------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 9: 9.1 released                          press@debian.org
July 22nd, 2017                https://www.debian.org/News/2017/20170722
------------------------------------------------------------------------

The Debian project is pleased to announce the first update of its stable
distribution Debian 9 (codename "stretch"). This point release mainly
adds corrections for security issues, along with a few adjustments for
serious problems. Security advisories have already been published
separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 9 but only updates some of the packages included. There is no
need to throw away old "stretch" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

  https://www.debian.org/mirror/list


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

+--------------------------+------------------------------------------+
| Package                  | Reason                                   |
+--------------------------+------------------------------------------+
| 3dchess [1]              | Reduce wasteful CPU consumption          |
|                          |                                          |
| adwaita-icon-theme [2]   | Fix malformed send-to-symbolic icon      |
|                          |                                          |
| anope [3]                | Fix incorrect mail-transport-agent       |
|                          | relationship                             |
|                          |                                          |
| apt [4]                  | Reset failure reason when connection was |
|                          | successful, so later errors are reported |
|                          | as such and not as "connection failure"  |
|                          | warnings; http: A response with          |
|                          | Content-Length: 0 has no content, so     |
|                          | don't try to read it; use port from SRV  |
|                          | record instead of initial port           |
|                          |                                          |
| avogadro [5]             | Update eigen3 patches                    |
|                          |                                          |
| base-files [6]           | Update for the 9.1 point release         |
|                          |                                          |
| c-ares [7]               | Security fix [CVE-2017-1000381]          |
|                          |                                          |
| debian-edu-doc [8]       | Update Debian Edu Stretch manual from    |
|                          | the wiki; update translations            |
|                          |                                          |
| debsecan [9]             | Add support for stretch and buster;      |
|                          | Python needs https_proxy for proxy       |
|                          | configuration with https:// URLs         |
|                          |                                          |
| devscripts [10]          | debchange: target stretch-backports with |
|                          | --bpo; support $codename{,-{proposed-    |
|                          | updates,security}}; bts: add support for |
|                          | the new "a11y" tag                       |
|                          |                                          |
| dgit [11]                | Multiple bugfixes                        |
|                          |                                          |
| dovecot [12]             | Fix syntax errors when sending Solr      |
|                          | queries                                  |
|                          |                                          |
| dwarfutils [13]          | Security fixes [CVE-2017-9052            |
|                          | CVE-2017-9053 CVE-2017-9054              |
|                          | CVE-2017-9055 CVE-2017-9998]             |
|                          |                                          |
| fpc [14]                 | Fix conversion from local time to UTC    |
|                          |                                          |
| galternatives [15]       | Fix blank window when displaying         |
|                          | properties                               |
|                          |                                          |
| geolinks [16]            | Fix python3 dependencies                 |
|                          |                                          |
| gnats [17]               | gnats-user: do not fail to purge if      |
|                          | /var/lib/gnats/gnats-db is not empty     |
|                          |                                          |
| gnome-settings-          | Do not add the "US" keyboard layout by   |
| daemon [18]              | default for new users, for some reason,  |
|                          | this layout was preferred over the       |
|                          | system configured one on the first       |
|                          | login; preserve NumLock state between    |
|                          | sessions by default                      |
|                          |                                          |
| gnuplot [19]             | Fix memory corruption vulnerability      |
|                          |                                          |
| gnutls28 [20]            | Fix breakage with AES-GCM in-place       |
|                          | encryption and decryption on aarch64     |
|                          |                                          |
| grub-installer [21]      | Fix support for systems with a large     |
|                          | number of disks                          |
|                          |                                          |
| intel-microcode [22]     | Update included microcode                |
|                          |                                          |
| libclamunrar [23]        | Fix arbitrary memory write               |
|                          | [CVE-2012-6706]                          |
|                          |                                          |
| libopenmpt [24]          | Security fixes: out-of-bounds read while |
|                          | loading a malformed PLM file; arbitrary  |
|                          | code execution by a crafted PSM file     |
|                          | [CVE-2017-11311]; various security fixes |
|                          |                                          |
| libquicktime [25]        | Security fixes [CVE-2017-9122            |
|                          | CVE-2017-9123 CVE-2017-9124              |
|                          | CVE-2017-9125 CVE-2017-9126              |
