January 9th, 2017

Upcoming Debian 8 Update (8.7)

An update to Debian 8 is scheduled for Saturday, January 14th, 2017. As of
now it will include the following bug fixes. They can be found in
"jessie-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "jessie-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of
them by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

    Package                       Reason

    ark                           Stop crashing on exit when being used solely as a KPart
    asterisk                      Fix security issue due to non-printable ASCII chars treated as whitespace [CVE-2016-9938]
    asused                        Use created fields instead of changed, in line with changes to source data
    base-files                    Change /etc/debian_version to 8.7, for Debian 8.7 point release
    bash                          Fix arbitrary code execution via malicious hostname [CVE-2016-0634] and command substitution via specially crafted SHELLOPTS+PS4 variables [CVE-2016-7543]
    ca-certificates               Update Mozilla certificate authority bundle to version 2.9; postinst: run update-certificates without hooks to initially populate /etc/ssl/certs
    cairo                         Fix DoS via using SVG to generate invalid pointers [CVE-2016-9082]
    ccache                        [amd64] Rebuild in a clean environment
    ceph                          Fix short CORS request issue [CVE-2016-9579], mon DoS [CVE-2016-5009], anonymous read on ACL [CVE-2016-7031], RGW DoS [CVE-2016-8626]
    chirp                         Disable reporting of telemetry by default
    cyrus-imapd-2.4               Fix LIST GROUP support
    darktable                     Fix integer overflow in ljpeg_start() [CVE-2015-3885]
    dbus                          Fix potential format string vulnerability; dbus.prerm: ensure that dbus.socket is stopped before removal
    debian-edu-doc                Update Debian Edu Jessie manual from the wiki; fix (da|nl) Jessie manual PO files to get the PDF manuals built; translation updates
    debian-edu-install            Update version number to 8+edu1
    duck                          Fix loading of code from untrusted location [CVE-2016-1239]
    e2fsprogs                     Rebuild against dietlibc 0.33~cvs20120325-6+deb8u1, to pick up included security fixes
    ebook-speaker                 Fix hint about installing html2text to read html files
    elog                          Fix posting entry as arbitrary username [CVE-2016-6342]
    evolution-data-server         Fix premature drop of connection with reduced TCP window sizes and resulting loss of data
    exim4                         Fix GnuTLS memory leak
    file                          Fix memory leak in magic loader
    ganeti-instance-debootstrap   Fix losetup invocations by replacing -s with --show
    glibc                         Do not unconditionally use the fsqrt instruction on 64-bit PowerPC CPUs; fix a regression introduced by cvs-resolv-ipv6-nameservers.diff in hesiod; disable lock elision (aka Intel TSX) on x86 architectures
    glusterfs                     Quota: fix "could not start auxiliary mount" issue
    gnutls28                      Fix incorrect certificate validation when using OCSP responses [GNUTLS-SA-2016-3 / CVE-2016-7444]; ensure compatibility with CVE-2016-6489-patched nettle
    hplip                         Use full gpg key fingerprint when fetching key from keyservers [CVE-2015-0839]
    ieee-data                     Disable monthly update cron job
    intel-microcode               Update microcode
    irssi                         Fix information exposure issue via buf.pl and /upgrade [CVE-2016-7553]; fix NULL pointer dereference in the nickcmp function [CVE-2017-5193], use-after-free when receiving invalid nick message [CVE-2017-5194] and out-of-bounds read in certain incomplete control codes [CVE-2017-5195]
    isenkram                      Download firmware using curl; use HTTPS when downloading modaliases; change mirror from http.debian.net to httpredir.debian.org
    jq                            Fix heap buffer overflow [CVE-2015-8863] and stack exhaustion [CVE-2016-4074]
    libclamunrar                  Fix out-of-band access
    libdatetime-timezone-perl     Update to 2016h; update included data to 2016i; update to 2016j; update to 2016g
    libfcgi-perl                  Fix "numerous connections cause segfault DoS" [CVE-2012-6687]
    libio-socket-ssl-perl         Fix issue with incorrect "unreadable SSL_key_file" error when using filesystem ACLs
    libmateweather                Switch from discontinued weather.noaa.gov to aviationweather.gov
    libphp-adodb                  Fix XSS vulnerability [CVE-2016-4855] and SQL injection issue [CVE-2016-7405]
    libpng                        Fix null pointer dereference issue [CVE-2016-10087]
    libwmf                        Fix allocating huge block of memory [CVE-2016-9011]
    linkchecker                   Fix HTTPS checks
    linux                         Update to stable 3.16.39; add chaoskey driver, backported from 4.8, support for n25q256a11 SPI flash device; security,perf: Allow unprivileged use of perf_event_open to be disabled; several bug and security fixes
    lxc                           Attach: do not send procfd to attached process [CVE-2016-8649]; remount bind mounts if read-only flag is provided; fix Alpine Linux container creation
    mapserver                     Fix FTBFS with php >= 5.6.25; fix information leak via error messages [CVE-2016-9839]
    mdadm                         Allow '--grow --continue' to successfully reshape an array when using backup space on a 'spare' device
    metar                         Update report URL
