------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 9: 9.9 released                          press@debian.org
April 27th, 2019               https://www.debian.org/News/2019/20190427
------------------------------------------------------------------------

The Debian project is pleased to announce the ninth update of its stable
distribution Debian 9 (codename "stretch"). This point release mainly
adds corrections for security issues, along with a few adjustments for
serious problems. Security advisories have already been published
separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 9 but only updates some of the packages included. There is no
need to throw away old "stretch" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

  https://www.debian.org/mirror/list

As a special case for this point release, those using the "apt-get" tool
to perform the upgrade will need to ensure that the "dist-upgrade"
command is used, in order to update to the latest kernel packages. Users
of other tools such as "apt" and "aptitude" should use the "upgrade"
command.


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

+--------------------------+------------------------------------------+
| Package                  | Reason                                   |
+--------------------------+------------------------------------------+
| audiofile [1]            | Fix denial of service [CVE-2018-13440]   |
|                          | and buffer overflow issues               |
|                          | [CVE-2018-17095]                         |
|                          |                                          |
| base-files [2]           | Update for the point release             |
|                          |                                          |
| bwa [3]                  | Fix buffer overflow [CVE-2019-10269]     |
|                          |                                          |
| ca-certificates-java [4] | Fix bashisms in postinst and             |
|                          | jks-keystore                             |
|                          |                                          |
| cernlib [5]              | Apply optimization flag -O to Fortran    |
|                          | modules instead of -O2 which generates   |
|                          | broken code; fix build failure on arm64  |
|                          | by disabling PIE for Fortran executables |
|                          |                                          |
| choose-mirror [6]        | Update included mirror list              |
|                          |                                          |
| chrony [7]               | Fix logging of measurements and          |
|                          | statistics, and stopping of chronyd, on  |
|                          | some platforms when seccomp filtering is |
|                          | enabled                                  |
|                          |                                          |
| ckermit [8]              | Drop OpenSSL version check               |
|                          |                                          |
| clamav [9]               | Fix out-of-bounds heap access when       |
|                          | scanning PDF documents [CVE-2019-1787],  |
|                          | PE files packed using Aspack             |
|                          | [CVE-2019-1789] or OLE2 files            |
|                          | [CVE-2019-1788]                          |
|                          |                                          |
| dansguardian [10]        | Add "missingok" to logrotate             |
|                          | configuration                            |
|                          |                                          |
| debian-installer [11]    | Rebuild against proposed-updates         |
|                          |                                          |
| debian-installer-        | Rebuild against proposed-updates         |
| netboot-images [12]      |                                          |
|                          |                                          |
| debian-security-         | Update support statuses                  |
| support [13]             |                                          |
|                          |                                          |
| diffoscope [14]          | Fix tests to work with Ghostscript 9.26  |
|                          |                                          |
| dns-root-data [15]       | Update root data to 2019031302           |
|                          |                                          |
| dnsruby [16]             | Add new root key (KSK-2017); ruby 2.3.0  |
|                          | deprecates TimeoutError, use             |
|                          | Timeout::Error                           |
|                          |                                          |
| dpdk [17]                | New upstream stable release              |
|                          |                                          |
| edk2 [18]                | Fix buffer overflow in BlockIo service   |
|                          | [CVE-2018-12180]; DNS: Check received    |
|                          | packet size before using                 |
|                          | [CVE-2018-12178]; fix stack overflow     |
|                          | with corrupted BMP [CVE-2018-12181]      |
|                          |                                          |
| firmware-nonfree [19]    | atheros / iwlwifi: update Bluetooth      |
|                          | firmware [CVE-2018-5383]                 |
|                          |                                          |
| flatpak [20]             | Reject all ioctls that the kernel will   |
|                          | interpret as TIOCSTI [CVE-2019-10063]    |
|                          |                                          |
| geant321 [21]            | Rebuild against cernlib with fixed       |
|                          | Fortran optimisations                    |
|                          |                                          |
| gnome-chemistry-         | Stop building the obsolete gcu-plugin    |
| utils [22]               | package                                  |
|                          |                                          |
| gocode [23]              | gocode-auto-complete-el: Promote         |
|                          | auto-complete-el to Pre-Depends to       |
|                          | ensure successful upgrades               |
|                          |                                          |
| gpac [24]                | Fix buffer overflows [CVE-2018-7752      |
|                          | CVE-2018-20762], heap overflows          |
|                          | [CVE-2018-13005 CVE-2018-13006           |
|                          | CVE-2018-20761], out-of-bounds writes    |
|                          | [CVE-2018-20760 CVE-2018-20763]          |
|                          |                                          |
| icedtea-web [25]         | Stop building the browser plugin, no     |
|                          | longer works with Firefox 60             |
|                          |                                          |
| igraph [26]              | Fix a crash when loading malformed       |
|                          | GraphML files [CVE-2018-20349]           |
|                          |                                          |
| jabref [27]              | Fix XML External Entity attack           |
|                          | [CVE-2018-1000652]                       |
|                          |                                          |
| java-common [28]         | Remove the default-java-plugin package,  |
|                          | as the icedtea-web Xul plugin is being   |
|                          | removed                                  |
|                          |                                          |
| jquery [29]              | Prevent Object.prototype pollution       |
|                          | [CVE-2019-11358]                         |
|                          |                                          |
| kauth [30]               | Fix insecure handling of arguments in    |
|                          | helpers [CVE-2019-7443]                  |
|                          |                                          |
| libdate-holidays-de-     | Add March 8th (from 2019 onwards) and    |
| perl [31]                | May 8th (2020 only) as public holidays   |
|                          | (Berlin only)                            |
|                          |                                          |
| libdatetime-timezone-    | Update included data                     |
| perl [32]                |                                          |
|                          |                                          |
| libreoffice [33]         | Introduce next Japanese gengou era       |
|                          | 'Reiwa'; make -core conflict against     |
|                          | openjdk-8-jre-headless                   |
|                          | (= 8u181-b13-2~deb9u1), which had a      |
