------------------------------------------------------------------------
The Debian Project https://www.debian.org/
Updated Debian 9: 9.9 released press@debian.org
April 27th, 2019 https://www.debian.org/News/2019/20190427
------------------------------------------------------------------------
The Debian project is pleased to announce the ninth update of its stable
distribution Debian 9 (codename "stretch"). This point release mainly
adds corrections for security issues, along with a few adjustments for
serious problems. Security advisories have already been published
separately and are referenced where available.
Please note that the point release does not constitute a new version of
Debian 9 but only updates some of the packages included. There is no
need to throw away old "stretch" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:
https://www.debian.org/mirror/list
As a special case for this point release, those using the "apt-get" tool
to perform the upgrade will need to ensure that the "dist-upgrade"
command is used, in order to update to the latest kernel packages. Users
of other tools such as "apt" and "aptitude" should use the "upgrade"
command.
Miscellaneous Bugfixes
----------------------
This stable update adds a few important corrections to the following
packages:
+--------------------------+------------------------------------------+
| Package | Reason |
+--------------------------+------------------------------------------+
| audiofile [1] | Fix denial of service [CVE-2018-13440] |
| | and buffer overflow issues [CVE-2018- |
| | 17095] |
| | |
| base-files [2] | Update for the point release |
| | |
| bwa [3] | Fix buffer overflow [CVE-2019-10269] |
| | |
| ca-certificates-java [4] | Fix bashisms in postinst and jks- |
| | keystore |
| | |
| cernlib [5] | Apply optimization flag -O to Fortran |
| | modules instead of -O2 which generates |
| | broken code; fix build failure on arm64 |
| | by disabling PIE for Fortran executables |
| | |
| choose-mirror [6] | Update included mirror list |
| | |
| chrony [7] | Fix logging of measurements and |
| | statistics, and stopping of chronyd, on |
| | some platforms when seccomp filtering is |
| | enabled |
| | |
| ckermit [8] | Drop OpenSSL version check |
| | |
| clamav [9] | Fix out-of-bounds heap access when |
| | scanning PDF documents [CVE-2019-1787], |
| | PE files packed using Aspack [CVE-2019- |
| | 1789] or OLE2 files [CVE-2019-1788] |
| | |
| dansguardian [10] | Add "missingok" to logrotate |
| | configuration |
| | |
| debian-installer [11] | Rebuild against proposed-updates |
| | |
| debian-installer- | Rebuild against proposed-updates |
| netboot-images [12] | |
| | |
| debian-security- | Update support statuses |
| support [13] | |
| | |
| diffoscope [14] | Fix tests to work with Ghostscript 9.26 |
| | |
| dns-root-data [15] | Update root data to 2019031302 |
| | |
| dnsruby [16] | Add new root key (KSK-2017); ruby 2.3.0 |
| | deprecates TimeoutError, use |
| | Timeout::Error |
| | |
| dpdk [17] | New upstream stable release |
| | |
| edk2 [18] | Fix buffer overflow in BlockIo service |
| | [CVE-2018-12180]; DNS: Check received |
| | packet size before using [CVE-2018- |
| | 12178]; fix stack overflow with |
| | corrupted BMP [CVE-2018-12181] |
| | |
| firmware-nonfree [19] | atheros / iwlwifi: update BlueTooth |
| | firmware [CVE-2018-5383] |
| | |
| flatpak [20] | Reject all ioctls that the kernel will |
| | interpret as TIOCSTI [CVE-2019-10063] |
| | |
| geant321 [21] | Rebuild against cernlib with fixed |
| | Fortran optmisations |
| | |
| gnome-chemistry- | Stop building the obsolete gcu-plugin |