|                          | CVE-2017-9127 CVE-2017-9128]             |
|                          |                                          |
| linux-latest [26]        | Revert changes to debug symbol           |
|                          | meta-packages                            |
|                          |                                          |
| nagios-nrpe [27]         | Restore previous SSL defaults            |
|                          |                                          |
| nvidia-graphics-         | Bump Pre-Depends:                        |
| drivers [28]             | nvidia-installer-cleanup to              |
|                          | (>= 20151021) for smoother upgrades from |
|                          | jessie                                   |
|                          |                                          |
| octave-ocs [29]          | Fix loading package functions            |
|                          |                                          |
| open-iscsi [30]          | Speed up Debian Installer when iSCSI is  |
|                          | not used                                 |
|                          |                                          |
| openssh [31]             | Fix incoming compression statistics      |
|                          |                                          |
| openstack-debian-        | Also add security updates for non        |
| images [32]              | wheezy/jessie                            |
|                          |                                          |
| os-prober [33]           | EFI - look for "dos" instead of          |
|                          | "msdos"                                  |
|                          |                                          |
| osinfo-db [34]           | Improve support for Stretch and Jessie   |
|                          |                                          |
| partman-base [35]        | Protect the firmware area on all mmcblk  |
|                          | devices (and not only on mmcblk0) from   |
|                          | being clobbered during guided            |
|                          | partitioning                             |
|                          |                                          |
| pdns-recursor [36]       | Add 2017 DNSSEC root key                 |
|                          |                                          |
| perl [37]                | Backport various Getopt-Long fixes from  |
|                          | upstream 2.49..2.51; backport upstream   |
|                          | patch fixing regexp "Malformed UTF-8     |
|                          | character"; apply upstream base.pm       |
|                          | no-dot-in-inc fix                        |
|                          |                                          |
| phpunit [38]             | Security fix: arbitrary PHP code         |
|                          | execution via HTTP POST                  |
|                          |                                          |
| protozero [39]           | Fix data_view equality operator          |
|                          |                                          |
| pulseaudio [40]          | Fix copyright file                       |
|                          |                                          |
| pykde4 [41]              | Drop bindings for plasma webview         |
|                          | bindings; they're obsolete and           |
|                          | non-functional                           |
|                          |                                          |
| python-colorlog [42]     | Fix python3 dependencies                 |
|                          |                                          |
| python-imaplib2 [43]     | Fix python3 dependencies                 |
|                          |                                          |
| python-plumbum [44]      | Fix python3 dependencies                 |
|                          |                                          |
| qgis [45]                | Fix missing Breaks/Replaces against      |
|                          | python-qgis-common                       |
|                          |                                          |
| request-tracker4 [46]    | Handle configuration permissions         |
|                          | correctly following RT_SiteConfig.d      |
|                          | changes                                  |
|                          |                                          |
| retext [47]              | Backport upstream fix for crash in       |
|                          | XSettings code; fix syntax in appdata    |
|                          | XML file                                 |
|                          |                                          |
| rkhunter [48]            | Disable remote updates [CVE-2017-7480]   |
|                          |                                          |
| socat [49]               | Fix signals leading to possible 100% CPU |
|                          | usage                                    |
|                          |                                          |
| squashfs-tools [50]      | Fix corruption of large files; fix rare  |
|                          | race condition                           |
|                          |                                          |
| systemd [51]             | Fix out-of-bounds write in               |
|                          | systemd-resolved [CVE-2017-9445]; be     |
|                          | truly quiet in systemctl -q is-enabled;  |
|                          | improve RLIMIT_NOFILE handling;          |
|                          | debian/extra/rules: Use updated U2F      |
|                          | ruleset                                  |
|                          |                                          |
| thermald [52]            | Add Broadwell-GT3E and Kabylake support  |
|                          |                                          |
| unrar-nonfree [53]       | Add bound checks for VMSF_DELTA,         |
|                          | VMSF_RGB and VMSF_AUDIO parameters       |
|                          | [CVE-2012-6706]                          |
|                          |                                          |
| win32-loader [54]        | Replace all mirror urls with             |
|                          | deb.debian.org; drop bz2 compression for |
|                          | source                                   |
|                          |                                          |
+--------------------------+------------------------------------------+