|                          | broken ClassPathURLCheck                 |
|                          |                                          |
| linux [34]               | New upstream stable version              |
|                          |                                          |
| linux-latest [35]        | Update for -9 kernel ABI                 |
|                          |                                          |
| mariadb-10.1 [36]        | New upstream stable version              |
|                          |                                          |
| mclibs [37]              | Rebuild against cernlib with fixed       |
|                          | Fortran optimisations                    |
|                          |                                          |
| ncmpc [38]               | Fix NULL pointer dereference             |
|                          | [CVE-2018-9240]                          |
|                          |                                          |
| node-superagent [39]     | Fix ZIP bomb attacks [CVE-2017-16129];   |
|                          | fix syntax error                         |
|                          |                                          |
| nvidia-graphics-         | New upstream stable release              |
| drivers [40]             | [CVE-2018-6260]                          |
|                          |                                          |
| nvidia-settings [41]     | New upstream stable release              |
|                          |                                          |
| obs-build [42]           | Do not allow writing to files in the     |
|                          | host system [CVE-2017-14804]             |
|                          |                                          |
| paw [43]                 | Rebuild against cernlib with fixed       |
|                          | Fortran optimisations                    |
|                          |                                          |
| perlbrew [44]            | Allow HTTPS CPAN URLs                    |
|                          |                                          |
| postfix [45]             | New upstream stable release              |
|                          |                                          |
| postgresql-9.6 [46]      | New upstream stable release              |
|                          |                                          |
| psk31lx [47]             | Make version sort correctly to avoid     |
|                          | potential upgrade issues                 |
|                          |                                          |
| publicsuffix [48]        | Update included data                     |
|                          |                                          |
| pyca [49]                | Add "missingok" to logrotate             |
|                          | configuration                            |
|                          |                                          |
| python-certbot [50]      | Revert to debhelper compat 9, to ensure  |
|                          | systemd timers are correctly started     |
|                          |                                          |
| python-cryptography [51] | Remove BIO_callback_ctrl: the prototype  |
|                          | differs from OpenSSL's definition of it  |
|                          | after it was changed (fixed) within      |
|                          | OpenSSL                                  |
|                          |                                          |
| python-django-           | Apply django 1.10 middleware fix;        |
| casclient [52]           | python(3)-django-casclient: fix missing  |
|                          | dependencies on python(3)-django         |
|                          |                                          |
| python-mode [53]         | Remove support for xemacs21              |
|                          |                                          |
| python-pip [54]          | Properly catch requests' HTTPError in    |
|                          | index.py                                 |
|                          |                                          |
| python-pykmip [55]       | Fix potential denial of service issue    |
|                          | [CVE-2018-1000872]                       |
|                          |                                          |
| r-cran-igraph [56]       | Fix denial of service via crafted object |
|                          | [CVE-2018-20349]                         |
|                          |                                          |
| rails [57]               | Fix information disclosure issues        |
|                          | [CVE-2018-16476 CVE-2019-5418], denial   |
|                          | of service issue [CVE-2019-5419]         |
|                          |                                          |
| rsync [58]               | Several security fixes for zlib          |
|                          | [CVE-2016-9840 CVE-2016-9841             |
|                          | CVE-2016-9842 CVE-2016-9843]             |
|                          |                                          |
| ruby-i18n [59]           | Prevent a remote denial-of-service       |
|                          | vulnerability [CVE-2014-10077]           |
|                          |                                          |
| ruby2.3 [60]             | Fix FTBFS                                |
|                          |                                          |
| runc [61]                | Fix root privilege escalation            |
|                          | vulnerability [CVE-2019-5736]            |
|                          |                                          |
| systemd [62]             | journald: fix assertion failure on       |
|                          | journal_file_link_data; tmpfiles: fix    |
|                          | "e" to support shell style globs;        |
|                          | mount-util: accept that                  |
|                          | name_to_handle_at() might fail with      |
|                          | EPERM; automount: ack automount requests |
|                          | even when already mounted                |
|                          | [CVE-2018-1049]; fix potential root      |
|                          | privilege escalation [CVE-2018-15686]    |
|                          |                                          |
| twitter-bootstrap3 [63]  | Fix cross site scripting issue in        |
|                          | tooltips or popovers [CVE-2019-8331]     |
|                          |                                          |
| tzdata [64]              | New upstream release                     |
|                          |                                          |
| unzip [65]               | Fix buffer overflow in password          |
|                          | protected ZIP archives                   |
|                          | [CVE-2018-1000035]                       |
|                          |                                          |
| vcftools [66]            | Fix information disclosure               |
|                          | [CVE-2018-11099] and denial of service   |
|                          | [CVE-2018-11129 CVE-2018-11130] via      |
|                          | crafted files                            |
|                          |                                          |
| vips [67]                | Fix NULL function pointer dereference    |
|                          | [CVE-2018-7998], uninitialised memory    |
|                          | access [CVE-2019-6976]                   |
|                          |                                          |
| waagent [68]             | New upstream release, with many Azure    |
|                          | fixes [CVE-2019-0804]                    |
|                          |                                          |
| yorick-av [69]           | Rescale frame timestamps; set VBV buffer |
|                          | size for MPEG1/2 files                   |
|                          |                                          |
| zziplib [70]             | Fix invalid memory access                |
|                          | [CVE-2018-6381], bus error               |
|                          | [CVE-2018-6540], out-of-bounds read      |
|                          | [CVE-2018-7725], crash via crafted zip   |
|                          | file [CVE-2018-7726], memory leak        |
|                          | [CVE-2018-16548]; reject ZIP file if the |
|                          | size of the central directory and/or     |
|                          | the offset of start of central           |
|                          | directory point beyond the end of the    |
|                          | ZIP file [CVE-2018-6484, CVE-2018-6541,  |
|                          | CVE-2018-6869]                           |
|                          |                                          |
+--------------------------+------------------------------------------+

