------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 9: 9.3 released                          press@debian.org
December 9th, 2017           https://www.debian.org/News/2017/2017120902
------------------------------------------------------------------------

The Debian project is pleased to announce the third update of its stable
distribution Debian 9 (codename "stretch"). This point release mainly
adds corrections for security issues, along with a few adjustments for
serious problems. Security advisories have already been published
separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 9 but only updates some of the packages included. There is no
need to throw away old "stretch" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors.
A comprehensive list of mirrors is available at:

  https://www.debian.org/mirror/list


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

+--------------------------------+------------------------------------------+
| Package                        | Reason                                   |
+--------------------------------+------------------------------------------+
| abiword [1]                    | Fix flickering                           |
|                                |                                          |
| base-files [2]                 | Update for the point release             |
|                                |                                          |
| berusky [3]                    | Fix startup crash with certain video     |
|                                | card configurations                      |
|                                |                                          |
| charmtimetracker [4]           | Fix missing binary dependency on         |
|                                | libqt5sql5-sqlite                        |
|                                |                                          |
| corebird [5]                   | Increase maximum length of tweet to 280  |
|                                | characters                               |
|                                |                                          |
| dbus [6]                       | When parsing dbus-daemon configuration,  |
|                                | don't delay startup if high-quality      |
|                                | entropy is not yet available; when using |
|                                | the Monitoring interface, match message  |
|                                | filters that specify a destination       |
|                                | correctly; increase listen() backlog of  |
|                                | AF_UNIX sockets to the maximum possible, |
|                                | minimizing failed connections under      |
|                                | heavy load                               |
|                                |                                          |
| debian-edu-doc [7]             | Merge stretch related documentation and  |
|                                | translation updates from unstable and    |
|                                | the wiki;                                |
|                                | documentation/common/edu.css.xml:        |
|                                | improve HTML manual readability          |
|                                |                                          |
| debian-installer [8]           | Rebuild for the point release            |
|                                |                                          |
| dehydrated [9]                 | Update subscriber license agreement URL  |
|                                |                                          |
| doit [10]                      | Add Breaks: nikola (<< 7.6.0-1~) to      |
|                                | ensure its removal on upgrades from      |
|                                | jessie                                   |
|                                |                                          |
| eclipse-titan [11]             | Rebuild against current stretch GCC      |
|                                |                                          |
| fig2dev [12]                   | Add input sanitisation on FIG files      |
|                                | [CVE-2017-16899]; sanitize input of fill |
|                                | patterns                                 |
|                                |                                          |
| flickcurl [13]                 | Fix oauth token fetching; prevent        |
|                                | double free corruption during            |
|                                | authentication                           |
|                                |                                          |
| flightgear [14]                | Prevent malicious add-ons from           |
|                                | overriding arbitrary files               |
|                                | [CVE-2017-13709]                         |
|                                |                                          |
| ganeti [15]                    | Backport upstream support for non-DSA    |
|                                | SSH keys; fix failover from dead nodes   |
|                                | when using extstorage; fix instance      |
|                                | import/export/move with current socat    |
|                                | versions                                 |
|                                |                                          |
| gdm3 [16]                      | Backport several patches to fix XDMCP    |
|                                | support                                  |
|                                |                                          |
| getmail4 [17]                  | Fix issue related to malformed           |
|                                | fingerprints                             |
|                                |                                          |
| grok [18]                      | Fix pointer aliasing bug; libgrok-dev:   |
|                                | add missing dependencies on libgrok1 and |
|                                | libtokyocabinet-dev                      |
|                                |                                          |
| gunicorn [19]                  | Drop unnecessary "Pre-Depends" on        |
|                                | dpkg-dev which was causing gunicorn and  |
|                                | python-gunicorn to bring in a compiler   |
|                                | as a dependency                          |
|                                |                                          |
| icu [20]                       | Fix double free in                       |
