March 27th, 2021
The Debian project is pleased to announce the ninth update of its stable distribution Debian 10 (codename buster). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 10 but only updates some of the packages included. There is no need to throw away old buster media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won’t have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian’s many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
avahi | Remove avahi-daemon-check-dns mechanism, which is no longer needed |
base-files | Update /etc/debian_version for the 10.9 point release |
cloud-init | Avoid logging generated passwords to world-readable log files [CVE-2021-3429] |
debian-archive-keyring | Add bullseye keys; retire jessie keys |
debian-installer | Use 4.19.0-16 Linux kernel ABI |
debian-installer-netboot-images | Rebuild against proposed-updates |
exim4 | Fix use of concurrent TLS connections under GnuTLS; fix TLS certificate verification with CNAMEs; README.Debian: document the limitation/extent of server certificate verification in the default configuration |
fetchmail | No longer report "System error during SSL_connect(): Success"; remove OpenSSL version check |
fwupd | Add SBAT support |
fwupd-amd64-signed | Add SBAT support |
fwupd-arm64-signed | Add SBAT support |
fwupd-armhf-signed | Add SBAT support |
fwupd-i386-signed | Add SBAT support |
fwupdate | Add SBAT support |
fwupdate-amd64-signed | Add SBAT support |
fwupdate-arm64-signed | Add SBAT support |
fwupdate-armhf-signed | Add SBAT support |
fwupdate-i386-signed | Add SBAT support |
gdnsd | Fix stack overflow with overly-large IPv6 addresses [CVE-2019-13952] |
groff | Rebuild against ghostscript 9.27 |
hwloc-contrib | Enable support for the ppc64el architecture |
intel-microcode | Update various microcode |
iputils | Fix ping rounding errors; fix tracepath target corruption |
jquery | Fix untrusted code execution vulnerabilities [CVE-2020-11022 CVE-2020-11023] |
libbsd | Fix out-of-bounds read issue [CVE-2019-20367] |
libpano13 | Fix format string vulnerability |
libreoffice | Do not load encodings.py from current directory |
linux | New upstream stable release; update ABI to -16; rotate secure boot signing keys; rt: update to 4.19.173-rt72 |
linux-latest | Update to -15 kernel ABI; update for -16 kernel ABI |
linux-signed-amd64 | New upstream stable release; update ABI to -16; rotate secure boot signing keys; rt: update to 4.19.173-rt72 |
linux-signed-arm64 | New upstream stable release; update ABI to -16; rotate secure boot signing keys; rt: update to 4.19.173-rt72 |
linux-signed-i386 | New upstream stable release; update ABI to -16; rotate secure boot signing keys; rt: update to 4.19.173-rt72 |
lirc | Normalize embedded ${DEB_HOST_MULTIARCH} value in /etc/lirc/lirc_options.conf to find unmodified configuration files on all architectures; recommend gir1.2-vte-2.91 instead of non-existent gir1.2-vte |
m2crypto | Fix test failure with recent OpenSSL versions |
openafs | Fix outgoing connections after unix epoch time 0x60000000 (14 January 2021) |
portaudio19 | Handle EPIPE from alsa_snd_pcm_poll_descriptors, fixing crash |
postgresql-11 | New upstream stable release; fix information leakage in constraint-violation error messages [CVE-2021-3393]; fix CREATE INDEX CONCURRENTLY to wait for concurrent prepared transactions |
privoxy | Security issues [CVE-2020-35502 CVE-2021-20209 CVE-2021-20210 CVE-2021-20211 CVE-2021-20212 CVE-2021-20213 CVE-2021-20214 CVE-2021-20215 CVE-2021-20216 CVE-2021-20217 CVE-2021-20272 CVE-2021-20273 CVE-2021-20275 CVE-2021-20276] |
python3.7 | Fix CRLF injection in http.client [CVE-2020-26116]; fix buffer overflow in PyCArg_repr in _ctypes/callproc.c [CVE-2021-3177] |
redis | Fix a series of integer overflow issues on 32-bit systems [CVE-2021-21309] |
ruby-mechanize | Fix command injection issue [CVE-2021-21289] |
systemd | core: make sure to restore the control command id, too, fixing a segfault; seccomp: allow turning off of seccomp filtering via an environment variable |
uim | libuim-data: Perform symlink_to_dir conversion of /usr/share/doc/libuim-data in the resurrected package for clean upgrades from stretch |
xcftools | Fix integer overflow vulnerability [CVE-2019-5086 CVE-2019-5087] |
xterm | Correct upper-limit for selection buffer, accounting for combining characters [CVE-2021-27135] |
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Debian Installer
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
The complete lists of packages that have changed with this revision:
http://ftp.debian.org/debian/dists/buster/ChangeLog
The current stable distribution:
Proposed updates to the stable distribution:
stable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to press@debian.org, or contact the stable release team at debian-release@lists.debian.org.