Debian stretch Openstack images changelog 9.13.25-20210628 Updates in 1 source package(s), 2 binary package(s): Source libgcrypt20, binaries: libgcrypt20:amd64 libgcrypt20:arm64 libgcrypt20 (1.7.6-2+deb9u4) stretch-security; urgency=high * Non-maintainer upload by the LTS Team. * CVE-2021-33560 34_cipher-Fix-ElGamal-encryption-for-other-implementati.patch from upstream LIBGCRYPT-1.8-BRANCH: Fix weak ElGamal encryption with keys *not* generated by GnuPG/libgcrypt. -- Steve McIntyre <93sam@debian.org> Mon, 28 Jun 2021 15:04:04 +0000 9.13.24-20210623 Updates in 2 source package(s), 6 binary package(s): Source linux-latest, binaries: linux-image-amd64:amd64 linux-image-arm64:arm64 linux-latest (80+deb9u14) stretch-security; urgency=medium * Update to 4.9.0-16 linux-latest (80+deb9u13) stretch-security; urgency=medium * Update to 4.9.0-15 linux-latest (80+deb9u12) stretch-security; urgency=high * debian/control: Point Vcs URLs to Salsa * Update to 4.9.0-14 linux-latest (80+deb9u11) stretch; urgency=medium * Update to 4.9.0-13 linux-latest (80+deb9u10) stretch; urgency=medium * Update to 4.9.0-12 linux-latest (80+deb9u9) stretch; urgency=medium * Update to 4.9.0-11 linux-latest (80+deb9u8) stretch; urgency=medium * Update to 4.9.0-10 linux-latest (80+deb9u7) stretch; urgency=medium * Update to 4.9.0-9 linux-latest (80+deb9u6) stretch-security; urgency=high * Update to 4.9.0-8 linux-latest (80+deb9u5) stretch; urgency=medium * Update to 4.9.0-7 linux-latest (80+deb9u4) stretch-security; urgency=high * Update to 4.9.0-6 linux-latest (80+deb9u3) stretch-security; urgency=high * Update to 4.9.0-5 linux-latest (80+deb9u2) stretch; urgency=medium * Update to 4.9.0-4 linux-latest (80+deb9u1) stretch; urgency=medium * Revert changes to debug symbol meta-packages (Closes: #866691) linux-latest (80) unstable; urgency=medium * Re-introduce xen-linux-system-amd64 *again* as transitional package (Closes: #857039) * Update to 4.9.0-3 linux-latest (79) unstable; urgency=medium * Update to 4.9.0-2 linux-latest (78) unstable; urgency=medium * debian/rules: Use dpkg-parsechangelog -S option to select fields * linux-image: Delete NEWS for version 76 about vsyscall changes, now reverted * Update to 4.9.0-1 linux-latest (77) unstable; urgency=medium * Update to 4.8.0-2 * Use debhelper compatibility level 9 * Re-introduce xen-linux-system packages, accidentally dropped in version 75 linux-latest (76) unstable; urgency=medium * Update to 4.8.0-1 * linux-image-{686-pae,amd64}: Delete old NEWS * linux-image: Add back-dated NEWS for conntrack helpers change in Linux 4.7 (Closes: #839632) * linux-image: Add NEWS for security hardening config changes for Linux 4.8 linux-latest (75) unstable; urgency=medium * Update to 4.7.0-1 * Rename and move debug symbol meta-packages to the debug archive * debian/control: Set priority of transitional packages to extra * debian/control: Update Standards-Version to 3.9.8; no changes needed linux-latest (74) unstable; urgency=medium * Update to 4.6.0-1 linux-latest (73) unstable; urgency=medium * Update to 4.5.0-2 linux-latest (72) unstable; urgency=medium * Update to 4.5.0-1 linux-latest (71) unstable; urgency=medium * Update to 4.4.0-1 - Change linux-{image,headers}-{kirkwood,orion5x} to transitional packages linux-latest (70) unstable; urgency=medium * Change linux-{image,headers}-586 to transitional packages linux-latest (69) unstable; urgency=medium * Update to 4.3.0-1 linux-latest (68) unstable; urgency=medium * Update to 4.2.0-1 * debian/bin/gencontrol.py: Use Python 3 linux-latest (67) unstable; urgency=medium * Adjust for migration to git: - Add .gitignore file - debian/control: Update Vcs-* fields * .gitignore: Ignore linux-perf build directory * Update to 4.1.0-2 * Change source format to 3.0 (native) so that .git directory is excluded by default linux-latest (66) unstable; urgency=medium * Update to 4.1.0-1 * Rename linux-tools to linux-perf, providing linux-tools as a transitional package linux-latest (65) unstable; urgency=medium * Update to 4.0.0-2 linux-latest (64) unstable; urgency=medium * Update to 4.0.0-1 * Stop generating linux-{headers,image}-486 transitional packages * debian/control: Build-Depend on linux-headers-*-all, so that after an ABI bump linux is auto-built before linux-latest on each architecture. (Closes: #746618) linux-latest (63) unstable; urgency=medium * Update to 3.16.0-4 - Change linux-{image,headers}-486 to transitional packages linux-latest (62) unstable; urgency=medium * Update to 3.16-3 (Closes: #766078) linux-latest (61) unstable; urgency=medium * Update to 3.16-2 linux-latest (60) unstable; urgency=medium * linux-image-{686-pae,amd64}: Add backdated NEWS for introduction of xz compression affecting Xen (Closes: #727736) * Update to 3.16-1 linux-latest (59) unstable; urgency=medium * Update to 3.14-2 linux-latest (58) unstable; urgency=medium * Rebuild to include arm64 and ppc64el architectures linux-latest (57) unstable; urgency=medium * Suppress lintian warnings about linux-image-dbg metapackages not looking like debug info packages * debian/control: Update Standards-Version to 3.9.5; no changes needed * Update to 3.14-1 linux-latest (56) unstable; urgency=medium * Update to 3.13-1 linux-latest (55) unstable; urgency=low * Update to 3.12-1 linux-latest (54) unstable; urgency=low * Update to 3.11-2 linux-latest (53) unstable; urgency=low * Add linux-image--dbg metapackages, providing the virtual package linux-latest-image-dbg * Update standards-version to 3.9.4; no changes required * Change section and priority fields to match archive overrides * Update to 3.11-1 * Stop providing virtual package linux-headers linux-latest (52) unstable; urgency=low * Update to 3.10-3 linux-latest (51) unstable; urgency=low * Update to 3.10-2 linux-latest (50) unstable; urgency=low * Update to 3.10-1 linux-latest (49) unstable; urgency=low * Update