Debian buster Openstack images changelog 10.13.15-20230609 Updates in 2 source package(s), 6 binary package(s): Source cpio, binaries: cpio:amd64 cpio:arm64 cpio (2.12+dfsg-9+deb10u1) buster-security; urgency=medium * Non-maintainer upload by the LTS Security Team. * CVE-2019-14866: Improper validation of input files when generating tar archives. * CVE-2021-38185: Arbitrary code via crafted pattern file. Source openssl, binaries: libssl1.1:amd64 openssl:amd64 libssl1.1:arm64 openssl:arm64 openssl (1.1.1n-0+deb10u5) buster-security; urgency=medium [ Sylvain Beucler ] * Non-maintainer upload by the LTS Security Team. [ Sebastian Andrzej Siewior ] * CVE-2023-0464 (Excessive Resource Usage Verifying X.509 Policy Constraints) (Closes: #1034720). * CVE-2023-0465 (Invalid certificate policies in leaf certificates are silently ignored). * CVE-2023-0466 (Certificate policy check not enabled). * Alternative fix for CVE-2022-4304 (Timing Oracle in RSA Decryption). * CVE-2023-2650 (Possible DoS translating ASN.1 object identifiers). -- Steve McIntyre <93sam@debian.org> Fri, 09 Jun 2023 12:45:25 +0000 10.13.14-20230528 Updates in 3 source package(s), 12 binary package(s): Source linux-latest, binaries: linux-image-cloud-amd64:amd64 linux-image-arm64:arm64 linux-latest (105+deb10u19) buster-security; urgency=medium * Update to 4.19.0-24 linux-latest (105+deb10u18) buster-security; urgency=medium * Update to 4.19.0-23 linux-latest (105+deb10u17) buster-security; urgency=medium * Update to 4.19.0-22 linux-latest (105+deb10u16) buster-security; urgency=medium * Update to 4.19.0-21 linux-latest (105+deb10u15) buster; urgency=medium * Update to 4.19.0-20 linux-latest (105+deb10u14) buster-security; urgency=high * Update to 4.19.0-19 * linux-image: Add NEWS for unprivileged eBPF change linux-latest (105+deb10u13) buster; urgency=medium * Update to 4.19.0-18 linux-latest (105+deb10u12) buster; urgency=medium * Update to 4.19.0-17 linux-latest (105+deb10u11) buster; urgency=medium * Update to 4.19.0-16 linux-latest (105+deb10u10) buster; urgency=medium * Update to 4.19.0-15 linux-latest (105+deb10u9) buster-security; urgency=high * Update to 4.19.0-14 linux-latest (105+deb10u8) buster; urgency=medium * Update to 4.19.0-13 linux-latest (105+deb10u7) buster-security; urgency=high * Update to 4.19.0-12 linux-latest (105+deb10u6) buster; urgency=medium * Update to 4.19.0-11 linux-latest (105+deb10u5) buster; urgency=medium * Update to 4.19.0-10 linux-latest (105+deb10u4) buster; urgency=medium * Update to 4.19.0-9 linux-latest (105+deb10u3) buster; urgency=medium * Update to 4.19.0-8 linux-latest (105+deb10u2) buster; urgency=medium * Update to 4.19.0-7 linux-latest (105+deb10u1) buster; urgency=medium * Update to 4.19.0-6 linux-latest (105) unstable; urgency=medium * Update to 4.19.0-5 linux-latest (104) unstable; urgency=medium * Update to 4.19.0-4 linux-latest (103) unstable; urgency=medium * Update to 4.19.0-3 linux-latest (102) unstable; urgency=medium * Update to 4.19.0-2 linux-latest (101) unstable; urgency=medium * Update to 4.19.0-1 linux-latest (100) unstable; urgency=medium [ Romain Perier ] * Update to 4.18.0-3 linux-latest (99) unstable; urgency=medium * Update to 4.18.0-2 linux-latest (98) unstable; urgency=medium * Update to 4.18.0-1 linux-latest (97) unstable; urgency=medium * Update to 4.17.0-3 linux-latest (96) unstable; urgency=medium [ Romain Perier ] * Update to 4.17.0-2 linux-latest (95) unstable; urgency=medium [ Romain Perier ] * Update to 4.17.0-1 linux-latest (94) unstable; urgency=medium [ Ben Hutchings ] * Substitute source package name in lintian-overrides * Change binary package names to include any source package name suffix * Don't build redundant linux-doc, linux-source, linux-tools packages [ Salvatore Bonaccorso ] * Update to 4.16.0-2 linux-latest (93) unstable; urgency=medium * Update to 4.16.0-1 linux-latest (92) unstable; urgency=medium * Update to 4.15.0-3 linux-latest (91) unstable; urgency=medium [ Ben Hutchings ] * debian/control: Point Vcs URLs to Salsa [ Salvatore Bonaccorso ] * Update to 4.15.0-2 linux-latest (90) unstable; urgency=medium * Update to 4.15.0-1 linux-latest (89) unstable; urgency=medium * Update to 4.14.0-3 linux-latest (88) unstable; urgency=medium * Update to 4.14.0-2 linux-latest (87) unstable; urgency=medium * linux-image: Add back-dated NEWS for vsyscall change in Linux 4.10 * linux-doc: Add symlinks to current documentation * Update to 4.14.0-1 * linux-image: Add back-dated NEWS about AppArmor introduction linux-latest (86) unstable; urgency=medium * Add myself to Uploaders * Update to 4.13.0-1 linux-latest (85) unstable; urgency=medium * debian/control: Remove Frederik Schüler from Uploaders field * Update to 4.12.0-2 linux-latest (84) unstable; urgency=medium * Update to 4.12.0-1 (Closes: #872055) linux-latest (83) unstable; urgency=medium * Update to 4.11.0-2 linux-latest (82) unstable; urgency=medium * Revert changes to debug symbol meta-packages (Closes: #866691) linux-latest (81) unstable; urgency=medium * Update to 4.11.0-1 * Stop generating various transitional packages needed in stretch linux-latest (80) unstable; urgency=medium * Re-introduce xen-linux-system-amd64 *again* as transitional package (Closes: #857039) * Update to 4.9.0-3 linux-latest (79) unstable; urgency=medium * Update to 4.9.0-2 linux-latest (78) unstable; urgency=medium * debian/rules: Use dpkg-parsechangelog -S option to select fields * linux-image: Delete NEWS for version 76 about vsyscall changes, now reverted * Update to 4.9.0-1 linux-latest (77) unstable; urgency=medium * Update to 4.8.0-2 * Use debhelper compatibility level 9 * Re-introduce xen-linux-system packages, accidentally dropped in version 75 linux-latest (76) unstable; urgency=medium * Update to 4.8.0-1 * linux-image-{686-pae,amd64}: Delete old NEWS * linux-image: Add back-dated NEWS for conntrack helpers change in Linux 4.7 (Closes: #839632) * linux-image: Add NEWS for security hardening config changes for Linux 4.8 linux-latest (75) unstable; urgency=medium * Update to 4.7.0-1 * Rename and move debug symbol meta-packages to the debug archive * debian/control: Set priority of transitional packages to extra * debian/control: Update Standards-Version to 3.9.8; no changes needed linux-latest (74) unstable; urgency=medium * Update to 4.6.0-1 linux-latest (73) unstable; urgency=medium * Update to 4.5.0-2 linux-latest (72) unstable; urgency=medium * Update to 4.5.0-1 linux-latest (71) unstable; urgency=medium * Update to 4.4.0-1 - Change linux-{image,headers}-{kirkwood,orion5x} to transitional packages linux-latest (70) unstable; urgency=medium * Change linux-{image,headers}-586 to transitional packages linux-latest (69) unstable; urgency=medium * Update to 4.3.0-1 linux-latest (68) unstable; urgency=medium * Update to 4.2.0-1 * debian/bin/gencontrol.py: Use Python 3 linux-latest (67) unstable; urgency=medium * Adjust for migration to git: - Add .gitignore file - debian/control: Update Vcs-* fields * .gitignore: Ignore linux-perf build directory * Update to 4.1.0-2 * Change source format to 3.0 (native) so that .git directory is excluded by default linux-latest (66) unstable; urgency=medium * Update to 4.1.0-1 * Rename linux-tools to linux-perf, providing linux-tools as a transitional package linux-latest (65) unstable; urgency=medium * Update to 4.0.0-2 linux-latest (64) unstable; urgency=medium * Update to 4.0.0-1 * Stop generating linux-{headers,image}-486 transitional packages * debian/control: Build-Depend on linux-headers-*-all, so that after an ABI bump linux is auto-built before linux-latest on each architecture. (Closes: #746618) linux-latest (63) unstable; urgency=medium * Update to 3.16.0-4 - Change linux-{image,headers}-486 to transitional packages linux-latest (62) unstable; urgency=medium * Update to 3.16-3 (Closes: #766078) linux-latest (61) unstable; urgency=medium * Update to 3.16-2 linux-latest (60) unstable; urgency=medium * linux-image-{686-pae,amd64}: Add backdated NEWS for introduction of xz compression affecting Xen (Closes: #727736) * Update to 3.16-1 linux-latest (59) unstable; urgency=medium * Update to 3.14-2 linux-latest (58) unstable; urgency=medium * Rebuild to include arm64 and ppc64el architectures linux-latest (57) unstable; urgency=medium * Suppress lintian warnings about linux-image-dbg metapackages not looking like debug info packages * debian/control: Update Standards-Version to 3.9.5; no changes needed * Update to 3.14-1 linux-latest (56) unstable; urgency=medium * Update to 3.13-1 linux-latest (55) unstable; urgency=low * Update to 3.12-1 linux-latest (54) unstable; urgency=low * Update to 3.11-2 linux-latest (53) unstable; urgency=low * Add linux-image--dbg metapackages, providing the virtual package linux-latest-image-dbg * Update standards-version to 3.9.4; no changes required * Change section and priority fields to match archive overrides * Update to 3.11-1 * Stop providing virtual package linux-headers linux-latest (52) unstable; urgency=low * Update to 3.10-3 linux-latest (51) unstable; urgency=low * Update to 3.10-2 linux-latest (50) unstable; urgency=low * Update to 3.10-1 linux-latest (49) unstable; urgency=low * Update to 3.9-1 linux-latest (48) unstable; urgency=low * Update to 3.8-2 (Closes: #708842) linux-latest (47) unstable; urgency=low * Update to 3.8-1 * Remove transitional packages provided in wheezy linux-latest (46) unstable; urgency=low * Set Priority: extra, as currently overridden in the archive (Closes: #689846) * Add Czech debconf template translation (Michal Šimůnek) (Closes: #685501) * Update to 3.2.0-4 (Closes: #688222, #689864) linux-latest (45) unstable; urgency=low * Update to 3.2.0-3 linux-latest (44) unstable; urgency=high [ Ben Hutchings ] * Update debconf template translations: - Add Polish (Michał Kułach) (Closes: #659571) - Add Turkish (Mert Dirik) (Closes: #660119) * Update standards-version to 3.9.3: - Do not move packages to the 'metapackages' section, as that will cause APT not to auto-remove their dependencies * Move transitional packages to the section 'oldlibs', so that APT will treat the replacement packages as manually installed * Update to 3.2.0-2 * Stop generating linux-{headers,image}-2.6- transitional packages for flavours added since Linux 3.0 linux-latest (43) unstable; urgency=low * Add Vcs-{Svn,Browser} fields * Add debconf template translations: - Danish (Joe Hansen) (Closes: #656642) - Spanish (Slime Siabef) (Closes: #654681) - Italian (Stefano Canepa) (Closes: #657386) * [s390] Update the check for flavours without modules, removing the useless linux-headers{,-2.6}-s390x-tape packages linux-latest (42) unstable; urgency=low * Rename source package to linux-latest * Add debconf template translations: - Portugese (Miguel Figueiredo) (Closes: #651123) - Serbian latin (Zlatan Todoric) (Closes: #635895) - Russian (Yuri Kozlov) (Closes: #652431) - Japanese (Nobuhiro Iwamatsu) (Closes: #655687) * Update to 3.2.0-1 linux-latest-2.6 (41) unstable; urgency=low * Remove dependency on module makefiles in linux-support package * Update to 3.1.0-1 linux-latest-2.6 (40) unstable; urgency=low * Add debconf template translations: - Serbian cyrillic (Zlatan Todoric) (Closes: #635893) - German (Holger Wansing) (Closes: #637764) - French (Debian French l10n team) (Closes: #636624) - Swedish (Martin Bagge) (Closes: #640058) - Dutch (Jeroen Schot) (Closes: #640115) - Catalan (Innocent De Marchi) (Closes: #642109) * Update to 3.0.0-2 linux-latest-2.6 (39) unstable; urgency=low * Update to 3.0.0-1 linux-latest-2.6 (38) experimental; urgency=low * Correct xen-linux-system transitional package names linux-latest-2.6 (37) experimental; urgency=low * Update to 3.0.0-rc5 * Restore xen-linux-system- packages * Remove common description text from linux-image-2.6- packages linux-latest-2.6 (36) experimental; urgency=low * Update to 3.0.0-rc1 - Add linux-doc, linux-headers-, linux-source and linux-tools packages - Change *-2.6-* to transitional packages linux-latest-2.6 (35.1) unstable; urgency=low [ Bastian Blank ] * Update to 2.6.39-2. linux-latest-2.6 (35) unstable; urgency=low * Update to 2.6.39-1 - Change linux-image{,-2.6}-686{,-bigmem} to transitional packages linux-latest-2.6 (34) unstable; urgency=low * [hppa] Update to 2.6.38-2a linux-latest-2.6 (33) unstable; urgency=low * Update to 2.6.38-2 linux-latest-2.6 (32) unstable; urgency=low * Update to 2.6.38-1 linux-latest-2.6 (31) unstable; urgency=low * Update to 2.6.37-2 linux-latest-2.6 (30) unstable; urgency=low * Update to 2.6.37-1 linux-latest-2.6 (29) unstable; urgency=low * Add xen-linux-system-2.6-* meta-packages (Closes: #402414) * Add bug presubj message for image meta packages directing users to the real image packages (Closes: #549591) * Fix repetition in description of linux-image-2.6-xen-amd64 (Closes: #598648) * [x86] Correct lists of suitable processors linux-latest-2.6 (28) unstable; urgency=low * Move NEWS from linux-2.6, since apt-listchanges only shows it for upgraded packages * Add linux-tools-2.6 meta package * Change versions for linux-doc-2.6 and linux-source-2.6 to match those of the other meta packages linux-latest-2.6 (27) unstable; urgency=low * Really build linux-doc-2.6 and linux-source-2.6 meta packages linux-latest-2.6 (26) unstable; urgency=low [ Joachim Breitner ] * Create linux-doc-2.6 and linux-source-2.6 meta packages (Closes: 347284) [ Ben Hutchings ] * Update to 2.6.32-5. * Update standards-version to 3.8.4; no changes required. * Explicitly describe all packages as meta-packages. linux-latest-2.6 (25) unstable; urgency=high * Update package description templates in line with linux-2.6. * Update to 2.6.32-3. * Set urgency to 'high' since this must transition with linux-2.6. linux-latest-2.6 (24) unstable; urgency=low * Update to 2.6.32-2. linux-latest-2.6 (23) unstable; urgency=low * Update to 2.6.32-trunk. linux-latest-2.6 (22) unstable; urgency=low * Update to 2.6.31-1. linux-latest-2.6 (21) unstable; urgency=low [ Bastian Blank ] * Update to 2.6.30-2. [ Ben Hutchings ] * Add myself to uploaders. linux-latest-2.6 (20) unstable; urgency=low * Move into kernel section. * Update to 2.6.30-1. linux-latest-2.6 (19) unstable; urgency=low * Update to 2.6.29-2. * Use debhelper compat level 7. * Update copyright file. linux-latest-2.6 (18) unstable; urgency=low * Update to 2.6.29-1. * Use dh_prep. * Remove lenny transition packages. linux-latest-2.6 (17) unstable; urgency=low * Use correct part of the config for image type. * Add description parts to all image packages. linux-latest-2.6 (16) unstable; urgency=low * Rebuild to pick up new images linux-latest-2.6 (15) unstable; urgency=low * Update to 2.6.26-1. * Make linux-image-* complete meta packages. linux-latest-2.6 (14) unstable; urgency=low * Update to 2.6.25-2. linux-latest-2.6 (13) unstable; urgency=low * Add transitional packages for k7. linux-latest-2.6 (12) unstable; urgency=low * Update to 2.6.24-1. linux-latest-2.6 (11) unstable; urgency=low * Update to 2.6.22-3. linux-latest-2.6 (10) unstable; urgency=low * Update to 2.6.22-2. linux-latest-2.6 (9) unstable; urgency=low * Update to 2.6.22-1. linux-latest-2.6 (8) unstable; urgency=low * Update to 2.6.21-2. * Add modules meta packages. * Provide linux-latest-modules-*. (closes: #428783) linux-latest-2.6 (7) unstable; urgency=low * Update to 2.6.21-1. * Remove etch transition packages. linux-latest-2.6 (6) unstable; urgency=low * Update to 2.6.18-4. * i386: Add amd64 transition packages. linux-latest-2.6 (5) unstable; urgency=low * Update to 2.6.18-3. Source python2.7, binaries: libpython2.7-minimal:amd64 libpython2.7-stdlib:amd64 python2.7:amd64 python2.7-minimal:amd64 libpython2.7-minimal:arm64 libpython2.7-stdlib:arm64 python2.7:arm64 python2.7-minimal:arm64 python2.7 (2.7.16-2+deb10u2) buster-security; urgency=high * Non-maintainer upload by the LTS Security Team. * Update self-signed.pythontest.net SSL certificate in testsuite (fixes test_httplib test suite) * CVE-2015-20107: the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). * CVE-2019-20907: in Lib/tarfile.py, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. (Closes: #970099) * CVE-2020-8492: Python allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. (Closes: #970099) * CVE-2020-26116: http.client allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request. * CVE-2021-3177: Python has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely. * CVE-2021-3733: There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. * CVE-2021-3737: An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. * CVE-2021-4189: the FTP (File Transfer Protocol) client library in PASV (passive) mode trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports. For the rare user who wants the previous behavior, set a `trust_server_pasv_ipv4_address` attribute on your `ftplib.FTP` instance to True. * CVE-2022-45061: An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Source tzdata, binaries: tzdata:amd64 tzdata:arm64 tzdata (2021a-0+deb10u11) buster-security; urgency=medium * Sync patchset with bullseye. * Revert the Lebanon DST change. * Update templates and add translations for Ciudad Juarez. * No leap second in June 2023. -- Steve McIntyre <93sam@debian.org> Sun, 28 May 2023 18:20:13 +0000 10.13.13-20230501 Updates in 3 source package(s), 16 binary package(s): Source distro-info-data, binaries: distro-info-data:amd64 distro-info-data:arm64 distro-info-data (0.41+deb10u7) buster-security; urgency=medium * Update data to 0.58, without new columns: - Add Debian 14 "forky" with a vague creation date. - Correct Ubuntu 23.04 release date to 2023-04-20. - Tighten validate-csv-data heuristics, restricting Ubuntu EoLs to Tue-Thursday. - Document Ubuntu ESM overlap period (LP: #2003949) - Add Ubuntu 23.10 Mantic Minotaur (LP: #2018028) - Set the planned release date for Debian bookworm (and an EoL based on it). - Adjust trixie's creation date to match bookworm's release. Source libxml2, binaries: libxml2:amd64 libxml2:arm64 libxml2 (2.9.4+dfsg1-7+deb10u6) buster-security; urgency=high * Non-maintainer upload by the LTS Team. * schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK * CVE-2023-28484 Fix null deref in xmlSchemaFixupComplexType * CVE-2023-29469 Hashing of empty dict strings isn't deterministic Source systemd, binaries: libpam-systemd:amd64 libsystemd0:amd64 libudev1:amd64 systemd:amd64 systemd-sysv:amd64 udev:amd64 libpam-systemd:arm64 libsystemd0:arm64 libudev1:arm64 systemd:arm64 systemd-sysv:arm64 udev:arm64 systemd (241-7~deb10u9) buster-security; urgency=medium * Non-maintainer upload by the LTS Security Team. * CVE-2023-26604: Local privilege escalation for some sudo configurations. -- Steve McIntyre <93sam@debian.org> Mon, 01 May 2023 14:09:08 +0000 10.13.12-20230325 Updates in 5 source package(s), 10 binary package(s): Source pcre2, binaries: libpcre2-8-0:amd64 libpcre2-8-0:arm64 pcre2 (10.32-5+deb10u1) buster-security; urgency=high * Non-maintainer upload by the LTS Security Team. * CVE-2019-20454: Out-of-bounds read when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. * CVE-2022-1586: Out-of-bounds read involving unicode property matching in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT. (Closes: #1011954). * CVE-2022-1587: Out-of-bounds read affecting recursions in JIT-compiled regular expressions caused by duplicate data transfers. (Closes: #1011954). * Subject buffer overread in JIT when UTF is disabled and \X or \R has a greater than 1 fixed quantifier. Source python-cryptography, binaries: python3-cryptography:amd64 python3-cryptography:arm64 python-cryptography (2.6.1-3+deb10u4) buster-security; urgency=high * Adjust which call to CFFI's from_buffer is marked require_writable=True to address an issue in 2.6.1-3+deb10u4's attempt to fix CVE-2023-23931. python-cryptography (2.6.1-3+deb10u3) buster-security; urgency=high * Non-maintainer upload by the Debian LTS team. * CVE-2023-23931: Prevent a potential memory corruption vulnerability caused by a programming confusion between mutable and immutable buffers. (Closes: #1031049) Source qemu, binaries: qemu-utils:amd64 qemu-utils:arm64 qemu (1:3.1+dfsg-8+deb10u10) buster-security; urgency=high * Non-maintainer upload by the LTS Security Team. * CVE-2020-14394: An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process on the host, resulting in a denial of service. (Closes: #979677) * CVE-2020-17380/CVE-2021-3409: A heap-based buffer overflow was found in QEMU in the SDHCI device emulation support. It could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the QEMU process on the host. (Closes: #970937, #986795) * CVE-2020-29130: slirp.c has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length. * CVE-2021-3592: An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the bootp_input() function and could occur while processing a udp packet that is smaller than the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 bytes of uninitialized heap memory from the host. (Closes: #989993) * CVE-2021-3593: An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp6_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. (Closes: #989994) * CVE-2021-3594: An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. (Closes: #989995) * CVE-2021-3595: An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the tftp_input() function and could occur while processing a udp packet that is smaller than the size of the 'tftp_t' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. (Closes: #989996) * CVE-2022-0216: A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service. (Closes: #1014590) * CVE-2022-1050: A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition. (Closes: #1014589) Source tzdata, binaries: tzdata:amd64 tzdata:arm64 tzdata (2021a-0+deb10u10) buster-security; urgency=medium * Update DST rules for Greenland * Update DST rules for Egypt * Update DST rules for Morocco * Update DST rules for Palestine tzdata (2021a-0+deb10u9) buster-security; urgency=medium * Backport changes from upstream: - Fiji no longer observes DST. - Update DST rules for Mexico. - Update DST rules for Lebanon. * Add myself to Uploaders. Source xapian-core, binaries: libxapian30:amd64 libxapian30:arm64 xapian-core (1.4.11-1+deb10u1) buster-security; urgency=medium * debian/patches/fix-db-corruption-on-ENOSPC.patch: New patch to fix potential database corruption if switching the new revision live fails with ENOSPC but the recovery process does NOT get ENOSPC. The fix here is taken from upstream's 1.4.22 release and is the simplest way to address the problem: simply reread the current version file from disk which means the in memory state will match the previously committed state. Closes: #1032398 * debian/patches/fix-check-on-replication-changesets.patch: Fix xapian-check and Database::check() on a database with valid replication changesets to not incorrectly fail with "DatabaseError: Changes file - bad table code". The fix here is taken from upstream's 1.4.15 release. -- Steve McIntyre <93sam@debian.org> Sat, 25 Mar 2023 14:33:56 +0000 10.13.11-20230221 Updates in 3 source package(s), 10 binary package(s): Source gnutls28, binaries: libgnutls30:amd64 libgnutls30:arm64 gnutls28 (3.6.7-4+deb10u10) buster-security; urgency=high * Non-maintainer upload by the LTS team. * Fix CVE-2023-0361: Hubert Kario discovered a timing side channel in the RSA decryption implementation of the GNU TLS library. Source isc-dhcp, binaries: isc-dhcp-client:amd64 isc-dhcp-common:amd64 isc-dhcp-client:arm64 isc-dhcp-common:arm64 isc-dhcp (4.4.1-2+deb10u3) buster-security; urgency=medium * Non-maintainer upload. * Backport missing IPv6 address lifetime handling. (closes: #1022969) Source openssl, binaries: libssl1.1:amd64 openssl:amd64 libssl1.1:arm64 openssl:arm64 openssl (1.1.1n-0+deb10u4) buster-security; urgency=medium * Non-maintainer upload by the LTS Team. * CVE-2022-4450 (Double free after calling PEM_read_bio_ex). * CVE-2023-0286 (X.400 address type confusion in X.509 GeneralName). * CVE-2023-0215 (Use-after-free following BIO_new_NDEF). * CVE-2022-4304 (Timing Oracle in RSA Decryption). * CVE-2022-2097 (AES OCB fails to encrypt some bytes). -- Steve McIntyre <93sam@debian.org> Tue, 21 Feb 2023 16:51:01 +0000 10.13.10-20230122 Updates in 3 source package(s), 6 binary package(s): Source libtasn1-6, binaries: libtasn1-6:amd64 libtasn1-6:arm64 libtasn1-6 (4.13-3+deb10u1) buster-security; urgency=high * Non-maintainer upload by the Debian LTS team. * CVE-2021-46848: Fix an off-by-one array size issue that affected the asn1_encode_simple_der function. * Add debian/.gitlab-ci.yml and disable crossbuilding tests. * Move texinfo to Build-Depends to fix "any"-style build. Source linux-latest, binaries: linux-image-cloud-amd64:amd64 linux-image-arm64:arm64 linux-latest (105+deb10u18) buster-security; urgency=medium * Update to 4.19.0-23 linux-latest (105+deb10u17) buster-security; urgency=medium * Update to 4.19.0-22 linux-latest (105+deb10u16) buster-security; urgency=medium * Update to 4.19.0-21 linux-latest (105+deb10u15) buster; urgency=medium * Update to 4.19.0-20 linux-latest (105+deb10u14) buster-security; urgency=high * Update to 4.19.0-19 * linux-image: Add NEWS for unprivileged eBPF change linux-latest (105+deb10u13) buster; urgency=medium * Update to 4.19.0-18 linux-latest (105+deb10u12) buster; urgency=medium * Update to 4.19.0-17 linux-latest (105+deb10u11) buster; urgency=medium * Update to 4.19.0-16 linux-latest (105+deb10u10) buster; urgency=medium * Update to 4.19.0-15 linux-latest (105+deb10u9) buster-security; urgency=high * Update to 4.19.0-14 linux-latest (105+deb10u8) buster; urgency=medium * Update to 4.19.0-13 linux-latest (105+deb10u7) buster-security; urgency=high * Update to 4.19.0-12 linux-latest (105+deb10u6) buster; urgency=medium * Update to 4.19.0-11 linux-latest (105+deb10u5) buster; urgency=medium * Update to 4.19.0-10 linux-latest (105+deb10u4) buster; urgency=medium * Update to 4.19.0-9 linux-latest (105+deb10u3) buster; urgency=medium * Update to 4.19.0-8 linux-latest (105+deb10u2) buster; urgency=medium * Update to 4.19.0-7 linux-latest (105+deb10u1) buster; urgency=medium * Update to 4.19.0-6 linux-latest (105) unstable; urgency=medium * Update to 4.19.0-5 linux-latest (104) unstable; urgency=medium * Update to 4.19.0-4 linux-latest (103) unstable; urgency=medium * Update to 4.19.0-3 linux-latest (102) unstable; urgency=medium * Update to 4.19.0-2 linux-latest (101) unstable; urgency=medium * Update to 4.19.0-1 linux-latest (100) unstable; urgency=medium [ Romain Perier ] * Update to 4.18.0-3 linux-latest (99) unstable; urgency=medium * Update to 4.18.0-2 linux-latest (98) unstable; urgency=medium * Update to 4.18.0-1 linux-latest (97) unstable; urgency=medium * Update to 4.17.0-3 linux-latest (96) unstable; urgency=medium [ Romain Perier ] * Update to 4.17.0-2 linux-latest (95) unstable; urgency=medium [ Romain Perier ] * Update to 4.17.0-1 linux-latest (94) unstable; urgency=medium [ Ben Hutchings ] * Substitute source package name in lintian-overrides * Change binary package names to include any source package name suffix * Don't build redundant linux-doc, linux-source, linux-tools packages [ Salvatore Bonaccorso ] * Update to 4.16.0-2 linux-latest (93) unstable; urgency=medium * Update to 4.16.0-1 linux-latest (92) unstable; urgency=medium * Update to 4.15.0-3 linux-latest (91) unstable; urgency=medium [ Ben Hutchings ] * debian/control: Point Vcs URLs to Salsa [ Salvatore Bonaccorso ] * Update to 4.15.0-2 linux-latest (90) unstable; urgency=medium * Update to 4.15.0-1 linux-latest (89) unstable; urgency=medium * Update to 4.14.0-3 linux-latest (88) unstable; urgency=medium * Update to 4.14.0-2 linux-latest (87) unstable; urgency=medium * linux-image: Add back-dated NEWS for vsyscall change in Linux 4.10 * linux-doc: Add symlinks to current documentation * Update to 4.14.0-1 * linux-image: Add back-dated NEWS about AppArmor introduction linux-latest (86) unstable; urgency=medium * Add myself to Uploaders * Update to 4.13.0-1 linux-latest (85) unstable; urgency=medium * debian/control: Remove Frederik Schüler from Uploaders field * Update to 4.12.0-2 linux-latest (84) unstable; urgency=medium * Update to 4.12.0-1 (Closes: #872055) linux-latest (83) unstable; urgency=medium * Update to 4.11.0-2 linux-latest (82) unstable; urgency=medium * Revert changes to debug symbol meta-packages (Closes: #866691) linux-latest (81) unstable; urgency=medium * Update to 4.11.0-1 * Stop generating various transitional packages needed in stretch linux-latest (80) unstable; urgency=medium * Re-introduce xen-linux-system-amd64 *again* as transitional package (Closes: #857039) * Update to 4.9.0-3 linux-latest (79) unstable; urgency=medium * Update to 4.9.0-2 linux-latest (78) unstable; urgency=medium * debian/rules: Use dpkg-parsechangelog -S option to select fields * linux-image: Delete NEWS for version 76 about vsyscall changes, now reverted * Update to 4.9.0-1 linux-latest (77) unstable; urgency=medium * Update to 4.8.0-2 * Use debhelper compatibility level 9 * Re-introduce xen-linux-system packages, accidentally dropped in version 75 linux-latest (76) unstable; urgency=medium * Update to 4.8.0-1 * linux-image-{686-pae,amd64}: Delete old NEWS * linux-image: Add back-dated NEWS for conntrack helpers change in Linux 4.7 (Closes: #839632) * linux-image: Add NEWS for security hardening config changes for Linux 4.8 linux-latest (75) unstable; urgency=medium * Update to 4.7.0-1 * Rename and move debug symbol meta-packages to the debug archive * debian/control: Set priority of transitional packages to extra * debian/control: Update Standards-Version to 3.9.8; no changes needed linux-latest (74) unstable; urgency=medium * Update to 4.6.0-1 linux-latest (73) unstable; urgency=medium * Update to 4.5.0-2 linux-latest (72) unstable; urgency=medium * Update to 4.5.0-1 linux-latest (71) unstable; urgency=medium * Update to 4.4.0-1 - Change linux-{image,headers}-{kirkwood,orion5x} to transitional packages linux-latest (70) unstable; urgency=medium * Change linux-{image,headers}-586 to transitional packages linux-latest (69) unstable; urgency=medium * Update to 4.3.0-1 linux-latest (68) unstable; urgency=medium * Update to 4.2.0-1 * debian/bin/gencontrol.py: Use Python 3 linux-latest (67) unstable; urgency=medium * Adjust for migration to git: - Add .gitignore file - debian/control: Update Vcs-* fields * .gitignore: Ignore linux-perf build directory * Update to 4.1.0-2 * Change source format to 3.0 (native) so that .git directory is excluded by default linux-latest (66) unstable; urgency=medium * Update to 4.1.0-1 * Rename linux-tools to linux-perf, providing linux-tools as a transitional package linux-latest (65) unstable; urgency=medium * Update to 4.0.0-2 linux-latest (64) unstable; urgency=medium * Update to 4.0.0-1 * Stop generating linux-{headers,image}-486 transitional packages * debian/control: Build-Depend on linux-headers-*-all, so that after an ABI bump linux is auto-built before linux-latest on each architecture. (Closes: #746618) linux-latest (63) unstable; urgency=medium * Update to 3.16.0-4 - Change linux-{image,headers}-486 to transitional packages linux-latest (62) unstable; urgency=medium * Update to 3.16-3 (Closes: #766078) linux-latest (61) unstable; urgency=medium * Update to 3.16-2 linux-latest (60) unstable; urgency=medium * linux-image-{686-pae,amd64}: Add backdated NEWS for introduction of xz compression affecting Xen (Closes: #727736) * Update to 3.16-1 linux-latest (59) unstable; urgency=medium * Update to 3.14-2 linux-latest (58) unstable; urgency=medium * Rebuild to include arm64 and ppc64el architectures linux-latest (57) unstable; urgency=medium * Suppress lintian warnings about linux-image-dbg metapackages not looking like debug info packages * debian/control: Update Standards-Version to 3.9.5; no changes needed * Update to 3.14-1 linux-latest (56) unstable; urgency=medium * Update to 3.13-1 linux-latest (55) unstable; urgency=low * Update to 3.12-1 linux-latest (54) unstable; urgency=low * Update to 3.11-2 linux-latest (53) unstable; urgency=low * Add linux-image--dbg metapackages, providing the virtual package linux-latest-image-dbg * Update standards-version to 3.9.4; no changes required * Change section and priority fields to match archive overrides * Update to 3.11-1 * Stop providing virtual package linux-headers linux-latest (52) unstable; urgency=low * Update to 3.10-3 linux-latest (51) unstable; urgency=low * Update to 3.10-2 linux-latest (50) unstable; urgency=low * Update to 3.10-1 linux-latest (49) unstable; urgency=low * Update to 3.9-1 linux-latest (48) unstable; urgency=low * Update to 3.8-2 (Closes: #708842) linux-latest (47) unstable; urgency=low * Update to 3.8-1 * Remove transitional packages provided in wheezy linux-latest (46) unstable; urgency=low * Set Priority: extra, as currently overridden in the archive (Closes: #689846) * Add Czech debconf template translation (Michal Šimůnek) (Closes: #685501) * Update to 3.2.0-4 (Closes: #688222, #689864) linux-latest (45) unstable; urgency=low * Update to 