Uppdaterad Debian 10; 10.13 utgiven

10 september 2022

Debianprojektet presenterar stolt sin trettonde (och sista) uppdatering till dess gamla stabila utgåva Debian 10 (med kodnamnet buster). Denna punktutgåva lägger huvudsakligen till rättningar för säkerhetsproblem, tillsammans med ytterligare rättningar för allvarliga problem. Säkerhetsbulletiner har redan publicerats separat och refereras när de finns tillgängliga.

Efter denna punktutgåva kommer inte Debians säkerhetsgrupp och utgåvegrupp att producera uppdateringar till Debian 10. Användare som vill fortsätta få säkerhetsstöd bör uppdatera till Debian 11, eller se https://wiki.debian.org/LTS för detaljer om undergruppen av arkitekturer och paket som stöds av projektet för långtidsstöd (Long Term Support).

Vänligen notera att punktutgåvan inte innebär en ny version av Debian 10 utan endast uppdaterar några av de inkluderade paketen. Det behövs inte kastas bort gamla media av buster. Efter installationen kan paket uppgraderas till de aktuella versionerna genom att använda en uppdaterad Debianspegling..

De som frekvent installerar uppdateringar från security.debian.org kommer inte att behöva uppdatera många paket, och de flesta av sådana uppdateringar finns inkluderade i punktutgåvan.

Nya installationsavbildningar kommer snart att finnas tillgängliga på de vanliga platserna.

En uppgradering av en existerande installation till denna revision kan utföras genom att peka pakethanteringssystemet på en av Debians många HTTP-speglingar. En utförlig lista på speglingar finns på:

https://www.debian.org/mirror/list

Blandade felrättningar

Denna uppdatering av den gamla stabila utgåvan lägger till några viktiga felrättningar till följande paket:

Paket	Orsak
adminer	Fix open redirect issue, cross-site scripting issues [CVE-2020-35572 CVE-2021-29625]; elasticsearch: Do not print response if HTTP code is not 200 [CVE-2021-21311]; provide a compiled version and configuration files
apache2	Fix denial of service issue [CVE-2022-22719], HTTP request smuggling issue [CVE-2022-22720], integer overflow issue [CVE-2022-22721], out-of-bounds write issue [CVE-2022-23943], HTTP request smuggling issue [CVE-2022-26377], out-of-bounds read issues [CVE-2022-28614 CVE-2022-28615], denial of service issue [CVE-2022-29404], out-of-bounds read issue [CVE-2022-30556], possible IP-based authentication bypass issue [CVE-2022-31813]
base-files	Update for the 10.13 point release
clamav	New upstream stable release; security fixes [CVE-2022-20770 CVE-2022-20771 CVE-2022-20785 CVE-2022-20792 CVE-2022-20796]
commons-daemon	Fix JVM detection
composer	Fix code injection vulnerability [CVE-2022-24828]; update GitHub token pattern; use Authorization header instead of deprecated access_token query parameter
debian-installer	Rebuild against buster-proposed-updates; increase Linux ABI to 4.19.0-21
debian-installer-netboot-images	Rebuild against buster-proposed-updates; increase Linux ABI to 4.19.0-21
debian-security-support	Update security status of various packages
debootstrap	Ensure non-merged-usr chroots can continue to be created for older releases and buildd chroots
distro-info-data	Add Ubuntu 22.04 LTS, Jammy Jellyfish and Ubuntu 22.10, Kinetic Kudu
dropbear	Fix possible username enumeration issue [CVE-2019-12953]
eboard	Fix segfault on engine selection
esorex	Fix testsuite failures on armhf and ppc64el caused by incorrect libffi usage
evemu	Fix build failure with recent kernel versions
feature-check	Fix some version comparisons
flac	Fix out-of-bounds write issue [CVE-2021-0561]
foxtrotgps	Fix build failure with newer imagemagick versions
freeradius	Fix side-channel leak where 1 in 2048 handshakes fail [CVE-2019-13456], denial of service issue due to multithreaded BN_CTX access [CVE-2019-17185], crash due to non-thread safe memory allocation
freetype	Fix buffer overflow issue [CVE-2022-27404]; fix crashes [CVE-2022-27405 CVE-2022-27406]
fribidi	Fix buffer overflow issues [CVE-2022-25308 CVE-2022-25309]; fix crash [CVE-2022-25310]
ftgl	Don't try to convert PNG to EPS for latex, as our imagemagick has EPS disabled for security reasons
gif2apng	Fix heap-based buffer overflows [CVE-2021-45909 CVE-2021-45910 CVE-2021-45911]
gnucash	Fix build failure with recent tzdata
gnutls28	Fix test suite when combined with OpenSSL 1.1.1e or newer
golang-github-docker-go-connections	Skip tests that use expired certificates
golang-github-pkg-term	Fix building on newer 4.19 kernels
golang-github-russellhaering-goxmldsig	Fix NULL pointer dereference issue [CVE-2020-7711]
grub-efi-amd64-signed	New upstream release
grub-efi-arm64-signed	New upstream release
grub-efi-ia32-signed	New upstream release
grub2	New upstream release
htmldoc	Fix infinite loop [CVE-2022-24191], integer overflow issues [CVE-2022-27114] and heap buffer overflow issue [CVE-2022-28085]
iptables-netflow	Fix DKMS build failure regression caused by Linux upstream changes in the 4.19.191 kernel
isync	Fix buffer overflow issues [CVE-2021-3657]
kannel	Fix build failure by disabling generation of Postscript documentation
krb5	Use SHA256 as Pkinit CMS Digest
libapache2-mod-auth-openidc	Improve validation of the post-logout URL parameter on logout [CVE-2019-14857]
libdatetime-timezone-perl	Update included data
libhttp-cookiejar-perl	Fix build failure by increasing the expiry date of a test cookie
libnet-freedb-perl	Change the default host from the defunct freedb.freedb.org to gnudb.gnudb.org
libnet-ssleay-perl	Fix test failures with OpenSSL 1.1.1n
librose-db-object-perl	Fix test failure after 6/6/2020
libvirt-php	Fix segmentation fault in libvirt_node_get_cpu_stats
llvm-toolchain-13	New source package to support building of newer firefox-esr and thunderbird versions
minidlna	Validate HTTP requests to protect against DNS rebinding attacks [CVE-2022-26505]
mokutil	New upstream version, to allow for SBAT management
mutt	Fix uudecode buffer overflow [CVE-2022-1328]
node-ejs	Sanitize options and new objects [CVE-2022-29078]
node-end-of-stream	Work around test bug
node-minimist	Fix prototype pollution issue [CVE-2021-44906]
node-node-forge	Fix signature verification issues [CVE-2022-24771 CVE-2022-24772 CVE-2022-24773]
node-require-from-string	Fix a test in conjunction with nodejs >= 10.16
nvidia-graphics-drivers	New upstream release
nvidia-graphics-drivers-legacy-390xx	New upstream release; fix out-of-bound write issues [CVE-2022-28181 CVE-2022-28185]; security fixes [CVE-2022-31607 CVE-2022-31608 CVE-2022-31615]
octavia	Fix client certificate checks [CVE-2019-17134]; correctly detect that the agent is running on Debian; fix template that generates vrrp check script; add additional runtime dependencies; ship additional configuration directly in the agent package
orca	Fix use with WebKitGTK 2.36
pacemaker	Update relationship versions to fix upgrades from stretch LTS
pglogical	Fix build failure
php-guzzlehttp-psr7	Fix improper header parsing [CVE-2022-24775]
postfix	New upstream stable release; do not override user set default_transport; if-up.d: do not error out if postfix can't send mail yet; fix duplicate bounce_notice_recipient entries in postconf output
postgresql-common	pg_virtualenv: Write temporary password file before chowning the file
postsrsd	Fix potential denial of service issue when Postfix sends certain long data fields such as multiple concatenated email addresses [CVE-2021-35525]
procmail	Fix NULL pointer dereference
publicsuffix	Update included data
python-keystoneauth1	Update tests to fix build failure
python-scrapy	Don't send authentication data with all requests [CVE-2021-41125]; don't expose cookies cross-domain when redirecting [CVE-2022-0577]
python-udatetime	Properly link against libm library
qtbase-opensource-src	Fix setTabOrder for compound widgets; add an expansion limit for XML entities [CVE-2015-9541]
ruby-activeldap	Add missing dependency on ruby-builder
ruby-hiredis	Skip some unreliable tests in order to fix build failure
ruby-http-parser.rb	Fix build failure when using http-parser containing the fix for CVE-2019-15605
ruby-riddle	Allow use of LOAD DATA LOCAL INFILE
sctk	Use pdftoppm instead of convert to convert PDF to JPEG as the latter fails with the changed security policy of ImageMagick
twisted	Fix incorrect URI and HTTP method validation issue [CVE-2019-12387], incorrect certificate validation in XMPP support [CVE-2019-12855], HTTP/2 denial of service issues, HTTP request smuggling issues [CVE-2020-10108 CVE-2020-10109 CVE-2022-24801], information disclosure issue when following cross-domain redirects [CVE-2022-21712], denial of service issue during SSH handshake [CVE-2022-21716]
tzdata	Update timezone data for Iran, Chile and Palestine; update leap andra list
ublock-origin	New upstream stable release
unrar-nonfree	Fix directory traversal issue [CVE-2022-30333]
wireshark	Fix remote code execution issue [CVE-2021-22191], denial of service issues [CVE-2021-4181 CVE-2021-4184 CVE-2021-4185 CVE-2022-0581 CVE-2022-0582 CVE-2022-0583 CVE-2022-0585 CVE-2022-0586]

