• Updated Debian 10: 10.12 released (1/2)

    From Laura Arjona Reina@21:1/5 to All on Sat Mar 26 18:30:01 2022
    ------------------------------------------------------------------------
    The Debian Project https://www.debian.org/ Updated Debian 10: 10.12 released press@debian.org
    March 26th, 2022 https://www.debian.org/News/2022/2022032602 ------------------------------------------------------------------------


    The Debian project is pleased to announce the twelfth update of its
    oldstable distribution Debian 10 (codename "buster"). This point release
    mainly adds corrections for security issues, along with a few
    adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

    Please note that the point release does not constitute a new version of
    Debian 10 but only updates some of the packages included. There is no
    need to throw away old "buster" media. After installation, packages can
    be upgraded to the current versions using an up-to-date Debian mirror.

    Those who frequently install updates from security.debian.org won't have
    to update many packages, and most such updates are included in the point release.

    New installation images will be available soon at the regular locations.

    Upgrading an existing installation to this revision can be achieved by
    pointing the package management system at one of Debian's many HTTP
    mirrors. A comprehensive list of mirrors is available at:

    https://www.debian.org/mirror/list



    OpenSSL signature algorithm check tightening --------------------------------------------

    The OpenSSL update provided in this point release includes a change to
    ensure that the requested signature algorithm is supported by the active security level.

    Although this will not affect most use-cases, it could lead to error
    messages being generated if a non-supported algorithm is requested - for example, use of RSA+SHA1 signatures with the default security level of
    2.

    In such cases, the security level will need to be explicitly lowered,
    either for individual requests or more globally. This may require
    changes to the configuration of applications. For OpenSSL itself, per-
    request lowering can be achieved using a command-line option such as:

    -cipher "ALL:@SECLEVEL=1"

    with the relevant system-level configuration being found in /etc/ssl/ openssl.cnf


    Miscellaneous Bugfixes
    ----------------------

    This oldstable update adds a few important corrections to the following packages:

    +--------------------------+------------------------------------------+
    | Package | Reason | +--------------------------+------------------------------------------+
    | apache-log4j1.2 [1] | Resolve security issues [CVE-2021-4104 |
    | | CVE-2022-23302 CVE-2022-23305 CVE-2022- |
    | | 23307], by removing support for the |
    | | JMSSink, JDBCAppender, JMSAppender and |
    | | Apache Chainsaw modules |
    | | |
    | apache-log4j2 [2] | Fix remote code execution issue |
    | | [CVE-2021-44832] |
    | | |
    | atftp [3] | Fix information leak issue [CVE-2021- |
    | | 46671] |
    | | |
    | base-files [4] | Update for the 10.12 point release |
    | | |
    | beads [5] | Rebuild against updated cimg to fix |
    | | multiple heap buffer overflows |
    | | [CVE-2020-25693] |
    | | |
    | btrbk [6] | Fix regression in the update for |
    | | CVE-2021-38173 |
    | | |
    | cargo-mozilla [7] | New package, backported from Debian 11, |
    | | to help build new rust versions |
    | | |
    | chrony [8] | Allow reading the chronyd configuration |
    | | file that timemaster(8) generates |
    | | |
    | cimg [9] | Fix heap buffer overflow issues |
    | | [CVE-2020-25693] |
    | | |
    | clamav [10] | New upstream stable release; fix denial |
    | | of service issue [CVE-2022-20698] |
    | | |
    | cups [11] | Fix "an input validation issue might |
    | | allow a malicious application to read |
    | | restricted memory" [CVE-2020-10001] |
    | | |
    | debian-installer [12] | Rebuild against oldstable-proposed- |
    | | updates; update kernel ABI to -20 |
    | | |
    | debian-installer- | Rebuild against oldstable-proposed- |
    | netboot-images [13] | updates |
    | | |
    | detox [14] | Fix processing of large files on ARM |
    | | architectures |
    | | |
    | evolution-data- | Fix crash on malformed server reponse |
    | server [15] | [CVE-2020-16117] |
    | | |
    | flac [16] | Fix out of bounds read issue [CVE-2020- |
    | | 0499] |
    | | |
    | gerbv [17] | Fix code execution issue [CVE-2021- |
    | | 40391] |
    | | |
    | glibc [18] | Import several fixes from upstream's |
    | | stable branch; simplify the check for |
    | | supported kernel versions, as 2.x |
    | | kernels are no longer supported; support |
    | | installation on kernels with a release |
    | | number greater than 255 |
    | | |
    | gmp [19] | Fix integer and buffer overflow issue |
    | | [CVE-2021-43618] |
    | | |
    | graphicsmagick [20] | Fix buffer overflow issue [CVE-2020- |
    | | 12672] |
    | | |
    | htmldoc [21] | Fix out-of-bounds read issue [CVE-2022- |
    | | 0534], buffer overflow issues [CVE-2021- |
    | | 43579 CVE-2021-40985] |
    | | |
    | http-parser [22] | Resolve inadvertent ABI break |
    | | |
    | icu [23] | Fix "pkgdata" utility |
    | | |
    | intel-microcode [24] | Update included microcode; mitigate some |
    | | security issues [CVE-2020-8694 CVE-2020- |
    | | 8695 CVE-2021-0127 CVE-2021-0145 |
    | | CVE-2021-0146 CVE-2021-33120] |
    | | |
    | jbig2dec [25] | Fix buffer overflow issue [CVE-2020- |
    | | 12268] |
    | | |
    | jtharness [26] | New upstream version to support builds |
    | | of newer OpenJDK-11 versions |
    | | |
    | jtreg [27] | New upstream version to support builds |
    | | of newer OpenJDK-11 versions |
    | | |
    | lemonldap-ng [28] | Fix auth process in password-testing |
    | | plugins [CVE-2021-20874]; add recommends |
    | | on gsfonts, fixing captcha |
    | | |
    | leptonlib [29] | Fix denial of service issue [CVE-2020- |
    | | 36277], buffer over-read issues |
    | | [CVE-2020-36278 CVE-2020-36279 CVE-2020- |
    | | 36280 CVE-2020-36281] |
    | | |
    | libdatetime-timezone- | Update included data |
    | perl [30] | |
    | | |
    | libencode-perl [31] | Fix a memory leak in Encode.xs |
    | | |
    | libetpan [32] | Fix STARTTLS response injection issue |
    | | [CVE-2020-15953] |
    | | |
    | libextractor [33] | Fix invalid read issue [CVE-2019-15531] |
    | | |
    | libjackson-json- | Fix code execution issues [CVE-2017- |
    | java [34] | 15095 CVE-2017-7525], XML external |
    | | entity issues [CVE-2019-10172] |
    | | |
    | libmodbus [35] | Fix out of bound read issues [CVE-2019- |
    | | 14462 CVE-2019-14463] |
    | | |
    | libpcap [36] | Check PHB header length before using it |
    | | to allocate memory [CVE-2019-15165] |
    | | |
    | libsdl1.2 [37] | Properly handle input focus events; fix |
    | | buffer overflow issues [CVE-2019-13616 |
    | | CVE-2019-7637], buffer over-read issues |
    | | [CVE-2019-7572 CVE-2019-7573 CVE-2019- |
    | | 7574 CVE-2019-7575 CVE-2019-7576 |
    | | CVE-2019-7577 CVE-2019-7578 CVE-2019- |