 1: https://packages.debian.org/src:audiofile
 2: https://packages.debian.org/src:base-files
 3: https://packages.debian.org/src:bwa
 4: https://packages.debian.org/src:ca-certificates-java
 5: https://packages.debian.org/src:cernlib
 6: https://packages.debian.org/src:choose-mirror
 7: https://packages.debian.org/src:chrony
 8: https://packages.debian.org/src:ckermit
 9: https://packages.debian.org/src:clamav
10: https://packages.debian.org/src:dansguardian
11: https://packages.debian.org/src:debian-installer
12: https://packages.debian.org/src:debian-installer-netboot-images
13: https://packages.debian.org/src:debian-security-support
14: https://packages.debian.org/src:diffoscope
15: https://packages.debian.org/src:dns-root-data
16: https://packages.debian.org/src:dnsruby
17: https://packages.debian.org/src:dpdk
18: https://packages.debian.org/src:edk2
19: https://packages.debian.org/src:firmware-nonfree
20: https://packages.debian.org/src:flatpak
21: https://packages.debian.org/src:geant321
22: https://packages.debian.org/src:gnome-chemistry-utils
23: https://packages.debian.org/src:gocode
24: https://packages.debian.org/src:gpac
25: https://packages.debian.org/src:icedtea-web
26: https://packages.debian.org/src:igraph
27: https://packages.debian.org/src:jabref
28: https://packages.debian.org/src:java-common
29: https://packages.debian.org/src:jquery
30: https://packages.debian.org/src:kauth
31: https://packages.debian.org/src:libdate-holidays-de-perl
32: https://packages.debian.org/src:libdatetime-timezone-perl
33: https://packages.debian.org/src:libreoffice
34: https://packages.debian.org/src:linux
35: https://packages.debian.org/src:linux-latest
36: https://packages.debian.org/src:mariadb-10.1
37: https://packages.debian.org/src:mclibs
38: https://packages.debian.org/src:ncmpc
39: https://packages.debian.org/src:node-superagent
40: https://packages.debian.org/src:nvidia-graphics-drivers
41: https://packages.debian.org/src:nvidia-settings
42: https://packages.debian.org/src:obs-build
43: https://packages.debian.org/src:paw
44: https://packages.debian.org/src:perlbrew
45: https://packages.debian.org/src:postfix
46: https://packages.debian.org/src:postgresql-9.6
47: https://packages.debian.org/src:psk31lx
48: https://packages.debian.org/src:publicsuffix
49: https://packages.debian.org/src:pyca
50: https://packages.debian.org/src:python-certbot
51: https://packages.debian.org/src:python-cryptography
52: https://packages.debian.org/src:python-django-casclient
53: https://packages.debian.org/src:python-mode
54: https://packages.debian.org/src:python-pip
55: https://packages.debian.org/src:python-pykmip
56: https://packages.debian.org/src:r-cran-igraph
57: https://packages.debian.org/src:rails
58: https://packages.debian.org/src:rsync
59: https://packages.debian.org/src:ruby-i18n
60: https://packages.debian.org/src:ruby2.3
61: https://packages.debian.org/src:runc
62: https://packages.debian.org/src:systemd
63: https://packages.debian.org/src:twitter-bootstrap3
64: https://packages.debian.org/src:tzdata
65: https://packages.debian.org/src:unzip
66: https://packages.debian.org/src:vcftools
67: https://packages.debian.org/src:vips
68: https://packages.debian.org/src:waagent
69: https://packages.debian.org/src:yorick-av
70: https://packages.debian.org/src:zziplib


Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+----------------+----------------------------------+
| Advisory ID    | Package                          |
+----------------+----------------------------------+
| DSA-4259 [71]  | ruby2.3 [72]                     |
|                |                                  |
| DSA-4332 [73]  | ruby2.3 [74]                     |
|                |                                  |
| DSA-4341 [75]  | mariadb-10.1 [76]                |
|                |                                  |
| DSA-4373 [77]  | coturn [78]                      |
|                |                                  |
| DSA-4374 [79]  | qtbase-opensource-src [80]       |
|                |                                  |
| DSA-4377 [81]  | rssh [82]                        |
|                |                                  |
| DSA-4385 [83]  | dovecot [84]                     |
|                |                                  |
| DSA-4387 [85]  | openssh [86]                     |
|                |                                  |
| DSA-4388 [87]  | mosquitto [88]                   |
|                |                                  |
| DSA-4389 [89]  | libu2f-host [90]                 |
|                |                                  |
| DSA-4390 [91]  | flatpak [92]                     |
|                |                                  |
| DSA-4391 [93]  | firefox-esr [94]                 |
|                |                                  |
| DSA-4392 [95]  | thunderbird [96]                 |
|                |                                  |
| DSA-4393 [97]  | systemd [98]                     |
|                |                                  |
| DSA-4394 [99]  | rdesktop [100]                   |
|                |                                  |
| DSA-4396 [101] | ansible [102]                    |
|                |                                  |
| DSA-4397 [103] | ldb [104]                        |
|                |                                  |
| DSA-4398 [105] | php7.0 [106]                     |
|                |                                  |
| DSA-4399 [107] | ikiwiki [108]                    |
|                |                                  |
| DSA-4400 [109] | openssl1.0 [110]                 |
|                |                                  |
| DSA-4401 [111] | wordpress [112]                  |
|                |                                  |
| DSA-4402 [113] | mumble [114]                     |
|                |                                  |
| DSA-4403 [115] | php7.0 [116]                     |
|                |                                  |
| DSA-4405 [117] | openjpeg2 [118]                  |
|                |                                  |
| DSA-4406 [119] | waagent [120]                    |
|                |                                  |
| DSA-4407 [121] | xmltooling [122]                 |
|                |                                  |
| DSA-4408 [123] | liblivemedia [124]               |
|                |                                  |
| DSA-4409 [125] | neutron [126]                    |
|                |                                  |
| DSA-4410 [127] | openjdk-8 [128]                  |
|                |                                  |
| DSA-4411 [129] | firefox-esr [130]                |
|                |                                  |
| DSA-4412 [131] | drupal7 [132]                    |
|                |                                  |
| DSA-4413 [133] | ntfs-3g [134]                    |
|                |                                  |
| DSA-4414 [135] | libapache2-mod-auth-mellon [136] |
|                |                                  |
| DSA-4415 [137] | passenger [138]                  |
|                |                                  |
| DSA-4416 [139] | wireshark [140]                  |
|                |                                  |
| DSA-4417 [141] | firefox-esr [142]                |
|                |                                  |
| DSA-4418 [143] | dovecot [144]                    |
|                |                                  |
| DSA-4419 [145] | twig [146]                       |
|                |                                  |
| DSA-4420 [147] | thunderbird [148]                |
|                |                                  |
| DSA-4422 [149] | apache2 [150]                    |
|                |                                  |
| DSA-4423 [151] | putty [152]                      |
|                |                                  |
| DSA-4424 [153] | pdns [154]                       |
|                |                                  |
| DSA-4425 [155] | wget [156]                       |
|                |                                  |
| DSA-4426 [157] | tryton-server [158]              |
|                |                                  |
| DSA-4427 [159] | samba [160]                      |
|                |                                  |
| DSA-4428 [161] | systemd [162]                    |
|                |                                  |
| DSA-4429 [163] | spip [164]                       |
|                |                                  |
| DSA-4430 [165] | wpa [166]                        |
|                |                                  |
| DSA-4431 [167] | libssh2 [168]                    |
|                |                                  |
| DSA-4432 [169] | ghostscript [170]                |
|                |                                  |
| DSA-4433 [171] | ruby2.3 [172]                    |
|                |                                  |
| DSA-4434 [173] | drupal7 [174]                    |
|                |                                  |
+----------------+----------------------------------+

