-------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 89-1      https://www.debian.org/
debian-release@lists.debian.org                          Adam D. Barratt
January 18th, 2016
-------------------------------------------------------------------------

Upcoming Debian 8 Update (8.3)

An update to Debian 8 is scheduled for Saturday, January 23rd, 2016. As of
now it will include the following bug fixes. They can be found in
"jessie-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "jessie-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes
----------------------

This stable update adds important corrections to the following packages:

Package                                 Reason
android-platform-frameworks-base        [i386] Rebuild to fix dependency on
                                        android-libhost
apache2                                 Fix split-logfile to work with current
                                        perl, secondary-init-script to not
                                        source the main init script with
                                        'set -e', tests on deferred mpm
                                        switch; add versioned Replaces/Breaks
                                        for libapache2-mod-macro
apt                                     Hide first pdiff merge failure debug
                                        message; fix marking of deps of pkgs
                                        in APT::Never-MarkAuto-Sections as
                                        manual; do not parse Status fields
                                        from remote sources
apt-dater-host                          Fix kernel version detection
apt-offline                             Add missing dependency on python-apt
arb                                     Skip compiler version check
augeas                                  HTTPD lense: include
                                        /etc/apache2/conf-available directory,
                                        allow EOL comments after section tags
base-files                              Update for the 8.3 point release;
                                        os-release: Drop trailing slash in
                                        SUPPORT_URL variable
bcfg2                                   Support Django 1.7
ben                                     Fix buildd.debian.org compact links;
                                        ignore potential errors when deleting
                                        lock file; call dose-debcheck with
                                        --deb-native-arch
ca-certificates                         Update Mozilla certificate authority
                                        bundle to version 2.6
ceph                                    URL encode bucket name [CVE-2015-5245]
charybdis                               Security fix [CVE-2015-5290];
                                        initialise gnutls properly
chrony                                  Build depend on libcap-dev, to allow
                                        dropping of privileges
commons-httpclient                      Ensure HTTPS calls use
                                        http.socket.timeout during SSL
                                        Handshake [CVE-2015-5262]
cpuset                                  Update filesystem namespace prefix
                                        patch
curlftpfs                               Avoid unsafe cast for getpass() on
                                        64-bit archs
dbconfig-common                         Fix permission of PostgreSQL backup
                                        files
debian-handbook                         Update for Jessie
debian-installer                        Re-introduce installer images for
                                        QNAP TS-x09; provide u-boot images
                                        for plug computers; add the part_gpt
                                        module into the core grub image; add
                                        beep to UEFI x86 boot menu; add 's'
                                        shortcut for speech to UEFI x86 boot
                                        menu; exclude usb-serial-modules
                                        from the armel network-console image
                                        and usb-modules explicitly on
                                        armel/orion5x network-console; drop
                                        the file extension from the initrd
                                        for QNAP devices; adjust p-u support
                                        to handle file:// instead of
                                        (f|ht)tp:// only
docbook2x                               Do not install info/dir.gz files
doctrine                                Fix security misconfiguration
                                        vulnerability [CVE-2015-5723]
drbd-utils                              Fix drbdadm adjust with IPv6 peer
                                        addresses
ejabberd                                Fix broken LDAP queries
exfat-utils                             Fix buffer overflow and infinite loop
exim4                                   Fix some MIME ACL related crashes;
                                        fix a bug causing duplicate
                                        deliveries especially on TLS
                                        connections
fglrx-driver                            New upstream release; fix security
                                        issue [CVE-2015-7724]
file                                    Fix --parameter handling
flash-kernel                            Avoid waiting for Ctrl-C if any
                                        debconf frontend is in use
fuse-exfat                              Fix buffer overflow and infinite loop
ganglia-modules-linux                   Only restart the ganglia service
                                        after installation if it is running
getmail4                                Set poplib._MAXLINE=1MB
glance                                  Prevent image status being directly
                                        modified via v1 API [CVE-2015-5251]
glibc                                   Fix getaddrinfo sometimes returning
                                        uninitialized data with nscd; fix
                                        data corruption while reading the
                                        NSS files database [CVE-2015-5277];
                                        fix buffer overflow (read past end
                                        of buffer) in internal_fnmatch; fix
                                        _IO_wstr_overflow integer overflow;
                                        fix unexpected closing of nss_files
                                        databases after lookups, causing
                                        denial of service [CVE-2014-8121];
                                        fix NSCD netgroup cache;
                                        unconditionally disable
                                        LD_POINTER_GUARD; mangle function
                                        pointers in tls_dtor_list; fix
                                        memory allocation issues that can
                                        lead to buffer overflows on the
                                        stack; update TSX blacklist to also
                                        include some Broadwell CPUs
gnome-orca                              Ensure correct focus on password
                                        entry, so characters are not echoed