| utils [22] | package |
| | |
| gocode [23] | gocode-auto-complete-el: Promote auto- |
| | complete-el to Pre-Depends to ensure |
| | successful upgrades |
| | |
| gpac [24] | Fix buffer overflows [CVE-2018-7752 |
| | CVE-2018-20762], heap overflows |
| | [CVE-2018-13005 CVE-2018-13006 CVE-2018- |
| | 20761], out-of-bounds writes [CVE-2018- |
| | 20760 CVE-2018-20763] |
| | |
| icedtea-web [25] | Stop building the browser plugin, no |
| | longer works with Firefox 60 |
| | |
| igraph [26] | Fix a crash when loading malformed |
| | GraphML files [CVE-2018-20349] |
| | |
| jabref [27] | Fix XML External Entity attack |
| | [CVE-2018-1000652] |
| | |
| java-common [28] | Remove the default-java-plugin package, |
| | as the icedtea-web Xul plugin is being |
| | removed |
| | |
| jquery [29] | Prevent Object.prototype pollution |
| | [CVE-2019-11358] |
| | |
| kauth [30] | Fix insecure handling of arguments in |
| | helpers [CVE-2019-7443] |
| | |
| libdate-holidays-de- | Add March 8th (from 2019 onwards) and |
| perl [31] | May 8th (2020 only) as public holidays |
| | (Berlin only) |
| | |
| libdatetime-timezone- | Update included data |
| perl [32] | |
| | |
| libreoffice [33] | Introduce next Japanese gengou era |
| | 'Reiwa'; make -core conflict against |
| | openjdk-8-jre-headless (= 8u181-b13- |
| | 2~deb9u1), which had a broken |
| | ClassPathURLCheck |
| | |
| linux [34] | New upstream stable version |
| | |
| linux-latest [35] | Update for -9 kernel ABI |
| | |
| mariadb-10.1 [36] | New upstream stable version |
| | |
| mclibs [37] | Rebuild against cernlib with fixed |
| | Fortran optmisations |
| | |
| ncmpc [38] | Fix NULL pointer dereference [CVE-2018- |
| | 9240] |
| | |
| node-superagent [39] | Fix ZIP bomb attacks [CVE-2017-16129]; |
| | fix syntax error |
| | |
| nvidia-graphics- | New upstream stable release [CVE-2018- |
| drivers [40] | 6260] |
| | |
| nvidia-settings [41] | New upstream stable release |
| | |
| obs-build [42] | Do not allow writing to files in the |
| | host system [CVE-2017-14804] |
| | |
| paw [43] | Rebuild against cernlib with fixed |
| | Fortran optmisations |
| | |
| perlbrew [44] | Allow HTTPS CPAN URLs |
| | |
| postfix [45] | New upstream stable release |
| | |
| postgresql-9.6 [46] | New upstream stable release |
| | |
| psk31lx [47] | Make version sort correctly to avoid |
| | potential upgrade issues |
| | |
| publicsuffix [48] | Update included data |
| | |
| pyca [49] | Add "missingok" to logrotate |
| | configuration |
| | |
| python-certbot [50] | Revert to debhelper compat 9, to ensure |
| | systemd timers are correctly started |
| | |
| python-cryptography [51] | Remove BIO_callback_ctrl: The prototype |
| | differs with the OpenSSL's definition of |
| | it after it was changed (fixed) within |
| | OpenSSL |
| | |
| python-django- | Apply django 1.10 middleware fix; |
| casclient [52] | python(3)-django-casclient: fix missing |
| | dependencies on python(3)-django |
| | |
| python-mode [53] | Remove support for xemacs21 |
| | |
| python-pip [54] | Properly catch requests' HTTPError in |
| | index.py |
| | |
| python-pykmip [55] | Fix potential denial of service issue |
| | [CVE-2018-1000872] |
| | |
| r-cran-igraph [56] | Fix denial of service via crafted object |
| | [CVE-2018-20349] |
| | |
| rails [57] | Fix information disclosure issues |
| | [CVE-2018-16476 CVE-2019-5418], denial |
| | of service issue [CVE-2019-5419] |
| | |
| rsync [58] | Several security fixes for zlib |
| | [CVE-2016-9840 CVE-2016-9841 CVE-2016- |
| | 9842 CVE-2016-9843] |
| | |
| ruby-i18n [59] | Prevent a remote denial-of-service |
