------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 8: 8.9 released                          press@debian.org
July 22nd, 2017              https://www.debian.org/News/2017/2017072202
------------------------------------------------------------------------

The Debian project is pleased to announce the ninth update of its oldstable distribution Debian 8 (codename "jessie"). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 8 but only updates some of the packages included. There is no need to throw away old "jessie" media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors.
A comprehensive list of mirrors is available at:

  https://www.debian.org/mirror/list


Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following packages:

+-----------------------------+---------------------------------------+
| Package                     | Reason                                |
+-----------------------------+---------------------------------------+
| 3dchess [1]                 | Reduce wasteful CPU consumption       |
|                             |                                       |
| apt-cacher [2]              | Prevent HTTP response splitting with  |
|                             | encoded newlines in request           |
|                             | [CVE-2017-7443]; make sure /var/run/  |
|                             | apt-cacher exists                     |
|                             |                                       |
| base-files [3]              | Update for the 8.9 point release      |
|                             |                                       |
| boinc [4]                   | Improve adjusting OOM score; fix      |
|                             | security issue with xhost             |
|                             |                                       |
| c-ares [5]                  | Security fix [CVE-2017-1000381]       |
|                             |                                       |
| cfitsio [6]                 | Fix crashes related to improper       |
|                             | memory handling                       |
|                             |                                       |
| chkrootkit [7]              | Fix segmentation fault; fix missing   |
|                             | dependency on openssh-client; add     |
|                             | Built-Using field                     |
|                             |                                       |
| cqrlog [8]                  | tools/cqrlog-apparmor-fix, debian/    |
|                             | postrm: Check for /etc/init.d/        |
|                             | apparmor before restarting apparmor   |
|                             |                                       |
| debconf [9]                 | Use File::Temp instead of the         |
|                             | deprecated POSIX::tmpnam() in         |
|                             | Debconf::TmpFile                      |
|                             |                                       |
| debian-archive-keyring [10] | Add stretch keys, and move squeeze    |
|                             | keys to removed keyring               |
|                             |                                       |
| debian-installer [11]       | Rebuild against proposed-updates      |
|                             |                                       |
| debian-installer-netboot-   | Rebuild against proposed-updates      |
| images [12]                 |                                       |
|                             |                                       |
| debian-security-            | Update support status of various      |
| support [13]                | packages; update translations         |
|                             |                                       |
| debootstrap [14]            | Add support for Buster and Bullseye   |
|                             |                                       |
| eterm [15]                  | Fix integer overflow preventing the   |
|                             | shell from starting/stopping properly |
|                             |                                       |
| flightgear [16]             | Prevent overriding arbitrary files    |
|                             | from the "save-flightplan"            |
|                             | FGCommand [CVE-2017-8921]             |
|                             |                                       |
| galternatives [17]          | Fix blank properties page             |
|                             |                                       |
| gitolite3 [18]              | Fix missing dependency on openssh-    |
|                             | client                                |
|                             |                                       |
| gnats [19]                  | gnats-user: do not fail to purge if / |
|                             | var/lib/gnats/gnats-db is not empty   |
|                             |                                       |
| gnutls28 [20]               | Improve check for /dev/urandom        |
|                             | uniqueness                            |
|                             |                                       |
| gtk+2.0 [21]                | Backport patch from GTK+3 to fix      |
|                             | stuck grabs in some situations        |
|                             |                                       |
| init-select [22]            | Check for /usr/lib/init-select/get-   |
|                             | init before calling it                |
|                             |                                       |
| intel-microcode [23]        | Update included microcode             |
|                             |                                       |
| libapache2-mod-perl2 [24]   | Fix test suite for compatibility with |
|                             | latest Apache 2 updates               |
|                             |                                       |
| libcgi-application-plugin-  | Fix missing dependency on one of      |
| anytemplate-perl [25]       | libclone-perl and libclone-pp-perl    |
|                             |                                       |
| libclamunrar [26]           | Fix arbitrary memory write [CVE-2012- |
|                             | 6706]                                 |
|                             |                                       |
| libdata-faker-perl [27]     | Run the test suite under a specific   |
|                             | locale                                |
|                             |                                       |