gnome-shell-extension-weather           Display a warning if API key has not
                                        been supplied by the user, since
                                        querying openweathermap.org no
                                        longer works without such a key
gummi                                   Avoid predictable naming of
                                        temporary files [CVE-2015-7758]
human-icon-theme                        debian/clean-up.sh: Do not run
                                        processes in background
ieee-data                               Update included data files, adding
                                        mam.txt and oui36.txt; stop
                                        downloading via HTTPS, as neither
                                        wget nor curl support TLS AIA, as
                                        now used by standards.ieee.org
intel-microcode                         Update included microcode
iptables-persistent                     Stop rules files being
                                        world-readable; rewrite README
isc-dhcp                                Fix error when max lease time is
                                        used on 64-bit systems
keepassx                                Fix storage of passwords in clear
                                        text [CVE-2015-8378]
libapache-mod-fastcgi                   Switch B-D from libtool to
                                        libtool-bin to fix FTBFS
libapache2-mod-perl2                    Fix crashes in
                                        modperl_interp_unselect()
libcgi-session-perl                     Untaint raw data coming from session
                                        storage backends, fixing a
                                        regression caused by CVE-2015-8607
                                        fixes in perl
libdatetime-timezone-perl               New upstream release
libencode-perl                          Correctly handle a lack of BOM when
                                        decoding
libhtml-scrubber-perl                   Fix cross-site scripting
                                        vulnerability in comments
                                        [CVE-2015-5667]
libinfinity                             Fix possible crashes when an entry
                                        is removed from the document browser
                                        and when access control lists are
                                        enabled
libiptables-parse-perl                  Fix use of predictable names for
                                        temporary files [CVE-2015-8326]
libraw                                  Fix index overflow in
                                        smal_decode_segment [CVE-2015-8366];
                                        fix memory objects not being
                                        initialized properly [CVE-2015-8367]
libssh                                  Fix "null pointer dereference due to
                                        a logical error in the handling of a
                                        SSH_MSG_NEWKEYS and KEXDH_REPLY
                                        packets" [CVE-2015-3146]
linux                                   Update to upstream release
                                        3.16.7-ctk20; nbd: Restore request
                                        timeout detection; [x86] Enable
                                        PINCTRL_BAYTRAIL; [mips*/octeon]
                                        Enable CAVIUM_CN63XXP1;
                                        firmware_class: Fix condition in
                                        directory search loop; [x86] KVM:
                                        svm: unconditionally intercept #DB
                                        [CVE-2015-8104]
linux-tools                             Add new hyperv-daemons package
lldpd                                   Fix a segfault and an assertion
                                        error when receiving incorrectly
                                        formed LLDP management addresses
madfuload                               Use autoreconf -fi to fix FTBFS with
                                        automake 1.14
mdadm                                   Disable incremental assembly, as it
                                        can cause issues booting a degraded
                                        RAID
mkvmlinuz                               Direct run-parts output to stderr
monit                                   Fix umask-related regression from
                                        5.8.1
mpm-itk                                 Fix an issue where closing of
                                        connections was attempted in the
                                        parent, resulting in "Connection:
                                        close" not being honoured, and
                                        various odd effects with SSL
                                        keepalive in certain browsers
multipath-tools                         Fix discovery of devices with blank
                                        sysfs attribute; add documentation
                                        to cover additional friendly names
                                        scenarios; init: Fix stop failure
                                        when no root device is found; use
                                        'SCSI_IDENT_.*' as the default
                                        property whitelist
netcfg                                  Fix is_layer3_qeth on s390x to avoid
                                        bailing out if the network driver is
                                        not qeth
nvidia-graphics-drivers                 New upstream release
                                        [CVE-2015-5950]; fix Unsanitized
                                        User Mode Input issue
                                        [CVE-2015-7869]
nvidia-graphics-drivers-legacy-304xx    Update to new upstream version; fix
                                        unsanitized User Mode Input
                                        [CVE-2015-7869]
nvidia-graphics-modules                 Rebuild against nvidia-kernel-source
                                        340.96
openldap                                Fix a crash when adding a large
                                        attribute value with the auditlog
                                        overlay enabled
openvpn                                 Add --no-block to if-up.d script to
                                        avoid hanging boot on interfaces
                                        with openvpn instances
owncloud                                Fix local file inclusion on MS
                                        Windows Platform [CVE-2015-4716],
                                        resource exhaustion when sanitizing
                                        filenames [CVE-2015-4717], command
                                        injection when using external SMB
                                        storage [CVE-2015-4718], calendar
                                        export: Authorization Bypass Through
                                        User-Controlled Key [CVE-2015-6670];
                                        fix reflected XSS in OCS provider
                                        discovery [oc-sa-2016-001]
                                        [CVE-2016-1498], disclosure of files
                                        that begin with ".v" due to
