10.10 Update
Firefox Mac OS X 10.9, 10.10 and 10.11 users move to Extended Support Release. Firefox version 78 is the last supported Firefox version for Mac users of OS X 10.9 Mavericks, OS X 10.10 Yosemite and OS X 10.11 El Capitan. These users will be moved to the Firefox Extended Support Release (ESR) channel by an application update.
Applies to
- Windows 10, Windows 8.1, Windows 8, Windows 7
What is a servicing stack update?
Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the 'component-based servicing stack' (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month.
Why should servicing stack updates be installed and kept up to date?
Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
When are they released?
Servicing stack updates are released depending on new issues or vulnerabilities. On rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as 'Security' with a severity rating of 'Critical.'
Note
You can find a list of servicing stack updates at Latest servicing stack updates.
What's the difference between a servicing stack update and a cumulative update?
Both Windows 10 and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates.
Servicing stack updates must ship separately from the cumulative updates because they modify the component that installs Windows updates. The servicing stack is released separately because the servicing stack itself requires an update. For example, the cumulative update KB4284880 requires the May 17, 2018 servicing stack update, which includes updates to Windows Update.
Is there any special guidance?
Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update.
Typically, the improvements are reliability and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes.
Installation notes
- Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system.
- Installing a servicing stack update does not require restarting the device, so installation should not be disruptive.
- Servicing stack update releases are specific to the operating system version (build number), much like quality updates.
- Servicing stack updates can be delivered with Windows Update, or you can perform a search to install the latest available at Servicing stack update for Windows 10.
- Once a servicing stack update is installed, it cannot be removed or uninstalled from the machine.
Simplifying on-premises deployment of servicing stack updates
With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update will include the latest servicing stack updates, to provide a single cumulative update payload to both Windows Server Update Services (WSUS) and Microsoft Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you will only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update will be available on Windows 10, version 2004 and later starting with the 2021 2C release, KB4601382.
June 19th, 2021
The Debian project is pleased to announce the tenth update of its stable distribution Debian 10 (codename buster). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 10 but only updates some of the packages included. There is no need to throw away old buster media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
eterm | Fix code execution issue [CVE-2021-33477] |
exactimage | Fix build with C++11 and OpenEXR 2.5.x |
fig2dev | Fix buffer overflow [CVE-2021-3561]; several output fixes; rebuild testsuite during build and in autopkgtest |
fluidsynth | Fix use-after-free issue [CVE-2021-28421] |
freediameter | Fix denial of service issue [CVE-2020-6098] |
fwupd | Fix generation of the vendor SBAT string; stop using dpkg-dev in fwupd.preinst; new upstream stable version |
fwupd-amd64-signed | Sync with fwupd |
fwupd-arm64-signed | Sync with fwupd |
fwupd-armhf-signed | Sync with fwupd |
fwupd-i386-signed | Sync with fwupd |
fwupdate | Improve SBAT support |
fwupdate-amd64-signed | Sync with fwupdate |
fwupdate-arm64-signed | Sync with fwupdate |
fwupdate-armhf-signed | Sync with fwupdate |
fwupdate-i386-signed | Sync with fwupdate |
glib2.0 | Fix several integer overflow issues [CVE-2021-27218 CVE-2021-27219]; fix a symlink attack affecting file-roller [CVE-2021-28153] |
gnutls28 | Fix null-pointer dereference issue [CVE-2020-24659]; add several improvements to memory reallocation |
golang-github-docker-docker-credential-helpers | Fix double free issue [CVE-2019-1020014] |
htmldoc | Fix buffer overflow issues [CVE-2019-19630 CVE-2021-20308] |
ipmitool | Fix buffer overflow issues [CVE-2020-5208] |
ircii | Fix denial of service issue [CVE-2021-29376] |
isc-dhcp | Fix buffer overrun issue [CVE-2021-25217] |
isync | Reject funny mailbox names from IMAP LIST/LSUB [CVE-2021-20247]; fix handling of unexpected APPENDUID response code [CVE-2021-3578] |
jackson-databind | Fix external entity expansion issue [CVE-2020-25649] and several serialization-related issues [CVE-2020-24616 CVE-2020-24750 CVE-2020-35490 CVE-2020-35491 CVE-2020-35728 CVE-2020-36179 CVE-2020-36180 CVE-2020-36181 CVE-2020-36182 CVE-2020-36183 CVE-2020-36184 CVE-2020-36185 CVE-2020-36186 CVE-2020-36187 CVE-2020-36188 CVE-2020-36189 CVE-2021-20190] |
klibc | malloc: Set errno on failure; fix several overflow issues [CVE-2021-31873 CVE-2021-31870 CVE-2021-31872]; cpio: Fix possible crash on 64-bit systems [CVE-2021-31871]; {set,long}jmp [s390x]: save/restore the correct FPU registers |
libbusiness-us-usps-webtools-perl | Update to new US-USPS API |
libgcrypt20 | Fix weak ElGamal encryption with keys not generated by GnuPG/libgcrypt [CVE-2021-33560] |
libgetdata | Fix use after free issue [CVE-2021-20204] |
libmateweather | Adapt to renaming of America/Godthab to America/Nuuk in tzdata |
libxml2 | Fix out-of-bounds read in xmllint [CVE-2020-24977]; fix use-after-free issues in xmllint [CVE-2021-3516 CVE-2021-3518]; validate UTF8 in xmlEncodeEntities [CVE-2021-3517]; propagate error in xmlParseElementChildrenContentDeclPriv; fix exponential entity expansion attack [CVE-2021-3541] |
liferea | Fix compatibility with webkit2gtk >= 2.32 |
linux | New upstream stable release; increase ABI to 17; [rt] Update to 4.19.193-rt81 |
linux-latest | Update to 4.19.0-17 ABI |
linux-signed-amd64 | New upstream stable release; increase ABI to 17; [rt] Update to 4.19.193-rt81 |
linux-signed-arm64 | New upstream stable release; increase ABI to 17; [rt] Update to 4.19.193-rt81 |
linux-signed-i386 | New upstream stable release; increase ABI to 17; [rt] Update to 4.19.193-rt81 |
mariadb-10.3 | New upstream release; security fixes [CVE-2021-2154 CVE-2021-2166 CVE-2021-27928]; fix Innotop support; ship caching_sha2_password.so |
mqtt-client | Fix denial of service issue [CVE-2019-0222] |
mumble | Fix remote code execution issue [CVE-2021-27229] |
mupdf | Fix use-after-free issue [CVE-2020-16600] and double free issue [CVE-2021-3407] |
nmap | Update included MAC prefix list |
node-glob-parent | Fix regular expression denial of service issue [CVE-2020-28469] |
node-handlebars | Fix code execution issues [CVE-2019-20920 CVE-2021-23369] |
node-hosted-git-info | Fix regular expression denial of service issue [CVE-2021-23362] |
node-redis | Fix regular expression denial of service issue [CVE-2021-29469] |
node-ws | Fix regular expression-related denial of service issue [CVE-2021-32640] |
nvidia-graphics-drivers | Fix improper access control vulnerability [CVE-2021-1076] |
nvidia-graphics-drivers-legacy-390xx | Fix improper access control vulnerability [CVE-2021-1076]; fix installation failure on Linux 5.11 release candidates |
opendmarc | Fix heap overflow issue [CVE-2020-12460] |
openvpn | Fix illegal client float issue [CVE-2020-11810]; ensure key state is authenticated before sending push reply [CVE-2020-15078]; increase listen() backlog queue to 32 |
php-horde-text-filter | Fix cross-site scripting issue [CVE-2021-26929] |
plinth | Use session to verify first boot welcome step |
ruby-websocket-extensions | Fix denial of service issue [CVE-2020-7663] |
rust-rustyline | Fix build with newer rustc |
rxvt-unicode | Disable ESC G Q escape sequence [CVE-2021-33477] |
sabnzbdplus | Fix code execution vulnerability [CVE-2020-13124] |
scrollz | Fix denial of service issue [CVE-2021-29376] |
shim | New upstream release; add SBAT support; fix i386 binary relocations; don't call QueryVariableInfo() on EFI 1.10 machines (e.g. older Intel Macs); fix handling of ignore_db and user_insecure_mode; add maintainer scripts to the template packages to manage installing and removing fbXXX.efi and mmXXX.efi when we install/remove the shim-helpers-$arch-signed packages; exit cleanly if installed on a non-EFI system; don't fail if debconf calls return errors |
shim-helpers-amd64-signed | Sync with shim |
shim-helpers-arm64-signed | Sync with shim |
shim-helpers-i386-signed | Sync with shim |
shim-signed | Update for new shim; multiple bugfixes in postinst and postrm handling; provide unsigned binaries for arm64 (see NEWS.Debian); exit cleanly if installed on a non-EFI system; don't fail if debconf calls return errors; fix documentation links; build against shim-unsigned 15.4-5~deb10u1; add explicit dependency from shim-signed to shim-signed-common |
speedtest-cli | Handle case where ignoreids is empty or contains empty ids |
tnef | Fix buffer over-read issue [CVE-2019-18849] |
uim | libuim-data: Copy Breaks from uim-data, fixing some upgrade scenarios |
user-mode-linux | Rebuild against Linux kernel 4.19.194-1 |
velocity | Fix potential arbitrary code execution issue [CVE-2020-13936] |
wml | Fix regression in Unicode handling |
xfce4-weather-plugin | Move to version 2.0 met.no API |
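To turn the table above into a per-host triage list, the following added example (not part of the Debian announcement) parses its `package | reason [CVE-...] |` rows and reports which installed packages the point release touches, security fixes first. The `INSTALLED` set is a constructed sample, and the function names are hypothetical.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# A few rows taken from the table above, plus one row with an empty cell
# (as in "golang-1.11 | |") to show how incomplete rows are handled.
ANNOUNCEMENT_ROWS = """\
glib2.0 | Fix several integer overflow issues [CVE-2021-27218 CVE-2021-27219]; fix a symlink attack affecting file-roller [CVE-2021-28153] |
isc-dhcp | Fix buffer overrun issue [CVE-2021-25217] |
nmap | Update included MAC prefix list |
openvpn | Fix illegal client float issue [CVE-2020-11810]; ensure key state is authenticated before sending push reply [CVE-2020-15078]; increase listen() backlog queue to 32 |
golang-1.11 | |
"""

# Constructed sample: source package names present on a hypothetical host,
# e.g. collected with: dpkg-query -W -f='${source:Package}\n' | sort -u
INSTALLED = {"glib2.0", "openvpn", "nmap", "openssl"}


def parse_rows(text):
    """Return {package: {"reason": str, "cves": [ids]}} from 'pkg | reason |' rows."""
    fixes = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 2 or not cells[0] or not cells[1]:
            continue  # skip blank lines and rows with a missing cell
        package, reason = cells[0], cells[1]
        # Keep each CVE once, in the order the announcement lists them.
        cves = list(dict.fromkeys(CVE_RE.findall(reason)))
        fixes[package] = {"reason": reason, "cves": cves}
    return fixes


def triage(fixes, installed):
    """Installed packages touched by the point release, CVE fixes first."""
    hits = [(pkg, info) for pkg, info in fixes.items() if pkg in installed]
    hits.sort(key=lambda h: (not h[1]["cves"], h[0]))
    return hits


if __name__ == "__main__":
    for pkg, info in triage(parse_rows(ANNOUNCEMENT_ROWS), INSTALLED):
        print(f"{pkg}: {', '.join(info['cves']) or 'no CVE listed'}")
```

The table lists source package names, so the installed set should be built from source names rather than binary package names.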
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
golang-1.11 | |
DSA-4865 | docker.io |
DSA-4873 | squid |
DSA-4874 | firefox-esr |
DSA-4875 | openssl |
DSA-4877 | webkit2gtk |
DSA-4878 | pygments |
DSA-4879 | spamassassin |
DSA-4880 | lxml |
DSA-4881 | curl |
DSA-4882 | openjpeg2 |
DSA-4883 | underscore |
DSA-4884 | ldb |
DSA-4885 | netty |
DSA-4886 | chromium |
DSA-4887 | lib3mf |
DSA-4888 | xen |
DSA-4889 | mediawiki |
DSA-4890 | ruby-kramdown |
DSA-4891 | tomcat9 |
DSA-4892 | python-bleach |
DSA-4893 | xorg-server |
DSA-4894 | php-pear |
DSA-4895 | firefox-esr |
DSA-4896 | wordpress |
DSA-4898 | wpa |
DSA-4899 | openjdk-11-jre-dcevm |
DSA-4899 | openjdk-11 |
DSA-4900 | gst-plugins-good1.0 |
DSA-4901 | gst-libav1.0 |
DSA-4902 | gst-plugins-bad1.0 |
DSA-4903 | gst-plugins-base1.0 |
DSA-4904 | gst-plugins-ugly1.0 |
DSA-4905 | shibboleth-sp |
DSA-4907 | composer |
DSA-4908 | libhibernate3-java |
DSA-4909 | bind9 |
DSA-4910 | libimage-exiftool-perl |
DSA-4912 | exim4 |
DSA-4913 | hivex |
DSA-4914 | graphviz |
DSA-4915 | postgresql-11 |
DSA-4916 | prosody |
DSA-4918 | ruby-rack-cors |
DSA-4919 | lz4 |
DSA-4920 | libx11 |
DSA-4921 | nginx |
DSA-4922 | hyperkitty |
DSA-4923 | webkit2gtk |
DSA-4924 | squid |
DSA-4925 | firefox-esr |
DSA-4926 | lasso |
DSA-4928 | htmldoc |
DSA-4929 | rails |
DSA-4930 | libwebp |
Removed packages
The following packages were removed due to circumstances beyond our control:
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
stable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.