3.2.0-3 linux-latest (44) unstable; urgency=high [ Ben Hutchings ] * Update debconf template translations: - Add Polish (Michał Kułach) (Closes: #659571) - Add Turkish (Mert Dirik) (Closes: #660119) * Update standards-version to 3.9.3: - Do not move packages to the 'metapackages' section, as that will cause APT not to auto-remove their dependencies * Move transitional packages to the section 'oldlibs', so that APT will treat the replacement packages as manually installed * Update to 3.2.0-2 * Stop generating linux-{headers,image}-2.6- transitional packages for flavours added since Linux 3.0 linux-latest (43) unstable; urgency=low * Add Vcs-{Svn,Browser} fields * Add debconf template translations: - Danish (Joe Hansen) (Closes: #656642) - Spanish (Slime Siabef) (Closes: #654681) - Italian (Stefano Canepa) (Closes: #657386) * [s390] Update the check for flavours without modules, removing the useless linux-headers{,-2.6}-s390x-tape packages linux-latest (42) unstable; urgency=low * Rename source package to linux-latest * Add debconf template translations: - Portugese (Miguel Figueiredo) (Closes: #651123) - Serbian latin (Zlatan Todoric) (Closes: #635895) - Russian (Yuri Kozlov) (Closes: #652431) - Japanese (Nobuhiro Iwamatsu) (Closes: #655687) * Update to 3.2.0-1 linux-latest-2.6 (41) unstable; urgency=low * Remove dependency on module makefiles in linux-support package * Update to 3.1.0-1 linux-latest-2.6 (40) unstable; urgency=low * Add debconf template translations: - Serbian cyrillic (Zlatan Todoric) (Closes: #635893) - German (Holger Wansing) (Closes: #637764) - French (Debian French l10n team) (Closes: #636624) - Swedish (Martin Bagge) (Closes: #640058) - Dutch (Jeroen Schot) (Closes: #640115) - Catalan (Innocent De Marchi) (Closes: #642109) * Update to 3.0.0-2 linux-latest-2.6 (39) unstable; urgency=low * Update to 3.0.0-1 linux-latest-2.6 (38) experimental; urgency=low * Correct xen-linux-system transitional package names linux-latest-2.6 (37) experimental; urgency=low * Update to 3.0.0-rc5 * Restore xen-linux-system- packages * Remove common description text from linux-image-2.6- packages linux-latest-2.6 (36) experimental; urgency=low * Update to 3.0.0-rc1 - Add linux-doc, linux-headers-, linux-source and linux-tools packages - Change *-2.6-* to transitional packages linux-latest-2.6 (35.1) unstable; urgency=low [ Bastian Blank ] * Update to 2.6.39-2. linux-latest-2.6 (35) unstable; urgency=low * Update to 2.6.39-1 - Change linux-image{,-2.6}-686{,-bigmem} to transitional packages linux-latest-2.6 (34) unstable; urgency=low * [hppa] Update to 2.6.38-2a linux-latest-2.6 (33) unstable; urgency=low * Update to 2.6.38-2 linux-latest-2.6 (32) unstable; urgency=low * Update to 2.6.38-1 linux-latest-2.6 (31) unstable; urgency=low * Update to 2.6.37-2 linux-latest-2.6 (30) unstable; urgency=low * Update to 2.6.37-1 linux-latest-2.6 (29) unstable; urgency=low * Add xen-linux-system-2.6-* meta-packages (Closes: #402414) * Add bug presubj message for image meta packages directing users to the real image packages (Closes: #549591) * Fix repetition in description of linux-image-2.6-xen-amd64 (Closes: #598648) * [x86] Correct lists of suitable processors linux-latest-2.6 (28) unstable; urgency=low * Move NEWS from linux-2.6, since apt-listchanges only shows it for upgraded packages * Add linux-tools-2.6 meta package * Change versions for linux-doc-2.6 and linux-source-2.6 to match those of the other meta packages linux-latest-2.6 (27) unstable; urgency=low * Really build linux-doc-2.6 and linux-source-2.6 meta packages linux-latest-2.6 (26) unstable; urgency=low [ Joachim Breitner ] * Create linux-doc-2.6 and linux-source-2.6 meta packages (Closes: 347284) [ Ben Hutchings ] * Update to 2.6.32-5. * Update standards-version to 3.8.4; no changes required. * Explicitly describe all packages as meta-packages. linux-latest-2.6 (25) unstable; urgency=high * Update package description templates in line with linux-2.6. * Update to 2.6.32-3. * Set urgency to 'high' since this must transition with linux-2.6. linux-latest-2.6 (24) unstable; urgency=low * Update to 2.6.32-2. linux-latest-2.6 (23) unstable; urgency=low * Update to 2.6.32-trunk. linux-latest-2.6 (22) unstable; urgency=low * Update to 2.6.31-1. linux-latest-2.6 (21) unstable; urgency=low [ Bastian Blank ] * Update to 2.6.30-2. [ Ben Hutchings ] * Add myself to uploaders. linux-latest-2.6 (20) unstable; urgency=low * Move into kernel section. * Update to 2.6.30-1. linux-latest-2.6 (19) unstable; urgency=low * Update to 2.6.29-2. * Use debhelper compat level 7. * Update copyright file. linux-latest-2.6 (18) unstable; urgency=low * Update to 2.6.29-1. * Use dh_prep. * Remove lenny transition packages. linux-latest-2.6 (17) unstable; urgency=low * Use correct part of the config for image type. * Add description parts to all image packages. linux-latest-2.6 (16) unstable; urgency=low * Rebuild to pick up new images linux-latest-2.6 (15) unstable; urgency=low * Update to 2.6.26-1. * Make linux-image-* complete meta packages. linux-latest-2.6 (14) unstable; urgency=low * Update to 2.6.25-2. linux-latest-2.6 (13) unstable; urgency=low * Add transitional packages for k7. linux-latest-2.6 (12) unstable; urgency=low * Update to 2.6.24-1. linux-latest-2.6 (11) unstable; urgency=low * Update to 2.6.22-3. linux-latest-2.6 (10) unstable; urgency=low * Update to 2.6.22-2. linux-latest-2.6 (9) unstable; urgency=low * Update to 2.6.22-1. linux-latest-2.6 (8) unstable; urgency=low * Update to 2.6.21-2. * Add modules meta packages. * Provide linux-latest-modules-*. (closes: #428783) linux-latest-2.6 (7) unstable; urgency=low * Update to 2.6.21-1. * Remove etch transition packages. linux-latest-2.6 (6) unstable; urgency=low * Update to 2.6.18-4. * i386: Add amd64 transition packages. linux-latest-2.6 (5) unstable; urgency=low * Update to 2.6.18-3. Source sudo, binaries: sudo:amd64 sudo:arm64 sudo (1.8.27-1+deb10u5) buster-security; urgency=high * Non-maintainer upload by the LTS Team. * CVE-2023-22809 sudoedit: do not permit editor arguments to include "--" -- Steve McIntyre <93sam@debian.org> Sun, 22 Jan 2023 16:10:05 +0000 10.13.9-20221214 Updates in 3 source package(s), 26 binary package(s): Source grub2, binaries: grub-common:amd64 grub-pc:amd64 grub-pc-bin:amd64 grub2-common:amd64 grub-common:arm64 grub-efi-arm64:arm64 grub-efi-arm64-bin:arm64 grub2-common:arm64 grub2 (2.06-3~deb10u3) buster-security; urgency=high [ Steve McIntyre ] * Actually ensure the patches are applied for CVE-2022-2601 and CVE-2022-3775. Closes: #1024617 * Include fonts in the memdisk build for EFI images. * Fix bug in core file code so errors are handled better. This makes the fallback font-handling patch work properly. * Bump Debian SBAT level to 4 - Due to a mistake in the buster upload (2.06-3~deb10u2) that left the CVE-2022-2601 bugs in place, we need to bump SBAT for all of the Debian GRUB binaries. :-( Source krb5, binaries: libgssapi-krb5-2:amd64 libk5crypto3:amd64 libkrb5-3:amd64 libkrb5support0:amd64 libgssapi-krb5-2:arm64 libk5crypto3:arm64 libkrb5-3:arm64 libkrb5support0:arm64 krb5 (1.17-3+deb10u5) buster-security; urgency=high * Non-maintainer upload by the Debian LTS team. * CVE-2022-42898: Prevent integer overflows in PAC parsing; potentially critical for 32-bit KDCs or when cross-realm acts maliciously. (Closes: #1024267) Source vim, binaries: vim:amd64 vim-common:amd64 vim-runtime:amd64 vim-tiny:amd64 xxd:amd64 vim:arm64 vim-common:arm64 vim-runtime:arm64 vim-tiny:arm64 xxd:arm64 vim (2:8.1.0875-5+deb10u4) buster-security; urgency=medium * Non-maintainer upload by the LTS team. * Add missing CVE to previous changelog entry. * Fix CVE-2022-0318, CVE-2022-0392, CVE-2022-0629, CVE-2022-0696, CVE-2022-1619, CVE-2022-1621, CVE-2022-1785, CVE-2022-1897, CVE-2022-1942, CVE-2022-2000, CVE-2022-2129, CVE-2022-3235, CVE-2022-3256, CVE-2022-3352 -- Steve McIntyre <93sam@debian.org> Wed, 14 Dec 2022 13:36:46 +0000 10.13.8-20221118 Updates in 3 source package(s), 20 binary package(s): Source grub2, binaries: grub-common:amd64 grub-pc:amd64 grub-pc-bin:amd64 grub2-common:amd64 grub-common:arm64 grub-efi-arm64:arm64 grub-efi-arm64-bin:arm64 grub2-common:arm64 grub2 (2.06-3~deb10u2) buster-security; urgency=medium [ Steve McIntyre ] * Pull in upstream