Debian stretch Openstack images changelog

9.13.22-20210531

Updates in 2 source package(s), 4 binary package(s):

Source libxml2, binaries: libxml2:amd64 libxml2:arm64

libxml2 (2.9.4+dfsg1-2.2+deb9u5) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS Team.
  * CVE-2021-3541
    Fix for "Parameter Laughs"-attack, that is similar to the "Billion Laughs"-attacks found earlier in libexpat.

Source lz4, binaries: liblz4-1:amd64 liblz4-1:arm64

lz4 (0.0~r131-2+deb9u1) stretch-security; urgency=high

  * CVE-2021-3520: Fix a potential memory corruption vulnerability that could be exploited with a negative memmove(3) size argument. (Closes: #987856)

 -- Steve McIntyre <93sam@debian.org> Mon, 31 May 2021 16:21:18 +0000

9.13.21-20210511

Updates in 1 source package(s), 2 binary package(s):

Source libxml2, binaries: libxml2:amd64 libxml2:arm64

libxml2 (2.9.4+dfsg1-2.2+deb9u4) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS team.
  * CVE-2021-3516: use-after-free in xmlEncodeEntitiesInternal
  * CVE-2021-3517: heap-based buffer overflow in xmlEncodeEntitiesInternal
  * CVE-2021-3518: use-after-free in xmlXIncludeDoProcess
  * CVE-2021-3537: NULL pointer dereference in xmlValidBuildAContentModel

 -- Steve McIntyre <93sam@debian.org> Wed, 12 May 2021 00:53:25 +0000

9.13.20-20210507

Updates in 5 source package(s), 24 binary package(s):

Source qemu, binaries: qemu-utils:amd64 qemu-utils:arm64

qemu (1:2.8+dfsg-6+deb9u14) stretch-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2021-20257: net: e1000: infinite loop while processing transmit descriptors
  * Fix CVE-2021-20255: A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service.
  * Fix CVE-2021-20203: An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.
  * Fix CVE-2021-3416: A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host resulting in DoS scenario.
  * Fix CVE-2021-3409/CVE-2020-17380: The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or potential code execution.
  * Fix CVE-2021-3392: A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req' from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.

Source python3.5, binaries: libpython3.5-minimal:amd64 libpython3.5-stdlib:amd64 python3.5:amd64 python3.5-minimal:amd64 libpython3.5-minimal:arm64 libpython3.5-stdlib:arm64 python3.5:arm64 python3.5-minimal:arm64

python3.5 (3.5.3-1+deb9u4) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2021-23336: only use '&' as a query string separator
  * CVE-2021-3426: remove the pydoc getfile feature
  * CVE-2021-3177: replace snprintf with Python unicode

Source lxml, binaries: python-lxml:amd64 python-lxml:arm64

lxml (3.7.1-1+deb9u4) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS Team.
  * CVE-2021-28957
    Due to missing input sanitization, XSS is possible for the HTML5 formaction attribute.

Source bind9, binaries: libdns-export162:amd64 libisc-export160:amd64 libdns-export162:arm64 libisc-export160:arm64

bind9 (1:9.10.3.dfsg.P4-12.3+deb9u9) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS Team.
  * CVE-2021-25214: A malformed incoming IXFR transfer could trigger an assertion failure in ``named``, causing it to quit abnormally.
  * CVE-2021-25215: ``named`` crashed when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query.
  * CVE-2021-25216: Compile with system provided SPNEGO
  * Ensure all resources are properly cleaned up when a call to gss_accept_sec_context() fails.

Source python2.7, binaries: libpython2.7-minimal:amd64 libpython2.7-stdlib:amd64 python2.7:amd64 python2.7-minimal:amd64 libpython2.7-minimal:arm64 libpython2.7-stdlib:arm64 python2.7:arm64 python2.7-minimal:arm64

python2.7 (2.7.13-2+deb9u5) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * Update keycert.pem to fix corresponding tests.
  * Disable some failing tests (see debian/TODO).
  * CVE-2021-23336: only use '&' as a query string separator.
  * CVE-2019-16935: Escape the server title of DocXMLRPCServer.
  * Add debian/.gitlab-ci.yml.