| | vulnerability [CVE-2014-10077] |
| | |
| ruby2.3 [60] | Fix FTBFS |
| | |
| runc [61] | Fix root privilege escalation |
| | vulnerability [CVE-2019-5736] |
| | |
| systemd [62] | journald: fix assertion failure on |
| | journal_file_link_data; tmpfiles: fix |
| | "e" to support shell style globs; |
| | mount-util: accept that |
| | name_to_handle_at() might fail with |
| | EPERM; automount: ack automount requests |
| | even when already mounted [CVE-2018- |
| | 1049]; fix potential root privilege |
| | escalation [CVE-2018-15686] |
| | |
| twitter-bootstrap3 [63] | Fix cross site scripting issue in |
| | tooltips or popovers [CVE-2019-8331] |
| | |
| tzdata [64] | New upstream release |
| | |
| unzip [65] | Fix buffer overflow in password |
| | protected ZIP archives [CVE-2018- |
| | 1000035] |
| | |
| vcftools [66] | Fix information disclosure [CVE-2018- |
| | 11099] and denial of service [CVE-2018- |
| | 11129 CVE-2018-11130] via crafted files |
| | |
| vips [67] | Fix NULL function pointer dereference |
| | [CVE-2018-7998], uninitialised memory |
| | access [CVE-2019-6976] |
| | |
| waagent [68] | New upstream release, with many Azure |
| | fixes [CVE-2019-0804] |
| | |
| yorick-av [69] | Rescale frame timestamps; set VBV buffer |
| | size for MPEG1/2 files |
| | |
| zziplib [70] | Fix invalid memory access [CVE-2018- |
| | 6381], bus error [CVE-2018-6540], out- |
| | of-bounds read [CVE-2018-7725], crash |
| | via crafted zip file [CVE-2018-7726], |
| | memory leak [CVE-2018-16548]; reject ZIP |
| | file if the size of the central |
| | directory and/or the offset of start of |
| | central directory point beyond the end |
| | of the ZIP file [CVE-2018-6484, |
| | CVE-2018-6541, CVE-2018-6869] |
| | |
+--------------------------+------------------------------------------+
1: https://packages.debian.org/src:audiofile
2: https://packages.debian.org/src:base-files
3: https://packages.debian.org/src:bwa
4: https://packages.debian.org/src:ca-certificates-java
5: https://packages.debian.org/src:cernlib
6: https://packages.debian.org/src:choose-mirror
7: https://packages.debian.org/src:chrony
8: https://packages.debian.org/src:ckermit
9: https://packages.debian.org/src:clamav
10: https://packages.debian.org/src:dansguardian
11: https://packages.debian.org/src:debian-installer
12: https://packages.debian.org/src:debian-installer-netboot-images
13: https://packages.debian.org/src:debian-security-support
14: https://packages.debian.org/src:diffoscope
15: https://packages.debian.org/src:dns-root-data
16: https://packages.debian.org/src:dnsruby
17: https://packages.debian.org/src:dpdk
18: https://packages.debian.org/src:edk2
19: https://packages.debian.org/src:firmware-nonfree
20: https://packages.debian.org/src:flatpak
21: https://packages.debian.org/src:geant321
22: https://packages.debian.org/src:gnome-chemistry-utils
23: https://packages.debian.org/src:gocode
24: https://packages.debian.org/src:gpac
25: https://packages.debian.org/src:icedtea-web
26: https://packages.debian.org/src:igraph
27: https://packages.debian.org/src:jabref
28: https://packages.debian.org/src:java-common
29: https://packages.debian.org/src:jquery
30: https://packages.debian.org/src:kauth
31: https://packages.debian.org/src:libdate-holidays-de-perl
32: https://packages.debian.org/src:libdatetime-timezone-perl
33: https://packages.debian.org/src:libreoffice
34: https://packages.debian.org/src:linux
35: https://packages.debian.org/src:linux-latest
36: https://packages.debian.org/src:mariadb-10.1
37: https://packages.debian.org/src:mclibs
38: https://packages.debian.org/src:ncmpc