patches to harden font and image handling - CVE-2022-2601, CVE-2022-3775. * Bump SBAT level to 3 for grub-efi packages. Source sudo, binaries: sudo:amd64 sudo:arm64 sudo (1.8.27-1+deb10u4) buster-security; urgency=high * Non-maintainer upload by the Debian LTS team. * CVE-2021-23239: Prevent an issue where a local unprivileged user may have been able to perform arbitrary directory-existence tests by exploiting a race condition in sudoedit by replacing a user-controlled directory by a symlink to an arbitrary path. Source vim, binaries: vim:amd64 vim-common:amd64 vim-runtime:amd64 vim-tiny:amd64 xxd:amd64 vim:arm64 vim-common:arm64 vim-runtime:arm64 vim-tiny:arm64 xxd:arm64 vim (2:8.1.0875-5+deb10u3) buster-security; urgency=high * Non-maintainer upload by the LTS team. * Fix CVE-2021-3927, CVE-2021-3928, CVE-2021-3974, CVE-2021-3984, CVE-2021-4019, CVE-2021-4069, CVE-2021-4192, CVE-2021-4193, CVE-2022-0213, CVE-2022-0261, CVE-2022-0319, CVE-2022-0351, CVE-2022-0359, CVE-2022-0361, CVE-2022-0368, CVE-2022-0408, CVE-2022-0413, CVE-2022-0417, CVE-2022-0443, CVE-2022-0554, CVE-2022-0572, CVE-2022-0685, CVE-2022-0714, CVE-2022-0729, CVE-2022-0943, CVE-2022-1154, CVE-2022-1616, CVE-2022-1720, CVE-2022-1851, CVE-2022-1898, CVE_2022-1968, CVE-2022-2285, CVE-2022-2304, CVE-2022-2598, CVE-2022-2946, CVE-2022-3099, CVE-2022-3134, CVE-2022-3234, CVE-2022-3324, CVE-2022-3705 Multiple security vulnerabilities have been discovered in vim, an enhanced vi editor. Buffer overflows, out-of-bounds reads and use-after-free may lead to a denial-of-service (application crash) or other unspecified impact. -- Steve McIntyre <93sam@debian.org> Fri, 18 Nov 2022 20:12:29 +0000 10.13.7-20221101 Updates in 4 source package(s), 22 binary package(s): Source distro-info-data, binaries: distro-info-data:amd64 distro-info-data:arm64 distro-info-data (0.41+deb10u6) buster-security; urgency=medium * Update data to 0.55, without new columns: - Correct release date of Debian 8 (jessie) to 2015-04-26 - Add dates for Ubuntu 23.04, Lunar Lobster (LP: #1993667) Source libxml2, binaries: libxml2:amd64 libxml2:arm64 libxml2 (2.9.4+dfsg1-7+deb10u5) buster-security; urgency=high * Non-maintainer upload by the LTS team. * Fix CVE-2022-40303: Parsing a XML document with the XML_PARSE_HUGE option enabled can result in an integer overflow because safety checks were missing in some functions. Also, the xmlParseEntityValue function didn't have any length limitation. * Fix CVE-2022-40304: When a reference cycle is detected in the XML entity cleanup function the XML entity data can be stored in a dictionary. In this case, the dictionary becomes corrupted resulting in logic errors, including memory errors like double free. Source ncurses, binaries: libncurses6:amd64 libncursesw6:amd64 libtinfo6:amd64 ncurses-base:amd64 ncurses-bin:amd64 libncurses6:arm64 libncursesw6:arm64 libtinfo6:arm64 ncurses-base:arm64 ncurses-bin:arm64 ncurses (6.1+20181013-2+deb10u3) buster-security; urgency=medium * Non-maintainer upload by the LTS Team. * CVE-2022-29458 Avoid out-of-bounds read in convert_strings in the terminfo library. Source python3.7, binaries: libpython3.7-minimal:amd64 libpython3.7-stdlib:amd64 python3.7:amd64 python3.7-minimal:amd64 libpython3.7-minimal:arm64 libpython3.7-stdlib:arm64 python3.7:arm64 python3.7-minimal:arm64 python3.7 (3.7.3-2+deb10u4) buster-security; urgency=medium * Non-maintainer upload by the LTS Security Team. * Resolve CVE-2022-37454, a buffer overflow it the SHA-3 implementation in the _sha3 (and thus hashlib) module. -- Steve McIntyre <93sam@debian.org> Tue, 01 Nov 2022 12:39:17 +0000 10.13.6-20221028 Updates in 2 source package(s), 4 binary package(s): Source expat, binaries: libexpat1:amd64 libexpat1:arm64 expat (2.2.6-2+deb10u6) buster-security; urgency=high * Non-maintainer upload by the LTS Team. * Add patch to fix heap use-after-free after overeager destruction of a shared DTD in function XML_ExternalEntityParserCreate in out-of-memory situations. (Fixes: CVE-2022-43680) (Closes: #1022743) Source tzdata, binaries: tzdata:amd64 tzdata:arm64 tzdata (2021a-0+deb10u8) buster-security; urgency=medium * Cherry-pick patches from upstream (thanks Aurelien Jarno): - 12-syria-dst.patch: Syria is abandoning the DST regime and is changing to permanent +03, so it will not fall back from +03 to +02 on 2022-10-28. - 13-jordan-dst.patch: Jordan is abandoning the DST regime and are changing to permanent +03, so it will not fall back from +03 to +02 on 2022-10-28. -- Steve McIntyre <93sam@debian.org> Fri, 28 Oct 2022 17:54:47 +0000 10.13.5-20221022 Updates in 1 source package(s), 10 binary package(s): Source glibc, binaries: libc-bin:amd64 libc-l10n:amd64 libc6:amd64 locales:amd64 locales-all:amd64 libc-bin:arm64 libc-l10n:arm64 libc6:arm64 locales:arm64 locales-all:arm64 glibc (2.28-10+deb10u2) buster-security; urgency=medium * Non-maintainer upload by LTS team. * CVE-2016-10228 iconv option parsing Closes: #856503 * CVE-2019-19126 setuid environment filtering Closes: #945250 * CVE-2019-25013 oob read in iconv Closes: #979273 * CVE-2020-1752 use after free in glob Closes: #953788 * CVE-2020-6096 [arm] memcpy underflow Closes: #961452 * CVE-2020-10029 sinl buffer overflow Closes: #953108 * CVE-2020-27618 iconv infinite loop Closes: #973914 * CVE-2021-3326 iconv abort Closes: #981198 * CVE-2021-3999 oob write for getcwd size 1 * CVE-2021-27645 nscd double free Closes: #983479 * CVE-2021-33574 mq_notify use after free Closes: #989147 * CVE-2021-35942 wordexp input validation Closes: #990542 * CVE-2022-23218 svcunix_create buffer overflow * CVE-2022-23219 clnt_create buffer overflow -- Steve McIntyre <93sam@debian.org> Sat, 22 Oct 2022 16:43:04 +0000 10.13.4-20221012 Updates in 2 source package(s), 6 binary package(s): Source dbus, binaries: dbus:amd64 libdbus-1-3:amd64 dbus (1.12.24-0+deb10u1) buster-security; urgency=medium * Non-maintainer upload by the LTS Team. * New upstream stable release. Notable changes: - Fix several denial of service issues where an authenticated attacker can crash the system bus by sending crafted messages (CVE-2022-42010, CVE-2022-42011, CVE-2022-42012) - Use a path-based Unix socket for the session bus, avoiding sandbox escape for Flatpak apps with network access (dbus#416) - Don't crash if asked to watch more than 128 directories for changes Source isc-dhcp, binaries: isc-dhcp-client:amd64 isc-dhcp-common:amd64 isc-dhcp-client:arm64 isc-dhcp-common:arm64 isc-dhcp (4.4.1-2+deb10u2) buster-security; urgency=high * Non-maintainer upload by the LTS team. (Closes: #1021320) * An option refcount overflow exists in dhcpd. (Fixes: CVE-2022-2928) * DHCP memory leak. (Fixes: CVE-2022-2929) -- Steve McIntyre <93sam@debian.org> Wed, 12 Oct 2022 14:43:39 +0000 10.13.3-20221010 Updates in 4 source package(s), 12 binary package(s): Source bind9, binaries: libdns-export1104:amd64 libisc-export1100:amd64 libdns-export1104:arm64 libisc-export1100:arm64 bind9 (1:9.11.5.P4+dfsg-5.1+deb10u8) buster-security; urgency=medium * Non-maintainer upload by the LTS Team. * CVE-2022-2795: degraded performance when processing large delegations. * CVE-2022-38177: memory leak in ECDSA verification. * CVE-2022-38178: memory leak in EdDSA verification. Source dbus, binaries: dbus:amd64 libdbus-1-3:amd64 dbus:arm64 libdbus-1-3:arm64 dbus (1.12.24-0+deb10u1) buster-security; urgency=medium * Non-maintainer upload by the LTS Team. * New upstream stable release. Notable changes: - Fix several denial of service issues where an authenticated attacker can crash the system bus by sending crafted messages (CVE-2022-42010, CVE-2022-42011, CVE-2022-42012) - Use a path-based Unix socket for the session bus, avoiding sandbox escape for Flatpak apps with network access (dbus#416) - Don't crash if asked to watch more than 128 directories for changes Source linux-latest, binaries: linux-image-cloud-amd64:amd64 linux-image-arm64:arm64 linux-latest (105+deb10u17) buster-security; urgency=medium * Update to 4.19.0-22 linux-latest (105+deb10u16) buster-security; urgency=medium * Update to 4.19.0-21 linux-latest (105+deb10u15) buster; urgency=medium * Update to 4.19.0-20 linux-latest (105+deb10u14) buster-security; urgency=high * Update to 4.19.0-19 * linux-image: Add NEWS for unprivileged eBPF change linux-latest (105+deb10u13) buster; urgency=medium * Update to 4.19.0-18 linux-latest (105+deb10u12) buster; urgency=medium * Update to 4.19.0-17 linux-latest (105+deb10u11) buster; urgency=medium * Update to 4.19.0-16 linux-latest (105+deb10u10) buster; urgency=medium * Update to 4.19.0-15 linux-latest (105+deb10u9) buster-security; urgency=high * Update to 4.19.0-14 linux-latest (105+deb10u8) buster; urgency=medium * Update to 4.19.0-13 linux-latest (105+deb10u7) buster-security; urgency=high * Update to 4.19.0-12 linux-latest (105+deb10u6) buster; urgency=medium * Update to 4.19.0-11 linux-latest (105+deb10u5) buster; urgency=medium * Update to 4.19.0-10 linux-latest (105+deb10u4) buster; urgency=medium * Update to 4.19.0-9 linux-latest (105+deb10u3) buster; urgency=medium * Update to 4.19.0-8 linux-latest (105+deb10u2) buster; urgency=medium * Update to 4.19.0-7 linux-latest (105+deb10u1) buster; urgency=medium * Update to 4.19.0-6 linux-latest (105) unstable; urgency=medium * Update to 4.19.0-5 linux-latest (104) unstable; urgency=medium * Update to 4.19.0-4 linux-latest (103) unstable; urgency=medium * Update to 4.19.0-3 linux-latest (102) unstable; urgency=medium * Update to 4.19.0-2 linux-latest (101) unstable; urgency=medium * Update to 4.19.0-1 linux-latest (100) unstable; urgency=medium [ Romain Perier ] * Update to 4.18.0-3 linux-latest (99) unstable; urgency=medium * Update to 4.18.0-2 linux-latest (98) unstable; urgency=medium * Update to 4.18.0-1 linux-latest (97) unstable; urgency=medium * Update to 4.17.0-3 linux-latest (96) unstable; urgency=medium [ Romain Perier ] * Update to 4.17.0-2 linux-latest (95) unstable; urgency=medium [ Romain Perier ] * Update to 4.17.0-1 linux-latest (94) unstable; urgency=medium [ Ben Hutchings ] * Substitute source package name in lintian-overrides * Change binary package names to include any source package name suffix * Don't build redundant linux-doc, linux-source, linux-tools packages [ Salvatore Bonaccorso ] * Update to 4.16.0-2 linux-latest (93) unstable; urgency=medium * Update to 4.16.0-1 linux-latest (92) unstable; urgency=medium * Update to 4.15.0-3 linux-latest (91) unstable; urgency=medium [ Ben Hutchings ] * debian/control: Point Vcs URLs to Salsa [ Salvatore Bonaccorso ] * Update to 4.15.0-2 linux-latest (90) unstable; urgency=medium * Update to 4.15.0-1 linux-latest (89) unstable; urgency=medium * Update to 4.14.0-3 linux-latest (88) unstable; urgency=medium * Update to 4.14.0-2 linux-latest (87) unstable; urgency=medium * linux-image: Add back-dated NEWS for vsyscall change in Linux 4.10 * linux-doc: Add symlinks to current documentation * Update to 4.14.0-1 * linux-image: Add back-dated NEWS about AppArmor introduction linux-latest (86) unstable; urgency=medium * Add myself to Uploaders * Update to 4.13.0-1 linux-latest (85) unstable; urgency=medium * debian/control: Remove Frederik Schüler from Uploaders field * Update to 4.12.0-2 linux-latest (84) unstable; urgency=medium * Update to 4.12.0-1 (Closes: #872055) linux-latest (83) unstable; urgency=medium * Update to 4.11.0-2 linux-latest (82) unstable; urgency=medium * Revert changes to debug symbol meta-packages (Closes: #866691) linux-latest (81) unstable; urgency=medium * Update to 4.11.0-1 * Stop generating various transitional packages needed in stretch linux-latest (80) unstable; urgency=medium * Re-introduce xen-linux-system-amd64 *again* as transitional package (Closes: #857039) * Update to 4.9.0-3 linux-latest (79) unstable; urgency=medium * Update to 4.9.0-2 linux-latest (78) unstable; urgency=medium * debian/rules: Use dpkg-parsechangelog -S option to select fields * linux-image: Delete NEWS for version 76 about vsyscall changes, now reverted * Update to 4.9.0-1 linux-latest (77) unstable; urgency=medium * Update to 4.8.0-2 * Use debhelper compatibility level 9 * Re-introduce xen-linux-system packages, accidentally dropped in version 75 linux-latest (76) unstable; urgency=medium * Update to 4.8.0-1 * linux-image-{686-pae,amd64}: Delete old NEWS * linux-image: Add back-dated NEWS for conntrack helpers change in Linux 4.7 (Closes: #839632) * linux-image: Add NEWS for security hardening config changes for Linux 4.8 linux-latest (75) unstable; urgency=medium * Update to 4.7.0-1 * Rename and move debug symbol meta-packages to the debug archive * debian/control: Set priority of transitional packages to extra * debian/control: Update Standards-Version to 3.9.8; no changes needed linux-latest (74) unstable; urgency=medium * Update to 4.6.0-1 linux-latest (73) unstable; urgency=medium * Update to 4.5.0-2 linux-latest (72) unstable; urgency=medium * Update to 4.5.0-1 linux-latest (71) unstable; urgency=medium * Update to 4.4.0-1 - Change linux-{image,headers}-{kirkwood,orion5x} to transitional packages linux-latest (70) unstable; urgency=medium * Change linux-{image,headers}-586 to transitional packages linux-latest (69) unstable; urgency=medium * Update to 4.3.0-1 linux-latest (68) unstable; urgency=medium * Update to 4.2.0-1 * debian/bin/gencontrol.py: Use Python 3 linux-latest (67) unstable; urgency=medium * Adjust for migration to git: - Add .gitignore file - debian/control: Update Vcs-* fields * .gitignore: Ignore linux-perf build directory * Update to 4.1.0-2 * Change source format to 3.0 (native) so that .git directory is excluded by default linux-latest (66) unstable; urgency=medium * Update to 4.1.0-1 * Rename linux-tools to linux-perf, providing linux-tools as a transitional package linux-latest (65) unstable; urgency=medium * Update to 4.0.0-2 linux-latest (64) unstable; urgency=medium * Update to 4.0.0-1 * Stop generating linux-{headers,image}-486 transitional packages * debian/control: Build-Depend on linux-headers-*-all, so that after an ABI bump linux is auto-built before linux-latest on each architecture. (Closes: #746618) linux-latest (63) unstable; urgency=medium * Update to 3.16.0-4 - Change linux-{image,headers}-486 to transitional packages linux-latest (62) unstable; urgency=medium * Update to 3.16-3 (Closes: #766078) linux-latest (61) unstable; urgency=medium * Update to 3.16-2 linux-latest (60) unstable; urgency=medium * linux-image-{686-pae,amd64}: Add backdated NEWS for introduction of xz compression affecting Xen (Closes: #727736) * Update to 3.16-1 linux-latest (59) unstable; urgency=medium * Update to 3.14-2 linux-latest (58) unstable; urgency=medium * Rebuild to include arm64 and ppc64el architectures linux-latest (57) unstable; urgency=medium * Suppress lintian warnings about linux-image-dbg metapackages not looking like debug info packages * debian/control: Update Standards-Version to 3.9.5; no changes needed * Update to 3.14-1 linux-latest (56) unstable; urgency=medium * Update to 3.13-1 linux-latest (55) unstable; urgency=low * Update to 3.12-1 linux-latest (54) unstable; urgency=low * Update to 3.11-2 linux-latest (53) unstable; urgency=low * Add linux-image--dbg metapackages, providing the virtual package linux-latest-image-dbg * Update standards-version to 3.9.4; no changes required * Change section and priority fields to match archive overrides * Update to 3.11-1 * Stop providing virtual package linux-headers linux-latest (52) unstable; urgency=low * Update to 3.10-3 linux-latest (51) unstable; urgency=low * Update to 3.10-2 linux-latest (50) unstable; urgency=low * Update to 3.10-1 linux-latest (49) unstable; urgency=low * Update to 3.9-1 linux-latest (48) unstable; urgency=low * Update to 3.8-2 (Closes: #708842) linux-latest (47) unstable; urgency=low * Update to 3.8-1 * Remove transitional packages provided in wheezy linux-latest (46) unstable; urgency=low * Set Priority: extra, as currently overridden in the archive (Closes: #689846) * Add Czech debconf template translation (Michal Šimůnek) (Closes: #685501) * Update to 3.2.0-4 (Closes: #688222, #689864) linux-latest (45) unstable; urgency=low * Update to 3.2.0-3 linux-latest (44) unstable; urgency=high [ Ben Hutchings ] * Update debconf template translations: - Add Polish (Michał Kułach) (Closes: #659571) - Add Turkish (Mert Dirik) (Closes: #660119) * Update standards-version to 3.9.3: - Do not move packages to the 'metapackages' section, as that will cause APT not to auto-remove their dependencies * Move transitional packages to the section 'oldlibs', so that