 -- Steve McIntyre <93sam@debian.org> Fri, 07 May 2021 06:15:15 +0000

9.13.19-20210320

Updates in 2 source package(s), 6 binary package(s):

Source cloud-init, binaries: cloud-init:amd64 cloud-init:arm64

cloud-init (0.7.9-2+deb9u1) stretch-security; urgency=medium

  * Avoid logging generated passwords (CVE-2021-3429) (Closes: #985540)

Source shadow, binaries: login:amd64 passwd:amd64 login:arm64 passwd:arm64

shadow (1:4.4-4.1+deb9u1) stretch-security; urgency=high

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2017-20002: revert adding pts/0 and pts/1 to securetty. Adding pts/* defeats the purpose of securetty. Let containers add it if needed as described in #830255. (cherry-picked from 1:4.5-1) See also #877374 (previous proposed update) and #914957 (/etc/securetty will be dropped in bullseye).
  * CVE-2017-12424: the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts. (Closes: #756630)

 -- Steve McIntyre <93sam@debian.org> Sat, 20 Mar 2021 22:16:44 +0000

9.13.18-20210314

Updates in 1 source package(s), 2 binary package(s):

Source ca-certificates, binaries: ca-certificates:amd64 ca-certificates:arm64

ca-certificates (20200601~deb9u2) stretch-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * mozilla/blacklist: Revert Symantec CA blacklist (#911289). Closes: #962596
    The following root certificates were added back (+):
    + "GeoTrust Global CA"
    + "GeoTrust Primary Certification Authority"
    + "GeoTrust Primary Certification Authority - G2"
    + "GeoTrust Primary Certification Authority - G3"
    + "GeoTrust Universal CA"
    + "thawte Primary Root CA"
    + "thawte Primary Root CA - G2"
    + "thawte Primary Root CA - G3"
    + "VeriSign Class 3 Public Primary Certification Authority - G4"
    + "VeriSign Class 3 Public Primary Certification Authority - G5"
    + "VeriSign Universal Root Certification Authority"
    NOTE: due to bug #743339, CA certificates added back in this version won't automatically be trusted again on upgrade. Affected users may need to reconfigure the package to restore the desired state.

 -- Steve McIntyre <93sam@debian.org> Mon, 15 Mar 2021 01:07:03 +0000

9.13.17-20210308

Updates in 1 source package(s), 2 binary package(s):

Source linux-latest, binaries: linux-image-amd64:amd64 linux-image-arm64:arm64

linux-latest (80+deb9u13) stretch-security; urgency=medium

  * Update kernel to 4.9.0-15

 -- Steve McIntyre <93sam@debian.org> Tue, 09 Mar 2021 15:29:47 +0000

9.13.16-20210219

Updates in 6 source package(s), 16 binary package(s):

Source openssl, binaries: libssl1.1:amd64 openssl:amd64 libssl1.1:arm64 openssl:arm64

openssl (1.1.0l-1~deb9u3) stretch-security; urgency=high

  * CVE-2021-23840: Prevent an issue where "Digital EnVeloPe" EVP-related calls could cause applications to behave incorrectly or crash.
  * CVE-2021-23841: Prevent an issue in the X509 certificate handler caused by the lack of error handling while parsing the "issuer" field.

Source libbsd, binaries: libbsd0:amd64 libbsd0:arm64

libbsd (0.8.3-1+deb9u1) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS Team.
  * CVE-2019-20367
    A non-NUL terminated symbol name in the string table might result in an out-of-bounds read.

Source qemu, binaries: qemu-utils:amd64 qemu-utils:arm64

qemu (1:2.8+dfsg-6+deb9u13) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2020-15469: a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.
  * CVE-2020-15859: QEMU has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000e's MMIO address.
  * CVE-2020-25084: QEMU has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked.
  * CVE-2020-28916: hw/net/e1000e_core.c has an infinite loop via an RX descriptor with a NULL buffer address.
  * CVE-2020-29130: slirp.c has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.
  * CVE-2020-29443: ide_atapi_cmd_reply_end in hw/ide/atapi.c allows out-of-bounds read access because a buffer index is not validated.
  * CVE-2021-20181: 9pfs: ZDI-CAN-10904: QEMU Plan 9 file system TOCTOU privilege escalation vulnerability.
  * CVE-2021-20221: aarch64: GIC: out-of-bound heap buffer access via an interrupt ID field.

Source screen, binaries: screen:amd64 screen:arm64

screen (4.5.0-6+deb9u1) stretch-security; urgency=high

  * [CVE-2021-26937] Fix invalid write access and application crash or possibly unspecified other impact via a crafted UTF-8 character sequence. (Closes: #982435)

Source bind9, binaries: libdns-export162:amd64 libisc-export160:amd64 libdns-export162:arm64 libisc-export160:arm64

bind9 (1:9.10.3.dfsg.P4-12.3+deb9u8) stretch-security; urgency=high

  * CVE-2020-8625: Prevent a buffer overflow attack in the GSSAPI ("Generic Security Services") security policy negotiation. (Closes: #983004)

Source openssl1.0, binaries: libssl1.0.2:amd64 libssl1.0.2:arm64

openssl1.0 (1.0.2u-1~deb9u4) stretch-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * CVE-2021-23840: Prevent an issue where "Digital EnVeloPe" EVP-related calls could cause applications to behave incorrectly or even crash.
  * CVE-2021-23841: Prevent an issue in the X509 certificate handler, caused by the lack of error handling while parsing "issuer" fields.