39: https://packages.debian.org/src:node-superagent
40: https://packages.debian.org/src:nvidia-graphics-drivers
41: https://packages.debian.org/src:nvidia-settings
42: https://packages.debian.org/src:obs-build
43: https://packages.debian.org/src:paw
44: https://packages.debian.org/src:perlbrew
45: https://packages.debian.org/src:postfix
46: https://packages.debian.org/src:postgresql-9.6
47: https://packages.debian.org/src:psk31lx
48: https://packages.debian.org/src:publicsuffix
49: https://packages.debian.org/src:pyca
50: https://packages.debian.org/src:python-certbot
51: https://packages.debian.org/src:python-cryptography
52: https://packages.debian.org/src:python-django-casclient
53: https://packages.debian.org/src:python-mode
54: https://packages.debian.org/src:python-pip
55: https://packages.debian.org/src:python-pykmip
56: https://packages.debian.org/src:r-cran-igraph
57: https://packages.debian.org/src:rails
58: https://packages.debian.org/src:rsync
59: https://packages.debian.org/src:ruby-i18n
60: https://packages.debian.org/src:ruby2.3
61: https://packages.debian.org/src:runc
62: https://packages.debian.org/src:systemd
63: https://packages.debian.org/src:twitter-bootstrap3
64: https://packages.debian.org/src:tzdata
65: https://packages.debian.org/src:unzip
66: https://packages.debian.org/src:vcftools
67: https://packages.debian.org/src:vips
68: https://packages.debian.org/src:waagent
69: https://packages.debian.org/src:yorick-av
70: https://packages.debian.org/src:zziplib
Security Updates
----------------
This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:
+----------------+----------------------------------+
| Advisory ID | Package |
+----------------+----------------------------------+
| DSA-4259 [71] | ruby2.3 [72] |
| | |
| DSA-4332 [73] | ruby2.3 [74] |
| | |
| DSA-4341 [75] | mariadb-10.1 [76] |
| | |
| DSA-4373 [77] | coturn [78] |
| | |
| DSA-4374 [79] | qtbase-opensource-src [80] |
| | |
| DSA-4377 [81] | rssh [82] |
| | |
| DSA-4385 [83] | dovecot [84] |
| | |
| DSA-4387 [85] | openssh [86] |
| | |
| DSA-4388 [87] | mosquitto [88] |
| | |
| DSA-4389 [89] | libu2f-host [90] |
| | |
| DSA-4390 [91] | flatpak [92] |
| | |
| DSA-4391 [93] | firefox-esr [94] |
| | |
| DSA-4392 [95] | thunderbird [96] |
| | |
| DSA-4393 [97] | systemd [98] |
| | |
| DSA-4394 [99] | rdesktop [100] |
| | |
| DSA-4396 [101] | ansible [102] |
| | |
| DSA-4397 [103] | ldb [104] |
| | |
| DSA-4398 [105] | php7.0 [106] |
| | |
| DSA-4399 [107] | ikiwiki [108] |
| | |
| DSA-4400 [109] | openssl1.0 [110] |
| | |
| DSA-4401 [111] | wordpress [112] |
| | |
| DSA-4402 [113] | mumble [114] |
| | |
| DSA-4403 [115] | php7.0 [116] |
| | |
| DSA-4405 [117] | openjpeg2 [118] |
| | |
| DSA-4406 [119] | waagent [120] |
| | |
| DSA-4407 [121] | xmltooling [122] |
| | |
| DSA-4408 [123] | liblivemedia [124] |
| | |
| DSA-4409 [125] | neutron [126] |
| | |
| DSA-4410 [127] | openjdk-8 [128] |
| | |
| DSA-4411 [129] | firefox-esr [130] |
| | |
| DSA-4412 [131] | drupal7 [132] |
| | |
| DSA-4413 [133] | ntfs-3g [134] |
| | |
| DSA-4414 [135] | libapache2-mod-auth-mellon [136] |
| | |
| DSA-4415 [137] | passenger [138] |
| | |
| DSA-4416 [139] | wireshark [140] |
| | |
| DSA-4417 [141] | firefox-esr [142] |
| | |
| DSA-4418 [143] | dovecot [144] |
| | |
| DSA-4419 [145] | twig [146] |
| | |
| DSA-4420 [147] | thunderbird [148] |
| | |
| DSA-4422 [149] | apache2 [150] |
| | |
| DSA-4423 [151] | putty [152] |
| | |
| DSA-4424 [153] | pdns [154] |
| | |
| DSA-4425 [155] | wget [156] |
| | |
| DSA-4426 [157] | tryton-server [158] |
| | |
| DSA-4427 [159] | samba [160] |
| | |
