Debian 10 更新:10.4 发布
2020年05月09日
Debian 项目很高兴地宣布对 Debian 10 稳定版的第四次更新(发行版代号 buster
)。此次小版本更新主要添加了对安全问题的修正补丁,以及为一些严重问题所作的调整。安全通告已单独发布,并会在适当的情况下予以引用。
请注意,此更新并不是 Debian 10 的新版本,它仅更新了所包含的一些软件包。没有必要丢弃旧的buster
的安装介质。在安装之后,只需使用最新的 Debian 镜像更新旧的软件包即可。
经常从 security.debian.org 安装更新的用户将不必更新许多软件包,因本更新中包含了 security.debian.org 的大多数更新。
新的安装镜像即将于常规的位置予以提供。
只需令软件包管理系统指向 Debian 的许多 HTTP 镜像站点之一,您便能够把已有的系统升级至本次更新版本。详尽的镜像列表可以在以下网址处获得:
杂项错误修正
此稳定版更新为以下软件包添加了一些重要的修正:
| 软件包 | 原因 |
|---|---|
| apt-cacher-ng | Enforce secured call to the server in maintenance job triggering [CVE-2020-5202]; allow .zst compression for tarballs; increase size of the decompression line buffer for configuration file reading |
| backuppc | Pass the username to start-stop-daemon when reloading, preventing reload failures |
| base-files | 为小版本更新提供文件 |
| brltty | Reduce severity of log message to avoid generating too many messages when used with new Orca versions |
| checkstyle | Fix XML External Entity injection issue [CVE-2019-9658 CVE-2019-10782] |
| choose-mirror | 更新其包含的镜像列表 |
| clamav | 新上游发行版本 [CVE-2020-3123] |
| corosync | totemsrp: Reduce MTU to avoid generating oversized packets |
| corosync-qdevice | 修复服务启动问题 |
| csync2 | Fail HELLO command when SSL is required |
| cups | Fix heap buffer overflow [CVE-2020-3898] and the `ippReadIO` function may under-read an extension field[CVE-2019-8842] |
| dav4tbsync | 新上游发行版本,修复与新版本 Thunderbird 的兼容性 |
| debian-edu-config | Add policy files for Firefox ESR and Thunderbird to fix the TLS/SSL setup |
| debian-installer | 为 4.19.0-9 kernel ABI 更新 |
| debian-installer-netboot-images | Rebuild against proposed-updates |
| debian-security-support | 新上游稳定释出版本;更新几个软件包的状态;改用 runuser而不是 su |
| distro-info-data | 添加 Ubuntu 20.10 以及 stretch 的可能结束支持日期 |
| dojo | Fix improper regular expression usage [CVE-2019-10785] |
| dpdk | 新上游稳定释出版本 |
| dtv-scan-tables | New upstream snapshot; add all current German DVB-T2 muxes and the Eutelsat-5-West-A satellite |
| eas4tbsync | 新上游发行版本,修复与新版本 Thunderbird 的兼容性 |
| edk2 | 安全修复 [CVE-2019-14558 CVE-2019-14559 CVE-2019-14563 CVE-2019-14575 CVE-2019-14586 CVE-2019-14587] |
| el-api | 修复从 stretch 升级到 buster 时包含 Tomcat 8 的问题 |
| fex | Fix a potential security issue in fexsrv |
| filezilla | Fix untrusted search path vulnerability [CVE-2019-5429] |
| frr | Fix extended next hop capability |
| fuse | Remove outdated udevadm commands from post-install scripts; don't explicitly remove fuse.conf on purge |
| fuse3 | Remove outdated udevadm commands from post-install scripts; don't explicitly remove fuse.conf on purge; fix memory leak in fuse_session_new() |
| golang-github-prometheus-common | Extend validity of test certificates |
| gosa | Replace (un)serialize with json_encode/json_decode to mitigate PHP object injection [CVE-2019-14466] |
| hbci4java | Support EU directive on payment services (PSD2) |
| hibiscus | Support EU directive on payment services (PSD2) |
| iputils | Correct an issue in which ping would improperly exit with a failure code when there were untried addresses still available in the getaddrinfo() library call return value |
| ircd-hybrid | Use dhparam.pem to avoid crash on startup |
| jekyll | 允许使用 ruby-i18n 0.x 和 1.x |