    1: https://packages.debian.org/src:3dchess
    2: https://packages.debian.org/src:adwaita-icon-theme
    3: https://packages.debian.org/src:anope
    4: https://packages.debian.org/src:apt
    5: https://packages.debian.org/src:avogadro
    6: https://packages.debian.org/src:base-files
    7: https://packages.debian.org/src:c-ares
    8: https://packages.debian.org/src:debian-edu-doc
    9: https://packages.debian.org/src:debsecan
   10: https://packages.debian.org/src:devscripts
   11: https://packages.debian.org/src:dgit
   12: https://packages.debian.org/src:dovecot
   13: https://packages.debian.org/src:dwarfutils
   14: https://packages.debian.org/src:fpc
   15: https://packages.debian.org/src:galternatives
   16: https://packages.debian.org/src:geolinks
   17: https://packages.debian.org/src:gnats
   18: https://packages.debian.org/src:gnome-settings-daemon
   19: https://packages.debian.org/src:gnuplot
   20: https://packages.debian.org/src:gnutls28
   21: https://packages.debian.org/src:grub-installer
   22: https://packages.debian.org/src:intel-microcode
   23: https://packages.debian.org/src:libclamunrar
   24: https://packages.debian.org/src:libopenmpt
   25: https://packages.debian.org/src:libquicktime
   26: https://packages.debian.org/src:linux-latest
   27: https://packages.debian.org/src:nagios-nrpe
   28: https://packages.debian.org/src:nvidia-graphics-drivers
   29: https://packages.debian.org/src:octave-ocs
   30: https://packages.debian.org/src:open-iscsi
   31: https://packages.debian.org/src:openssh
   32: https://packages.debian.org/src:openstack-debian-images
   33: https://packages.debian.org/src:os-prober
   34: https://packages.debian.org/src:osinfo-db
   35: https://packages.debian.org/src:partman-base
   36: https://packages.debian.org/src:pdns-recursor
   37: https://packages.debian.org/src:perl
   38: https://packages.debian.org/src:phpunit
   39: https://packages.debian.org/src:protozero
   40: https://packages.debian.org/src:pulseaudio
   41: https://packages.debian.org/src:pykde4
   42: https://packages.debian.org/src:python-colorlog
   43: https://packages.debian.org/src:python-imaplib2
   44: https://packages.debian.org/src:python-plumbum
   45: https://packages.debian.org/src:qgis
   46: https://packages.debian.org/src:request-tracker4
   47: https://packages.debian.org/src:retext
   48: https://packages.debian.org/src:rkhunter
   49: https://packages.debian.org/src:socat
   50: https://packages.debian.org/src:squashfs-tools
   51: https://packages.debian.org/src:systemd
   52: https://packages.debian.org/src:thermald
   53: https://packages.debian.org/src:unrar-nonfree
   54: https://packages.debian.org/src:win32-loader


Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+----------------+-----------------------+
| Advisory ID    | Package               |
+----------------+-----------------------+
| DSA-3876 [55]  | otrs2 [56]            |
|                |                       |
| DSA-3877 [57]  | tor [58]              |
|                |                       |
| DSA-3882 [59]  | request-tracker4 [60] |
|                |                       |
| DSA-3884 [61]  | gnutls28 [62]         |
|                |                       |
| DSA-3885 [63]  | irssi [64]            |
|                |                       |
| DSA-3886 [65]  | linux [66]            |
|                |                       |
| DSA-3887 [67]  | glibc [68]            |
|                |                       |
| DSA-3888 [69]  | exim4 [70]            |
|                |                       |
| DSA-3890 [71]  | spip [72]             |
|                |                       |
| DSA-3891 [73]  | tomcat8 [74]          |
|                |                       |
| DSA-3893 [75]  | jython [76]           |
|                |                       |
| DSA-3895 [77]  | flatpak [78]          |
|                |                       |
| DSA-3896 [79]  | apache2 [80]          |
|                |                       |
| DSA-3897 [81]  | drupal7 [82]          |
|                |                       |
| DSA-3900 [83]  | openvpn [84]          |
|                |                       |
| DSA-3901 [85]  | libgcrypt20 [86]      |
|                |                       |
| DSA-3902 [87]  | jabberd2 [88]         |
|                |                       |
| DSA-3903 [89]  | tiff [90]             |
|                |                       |
| DSA-3904 [91]  | bind9 [92]            |
|                |                       |
| DSA-3905 [93]  | xorg-server [94]      |
|                |                       |
| DSA-3906 [95]  | undertow [96]         |
|                |                       |
| DSA-3907 [97]  | spice [98]            |
|                |                       |
| DSA-3908 [99]  | nginx [100]           |
|                |                       |
| DSA-3910 [101] | knot [102]            |
|                |                       |
| DSA-3911 [103] | evince [104]          |
|                |                       |
| DSA-3912 [105] | heimdal [106]         |
|                |                       |
+----------------+-----------------------+

