Debian 10 更新:10.4 發佈
2020年05月09日
Debian 項目很高興地宣佈對 Debian 10 穩定版的第四次更新(發行版代號 buster
)。此次小版本更新主要添加了對安全問題的修正補丁,以及為一些嚴重問題所作的調整。安全通告已單獨發佈,並會在適當的情況下予以引用。
請注意,此更新並不是 Debian 10 的新版本,它僅更新了所包含的一些套件。沒有必要丟棄舊的buster
的安裝介質。在安裝之後,只需使用最新的 Debian 映射站台更新舊的套件即可。
經常從 security.debian.org 安裝更新的使用者將不必更新許多套件,因本更新中包含了 security.debian.org 的大多數更新。
新的安裝映射站台即將於常規的位置予以提供。
只需令套件管理系統指向 Debian 的許多 HTTP 映射站台之一,您便能夠把已有的系統升級至本次更新版本。詳盡的映射站台列表可以在以下網址處獲得:
雜項錯誤修正
此穩定版更新為以下套件添加了一些重要的修正:
| 套件 | 原因 |
|---|---|
| apt-cacher-ng | Enforce secured call to the server in maintenance job triggering [CVE-2020-5202]; allow .zst compression for tarballs; increase size of the decompression line buffer for configuration file reading |
| backuppc | Pass the username to start-stop-daemon when reloading, preventing reload failures |
| base-files | 為小版本更新提供文件 |
| brltty | Reduce severity of log message to avoid generating too many messages when used with new Orca versions |
| checkstyle | Fix XML External Entity injection issue [CVE-2019-9658 CVE-2019-10782] |
| choose-mirror | 更新其包含的映射站台列表 |
| clamav | 新上游發行版本 [CVE-2020-3123] |
| corosync | totemsrp: Reduce MTU to avoid generating oversized packets |
| corosync-qdevice | 修復服務啟動問題 |
| csync2 | Fail HELLO command when SSL is required |
| cups | Fix heap buffer overflow [CVE-2020-3898] and the `ippReadIO` function may under-read an extension field[CVE-2019-8842] |
| dav4tbsync | 新上游發行版本,修復與新版本 Thunderbird 的兼容性 |
| debian-edu-config | Add policy files for Firefox ESR and Thunderbird to fix the TLS/SSL setup |
| debian-installer | 為 4.19.0-9 kernel ABI 更新 |
| debian-installer-netboot-images | Rebuild against proposed-updates |
| debian-security-support | 新上游穩定釋出版本;更新幾個套件的狀態;改用 runuser而不是 su |
| distro-info-data | 添加 Ubuntu 20.10 以及 stretch 的可能結束支持日期 |
| dojo | Fix improper regular expression usage [CVE-2019-10785] |
| dpdk | 新上游穩定釋出版本 |
| dtv-scan-tables | New upstream snapshot; add all current German DVB-T2 muxes and the Eutelsat-5-West-A satellite |
| eas4tbsync | 新上游發行版本,修復與新版本 Thunderbird 的兼容性 |
| edk2 | 安全修復 [CVE-2019-14558 CVE-2019-14559 CVE-2019-14563 CVE-2019-14575 CVE-2019-14586 CVE-2019-14587] |
| el-api | 修復從 stretch 升級到 buster 時包含 Tomcat 8 的問題 |
| fex | Fix a potential security issue in fexsrv |
| filezilla | Fix untrusted search path vulnerability [CVE-2019-5429] |
| frr | Fix extended next hop capability |
| fuse | Remove outdated udevadm commands from post-install scripts; don't explicitly remove fuse.conf on purge |
| fuse3 | Remove outdated udevadm commands from post-install scripts; don't explicitly remove fuse.conf on purge; fix memory leak in fuse_session_new() |
| golang-github-prometheus-common | Extend validity of test certificates |
| gosa | Replace (un)serialize with json_encode/json_decode to mitigate PHP object injection [CVE-2019-14466] |
| hbci4java | Support EU directive on payment services (PSD2) |
| hibiscus | Support EU directive on payment services (PSD2) |
| iputils | Correct an issue in which ping would improperly exit with a failure code when there were untried addresses still available in the getaddrinfo() library call return value |
| ircd-hybrid | Use dhparam.pem to avoid crash on startup |
| jekyll | 允許使用 ruby-i18n 0.x 和 1.x |