to 3.9-1 linux-latest (48) unstable; urgency=low * Update to 3.8-2 (Closes: #708842) linux-latest (47) unstable; urgency=low * Update to 3.8-1 * Remove transitional packages provided in wheezy linux-latest (46) unstable; urgency=low * Set Priority: extra, as currently overridden in the archive (Closes: #689846) * Add Czech debconf template translation (Michal Šimůnek) (Closes: #685501) * Update to 3.2.0-4 (Closes: #688222, #689864) linux-latest (45) unstable; urgency=low * Update to 3.2.0-3 linux-latest (44) unstable; urgency=high [ Ben Hutchings ] * Update debconf template translations: - Add Polish (Michał Kułach) (Closes: #659571) - Add Turkish (Mert Dirik) (Closes: #660119) * Update standards-version to 3.9.3: - Do not move packages to the 'metapackages' section, as that will cause APT not to auto-remove their dependencies * Move transitional packages to the section 'oldlibs', so that APT will treat the replacement packages as manually installed * Update to 3.2.0-2 * Stop generating linux-{headers,image}-2.6- transitional packages for flavours added since Linux 3.0 linux-latest (43) unstable; urgency=low * Add Vcs-{Svn,Browser} fields * Add debconf template translations: - Danish (Joe Hansen) (Closes: #656642) - Spanish (Slime Siabef) (Closes: #654681) - Italian (Stefano Canepa) (Closes: #657386) * [s390] Update the check for flavours without modules, removing the useless linux-headers{,-2.6}-s390x-tape packages linux-latest (42) unstable; urgency=low * Rename source package to linux-latest * Add debconf template translations: - Portugese (Miguel Figueiredo) (Closes: #651123) - Serbian latin (Zlatan Todoric) (Closes: #635895) - Russian (Yuri Kozlov) (Closes: #652431) - Japanese (Nobuhiro Iwamatsu) (Closes: #655687) * Update to 3.2.0-1 linux-latest-2.6 (41) unstable; urgency=low * Remove dependency on module makefiles in linux-support package * Update to 3.1.0-1 linux-latest-2.6 (40) unstable; urgency=low * Add debconf template translations: - Serbian cyrillic (Zlatan Todoric) (Closes: #635893) - German (Holger Wansing) (Closes: #637764) - French (Debian French l10n team) (Closes: #636624) - Swedish (Martin Bagge) (Closes: #640058) - Dutch (Jeroen Schot) (Closes: #640115) - Catalan (Innocent De Marchi) (Closes: #642109) * Update to 3.0.0-2 linux-latest-2.6 (39) unstable; urgency=low * Update to 3.0.0-1 linux-latest-2.6 (38) experimental; urgency=low * Correct xen-linux-system transitional package names linux-latest-2.6 (37) experimental; urgency=low * Update to 3.0.0-rc5 * Restore xen-linux-system- packages * Remove common description text from linux-image-2.6- packages linux-latest-2.6 (36) experimental; urgency=low * Update to 3.0.0-rc1 - Add linux-doc, linux-headers-, linux-source and linux-tools packages - Change *-2.6-* to transitional packages linux-latest-2.6 (35.1) unstable; urgency=low [ Bastian Blank ] * Update to 2.6.39-2. linux-latest-2.6 (35) unstable; urgency=low * Update to 2.6.39-1 - Change linux-image{,-2.6}-686{,-bigmem} to transitional packages linux-latest-2.6 (34) unstable; urgency=low * [hppa] Update to 2.6.38-2a linux-latest-2.6 (33) unstable; urgency=low * Update to 2.6.38-2 linux-latest-2.6 (32) unstable; urgency=low * Update to 2.6.38-1 linux-latest-2.6 (31) unstable; urgency=low * Update to 2.6.37-2 linux-latest-2.6 (30) unstable; urgency=low * Update to 2.6.37-1 linux-latest-2.6 (29) unstable; urgency=low * Add xen-linux-system-2.6-* meta-packages (Closes: #402414) * Add bug presubj message for image meta packages directing users to the real image packages (Closes: #549591) * Fix repetition in description of linux-image-2.6-xen-amd64 (Closes: #598648) * [x86] Correct lists of suitable processors linux-latest-2.6 (28) unstable; urgency=low * Move NEWS from linux-2.6, since apt-listchanges only shows it for upgraded packages * Add linux-tools-2.6 meta package * Change versions for linux-doc-2.6 and linux-source-2.6 to match those of the other meta packages linux-latest-2.6 (27) unstable; urgency=low * Really build linux-doc-2.6 and linux-source-2.6 meta packages linux-latest-2.6 (26) unstable; urgency=low [ Joachim Breitner ] * Create linux-doc-2.6 and linux-source-2.6 meta packages (Closes: 347284) [ Ben Hutchings ] * Update to 2.6.32-5. * Update standards-version to 3.8.4; no changes required. * Explicitly describe all packages as meta-packages. linux-latest-2.6 (25) unstable; urgency=high * Update package description templates in line with linux-2.6. * Update to 2.6.32-3. * Set urgency to 'high' since this must transition with linux-2.6. linux-latest-2.6 (24) unstable; urgency=low * Update to 2.6.32-2. linux-latest-2.6 (23) unstable; urgency=low * Update to 2.6.32-trunk. linux-latest-2.6 (22) unstable; urgency=low * Update to 2.6.31-1. linux-latest-2.6 (21) unstable; urgency=low [ Bastian Blank ] * Update to 2.6.30-2. [ Ben Hutchings ] * Add myself to uploaders. linux-latest-2.6 (20) unstable; urgency=low * Move into kernel section. * Update to 2.6.30-1. linux-latest-2.6 (19) unstable; urgency=low * Update to 2.6.29-2. * Use debhelper compat level 7. * Update copyright file. linux-latest-2.6 (18) unstable; urgency=low * Update to 2.6.29-1. * Use dh_prep. * Remove lenny transition packages. linux-latest-2.6 (17) unstable; urgency=low * Use correct part of the config for image type. * Add description parts to all image packages. linux-latest-2.6 (16) unstable; urgency=low * Rebuild to pick up new images linux-latest-2.6 (15) unstable; urgency=low * Update to 2.6.26-1. * Make linux-image-* complete meta packages. linux-latest-2.6 (14) unstable; urgency=low * Update to 2.6.25-2. linux-latest-2.6 (13) unstable; urgency=low * Add transitional packages for k7. linux-latest-2.6 (12) unstable; urgency=low * Update to 2.6.24-1. linux-latest-2.6 (11) unstable; urgency=low * Update to 2.6.22-3. linux-latest-2.6 (10) unstable; urgency=low * Update