 71: https://www.debian.org/security/2018/dsa-4259
 72: https://packages.debian.org/src:ruby2.3
 73: https://www.debian.org/security/2018/dsa-4332
 74: https://packages.debian.org/src:ruby2.3
 75: https://www.debian.org/security/2018/dsa-4341
 76: https://packages.debian.org/src:mariadb-10.1
 77: https://www.debian.org/security/2019/dsa-4373
 78: https://packages.debian.org/src:coturn
 79: https://www.debian.org/security/2019/dsa-4374
 80: https://packages.debian.org/src:qtbase-opensource-src
 81: https://www.debian.org/security/2019/dsa-4377
 82: https://packages.debian.org/src:rssh
 83: https://www.debian.org/security/2019/dsa-4385
 84: https://packages.debian.org/src:dovecot
 85: https://www.debian.org/security/2019/dsa-4387
 86: https://packages.debian.org/src:openssh
 87: https://www.debian.org/security/2019/dsa-4388
 88: https://packages.debian.org/src:mosquitto
 89: https://www.debian.org/security/2019/dsa-4389
 90: https://packages.debian.org/src:libu2f-host
 91: https://www.debian.org/security/2019/dsa-4390
 92: https://packages.debian.org/src:flatpak
 93: https://www.debian.org/security/2019/dsa-4391
 94: https://packages.debian.org/src:firefox-esr
 95: https://www.debian.org/security/2019/dsa-4392
 96: https://packages.debian.org/src:thunderbird
 97: https://www.debian.org/security/2019/dsa-4393
 98: https://packages.debian.org/src:systemd
 99: https://www.debian.org/security/2019/dsa-4394
100: https://packages.debian.org/src:rdesktop
101: https://www.debian.org/security/2019/dsa-4396
102: https://packages.debian.org/src:ansible
103: https://www.debian.org/security/2019/dsa-4397
104: https://packages.debian.org/src:ldb
105: https://www.debian.org/security/2019/dsa-4398
106: https://packages.debian.org/src:php7.0
107: https://www.debian.org/security/2019/dsa-4399
108: https://packages.debian.org/src:ikiwiki
109: https://www.debian.org/security/2019/dsa-4400
110: https://packages.debian.org/src:openssl1.0
111: https://www.debian.org/security/2019/dsa-4401
112: https://packages.debian.org/src:wordpress
113: https://www.debian.org/security/2019/dsa-4402
114: https://packages.debian.org/src:mumble
115: https://www.debian.org/security/2019/dsa-4403
116: https://packages.debian.org/src:php7.0
117: https://www.debian.org/security/2019/dsa-4405
118: https://packages.debian.org/src:openjpeg2
119: https://www.debian.org/security/2019/dsa-4406
120: https://packages.debian.org/src:waagent
121: https://www.debian.org/security/2019/dsa-4407
122: https://packages.debian.org/src:xmltooling
123: https://www.debian.org/security/2019/dsa-4408
124: https://packages.debian.org/src:liblivemedia
125: https://www.debian.org/security/2019/dsa-4409
126: https://packages.debian.org/src:neutron
127: https://www.debian.org/security/2019/dsa-4410
128: https://packages.debian.org/src:openjdk-8
129: https://www.debian.org/security/2019/dsa-4411
130: https://packages.debian.org/src:firefox-esr
131: https://www.debian.org/security/2019/dsa-4412
132: https://packages.debian.org/src:drupal7
133: https://www.debian.org/security/2019/dsa-4413
134: https://packages.debian.org/src:ntfs-3g
135: https://www.debian.org/security/2019/dsa-4414
136: https://packages.debian.org/src:libapache2-mod-auth-mellon
137: https://www.debian.org/security/2019/dsa-4415
138: https://packages.debian.org/src:passenger
139: https://www.debian.org/security/2019/dsa-4416
140: https://packages.debian.org/src:wireshark
141: https://www.debian.org/security/2019/dsa-4417
142: https://packages.debian.org/src:firefox-esr
143: https://www.debian.org/security/2019/dsa-4418
144: https://packages.debian.org/src:dovecot
145: https://www.debian.org/security/2019/dsa-4419
146: https://packages.debian.org/src:twig
147: https://www.debian.org/security/2019/dsa-4420
148: https://packages.debian.org/src:thunderbird
149: https://www.debian.org/security/2019/dsa-4422
150: https://packages.debian.org/src:apache2
151: https://www.debian.org/security/2019/dsa-4423
152: https://packages.debian.org/src:putty
153: https://www.debian.org/security/2019/dsa-4424
154: https://packages.debian.org/src:pdns
155: https://www.debian.org/security/2019/dsa-4425
156: https://packages.debian.org/src:wget
157: https://www.debian.org/security/2019/dsa-4426
158: https://packages.debian.org/src:tryton-server
159: https://www.debian.org/security/2019/dsa-4427
160: https://packages.debian.org/src:samba
161: https://www.debian.org/security/2019/dsa-4428
162: https://packages.debian.org/src:systemd
163: https://www.debian.org/security/2019/dsa-4429
164: https://packages.debian.org/src:spip
165: https://www.debian.org/security/2019/dsa-4430
166: https://packages.debian.org/src:wpa
167: https://www.debian.org/security/2019/dsa-4431
168: https://packages.debian.org/src:libssh2
169: https://www.debian.org/security/2019/dsa-4432
170: https://packages.debian.org/src:ghostscript
171: https://www.debian.org/security/2019/dsa-4433
172: https://packages.debian.org/src:ruby2.3
173: https://www.debian.org/security/2019/dsa-4434
174: https://packages.debian.org/src:drupal7