 -- Steve McIntyre <93sam@debian.org> Fri, 19 Feb 2021 20:32:09 +0000

9.13.15-20210210

Updates in 2 source package(s), 4 binary package(s):

Source gdisk, binaries: gdisk:amd64 gdisk:arm64

gdisk (1.0.1-1+deb9u1) stretch-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Add patch to fix segfault on some weird data structures. (Fixes: CVE-2020-0256)
  * Add patch to fix a bug that could cause crash if a badly-formatted MBR disk was read. (Fixes: CVE-2021-0308)

Source tzdata, binaries: tzdata:amd64 tzdata:arm64

tzdata (2021a-0+deb9u1) stretch-security; urgency=medium

  * New upstream version, affecting the following timestamp:
    - South Sudan changes from +03 to +02 on 2021-02-01.

 -- Steve McIntyre <93sam@debian.org> Wed, 10 Feb 2021 13:13:39 +0000

9.13.14-20210127

Updates in 1 source package(s), 2 binary package(s):

Source sudo, binaries: sudo:amd64 sudo:arm64

sudo (1.8.19p1-2.1+deb9u3) stretch-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Heap-based buffer overflow (CVE-2021-3156)
    - Reset valid_flags to MODE_NONINTERACTIVE for sudoedit
    - Add sudoedit flag checks in plugin that are consistent with front-end
    - Fix potential buffer overflow when unescaping backslashes in user_args
    - Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL
    - Don't assume that argv is allocated as a single flat buffer

 -- Steve McIntyre <93sam@debian.org> Wed, 27 Jan 2021 21:29:22 +0000

9.13.13-20210106

Updates in 1 source package(s), 2 binary package(s):

Source p11-kit, binaries: libp11-kit0:amd64 libp11-kit0:arm64

p11-kit (0.23.3-2+deb9u1) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS team.
  * CVE-2020-29361: Multiple integer overflows.
  * CVE-2020-29362: Heap-based buffer over-read.

 -- Steve McIntyre <93sam@debian.org> Thu, 07 Dec 2020 21:34:23 +0000

9.13.12-20201230

Updates in 2 source package(s), 4 binary package(s):

Source lxml, binaries: python-lxml:amd64 python-lxml:arm64

lxml (3.7.1-1+deb9u3) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS Team.
  * Enable the test suite (non-fatal).
  * Switch to source format 3.0 (quilt), rather than having the patches in debian/patches/ but applied directly without a patch system.
  * Fix regression in Python 2 in the last part of CVE-2020-27783.
  * math-svg.patch: update expected results for the test suite.

Source tzdata, binaries: tzdata:amd64 tzdata:arm64

tzdata (2020e-0+deb9u1) stretch-security; urgency=medium

  * New upstream version, affecting the following timestamp:
    - Volgograd switched to Moscow time on 2020-12-27 at 02:00.

 -- Steve McIntyre <93sam@debian.org> Wed, 30 Dec 2020 16:52:35 +0000

9.13.11-20201218

Updates in 2 source package(s), 4 binary package(s):

Source linux, binaries: linux-image-4.9.0-14-amd64:amd64 linux-image-4.9.0-14-arm64:arm64

linux (4.9.246-2) stretch-security; urgency=high

  * [arm64] Fix FTBFS after Xen netback fix:
    - arm64: Remove redundant mov from LL/SC cmpxchg
    - arm64: Avoid redundant type conversions in xchg() and cmpxchg()
    - arm64: cmpxchg: Use "K" instead of "L" for ll/sc immediate constraint
    - arm64: Use correct ll/sc atomic constraints

Source lxml, binaries: python-lxml:amd64 python-lxml:arm64

lxml (3.7.1-1+deb9u3) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS Team.
  * Enable the test suite (non-fatal).
  * Switch to source format 3.0 (quilt), rather than having the patches in debian/patches/ but applied directly without a patch system.
  * Fix regression in Python 2 in the last part of CVE-2020-27783.
  * math-svg.patch: update expected results for the test suite.

lxml (3.7.1-1+deb9u2) stretch-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * CVE-2020-27783: Backport additional upstream commit a105ab8dc262ec6735977c25c13f0bdfcdec72a7 to address math/svg part of the vulnerability and complete the fix

 -- Steve McIntyre <93sam@debian.org> Fri, 18 Dec 2020 11:42:32 +0000

9.13.10-20201217

Updates in 4 source package(s), 10 binary package(s):

Source openssl, binaries: libssl1.1:amd64 openssl:amd64 libssl1.1:arm64 openssl:arm64

openssl (1.1.0l-1~deb9u2) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS team.
  * CVE-2020-1971: EDIPARTYNAME NULL pointer de-reference.

Source linux, binaries: linux-image-4.9.0-14-amd64:amd64 linux-image-4.9.0-14-arm64:arm64

linux (4.9.246-2) stretch-security; urgency=high

  * [arm64] Fix FTBFS after Xen netback fix:
    - arm64: Remove redundant mov from LL/SC cmpxchg
    - arm64: Avoid redundant type conversions in xchg() and cmpxchg()
    - arm64: cmpxchg: Use "K" instead of "L" for ll/sc immediate constraint
    - arm64: Use correct ll/sc atomic constraints

linux (4.9.246-1) stretch-security; urgency=high

  * New upstream stable update:
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.241
    - tipc: fix the skb_unshare() in tipc_buf_append()
    - net/ipv4: always honour route mtu during forwarding
    - r8169: fix data corruption issue on RTL8402
    - ALSA: bebob: potential info leak in hwdep_read()
    - net: hdlc: In hdlc_rcv, check to make sure dev is an HDLC device
    - net: hdlc_raw_eth: Clear the IFF_TX_SKB_SHARING flag after calling ether_setup
    - nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download()
    - tcp: fix to update snd_wl1 in bulk receiver fast path
    - icmp: randomize the global rate limiter (CVE-2020-25705)
    - cifs: remove bogus debug code
    - [x86] KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages
    - ima: Don't ignore errors from crypto_shash_update()
    - crypto: algif_aead - Do not set MAY_BACKLOG on the async path
    - [x86] EDAC/i5100: Fix error handling order in i5100_init_one()
    - [armhf] media: Revert "media: exynos4-is: Add missed check for pinctrl_lookup_state()"
    - [armhf] media: omap3isp: Fix memleak in isp_probe
    - [armhf] crypto: omap-sham - fix digcnt register handling with export/import
    - [armhf] media: ti-vpe: Fix a missing check and reference count leak
    - regulator: resolve supply after creating regulator
    - ath10k: provide survey info as accumulated data
    - ath6kl: prevent potential array overflow in ath6kl_add_new_sta()
    - ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb()
    - wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680
    - [arm64] ASoC: qcom: lpass-platform: fix memory leak
    - mwifiex: Do not use GFP_KERNEL in atomic context
    - [x86] drm/gma500: fix error check
    - scsi: qla4xxx: Fix an error handling path in 'qla4xxx_get_host_stats()'
    - scsi: csiostor: Fix wrong return value in csio_hw_prep_fw()
    - [x86] VMCI: check return value of get_user_pages_fast() for errors
    - tty: serial: earlycon dependency
    - pty: do tty_flip_buffer_push without port->lock in pty_write
    - [x86] video: fbdev: vga16fb: fix setting of pixclock because a pass-by-value error
    - video: fbdev: sis: fix null ptr dereference
    - HID: roccat: add bounds checking in kone_sysfs_write_settings()
    - ath6kl: wmi: prevent a shift wrapping bug in ath6kl_wmi_delete_pstream_cmd()
    - [amd64] misc: mic: scif: Fix error handling path
    - ALSA: seq: oss: Avoid mutex lock for a long-time ioctl
    - quota: clear padding in v2r1_mem2diskdqb()
    - net: enic: Cure the enic api locking trainwreck
    - iwlwifi: mvm: split a print to avoid a WARNING in ROC
    - usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above.
    - nl80211: fix non-split wiphy information
    - scsi: be2iscsi: Fix a theoretical leak in beiscsi_create_eqs()
    - mwifiex: fix double free
    - IB/mlx4: Fix starvation in paravirt mux/demux
    - IB/mlx4: Adjust delayed work when a dup is observed
    - mtd: lpddr: fix excessive stack usage with clang
    - mtd: mtdoops: Don't write panic data twice
    - [armel,armhf] 9007/1: l2c: fix prefetch bits init in L2X0_AUX_CTRL using DT values
    - RDMA/qedr: Fix use of uninitialized field
    - [x86] perf intel-pt: Fix "context_switch event has no tid" error
    - [arm64] RDMA/hns: Set the unsupported wr opcode
    - overflow: Include header file with SIZE_MAX declaration
    - IB/rdmavt: Fix sizeof mismatch
    - rapidio: fix error handling path
    - rapidio: fix the missed put_device() for rio_mport_add_riodev
    - [arm64,armhf] clk: bcm2835: add missing release if devm_clk_hw_register fails
    - vfio/pci: Clear token on bypass registration failure
    - [armhf] Input: omap4-keypad - fix handling of platform_get_irq() error
    - [armhf] Input: twl4030_keypad - fix handling of platform_get_irq() error
    - [armhf] Input: sun4i-ps2 - fix handling of platform_get_irq() error
    - [x86] KVM: x86: emulating RDPID failure shall return #UD rather than #GP
    - [arm64] dts: qcom: msm8916: Fix MDP/DSI interrupts
    - [arm64] dts: zynqmp: Remove additional compatible string for i2c IPs
    - nvmet: fix uninitialized work for zero kato
    - [x86] crypto: ccp - fix error handling
    - media: firewire: fix memory leak
    - media: ati_remote: sanity check for both endpoints
    - [armhf] media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync
    - [armhf] media: exynos4-is: Fix a reference count leak due to pm_runtime_get_sync
