixes [CVE-2020-12767 CVE-2020- |
|                           | 0093 CVE-2020-13112 CVE-2020-13113       |
|                           | CVE-2020-13114]; fix buffer overflow     |
|                           | [CVE-2020-0182] and integer overflow     |
|                           | [CVE-2020-0198]                          |
|                           |                                          |
| libinput [52]             | Quirks: add trackpoint integration       |
|                           | attribute                                |
|                           |                                          |
| libntlm [53]              | Fix buffer overflow [CVE-2019-17455]     |
|                           |                                          |
| libpam-radius-auth [54]   | Fix buffer overflow in password field    |
|                           | [CVE-2015-9542]                          |
|                           |                                          |
| libunwind [55]            | Fix segfaults on mips; manually enable   |
|                           | C++ exception support only on i386 and   |
|                           | amd64                                    |
|                           |                                          |
| libyang [56]              | Fix cache corruption crash, CVE-2019-    |
|                           | 19333, CVE-2019-19334                    |
|                           |                                          |
| linux [57]                | New upstream stable release              |
|                           |                                          |
| linux-latest [58]         | Update for 4.19.0-10 kernel ABI          |
|                           |                                          |
| linux-signed-amd64 [59]   | New upstream stable release              |
|                           |                                          |
| linux-signed-arm64 [60]   | New upstream stable release              |
|                           |                                          |
| linux-signed-i386 [61]    | New upstream stable release              |
|                           |                                          |
| lirc [62]                 | Fix conffile management                  |
|                           |                                          |
| mailutils [63]            | maidag: drop setuid privileges for all   |
|                           | delivery operations but mda [CVE-2019-   |
|                           | 18862]                                   |
|                           |                                          |
| mariadb-10.3 [64]         | New upstream stable release; security    |
|                           | fixes [CVE-2020-2752 CVE-2020-2760       |
|                           | CVE-2020-2812 CVE-2020-2814 CVE-2020-    |
|                           | 13249]; fix regression in RocksDB ZSTD   |
|                           | detection                                |
|                           |                                          |
| mod-gnutls [65]           | Fix a possible segfault on failed TLS    |
|                           | handshake; fix test failures             |
|                           |                                          |
| multipath-tools [66]      | kpartx: use correct path to partx in     |
|                           | udev rule                                |
|                           |                                          |
| mutt [67]                 | Don't check IMAP PREAUTH encryption if   |
|                           | $tunnel is in use                        |
|                           |                                          |
| mydumper [68]             | Link against libm                        |
|                           |                                          |
| nfs-utils [69]            | statd: take user-id from /var/lib/nfs/sm |
|                           | [CVE-2019-3689]; don't make /var/lib/nfs |
|                           | owned by statd                           |
|                           |                                          |
| nginx [70]                | Fix error page request smuggling         |
|                           | vulnerability [CVE-2019-20372]           |
|                           |                                          |
| nmap [71]                 | Update default key size to 2048 bits     |
|                           |                                          |
| node-dot-prop [72]        | Fix regression introduced in CVE-2020-   |
|                           | 8116 fix                                 |
|                           |                                          |
| node-handlebars [73]      | Disallow calling  "helperMissing"  and   |
|                           | "blockHelperMissing"  directly           |
|                           | [CVE-2019-19919]                         |
|                           |                                          |
| node-minimist [74]        | Fix prototype pollution [CVE-2020-7598]  |
|                           |                                          |
| nvidia-graphics-          | New upstream stable release; security    |
| drivers [75]              | fixes [CVE-2020-5963 CVE-2020-5967]      |
|                           |                                          |
| nvidia-graphics-drivers-  | New upstream stable release; security    |
| legacy-390xx [76]         | fixes [CVE-2020-5963 CVE-2020-5967]      |
|                           |                                          |
| openstack-debian-         | Install resolvconf if installing cloud-  |
| images [77]               | init                                     |
|                           |                                          |
| pagekite [78]             | Avoid issues with expiry of shipped SSL  |
|                           | certificates by using those from the ca- |
|                           | certificates package                     |
|                           |                                          |
| pdfchain [79]             | Fix crash at startup                     |
|                           |                                          |
| perl [80]                 | Fix multiple regular expression related  |
|                           | security issues [CVE-2020-10543          |
|                           | CVE-2020-10878 CVE-2020-12723]           |
|                           |                                          |
| php-horde [81]            | Fix cross-site scripting vulnerability   |
|                           | [CVE-2020-8035]                          |
|                           |                                          |
| php-horde-gollem [82]     | Fix cross-site scripting vulnerability   |
|                           | in breadcrumb output [CVE-2020-8034]     |
|                           |                                          |
| pillow [83]               | Fix multiple out-of-bounds read issues   |
|                           | [CVE-2020-11538 CVE-2020-10378 CVE-2020- |
|                           | 10177]                                   |
|                           |                                          |
| policyd-rate-limit [84]   | Fix issues in accounting due to socket   |
|                           | reuse                                    |
|                           |                                          |
| postfix [85]              | New upstream stable release; fix         |
|                           | segfault in the tlsproxy client role     |
|                           | when the server role was disabled; fix   |
|                           | "maillog_file_rotate_suffix default      |
|                           | value used the minute instead of the     |
|                           | month" ; fix several TLS related issues; |
|                           | README.Debian fixes                      |
|                           |                                          |
| python-markdown2 [86]     | Fix cross-site scripting issue           |
|                           | [CVE-2020-11888]                         |
|                           |                                          |
| python3.7 [87]            | Avoid infinite loop when reading         |
|                           | specially crafted TAR files using the    |
|                           | tarfile module [CVE-2019-20907]; resolve |
|                           | hash collisions for IPv4Interface and    |
|                           | IPv6Interface [CVE-2020-14422]; fix      |
|                           | denial of service issue in               |
|                           | urllib.request.AbstractBasicAuthHandler  |
|                           | [CVE-2020-8492]                          |
|                           |                                          |
| qdirstat [88]             | Fix saving of user-configured MIME       |
|                           | categories                               |
|                           |                                          |
| raspi3-firmware [89]      | Fix typo that could lead to unbootable   |
|                           | systems                                  |
|                           |                                          |
| resource-agents [90]      | IPsrcaddr: make  "proto"  optional to    |
|                           | fix regression when used without         |
|                           | NetworkManager                           |
|                           |                                          |
| ruby-json [91]            | Fix unsafe object creation vulnerability |
|                           | [CVE-2020-10663]                         |
|                           |                                          |
| shim [92]                 | Use rotated Debian signing keys          |
|                           |                                          |
| shim-helpers-amd64-       | Use rotated Debian signing keys          |
| signed [93]               |                                          |
|                           |                                          |
| shim-helpers-arm64-       | Use rotated Debian signing keys          |
| signed [94]               |                                          |
|                           |                                          |
| shim-helpers-i386-        | Use rotated Debian signing keys          |
| signed [95]               |                                          |
|                           |                                          |
| speedtest-cli [96]        | Pass correct headers to fix upload speed |
|                           | test                                     |
|                           |                                          |
| ssvnc [97]                | Fix out-of-bounds write [CVE-2018-       |
|                           | 20020], infinite loop [CVE-2018-20021],  |
|                           | improper initialisation [CVE-2018-       |
|                           | 20022], potential denial-of-service      |
|                           | [CVE-2018-20024]                         |
|                           |                                          |
| storebackup [98]          | Fix possible privilege escalation        |
|                           | vulnerability [CVE-2020-7040]            |
|                           |                                          |
| suricata [99]             | Fix dropping privileges in nflog runmode |
|                           |                                          |
| tigervnc [100]            | Don't use libunwind on armel, armhf or   |
|                           | arm64                                    |
|                           |                                          |
| transmission [101]        | Fix possible denial of service issue     |
|                           | [CVE-2018-10756]                         |
|                           |                                          |
| wav2cdr [102]             | Use C99 fixed-size integer types to fix  |
|                           | runtime assertion on 64bit architectures |
|                           | other than amd64 and alpha               |
|                           |                                          |
| zipios++ [103]            | Security fix [CVE-2019-13453]            |
|                           |                                          |
+---------------------------+------------------------------------------+

 

Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+----------------+-----------------------------+
| Advisory ID    | Package                     |
+----------------+-----------------------------+
| DSA-4626 [104] | php7.3 [105]                |
|                |                             |
| DSA-4674 [106] | roundcube [107]             |
|                |                             |
| DSA-4675 [108] | graphicsmagick [109]        |
|                |                             |
| DSA-4676 [110] | salt [111]                  |
|                |                             |
| DSA-4677 [112] | wordpress [113]             |
|                |                             |
| DSA-4678 [114] | firefox-esr [115]           |
|                |                             |
| DSA-4679 [116] | keystone [117]              |
|                |                             |
| DSA-4680 [118] | tomcat9 [119]               |
|                |                             |
| DSA-4681 [120] | webkit2gtk [121]            |
|                |                             |
| DSA-4682 [122] | squid [123]                 |
|                |                             |
| DSA-4683 [124] | thunderbird [125]           |
|                |                             |
| DSA-4684 [126] | libreswan [127]             |
|                |                             |
| DSA-4685 [128] | apt [129]                   |
|                |                             |
| DSA-4686 [130] | apache-log4j1.2 [131]       |
|                |                             |
| DSA-4687 [132] | exim4 [133]                 |
|                |                             |
| DSA-4688 [134] | dpdk [135]                  |
|                |                             |
| DSA-4689 [136] | bind9 [137]                 |
|                |                             |
| DSA-4690 [138] | dovecot [139]               |
|                |                             |
| DSA-4691 [140] | pdns-recursor [141]         |
|                |                             |
| DSA-4692 [142] | netqmail [143]              |
|                |                             |
| DSA-4694 [144] | unbound [145]               |
|                |                             |
| DSA-4695 [146] | firefox-esr [147]           |
|                |                             |
| DSA-4696 [148] | nodejs [149]                |
|                |                             |
| DSA-4697 [150] | gnutls28 [151]              |
|                |                             |
| DSA-4699 [152] | linux-signed-amd64 [153]    |
|                |                             |
| DSA-4699 [154] | linux-signed-arm64 [155]    |
|                |                             |
| DSA-4699 [156] | linux-signed-i386 [157]     |
|                |                             |
| DSA-4699 [158] | linux [159]                 |
|                |                             |
| DSA-4700 [160] | roundcube [161]             |
|                |                             |
| DSA-4701 [162] | intel-microcode [163]       |
|                |                             |
| DSA-4702 [164] | thunderbird [165]           |
|                |                             |
| DSA-4704 [166] | vlc [167]                   |
|                |                             |
| DSA-4705 [168] | python-django [169]         |
|                |                             |
| DSA-4707 [170] | mutt [171]                  |
|                |                             |
| DSA-4708 [172] | neomutt [173]               |
|                |                             |
| DSA-4709 [174] | wordpress [175]             |
|                |                             |
| DSA-4710 [176] | trafficserver [177]         |
|                |                             |
| DSA-4711 [178] | coturn [179]                |
|                |                             |
| DSA-4712 [180] | imagemagick [181]           |
|                |                             |
| DSA-4713 [182] | firefox-esr [183]           |
|                |                             |
| DSA-4714 [184] | chromium [185]              |
|                |                             |
| DSA-4716 [186] | docker.io [187]             |
|                |                             |
| DSA-4718 [188] | thunderbird [189]           |
|                |                             |
| DSA-4719 [190] | php7.3 [191]                |
|                |                             |
| DSA-4720 [192] | roundcube [193]             |
|                |                             |
| DSA-4721 [194] | ruby2.5 [195]               |
|                |                             |
| DSA-4722 [196] | ffmpeg [197]                |
|                |                             |
| DSA-4723 [198] | xen [199]                   |
|                |                             |
| DSA-4724 [200] | webkit2gtk [201]            |
|                |                             |
| DSA-4725 [202] | evolution-data-server [203] |
|                |                             |
| DSA-4726 [204] | nss [205]                   |
|                |                             |
| DSA-4727 [206] | tomcat9 [207]               |
|                |                             |
| DSA-4728 [208] | qemu [209]                  |
|                |                             |
| DSA-4729 [210] | libopenmpt [211]            |
|                |                             |
| DSA-4730 [212] | ruby-sanitize [213]         |
|                |                             |
| DSA-4731 [214] | redis [215]                 |
|                |                             |
| DSA-4732 [216] | squid [217]                 |
|                |                             |
| DSA-4733 [218] | qemu [219]                  |
|                |                             |
| DSA-4735 [220] | grub-efi-amd64-signed [221] |
|                |                             |
| DSA-4735 [222] | grub-efi-arm64-signed [223] |
|                |                             |
| DSA-4735 [224] | grub-efi-ia32-signed [225]  |
|                |                             |
| DSA-4735 [226] | grub2 [227]                 |
|                |                             |
+----------------+-----------------------------+

 

Removed packages
----------------

The following packages were removed due to circumstances beyond our
control:

+--------------------------------+------------------------------------+
| Package                        | Reason                             |
+--------------------------------+------------------------------------+
| golang-github-unknwon-         | Security issues; unmaintained      |
| cae [228]                      |                                    |
|                                |                                    |
| janus [229]                    | Not supportable in stable          |
|                                |                                    |
| mathematica-fonts [230]        | Relies on unavailable download     |
|                                | location                           |
|                                |                                    |
| matrix-synapse [231]           | Security issues; unsupportable     |
|                                |                                    |
| selenium-firefoxdriver [232]   | Incompatible with newer Firefox    |
|                                | ESR versions                       |
|                                |                                    |
+--------------------------------+------------------------------------+

 

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4740-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 02, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2020-6463 CVE-2020-6514 CVE-2020-15652 CVE-2020-15659

Multiple security issues have been found in Thunderbird which could
result in denial of service or potentially the execution of arbitrary
code.

For the stable distribution (buster), these problems have been fixed in
version 1:68.11.0-1~deb10u1.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4739-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
August 03, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2020-9862 CVE-2020-9893 CVE-2020-9894 CVE-2020-9895
                 CVE-2020-9915 CVE-2020-9925

The following vulnerabilities have been discovered in the webkit2gtk
web engine:

CVE-2020-9862

    Ophir Lojkine discovered that copying a URL from the Web Inspector
    may lead to command injection.

CVE-2020-9893

    0011 discovered that a remote attacker may be able to cause
    unexpected application termination or arbitrary code execution.

CVE-2020-9894

    0011 discovered that a remote attacker may be able to cause
    unexpected application termination or arbitrary code execution.

CVE-2020-9895

    Wen Xu discovered that a remote attacker may be able to cause
    unexpected application termination or arbitrary code execution.

CVE-2020-9915

    Ayoub Ait Elmokhtar discovered that processing maliciously crafted
    web content may prevent Content Security Policy from being
    enforced.

CVE-2020-9925

    An anonymous researcher discovered that processing maliciously
    crafted web content may lead to universal cross site scripting.

For the stable distribution (buster), these problems have been fixed in
version 2.28.4-1~deb10u1.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4741-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 05, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : json-c
CVE ID         : CVE-2020-12762

Tobias Stoeckmann discovered an integer overflow in the json-c JSON
library, which could result in denial of service or potentially the
execution of arbitrary code if large malformed JSON files are processed.

For the stable distribution (buster), this problem has been fixed in
version 0.12.1+ds-2+deb10u1.

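The DSA-4741 text above describes the general failure class of an integer overflow in a library that processes large inputs. The following added example is not json-c's code; it shows, for a growable byte buffer of the kind a JSON parser fills while reading a document, how the size arithmetic is written with explicit overflow checks so that an oversized or malformed input makes the append fail instead of wrapping a size_t and under-allocating. The sbuf type and all function names are assumptions made for this illustration.

```c
/* Added example (not json-c's code): a growable byte buffer whose size
 * arithmetic is overflow-checked. The type and function names are
 * assumptions made for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct sbuf {
    char  *data;   /* heap buffer, NULL while cap == 0 */
    size_t len;    /* bytes in use */
    size_t cap;    /* bytes allocated */
};

/* Unchecked form, kept only to show the failure mode: with len close to
 * SIZE_MAX the sum wraps to a small value, so a later realloc() would
 * hand back a buffer far too short for the bytes memcpy() then writes. */
size_t unchecked_add_size(size_t a, size_t b)
{
    return a + b;
}

/* Checked form: 0 on success with the sum in *out, -1 if a + b would wrap. */
int checked_add_size(size_t a, size_t b, size_t *out)
{
    if (b > SIZE_MAX - a)
        return -1;
    *out = a + b;
    return 0;
}

/* Make room for `extra` more bytes. Capacity doubles but is never allowed
 * to wrap; returns 0 on success, -1 on overflow or allocation failure. */
int sbuf_reserve(struct sbuf *b, size_t extra)
{
    size_t need;
    if (checked_add_size(b->len, extra, &need) != 0)
        return -1;                     /* refuse instead of wrapping */
    if (need <= b->cap)
        return 0;

    size_t newcap = b->cap ? b->cap : 64;
    while (newcap < need) {
        if (newcap > SIZE_MAX / 2) {   /* doubling would wrap: stop at need */
            newcap = need;
            break;
        }
        newcap *= 2;
    }
    char *p = realloc(b->data, newcap);
    if (p == NULL)
        return -1;                     /* buffer stays intact on failure */
    b->data = p;
    b->cap = newcap;
    return 0;
}

/* Append n bytes; the copy happens only after the size check succeeded. */
int sbuf_append(struct sbuf *b, const char *src, size_t n)
{
    if (sbuf_reserve(b, n) != 0)
        return -1;
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

void sbuf_free(struct sbuf *b)
{
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/* Constructed input: append a tiny JSON object in two pieces and return
 * the resulting length (9 bytes). */
size_t sbuf_example_len(void)
{
    struct sbuf b = { NULL, 0, 0 };
    size_t len = 0;
    if (sbuf_append(&b, "{\"k\":", 5) == 0 && sbuf_append(&b, "\"v\"}", 4) == 0)
        len = b.len;
    sbuf_free(&b);
    return len;
}

int main(void)
{
    /* Simulated near-full buffer: a request for 8 more bytes must be refused. */
    struct sbuf b = { NULL, SIZE_MAX - 2, 0 };
    int rc = sbuf_reserve(&b, 8);
    printf("reserve near SIZE_MAX: %s\n", rc == -1 ? "refused" : "accepted");
    return rc == -1 ? 0 : 1;
}
```

The check `b > SIZE_MAX - a` is the whole defence: it is evaluated before any allocation, and every later step (doubling, realloc, memcpy) only runs on a value already known not to have wrapped.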
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4742-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 06, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firejail
CVE ID         : CVE-2020-17367 CVE-2020-17368

Tim Starling discovered two vulnerabilities in firejail, a sandbox
program to restrict the running environment of untrusted applications.

CVE-2020-17367

    It was reported that firejail does not respect the end-of-options
    separator ("--"), allowing an attacker with control over the command
    line options of the sandboxed application to write data to a
    specified file.

CVE-2020-17368

    It was reported that firejail, when redirecting output via --output
    or --output-stderr, concatenates all command line arguments into a
    single string that is passed to a shell. An attacker who has control
    over the command line arguments of the sandboxed application could
    take advantage of this flaw to run arbitrary other commands.

For the stable distribution (buster), these problems have been fixed in
version 0.9.58.2-2+deb10u1.

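The two defects described in DSA-4742 above, shown from the fixing side in an added example that is not firejail's code: a small wrapper that stops its own option parsing at the "--" separator, and that redirects output with open()/dup2() in the child before execvp(), so the sandboxed program's arguments are handed over as an argv array and never joined into a shell command line. The wrapper itself, its --output=FILE option and the function names are assumptions made for this illustration.

```c
/* Added example, not firejail's code. The wrapper, its --output=FILE
 * option and the function names are assumptions for this illustration.
 *   - "--" ends wrapper option parsing; what follows is the command and
 *     its arguments, never a wrapper option (cf. CVE-2020-17367).
 *   - Redirection is done with open()/dup2() and the command is started
 *     with execvp() on an argv array, so no shell sees the arguments
 *     (cf. CVE-2020-17368). */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

struct wrapper_opts {
    const char *output_file;  /* --output=FILE, or NULL for no redirection */
    int first_cmd_arg;        /* index in argv where the command begins */
    int error;                /* non-zero if an unknown wrapper option was seen */
};

/* Parse the wrapper's own options, stopping at "--" or at the first
 * argument that is not a wrapper option. */
struct wrapper_opts parse_wrapper_args(int argc, char *const argv[])
{
    struct wrapper_opts o = { NULL, argc, 0 };
    int i;
    for (i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (strcmp(a, "--") == 0) {           /* end-of-options separator */
            i++;
            break;
        }
        if (strncmp(a, "--output=", 9) == 0) {
            o.output_file = a + 9;
            continue;
        }
        if (a[0] == '-') {                    /* unknown wrapper option */
            o.error = 1;
            break;
        }
        break;                                /* command name */
    }
    o.first_cmd_arg = i;
    return o;
}

/* Build a NULL-terminated argv for execvp() from argv[first .. argc-1].
 * Every element stays one string: "--output=x" after "--" is an ordinary
 * argument of the child, and "a; b" is never split or interpreted. */
char **build_child_argv(int argc, char *const argv[], int first)
{
    int n = argc > first ? argc - first : 0;
    char **out = calloc((size_t)n + 1, sizeof *out);
    if (out == NULL)
        return NULL;
    for (int k = 0; k < n; k++)
        out[k] = argv[first + k];
    out[n] = NULL;                            /* execvp needs the terminator */
    return out;
}

/* Fork, redirect stdout in the child with dup2() if requested, then exec.
 * Returns the child's exit status, or -1 on failure or a parse error. */
int run_child(const struct wrapper_opts *o, char *const child_argv[])
{
    if (o->error || child_argv == NULL || child_argv[0] == NULL)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (o->output_file != NULL) {
            int fd = open(o->output_file, O_WRONLY | O_CREAT | O_APPEND, 0600);
            if (fd < 0 || dup2(fd, STDOUT_FILENO) < 0)
                _exit(127);
            close(fd);
        }
        execvp(child_argv[0], child_argv);    /* no "/bin/sh -c" involved */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[])
{
    struct wrapper_opts o = parse_wrapper_args(argc, argv);
    if (o.error) {
        fprintf(stderr, "usage: %s [--output=FILE] [--] command [args...]\n", argv[0]);
        return 2;
    }
    char **child = build_child_argv(argc, argv, o.first_cmd_arg);
    int rc = run_child(&o, child);
    free(child);
    return rc < 0 ? 1 : rc;
}
```

Run as `./wrapper --output=log -- somecmd --output=other`: the first `--output=` is the wrapper's, the second reaches `somecmd` untouched, and the redirection happens on a file descriptor rather than through shell syntax.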