| libdvdnav [28]              | Use proper error handling when        |
|                             | position cannot be detected           |
|                             |                                       |
| libhtml-microformats-       | Fix missing dependency on libmodule-  |
| perl [29]                   | pluggable-perl                        |
|                             |                                       |
| libhttp-proxy-perl [30]     | Fix broken 'via' handling             |
|                             |                                       |
| libonig [31]                | Fix multiple invalid pointer          |
|                             | dereference, out-of-bounds write      |
|                             | memory corruption and stack buffer    |
|                             | overflow issues [CVE-2017-9224        |
|                             | CVE-2017-9226 CVE-2017-9227 CVE-2017- |
|                             | 9228 CVE-2017-9229]                   |
|                             |                                       |
| libosinfo [32]              | Add support for jessie and stretch    |
|                             |                                       |
| libsys-syscall-perl [33]    | Add support for more architectures    |
|                             |                                       |
| libterralib [34]            | Remove superfluous Conflicts/         |
|                             | Replaces: libterralib3 since that     |
|                             | causes problems upgrading to stretch  |
|                             | which has that package                |
|                             |                                       |
| libx11-protocol-other-      | Disable buggy test                    |
| perl [35]                   |                                       |
|                             |                                       |
| lxterminal [36]             | Security fix: improper use of /tmp    |
|                             | for a socket file                     |
|                             |                                       |
| netcfg [37]                 | IPv6 autoconfiguration: fix NTP       |
|                             | server name handling; stop queueing   |
|                             | rdnssd's installation with IPv6       |
|                             | setups                                |
|                             |                                       |
| offlineimap [38]            | Prevent the usage of maxage (broken   |
|                             | and may result in data loss)          |
|                             |                                       |
| os-prober [39]              | EFI: fix check on                     |
|                             | ID_PART_ENTRY_SCHEME, to look for     |
|                             | "dos" instead of "msdos"; make        |
|                             | Windows Vista detection more robust;  |
|                             | add support for Windows 10            |
|                             |                                       |
| pam [40]                    | Rebuild to fix multi-arch differences |
|                             |                                       |
| partman-ext3 [41]           | Force ext3|ext4 filesystem creation   |
|                             | with "-F" so that D-I doesn't         |
|                             | "hang" when re-using an existing      |
|                             | partition in some situations          |
|                             |                                       |
| perl [42]                   | Apply upstream base.pm no-dot-in-inc  |
|                             | fix                                   |
|                             |                                       |
| polarssl [43]               | Fix freeing of memory allocated on    |
|                             | stack when validating a public key    |
|                             | with a secp224k1 curve [CVE-2017-     |
|                             | 2784]                                 |
|                             |                                       |
| proftpd-dfsg [44]           | Fix "TLSDHParamFile directive         |
|                             | appears ignored because unexpected DH |
|                             | is chosen" [CVE-2016-3125],           |
|                             | "AllowChrootSymlinks off does not     |
|                             | check entire DefaultRoot path for     |
|                             | symlinks" [CVE-2017-7418]             |
|                             |                                       |
| python-colorlog [45]        | Fix python3 dependencies              |
|                             |                                       |
| python-plumbum [46]         | Fix python3 dependencies              |
|                             |                                       |
| rkhunter [47]               | Disable remote updates [CVE-2017-     |
|                             | 7480]                                 |
|                             |                                       |
| shutter [48]                | Fix insecure use of perl exec()       |
|                             | [CVE-2016-10081] and system()         |
|                             |                                       |
| tcpdf [49]                  | Security fix: disallow tcpdf calls in |
|                             | HTML [CVE-2017-6100]                  |
|                             |                                       |
| unrar-nonfree [50]          | Security fix: add bound checks for    |
|                             | VMSF_DELTA, VMSF_RGB and VMSF_AUDIO   |
|                             | parameters [CVE-2012-6706]            |
|                             |                                       |
| w3m [51]                    | Fix multiple buffer overflows, use    |
|                             | after free issues and an infinite     |
|                             | loop                                  |
|                             |                                       |
| xarchiver [52]              | Fix possible data loss due to shell   |
|                             | metacharacters                        |
|                             |                                       |
| xfce4-weather-plugin [53]   | Adapt to new weather website APIs     |
|                             |                                       |
+-----------------------------+---------------------------------------+