| DSA-4428 [161] | systemd [162] |
| | |
| DSA-4429 [163] | spip [164] |
| | |
| DSA-4430 [165] | wpa [166] |
| | |
| DSA-4431 [167] | libssh2 [168] |
| | |
| DSA-4432 [169] | ghostscript [170] |
| | |
| DSA-4433 [171] | ruby2.3 [172] |
| | |
| DSA-4434 [173] | drupal7 [174] |
| | |
+----------------+----------------------------------+
71: https://www.debian.org/security/2018/dsa-4259
72: https://packages.debian.org/src:ruby2.3
73: https://www.debian.org/security/2018/dsa-4332
74: https://packages.debian.org/src:ruby2.3
75: https://www.debian.org/security/2018/dsa-4341
76: https://packages.debian.org/src:mariadb-10.1
77: https://www.debian.org/security/2019/dsa-4373
78: https://packages.debian.org/src:coturn
79: https://www.debian.org/security/2019/dsa-4374
80: https://packages.debian.org/src:qtbase-opensource-src
81: https://www.debian.org/security/2019/dsa-4377
82: https://packages.debian.org/src:rssh
83: https://www.debian.org/security/2019/dsa-4385
84: https://packages.debian.org/src:dovecot
85: https://www.debian.org/security/2019/dsa-4387
86: https://packages.debian.org/src:openssh
87: https://www.debian.org/security/2019/dsa-4388
88: https://packages.debian.org/src:mosquitto
89: https://www.debian.org/security/2019/dsa-4389
90: https://packages.debian.org/src:libu2f-host
91: https://www.debian.org/security/2019/dsa-4390
92: https://packages.debian.org/src:flatpak
93: https://www.debian.org/security/2019/dsa-4391
94: https://packages.debian.org/src:firefox-esr
95: https://www.debian.org/security/2019/dsa-4392
96: https://packages.debian.org/src:thunderbird
97: https://www.debian.org/security/2019/dsa-4393
98: https://packages.debian.org/src:systemd
99: https://www.debian.org/security/2019/dsa-4394
100: https://packages.debian.org/src:rdesktop
101: https://www.debian.org/security/2019/dsa-4396
102: https://packages.debian.org/src:ansible
103: https://www.debian.org/security/2019/dsa-4397
104: https://packages.debian.org/src:ldb
105: https://www.debian.org/security/2019/dsa-4398
106: https://packages.debian.org/src:php7.0
107: https://www.debian.org/security/2019/dsa-4399
108: https://packages.debian.org/src:ikiwiki
109: https://www.debian.org/security/2019/dsa-4400
110: https://packages.debian.org/src:openssl1.0
111: https://www.debian.org/security/2019/dsa-4401
112: https://packages.debian.org/src:wordpress
113: https://www.debian.org/security/2019/dsa-4402
114: https://packages.debian.org/src:mumble
115: https://www.debian.org/security/2019/dsa-4403
116: https://packages.debian.org/src:php7.0
117: https://www.debian.org/security/2019/dsa-4405
118: https://packages.debian.org/src:openjpeg2
119: https://www.debian.org/security/2019/dsa-4406
120: https://packages.debian.org/src:waagent
121: https://www.debian.org/security/2019/dsa-4407
122: https://packages.debian.org/src:xmltooling
123: https://www.debian.org/security/2019/dsa-4408
124: https://packages.debian.org/src:liblivemedia
125: https://www.debian.org/security/2019/dsa-4409
126: https://packages.debian.org/src:neutron
127: https://www.debian.org/security/2019/dsa-4410
128: https://packages.debian.org/src:openjdk-8
129: https://www.debian.org/security/2019/dsa-4411
130: https://packages.debian.org/src:firefox-esr
131: https://www.debian.org/security/2019/dsa-4412
132: https://packages.debian.org/src:drupal7
133: https://www.debian.org/security/2019/dsa-4413
134: https://packages.debian.org/src:ntfs-3g
135: https://www.debian.org/security/2019/dsa-4414
136: https://packages.debian.org/src:libapache2-mod-auth-mellon
137: https://www.debian.org/security/2019/dsa-4415
138: https://packages.debian.org/src:passenger
