Debian Buster Openstack images changelog 10.4.3-20200610 Updates in 2 source package(s), 2 binary package(s): Source linux-signed-amd64, binaries: linux-image-4.19.0-9-cloud-amd64:amd64 linux-signed-amd64 (4.19.118+2+deb10u1) buster-security; urgency=high * Sign kernel from linux 4.19.118-2+deb10u1 [ Salvatore Bonaccorso ] * selinux: properly handle multiple messages in selinux_netlink_send() (CVE-2020-10751) * fs/namespace.c: fix mountpoint reference counter race (CVE-2020-12114) * USB: core: Fix free-while-in-use bug in the USB S-Glibrary (CVE-2020-12464) * [x86] KVM: SVM: Fix potential memory leak in svm_cpu_init() (CVE-2020-12768) * scsi: sg: add sg_remove_request in sg_write (CVE-2020-12770) * USB: gadget: fix illegal array access in binding with UDC (CVE-2020-13143) * netlabel: cope with NULL catmap (CVE-2020-10711) * fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info() (CVE-2020-10732) * kernel/relay.c: handle alloc_percpu returning NULL in relay_open (CVE-2019-19462) * mm: Fix mremap not considering huge pmd devmap (CVE-2020-10757) * [x86] KVM: nVMX: Always sync GUEST_BNDCFGS when it comes from vmcs01 * KVM: Introduce a new guest mapping API * [arm64] kvm: fix compilation on aarch64 * [s390x] kvm: fix compilation on s390 * [s390x] kvm: fix compile on s390 part 2 * KVM: Properly check if "page" is valid in kvm_vcpu_unmap * [x86] kvm: Introduce kvm_(un)map_gfn() (CVE-2019-3016) * [x86] kvm: Cache gfn to pfn translation (CVE-2019-3016) * [x86] KVM: Make sure KVM_VCPU_FLUSH_TLB flag is not missed (CVE-2019-3016) * [x86] KVM: Clean up host's steal time structure (CVE-2019-3016) * include/uapi/linux/swab.h: fix userspace breakage, use __BITS_PER_LONG for swap (Closes: #960271) [ Ben Hutchings ] * propagate_one(): mnt_set_mountpoint() needs mount_lock * [x86] Add support for mitigation of Special Register Buffer Data Sampling (SRBDS) (CVE-2020-0543): - x86/cpu: Add 'table' argument to cpu_matches() - x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation - x86/speculation: Add SRBDS vulnerability and mitigation documentation - x86/speculation: Add Ivy Bridge to affected list * [x86] speculation: Do not match steppings, to avoid an ABI change Source linux-signed-arm64, binaries: linux-image-4.19.0-9-arm64:arm64 linux-signed-arm64 (4.19.118+2+deb10u1) buster-security; urgency=high * Sign kernel from linux 4.19.118-2+deb10u1 [ Salvatore Bonaccorso ] * selinux: properly handle multiple messages in selinux_netlink_send() (CVE-2020-10751) * fs/namespace.c: fix mountpoint reference counter race (CVE-2020-12114) * USB: core: Fix free-while-in-use bug in the USB S-Glibrary (CVE-2020-12464) * [x86] KVM: SVM: Fix potential memory leak in svm_cpu_init() (CVE-2020-12768) * scsi: sg: add sg_remove_request in sg_write (CVE-2020-12770) * USB: gadget: fix illegal array access in binding with UDC (CVE-2020-13143) * netlabel: cope with NULL catmap (CVE-2020-10711) * fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info() (CVE-2020-10732) * kernel/relay.c: handle alloc_percpu returning NULL in relay_open (CVE-2019-19462) * mm: Fix mremap not considering huge pmd devmap (CVE-2020-10757) * [x86] KVM: nVMX: Always sync GUEST_BNDCFGS when it comes from vmcs01 * KVM: Introduce a new guest mapping API * [arm64] kvm: fix compilation on aarch64 * [s390x] kvm: fix compilation on s390 * [s390x] kvm: fix compile on s390 part 2 * KVM: Properly check if "page" is valid in kvm_vcpu_unmap * [x86] kvm: Introduce kvm_(un)map_gfn() (CVE-2019-3016) * [x86] kvm: Cache gfn to pfn translation (CVE-2019-3016) * [x86] KVM: Make sure KVM_VCPU_FLUSH_TLB flag is not missed (CVE-2019-3016) * [x86] KVM: Clean up host's steal time structure (CVE-2019-3016) * include/uapi/linux/swab.h: fix userspace breakage, use __BITS_PER_LONG for swap (Closes: #960271) [ Ben Hutchings ] * propagate_one(): mnt_set_mountpoint() needs mount_lock * [x86] Add support for mitigation of Special Register Buffer Data Sampling (SRBDS) (CVE-2020-0543): - x86/cpu: Add 'table' argument to cpu_matches() - x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation - x86/speculation: Add SRBDS vulnerability and mitigation documentation - x86/speculation: Add Ivy Bridge to affected list * [x86] speculation: Do not match steppings, to avoid an ABI change -- Steve McIntyre <93sam@debian.org> Wed, 10 Jun 2020 16:29:58 +0100 10.4.2-20200608 Updates in 3 source package(s), 8 binary package(s): Source gnutls28, binaries: libgnutls30:amd64 libgnutls30:arm64 gnutls28 (3.6.7-4+deb10u4) buster-security; urgency=high * Non-maintainer upload by the Security Team. * GNUTLS-SA-2020-06-03: Flaw in TLS session ticket key construction (CVE-2020-13777) (Closes: #962289) Source bind9, binaries: libdns-export1104:amd64 libisc-export1100:amd64 libdns-export1104:arm64 libisc-export1100:arm64 bind9 (1:9.11.5.P4+dfsg-5.1+deb10u1) buster-security; urgency=high * [CVE-2019-6477]: TCP-pipelined queries can bypass tcp-clients limit. (Closes: #945171) * [CVE-2020-8616]: Fix NXNSATTACK amplification attack on BIND 9 * [CVE-2020-8617]: Fix assertion failure in TSIG processing code Source ca-certificates, binaries: ca-certificates:amd64 ca-certificates:arm64 ca-certificates (20200601~deb10u1) buster; urgency=medium * Rebuild for buster. * Merge changes from 20200601 - d/control; set d/gbp.conf branch to debian-buster * This release updates the Mozilla CA bundle to 2.40, blacklists distrusted Symantec roots, and blacklists expired "AddTrust External Root". Closes: #956411, #955038, #911289, #961907 ca-certificates (20200601) unstable; urgency=medium * debian/control: Set Standards-Version: 4.5.0.2 Set Build-Depends: debhelper-compat (= 13) * debian/copyright: Replace tabs in license text * mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority bundle to version 2.40. Closes: #956411, #955038 * mozilla/blacklist.txt Add distrusted Symantec CA list to blacklist for explicit removal. Closes: #911289 Blacklist expired root certificate, "AddTrust External Root" Closes: #961907 The following certificate authorities were added (+): + "Certigna Root CA" + "emSign ECC Root CA - C3" + "emSign ECC Root CA - G3" + "emSign Root CA - C1" + "emSign Root CA - G1" + "Entrust Root Certification Authority - G4" + "GTS Root R1" + "GTS Root R2" + "GTS Root R3" + "GTS Root R4" + "Hongkong Post Root CA 3" + "UCA Extended Validation Root" + "UCA Global G2 Root" The following certificate authorities were removed (-): - "AddTrust External Root" - "Certinomis - Root CA" - "Certplus Class 2 Primary CA" - "Deutsche Telekom Root CA 2" - "GeoTrust Global CA" - "GeoTrust Primary Certification Authority" - "GeoTrust Primary Certification Authority - G2" - "GeoTrust Primary Certification Authority - G3" - "GeoTrust Universal CA" - "thawte Primary Root CA" - "thawte Primary Root CA - G2" - "thawte Primary Root CA - G3" - "VeriSign Class 3 Public Primary Certification Authority - G4" - "VeriSign Class 3 Public Primary Certification Authority - G5" - "VeriSign Universal Root Certification Authority" 10.4.1-20200515 -- Steve McIntyre <93sam@debian.org> Tue, 09 Jun 2020 17:34:01 +0100 Updates in 1 source package(s), 8 binary package(s): Source apt, binaries: apt:amd64 apt-utils:amd64 libapt-inst2.0:amd64 libapt-pkg5.0:amd64 apt:arm64 apt-utils:arm64 libapt-inst2.0:arm64 libapt-pkg5.0:arm64 apt (1.8.2.1) buster-security; urgency=high * SECURITY UPDATE: Out of bounds read in ar, tar implementations (LP: #1878177) - apt-pkg/contrib/arfile.cc: Fix out-of-bounds read in member name - apt-pkg/contrib/arfile.cc: Fix out-of-bounds read on unterminated member names in error path - apt-pkg/contrib/extracttar.cc: Fix out-of-bounds read on unterminated member names in error path - CVE-2020-3810 * .gitlab.ci.yml: Point to debian:buster -- Steve McIntyre <93sam@debian.org> Sun, 17 May 2020 01:07:37 +0100 10.4.0 First build for 10.4.0 release -- Steve McIntyre <93sam@debian.org> Sun, 10 May 2020 01:11:39 +0100