    | | 7635 CVE-2019-7636 CVE-2019-7638] |
    | | |
    | libxml2 [38] | Fix use-after-free issue [CVE-2022- |
    | | 23308] |
    | | |
    | linux [39] | New upstream stable release; [rt] Update |
    | | to 4.19.233-rt105; increase ABI to 20 |
    | | |
    | linux-latest [40] | Update to 4.19.0-20 ABI |
    | | |
    | linux-signed-amd64 [41] | New upstream stable release; [rt] Update |
    | | to 4.19.233-rt105; increase ABI to 20 |
    | | |
    | linux-signed-arm64 [42] | New upstream stable release; [rt] Update |
    | | to 4.19.233-rt105; increase ABI to 20 |
    | | |
    | linux-signed-i386 [43] | New upstream stable release; [rt] Update |
    | | to 4.19.233-rt105; increase ABI to 20 |
    | | |
    | llvm-toolchain-11 [44] | New package, backported from Debian 11, |
    | | to help build new rust versions |
    | | |
    | lxcfs [45] | Fix misreporting of swap usage |
    | | |
    | mailman [46] | Fix cross-site scripting issue |
    | | [CVE-2021-43331]; fix "a list moderator |
    | | can crack the list admin password |
    | | encrypted in a CSRF token" [CVE-2021- |
    | | 43332]; fix potential CSRF attack |
    | | against a list admin from a list member |
    | | or moderator [CVE-2021-44227]; fix |
    | | regressions in fixes for CVE-2021-42097 |
    | | and CVE-2021-44227 |
    | | |
    | mariadb-10.3 [47] | New upstream stable release; security |
    | | fixes [CVE-2021-35604 CVE-2021-46659 |
    | | CVE-2021-46661 CVE-2021-46662 CVE-2021- |
    | | 46663 CVE-2021-46664 CVE-2021-46665 |
    | | CVE-2021-46667 CVE-2021-46668 CVE-2022- |
    | | 24048 CVE-2022-24050 CVE-2022-24051 |
    | | CVE-2022-24052] |
    | | |
    | node-getobject [48] | Fix prototype pollution issue [CVE-2020- |
    | | 28282] |
    | | |
    | opensc [49] | Fix out-of-bounds access issues |
    | | [CVE-2019-15945 CVE-2019-15946], crash |
    | | due to read of unknown memory [CVE-2019- |
    | | 19479], double free issue [CVE-2019- |
    | | 20792], buffer overflow issues |
    | | [CVE-2020-26570 CVE-2020-26571 CVE-2020- |
    | | 26572] |
    | | |
    | openscad [50] | Fix buffer overflows in STL parser |
    | | [CVE-2020-28599 CVE-2020-28600] |
    | | |
    | openssl [51] | New upstream release |
    | | |
    | php-illuminate- | Fix query binding issue [CVE-2021- |
    | database [52] | 21263], SQL injection issue when used |
    | | with Microsoft SQL Server |
    | | |
    | phpliteadmin [53] | Fix cross-site scripting issue |
    | | [CVE-2021-46709] |
    | | |
    | plib [54] | Fix integer overflow issue [CVE-2021- |
    | | 38714] |
    | | |
    | privoxy [55] | Fix memory leak [CVE-2021-44540] and |
    | | cross-site scripting issue [CVE-2021- |
    | | 44543] |
    | | |
    | publicsuffix [56] | Update included data |
    | | |
    | python-virtualenv [57] | Avoid attempting to install |
    | | pkg_resources from PyPI |
    | | |
    | raptor2 [58] | Fix out of bounds array access issue |
    | | [CVE-2020-25713] |
    | | |
    | ros-ros-comm [59] | Fix denial of service issue [CVE-2021- |
    | | 37146] |
    | | |
    | rsyslog [60] | Fix heap overflow issues [CVE-2019-17041 |
    | | CVE-2019-17042] |
    | | |
    | ruby-httpclient [61] | Use system certificate store |
    | | |
    | rust-cbindgen [62] | New upstream stable release to support |
    | | builds of newer firefox-esr and |
    | | thunderbird versions |
    | | |
    | rustc-mozilla [63] | New source package to support building |
    | | of newer firefox-esr and thunderbird |
    | | versions |
    | | |
    | s390-dasd [64] | Stop passing deprecated -f option to |
    | | dasdfmt |
    | | |
    | spip [65] | Fix cross-site scripting issue |
    | | |
    | tzdata [66] | Update data for Fiji and Palestine |
    | | |
    | vim [67] | Fix ability to execute code while in |
    | | restricted mode [CVE-2019-20807], buffer |
    | | overflow issues [CVE-2021-3770 CVE-2021- |
    | | 3778 CVE-2021-3875], use after free |
    | | issue [CVE-2021-3796]; remove |
    | | accidentally included patch |
    | | |
    | wavpack [68] | Fix use of uninitialized values |
    | | [CVE-2019-1010317 CVE-2019-1010319] |
    | | |
    | weechat [69] | Fix several denial of service issues |
    | | [CVE-2020-8955 CVE-2020-9759 CVE-2020- |
    | | 9760 CVE-2021-40516] |
    | | |
    | wireshark [70] | Fix several security issues in |
    | | dissectors [CVE-2021-22207 CVE-2021- |
    | | 22235 CVE-2021-39921 CVE-2021-39922 |
    | | CVE-2021-39923 CVE-2021-39924 CVE-2021- |
    | | 39928 CVE-2021-39929] |
    | | |
    | xterm [71] | Fix buffer overflow issue [CVE-2022- |
    | | 24130] |
    | | |
    | zziplib [72] | Fix denial of service issue [CVE-2020- |
    | | 18442] |
    | | | +--------------------------+------------------------------------------+

