[SUA 89-1] Upcoming Debian 8 Update (8.3)

Debian Stable Updates Announcement SUA 89-1       https://www.debian.org/
debian-release@lists.debian.org                          Adam D. Barratt
January 18th, 2016

Upcoming Debian 8 Update (8.3)

An update to Debian 8 is scheduled for Saturday, January 23rd, 2016. As of
now it will include the following bug fixes. They can be found in
"jessie-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "jessie-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of
them by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes

This stable update adds important corrections to the following

  Package                               Reason

  android-platform-frameworks-base      [i386] Rebuild to fix dependency on android-libhost
  apache2                               Fix split-logfile to work with current perl, secondary-init-script to not source the main init script with 'set -e', tests on deferred mpm switch; add versioned Replaces/Breaks for libapache2-mod-macro
  apt                                   Hide first pdiff merge failure debug message; fix marking of deps of pkgs in APT::Never-MarkAuto-Sections as manual; do not parse Status fields from remote sources
  apt-dater-host                        Fix kernel version detection
  apt-offline                           Add missing dependency on python-apt
  arb                                   Skip compiler version check
  augeas                                HTTPD lense: include /etc/apache2/conf-available directory, allow EOL comments after section tags
  base-files                            Update for the 8.3 point release; os-release: Drop trailing slash in SUPPORT_URL variable
  bcfg2                                 Support Django 1.7
  ben                                   Fix buildd.debian.org compact links; ignore potential errors when deleting lock file; call dose-debcheck with --deb-native-arch
  ca-certificates                       Update Mozilla certificate authority bundle to version 2.6
  ceph                                  URL encode bucket name [CVE-2015-5245]
  charybdis                             Security fix [CVE-2015-5290]; initialise gnutls properly
  chrony                                Build depend on libcap-dev, to allow dropping of privileges
  commons-httpclient                    Ensure HTTPS calls use http.socket.timeout during SSL Handshake [CVE-2015-5262]
  cpuset                                Update filesystem namespace prefix patch
  curlftpfs                             Avoid unsafe cast for getpass() on 64-bit archs
  dbconfig-common                       Fix permission of PostgreSQL backup files
  debian-handbook                       Update for Jessie
  debian-installer                      Re-introduce installer images for QNAP TS-x09; provide u-boot images for plug computers; add the part_gpt module into the core grub image; add beep to UEFI x86 boot menu; add 's' shortcut for speech to UEFI x86 boot menu; exclude usb-serial-modules from the armel network-console image and usb-modules explicitly on armel/orion5x network-console; drop the file extension from the initrd for QNAP devices; adjust p-u support to handle file:// instead of (f|ht)tp:// only
  docbook2x                             Do not install info/dir.gz files
  doctrine                              Fix security misconfiguration vulnerability [CVE-2015-5723]
  drbd-utils                            Fix drbdadm adjust with IPv6 peer addresses
  ejabberd                              Fix broken LDAP queries
  exfat-utils                           Fix buffer overflow and infinite loop
  exim4                                 Fix some MIME ACL related crashes; fix a bug causing duplicate deliveries especially on TLS connections
  fglrx-driver                          New upstream release; fix security issue [CVE-2015-7724]
  file                                  Fix --parameter handling
  flash-kernel                          Avoid waiting for Ctrl-C if any debconf frontend is in use
  fuse-exfat                            Fix buffer overflow and infinite loop
  ganglia-modules-linux                 Only restart the ganglia service after installation if it is running
  getmail4                              Set poplib._MAXLINE=1MB
  glance                                Prevent image status being directly modified via v1 API [CVE-2015-5251]
  glibc                                 Fix getaddrinfo sometimes returning uninitialized data with nscd; fix data corruption while reading the NSS files database [CVE-2015-5277]; fix buffer overflow (read past end of buffer) in internal_fnmatch; fix _IO_wstr_overflow integer overflow; fix unexpected closing of nss_files databases after lookups, causing denial of service [CVE-2014-8121]; fix NSCD netgroup cache; unconditionally disable LD_POINTER_GUARD; mangle function pointers in tls_dtor_list; fix memory allocations issues that can lead to buffer overflows on the stack; update TSX blacklist to also include some Broadwell CPUs