|                                | createMetazoneMappings()                 |
|                                | [CVE-2017-14952]                         |
|                                |                                          |
| inn2 [21]                      | [i386] Rebuild to pick up correct path   |
|                                | to gzip binary                           |
|                                |                                          |
| iproute2 [22]                  | Fix segfault in "tc" with iptables 1.6   |
|                                |                                          |
| jdcal [23]                     | Fix Python3 dependencies                 |
|                                |                                          |
| kde-gtk-config [24]            | Fix preview buttons in KDE-GTK-config UI |
|                                |                                          |
| lasi [25]                      | liblasi-dev: add missing dependencies on |
|                                | libpango1.0-dev and libfreetype6-dev     |
|                                |                                          |
| libdatetime-timezone-perl [26] | Update included data                     |
|                                |                                          |
| libdbd-firebird-perl [27]      | Fix fetching of decimal(x,y) values      |
|                                | between -1 and 0                         |
|                                |                                          |
| libdbi [28]                    | Re-enable error handler call in          |
|                                | dbi_result_next_row()                    |
|                                |                                          |
| liblog-log4perl-perl [29]      | Work around Perl 5.24 no longer allowing |
|                                | syswrite and utf8 together               |
|                                |                                          |
| liblouis [30]                  | Fix buffer overflow and use-after-free   |
|                                | issues [CVE-2017-13738 CVE-2017-13739    |
|                                | CVE-2017-13740 CVE-2017-13741            |
|                                | CVE-2017-13742 CVE-2017-13743            |
|                                | CVE-2017-13744]                          |
|                                |                                          |
| libmpd [31]                    | libmpd-dev: Add the missing dependency   |
|                                | on libglib2.0-dev                        |
|                                |                                          |
| libofx [32]                    | Security fixes [CVE-2017-2816            |
|                                | CVE-2017-14731]                          |
|                                |                                          |
| libxkbcommon [33]              | libxkbcommon-x11-dev: add missing        |
|                                | dependency on libxkbcommon-dev           |
|                                |                                          |
| libxsettings-client [34]       | Add missing libxsettings-client-dev ->   |
|                                | libxsettings-dev dependency              |
|                                |                                          |
| linux [35]                     | xen/time: do not decrease steal time     |
|                                | after live migration on xen; new stable  |
|                                | kernel version 4.9.65                    |
|                                |                                          |
| live-config [36]               | Configure autologin for KDE / Plasma     |
|                                | live images                              |
|                                |                                          |
| lxc [37]                       | Don't hardcode list of valid Debian      |
|                                | releases, allowing the creation of       |
|                                | containers for stable, buster, testing   |
|                                | and unstable; don't insert C.* locales   |
|                                | into /etc/locale.gen                     |
|                                |                                          |
| mongodb [38]                   | Fix segfault/FTBFS on ARM64 with 48-bit  |
|                                | virtual addresses, spidermonkey GC       |
|                                | segfault when built with GCC 6;          |
|                                | mongodb.service: start after             |
|                                | network.target                           |
|                                |                                          |
| openssh [39]                   | Test configuration before starting or    |
|                                | reloading sshd under systemd; adjust     |
|                                | compatibility patterns for WinSCP to     |
|                                | correctly identify versions that         |
|                                | implement only the legacy DH group       |
|                                | exchange scheme; make "--" before the    |
|                                | hostname terminate argument processing   |
|                                | after the hostname too                   |
|                                |                                          |
| pdns [40]                      | Fix incorrect qname casing in NSEC3      |
|                                | generation; add missing check on API     |
|                                | operations [CVE-2017-15091]              |
|                                |                                          |
| pdns-recursor [41]             | Security fixes: insufficient validation  |
|                                | of DNSSEC signatures [CVE-2017-15090];   |
|                                | Cross-Site Scripting in the web          |
|                                | interface [CVE-2017-15092];              |
|                                | configuration file injection in the API  |
|                                | [CVE-2017-15093]; memory leak in DNSSEC  |
|                                | parsing [CVE-2017-15094]                 |
|                                |                                          |
| postgresql-9.6 [42]            | Upstream bugfix release                  |
|                                |                                          |
| publicsuffix [43]              | Update included data                     |