| jsp-api | 修复从 stretch 升级到 buster 时包含 Tomcat 8 的问题 |
| lemonldap-ng | Prevent unwanted access to administration endpoints [CVE-2019-19791]; fix the GrantSession plugin which could not prohibit logon when two factor authentication was used; fix arbitrary redirects with OIDC if redirect_uri was not used |
| libdatetime-timezone-perl | Update included data |
| libreoffice | Fix OpenGL slide transitions |
| libssh | Fix possible denial of service issue when handling AES-CTR keys with OpenSSL [CVE-2020-1730] |
| libvncserver | 修复堆溢出 [CVE-2019-15690] |
| linux | 新上游稳定释出版本 |
| linux-latest | 更新 kernel ABI 到 4.19.0-9 |
| linux-signed-amd64 | 新上游稳定释出版本 |
| linux-signed-arm64 | 新上游稳定释出版本 |
| linux-signed-i386 | 新上游稳定释出版本 |
| lwip | 修复缓冲区溢出 [CVE-2020-8597] |
| lxc-templates | 新上游稳定释出版本; handle languages that are only UTF-8 encoded |
| manila | Fix missing access permissions check [CVE-2020-9543] |
| megatools | 添加对 mega.nz 链接的新格式的支持 |
| mew | Fix server SSL certificate validity checking |
| mew-beta | Fix server SSL certificate validity checking |
| mkvtoolnix | Rebuild to tighten libmatroska6v5 dependency |
| ncbi-blast+ | 禁用对 SSE4.2 的支持 |
| node-anymatch | 删除不必要的依赖 |
| node-dot | Prevent code execution after prototype pollution [CVE-2020-8141] |
| node-dot-prop | Fix prototype pollution [CVE-2020-8116] |
| node-knockout | Fix escaping with older Internet Explorer versions [CVE-2019-14862] |
| node-mongodb | Reject invalid _bsontypes [CVE-2019-2391 CVE-2020-7610] |
| node-yargs-parser | Fix prototype pollution [CVE-2020-7608] |
| npm | Fix arbitrary path access [CVE-2019-16775 CVE-2019-16776 CVE-2019-16777] |
| nvidia-graphics-drivers | 新上游稳定释出版本 |
| nvidia-graphics-drivers-legacy-390xx | 新上游稳定释出版本 |
| nvidia-settings-legacy-340xx | 新上游发行版本 |
| oar | Revert to stretch behavior for Storable::dclone perl function, fixing recursion depth issues |
| opam | Prefer mccs over aspcud |
| openvswitch | Fix vswitchd abort when a port is added and the controller is down |
| orocos-kdl | Fix string conversion with Python 3 |
| owfs | Remove broken Python 3 packages |
| pango1.0 | Fix crash in pango_fc_font_key_get_variations() when key is null |
| pgcli | Add missing dependency on python3-pkg-resources |
| php-horde-data | Fix authenticated remote code execution vulnerability [CVE-2020-8518] |
| php-horde-form | Fix authenticated remote code execution vulnerability [CVE-2020-8866] |
| php-horde-trean | Fix authenticated remote code execution vulnerability [CVE-2020-8865] |
| postfix | 新上游稳定释出版本; fix panic with Postfix multi-Milter configuration during MAIL FROM; fix d/init.d running change so it works with multi-instance again |
| proftpd-dfsg | Fix memory access issue in keyboard-interative code in mod_sftp; properly handle DEBUG, IGNORE, DISCONNECT, and UNIMPLEMENTED messages in keyboard-interactive mode |
| puma | Fix Denial of Service issue [CVE-2019-16770] |
| purple-discord | Fix crashes in ssl_nss_read |
| python-oslo.utils | Fix leak of sensitive information via mistral logs [CVE-2019-3866] |
| rails | Fix possible cross-site scripting via Javascript escape helper [CVE-2020-5267] |
| rake | Fix command injection vulnerability [CVE-2020-8130] |