Säkerhetsuppdateringar

Denna revision lägger till följande säkerhetsuppdateringar till den gamla stabila utgåvan. Säkerhetsgruppen har redan släppt bulletiner för alla dessa uppdateringar:

Bulletin-ID	Paket
DSA-4836	openvswitch
DSA-4852	openvswitch
DSA-4906	chromium
DSA-4911	chromium
DSA-4917	chromium
DSA-4981	firefox-esr
DSA-5034	thunderbird
DSA-5044	firefox-esr
DSA-5045	thunderbird
DSA-5069	firefox-esr
DSA-5074	thunderbird
DSA-5077	librecad
DSA-5080	snapd
DSA-5086	thunderbird
DSA-5090	firefox-esr
DSA-5094	thunderbird
DSA-5097	firefox-esr
DSA-5106	thunderbird
DSA-5108	tiff
DSA-5109	faad2
DSA-5111	zlib
DSA-5113	firefox-esr
DSA-5115	webkit2gtk
DSA-5118	thunderbird
DSA-5119	subversion
DSA-5122	gzip
DSA-5123	xz-utils
DSA-5126	ffmpeg
DSA-5129	firefox-esr
DSA-5131	openjdk-11
DSA-5132	ecdsautils
DSA-5135	postgresql-11
DSA-5137	needrestart
DSA-5138	waitress
DSA-5139	openssl
DSA-5140	openldap
DSA-5141	thunderbird
DSA-5142	libxml2
DSA-5143	firefox-esr
DSA-5144	condor
DSA-5145	lrzip
DSA-5147	dpkg
DSA-5149	cups
DSA-5150	rsyslog
DSA-5151	smarty3
DSA-5152	spip
DSA-5153	trafficserver
DSA-5154	webkit2gtk
DSA-5156	firefox-esr
DSA-5157	cifs-utils
DSA-5158	thunderbird
DSA-5159	python-bottle
DSA-5160	ntfs-3g
DSA-5164	exo
DSA-5165	vlc
DSA-5167	firejail
DSA-5169	openssl
DSA-5171	squid
DSA-5172	firefox-esr
DSA-5173	linux-latest
DSA-5173	linux-signed-amd64
DSA-5173	linux-signed-arm64
DSA-5173	linux-signed-i386
DSA-5173	linux
DSA-5174	gnupg2
DSA-5175	thunderbird
DSA-5176	blender
DSA-5178	intel-microcode
DSA-5181	request-tracker4
DSA-5182	webkit2gtk
DSA-5185	mat2
DSA-5186	djangorestframework
DSA-5188	openjdk-11
DSA-5189	gsasl
DSA-5190	spip
DSA-5193	firefox-esr
DSA-5194	booth
DSA-5195	thunderbird
DSA-5196	libpgjava

Borttagna paket

Följande paket har tagits bort på grund av omständigheter utom vår kontroll:

Paket	Orsak
elog	Icke underhållen; säkerhetsproblem
libnet-amazon-perl	Beroende på bottaget API

Debianinstalleraren

Installeraren har uppdaterats för att inkludera rättningarna som har inkluderats i den gamla stabila utgåvan med denna punktutgåva.

URLer

Den fullständiga listan på paket som har förändrats i denna revision:

https://deb.debian.org/debian/dists/buster/ChangeLog

Den aktuella gamla stabila utgåvan:

https://deb.debian.org/debian/dists/oldstable/

Föreslagna uppdateringar till den gamla stabila utgåvan:

https://deb.debian.org/debian/dists/oldstable-proposed-updates

Information om den gamla stabila utgåvan (versionsfakta, kända problem osv.):

https://www.debian.org/releases/oldstable/

Säkerhetsbulletiner och information:

https://www.debian.org/security/

Om Debian

Debianprojektet är en grupp utvecklare av Fri mjukvara som donerar sin tid och kraft för att producera det helt fria operativsystemet Debian.

Kontaktinformation

För ytterligare information, vänligen besök Debians webbplats på https://www.debian.org/, skicka e-post till <press@debian.org>, eller kontakta gruppen för stabila utgåvor på <debian-release@lists.debian.org>.