  gnome-orca                            Ensure correct focus on password entry, so characters are not echoed
  gnome-shell-extension-weather         Display a warning if API key has not been supplied by the user, since querying openweathermap.org no longer works without such a key
  gummi                                 Avoid predictable naming of temporary files [CVE-2015-7758]
  human-icon-theme                      debian/clean-up.sh: Do not run processes in background
  ieee-data                             Update included data files, adding mam.txt and oui36.txt; stop downloading via HTTPS, as neither wget nor curl support TLS AIA, as now used by standards.ieee.org
  intel-microcode                       Update included microcode
  iptables-persistent                   Stop rules files being world-readable; rewrite README
  isc-dhcp                              Fix error when max lease time is used on 64-bit systems
  keepassx                              Fix storage of passwords in clear text [CVE-2015-8378]
  libapache-mod-fastcgi                 Switch B-D from libtool to libtool-bin to fix FTBFS
  libapache2-mod-perl2                  Fix crashes in modperl_interp_unselect()
  libcgi-session-perl                   Untaint raw data coming from session storage backends, fixing a regression caused by CVE-2015-8607 fixes in perl
  libdatetime-timezone-perl             New upstream release
  libencode-perl                        Correctly handle a lack of BOM when decoding
  libhtml-scrubber-perl                 Fix cross-site scripting vulnerability in comments [CVE-2015-5667]
  libinfinity                           Fix possible crashes when an entry is removed from the document browser and when access control lists are enabled
  libiptables-parse-perl                Fix use of predictable names for temporary files [CVE-2015-8326]
  libraw                                Fix index overflow in smal_decode_segment [CVE-2015-8366]; fix memory objects are not initialized properly [CVE-2015-8367]
  libssh                                Fix "null pointer dereference due to a logical error in the handling of a SSH_MSG_NEWKEYS and KEXDH_REPLY packets" [CVE-2015-3146]
  linux                                 Update to upstream release 3.16.7-ckt20; nbd: Restore request timeout detection; [x86] Enable PINCTRL_BAYTRAIL; [mips*/octeon] Enable CAVIUM_CN63XXP1; firmware_class: Fix condition in directory search loop; [x86] KVM: svm: unconditionally intercept #DB [CVE-2015-8104]
  linux-tools                           Add new hyperv-daemons package
  lldpd                                 Fix a segfault and an assertion error when receiving incorrectly formed LLDP management addresses
  madfuload                             Use autoreconf -fi to fix FTBFS with automake 1.14
  mdadm                                 Disable incremental assembly, as it can cause issues booting a degraded RAID
  mkvmlinuz                             Direct run-parts output to stderr
  monit                                 Fix umask-related regression from 5.8.1
  mpm-itk                               Fix an issue where closing of connections was attempted in the parent, resulting in "Connection: close" not being honoured, and various odd effects with SSL keepalive in certain browsers
  multipath-tools                       Fix discovery of devices with blank sysfs attribute; add documentation to cover additional friendly names scenarios; init: Fix stop failure when no root device is found; use 'SCSI_IDENT_.*' as the default property whitelist
  netcfg                                Fix is_layer3_qeth on s390x to avoid bailing out if the network driver is not qeth
  nvidia-graphics-drivers               New upstream release [CVE-2015-5950]; fix Unsanitized User Mode Input issue [CVE-2015-7869]
  nvidia-graphics-drivers-legacy-304xx  Update to new upstream version; fix unsanitized User Mode Input [CVE-2015-7869]
  nvidia-graphics-modules               Rebuild against nvidia-kernel-source 340.96
  openldap                              Fix a crash when adding a large attribute value with the auditlog overlay enabled
  openvpn                               Add --no-block to if-up.d script to avoid hanging boot on interfaces with openvpn instances
  owncloud                              Fix local file inclusion on MS Windows Platform [CVE-2015-4716], resource exhaustion when sanitizing filenames [CVE-2015-4717], command injection when using external SMB storage [CVE-2015-4718], calendar export: Authorization Bypass Through User-Controlled Key [CVE-2015-6670]; fix reflected XSS in OCS provider discovery [oc-sa-2016-001] [CVE-2016-1498], disclosure of files that begin with ".v" due to unchecked return value [oc-sa-2016-003] [CVE-2016-1500], information exposure via directory listing in the file scanner [oc-sa-2016-002] [CVE-2016-1499], installation path disclosure through error message [oc-sa-2016-004] [CVE-2016-1501]