    minissdpd                     Fix improper validation of array index vulnerability [CVE-2016-3178 CVE-2016-3179]
    monotone                      Change the SIGPIPE test case to write 1M of test data to increase chances of overflowing the pipe buffer
    most                          Fix shell injection attack when opening LZMA-compressed files [CVE-2016-1253]
    mpg123                        Fix DoS with crafted ID3v2 tags
    musl                          Fix integer overflow [CVE-2016-8859]
    nbd                           Stop mixing global flags into the flags field that gets sent to the kernel, so that connecting to nbd-server >= 3.9 does not cause every export to be (incorrectly) marked as read-only
    nettle                        Protect against potential side-channel attacks against exponentiation operations [CVE-2016-6489]
    nss-pam-ldapd                 Have init script stop action only return when nslcd has actually stopped
    nvidia-graphics-drivers       Update to new driver version, including security fixes [CVE-2016-8826 CVE-2016-7382 CVE-2016-7389]
    nvidia-graphics-drivers-      Update to new driver version, including security fixes [CVE-2016-8826 CVE-2016-7382 CVE-2016-7389]
    nvidia-graphics-modules       Build against nvidia-kernel-source 340.101
    openbox                       Add libxcursor-dev build-dependency to fix loading of startup notifications; replace getgrent with getgroups so as not to enumerate all groups at startup
    opendkim                      Fix relaxed canonicalization of folded headers, which broke signatures
    pam                           Fix handling of loginuid in containers
    pgpdump                       Fix endless loop parsing specially crafted input in read_binary [CVE-2016-4021] and buffer overrun in read_radix64
    postgresql-9.4                New upstream release
    postgresql-common             pg_upgradecluster: Properly upgrade databases with non-login role owners; pg_ctlcluster: Protect against symlink in /var/log/postgresql/ allowing the creation of arbitrary files elsewhere [CVE-2016-1255]
    potrace                       Security fixes [CVE-2016-8694 CVE-2016-8695 CVE-2016-8696 CVE-2016-8697 CVE-2016-8698 CVE-2016-8699 CVE-2016-8700 CVE-2016-8701 CVE-2016-8702 CVE-2016-8703]
    python-crypto                 Raise a warning when IV is used with ECB or CTR and ignore the IV [CVE-2013-7459]
    python-werkzeug               Fix XSS issue in debugger
    qtbase-opensource-src         Prevent bad-ptrs deref in QNetworkConfigurationManagerPrivate; fix X11 tray icons on some desktops
    rawtherapee                   Fix buffer overflow in dcraw [CVE-2015-8366]
    redmine                       Handle dependency check failure when triggered, to avoid breaking in the middle of dist-upgrades; avoid opening database configurations that are not readable
    samba                         Fix "client side SMB2/3 required signing can be downgraded" [CVE-2016-2119], various regressions introduced by the 4.2.10 security fixes, segfault with clustering
    sed                           Ensure consistent permissions with different umasks
    shutter                       Fix insecure usage of system() [CVE-2015-0854]
    sniffit                       Security fix [CVE-2014-5439]
    suckless-tools                Fix SEGV in slock when the user's account has been disabled [CVE-2016-6866]
    sympa                         Fix logrotate configuration so that sympa is not left in a confused state when systemd is used
    systemd                       Don't return any error in manager_dispatch_notify_fd() [CVE-2016-7796]; core: Rework logic to determine when we decide to add automatic deps for mounts; various ordering fixes for ifupdown; systemctl: Fix argument handling when invoked as shutdown; localed: tolerate absence of /etc/default/keyboard; systemctl, loginctl, etc.: Don't start polkit agent when running as root
    tevent                        New upstream version, required for samba
    tre                           Fix regex integer overflow in buffer size computations [CVE-2016-8859]
    tzdata                        Update included data to 2016h; update to 2016g; update to 2016j; update included data to 2016i
    unrtf                         Fix buffer overflow in various cmd_ functions [CVE-2016-10091]
    w3m                           Several security fixes [CVE-2016-9430 CVE-2016-9434 CVE-2016-9438 CVE-2016-9440 CVE-2016-9441 CVE-2016-9423 CVE-2016-9431 CVE-2016-9424 CVE-2016-9432 CVE-2016-9433 CVE-2016-9437 CVE-2016-9422 CVE-2016-9435 CVE-2016-9436 CVE-2016-9426 CVE-2016-9425 CVE-2016-9428 CVE-2016-9442 CVE-2016-9443 CVE-2016-9429 CVE-2016-9621 CVE-2016-9439 CVE-2016-9622 CVE-2016-9623 CVE-2016-9624 CVE-2016-9625 CVE-2016-9626 CVE-2016-9627 CVE-2016-9628 CVE-2016-9629 CVE-2016-9631 CVE-2016-9630 CVE-2016-9632 CVE-2016-9633]
    wireless-regdb                Update included data
    wot                           Remove plugin due to privacy issues
    xwax                          Replace ffmpeg with avconv from libav-tools
    zookeeper                     Fix buffer overflow via the input command when using the "cmd:" batch mode syntax [CVE-2016-5017]

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:


Removed packages

The following packages will be removed due to circumstances beyond our control:

    Package                    Reason

    dotclear            Security issues
    icedove-l10n        Superseded by icedove
    iceowl-l10n         Superseded by iceowl
    sogo                Security issues

If you encounter any issues, please don't hesitate to get in touch with
the Debian Release Team at "debian-release@lists.debian.org".