    - [armhf] media: exynos4-is: Fix a reference count leak
    - media: media/pci: prevent memory leak in bttv_probe
    - media: uvcvideo: Ensure all probed info is returned to v4l2
    - mmc: sdio: Check for CISTPL_VERS_1 buffer size
    - media: saa7134: avoid a shift overflow
    - fs: dlm: fix configfs memory leak
    - ntfs: add check for mft record size in superblock
    - PM: hibernate: remove the bogus call to get_gendisk() in software_resume()
    - scsi: mvumi: Fix error return in mvumi_io_attach()
    - scsi: target: core: Add CONTROL field for trace events
    - [amd64] mic: vop: copy data to kernel space then write to io memory
    - [amd64] misc: vop: add round_up(x,4) for vring_size to avoid kernel panic
    - usb: gadget: function: printer: fix use-after-free in __lock_acquire
    - udf: Limit sparing table size
    - udf: Avoid accessing uninitialized data on failed inode read
    - USB: cdc-acm: handle broken union descriptors
    - ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs()
    - misc: rtsx: Fix memory leak in rtsx_pci_probe
    - reiserfs: only call unlock_new_inode() if I_NEW
    - xfs: make sure the rt allocator doesn't run off the end
    - usb: ohci: Default to per-port over-current protection
    - Bluetooth: Only mark socket zapped after unlocking
    - brcmsmac: fix memory leak in wlc_phy_attach_lcnphy
    - rtl8xxxu: prevent potential memory leak
    - Fix use after free in get_capset_info callback.
    - tty: ipwireless: fix error handling
    - ipvs: Fix uninit-value in do_ip_vs_set_ctl()
    - reiserfs: Fix memory leak in reiserfs_parse_options()
    - brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach
    - usb: core: Solve race condition in anchor cleanup functions
    - ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n()
    - usb: cdc-acm: add quirk to blacklist ETAS ES58X devices
    - USB: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync().
    - eeprom: at25: set minimum read/write access stride to 1
    - usb: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets.
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.242
    - SUNRPC: ECONNREFUSED should cause a rebind.
    - efivarfs: Replace invalid slashes with exclamation marks in dentries.
    - tipc: fix memory leak caused by tipc_buf_append()
    - [x86] arch/x86/amd/ibs: Fix re-arming IBS Fetch
    - fuse: fix page dereference after free
    - p54: avoid accessing the data mapped to streaming DMA
    - mtd: lpddr: Fix bad logic in print_drs_error
    - fscrypt: return -EXDEV for incompatible rename or link into encrypted dir
    - fscrypto: move ioctl processing more fully into common code
    - fscrypt: use EEXIST when file already uses different policy
    - f2fs: add trace exit in exception path
    - f2fs: fix to check segment boundary during SIT page readahead
    - um: change sigio_spinlock to a mutex
    - [armel,armhf] 8997/2: hw_breakpoint: Handle inexact watchpoint addresses
    - xfs: fix realtime bitmap/summary file truncation when growing rt volume
    - ath10k: fix VHT NSS calculation when STBC is enabled
    - media: tw5864: check status of tw5864_frameinterval_get
    - mmc: via-sdmmc: Fix data race bug
    - USB: adutux: fix debugging
    - [arm64] mm: return cpu_all_mask when node is NUMA_NO_NODE
    - drivers/net/wan/hdlc_fr: Correctly handle special skb->protocol values
    - md/bitmap: md_bitmap_get_counter returns wrong blocks
    - [armhf] clk: ti: clockdomain: fix static checker warning
    - net: 9p: initialize sun_server.sun_path to have addr's value only when addr is valid
    - ext4: Detect already used quota file early
    - gfs2: add validation checks for size of superblock
    - [armhf] memory: emif: Remove bogus debugfs error handling
    - md/raid5: fix oops during stripe resizing
    - [x86] perf/x86/amd/ibs: Don't include randomized bits in get_ibs_op_count()
    - [x86] perf/x86/amd/ibs: Fix raw sample data accumulation
    - fs: Don't invalidate page buffers in block_write_full_page()
    - NFS: fix nfs_path in case of a rename retry
    - ACPI / extlog: Check for RDMSR failure
    - ACPI: video: use ACPI backlight for HP 635 Notebook
    - ACPI: debug: don't allow debugging when ACPI is disabled
    - acpi-cpufreq: Honor _PSD table setting on new AMD CPUs
    - scsi: mptfusion: Fix null pointer dereferences in mptscsih_remove()
    - btrfs: reschedule if necessary when logging directory items
    - btrfs: cleanup cow block on error
    - btrfs: fix use-after-free on readahead extent after failure to create it
    - [arm64,armhf] usb: dwc3: core: add phy cleanup for probe error handling
    - [arm64,armhf] usb: dwc3: core: don't trigger runtime pm when remove driver
    - vt: keyboard, simplify vt_kdgkbsent
    - vt: keyboard, extend func_buf_lock to readers (CVE-2020-25656)
    - ubifs: dent: Fix some potential memory leaks while iterating entries
