| Package | Reason |
|---|---|
| acmetool | Rebuild against recent golang to pick up security fixes |
| atril | dvi: Mitigate command injection attacks by quoting filename [CVE-2017-1000159]; fix overflow checks in tiff backend [CVE-2019-1010006]; tiff: Handle failure from TIFFReadRGBAImageOriented [CVE-2019-11459] |
| bacula | Add transitional package bacula-director-common, avoiding loss of /etc/bacula/bacula-dir.conf when purged; make PID files owned by root |
| base-files | Update /etc/debian_version for the point release |
| batik | Fix server-side request forgery via xlink:href attributes [CVE-2019-17566] |
| c-icap-modules | Support ClamAV 0.102 |
| ca-certificates | Update Mozilla CA bundle to 2.40, blacklist distrusted Symantec roots and expired AddTrust External Root; remove e-mail only certificates |
| chasquid | Rebuild against recent golang to pick up security fixes |
| checkstyle | Fix XML External Entity injection issue [CVE-2019-9658 CVE-2019-10782] |
| clamav | New upstream release [CVE-2020-3123]; security fixes [CVE-2020-3327 CVE-2020-3341] |
| compactheader | New upstream version, compatible with newer Thunderbird versions |
| cram | Ignore test failures to fix build issues |
| csync2 | Fail HELLO command when SSL is required |
| cups | Fix heap buffer overflow [CVE-2020-3898] and under-read of an extension field in the `ippReadIO` function [CVE-2019-8842] |
| dbus | New upstream stable release; prevent a denial of service issue [CVE-2020-12049]; prevent use-after-free if two usernames share a uid |
| debian-installer | Update for the 4.9.0-13 Linux kernel ABI |
| debian-installer-netboot-images | Rebuild against stretch-proposed-updates |
| debian-security-support | Update support status of several packages |
| erlang | Fix use of weak TLS ciphers [CVE-2020-12872] |
| exiv2 | Fix denial of service issue [CVE-2018-16336]; fix over-restrictive fix for CVE-2018-10958 and CVE-2018-10999 |
| fex | Security update |
| file-roller | Security fix [CVE-2020-11736] |
| fwupd | New upstream release; use a CNAME to redirect to the correct CDN for metadata; do not abort startup if the XML metadata file is invalid; add the Linux Foundation public GPG keys for firmware and metadata; raise the metadata limit to 10MB |
| glib-networking | Return bad identity error if identity is unset [CVE-2020-13645] |
| gnutls28 | Fix memory corruption issue [CVE-2019-3829]; fix memory leak; add support for zero length session tickets, fix connection errors on TLS1.2 sessions to some hosting providers |
| gosa | Tighten check on LDAP success/failure [CVE-2019-11187]; fix compatibility with newer PHP versions; backport several other patches; replace (un)serialize with json_encode/json_decode to mitigate PHP object injection [CVE-2019-14466] |
| heartbleeder | Rebuild against recent golang to pick up security fixes |
| intel-microcode | Downgrade some microcodes to previously released revisions, working around hangs on boot on Skylake-U/Y and Skylake Xeon E3 |
| iptables-persistent | Don't fail if modprobe does |
| jackson-databind | Fix multiple security issues affecting BeanDeserializerFactory [CVE-2020-9548 CVE-2020-9547 CVE-2020-9546 CVE-2020-8840 CVE-2020-14195 CVE-2020-14062 CVE-2020-14061 CVE-2020-14060 CVE-2020-11620 CVE-2020-11619 CVE-2020-11113 CVE-2020-11112 CVE-2020-11111 CVE-2020-10969 CVE-2020-10968 CVE-2020-10673 CVE-2020-10672 CVE-2019-20330 CVE-2019-17531 and CVE-2019-17267] |
| libbusiness-hours-perl | Use explicit 4 digit years, fixing build and usage issues |
| libclamunrar | New upstream stable release; add an unversioned meta-package |
| libdbi | Comment out _error_handler() call again, fixing issues with consumers |
| libembperl-perl | Handle error pages from Apache >= 2.4.40 |