   55: https://www.debian.org/security/2017/dsa-3876
   56: https://packages.debian.org/src:otrs2
   57: https://www.debian.org/security/2017/dsa-3877
   58: https://packages.debian.org/src:tor
   59: https://www.debian.org/security/2017/dsa-3882
   60: https://packages.debian.org/src:request-tracker4
   61: https://www.debian.org/security/2017/dsa-3884
   62: https://packages.debian.org/src:gnutls28
   63: https://www.debian.org/security/2017/dsa-3885
   64: https://packages.debian.org/src:irssi
   65: https://www.debian.org/security/2017/dsa-3886
   66: https://packages.debian.org/src:linux
   67: https://www.debian.org/security/2017/dsa-3887
   68: https://packages.debian.org/src:glibc
   69: https://www.debian.org/security/2017/dsa-3888
   70: https://packages.debian.org/src:exim4
   71: https://www.debian.org/security/2017/dsa-3890
   72: https://packages.debian.org/src:spip
   73: https://www.debian.org/security/2017/dsa-3891
   74: https://packages.debian.org/src:tomcat8
   75: https://www.debian.org/security/2017/dsa-3893
   76: https://packages.debian.org/src:jython
   77: https://www.debian.org/security/2017/dsa-3895
   78: https://packages.debian.org/src:flatpak
   79: https://www.debian.org/security/2017/dsa-3896
   80: https://packages.debian.org/src:apache2
   81: https://www.debian.org/security/2017/dsa-3897
   82: https://packages.debian.org/src:drupal7
   83: https://www.debian.org/security/2017/dsa-3900
   84: https://packages.debian.org/src:openvpn
   85: https://www.debian.org/security/2017/dsa-3901
   86: https://packages.debian.org/src:libgcrypt20
   87: https://www.debian.org/security/2017/dsa-3902
   88: https://packages.debian.org/src:jabberd2
   89: https://www.debian.org/security/2017/dsa-3903
   90: https://packages.debian.org/src:tiff
   91: https://www.debian.org/security/2017/dsa-3904
   92: https://packages.debian.org/src:bind9
   93: https://www.debian.org/security/2017/dsa-3905
   94: https://packages.debian.org/src:xorg-server
   95: https://www.debian.org/security/2017/dsa-3906
   96: https://packages.debian.org/src:undertow
   97: https://www.debian.org/security/2017/dsa-3907
   98: https://packages.debian.org/src:spice
   99: https://www.debian.org/security/2017/dsa-3908
  100: https://packages.debian.org/src:nginx
  101: https://www.debian.org/security/2017/dsa-3910
  102: https://packages.debian.org/src:knot
  103: https://www.debian.org/security/2017/dsa-3911
  104: https://packages.debian.org/src:evince
  105: https://www.debian.org/security/2017/dsa-3912
  106: https://packages.debian.org/src:heimdal


Removed packages
----------------

The following packages were removed due to circumstances beyond our
control:

+-------------+---------------------------------+
| Package     | Reason                          |
+-------------+---------------------------------+
| aiccu [107] | Useless since shutdown of SixXS |
|             |                                 |
+-------------+---------------------------------+

  107: https://packages.debian.org/src:aiccu


Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.


URLs
----

The complete lists of packages that have changed with this revision:

  http://ftp.debian.org/debian/dists/stretch/ChangeLog

The current stable distribution:

  http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

  http://ftp.debian.org/debian/dists/proposed-updates

Stable distribution information (release notes, errata etc.):

  https://www.debian.org/releases/stable/

Security announcements and information:

  https://security.debian.org/


About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.


Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.