APT will treat the replacement packages as manually installed * Update to 3.2.0-2 * Stop generating linux-{headers,image}-2.6- transitional packages for flavours added since Linux 3.0 linux-latest (43) unstable; urgency=low * Add Vcs-{Svn,Browser} fields * Add debconf template translations: - Danish (Joe Hansen) (Closes: #656642) - Spanish (Slime Siabef) (Closes: #654681) - Italian (Stefano Canepa) (Closes: #657386) * [s390] Update the check for flavours without modules, removing the useless linux-headers{,-2.6}-s390x-tape packages linux-latest (42) unstable; urgency=low * Rename source package to linux-latest * Add debconf template translations: - Portugese (Miguel Figueiredo) (Closes: #651123) - Serbian latin (Zlatan Todoric) (Closes: #635895) - Russian (Yuri Kozlov) (Closes: #652431) - Japanese (Nobuhiro Iwamatsu) (Closes: #655687) * Update to 3.2.0-1 linux-latest-2.6 (41) unstable; urgency=low * Remove dependency on module makefiles in linux-support package * Update to 3.1.0-1 linux-latest-2.6 (40) unstable; urgency=low * Add debconf template translations: - Serbian cyrillic (Zlatan Todoric) (Closes: #635893) - German (Holger Wansing) (Closes: #637764) - French (Debian French l10n team) (Closes: #636624) - Swedish (Martin Bagge) (Closes: #640058) - Dutch (Jeroen Schot) (Closes: #640115) - Catalan (Innocent De Marchi) (Closes: #642109) * Update to 3.0.0-2 linux-latest-2.6 (39) unstable; urgency=low * Update to 3.0.0-1 linux-latest-2.6 (38) experimental; urgency=low * Correct xen-linux-system transitional package names linux-latest-2.6 (37) experimental; urgency=low * Update to 3.0.0-rc5 * Restore xen-linux-system- packages * Remove common description text from linux-image-2.6- packages linux-latest-2.6 (36) experimental; urgency=low * Update to 3.0.0-rc1 - Add linux-doc, linux-headers-, linux-source and linux-tools packages - Change *-2.6-* to transitional packages linux-latest-2.6 (35.1) unstable; urgency=low [ Bastian Blank ] * Update to 2.6.39-2. linux-latest-2.6 (35) unstable; urgency=low * Update to 2.6.39-1 - Change linux-image{,-2.6}-686{,-bigmem} to transitional packages linux-latest-2.6 (34) unstable; urgency=low * [hppa] Update to 2.6.38-2a linux-latest-2.6 (33) unstable; urgency=low * Update to 2.6.38-2 linux-latest-2.6 (32) unstable; urgency=low * Update to 2.6.38-1 linux-latest-2.6 (31) unstable; urgency=low * Update to 2.6.37-2 linux-latest-2.6 (30) unstable; urgency=low * Update to 2.6.37-1 linux-latest-2.6 (29) unstable; urgency=low * Add xen-linux-system-2.6-* meta-packages (Closes: #402414) * Add bug presubj message for image meta packages directing users to the real image packages (Closes: #549591) * Fix repetition in description of linux-image-2.6-xen-amd64 (Closes: #598648) * [x86] Correct lists of suitable processors linux-latest-2.6 (28) unstable; urgency=low * Move NEWS from linux-2.6, since apt-listchanges only shows it for upgraded packages * Add linux-tools-2.6 meta package * Change versions for linux-doc-2.6 and linux-source-2.6 to match those of the other meta packages linux-latest-2.6 (27) unstable; urgency=low * Really build linux-doc-2.6 and linux-source-2.6 meta packages linux-latest-2.6 (26) unstable; urgency=low [ Joachim Breitner ] * Create linux-doc-2.6 and linux-source-2.6 meta packages (Closes: 347284) [ Ben Hutchings ] * Update to 2.6.32-5. * Update standards-version to 3.8.4; no changes required. * Explicitly describe all packages as meta-packages. linux-latest-2.6 (25) unstable; urgency=high * Update package description templates in line with linux-2.6. * Update to 2.6.32-3. * Set urgency to 'high' since this must transition with linux-2.6. linux-latest-2.6 (24) unstable; urgency=low * Update to 2.6.32-2. linux-latest-2.6 (23) unstable; urgency=low * Update to 2.6.32-trunk. linux-latest-2.6 (22) unstable; urgency=low * Update to 2.6.31-1. linux-latest-2.6 (21) unstable; urgency=low [ Bastian Blank ] * Update to 2.6.30-2. [ Ben Hutchings ] * Add myself to uploaders. linux-latest-2.6 (20) unstable; urgency=low * Move into kernel section. * Update to 2.6.30-1. linux-latest-2.6 (19) unstable; urgency=low * Update to 2.6.29-2. * Use debhelper compat level 7. * Update copyright file. linux-latest-2.6 (18) unstable; urgency=low * Update to 2.6.29-1. * Use dh_prep. * Remove lenny transition packages. linux-latest-2.6 (17) unstable; urgency=low * Use correct part of the config for image type. * Add description parts to all image packages. linux-latest-2.6 (16) unstable; urgency=low * Rebuild to pick up new images linux-latest-2.6 (15) unstable; urgency=low * Update to 2.6.26-1. * Make linux-image-* complete meta packages. linux-latest-2.6 (14) unstable; urgency=low * Update to 2.6.25-2. linux-latest-2.6 (13) unstable; urgency=low * Add transitional packages for k7. linux-latest-2.6 (12) unstable; urgency=low * Update to 2.6.24-1. linux-latest-2.6 (11) unstable; urgency=low * Update to 2.6.22-3. linux-latest-2.6 (10) unstable; urgency=low * Update to 2.6.22-2. linux-latest-2.6 (9) unstable; urgency=low * Update to 2.6.22-1. linux-latest-2.6 (8) unstable; urgency=low * Update to 2.6.21-2. * Add modules meta packages. * Provide linux-latest-modules-*. (closes: #428783) linux-latest-2.6 (7) unstable; urgency=low * Update to 2.6.21-1. * Remove etch transition packages. linux-latest-2.6 (6) unstable; urgency=low * Update to 2.6.18-4. * i386: Add amd64 transition packages. linux-latest-2.6 (5) unstable; urgency=low * Update to 2.6.18-3. Source tzdata, binaries: tzdata:amd64 tzdata:arm64 tzdata (2021a-0+deb10u7) buster-security; urgency=medium * Cherry-pick patches from upstream (thanks Aurelien Jarno): - 10-no-leap-second-2022-12-31.patch: update leap-seconds.list, new expiration date on 28 June 2023. - 11-palestine-dst3.patch: Palestine transitions are now Saturdays at 02:00. This means 2022 falls back 10-29 at 02:00, not 10-28 at 01:00. -- Steve McIntyre <93sam@debian.org> Mon, 10 Oct 2022 16:11:18 +0000 10.13.2-20220925 Updates in 3 source package(s), 8 binary package(s): Source bzip2, binaries: bzip2:amd64 libbz2-1.0:amd64 bzip2:arm64 libbz2-1.0:arm64 bzip2 (1.0.6-9.2~deb10u2) buster-security; urgency=medium * Append -D_FILE_OFFSET_BITS=64 variable to buildflags, to renable handling big files in 32-bit archs (Closes: #944557) * debian/patches/40-bzdiff-l.patch: Fix bzdiff does not work when comparing two bzip2 compressed files. Thanks to Joey Schulze . (Closes: #965309) Source expat, binaries: libexpat1:amd64 libexpat1:arm64 expat (2.2.6-2+deb10u5) buster-security; urgency=high * Non-maintainer upload by the LTS Team. * CVE-2022-40674 heap use-after-free issue in doContent() (based on the backport for Bullseye made by Laszlo Boszormenyi) * update test-* patches to be able to run testsuite * debian/rules: add run of testsuite (but leave it deactivated as I only tested on amd64) Source glib2.0, binaries: libglib2.0-0:amd64 libglib2.0-0:arm64 glib2.0 (2.58.3-2+deb10u4) buster-security; urgency=medium * CVE-2021-3800: information leak using CHARSETALIASDIR envvar. -- Steve McIntyre <93sam@debian.org> Sun, 25 Sep 2022 14:56:18 +0000 10.13.1-20220915 Updates in 3 source package(s), 6 binary package(s): Source glib2.0, binaries: libglib2.0-0:amd64 libglib2.0-0:arm64 glib2.0 (2.58.3-2+deb10u4) buster-security; urgency=medium * CVE-2021-3800: information leak using CHARSETALIASDIR envvar. Source sqlite3, binaries: libsqlite3-0:amd64 libsqlite3-0:arm64 sqlite3 (3.27.2-3+deb10u2) buster-security; urgency=high * CVE-2020-35525: Prevent a potential null pointer deference issue in INTERSEC query processing. * CVE-2020-35527: Prevent an out-of-bounds access issue that could be exploited via ALTER TABLE in views that have a nested FROM clauses. * CVE-2021-20223: Prevent an issue with the "unicode61" tokenizer related to Unicode control characters ("class Cc") and embedded NUL characters being misinterpreted as tokens. Source zlib, binaries: zlib1g:amd64 zlib1g:arm64 zlib (1:1.2.11.dfsg-1+deb10u2) buster-security; urgency=medium * Non-maintainer upload by the LTS Team. * CVE-2022-37434: heap buffer overflow via large gzip header extra field (Closes: #1016710). -- Steve McIntyre <93sam@debian.org> Thu, 15 Sep 2022 12:47:24 +0000 10.13.0 First build for 10.13.0 release -- Steve McIntyre <93sam@debian.org> Sat, 10 Sep 2022 21:13:47 +0000