                                        unchecked return value
                                        [oc-sa-2016-003] [CVE-2016-1500],
                                        information exposure via directory
                                        listing in the file scanner
                                        [oc-sa-2016-002] [CVE-2016-1499],
                                        installation path disclosure through
                                        error message [oc-sa-2016-004]
                                        [CVE-2016-1501]
pam                                     Fix DoS/user enumeration due to
                                        blocking pipe in pam_unix
                                        [CVE-2015-3238]
pcre3                                   Fix security issues [CVE-2015-2325
                                        CVE-2015-2326 CVE-2015-3210
                                        CVE-2015-5073 CVE-2015-8384
                                        CVE-2015-8388]
pdns                                    Fix upgrades with default
                                        configuration
perl                                    Correctly handle a lack of BOM when
                                        decoding
php-auth-sasl                           Rebuild with pkg-php-tools 1.28 to
                                        correct PHP dependencies
php-doctrine-annotations                Fix security misconfiguration
                                        vulnerability [CVE-2015-5723]
php-doctrine-cache                      Fix security misconfiguration
                                        vulnerability [CVE-2015-5723]
php-doctrine-common                     Fix security misconfiguration
                                        vulnerability [CVE-2015-5723]
php-dropbox                             Refuse to handle any files
                                        containing an @ [CVE-2015-4715]
php-mail-mimedecode                     Rebuild with pkg-php-tools 1.28 to
                                        correct PHP dependencies
php5                                    New upstream release
plowshare4                              Disable Javascript support
postgresql-9.1                          New upstream release
pykerberos                              Add KDC authenticity verification
                                        support [CVE-2015-3206]
python-yaql                             Remove broken python3-yaql package
qpsmtpd                                 Fix compatibility issue with newer
                                        Net::DNS versions
quassel                                 Fix remote DoS in quassel core,
                                        using /op * command [CVE-2015-8547]
redis                                   Ensure that a valid runtime
                                        directory is created when running
                                        under systemd
redmine                                 Fix upgrades when there are
                                        locally-installed plugins; fix
                                        moving issues across projects
rsyslog                                 Fix crash in imfile module when
                                        using inotify mode; prevent a
                                        segfault in dynafile creation
ruby-bson                               Fix DoS and possible injection
                                        [CVE-2015-4410]
s390-dasd                               If no channel is found, exit
                                        cleanly. This allows s390-dasd to
                                        step out of the way on VMs with
                                        virtio disks
shadow                                  Fix error handling in busy user
                                        detection
sparse                                  Fix build failure with llvm-3.5
spip                                    Fix cross-site scripting issue
stk                                     Install missing SKINI.{msg,tbl}
                                        include files
sus                                     Update checksums for upstream
                                        tarball
swift                                   Fix unauthorized delete of versioned
                                        Swift object [CVE-2015-1856]; fix
                                        information leak via Swift tempurls
                                        [CVE-2015-5223]; fix service name of
                                        object-expirer in init script; add
                                        container-sync init script;
                                        "standardise" user addition
systemd                                 Fix namespace breakage due to
                                        incorrect path sorting; don't
                                        timeout after 90 seconds when no
                                        password was entered for cryptsetup
                                        devices; only set the kernel's
                                        timezone when the RTC runs in local
                                        time, avoiding possible jumps
                                        backward in time; fix incorrect
                                        handling of comma separator in
                                        systemd-delta; make DHCP broadcast
                                        behaviour configurable in
                                        systemd-networkd
tangerine-icon-theme                    debian/clean-up.sh: Do not run
                                        processes in background
torbrowser-launcher                     Really apply patches from
                                        0.1.9-1+deb8u1; stop confining
                                        start-tor-browser script with
                                        AppArmor; set
                                        usr.bin.torbrowser-launcher AppArmor
                                        profiles to complain mode
ttylog                                  Fix truncation of device name when
                                        selecting device
tzdata                                  New upstream release
uqm                                     Fix missing -lm
vlc                                     New upstream stable release
webkitgtk                               New upstream stable release; fix
                                        "late TLS certificate verification"
                                        [CVE-2015-2330]
wxmaxima                                Prevent crash on encountering
                                        parenthesis in dialogues
zendframework                           Fix entropy issue with captcha
                                        [ZF2015-09]

A complete list of all accepted packages together with rationale is on the
preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>

Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                                 Reason
core-network                            Security issues
elasticsearch                           No longer supported
googlecl                                Broken due to relying on obsolete
                                        APIs
libnsbmp                                Security issues, unmaintained
libnsgif                                Security issues, unmaintained
vimperator                              Incompatible with newer iceweasel
                                        versions

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".