|                                |                                          |
| pyosmium [44]                  | Upstream bugfix release: handler         |
|                                | functions not called when using          |
|                                | replication service or when using Reader |
|                                | instead of file                          |
|                                |                                          |
| python-diff-match-patch [45]   | Add missing python3 dependency on Python |
|                                | 3 package                                |
|                                |                                          |
| python-inflect [46]            | Fix Python 3 dependencies                |
|                                |                                          |
| python-tablib [47]             | Safely load YAML [CVE-2017-2810]         |
|                                |                                          |
| python2.7 [48]                 | Fix integer overflow in                  |
|                                | PyString_DecodeEscape                    |
|                                | [CVE-2017-1000158]; support all groups   |
|                                | in TLS communication                     |
|                                |                                          |
| qtcurve [49]                   | Fix crashes by using strncmp() instead   |
|                                | of memcmp()                              |
|                                |                                          |
| ruby-httparty [50]             | Relax dependency version in gem          |
|                                | dependency on json                       |
|                                |                                          |
| ruby-ox [51]                   | Avoid crash with invalid XML passed to   |
|                                | Oj.parse_obj() [CVE-2017-15928]          |
|                                |                                          |
| ruby-pygments.rb [52]          | Avoid closing too many files when mentos |
|                                | starts, which can cause build failures   |
|                                | in other packages on slower systems      |
|                                |                                          |
| schroot [53]                   | Fix bash completion file; add systemd    |
|                                | service file with Type=oneshot to avoid  |
|                                | timeout issues with too many open        |
|                                | sessions                                 |
|                                |                                          |
| simutrans [54]                 | Enable sound for simutrans again. Switch |
|                                | from SDL to mixer_sdl backend            |
|                                |                                          |
| sitesummary [55]               | Adjust nagios kernel version checking    |
|                                | module to work with 4.x kernels          |
|                                |                                          |
| slic3r [56]                    | Fix missing dependency on perlapi-*      |
|                                |                                          |
| spamassassin [57]              | Disable bb.barracudacentral.org; update  |
|                                | the systemd unit file to use the same    |
|                                | pid file as was used in the sysvinit     |
|                                | script; update systemd unit dependencies |
|                                | to include network and syslog; fix       |
|                                | inappropriate invocation of invoke-rc.d  |
|                                | in cron script                           |
|                                |                                          |
| sqldeveloper-package [58]      | Fix build failure                        |
|                                |                                          |
| sqlite3 [59]                   | Fix heap-based buffer over-read via      |
|                                | undersized RTree blobs [CVE-2017-10989]  |
|                                |                                          |
| syslinux [60]                  | Fix btrfs logical to physical block      |
|                                | address mapping; fix boot problem for    |
|                                | old BIOS firmware by correct C/H/S       |
|                                | order; support ext4 64bit feature        |
|                                |                                          |
| tdbcodbc [61]                  | Fix bug in ODBC library search           |
|                                |                                          |
| tor [62]                       | Add "Bastet" directory authority; fix    |
|                                | a timing-based assertion failure; update |
|                                | geoip and geoip6 to the October 4 2017   |
|                                | Maxmind GeoLite2 country database        |
|                                |                                          |
| tzdata [63]                    | New upstream release                     |
|                                |                                          |
| udftools [64]                  | Fix path to pktsetup in udftools init    |
|                                | script                                   |
|                                |                                          |
| weechat [65]                   | "logger: call strftime before replacing  |
|                                | buffer local variables"                  |
|                                | [CVE-2017-14727]                         |
|                                |                                          |
| xml2 [66]                      | Fix corruption when dealing with UTF-8   |
|                                | files, usage string for 2csv tool        |
|                                |                                          |
| xrdp [67]                      | Fix high CPU load on SSL shutdown        |
|                                |                                          |
| zsh [68]                       | Rebuild to pull in updated libraries for |
|                                | zsh-static                               |
|                                |                                          |
+--------------------------------+------------------------------------------+