  pam                                   Fix DoS/user enumeration due to blocking pipe in pam_unix [CVE-2015-3238]
  pcre3                                 Fix security issues [CVE-2015-2325 CVE-2015-2326 CVE-2015-3210 CVE-2015-5073 CVE-2015-8384 CVE-2015-8388]
  pdns                                  Fix upgrades with default configuration
  perl                                  Correctly handle a lack of BOM when decoding
  php-auth-sasl                         Rebuild with pkg-php-tools 1.28 to correct PHP dependencies
  php-doctrine-annotations              Fix security misconfiguration vulnerability [CVE-2015-5723]
  php-doctrine-cache                    Fix security misconfiguration vulnerability [CVE-2015-5723]
  php-doctrine-common                   Fix security misconfiguration vulnerability [CVE-2015-5723]
  php-dropbox                           Refuse to handle any files containing an @ [CVE-2015-4715]
  php-mail-mimedecode                   Rebuild with pkg-php-tools 1.28 to correct PHP dependencies
  php5                                  New upstream release
  plowshare4                            Disable JavaScript support
  postgresql-9.1                        New upstream release
  pykerberos                            Add KDC authenticity verification support [CVE-2015-3206]
  python-yaql                           Remove broken python3-yaql package
  qpsmtpd                               Fix compatibility issue with newer Net::DNS versions
  quassel                               Fix remote DoS in quassel core, using /op * command [CVE-2015-8547]
  redis                                 Ensure that a valid runtime directory is created when running under systemd
  redmine                               Fix upgrades when there are locally-installed plugins; fix moving issues across projects
  rsyslog                               Fix crash in imfile module when using inotify mode; prevent a segfault in dynafile creation
  ruby-bson                             Fix DoS and possible injection [CVE-2015-4410]
  s390-dasd                             If no channel is found, exit cleanly. This allows s390-dasd to step out of the way on VMs with virtio disks
  shadow                                Fix error handling in busy user detection
  sparse                                Fix build failure with llvm-3.5
  spip                                  Fix cross-site scripting issue
  stk                                   Install missing SKINI.{msg,tbl} include files
  sus                                   Update checksums for upstream tarball
  swift                                 Fix unauthorized delete of versioned Swift object [CVE-2015-1856]; fix information leak via Swift tempurls [CVE-2015-5223]; fix service name of object-expirer in init script; add container-sync init script; "standardise" user addition
  systemd                               Fix namespace breakage due to incorrect path sorting; don't timeout after 90 seconds when no password was entered for cryptsetup devices; only set the kernel's timezone when the RTC runs in local time, avoiding possible jumps backward in time; fix incorrect handling of comma separator in systemd-delta; make DHCP broadcast behaviour configurable in systemd-networkd
  tangerine-icon-theme                  debian/clean-up.sh: Do not run processes in background
  torbrowser-launcher                   Really apply patches from 0.1.9-1+deb8u1; stop confining start-tor-browser script with AppArmor; set usr.bin.torbrowser-launcher AppArmor profiles to complain mode
  ttylog                                Fix truncation of device name when selecting device
  tzdata                                New upstream release
  uqm                                   Fix missing -lm
  vlc                                   New upstream stable release
  webkitgtk                             New upstream stable release; fix "late TLS certificate verification" [CVE-2015-2330]
  wxmaxima                              Prevent crash on encountering parenthesis in dialogues
  zendframework                         Fix entropy issue with captcha [ZF2015-09]

A complete list of all accepted packages together with
rationale is on the preparation page for this revision:


Removed packages

The following packages will be removed due to circumstances beyond our

  Package             Reason

  core-network        Security issues
  elasticsearch       No longer supported
  googlecl            Broken due to relying on obsolete APIs
  libnsbmp            Security issues, unmaintained
  libnsgif            Security issues, unmaintained
  vimperator          Incompatible with newer iceweasel versions

If you encounter any issues, please don't hesitate to get in touch with
the Debian Release Team at "debian-release@lists.debian.org".