    - ubi: check kthread_should_stop() after the setting of task state
    - ceph: promote to unsigned long long before shifting
    - libceph: clear con->out_msg on Policy::stateful_server faults
    - 9P: Cast to loff_t before multiplying
    - ring-buffer: Return 0 on success from ring_buffer_resize()
    - vringh: fix __vringh_iov() when riov and wiov are different
    - tty: make FONTX ioctl use the tty pointer they were actually passed (CVE-2020-25668)
    - cachefiles: Handle readpage error correctly
    - device property: Keep secondary firmware node secondary by type
    - device property: Don't clear secondary pointer for shared primary firmware node
    - [arm64] KVM: arm64: Fix AArch32 handling of DBGD{CCINT,SCRext} and DBGVCR
    - [x86] staging: comedi: cb_pcidas: Allow 2-channel commands for AO subdevice
    - tipc: fix use-after-free in tipc_bcast_get_mode
    - ALSA: usb-audio: Add implicit feedback quirk for Qu-16
    - kthread_worker: prevent queuing delayed work from timer_fn when it is being canceled
    - ftrace: Fix recursion check for NMI test
    - ftrace: Handle tracing when switching between context
    - tracing: Fix out of bounds write in get_trace_buf
    - [armhf] dts: sun4i-a10: fix cpu_alert temperature
    - [x86] kexec: Use up-to-dated screen_info copy to fill boot params
    - of: Fix reserved-memory overlap detection
    - scsi: core: Don't start concurrent async scan on same host
    - vsock: use ns_capable_noaudit() on socket create
    - ACPI: NFIT: Fix comparison to '-ENXIO'
    - vt: Disable KD_FONT_OP_COPY (CVE-2020-28974)
    - fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent
    - USB: serial: cyberjack: fix write-URB completion race
    - USB: serial: option: add LE910Cx compositions 0x1203, 0x1230, 0x1231
    - USB: serial: option: add Telit FN980 composition 0x1055
    - USB: Add NO_LPM quirk for Kingston flash drive
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.243
    - powercap: restrict energy meter to root access (CVE-2020-8694)
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.244
    - regulator: defer probe when trying to get voltage from unresolved supply
    - ring-buffer: Fix recursion protection transitions between interrupt context
    - gfs2: Wake up when sd_glock_disposal becomes zero
    - mm: mempolicy: fix potential pte_unmap_unlock pte error
    - time: Prevent undefined behaviour in timespec64_to_ns()
    - btrfs: reschedule when cloning lots of extents
    - genirq: Let GENERIC_IRQ_IPI select IRQ_DOMAIN_HIERARCHY
    - net: xfrm: fix a race condition during allocing spi
    - perf tools: Add missing swap for ino_generation
    - ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link()
    - can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context
    - can: dev: __can_get_echo_skb(): fix real payload length return value for RTR frames
    - can: can_create_echo_skb(): fix echo skb generation: always use skb_clone()
    - can: peak_usb: add range checking in decode operations
    - can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping
    - xfs: flush new eof page on truncate to avoid post-eof corruption
    - Btrfs: fix missing error return if writeback for extent buffer never started
    - pinctrl: devicetree: Avoid taking direct reference to device name string (CVE-2020-0427)
    - i40e: Fix a potential NULL pointer dereference
    - i40e: add num_vectors checker in iwarp handler
    - i40e: Wrong truncation from u16 to u8
    - i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c
    - i40e: Memory leak in i40e_config_iwarp_qvlist
    - geneve: add transport ports in route lookup for geneve (CVE-2020-25645)
    - ath9k_htc: Use appropriate rs_datalen type
    - gfs2: Free rd_bits later in gfs2_clear_rgrpd to fix use-after-free
    - gfs2: check for live vs. read-only file system in gfs2_fitrim
    - scsi: hpsa: Fix memory leak in hpsa_init_one()
    - drm/amdgpu: perform srbm soft reset always on SDMA resume
    - mac80211: fix use of skb payload instead of header
    - cfg80211: regulatory: Fix inconsistent format argument
    - scsi: scsi_dh_alua: Avoid crash during alua_bus_detach()
    - [amd64] iommu/amd: Increase interrupt remapping table limit to 512 entries
    - xfs: fix flags argument to rmap lookup when converting shared file rmaps
    - xfs: fix rmap key and record comparison functions
    - xfs: fix a missing unlock on error in xfs_fs_map_blocks
    - of/address: Fix of_node memory leak in of_dma_is_coherent
    - [i386] cosa: Add missing kfree in error path of cosa_write
    - perf: Fix get_recursion_context()
    - ext4: correctly report "not supported" for {usr,grp}jquota when !CONFIG_QUOTA
    - ext4: unlock xattr_sem properly in ext4_inline_data_truncate()
    - usb: cdc-acm: Add DISABLE_ECHO for Renesas USB Download mode
    - [x86] mei: protect mei_cl_mtu from null dereference