    1: https://packages.debian.org/src:abiword
    2: https://packages.debian.org/src:base-files
    3: https://packages.debian.org/src:berusky
    4: https://packages.debian.org/src:charmtimetracker
    5: https://packages.debian.org/src:corebird
    6: https://packages.debian.org/src:dbus
    7: https://packages.debian.org/src:debian-edu-doc
    8: https://packages.debian.org/src:debian-installer
    9: https://packages.debian.org/src:dehydrated
   10: https://packages.debian.org/src:doit
   11: https://packages.debian.org/src:eclipse-titan
   12: https://packages.debian.org/src:fig2dev
   13: https://packages.debian.org/src:flickcurl
   14: https://packages.debian.org/src:flightgear
   15: https://packages.debian.org/src:ganeti
   16: https://packages.debian.org/src:gdm3
   17: https://packages.debian.org/src:getmail4
   18: https://packages.debian.org/src:grok
   19: https://packages.debian.org/src:gunicorn
   20: https://packages.debian.org/src:icu
   21: https://packages.debian.org/src:inn2
   22: https://packages.debian.org/src:iproute2
   23: https://packages.debian.org/src:jdcal
   24: https://packages.debian.org/src:kde-gtk-config
   25: https://packages.debian.org/src:lasi
   26: https://packages.debian.org/src:libdatetime-timezone-perl
   27: https://packages.debian.org/src:libdbd-firebird-perl
   28: https://packages.debian.org/src:libdbi
   29: https://packages.debian.org/src:liblog-log4perl-perl
   30: https://packages.debian.org/src:liblouis
   31: https://packages.debian.org/src:libmpd
   32: https://packages.debian.org/src:libofx
   33: https://packages.debian.org/src:libxkbcommon
   34: https://packages.debian.org/src:libxsettings-client
   35: https://packages.debian.org/src:linux
   36: https://packages.debian.org/src:live-config
   37: https://packages.debian.org/src:lxc
   38: https://packages.debian.org/src:mongodb
   39: https://packages.debian.org/src:openssh
   40: https://packages.debian.org/src:pdns
   41: https://packages.debian.org/src:pdns-recursor
   42: https://packages.debian.org/src:postgresql-9.6
   43: https://packages.debian.org/src:publicsuffix
   44: https://packages.debian.org/src:pyosmium
   45: https://packages.debian.org/src:python-diff-match-patch
   46: https://packages.debian.org/src:python-inflect
   47: https://packages.debian.org/src:python-tablib
   48: https://packages.debian.org/src:python2.7
   49: https://packages.debian.org/src:qtcurve
   50: https://packages.debian.org/src:ruby-httparty
   51: https://packages.debian.org/src:ruby-ox
   52: https://packages.debian.org/src:ruby-pygments.rb
   53: https://packages.debian.org/src:schroot
   54: https://packages.debian.org/src:simutrans
   55: https://packages.debian.org/src:sitesummary
   56: https://packages.debian.org/src:slic3r
   57: https://packages.debian.org/src:spamassassin
   58: https://packages.debian.org/src:sqldeveloper-package
   59: https://packages.debian.org/src:sqlite3
   60: https://packages.debian.org/src:syslinux
   61: https://packages.debian.org/src:tdbcodbc
   62: https://packages.debian.org/src:tor
   63: https://packages.debian.org/src:tzdata
   64: https://packages.debian.org/src:udftools
   65: https://packages.debian.org/src:weechat
   66: https://packages.debian.org/src:xml2
   67: https://packages.debian.org/src:xrdp
   68: https://packages.debian.org/src:zsh


Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+----------------+--------------------------+
| Advisory ID    | Package                  |
+----------------+--------------------------+
| DSA-3989 [69]  | dnsmasq [70]             |
|                |                          |
| DSA-3990 [71]  | asterisk [72]            |
|                |                          |
| DSA-3991 [73]  | qemu [74]                |
|                |                          |
| DSA-3992 [75]  | curl [76]                |
|                |                          |
| DSA-3993 [77]  | tor [78]                 |
|                |                          |
| DSA-3994 [79]  | nautilus [80]            |
|                |                          |
| DSA-3995 [81]  | libxfont [82]            |
|                |                          |
| DSA-3996 [83]  | ffmpeg [84]              |
|                |                          |
| DSA-3997 [85]  | wordpress [86]           |
|                |                          |
| DSA-3998 [87]  | nss [88]                 |
|                |                          |
| DSA-3999 [89]  | wpa [90]                 |
|                |                          |
| DSA-4000 [91]  | xorg-server [92]         |
|                |                          |
| DSA-4001 [93]  | yadifa [94]              |
|                |                          |
| DSA-4003 [95]  | libvirt [96]             |
|                |                          |
| DSA-4004 [97]  | jackson-databind [98]    |
|                |                          |
| DSA-4006 [99]  | mupdf [100]              |
|                |                          |
| DSA-4007 [101] | curl [102]               |
|                |                          |
| DSA-4008 [103] | wget [104]               |
|                |                          |
| DSA-4009 [105] | shadowsocks-libev [106]  |
|                |                          |
| DSA-4011 [107] | quagga [108]             |
|                |                          |
| DSA-4013 [109] | openjpeg2 [110]          |
|                |                          |
| DSA-4014 [111] | thunderbird [112]        |
|                |                          |
| DSA-4015 [113] | openjdk-8 [114]          |
|                |                          |
| DSA-4016 [115] | irssi [116]              |
|                |                          |
| DSA-4017 [117] | openssl1.0 [118]         |
|                |                          |
| DSA-4018 [119] | openssl [120]            |
|                |                          |
| DSA-4019 [121] | imagemagick [122]        |
|                |                          |
| DSA-4020 [123] | chromium-browser [124]   |
|                |                          |
| DSA-4021 [125] | otrs2 [126]              |
|                |                          |
| DSA-4023 [127] | slurm-llnl [128]         |
|                |                          |
| DSA-4024 [129] | chromium-browser [130]   |
|                |                          |
| DSA-4025 [131] | libpam4j [132]           |
|                |                          |
| DSA-4026 [133] | bchunk [134]             |
|                |                          |
| DSA-4028 [135] | postgresql-9.6 [136]     |
|                |                          |
| DSA-4029 [137] | postgresql-common [138]  |
|                |                          |
| DSA-4030 [139] | roundcube [140]          |
|                |                          |
| DSA-4031 [141] | ruby2.3 [142]            |
|                |                          |
| DSA-4032 [143] | imagemagick [144]        |
|                |                          |
| DSA-4033 [145] | konversation [146]       |
|                |                          |
| DSA-4034 [147] | varnish [148]            |
|                |                          |
| DSA-4035 [149] | firefox-esr [150]        |
|                |                          |
| DSA-4036 [151] | mediawiki [152]          |
|                |                          |
| DSA-4037 [153] | jackson-databind [154]   |
|                |                          |
| DSA-4038 [155] | shibboleth-sp2 [156]     |
|                |                          |
| DSA-4039 [157] | opensaml2 [158]          |
|                |                          |
| DSA-4041 [159] | procmail [160]           |
|                |                          |
| DSA-4042 [161] | libxml-libxml-perl [162] |
|                |                          |
| DSA-4043 [163] | samba [164]              |
|                |                          |
| DSA-4044 [165] | swauth [166]             |
|                |                          |
| DSA-4045 [167] | vlc [168]                |
|                |                          |
| DSA-4047 [169] | otrs2 [170]              |
|                |                          |
| DSA-4049 [171] | ffmpeg [172]             |
|                |                          |
| DSA-4050 [173] | xen [174]                |
|                |                          |
| DSA-4051 [175] | curl [176]               |
|                |                          |
| DSA-4052 [177] | bzr [178]                |
|                |                          |
| DSA-4053 [179] | exim4 [180]              |
|                |                          |
+----------------+--------------------------+