| jsp-api | 修復從 stretch 升級到 buster 時包含 Tomcat 8 的問題 |
| lemonldap-ng | Prevent unwanted access to administration endpoints [CVE-2019-19791]; fix the GrantSession plugin which could not prohibit logon when two factor authentication was used; fix arbitrary redirects with OIDC if redirect_uri was not used |
| libdatetime-timezone-perl | Update included data |
| libreoffice | Fix OpenGL slide transitions |
| libssh | Fix possible denial of service issue when handling AES-CTR keys with OpenSSL [CVE-2020-1730] |
| libvncserver | 修復堆溢出 [CVE-2019-15690] |
| linux | 新上游穩定釋出版本 |
| linux-latest | 更新 kernel ABI 到 4.19.0-9 |
| linux-signed-amd64 | 新上游穩定釋出版本 |
| linux-signed-arm64 | 新上游穩定釋出版本 |
| linux-signed-i386 | 新上游穩定釋出版本 |
| lwip | 修復緩衝區溢出 [CVE-2020-8597] |
| lxc-templates | 新上游穩定釋出版本; handle languages that are only UTF-8 encoded |
| manila | Fix missing access permissions check [CVE-2020-9543] |
| megatools | 添加對 mega.nz 鏈接的新格式的支持 |
| mew | Fix server SSL certificate validity checking |
| mew-beta | Fix server SSL certificate validity checking |
| mkvtoolnix | Rebuild to tighten libmatroska6v5 dependency |
| ncbi-blast+ | 禁用對 SSE4.2 的支持 |
| node-anymatch | 移除不必要的依賴 |
| node-dot | Prevent code execution after prototype pollution [CVE-2020-8141] |
| node-dot-prop | Fix prototype pollution [CVE-2020-8116] |
| node-knockout | Fix escaping with older Internet Explorer versions [CVE-2019-14862] |
| node-mongodb | Reject invalid _bsontypes [CVE-2019-2391 CVE-2020-7610] |
| node-yargs-parser | Fix prototype pollution [CVE-2020-7608] |
| npm | Fix arbitrary path access [CVE-2019-16775 CVE-2019-16776 CVE-2019-16777] |
| nvidia-graphics-drivers | 新上游穩定釋出版本 |
| nvidia-graphics-drivers-legacy-390xx | 新上游穩定釋出版本 |
| nvidia-settings-legacy-340xx | 新上游發行版本 |
| oar | Revert to stretch behavior for Storable::dclone perl function, fixing recursion depth issues |
| opam | Prefer mccs over aspcud |
| openvswitch | Fix vswitchd abort when a port is added and the controller is down |
| orocos-kdl | Fix string conversion with Python 3 |
| owfs | Remove broken Python 3 packages |
| pango1.0 | Fix crash in pango_fc_font_key_get_variations() when key is null |
| pgcli | Add missing dependency on python3-pkg-resources |
| php-horde-data | Fix authenticated remote code execution vulnerability [CVE-2020-8518] |
| php-horde-form | Fix authenticated remote code execution vulnerability [CVE-2020-8866] |
| php-horde-trean | Fix authenticated remote code execution vulnerability [CVE-2020-8865] |
| postfix | 新上游穩定釋出版本; fix panic with Postfix multi-Milter configuration during MAIL FROM; fix d/init.d running change so it works with multi-instance again |
| proftpd-dfsg | Fix memory access issue in keyboard-interative code in mod_sftp; properly handle DEBUG, IGNORE, DISCONNECT, and UNIMPLEMENTED messages in keyboard-interactive mode |
| puma | Fix Denial of Service issue [CVE-2019-16770] |
| purple-discord | Fix crashes in ssl_nss_read |
| python-oslo.utils | Fix leak of sensitive information via mistral logs [CVE-2019-3866] |
| rails | Fix possible cross-site scripting via Javascript escape helper [CVE-2020-5267] |
| rake | Fix command injection vulnerability [CVE-2020-8130] |