| raspi3-firmware | Fix dtb names mismatch in z50-raspi-firmware; fix boot on Raspberry Pi families 1 and 0 |
| resource-agents | Fix ethmonitor does not list interfaces without assigned IP address; remove no longer required xen-toolstack patch; fix non-standard usage in ZFS agent |
| rootskel | Disable multiple console support if preseeding is in use |
| ruby-i18n | Fix gemspec generation |
| rubygems-integration | Avoid deprecation warnings when users install a newer version of Rubygems via gem update --system |
| schleuder | Improve patch to handle encoding errors introduced in the previous version; switch default encoding to UTF-8; let x-add-key handle mails with attached, quoted-printable encoded keys; fix x-attach-listkey with mails created by Thunderbird that include protected headers |
| scilab | Fix library loading with OpenJDK 11.0.7 |
| serverspec-runner | 支持 Ruby 2.5 |
| softflowd | Fix broken flow aggregation which might result in flow table overflow and 100% CPU usage |
| speech-dispatcher | Fix default pulseaudio latency which triggers scratchyoutput |
| spl-linux | 修复死锁 |
| sssd | Fix sssd_be busy-looping when LDAP connection is intermittent |
| systemd | when authorizing via PolicyKit re-resolve callback/userdata instead of caching it [CVE-2020-1712]; install 60-block.rules in udev-udeb and initramfs-tools |
| taglib | Fix corruption issues with OGG files |
| tbsync | 新上游发行版本,修复与新版本 Thunderbird 的兼容性 |
| timeshift | Fix predictable temporary directory use [CVE-2020-10174] |
| tinyproxy | Only set PIDDIR, if PIDFILE is a non-zero length string |
| tzdata | 新上游稳定释出版本 |
| uim | unregister modules that are not installed, fixing a regression in the previous upload |
| user-mode-linux | Fix build failure with current stable kernels |
| vite | Fix crash when there are more than 32 elements |
| waagent | 新上游发行版本;支持与 cloud-init 共同安装 |
| websocket-api | 修复从 stretch 升级到 buster 时包含 Tomcat 8 的问题 |
| wpa | Do not try to detect PSK mismatch during PTK rekeying; check for FT support when selecting FT suites; fix MAC randomisation issue with some cards |
| xdg-utils | xdg-open: fix pcmanfm check and handling of directories with spaces in their names; xdg-screensaver: Sanitise window name before sending it over D-Bus; xdg-mime: Create config directory if it does not exist yet |
| xtrlock | Fix blocking of (some) multitouch devices while locked [CVE-2016-10894] |
| zfs-linux | 修复潜在的死锁问题 |
安全更新
此修订版本将以下安全更新添加到了稳定发行版本中。安全团队已经分别为这些更新发布了通告:
删除的软件包
由于我们无法控制的情况,以下软件包已被删除:
| 软件包 | 原因 |
|---|---|
| getlive | 由于 Hotmail 的更改而破损 |
| gplaycli | 由于 Google API 更改而破损 |
| kerneloops | 上游服务不再可用 |
| lambda-align2 | [arm64 armel armhf i386 mips64el ppc64el s390x] 在非 amd64 架构上破损 |
| libmicrodns | 安全问题 |
| libperlspeak-perl | 安全问题;不再获得维护 |
| quotecolors | 与更新版本的 Thunderbird 不兼容 |
| torbirdy | 与更新版本的 Thunderbird 不兼容 |
| ugene | Non-free; fails to build |
| yahoo2mbox | 在过去几年处于破损状态 |
Debian 安装器
安装器已经更新,以配合发布时包含在稳定版本中的修正内容。
链接
此修订版本中有更改的软件包的完整列表:
当前稳定发行版:
拟议的稳定发行版更新:
稳定发行版信息(发行说明,勘误等):
安全公告及信息:
关于 Debian
Debian 项目是一个自由软件开发者组织,这些志愿者为制作完全自由免费的 Debian 操作系统而自愿贡献时间和精力。
联系信息
更多信息,请访问 Debian 主页 https://www.debian.org/、发送邮件至 <press@debian.org> ,或联系稳定版本发布团队 <debian-release@lists.debian.org>。