   69: https://www.debian.org/security/2017/dsa-3989
   70: https://packages.debian.org/src:dnsmasq
   71: https://www.debian.org/security/2017/dsa-3990
   72: https://packages.debian.org/src:asterisk
   73: https://www.debian.org/security/2017/dsa-3991
   74: https://packages.debian.org/src:qemu
   75: https://www.debian.org/security/2017/dsa-3992
   76: https://packages.debian.org/src:curl
   77: https://www.debian.org/security/2017/dsa-3993
   78: https://packages.debian.org/src:tor
   79: https://www.debian.org/security/2017/dsa-3994
   80: https://packages.debian.org/src:nautilus
   81: https://www.debian.org/security/2017/dsa-3995
   82: https://packages.debian.org/src:libxfont
   83: https://www.debian.org/security/2017/dsa-3996
   84: https://packages.debian.org/src:ffmpeg
   85: https://www.debian.org/security/2017/dsa-3997
   86: https://packages.debian.org/src:wordpress
   87: https://www.debian.org/security/2017/dsa-3998
   88: https://packages.debian.org/src:nss
   89: https://www.debian.org/security/2017/dsa-3999
   90: https://packages.debian.org/src:wpa
   91: https://www.debian.org/security/2017/dsa-4000
   92: https://packages.debian.org/src:xorg-server
   93: https://www.debian.org/security/2017/dsa-4001
   94: https://packages.debian.org/src:yadifa
   95: https://www.debian.org/security/2017/dsa-4003
   96: https://packages.debian.org/src:libvirt
   97: https://www.debian.org/security/2017/dsa-4004
   98: https://packages.debian.org/src:jackson-databind
   99: https://www.debian.org/security/2017/dsa-4006
  100: https://packages.debian.org/src:mupdf
  101: https://www.debian.org/security/2017/dsa-4007
  102: https://packages.debian.org/src:curl
  103: https://www.debian.org/security/2017/dsa-4008
  104: https://packages.debian.org/src:wget
  105: https://www.debian.org/security/2017/dsa-4009
  106: https://packages.debian.org/src:shadowsocks-libev
  107: https://www.debian.org/security/2017/dsa-4011
  108: https://packages.debian.org/src:quagga
  109: https://www.debian.org/security/2017/dsa-4013
  110: https://packages.debian.org/src:openjpeg2
  111: https://www.debian.org/security/2017/dsa-4014
  112: https://packages.debian.org/src:thunderbird
  113: https://www.debian.org/security/2017/dsa-4015
  114: https://packages.debian.org/src:openjdk-8
  115: https://www.debian.org/security/2017/dsa-4016
  116: https://packages.debian.org/src:irssi
  117: https://www.debian.org/security/2017/dsa-4017
  118: https://packages.debian.org/src:openssl1.0
  119: https://www.debian.org/security/2017/dsa-4018
  120: https://packages.debian.org/src:openssl
  121: https://www.debian.org/security/2017/dsa-4019
  122: https://packages.debian.org/src:imagemagick
  123: https://www.debian.org/security/2017/dsa-4020
  124: https://packages.debian.org/src:chromium-browser
  125: https://www.debian.org/security/2017/dsa-4021
  126: https://packages.debian.org/src:otrs2
  127: https://www.debian.org/security/2017/dsa-4023
  128: https://packages.debian.org/src:slurm-llnl
  129: https://www.debian.org/security/2017/dsa-4024
  130: https://packages.debian.org/src:chromium-browser
  131: https://www.debian.org/security/2017/dsa-4025
  132: https://packages.debian.org/src:libpam4j
  133: https://www.debian.org/security/2017/dsa-4026
  134: https://packages.debian.org/src:bchunk
  135: https://www.debian.org/security/2017/dsa-4028
  136: https://packages.debian.org/src:postgresql-9.6
  137: https://www.debian.org/security/2017/dsa-4029
  138: https://packages.debian.org/src:postgresql-common
  139: https://www.debian.org/security/2017/dsa-4030
  140: https://packages.debian.org/src:roundcube
  141: https://www.debian.org/security/2017/dsa-4031
  142: https://packages.debian.org/src:ruby2.3
  143: https://www.debian.org/security/2017/dsa-4032
  144: https://packages.debian.org/src:imagemagick
  145: https://www.debian.org/security/2017/dsa-4033
  146: https://packages.debian.org/src:konversation
  147: https://www.debian.org/security/2017/dsa-4034
  148: https://packages.debian.org/src:varnish
  149: https://www.debian.org/security/2017/dsa-4035
  150: https://packages.debian.org/src:firefox-esr
  151: https://www.debian.org/security/2017/dsa-4036
  152: https://packages.debian.org/src:mediawiki
  153: https://www.debian.org/security/2017/dsa-4037
  154: https://packages.debian.org/src:jackson-databind
  155: https://www.debian.org/security/2017/dsa-4038
  156: https://packages.debian.org/src:shibboleth-sp2
  157: https://www.debian.org/security/2017/dsa-4039
  158: https://packages.debian.org/src:opensaml2
  159: https://www.debian.org/security/2017/dsa-4041
  160: https://packages.debian.org/src:procmail
  161: https://www.debian.org/security/2017/dsa-4042
  162: https://packages.debian.org/src:libxml-libxml-perl
  163: https://www.debian.org/security/2017/dsa-4043
  164: https://packages.debian.org/src:samba
  165: https://www.debian.org/security/2017/dsa-4044
  166: https://packages.debian.org/src:swauth
  167: https://www.debian.org/security/2017/dsa-4045
  168: https://packages.debian.org/src:vlc
  169: https://www.debian.org/security/2017/dsa-4047
  170: https://packages.debian.org/src:otrs2
  171: https://www.debian.org/security/2017/dsa-4049
  172: https://packages.debian.org/src:ffmpeg
  173: https://www.debian.org/security/2017/dsa-4050
  174: https://packages.debian.org/src:xen
  175: https://www.debian.org/security/2017/dsa-4051
  176: https://packages.debian.org/src:curl
  177: https://www.debian.org/security/2017/dsa-4052
  178: https://packages.debian.org/src:bzr
  179: https://www.debian.org/security/2017/dsa-4053
  180: https://packages.debian.org/src:exim4


Removed packages
----------------

The following packages were removed due to circumstances beyond our
control:

+---------------------------------+-------------------------------+
| Package                         | Reason                        |
+---------------------------------+-------------------------------+
| libnet-ping-external-perl [181] | Unmaintained, security issues |
|                                 |                               |
+---------------------------------+-------------------------------+

  181: https://packages.debian.org/src:libnet-ping-external-perl


Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.


URLs
----

The complete lists of packages that have changed with this revision:

  http://ftp.debian.org/debian/dists/stretch/ChangeLog

The current stable distribution:

  http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

  http://ftp.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

  https://www.debian.org/releases/stable/

Security announcements and information:

  https://security.debian.org/ [182]

  182: https://www.debian.org/security/


About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.


Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.