Debian Buster Openstack images changelog

10.1.4-20191009

Updates in 1 source package(s), 6 binary package(s):

  Source openssh, binaries: openssh-client:amd64 openssh-server:amd64 openssh-sftp-server:amd64 openssh-client:arm64 openssh-server:arm64 openssh-sftp-server:arm64

  openssh (1:7.9p1-10+deb10u1) buster-security; urgency=high

    * Apply upstream patch to deny (non-fatally) shmget/shmat/shmdt in preauth
      privsep child, coping with changes in OpenSSL 1.1.1d that broke OpenSSH
      on Linux kernels before 3.19 (closes: #941663).

 -- Steve McIntyre <93sam@debian.org> Wed, 09 Oct 2019 12:38:48 +0100

10.1.3-20191003

Updates in 2 source package(s), 12 binary package(s):

  Source openssl, binaries: libssl1.1:amd64 openssl:amd64 libssl1.1:arm64 openssl:arm64

  openssl (1.1.1d-0+deb10u1) buster-security; urgency=medium

    * New upstream version
      - CVE-2019-1549 (Fixed a fork protection issue).
      - CVE-2019-1547 (Compute ECC cofactors if not provided during EC_GROUP
        construction).
      - CVE-2019-1563 (Fixed a padding oracle in PKCS7_dataDecode and
        CMS_decrypt_set1_pkey).
    * Update symbol list

  Source e2fsprogs, binaries: e2fsprogs:amd64 libcom-err2:amd64 libext2fs2:amd64 libss2:amd64 e2fsprogs:arm64 libcom-err2:arm64 libext2fs2:arm64 libss2:arm64

  e2fsprogs (1.44.5-1+deb10u2) buster-security; urgency=high

    * Fix CVE-2019-5094: potential buffer overrun in e2fsck (Closes: #941139)

 -- Steve McIntyre <93sam@debian.org> Fri, 04 Oct 2019 15:44:50 +0100

Updates in 2 source package(s), 2 binary package(s):

  Source linux-signed-amd64, binaries: linux-image-4.19.0-6-cloud-amd64:amd64

  linux-signed-amd64 (4.19.67+2+deb10u1) buster-security; urgency=high

    * Sign kernel from linux 4.19.67-2+deb10u1

    [ Romain Perier ]
    * ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit (CVE-2019-15117)
    * ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term
      (CVE-2019-15118)

    [ Salvatore Bonaccorso ]
    * vhost: make sure log_num < in_num (CVE-2019-14835)
    * [x86] ptrace: fix up botched merge of spectrev1 fix (CVE-2019-15902)
    * KVM: coalesced_mmio: add bounds checking (CVE-2019-14821)

  Source linux-signed-arm64, binaries: linux-image-4.19.0-6-arm64:arm64

  linux-signed-arm64 (4.19.67+2+deb10u1) buster-security; urgency=high

    * Sign kernel from linux 4.19.67-2+deb10u1

    [ Romain Perier ]
    * ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit (CVE-2019-15117)
    * ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term
      (CVE-2019-15118)

    [ Salvatore Bonaccorso ]
    * vhost: make sure log_num < in_num (CVE-2019-14835)
    * [x86] ptrace: fix up botched merge of spectrev1 fix (CVE-2019-15902)
    * KVM: coalesced_mmio: add bounds checking (CVE-2019-14821)

 -- Steve McIntyre <93sam@debian.org> Thu, 26 Sep 2019 02:18:53 +0100

10.1.1-20190923

Updates in 2 source package(s), 4 binary package(s):

  Source expat, binaries: libexpat1:amd64 libexpat1:arm64

  expat (2.2.6-2+deb10u1) buster-security; urgency=high

    * Non-maintainer upload by the Security Team.
    * xmlparse.c: Deny internal entities closing the doctype (CVE-2019-15903)
      (Closes: #939394)

  Source tzdata, binaries: tzdata:amd64 tzdata:arm64

  tzdata (2019c-0+deb10u1) buster; urgency=medium

    * New upstream version, affecting the following future timestamps:
      - Fiji's next DST transitions will be 2019-11-10 and 2020-01-12
        instead of 2019-11-03 and 2020-01-19.
      - Norfolk Island will observe Australian-style DST starting in
        spring 2019. The first transition is on 2019-10-06.

 -- Steve McIntyre <93sam@debian.org> Mon, 23 Sep 2019 16:44:17 -0700

10.1.0

First build for 10.1.0 release

 -- Steve McIntyre <93sam@debian.org> Sun, 08 Sep 2019 16:45:22 +0100