to 2.6.22-2. linux-latest-2.6 (9) unstable; urgency=low * Update to 2.6.22-1. linux-latest-2.6 (8) unstable; urgency=low * Update to 2.6.21-2. * Add modules meta packages. * Provide linux-latest-modules-*. (closes: #428783) linux-latest-2.6 (7) unstable; urgency=low * Update to 2.6.21-1. * Remove etch transition packages. linux-latest-2.6 (6) unstable; urgency=low * Update to 2.6.18-4. * i386: Add amd64 transition packages. linux-latest-2.6 (5) unstable; urgency=low * Update to 2.6.18-3. Source python-urllib3, binaries: python-urllib3:amd64 python3-urllib3:amd64 python-urllib3:arm64 python3-urllib3:arm64 python-urllib3 (1.19.1-1+deb9u1) stretch-security; urgency=medium * Non-maintainer upload by the Debian LTS Team. * Fix CVE-2018-20060, CVE-2019-11236, CVE-2019-11324 CVE-2020-26137 -- Steve McIntyre <93sam@debian.org> Wed, 23 Jun 2021 13:35:34 +0000 9.13.23-20210604 Updates in 1 source package(s), 4 binary package(s): Source isc-dhcp, binaries: isc-dhcp-client:amd64 isc-dhcp-common:amd64 isc-dhcp-client:arm64 isc-dhcp-common:arm64 isc-dhcp (4.3.5-3+deb9u2) stretch-security; urgency=medium * Non-maintainer upload by the LTS Team. * CVE-2021-25217: denial of service in server and client via application crash when parsing lease information. -- Steve McIntyre <93sam@debian.org> Fri, 04 Jun 2021 12:00:23 +0000 9.13.22-20210531 Updates in 2 source package(s), 4 binary package(s): Source libxml2, binaries: libxml2:amd64 libxml2:arm64 libxml2 (2.9.4+dfsg1-2.2+deb9u5) stretch-security; urgency=medium * Non-maintainer upload by the LTS Team. * CVE-2021-3541 Fix for "Parameter Laughs"-attack, that is similar to the "Billion Laughs"-attacks found earlier in libexpat. Source lz4, binaries: liblz4-1:amd64 liblz4-1:arm64 lz4 (0.0~r131-2+deb9u1) stretch-security; urgency=high * CVE-2021-3520: Fix a potential memory corruption vulnerability that could be exploited with a negative memmove(3) size argument. (Closes: #987856) -- Steve McIntyre <93sam@debian.org> Mon, 31 May 2021 16:21:18 +0000 9.13.21-20210511 Updates in 1 source package(s), 2 binary package(s): Source libxml2, binaries: libxml2:amd64 libxml2:arm64 libxml2 (2.9.4+dfsg1-2.2+deb9u4) stretch-security; urgency=medium * Non-maintainer upload by the LTS team. * CVE-2021-3516: use-after-free in xmlEncodeEntitiesInternal * CVE-2021-3517: heap-based buffer overflow in xmlEncodeEntitiesInternal * CVE-2021-3518: use-after-free in xmlXIncludeDoProcess * CVE-2021-3537: NULL pointer dereference in xmlValidBuildAContentModel -- Steve McIntyre <93sam@debian.org> Wed, 12 May 2021 00:53:25 +0000 9.13.20-20210507 Updates in 5 source package(s), 24 binary package(s): Source qemu, binaries: qemu-utils:amd64 qemu-utils:arm64 qemu (1:2.8+dfsg-6+deb9u14) stretch-security; urgency=high * Non-maintainer upload by the LTS team. * Fix CVE-2021-20257: net: e1000: infinite loop while processing transmit descriptors * Fix CVE-2021-20255: A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. * Fix CVE-2021-20203: An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. * Fix CVE-2021-3416: A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host resulting in DoS scenario. * Fix CVE-2021-3409/CVE-2020-17380: The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or potential code execution. * Fix CVE-2021-3392: A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req' from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. Source python3.5, binaries: libpython3.5-minimal:amd64 libpython3.5-stdlib:amd64 python3.5:amd64 python3.5-minimal:amd64 libpython3.5-minimal:arm64 libpython3.5-stdlib:arm64 python3.5:arm64 python3.5-minimal:arm64 python3.5 (3.5.3-1+deb9u4) stretch-security; urgency=medium * Non-maintainer upload by the LTS Security Team. * CVE-2021-23336: only use '&' as a query string separator * CVE-2021-3426: remove the pydoc getfile feature * CVE-2021-3177: replace snprintf with Python unicode Source lxml, binaries: python-lxml:amd64 python-lxml:arm64 lxml (3.7.1-1+deb9u4) stretch-security; urgency=medium * Non-maintainer upload by the LTS Team. * CVE-2021-28957 Due to missing input sanitization, XSS is possible for the HTML5 formatcion attribute. Source bind9, binaries: libdns-export162:amd64 libisc-export160:amd64 libdns-export162:arm64 libisc-export160:arm64 bind9 (1:9.10.3.dfsg.P4-12.3+deb9u9) stretch-security; urgency=medium * Non-maintainer upload by the LTS Team. * CVE-2021-25214: A malformed incoming IXFR transfer could trigger an assertion failure in ``named``, causing it to quit abnormally. * CVE-2021-25215: ``named`` crashed when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query. * CVE-2021-25216: Compile with system provided SPNEGO * Ensure all resources are properly cleaned up when a call to gss_accept_sec_context() fails. Source python2.7, binaries: libpython2.7-minimal:amd64 libpython2.7-stdlib:amd64 python2.7:amd64 python2.7-minimal:amd64 libpython2.7-minimal:arm64 libpython2.7-stdlib:arm64 python2.7:arm64 python2.7-minimal:arm64 python2.7 (2.7.13-2+deb9u5) stretch-security; urgency=medium * Non-maintainer upload by the LTS Security Team. * Update keycert.pem to fix corresponding tests. * Disable some failing tests (see debian/TODO). * CVE-2021-23336: only use '&' as a query string separator. * CVE-2019-16935: Escape the server title of DocXMLRPCServer. * Add debian/.gitlab-ci.yml. -- Steve McIntyre <93sam@debian.org> Fri, 07 May 2021 06:15:15 +0000 9.13.19-20210320 Updates in 2 source package(s), 6 binary package(s): Source cloud-init, binaries: cloud-init:amd64 cloud-init:arm64 cloud-init (0.7.9-2+deb9u1) stretch-security; urgency=medium * Avoid logging generated passwords (CVE-2021-3429) (Closes: #985540) Source shadow, binaries: login:amd64 passwd:amd64 login:arm64 passwd:arm64 shadow (1:4.4-4.1+deb9u1) stretch-security; urgency=high * Non-maintainer upload by the LTS Security Team. * CVE-2017-20002: revert adding