    1: https://packages.debian.org/src:apache-log4j1.2
    2: https://packages.debian.org/src:apache-log4j2
    3: https://packages.debian.org/src:atftp
    4: https://packages.debian.org/src:base-files
    5: https://packages.debian.org/src:beads
    6: https://packages.debian.org/src:btrbk
    7: https://packages.debian.org/src:cargo-mozilla
    8: https://packages.debian.org/src:chrony
    9: https://packages.debian.org/src:cimg
    10: https://packages.debian.org/src:clamav
    11: https://packages.debian.org/src:cups
    12: https://packages.debian.org/src:debian-installer
    13: https://packages.debian.org/src:debian-installer-netboot-images
    14: https://packages.debian.org/src:detox
    15: https://packages.debian.org/src:evolution-data-server
    16: https://packages.debian.org/src:flac
    17: https://packages.debian.org/src:gerbv
    18: https://packages.debian.org/src:glibc
    19: https://packages.debian.org/src:gmp
    20: https://packages.debian.org/src:graphicsmagick
    21: https://packages.debian.org/src:htmldoc
    22: https://packages.debian.org/src:http-parser
    23: https://packages.debian.org/src:icu
    24: https://packages.debian.org/src:intel-microcode
    25: https://packages.debian.org/src:jbig2dec
    26: https://packages.debian.org/src:jtharness
    27: https://packages.debian.org/src:jtreg
    28: https://packages.debian.org/src:lemonldap-ng
    29: https://packages.debian.org/src:leptonlib
    30: https://packages.debian.org/src:libdatetime-timezone-perl
    31: https://packages.debian.org/src:libencode-perl
    32: https://packages.debian.org/src:libetpan
    33: https://packages.debian.org/src:libextractor
    34: https://packages.debian.org/src:libjackson-json-java
    35: https://packages.debian.org/src:libmodbus
    36: https://packages.debian.org/src:libpcap
    37: https://packages.debian.org/src:libsdl1.2
    38: https://packages.debian.org/src:libxml2
    39: https://packages.debian.org/src:linux
    40: https://packages.debian.org/src:linux-latest
    41: https://packages.debian.org/src:linux-signed-amd64
    42: https://packages.debian.org/src:linux-signed-arm64
    43: https://packages.debian.org/src:linux-signed-i386
    44: https://packages.debian.org/src:llvm-toolchain-11
    45: https://packages.debian.org/src:lxcfs
    46: https://packages.debian.org/src:mailman
    47: https://packages.debian.org/src:mariadb-10.3
    48: https://packages.debian.org/src:node-getobject
    49: https://packages.debian.org/src:opensc
    50: https://packages.debian.org/src:openscad
    51: https://packages.debian.org/src:openssl
    52: https://packages.debian.org/src:php-illuminate-database
    53: https://packages.debian.org/src:phpliteadmin
    54: https://packages.debian.org/src:plib
    55: https://packages.debian.org/src:privoxy
    56: https://packages.debian.org/src:publicsuffix
    57: https://packages.debian.org/src:python-virtualenv
    58: https://packages.debian.org/src:raptor2
    59: https://packages.debian.org/src:ros-ros-comm
    60: https://packages.debian.org/src:rsyslog
    61: https://packages.debian.org/src:ruby-httpclient
    62: https://packages.debian.org/src:rust-cbindgen
    63: https://packages.debian.org/src:rustc-mozilla
    64: https://packages.debian.org/src:s390-dasd
    65: https://packages.debian.org/src:spip
    66: https://packages.debian.org/src:tzdata
    67: https://packages.debian.org/src:vim
    68: https://packages.debian.org/src:wavpack
    69: https://packages.debian.org/src:weechat
    70: https://packages.debian.org/src:wireshark
    71: https://packages.debian.org/src:xterm
    72: https://packages.debian.org/src:zziplib