    - ocfs2: initialize ip_next_orphan
    - don't dump the threads that had been already exiting when zapped.
    - [x86] drm/gma500: Fix out-of-bounds access to struct drm_device.vblank[]
    - [x86] pinctrl: amd: use higher precision for 512 RtcClk
    - [x86] pinctrl: amd: fix incorrect way to disable debounce filter
    - swiotlb: fix "x86: Don't panic if can not alloc buffer for swiotlb"
    - IPv6: Set SIT tunnel hard_header_len to zero
    - net/x25: Fix null-ptr-deref in x25_connect
    - net: Update window_clamp if SOCK_RCVBUF is set
    - random32: make prandom_u32() output unpredictable
    - [x86] speculation: Allow IBPB to be conditionally enabled on CPUs with always-on STIBP
    - perf/core: Fix bad use of igrab()
    - perf/core: Fix crash when using HW tracing kernel filters
    - perf/core: Fix a memory leak in perf_event_parse_addr_filter() (CVE-2020-25704)
    - xen/events: avoid removing an event channel while handling it (CVE-2020-27675)
    - xen/events: Fix potential DoS of dom0 by rogue guests (CVE-2020-27673):
      + xen/events: add a proper barrier to 2-level uevent unmasking
      + xen/events: fix race in evtchn_fifo_unmask()
      + xen/events: add a new "late EOI" evtchn framework
      + xen/blkback: use lateeoi irq binding
      + xen/netback: use lateeoi irq binding
      + xen/scsiback: use lateeoi irq binding
      + xen/pciback: use lateeoi irq binding
      + xen/events: switch user event channels to lateeoi model
      + xen/events: use a common cpu hotplug hook for event channels
      + xen/events: defer eoi in case of excessive number of events
      + xen/events: block rogue events for some time
    - perf/core: Fix race in the perf_mmap_close() function (CVE-2020-14351)
    - Revert "kernel/reboot.c: convert simple_strtoul to kstrtoint"
    - reboot: fix overflow parsing reboot cpu number
    - ext4: fix leaking sysfs kobject after failed mount
    - Convert trailing spaces and periods in path components
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.245
    - [armhf] i2c: imx: use clk notifier for rate changes
    - [armhf] i2c: imx: Fix external abort on interrupt in exit paths
    - [armhf] i2c: mux: pca954x: Add missing pca9546 definition to chip_desc
    - [x86] Input: sunkbd - avoid use-after-free in teardown paths (CVE-2020-25669)
    - mac80211: always wind down STA state
    - [x86] KVM: x86: clflushopt should be treated as a no-op by emulation
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.246
    - ah6: fix error return code in ah6_input()
    - atm: nicstar: Unmap DMA on send error
    - bnxt_en: read EEPROM A2h address using page 0
    - devlink: Add missing genlmsg_cancel() in devlink_nl_sb_port_pool_fill()
    - inet_diag: Fix error path to cancel the meseage in inet_req_diag_fill()
    - net: b44: fix error return code in b44_init_one()
    - net: bridge: add missing counters to ndo_get_stats64 callback
    - net: Have netpoll bring-up DSA management interface
    - netlabel: fix our progress tracking in netlbl_unlabel_staticlist()
    - netlabel: fix an uninitialized warning in netlbl_unlabel_staticlist()
    - net/mlx4_core: Fix init_hca fields offset
    - net: x25: Increase refcnt of "struct x25_neigh" in x25_rx_call_request
    - qlcnic: fix error return code in qlcnic_83xx_restart_hw()
    - sctp: change to hold/put transport for proto_unreach_timer
    - net: usb: qmi_wwan: Set DTR quirk for MR400
    - tcp: only postpone PROBE_RTT if RTT is < current min_rtt estimate
    - [armhf] pinctrl: rockchip: enable gpio pclk for rockchip_gpio_to_irq
    - [arm64] psci: Avoid printing in cpu_psci_cpu_die()
    - vfs: remove lockdep bogosity in __sb_start_write
    - [armhf] dts: imx6qdl-udoo: fix rgmii phy-mode for ksz9031 phy
    - [armhf] dts: imx50-evk: Fix the chip select 1 IOMUX
    - perf lock: Don't free "lock_seq_stat" if read_count isn't zero
    - can: dev: can_restart(): post buffer from the right context
    - can: peak_usb: fix potential integer overflow on shift of a int
    - [armhf] regulator: ti-abb: Fix array out of bound read access on the first transition
    - xfs: revert "xfs: fix rmap key and record comparison functions"
    - libfs: fix error cast of negative value in simple_attr_write()
    - ALSA: ctl: fix error path at adding user-defined element set
    - ALSA: mixart: Fix mutex deadlock
    - tty: serial: imx: keep console clocks always on
    - ext4: fix bogus warning in ext4_update_dx_flag()
    - [x86] iio: accel: kxcjk1013: Replace is_smo8500_device with an acpi_type enum
    - regulator: fix memory leak with repeated set_machine_constraints()
    - mac80211: minstrel: remove deferred sampling code
    - mac80211: minstrel: fix tx status processing corner case
    - mac80211: free sta in sta_info_insert_finish() on errors
    - [x86] microcode/intel: Check patch signature before saving microcode for early loading