pts/0 and pts/1 to securetty. Adding pts/* defeats the purpose of securetty. Let containers add it if needed as described in #830255. (cherry-picked from 1:4.5-1) See also #877374 (previous proposed update) and #914957 (/etc/securetty will be dropped in bullseye). * CVE-2017-12424: the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts. (Closes: #756630) -- Steve McIntyre <93sam@debian.org> Sat, 20 Mar 2021 22:16:44 +0000 9.13.18-20210314 Updates in 1 source package(s), 2 binary package(s): Source ca-certificates, binaries: ca-certificates:amd64 ca-certificates:arm64 ca-certificates (20200601~deb9u2) stretch-security; urgency=high * Non-maintainer upload by the LTS team. * mozilla/blacklist: Revert Symantec CA blacklist (#911289). Closes: #962596 The following root certificates were added back (+): + "GeoTrust Global CA" + "GeoTrust Primary Certification Authority" + "GeoTrust Primary Certification Authority - G2" + "GeoTrust Primary Certification Authority - G3" + "GeoTrust Universal CA" + "thawte Primary Root CA" + "thawte Primary Root CA - G2" + "thawte Primary Root CA - G3" + "VeriSign Class 3 Public Primary Certification Authority - G4" + "VeriSign Class 3 Public Primary Certification Authority - G5" + "VeriSign Universal Root Certification Authority" NOTE: due to bug #743339, CA certificates added back in this version won't automatically be trusted again on upgrade. Affected users may need to reconfigure the package to restore the desired state. -- Steve McIntyre <93sam@debian.org> Mon, 15 Mar 2021 01:07:03 +0000 9.13.17-20210308 Updates in 1 source package(s), 2 binary package(s): Source linux-latest, binaries: linux-image-amd64:amd64 linux-image-arm64:arm64 linux-latest (80+deb9u13) stretch-security; urgency=medium * Update kernel to 4.9.0-15 -- Steve McIntyre <93sam@debian.org> Tue, 09 Mar 2021 15:29:47 +0000 9.13.16-20210219 Updates in 6 source package(s), 16 binary package(s): Source openssl, binaries: libssl1.1:amd64 openssl:amd64 libssl1.1:arm64 openssl:arm64 openssl (1.1.0l-1~deb9u3) stretch-security; urgency=high * CVE-2021-23840: Prevent an issue where "Digital EnVeloPe" EVP-related calls could cause applications to behave incorrectly or crash. * CVE-2021-23841: Preevent an issue in the X509 certificate handler caused by the lack of error handling while parsing the "issuer" field. Source libbsd, binaries: libbsd0:amd64 libbsd0:arm64 libbsd (0.8.3-1+deb9u1) stretch-security; urgency=medium * Non-maintainer upload by the LTS Team. * CVE-2019-20367 A non-NUL terminated symbol name in the string table might result in a out-of-bounds read. Source qemu, binaries: qemu-utils:amd64 qemu-utils:arm64 qemu (1:2.8+dfsg-6+deb9u13) stretch-security; urgency=medium * Non-maintainer upload by the LTS Security Team. * CVE-2020-15469: a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference. * CVE-2020-15859: QEMU has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000e's MMIO address. * CVE-2020-25084: QEMU has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked. * CVE-2020-28916: hw/net/e1000e_core.c has an infinite loop via an RX descriptor with a NULL buffer address. * CVE-2020-29130: slirp.c has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length. * CVE-2020-29443: ide_atapi_cmd_reply_end in hw/ide/atapi.c allows out-of-bounds read access because a buffer index is not validated. * CVE-2021-20181: 9pfs: ZDI-CAN-10904: QEMU Plan 9 file system TOCTOU privilege escalation vulnerability. * CVE-2021-20221: aarch64: GIC: out-of-bound heap buffer access via an interrupt ID field. Source screen, binaries: screen:amd64 screen:arm64 screen (4.5.0-6+deb9u1) stretch-security; urgency=high * [CVE-2021-26937] Fix invalid write access and application crash or possibly unspecified other impact via a crafted UTF-8 character sequence. (Closes: #982435) Source bind9, binaries: libdns-export162:amd64 libisc-export160:amd64 libdns-export162:arm64 libisc-export160:arm64 bind9 (1:9.10.3.dfsg.P4-12.3+deb9u8) stretch-security; urgency=high * CVE-2020-8625: Prevent a buffer overflow attack in the GSSAPI ("Generic Security Services") security policy negotiation. (Closes: #983004) Source openssl1.0, binaries: libssl1.0.2:amd64 libssl1.0.2:arm64 openssl1.0 (1.0.2u-1~deb9u4) stretch-security; urgency=high * Non-maintainer upload by the LTS team. * CVE-2021-23840: Prevent an issue where "Digital EnVeloPe" EVP-related calls could cause applications to behave incorrectly or even crash. * CVE-2021-23841: Preevent an issue in the X509 certificate handler, caused by the lack of error handling while parsing "issuer" fields. -- Steve McIntyre <93sam@debian.org> Fri, 19 Feb 2021 20:32:09 +0000 9.13.15-20210210 Updates in 2 source package(s), 4 binary package(s): Source gdisk, binaries: gdisk:amd64 gdisk:arm64 gdisk (1.0.1-1+deb9u1) stretch-security; urgency=high * Non-maintainer upload by the LTS team. * Add patch to fix segfault on some weird data structures. (Fixes: CVE-2020-0256) * Add patch to fix a bug that could cause crash if a badly-formatted MBR disk was read. (Fixes: CVE-2021-0308) Source tzdata, binaries: tzdata:amd64 tzdata:arm64 tzdata (2021a-0+deb9u1) stretch-security; urgency=medium * New upstream version, affecting the following timestamp: - South Sudan changes from +03 to +02 on 2021-02-01. -- Steve McIntyre <93sam@debian.org> Wed, 10 Feb 2021 13:13:39 +0000 9.13.14-20210127 Updates in 1 source package(s), 2 binary package(s): Source sudo, binaries: sudo:amd64 sudo:arm64 sudo (1.8.19p1-2.1+deb9u3) stretch-security; urgency=high * Non-maintainer upload by the Security Team. * Heap-based buffer overflow (CVE-2021-3156) - Reset valid_flags to MODE_NONINTERACTIVE for sudoedit - Add sudoedit flag checks in plugin that are consistent with front-end - Fix potential buffer overflow when unescaping backslashes in user_args - Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL - Don't assume that argv is allocated as a single flat buffer -- Steve McIntyre <93sam@debian.org> Wed, 27 Jan 2021 21:29:22 +0000 9.13.13-20210106 Updates in 1 source package(s), 2 binary package(s): Source p11-kit, binaries: libp11-kit0:amd64 libp11-kit0:arm64 p11-kit (0.23.3-2+deb9u1) stretch-security; urgency=medium * Non-maintainer upload by the LTS team. * CVE-2020-29361: Multiple integer overflows. * CVE-2020-29362: Heap-based buffer over-read. -- Steve McIntyre <93sam@debian.org> Thu, 07 Dec 2020 21:34:23 +0000 9.13.12-20201230 Updates in 2 source package(s), 4 binary package(s): Source lxml, binaries: python-lxml:amd64 python-lxml:arm64 lxml (3.7.1-1+deb9u3) stretch-security; urgency=medium * Non-maintainer upload by the LTS Team. * Enable the test suite (non-fatal). * Switch to source format 3.0 (quilt), rather than having the patches in debian/patches/ but applied directly without a patch system. * Fix regression in Python 2 in the last part of CVE-2020-27783. * math-svg.patch: update expected results for the test suite. Source tzdata, binaries: tzdata:amd64 tzdata:arm64 tzdata (2020e-0+deb9u1) stretch-security; urgency=medium * New upstream version, affecting the following timestamp: - Volgograd switched to Moscow time on 2020-12-27 at 02:00. -- Steve McIntyre <93sam@debian.org> Wed, 30 Dec 2020 16:52:35 +0000 9.13.11-20201218 Updates in 2 source package(s), 4 binary package(s): Source linux, binaries: linux-image-4.9.0-14-amd64:amd64 linux-image-4.9.0-14-arm64:arm64 linux (4.9.246-2) stretch-security; urgency=high * [arm64] Fix FTBFS after Xen netback fix: - arm64: Remove redundant mov from LL/SC cmpxchg - arm64: Avoid redundant type conversions in xchg() and cmpxchg() - arm64: cmpxchg: Use "K" instead of "L" for ll/sc immediate constraint - arm64: Use correct ll/sc atomic constraints Source lxml, binaries: python-lxml:amd64 python-lxml:arm64 lxml (3.7.1-1+deb9u3) stretch-security; urgency=medium * Non-maintainer upload by the LTS Team. * Enable the test suite (non-fatal). * Switch to source format 3.0 (quilt), rather than having the patches in debian/patches/ but applied directly without a patch system. * Fix regression in Python 2 in the last part of CVE-2020-27783. * math-svg.patch: update expected results for the test suite. lxml (3.7.1-1+deb9u2) stretch-security; urgency=high * Non-maintainer upload by the LTS Team. * CVE-2020-27783: Backport additional upstream commit a105ab8dc262ec6735977c25c13f0bdfcdec72a7 to address math/svg part of the vulnerability and complete the fix -- Steve McIntyre <93sam@debian.org> Fri, 18 Dec 2020 11:42:32 +0000 9.13.10-20201217 Updates in 4 source package(s), 10 binary package(s): Source openssl, binaries: libssl1.1:amd64 openssl:amd64 libssl1.1:arm64 openssl:arm64 openssl (1.1.0l-1~deb9u2) stretch-security; urgency=medium * Non-maintainer upload by the LTS team. * CVE-2020-1971: EDIPARTYNAME NULL pointer de-reference. Source linux, binaries: linux-image-4.9.0-14-amd64:amd64 linux-image-4.9.0-14-arm64:arm64 linux (4.9.246-2) stretch-security; urgency=high * [arm64] Fix FTBFS after Xen netback fix: - arm64: Remove redundant mov from LL/SC cmpxchg - arm64: Avoid redundant type conversions in xchg() and cmpxchg() - arm64: cmpxchg: Use "K" instead of "L" for ll/sc immediate constraint - arm64: Use correct ll/sc atomic constraints linux (4.9.246-1) stretch-security; urgency=high * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.241 - tipc: fix the skb_unshare() in tipc_buf_append() - net/ipv4: always honour route mtu during forwarding - r8169: fix data corruption issue on RTL8402 - ALSA: bebob: potential info leak in hwdep_read() - net: hdlc: In hdlc_rcv, check to make sure dev is an HDLC device - net: hdlc_raw_eth: Clear the IFF_TX_SKB_SHARING flag after calling ether_setup - nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download() - tcp: fix to update snd_wl1 in bulk receiver fast path - icmp: randomize the global rate limiter (CVE-2020-25705) - cifs: remove bogus debug code - [x86] KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages - ima: Don't ignore errors from crypto_shash_update() - crypto: algif_aead - Do not set MAY_BACKLOG on the async path - [x86] EDAC/i5100: Fix error handling order in i5100_init_one() - [armhf] media: Revert "media: exynos4-is: Add missed check for pinctrl_lookup_state()" - [armhf] media: omap3isp: Fix memleak in isp_probe - [armhf] crypto: omap-sham - fix digcnt register handling with export/ import - [armhf] media: ti-vpe: Fix a missing check and reference count leak - regulator: resolve supply after creating regulator - ath10k: provide survey info as accumulated data - ath6kl: prevent potential array overflow in ath6kl_add_new_sta() - ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb() - wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680 - [arm64] ASoC: qcom: lpass-platform: fix memory leak - mwifiex: Do not use GFP_KERNEL in atomic context - [x86] drm/gma500: fix error check - scsi: qla4xxx: Fix an error handling path in 'qla4xxx_get_host_stats()' - scsi: csiostor: Fix wrong return value in csio_hw_prep_fw() - [x86] VMCI: check return value of get_user_pages_fast() for errors - tty: serial: earlycon dependency - pty: do tty_flip_buffer_push without port->lock in pty_write - [x86] video: fbdev: vga16fb: fix setting of pixclock because a pass-by- value error - video: fbdev: sis: fix null ptr dereference - HID: roccat: add bounds checking in kone_sysfs_write_settings() - ath6kl: wmi: prevent a shift wrapping bug in ath6kl_wmi_delete_pstream_cmd() - [amd64] misc: mic: scif: Fix error handling path - ALSA: seq: oss: Avoid mutex lock for a long-time ioctl - quota: clear padding in v2r1_mem2diskdqb() - net: enic: Cure the enic api locking trainwreck - iwlwifi: mvm: split a print to avoid a WARNING in ROC - usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above. - nl80211: fix non-split wiphy information - scsi: be2iscsi: Fix a theoretical leak in beiscsi_create_eqs() - mwifiex: fix double free - IB/mlx4: Fix starvation in paravirt mux/demux - IB/mlx4: Adjust delayed work when a dup is observed - mtd: lpddr: fix excessive stack usage with clang - mtd: mtdoops: Don't write panic data twice - [armel,armhf] 9007/1: l2c: fix prefetch bits init in L2X0_AUX_CTRL using DT values - RDMA/qedr: Fix use of uninitialized field - [x86] perf intel-pt: Fix "context_switch event has no tid" error - [arm64] RDMA/hns: Set the unsupported wr opcode - overflow: Include header file with SIZE_MAX declaration - IB/rdmavt: Fix sizeof mismatch - rapidio: fix error handling path - rapidio: fix the missed put_device() for rio_mport_add_riodev - [arm64,armhf] clk: bcm2835: add missing release if devm_clk_hw_register fails - vfio/pci: Clear token on bypass registration failure - [armhf] Input: omap4-keypad - fix handling of platform_get_irq() error - [armhf] Input: twl4030_keypad - fix handling of platform_get_irq() error - [armhf] Input: sun4i-ps2 - fix handling of platform_get_irq() error - [x86] KVM: x86: emulating RDPID failure shall return #UD rather than #GP - [arm64] dts: qcom: msm8916: Fix MDP/DSI interrupts - [arm64] dts: zynqmp: Remove additional compatible string for i2c IPs - nvmet: fix uninitialized work for zero kato - [x86] crypto: ccp - fix error handling - media: firewire: fix memory leak - media: ati_remote: sanity check for both endpoints - [armhf] media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync - [armhf] media: exynos4-is: Fix a reference count leak due to pm_runtime_get_sync - [armhf] media: exynos4-is: Fix a reference count leak - media: media/pci: prevent memory leak in bttv_probe - media: uvcvideo: Ensure all probed info is returned to v4l2 - mmc: sdio: Check for CISTPL_VERS_1 buffer size - media: saa7134: avoid a shift overflow - fs: dlm: fix configfs memory leak - ntfs: add check for mft record size in superblock - PM: hibernate: remove the bogus call to get_gendisk() in software_resume() - scsi: mvumi: Fix error return in mvumi_io_attach() - scsi: target: core: Add CONTROL field for trace events - [amd64] mic: vop: copy data to kernel space then write to io memory - [amd64] misc: vop: add round_up(x,4) for vring_size to avoid kernel panic - usb: gadget: function: printer: fix use-after-free in __lock_acquire - udf: Limit sparing table size - udf: Avoid accessing uninitialized data on failed inode read - USB: cdc-acm: handle broken union descriptors - ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() - misc: rtsx: Fix memory leak in rtsx_pci_probe - reiserfs: only call unlock_new_inode() if I_NEW - xfs: make sure the rt allocator doesn't run off the end - usb: ohci: Default to per-port over-current protection - Bluetooth: Only mark socket zapped after unlocking - brcmsmac: fix memory leak in wlc_phy_attach_lcnphy - rtl8xxxu: prevent potential memory leak - Fix use after free in get_capset_info callback. - tty: ipwireless: fix error handling - ipvs: Fix uninit-value in do_ip_vs_set_ctl() - reiserfs: Fix memory leak in reiserfs_parse_options() - brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach - usb: core: Solve race condition in anchor cleanup functions - ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() - usb: cdc-acm: add quirk to blacklist ETAS ES58X devices - USB: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync(). - eeprom: at25: set minimum read/write access stride to 1 - usb: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets. https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.242 - SUNRPC: ECONNREFUSED should cause a rebind. - efivarfs: Replace invalid slashes with exclamation marks in dentries. - tipc: fix memory leak caused by tipc_buf_append() - [x86] arch/x86/amd/ibs: Fix re-arming IBS Fetch - fuse: fix page dereference after free - p54: avoid accessing the data mapped to streaming DMA - mtd: lpddr: Fix bad logic in print_drs_error - fscrypt: return -EXDEV for incompatible rename or link into encrypted dir - fscrypto: move ioctl processing more fully into common code - fscrypt: use EEXIST when file already uses different policy - f2fs: add trace exit in exception path - f2fs: fix to check segment boundary during SIT page readahead - um: change sigio_spinlock to a mutex - [armel,armhf] 8997/2: hw_breakpoint: Handle inexact watchpoint addresses - xfs: fix realtime bitmap/summary file truncation when growing rt volume - ath10k: fix VHT NSS calculation when STBC is enabled - media: tw5864: check status of tw5864_frameinterval_get - mmc: via-sdmmc: Fix data race bug - USB: adutux: fix debugging - [arm64] mm: return cpu_all_mask when node is NUMA_NO_NODE - drivers/net/wan/hdlc_fr: Correctly handle special skb->protocol values - md/bitmap: md_bitmap_get_counter returns wrong blocks - [armhf] clk: ti: clockdomain: fix static checker warning - net: 9p: initialize sun_server.sun_path to have addr's value only when addr is valid - ext4: Detect already used quota file early - gfs2: add validation checks for size of superblock - [armhf] memory: emif: Remove bogus debugfs error handling - md/raid5: fix oops during stripe resizing - [x86] perf/x86/amd/ibs: Don't include randomized bits in get_ibs_op_count() - [x86] perf/x86/amd/ibs: Fix raw sample data accumulation - fs: Don't invalidate page buffers in block_write_full_page() - NFS: fix nfs_path in case of a rename retry - ACPI / extlog: Check for RDMSR failure - ACPI: video: use ACPI backlight for HP 635 Notebook - ACPI: debug: don't allow debugging when ACPI is disabled - acpi-cpufreq: Honor _PSD table setting on new AMD CPUs - scsi: mptfusion: Fix null pointer dereferences in mptscsih_remove() - btrfs: reschedule if necessary when logging directory items - btrfs: cleanup cow block on error - btrfs: fix use-after-free on readahead extent after failure to create it - [arm64,armhf] usb: dwc3: core: add phy cleanup for probe error handling - [arm64,armhf] usb: dwc3: core: don't trigger runtime pm when remove driver - vt: keyboard, simplify vt_kdgkbsent - vt: keyboard, extend func_buf_lock to readers (CVE-2020-25656) - ubifs: dent: Fix some potential memory leaks while iterating entries - ubi: check kthread_should_stop() after the setting of task state - ceph: promote to unsigned long long before shifting - libceph: clear con->out_msg on Policy::stateful_server faults - 9P: Cast to loff_t before multiplying - ring-buffer: Return 0 on success from ring_buffer_resize() - vringh: fix __vringh_iov() when riov and wiov are different - tty: make FONTX ioctl use the tty pointer they were actually passed (CVE-2020-25668) - cachefiles: Handle readpage error correctly - device property: Keep secondary firmware node secondary by type - device property: Don't clear secondary pointer for shared primary firmware node - [arm64] KVM: arm64: Fix AArch32 handling of DBGD{CCINT,SCRext} and DBGVCR - [x86] staging: comedi: cb_pcidas: Allow 2-channel commands for AO subdevice - tipc: fix use-after-free in tipc_bcast_get_mode - ALSA: usb-audio: Add implicit feedback quirk for Qu-16 - kthread_worker: prevent queuing delayed work from timer_fn when it is being canceled - ftrace: Fix recursion check for NMI test - ftrace: Handle tracing when switching between context - tracing: Fix out of bounds write in get_trace_buf - [armhf] dts: sun4i-a10: fix cpu_alert temperature - [x86] kexec: Use up-to-dated screen_info copy to fill boot params - of: Fix reserved-memory overlap detection - scsi: core: Don't start concurrent async scan on same host - vsock: use ns_capable_noaudit() on socket create - ACPI: NFIT: Fix comparison to '-ENXIO' - vt: Disable KD_FONT_OP_COPY (CVE-2020-28974) - fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent - USB: serial: cyberjack: fix write-URB completion race - USB: serial: option: add LE910Cx compositions 0x1203, 0x1230, 0x1231 - USB: serial: option: add Telit FN980 composition 0x1055 - USB: Add NO_LPM quirk for Kingston flash drive https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.243 - powercap: restrict energy meter to root access (CVE-2020-8694) https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.244 - regulator: defer probe when trying to get voltage from unresolved supply - ring-buffer: Fix recursion protection transitions between interrupt context - gfs2: Wake up when sd_glock_disposal becomes zero - mm: mempolicy: fix potential pte_unmap_unlock pte error - time: Prevent undefined behaviour in timespec64_to_ns() - btrfs: reschedule when cloning lots of extents - genirq: Let GENERIC_IRQ_IPI select IRQ_DOMAIN_HIERARCHY - net: xfrm: fix a race condition during allocing spi - perf tools: Add missing swap for ino_generation - ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link() - can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context - can: dev: __can_get_echo_skb(): fix real payload length return value for RTR frames - can: can_create_echo_skb(): fix echo skb generation: always use skb_clone() - can: peak_usb: add range checking in decode operations - can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping - xfs: flush new eof page on truncate to avoid post-eof corruption - Btrfs: fix missing error return if writeback for extent buffer never started - pinctrl: devicetree: Avoid taking direct reference to device name string (CVE-2020-0427) - i40e: Fix a potential NULL pointer dereference - i40e: add num_vectors checker in iwarp handler - i40e: Wrong truncation from u16 to u8 - i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c - i40e: Memory leak in i40e_config_iwarp_qvlist - geneve: add transport ports in route lookup for geneve (CVE-2020-25645) - ath9k_htc: Use appropriate rs_datalen type - gfs2: Free rd_bits later in gfs2_clear_rgrpd to fix use-after-free - gfs2: check for live vs. read-only file system in gfs2_fitrim - scsi: hpsa: Fix memory leak in hpsa_init_one() - drm/amdgpu: perform srbm soft reset always on SDMA resume - mac80211: fix use of skb payload instead of header - cfg80211: regulatory: Fix inconsistent format argument - scsi: scsi_dh_alua: Avoid crash during alua_bus_detach() - [amd64] iommu/amd: Increase interrupt remapping table limit to 512 entries - xfs: fix flags argument to rmap lookup when converting shared file rmaps - xfs: fix rmap key and record comparison functions - xfs: fix a missing unlock on error in xfs_fs_map_blocks - of/address: Fix of_node memory leak in of_dma_is_coherent - [i386] cosa: Add missing kfree in error path of cosa_write - perf: Fix get_recursion_context() - ext4: correctly report "not supported" for {usr,grp}jquota when !CONFIG_QUOTA - ext4: unlock xattr_sem properly in ext4_inline_data_truncate() - usb: cdc-acm: Add DISABLE_ECHO for Renesas USB Download mode - [x86] mei: protect mei_cl_mtu from null dereference - ocfs2: initialize ip_next_orphan - don't dump the threads that had been already exiting when zapped. - [x86] drm/gma500: Fix out-of-bounds access to struct drm_device.vblank[] - [x86] pinctrl: amd: use higher precision for 512 RtcClk - [x86] pinctrl: amd: fix incorrect way to disable debounce filter - swiotlb: fix "x86: Don't panic if can not alloc buffer for swiotlb" - IPv6: Set SIT tunnel hard_header_len to zero - net/x25: Fix null-ptr-deref in x25_connect - net: Update window_clamp if SOCK_RCVBUF is set - random32: make prandom_u32() output unpredictable - [x86] speculation: Allow IBPB to be conditionally enabled on CPUs with always-on STIBP - perf/core: Fix bad use of igrab() - perf/core: Fix crash when using HW tracing kernel filters - perf/core: Fix a memory leak in perf_event_parse_addr_filter() (CVE-2020-25704) - xen/events: avoid removing an event channel while handling it (CVE-2020-27675) - xen/events: Fix potential DoS of dom0 by rogue guests (CVE-2020-27673): + xen/events: add a proper barrier to 2-level uevent unmasking + xen/events: fix race in evtchn_fifo_unmask() + xen/events: add a new "late EOI" evtchn framework + xen/blkback: use lateeoi irq binding + xen/netback: use lateeoi irq binding + xen/scsiback: use lateeoi irq binding + xen/pciback: use lateeoi irq binding + xen/events: switch user event channels to lateeoi model + xen/events: use a common cpu hotplug hook for event channels + xen/events: defer eoi in case of excessive number of events + xen/events: block rogue events for some time - perf/core: Fix race in the perf_mmap_close() function (CVE-2020-14351) - Revert "kernel/reboot.c: convert simple_strtoul to kstrtoint" - reboot: fix overflow parsing reboot cpu number - ext4: fix leaking sysfs kobject after failed mount - Convert trailing spaces and periods in path components https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.245 - [armhf] i2c: imx: use clk notifier for rate changes - [armhf] i2c: imx: Fix external abort on interrupt in exit paths - [armhf] i2c: mux: pca954x: Add missing pca9546 definition to chip_desc - [x86] Input: sunkbd - avoid use-after-free in teardown paths (CVE-2020-25669) - mac80211: always wind down STA state - [x86] KVM: x86: clflushopt should be treated as a no-op by emulation https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.246 - ah6: fix error return code in ah6_input() - atm: nicstar: Unmap DMA on send error - bnxt_en: read EEPROM A2h address using page 0 - devlink: Add missing genlmsg_cancel() in devlink_nl_sb_port_pool_fill() - inet_diag: Fix error path to cancel the meseage in inet_req_diag_fill() - net: b44: fix error return code in b44_init_one() - net: bridge: add missing counters to ndo_get_stats64 callback - net: Have netpoll bring-up DSA management interface - netlabel: fix our progress tracking in netlbl_unlabel_staticlist() - netlabel: fix an uninitialized warning in netlbl_unlabel_staticlist() - net/mlx4_core: Fix init_hca fields offset - net: x25: Increase refcnt of "struct x25_neigh" in x25_rx_call_request - qlcnic: fix error return code in qlcnic_83xx_restart_hw() - sctp: change to hold/put transport for proto_unreach_timer - net: usb: qmi_wwan: Set DTR quirk for MR400 - tcp: only postpone PROBE_RTT if RTT is < current min_rtt estimate - [armhf] pinctrl: rockchip: enable gpio pclk for rockchip_gpio_to_irq - [arm64] psci: Avoid printing in cpu_psci_cpu_die() - vfs: remove lockdep bogosity in __sb_start_write - [armhf] dts: imx6qdl-udoo: fix rgmii phy-mode for ksz9031 phy - [armhf] dts: imx50-evk: Fix the chip select 1 IOMUX - perf lock: Don't free "lock_seq_stat" if read_count isn't zero - can: dev: can_restart(): post buffer from the right context - can: peak_usb: fix potential integer overflow on shift of a int - [armhf] regulator: ti-abb: Fix array out of bound read access on the first transition - xfs: revert "xfs: fix rmap key and record comparison functions" - libfs: fix error cast of negative value in simple_attr_write() - ALSA: ctl: fix error path at adding user-defined element set - ALSA: mixart: Fix mutex deadlock - tty: serial: imx: keep console clocks always on - ext4: fix bogus warning in ext4_update_dx_flag() - [x86] iio: accel: kxcjk1013: Replace is_smo8500_device with an acpi_type enum - regulator: fix memory leak with repeated set_machine_constraints() - mac80211: minstrel: remove deferred sampling code - mac80211: minstrel: fix tx status processing corner case - mac80211: free sta in sta_info_insert_finish() on errors - [x86] microcode/intel: Check patch signature before saving microcode for early loading [ Ben Hutchings ] * fscrypto: Ignore ABI changes * xen/events: Ignore ABI changes * efivarfs: revert "fix memory leak in efivarfs_create()" (regression in 4.9.246) * [x86] speculation: Fix prctl() when spectre_v2_user={seccomp,prctl},ibpb (regressions in 4.9.228, 4.9.244) * regulator: avoid resolve_supply() infinite recursion (regression in 4.9.241) * regulator: workaround self-referent regulators (regression in 4.9.241) * bonding: wait for sysfs kobject destruction before freeing struct slave (regression in 4.9.226) * [x86] iommu/amd: Set DTE[IntTabLen] to represent 512 IRTEs (regression in 4.9.244) Source openssl1.0, binaries: libssl1.0.2:amd64 libssl1.0.2:arm64 openssl1.0 (1.0.2u-1~deb9u3) stretch-security; urgency=medium * Non-maintainer upload by the LTS team. * CVE-2020-1971: EDIPARTYNAME NULL pointer de-reference. Source lxml, binaries: python-lxml:amd64 python-lxml:arm64 lxml (3.7.1-1+deb9u2) stretch-security; urgency=high * Non-maintainer upload by the LTS Team. * CVE-2020-27783: Backport additional upstream commit a105ab8dc262ec6735977c25c13f0bdfcdec72a7 to address math/svg part of the vulnerability and complete the fix -- Steve McIntyre <93sam@debian.org> Thu, 17 Dec 2020 23:58:43 +0000 9.13.9-20201210 Updates in 4 source package(s), 14 binary package(s): Source apt, binaries: apt:amd64 apt-utils:amd64 libapt-inst2.0:amd64 libapt-pkg5.0:amd64 apt:arm64 apt-utils:arm64 libapt-inst2.0:arm64 libapt-pkg5.0:arm64 apt (1.4.11) stretch-security; urgency=high * SECURITY UPDATE: Integer overflow in parsing (LP: #1899193) - apt-pkg/contrib/arfile.cc: add extra checks. - apt-pkg/contrib/tarfile.cc: limit tar item sizes to 128 GiB - apt-pkg/deb/debfile.cc: limit control file sizes to 64 MiB - test/*: add tests. - CVE-2020-27350 * Additional hardening: - apt-pkg/contrib/tarfile.cc: Limit size of long names and links to 1 MiB + * Fix autopkgtest regression in 1.8.2.1 security update Source lxml, binaries: python-lxml:amd64 python-lxml:arm64 lxml (3.7.1-1+deb9u1) stretch-security; urgency=medium * Non-maintainer upload by the Debian LTS Team. * CVE-2018-19787: lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping. * CVE-2020-27783: Prevent combinations of