Debian 10 "Buster" RC2 to be Available

The release candidate brings many changes and updates, and the community should expect the final release on the 6th of July.
28 June 2019

The second release candidate of the installer for the major Debian 10 "Buster" update has been released. There are currently 75 critical bugs blocking the release (two weeks ago there were 98, and a month and a half ago 132). The testing branch has been moved to a full freeze, with exceptions made only for emergency fixes. The final release of Debian 10 is expected on July 6th.

Compared with the previous test release, the installer has the following changes:

  • A section called "Unlocking LUKS devices from GRUB" has been added to cryptsetup, which points to a guide for setting up partition unlocking at the GRUB level;
  • Verification keys for the Buster release were added to debian-archive-keyring;
  • A working image was prepared that fits a 16 GB USB Flash. The package selection process is optimized to fit a multi-arch firmware into a 700 megabyte image, from which the i686 PAE kernel is excluded;
  • The haveged-udeb package has been added to address the insufficient entropy available to the pseudo-random number generator;
  • The dark theme was renamed to high contrast (Accessible high contrast);
  • Support for verified boot (UEFI Secure Boot) is included for the amd64 architecture. To make Secure Boot work, the shim loader, digitally signed by Microsoft (shim-signed), is used together with a kernel and a GRUB loader (grub-efi-amd64-signed) signed with the project's own certificate (shim acts as an intermediate layer that lets the distribution use its own keys). The shim-signed and grub-efi-ARCH-signed packages are included in the build dependencies for amd64, i386 and arm64. The loader and GRUB, signed with a working certificate, are included in the EFI images for amd64, i386 and arm64;
  • Support for downloadable (netboot) images for SD cards was added;
  • U-Boot images for the a64-olinuxino, orangepi_zero_plus2 and teres_i boards were added;
  • Support for NanoPi NEO2 and Marvell 8040 MACCHIATOBin was added;
  • All drivers have been added to the kernel-image package to support hardware-based pseudo-random number generators, and all keyboard drivers have been added to the input-modules package.

More information is available in the official announcement email.

Two Vulnerabilities Found in SDL

Two of six serious vulnerabilities in this cross-platform multimedia library create conditions for remote code execution.
04 July 2019

Six vulnerabilities have been found in the SDL (Simple DirectMedia Layer) library set, which provides tools for hardware-accelerated 2D and 3D graphics rendering, input processing, audio playback, 3D output via OpenGL / OpenGL ES, and many other related operations. Among them, two problems discovered in the SDL2_image library allow remote code execution on the system. Applications that use SDL to load images can be attacked.

Both vulnerabilities (CVE-2019-5051, CVE-2019-5051) are present in the IMG_LoadPCX_RW function and are caused by a missing error handler and an integer overflow, which can be exploited by supplying a specially crafted PCX file. The issues have already been fixed in the SDL_image 2.0.5 release. Information about the remaining 4 vulnerabilities has not yet been disclosed.
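The integer-overflow bug class described above, as an added C example (not SDL_image's code and not taken from the Talos reports): multiplying file-controlled PCX header fields in 32 bits can wrap to a tiny buffer size, while the hardened helper validates the fields and computes the size in 64 bits against a cap. The function names, the cap and the sample header are constructed for illustration; the field offsets follow the standard 128-byte PCX header layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PCX_HDR_LEN 128          /* fixed size of a PCX file header */

/* Little-endian 16-bit field read. */
static uint32_t rd16(const uint8_t *p) { return p[0] | ((uint32_t)p[1] << 8); }

/* Bug class: a 32-bit product of file-controlled fields wraps silently. */
uint32_t size_unchecked(uint32_t bpl, uint32_t planes, uint32_t height)
{
    return bpl * planes * height;
}

/* Hardened (hypothetical helper): validate the header, then compute the
 * decoded size in 64 bits and enforce a caller-supplied cap.
 * Returns 0 and sets *out on success, -1 on any malformed field. */
int pcx_decoded_size(const uint8_t *h, size_t len, uint64_t cap, uint64_t *out)
{
    if (len < PCX_HDR_LEN || h[0] != 0x0A) return -1;   /* manufacturer byte */
    uint32_t bpp = h[3], planes = h[65], bpl = rd16(h + 66);
    uint32_t xmin = rd16(h + 4), ymin = rd16(h + 6);
    uint32_t xmax = rd16(h + 8), ymax = rd16(h + 10);
    if (bpp != 1 && bpp != 2 && bpp != 4 && bpp != 8) return -1;
    if (planes < 1 || planes > 4) return -1;
    if (xmax < xmin || ymax < ymin) return -1;          /* inverted window */
    uint32_t width = xmax - xmin + 1, height = ymax - ymin + 1;
    if (bpl < (width * bpp + 7) / 8) return -1;         /* row too short */
    uint64_t total = (uint64_t)bpl * planes * height;   /* cannot wrap in 64 bits */
    if (total > cap) return -1;                         /* refuse oversized image */
    *out = total;
    return 0;
}

int main(void)
{
    uint8_t h[PCX_HDR_LEN] = {0};                       /* constructed header */
    h[0] = 0x0A; h[3] = 8; h[65] = 4;                   /* 8 bpp, 4 planes */
    h[8] = 0xFF; h[9] = 0x3F;                           /* xmax = 16383 */
    h[10] = 0xFF; h[11] = 0xFF;                         /* ymax = 65535 */
    h[66] = 0x00; h[67] = 0x40;                         /* bytes per line = 16384 */
    uint64_t n = 0;
    printf("unchecked size: %u\n", size_unchecked(16384, 4, 65536));
    printf("checked result: %d\n", pcx_decoded_size(h, sizeof h, 1u << 28, &n));
    return 0;
}
```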

The vulnerabilities were found by Talos, and more information is available on their website.