[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SUA 107-1] Upcoming Debian 8 Update (8.6)

Hash: SHA256

- -------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 107-1      https://www.debian.org/
debian-release@lists.debian.org                           Adam D. Barratt
September 13th, 2016
- -------------------------------------------------------------------------

Upcoming Debian 8 Update (8.6)

An update to Debian 8 is scheduled for Saturday, September 17th, 2016.
As of now it will include the following bug fixes. They can be found in
"jessie-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "jessie-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of
them by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes
- ----------------------

This stable update adds a few important corrections to the following

    Package                       Reason

    adblock-plus                  New upstream release, compatible with firefox-esr
    apache2                       Fix race condition and logical error in init script; remove links to manpages.debian.org in default index.html; mod_socache_memcache: Increase idle timeout to 15s to allow keep-alive connections; mod_proxy_fcgi: Fix wrong behaviour with 304 responses; correct systemd-sysv-generator behaviour; mod_proxy_html: Add missing config file mods-available/proxy_html.conf
    audiofile                     Fix buffer overflow when changing both sample format and number of channels [CVE-2015-7747]
    automake-1.14                 Avoid insecure use of /tmp/ in install-sh
    backintime                    Add missing dependency on python-dbus
    backuppc                      Fix regressions from samba update to 4.2
    base-files                    Update for the point release
    biber                         Fix breakage triggered by point release update of perl
    cacti                         Fix SQL injection in tree.php [CVE-2016-3172] and graph_view.php [CVE-2016-3659]; fix authentication bypass [CVE-2016-2313]; fix regression in the fix for CVE-2016-2313 that broke guest user logins
    ccache                        Upstream bug-fix release
    clamav                        Don't fail if AllowSupplementaryGroups is still set in the config file
    cmake                         Fix FindOpenSSL module to detect OpenSSL 1.0.1t
    conkeror                      Support Firefox 44 and later
    debian-edu-config             Move from Iceweasel to Firefox ESR; adjust ldap-tools/ldap-debian-edu-install to be compliant with systemd now that unit samba.service is masked; dhclient-exit-hooks.d/hostname: adjust for the case of a dedicated LTSP server; adjust cf.krb5client to ensure that cfengine runs are idempotent; move code to cleanup /usr/share/pam-configs/krb5 diversion from postinst to preinst to ease upgrades from old wheezy installations; don't purge libnss-mdns as cups now needs mdns for automatic printer detection
    debian-edu-doc                Update Debian Edu Jessie and Wheezy manuals from the wiki
    debian-security-support       Update included support data; add support for marking packages as losing support at a future date
    dietlibc                      Fix insecure default PATH
    dwarfutils                    Security fixes [CVE-2015-8538 CVE-2015-8750 CVE-2016-2050 CVE-2016-2091 CVE-2016-5034 CVE-2016-5036 CVE-2016-5038 CVE-2016-5039 CVE-2016-5042]
    e2fsprogs                     Disable prompts for time skew which is fudged in e2fsck; fix potential corruption of Hurd file systems by e2fsck, pointer bugs that could cause crashes in e2fsck and resize2fs
    exim4                         Fix cutthrough bug with body lines having a single dot; fix crash on "exim -be '${if crypteq{xxx}{\$aaa}{yes}{no}}'"; improve NEWS file; backport missing upstream patch to actually make $initial_cwd expansion work
    file                          Fix buffer over-write in finfo_open with malformed magic file [CVE-2015-8865]
    firegestures                  New upstream release, compatible with firefox-esr
    flashplugin-nonfree           update-flashplugin-nonfree: Delete old get-upstream-version.pl from cache
    fusionforge                   Remove dependency on Mediawiki plugin from fusionforge-full metapackage
    glibc                         Fix assertion failure with unconnectable name server addresses (regression introduced by CVE-2015-7547 fix); fix *context functions on s390x; fix a buffer overflow in the glob function [CVE-2016-1234], a stack overflow in nss_dns_getnetbyname_r [CVE-2016-3075], a stack overflow in getaddrinfo function [CVE-2016-3706], a stack overflow in Sun RPC clntudp_call() [CVE-2016-4429]; update from upstream stable branch; fix open and openat functions with O_TMPFILE; fix backtrace hang on armel/armhf, possibly causing a minor denial-of-service vulnerability [CVE-2016-6323]; fix mtr on systems using only IPv6 nameservers
    gnome-maps                    New upstream release; use the Mapbox tile server, instead of the no longer supported MapQuest server
    gnome-sudoku                  Don't generate the same puzzle sequence every time
    gnupg                         gpgv: Tweak default options for extra security; g10: Fix checking key for signature validation
    gnupg2                        gpgv: Tweak default options for extra security; g10: Fix checking key for signature validation
    greasemonkey                  New upstream release, compatible with firefox-esr
    intel-microcode               New upstream release