| raspi3-firmware | Fix dtb names mismatch in z50-raspi-firmware; fix boot on Raspberry Pi families 1 and 0 |
| resource-agents | Fix ethmonitor does not list interfaces without assigned IP address; remove no longer required xen-toolstack patch; fix non-standard usage in ZFS agent |
| rootskel | Disable multiple console support if preseeding is in use |
| ruby-i18n | Fix gemspec generation |
| rubygems-integration | Avoid deprecation warnings when users install a newer version of Rubygems via gem update --system |
| schleuder | Improve patch to handle encoding errors introduced in the previous version; switch default encoding to UTF-8; let x-add-key handle mails with attached, quoted-printable encoded keys; fix x-attach-listkey with mails created by Thunderbird that include protected headers |
| scilab | Fix library loading with OpenJDK 11.0.7 |
| serverspec-runner | 支持 Ruby 2.5 |
| softflowd | Fix broken flow aggregation which might result in flow table overflow and 100% CPU usage |
| speech-dispatcher | Fix default pulseaudio latency which triggers scratchyoutput |
| spl-linux | 修復死鎖 |
| sssd | Fix sssd_be busy-looping when LDAP connection is intermittent |
| systemd | when authorizing via PolicyKit re-resolve callback/userdata instead of caching it [CVE-2020-1712]; install 60-block.rules in udev-udeb and initramfs-tools |
| taglib | Fix corruption issues with OGG files |
| tbsync | 新上游發行版本,修復與新版本 Thunderbird 的兼容性 |
| timeshift | Fix predictable temporary directory use [CVE-2020-10174] |
| tinyproxy | Only set PIDDIR, if PIDFILE is a non-zero length string |
| tzdata | 新上游穩定釋出版本 |
| uim | unregister modules that are not installed, fixing a regression in the previous upload |
| user-mode-linux | Fix build failure with current stable kernels |
| vite | Fix crash when there are more than 32 elements |
| waagent | 新上游發行版本;支持與 cloud-init 共同安裝 |
| websocket-api | 修復從 stretch 升級到 buster 時包含 Tomcat 8 的問題 |
| wpa | Do not try to detect PSK mismatch during PTK rekeying; check for FT support when selecting FT suites; fix MAC randomisation issue with some cards |
| xdg-utils | xdg-open: fix pcmanfm check and handling of directories with spaces in their names; xdg-screensaver: Sanitise window name before sending it over D-Bus; xdg-mime: Create config directory if it does not exist yet |
| xtrlock | Fix blocking of (some) multitouch devices while locked [CVE-2016-10894] |
| zfs-linux | 修復潛在的死鎖問題 |
安全更新
此修訂版本將以下安全更新添加到了穩定發行版本中。安全團隊已經分別為這些更新發布了通告:
刪除的套件
由於我們無法控制的情況,以下套件已被刪除:
| 套件 | 原因 |
|---|---|
| getlive | 由於 Hotmail 的更改而破損 |
| gplaycli | 由於 Google API 更改而破損 |
| kerneloops | 上游服務不再可用 |
| lambda-align2 | [arm64 armel armhf i386 mips64el ppc64el s390x] 在非 amd64 架構上破損 |
| libmicrodns | 安全問題 |
| libperlspeak-perl | 安全問題;不再獲得維護 |
| quotecolors | 與更新版本的 Thunderbird 不兼容 |
| torbirdy | 與更新版本的 Thunderbird 不兼容 |
| ugene | Non-free; fails to build |
| yahoo2mbox | 在過去幾年處於破損狀態 |
Debian 安裝器
安裝器已經更新,以配合發佈時包含在穩定版本中的修正內容。
鏈接
此修訂版本中有更改的套件的完整列表:
當前穩定發行版:
擬議的穩定發行版更新:
穩定發行版信息(發行說明,勘誤等):
安全公告及信息:
關於 Debian
Debian 項目是一個自由軟體開發者組織,這些志願者為製作完全自由免費的 Debian 作業系統而自願貢獻時間和精力。
聯繫信息
更多信息,請訪問 Debian 主頁 https://www.debian.org/、發送郵件至 <press@debian.org> ,或聯繫穩定版本發佈團隊 <debian-release@lists.debian.org>。