| libexif | Security fixes [CVE-2016-6328 CVE-2017-7544 CVE-2018-20030 CVE-2020-12767 CVE-2020-0093]; security fixes [CVE-2020-13112 CVE-2020-13113 CVE-2020-13114]; fix a buffer read overflow [CVE-2020-0182] and an unsigned integer overflow [CVE-2020-0198] |
| libvncserver | Fix heap overflow [CVE-2019-15690] |
| linux | New upstream stable release; update ABI to 4.9.0-13 |
| linux-latest | Update for 4.9.0-13 kernel ABI |
| mariadb-10.1 | New upstream stable release; security fixes [CVE-2020-2752 CVE-2020-2812 CVE-2020-2814] |
| megatools | Add support for the new format of mega.nz links |
| mod-gnutls | Avoid deprecated ciphersuites in test suite; fix test failures when combined with Apache's fix for CVE-2019-10092 |
| mongo-tools | Rebuild against recent golang to pick up security fixes |
| neon27 | Treat OpenSSL-related test failures as non-fatal |
| nfs-utils | Fix potential file overwrite vulnerability [CVE-2019-3689]; don't make all of /var/lib/nfs owned by the statd user |
| nginx | Fix error page request smuggling vulnerability [CVE-2019-20372] |
| node-url-parse | Sanitize paths and hosts before parsing [CVE-2018-3774] |
| nvidia-graphics-drivers | New upstream stable release; new upstream stable release; security fixes [CVE-2020-5963 CVE-2020-5967] |
| pcl | Fix missing dependency on libvtk6-qt-dev |
| perl | Fix multiple regular expression related security issues [CVE-2020-10543 CVE-2020-10878 CVE-2020-12723] |
| php-horde | Fix cross-site scripting vulnerability [CVE-2020-8035] |
| php-horde-data | Fix authenticated remote code execution vulnerability [CVE-2020-8518] |
| php-horde-form | Fix authenticated remote code execution vulnerability [CVE-2020-8866] |
| php-horde-gollem | Fix cross-site scripting vulnerability in breadcrumb output [CVE-2020-8034] |
| php-horde-trean | Fix authenticated remote code execution vulnerability [CVE-2020-8865] |
| phpmyadmin | Several security fixes [CVE-2018-19968 CVE-2018-19970 CVE-2018-7260 CVE-2019-11768 CVE-2019-12616 CVE-2019-6798 CVE-2019-6799 CVE-2020-10802 CVE-2020-10803 CVE-2020-10804 CVE-2020-5504] |
| postfix | New upstream stable release |
| proftpd-dfsg | Fix handling SSH_MSG_IGNORE packets |
| python-icalendar | Fix Python3 dependencies |
| rails | Fix possible cross-site scripting via JavaScript escape helper [CVE-2020-5267] |
| rake | Fix command injection vulnerability [CVE-2020-8130] |
| roundcube | Fix cross-site scripting issue via HTML messages with malicious svg/namespace [CVE-2020-15562] |
| ruby-json | Fix unsafe object creation vulnerability [CVE-2020-10663] |
| ruby2.3 | Fix unsafe object creation vulnerability [CVE-2020-10663] |
| sendmail | Fix finding the queue runner control process in split daemon mode, NOQUEUE: connect from (null), removal failure when using BTRFS |
| sogo-connector | New upstream version, compatible with newer Thunderbird versions |
| ssvnc | Fix out-of-bounds write [CVE-2018-20020], infinite loop [CVE-2018-20021], improper initialisation [CVE-2018-20022], potential denial-of-service [CVE-2018-20024] |
| storebackup | Fix possible privilege escalation vulnerability [CVE-2020-7040] |
| swt-gtk | Fix missing dependency on libwebkitgtk-1.0-0 |
| tinyproxy | Create PID file before dropping privileges to non-root account [CVE-2017-11747] |
| tzdata | New upstream stable release |
| websockify | Fix missing dependency on python{3,}-pkg-resources |
| wpa | Fix AP mode PMF disconnection protection bypass [CVE-2019-16275]; fix MAC randomisation issues with some cards |
| xdg-utils | Sanitise window name before sending it over D-Bus; correctly handle directories with names containing spaces; create the applications directory if needed |
| xml-security-c | Fix length calculation in the concat method |
| xtrlock | Fix blocking of (some) multitouch devices while locked [CVE-2016-10894] |