  [ Ben Hutchings ]
  * fscrypto: Ignore ABI changes
  * xen/events: Ignore ABI changes
  * efivarfs: revert "fix memory leak in efivarfs_create()" (regression in 4.9.246)
  * [x86] speculation: Fix prctl() when spectre_v2_user={seccomp,prctl},ibpb (regressions in 4.9.228, 4.9.244)
  * regulator: avoid resolve_supply() infinite recursion (regression in 4.9.241)
  * regulator: workaround self-referent regulators (regression in 4.9.241)
  * bonding: wait for sysfs kobject destruction before freeing struct slave (regression in 4.9.226)
  * [x86] iommu/amd: Set DTE[IntTabLen] to represent 512 IRTEs (regression in 4.9.244)

Source openssl1.0, binaries: libssl1.0.2:amd64 libssl1.0.2:arm64

openssl1.0 (1.0.2u-1~deb9u3) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS team.
  * CVE-2020-1971: EDIPARTYNAME NULL pointer de-reference.

Source lxml, binaries: python-lxml:amd64 python-lxml:arm64

lxml (3.7.1-1+deb9u2) stretch-security; urgency=high

  * Non-maintainer upload by the LTS Team.
* CVE-2020-27783: Backport additional upstream commit a105ab8dc262ec6735977c25c13f0bdfcdec72a7 to address math/svg part of the vulnerability and complete the fix -- Steve McIntyre <93sam@debian.org> Thu, 17 Dec 2020 23:58:43 +0000 9.13.9-20201210 Updates in 4 source package(s), 14 binary package(s): Source apt, binaries: apt:amd64 apt-utils:amd64 libapt-inst2.0:amd64 libapt-pkg5.0:amd64 apt:arm64 apt-utils:arm64 libapt-inst2.0:arm64 libapt-pkg5.0:arm64 apt (1.4.11) stretch-security; urgency=high * SECURITY UPDATE: Integer overflow in parsing (LP: #1899193) - apt-pkg/contrib/arfile.cc: add extra checks. - apt-pkg/contrib/tarfile.cc: limit tar item sizes to 128 GiB - apt-pkg/deb/debfile.cc: limit control file sizes to 64 MiB - test/*: add tests. - CVE-2020-27350 * Additional hardening: - apt-pkg/contrib/tarfile.cc: Limit size of long names and links to 1 MiB + * Fix autopkgtest regression in 1.8.2.1 security update Source lxml, binaries: python-lxml:amd64 python-lxml:arm64 lxml (3.7.1-1+deb9u1) stretch-security; urgency=medium * Non-maintainer upload by the Debian LTS Team. * CVE-2018-19787: lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping. * CVE-2020-27783: Prevent combinations of