1: https://packages.debian.org/src:3dchess
2: https://packages.debian.org/src:apt-cacher
3: https://packages.debian.org/src:base-files
4: https://packages.debian.org/src:boinc
5: https://packages.debian.org/src:c-ares
6: https://packages.debian.org/src:cfitsio
7: https://packages.debian.org/src:chkrootkit
8: https://packages.debian.org/src:cqrlog
9: https://packages.debian.org/src:debconf
10: https://packages.debian.org/src:debian-archive-keyring
11: https://packages.debian.org/src:debian-installer
12: https://packages.debian.org/src:debian-installer-netboot-images
13: https://packages.debian.org/src:debian-security-support
14: https://packages.debian.org/src:debootstrap
15: https://packages.debian.org/src:eterm
16: https://packages.debian.org/src:flightgear
17: https://packages.debian.org/src:galternatives
18: https://packages.debian.org/src:gitolite3
19: https://packages.debian.org/src:gnats
20: https://packages.debian.org/src:gnutls28
21: https://packages.debian.org/src:gtk+2.0
22: https://packages.debian.org/src:init-select
23: https://packages.debian.org/src:intel-microcode
24: https://packages.debian.org/src:libapache2-mod-perl2
25: https://packages.debian.org/src:libcgi-application-plugin-anytemplate-perl
26: https://packages.debian.org/src:libclamunrar
27: https://packages.debian.org/src:libdata-faker-perl
28: https://packages.debian.org/src:libdvdnav
29: https://packages.debian.org/src:libhtml-microformats-perl
30: https://packages.debian.org/src:libhttp-proxy-perl
31: https://packages.debian.org/src:libonig
32: https://packages.debian.org/src:libosinfo
33: https://packages.debian.org/src:libsys-syscall-perl
34: https://packages.debian.org/src:libterralib
35: https://packages.debian.org/src:libx11-protocol-other-perl
36: https://packages.debian.org/src:lxterminal
37: https://packages.debian.org/src:netcfg
38: https://packages.debian.org/src:offlineimap
39: https://packages.debian.org/src:os-prober
40: https://packages.debian.org/src:pam
41: https://packages.debian.org/src:partman-ext3
42: https://packages.debian.org/src:perl
43: https://packages.debian.org/src:polarssl
44: https://packages.debian.org/src:proftpd-dfsg
45: https://packages.debian.org/src:python-colorlog
46: https://packages.debian.org/src:python-plumbum
47: https://packages.debian.org/src:rkhunter
48: https://packages.debian.org/src:shutter
49: https://packages.debian.org/src:tcpdf
50: https://packages.debian.org/src:unrar-nonfree
51: https://packages.debian.org/src:w3m
52: https://packages.debian.org/src:xarchiver
53: https://packages.debian.org/src:xfce4-weather-plugin


Security Updates
----------------

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:

+----------------+------------------------------+
| Advisory ID    | Package                      |
+----------------+------------------------------+
| DSA-3742 [54]  | flightgear [55]              |
|                |                              |
| DSA-3793 [56]  | shadow [57]                  |
|                |                              |
| DSA-3840 [58]  | mysql-connector-java [59]    |
|                |                              |
| DSA-3841 [60]  | libxstream-java [61]         |
|                |                              |
| DSA-3842 [62]  | tomcat7 [63]                 |
|                |                              |
| DSA-3843 [64]  | tomcat8 [65]                 |
|                |                              |
| DSA-3844 [66]  | tiff [67]                    |
|                |                              |
| DSA-3845 [68]  | libtirpc [69]                |
|                |                              |
| DSA-3845 [70]  | rpcbind [71]                 |
|                |                              |
| DSA-3846 [72]  | libytnef [73]                |
|                |                              |
| DSA-3847 [74]  | xen [75]                     |
|                |                              |
| DSA-3848 [76]  | git [77]                     |
|                |                              |
| DSA-3849 [78]  | kde4libs [79]                |
|                |                              |
| DSA-3850 [80]  | rtmpdump [81]                |
|                |                              |
| DSA-3851 [82]  | postgresql-9.4 [83]          |
|                |                              |
| DSA-3852 [84]  | squirrelmail [85]            |
|                |                              |
| DSA-3853 [86]  | bitlbee [87]                 |
|                |                              |
| DSA-3854 [88]  | bind9 [89]                   |
|                |                              |
| DSA-3855 [90]  | jbig2dec [91]                |
|                |                              |
| DSA-3856 [92]  | deluge [93]                  |
|                |                              |
| DSA-3857 [94]  | mysql-connector-java [95]    |
|                |                              |
| DSA-3859 [96]  | dropbear [97]                |
|                |                              |
| DSA-3860 [98]  | samba [99]                   |
|                |                              |
| DSA-3861 [100] | libtasn1-6 [101]             |
|                |                              |
| DSA-3862 [102] | puppet [103]                 |
|                |                              |
| DSA-3863 [104] | imagemagick [105]            |
|                |                              |
| DSA-3864 [106] | fop [107]                    |
|                |                              |
| DSA-3865 [108] | mosquitto [109]              |
|                |                              |
| DSA-3866 [110] | strongswan [111]             |
|                |                              |
| DSA-3867 [112] | sudo [113]                   |
|                |                              |
| DSA-3868 [114] | openldap [115]               |
|                |                              |
| DSA-3869 [116] | tnef [117]                   |
|                |                              |
| DSA-3870 [118] | wordpress [119]              |
|                |                              |
| DSA-3871 [120] | zookeeper [121]              |
|                |                              |
| DSA-3872 [122] | nss [123]                    |
|                |                              |
| DSA-3873 [124] | perl [125]                   |
|                |                              |
| DSA-3874 [126] | ettercap [127]               |
|                |                              |
| DSA-3875 [128] | libmwaw [129]                |
|                |                              |
| DSA-3876 [130] | otrs2 [131]                  |
|                |                              |
| DSA-3877 [132] | tor [133]                    |
|                |                              |
| DSA-3878 [134] | zziplib [135]                |
|                |                              |
| DSA-3879 [136] | libosip2 [137]               |
|                |                              |
| DSA-3880 [138] | libgcrypt20 [139]            |
|                |                              |
| DSA-3882 [140] | request-tracker4 [141]       |
|                |                              |
| DSA-3883 [142] | rt-authen-externalauth [143] |
|                |                              |
| DSA-3884 [144] | gnutls28 [145]               |
|                |                              |
| DSA-3885 [146] | irssi [147]                  |
|                |                              |
| DSA-3886 [148] | linux [149]                  |
|                |                              |
| DSA-3887 [150] | glibc [151]                  |
|                |                              |
| DSA-3888 [152] | exim4 [153]                  |
|                |                              |
| DSA-3889 [154] | libffi [155]                 |
|                |                              |
| DSA-3891 [156] | tomcat8 [157]                |
|                |                              |
| DSA-3892 [158] | tomcat7 [159]                |
|                |                              |
| DSA-3893 [160] | jython [161]                 |
|                |                              |
| DSA-3894 [162] | graphite2 [163]              |
|                |                              |
| DSA-3896 [164] | apache2 [165]                |
|                |                              |
| DSA-3897 [166] | drupal7 [167]                |
|                |                              |
| DSA-3898 [168] | expat [169]                  |
|                |                              |
| DSA-3899 [170] | vlc [171]                    |
|                |                              |
| DSA-3900 [172] | openvpn [173]                |
|                |                              |
| DSA-3901 [174] | libgcrypt20 [175]            |
|                |                              |
| DSA-3903 [176] | tiff [177]                   |
|                |                              |
| DSA-3904 [178] | bind9 [179]                  |
|                |                              |
| DSA-3905 [180] | xorg-server [181]            |
|                |                              |
| DSA-3907 [182] | spice [183]                  |
|                |                              |
| DSA-3910 [184] | knot [185]                   |
|                |                              |
| DSA-3911 [186] | evince [187]                 |
|                |                              |
| DSA-3912 [188] | heimdal [189]                |
|                |                              |
+----------------+------------------------------+