139: https://www.debian.org/security/2019/dsa-4416
140: https://packages.debian.org/src:wireshark
141: https://www.debian.org/security/2019/dsa-4417
142: https://packages.debian.org/src:firefox-esr
143: https://www.debian.org/security/2019/dsa-4418
144: https://packages.debian.org/src:dovecot
145: https://www.debian.org/security/2019/dsa-4419
146: https://packages.debian.org/src:twig
147: https://www.debian.org/security/2019/dsa-4420
148: https://packages.debian.org/src:thunderbird
149: https://www.debian.org/security/2019/dsa-4422
150: https://packages.debian.org/src:apache2
151: https://www.debian.org/security/2019/dsa-4423
152: https://packages.debian.org/src:putty
153: https://www.debian.org/security/2019/dsa-4424
154: https://packages.debian.org/src:pdns
155: https://www.debian.org/security/2019/dsa-4425
156: https://packages.debian.org/src:wget
157: https://www.debian.org/security/2019/dsa-4426
158: https://packages.debian.org/src:tryton-server
159: https://www.debian.org/security/2019/dsa-4427
160: https://packages.debian.org/src:samba
161: https://www.debian.org/security/2019/dsa-4428
162: https://packages.debian.org/src:systemd
163: https://www.debian.org/security/2019/dsa-4429
164: https://packages.debian.org/src:spip
165: https://www.debian.org/security/2019/dsa-4430
166: https://packages.debian.org/src:wpa
167: https://www.debian.org/security/2019/dsa-4431
168: https://packages.debian.org/src:libssh2
169: https://www.debian.org/security/2019/dsa-4432
170: https://packages.debian.org/src:ghostscript
171: https://www.debian.org/security/2019/dsa-4433
172: https://packages.debian.org/src:ruby2.3
173: https://www.debian.org/security/2019/dsa-4434
174: https://packages.debian.org/src:drupal7
Removed packages
----------------
The following packages were removed due to circumstances beyond our
control:
+-----------------------------+----------------------------------------+
| Package | Reason |
+-----------------------------+----------------------------------------+
| gcontactsync [175] | Incompatible with newer firefox-esr |
| | versions |
| | |
| google-tasks-sync [176] | Incompatible with newer firefox-esr |
| | versions |
| | |
| mozilla-gnome-kerying [177] | Incompatible with newer firefox-esr |
| | versions |
| | |
| tbdialout [178] | Incompatible with newer thunderbird |
| | versions |
| | |
| timeline [179] | Incompatible with newer thunderbird |
| | versions |
| | |
+-----------------------------+----------------------------------------+
175: https://packages.debian.org/src:gcontactsync
176: https://packages.debian.org/src:google-tasks-sync
177: https://packages.debian.org/src:mozilla-gnome-kerying
178: https://packages.debian.org/src:tbdialout
179: https://packages.debian.org/src:timeline
Debian Installer
----------------
The installer has been updated to include the fixes incorporated into
stable by the point release.
URLs
----
The complete lists of packages that have changed with this revision:
http://ftp.debian.org/debian/dists/stretch/ChangeLog
The current stable distribution:
http://ftp.debian.org/debian/dists/stable/
Proposed updates to the stable distribution:
http://ftp.debian.org/debian/dists/proposed-updates
stable distribution information (release notes, errata etc.):
https://www.debian.org/releases/stable/
Security announcements and information:
https://www.debian.org/security/
About Debian
------------
The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.
Contact Information
-------------------
For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.
Attachment:
signature.asc
Description: OpenPGP digital signature