Debian buster Openstack images changelog

10.11.3-20220130

Updates in 1 source package(s), 2 binary package(s):

  Source lxml, binaries: python-lxml:amd64 python-lxml:arm64
  lxml (4.3.2-1+deb10u4) buster-security; urgency=high

    * Non-maintainer upload by the Security Team.
    * Cleaner: Prevent "@import" from re-occurring in the CSS after
      replacements, e.g. "@@importimport" (CVE-2021-43818)
      (Closes: #1001885)
    * Cleaner: Remove SVG image data URLs since they can embed script
      content (CVE-2021-43818) (Closes: #1001885)

 -- Steve McIntyre <93sam@debian.org>  Mon, 31 Jan 2022 02:32:54 +0000

10.11.2-20211129

Updates in 1 source package(s), 2 binary package(s):

  Source icu, binaries: libicu63:amd64 libicu63:arm64
  icu (63.1-6+deb10u2) buster-security; urgency=high

    * Non-maintainer upload by the Security Team.
    * Use LocalMemory for cmd to prevent use after free (CVE-2020-21913)

 -- Steve McIntyre <93sam@debian.org>  Tue, 30 Nov 2021 05:07:38 +0000

10.11.1-20211029

Updates in 2 source package(s), 6 binary package(s):

  Source bind9, binaries: libdns-export1104:amd64 libisc-export1100:amd64 libdns-export1104:arm64 libisc-export1100:arm64
  bind9 (1:9.11.5.P4+dfsg-5.1+deb10u6) buster-security; urgency=high

    * CVE-2021-25219: The "lame-ttl" option is now forcibly set to 0. This
      effectively disables the lame server cache, as it could previously be
      abused by an attacker to significantly degrade resolver performance.

  Source tzdata, binaries: tzdata:amd64 tzdata:arm64
  tzdata (2021a-0+deb10u3) buster; urgency=medium

    * Cherry-pick patches from tzdata-2021d and tzdata-2021e:
      - 04-fiji-dst.patch: Fiji suspends DST for the 2021/2022 season.
      - 05-palestine-dst.patch: Palestine will fall back 2021-10-29 (not
        2021-10-30) at 01:00.

 -- Steve McIntyre <93sam@debian.org>  Fri, 29 Oct 2021 05:02:59 +0000

10.11.0

First build for 10.11.0 release

 -- Steve McIntyre <93sam@debian.org>  Sat, 09 Oct 2021 20:19:55 +0000