54: https://www.debian.org/security/2016/dsa-3742
55: https://packages.debian.org/src:flightgear
56: https://www.debian.org/security/2017/dsa-3793
57: https://packages.debian.org/src:shadow
58: https://www.debian.org/security/2017/dsa-3840
59: https://packages.debian.org/src:mysql-connector-java
60: https://www.debian.org/security/2017/dsa-3841
61: https://packages.debian.org/src:libxstream-java
62: https://www.debian.org/security/2017/dsa-3842
63: https://packages.debian.org/src:tomcat7
64: https://www.debian.org/security/2017/dsa-3843
65: https://packages.debian.org/src:tomcat8
66: https://www.debian.org/security/2017/dsa-3844
67: https://packages.debian.org/src:tiff
68: https://www.debian.org/security/2017/dsa-3845
69: https://packages.debian.org/src:libtirpc
70: https://www.debian.org/security/2017/dsa-3845
71: https://packages.debian.org/src:rpcbind
72: https://www.debian.org/security/2017/dsa-3846
73: https://packages.debian.org/src:libytnef
74: https://www.debian.org/security/2017/dsa-3847
75: https://packages.debian.org/src:xen
76: https://www.debian.org/security/2017/dsa-3848
77: https://packages.debian.org/src:git
78: https://www.debian.org/security/2017/dsa-3849
79: https://packages.debian.org/src:kde4libs
80: https://www.debian.org/security/2017/dsa-3850
81: https://packages.debian.org/src:rtmpdump
82: https://www.debian.org/security/2017/dsa-3851
83: https://packages.debian.org/src:postgresql-9.4
84: https://www.debian.org/security/2017/dsa-3852
85: https://packages.debian.org/src:squirrelmail
86: https://www.debian.org/security/2017/dsa-3853
87: https://packages.debian.org/src:bitlbee
88: https://www.debian.org/security/2017/dsa-3854
89: https://packages.debian.org/src:bind9
90: https://www.debian.org/security/2017/dsa-3855
91: https://packages.debian.org/src:jbig2dec
92: https://www.debian.org/security/2017/dsa-3856
93: https://packages.debian.org/src:deluge
94: https://www.debian.org/security/2017/dsa-3857
95: https://packages.debian.org/src:mysql-connector-java
96: https://www.debian.org/security/2017/dsa-3859
97: https://packages.debian.org/src:dropbear
98: https://www.debian.org/security/2017/dsa-3860
99: https://packages.debian.org/src:samba
100: https://www.debian.org/security/2017/dsa-3861
101: https://packages.debian.org/src:libtasn1-6
102: https://www.debian.org/security/2017/dsa-3862
103: https://packages.debian.org/src:puppet
104: https://www.debian.org/security/2017/dsa-3863
105: https://packages.debian.org/src:imagemagick
106: https://www.debian.org/security/2017/dsa-3864
107: https://packages.debian.org/src:fop
108: https://www.debian.org/security/2017/dsa-3865
109: https://packages.debian.org/src:mosquitto
110: https://www.debian.org/security/2017/dsa-3866
111: https://packages.debian.org/src:strongswan
112: https://www.debian.org/security/2017/dsa-3867
113: https://packages.debian.org/src:sudo
114: https://www.debian.org/security/2017/dsa-3868
115: https://packages.debian.org/src:openldap
116: https://www.debian.org/security/2017/dsa-3869
117: https://packages.debian.org/src:tnef
118: https://www.debian.org/security/2017/dsa-3870
119: https://packages.debian.org/src:wordpress
120: https://www.debian.org/security/2017/dsa-3871
121: https://packages.debian.org/src:zookeeper
122: https://www.debian.org/security/2017/dsa-3872
123: https://packages.debian.org/src:nss
124: https://www.debian.org/security/2017/dsa-3873
125: https://packages.debian.org/src:perl
126: https://www.debian.org/security/2017/dsa-3874
127: https://packages.debian.org/src:ettercap
128: https://www.debian.org/security/2017/dsa-3875
129: https://packages.debian.org/src:libmwaw
130: https://www.debian.org/security/2017/dsa-3876
131: https://packages.debian.org/src:otrs2
132: https://www.debian.org/security/2017/dsa-3877
133: https://packages.debian.org/src:tor
134: https://www.debian.org/security/2017/dsa-3878
135: https://packages.debian.org/src:zziplib
136: https://www.debian.org/security/2017/dsa-3879
137: https://packages.debian.org/src:libosip2
138: https://www.debian.org/security/2017/dsa-3880
139: https://packages.debian.org/src:libgcrypt20
140: https://www.debian.org/security/2017/dsa-3882
141: https://packages.debian.org/src:request-tracker4
142: https://www.debian.org/security/2017/dsa-3883
143: https://packages.debian.org/src:rt-authen-externalauth
144: https://www.debian.org/security/2017/dsa-3884
145: https://packages.debian.org/src:gnutls28
146: https://www.debian.org/security/2017/dsa-3885
147: https://packages.debian.org/src:irssi
148: https://www.debian.org/security/2017/dsa-3886
149: https://packages.debian.org/src:linux
150: https://www.debian.org/security/2017/dsa-3887
151: https://packages.debian.org/src:glibc
152: https://www.debian.org/security/2017/dsa-3888
153: https://packages.debian.org/src:exim4
154: https://www.debian.org/security/2017/dsa-3889
155: https://packages.debian.org/src:libffi
156: https://www.debian.org/security/2017/dsa-3891
157: https://packages.debian.org/src:tomcat8
158: https://www.debian.org/security/2017/dsa-3892
159: https://packages.debian.org/src:tomcat7
160: https://www.debian.org/security/2017/dsa-3893
161: https://packages.debian.org/src:jython
162: https://www.debian.org/security/2017/dsa-3894
163: https://packages.debian.org/src:graphite2
164: https://www.debian.org/security/2017/dsa-3896
165: https://packages.debian.org/src:apache2
166: https://www.debian.org/security/2017/dsa-3897
167: https://packages.debian.org/src:drupal7
168: https://www.debian.org/security/2017/dsa-3898
169: https://packages.debian.org/src:expat
170: https://www.debian.org/security/2017/dsa-3899
171: https://packages.debian.org/src:vlc
172: https://www.debian.org/security/2017/dsa-3900
173: https://packages.debian.org/src:openvpn
174: https://www.debian.org/security/2017/dsa-3901
175: https://packages.debian.org/src:libgcrypt20
176: https://www.debian.org/security/2017/dsa-3903
177: https://packages.debian.org/src:tiff
178: https://www.debian.org/security/2017/dsa-3904
179: https://packages.debian.org/src:bind9
180: https://www.debian.org/security/2017/dsa-3905
181: https://packages.debian.org/src:xorg-server
182: https://www.debian.org/security/2017/dsa-3907
183: https://packages.debian.org/src:spice
184: https://www.debian.org/security/2017/dsa-3910
185: https://packages.debian.org/src:knot
186: https://www.debian.org/security/2017/dsa-3911
187: https://packages.debian.org/src:evince
188: https://www.debian.org/security/2017/dsa-3912
189: https://packages.debian.org/src:heimdal


Removed packages
----------------

The following packages were removed due to circumstances beyond our control:

+-------------------------------+--------------------------------------+
| Package                       | Reason                               |
+-------------------------------+--------------------------------------+
| ears [190]                    | Requires unavailable python-         |
|                               | musicbrainz                          |
|                               |                                      |
| gnuvd [191]                   | Broken by upstream site changes      |
|                               |                                      |
| hbro [192]                    | Segfaults on all usage               |
|                               |                                      |
| hbro-contrib [193]            | Build-depends on to-be-removed hbro  |
|                               |                                      |
| lshell [194]                  | Security issues                      |
|                               |                                      |
| pgsnap [195]                  | Incompatible with current PostgreSQL |
|                               | versions                             |
|                               |                                      |
| python-django-authority [196] | Incompatible with Django 1.7         |
|                               |                                      |
| rant [197]                    | Broken                               |
|                               |                                      |
+-------------------------------+--------------------------------------+

190: https://packages.debian.org/src:ears
191: https://packages.debian.org/src:gnuvd
192: https://packages.debian.org/src:hbro
193: https://packages.debian.org/src:hbro-contrib
194: https://packages.debian.org/src:lshell
195: https://packages.debian.org/src:pgsnap
196: https://packages.debian.org/src:python-django-authority
197: https://packages.debian.org/src:rant


Debian Installer
----------------

The installer has been updated to include the fixes incorporated into oldstable by the point release.


URLs
----

The complete lists of packages that have changed with this revision:

  http://ftp.debian.org/debian/dists/jessie/ChangeLog

The current oldstable distribution:

  http://ftp.debian.org/debian/dists/oldstable/

Proposed updates to the oldstable distribution:

  http://ftp.debian.org/debian/dists/oldstable-proposed-updates

oldstable distribution information (release notes, errata etc.):

  https://www.debian.org/releases/oldstable/

Security announcements and information:

  https://security.debian.org/


About Debian
------------

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.


Contact Information
-------------------

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.