    Security Updates
    ----------------

    This revision adds the following security updates to the oldstable
    release. The Security Team has already released an advisory for each of
    these updates:

    +----------------+----------------------------+
    | Advisory ID | Package | +----------------+----------------------------+
    | DSA-4513 [73] | samba [74] |
    | | |
    | DSA-4982 [75] | apache2 [76] |
    | | |
    | DSA-4983 [77] | neutron [78] |
    | | |
    | DSA-4985 [79] | wordpress [80] |
    | | |
    | DSA-4986 [81] | tomcat9 [82] |
    | | |
    | DSA-4987 [83] | squashfs-tools [84] |
    | | |
    | DSA-4989 [85] | strongswan [86] |
    | | |
    | DSA-4990 [87] | ffmpeg [88] |
    | | |
    | DSA-4991 [89] | mailman [90] |
    | | |
    | DSA-4993 [91] | php7.3 [92] |
    | | |
    | DSA-4994 [93] | bind9 [94] |
    | | |
    | DSA-4995 [95] | webkit2gtk [96] |
    | | |
    | DSA-4997 [97] | tiff [98] |
    | | |
    | DSA-5000 [99] | openjdk-11 [100] |
    | | |
    | DSA-5001 [101] | redis [102] |
    | | |
    | DSA-5004 [103] | libxstream-java [104] |
    | | |
    | DSA-5005 [105] | ruby-kaminari [106] |
    | | |
    | DSA-5006 [107] | postgresql-11 [108] |
    | | |
    | DSA-5010 [109] | libxml-security-java [110] |
    | | |
    | DSA-5011 [111] | salt [112] |
    | | |
    | DSA-5013 [113] | roundcube [114] |
    | | |
    | DSA-5014 [115] | icu [116] |
    | | |
    | DSA-5015 [117] | samba [118] |
    | | |
    | DSA-5016 [119] | nss [120] |
    | | |
    | DSA-5018 [121] | python-babel [122] |
    | | |
    | DSA-5019 [123] | wireshark [124] |
    | | |
    | DSA-5020 [125] | apache-log4j2 [126] |
    | | |
    | DSA-5021 [127] | mediawiki [128] |
    | | |
    | DSA-5022 [129] | apache-log4j2 [130] |
    | | |
    | DSA-5023 [131] | modsecurity-apache [132] |
    | | |
    | DSA-5024 [133] | apache-log4j2 [134] |
    | | |
    | DSA-5027 [135] | xorg-server [136] |
    | | |
    | DSA-5028 [137] | spip [138] |
    | | |
    | DSA-5029 [139] | sogo [140] |
    | | |
    | DSA-5030 [141] | webkit2gtk [142] |
    | | |
    | DSA-5032 [143] | djvulibre [144] |
    | | |
    | DSA-5035 [145] | apache2 [146] |
    | | |
    | DSA-5036 [147] | sphinxsearch [148] |
    | | |
    | DSA-5037 [149] | roundcube [150] |
    | | |
    | DSA-5038 [151] | ghostscript [152] |
    | | |
    | DSA-5039 [153] | wordpress [154] |
    | | |
    | DSA-5040 [155] | lighttpd [156] |
    | | |
    | DSA-5043 [157] | lxml [158] |
    | | |
    | DSA-5047 [159] | prosody [160] |
    | | |
    | DSA-5051 [161] | aide [162] |
    | | |
    | DSA-5052 [163] | usbview [164] |
    | | |
    | DSA-5053 [165] | pillow [166] |
    | | |
    | DSA-5056 [167] | strongswan [168] |
    | | |
    | DSA-5057 [169] | openjdk-11 [170] |
    | | |
    | DSA-5059 [171] | policykit-1 [172] |
    | | |
    | DSA-5060 [173] | webkit2gtk [174] |
    | | |
    | DSA-5062 [175] | nss [176] |
    | | |
    | DSA-5063 [177] | uriparser [178] |
    | | |
    | DSA-5065 [179] | ipython [180] |
    | | |
    | DSA-5066 [181] | ruby2.5 [182] |
    | | |
    | DSA-5071 [183] | samba [184] |
    | | |
    | DSA-5072 [185] | debian-edu-config [186] |
    | | |
    | DSA-5073 [187] | expat [188] |
    | | |
    | DSA-5075 [189] | minetest [190] |
    | | |
    | DSA-5076 [191] | h2database [192] |
    | | |
    | DSA-5078 [193] | zsh [194] |
    | | |
    | DSA-5081 [195] | redis [196] |
    | | |
    | DSA-5083 [197] | webkit2gtk [198] |
    | | |
    | DSA-5085 [199] | expat [200] |
    | | |
    | DSA-5087 [201] | cyrus-sasl2 [202] |
    | | |
    | DSA-5088 [203] | varnish [204] |
    | | |
    | DSA-5093 [205] | spip [206] |
    | | |
    | DSA-5096 [207] | linux-latest [208] |
    | | |
    | DSA-5096 [209] | linux-signed-amd64 [210] |
    | | |
    | DSA-5096 [211] | linux-signed-arm64 [212] |
    | | |

    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)