Removed packages
----------------

The following packages were removed due to circumstances beyond our
control:

+-----------------------------+----------------------------------------+
| Package                     | Reason                                 |
+-----------------------------+----------------------------------------+
| gcontactsync [175]          | Incompatible with newer firefox-esr    |
|                             | versions                               |
|                             |                                        |
| google-tasks-sync [176]     | Incompatible with newer firefox-esr    |
|                             | versions                               |
|                             |                                        |
| mozilla-gnome-kerying [177] | Incompatible with newer firefox-esr    |
|                             | versions                               |
|                             |                                        |
| tbdialout [178]             | Incompatible with newer thunderbird    |
|                             | versions                               |
|                             |                                        |
| timeline [179]              | Incompatible with newer thunderbird    |
|                             | versions                               |
|                             |                                        |
+-----------------------------+----------------------------------------+

175: https://packages.debian.org/src:gcontactsync
176: https://packages.debian.org/src:google-tasks-sync
177: https://packages.debian.org/src:mozilla-gnome-kerying
178: https://packages.debian.org/src:tbdialout
179: https://packages.debian.org/src:timeline


Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.


URLs
----

The complete lists of packages that have changed with this revision:

  http://ftp.debian.org/debian/dists/stretch/ChangeLog

The current stable distribution:

  http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

  http://ftp.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

  https://www.debian.org/releases/stable/

Security announcements and information:

  https://www.debian.org/security/


About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.


Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.