    jakarta-jmeter                Really install the templates; fix an error with libxstream-java >= 1.4.9 when loading the templates
    javatools                     Return correct architecture string for ppc64el in java-arch.sh
    kamailio                      Fix libssl version check
    libbusiness-creditcard-perl   Adjust to changes in credit card ranges and processing of various companies
    libcss-dom-perl               Work around Encode changes included in perl and libencode-perl stable updates
    libdatetime-timezone-perl     Update included data to 2016e
    libdevel-declare-perl         Fix breakage caused by change in perl stable update
    libnet-ssleay-perl            Fix build failure with openssl 1.0.1t-1+deb8u1
    libquota-perl                 Adapt platform detection to work with Linux 4.x
    libtool                       Fix multi-arch co-installability [amd64 i386]
    libxml2                       Fix a problem unparsing URIs without a host part like qemu:///system; this unbreaks libvirt, libsys-virt-perl and others
    linux                         New upstream stable release
    lxc                           Make sure stretch/sid containers have an init system, after init 1.34 dropped the `Essential: yes` header
    mozilla-noscript              New upstream release, compatible with firefox-esr
    nullmailer                    Do not keep relayhost data in debconf database longer than strictly needed
    open-iscsi                    Init script: wait a bit after iSCSI devices have appeared, working around a race condition in which dependent devices can appear only after the initial udev settle has returned; open-iscsi-udeb: update initramfs after copying configuration to target system
    openssl                       Fix length check for CRLs; enable asm optimisation for s390x
    ovirt-guest-agent             Install ovirt-guest-agent.py executable; change owner of log directory to ovirtagent in postinst
    piuparts                      Fix build failure (don't test the current Debian release status, tracking that is distro-info-data's problem)
    policykit-1                   several bug-fixes; fix heap corruption [CVE-2015-3255], local authenticated denial of service [CVE-2015-4625] and issue with invalid object paths in RegisterAuthenticationAgent [CVE-2015-3218]
    publicsuffix                  New upstream release
    pypdf2                        Fix infinite loop in readObject() function
    python-django                 Bugfix update to 1.7.11
    python2.7                     Address StartTLS stripping attack in smtplib [CVE-2016-0772], integer overflow in zipimporter [CVE-2016-5636], HTTP header injection [CVE-2016-5699]
    quassel                       Fix remote DoS in quassel core with invalid handshake data [CVE-2016-4414]
    ruby-eventmachine             Fix remotely triggerable crash due to FD handling
    ruby2.1                       DL::dlopen should not open a library with tainted library name in safe mode [CVE-2009-5147]; Fiddle handles should not call functions with tainted function names [CVE-2015-7551]
    sendmail                      Do not abort with an assertion if the connection to an LDAP server is lost; ensure sendmail {client_port} is set correctly on little endian machines
    sqlite3                       Fix tempdir selection vulnerability [CVE-2016-6153], segfault following heavy SAVEPOINT usage
    systemd                       Use the right timeout for stop processes we fork; don't reset log level to NOTICE if we get quiet on the kernel cmdline; fix prepare priority queue comparison function in sd-event; update links to kernel.org cgroup documentation; don't start console-getty.service when /dev/console is missing; order systemd-user-sessions.service after nss-user-lookup.target and network.target
    tabmixplus                    New upstream release, compatible with firefox-esr
    tcpreplay                     Handle frames of 65535 octets size, add a size check [CVE-2016-6160]
    tor                           Update the set of authority directory servers
    tzdata                        New upstream release; update to 2016e
    unbound                       Init script fixes: add "pidfile" magic comment; call start-stop-daemon with --retry for 'stop' action
    util-vserver                  Rebuild against dietlibc 0.33~cvs20120325-6+deb8u1, fixing insecure default PATH
    vorbis-tools                  Fix large alloca on bad AIFF input to oggenc [CVE-2015-6749], Validate count of channels in the header [CVE-2014-9638 CVE-2014-9639], fix segmentation fault in vcut
    wget                          By default, on server redirects to a FTP resource, use the original URL to get the local file name [CVE-2016-4971]
    wpa                           Security updates relating to invalid characters [CVE-2016-4476, CVE-2016-4477]
    yaws                          Fix HTTP_PROXY cgi env injection [CVE-2016-1000108]
    zabbix                        Fix mysql.size shell command injection in zabbix-agent [CVE-2016-4338]

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:


Removed packages
- ----------------

The following packages will be removed due to circumstances beyond our

    Package                    Reason

    minit               Unmaintained and outdated
    trn                 Security issues; replaced by trn4

If you encounter any issues, please don't hesitate to get in touch with
the Debian Release Team at "debian-release@lists.debian.org".
Version: GnuPG v2


Reply to: