------------------------------------------------------------------------- Debian Stable Updates Announcement SUA 114-1 https://www.debian.org/ debian-release@lists.debian.org Adam D. Barratt January 9th, 2017 ------------------------------------------------------------------------- Upcoming Debian 8 Update (8.7) An update to Debian 8 is scheduled for Saturday, January 14th, 2017. As of now it will include the following bug fixes. They can be found in "jessie-proposed-updates", which is carried by all official mirrors. Please note that packages published through security.debian.org are not listed, but will be included if possible. Some of the updates below are also already available through "jessie-updates". Testing and feedback would be appreciated. Bugs should be filed in the Debian Bug Tracking System, but please make the Release Team aware of them by copying "debian-release@lists.debian.org" on your mails. The point release will also include a rebuild of debian-installer. Miscellaneous Bugfixes ---------------------- This stable update adds a few important corrections to the following packages: Package Reason ark Stop crashing on exit when being used solely as a KPart asterisk Fix security issue due to non-printable ASCII chars treated as whitespace [CVE-2016-9938] asused Use created fields instead of changed, in line with changes to source data base-files Change /etc/debian_version to 8.7, for Debian 8.7 point release bash Fix arbitrary code execution via malicious hostname [CVE-2016-0634] and specially crafted SHELLOPTS+PS4 variables allows command substiution [CVE-2016-7543] ca-certificates Update Mozilla certificate authority bundle to version 2.9; postinst: run update-certificates without hooks to initially populate /etc/ssl/certs cairo Fix DoS via using SVG to generate invalid pointers [CVE-2016-9082] ccache [amd64] Rebuild in a clean environment ceph Fix short CORS request issue [CVE-2016-9579], mon DoS [CVE-2016-5009], anonymous read on ACL [CVE-2016-7031], RGW DoS [CVE-2016-8626] chirp Disable reporting of telemetry by default cyrus-imapd-2.4 Fix LIST GROUP support darktable Fix integer overflow in ljpeg_start() [CVE-2015-3885] dbus Fix potential format string vulnerability; dbus.prerm: ensure that dbus.socket is stopped before removal debian-edu-doc Update Debian Edu Jessie manual from the wiki; fix (da|nl) Jessie manual PO files to get the PDF manuals built; translation updates debian-edu-install Update version number to 8+edu1 duck Fix loading of code from untrusted location [CVE-2016-1239] e2fsprogs Rebuild against dietlibc 0.33~cvs20120325-6+deb8u1, to pick up included security fixes ebook-speaker Fix hint about installing html2text to read html files elog Fix posting entry as arbitrary username [CVE-2016-6342] evolution-data-server Fix premature drop of connection with reduced TCP window sizes and resulting loss of data exim4 Fix GnuTLS memory leak file Fix memory leak in magic loader ganeti-instance-debootstrap Fix losetup invocations by replacing -s with --show glibc Do not unconditionally use the fsqrt instruction on 64-bit PowerPC CPUs; fix a regression introduced by cvs-resolv-ipv6-nameservers.diff in hesiod; disable lock elision (aka Intel TSX) on x86 architectures glusterfs Quota: Fix could not start auxiliary mount issue gnutls28 Fix incorrect certificate validation when using OCSP responses [GNUTLS-SA-2016-3 / CVE-2016-7444]; ensure compatibility with CVE-2016-6489-patched nettle hplip Use full gpg key fingerprint when fetching key from keyservers [CVE-2015-0839] ieee-data Disable monthly update cron job intel-microcode Update microcode irssi Fix information exposure issue via buf.pl and /upgrade [CVE-2016-7553]; fix NULL pointer dereference in the nickcmp function [CVE-2017-5193], use-after-freee when receiving invalid nick message [CVE-2017-5194] and out-of-bounds read in certain incomplete control codes [CVE-2017-5195] isenkram Download firmware using curl; use HTTPS when downloading modaliases; change mirror from http.debian.net to httpredir.debian.org jq Fix heap buffer overflow [CVE-2015-8863] and stack exhaustion [CVE-2016-4074] libclamunrar Fix out-of-band access libdatetime-timezone-perl Update to 2016h; update included data to 2016i; update to 2016j; update to 2016g libfcgi-perl Fix "numerous connections cause segfault DoS" [CVE-2012-6687] libio-socket-ssl-perl Fix issue with incorrect "unreadable SSL_key_file" error when using filesystem ACLs libmateweather Switch from discontinued weather.noaa.gov to aviationweather.gov libphp-adodb Fix XSS vulnerability [CVE-2016-4855] and SQL injection issue [CVE-2016-7405] libpng Fix null pointer deference issue [CVE-2016-10087] libwmf Fix allocating huge block of memory [CVE-2016-9011] linkchecker Fix HTTPS checks linux Update to stable 3.16.39; add chaoskey driver, backported from 4.8, support for n25q256a11 SPI flash device; security,perf: Allow unprivileged use of perf_event_open to be disabled; several bug and security fixes lxc Attach: do not send procfd to attached process [CVE-2016-8649]; remount bind mounts if read-only flag is provided; fix Alpine Linux container creation mapserver Fix FTBFS with php >= 5.6.25; fix information leak via error messages [CVE-2016-9839] mdadm Allow '--grow --continue' to successfully reshape an array when using backup space on a 'spare' device metar Update report URL minissdpd Fix improper validation of array index vulnerability [CVE-2016-3178 CVE-2016-3179] monotone Change the SIGPIPE test case to write 1M of test data to increase chances of overflowing the pipe buffer most Fix shell injection attack when opening LZMA-compressed files [CVE-2016-1253] mpg123 Fix DoS with crafted ID3v2 tags musl Fix integer overflow [CVE-2016-8859] nbd Stop mixing global flags into the flags field that gets sent to the kernel, so that connecting to nbd-server >= 3.9 does not cause every export to be (incorrectly) marked as read-only nettle Protect against potential side-channel attacks against exponentiation operations [CVE-2016-6489] nss-pam-ldapd Have init script stop action only return when nslcd has actually stopped nvidia-graphics-drivers Update to new driver version, including security fixes [CVE-2016-8826 CVE-2016-7382 CVE-2016-7389] nvidia-graphics-drivers- Update to new driver version, including security fixes [CVE-2016-8826 CVE-2016-7382 CVE-2016-7389] legacy-304xx nvidia-graphics-modules Build against nvidia-kernel-source 340.101 openbox Add libxcursor-dev build-dependency to fix loading of startup notifications; replace getgrent with getgroups so as not to enumerate all groups at startup opendkim Fix relaxed canonicalization of folded headers, which broke signatures pam Fix handling of loginuid in containers pgpdump Fix endless loop parsing specially crafted input in read_binary [CVE-2016-4021] and buffer overrun in read_radix64 postgresql-9.4 New upstream release postgresql-common pg_upgradecluster: Properly upgrade databases with non-login role owners; pg_ctlcluster: Protect against symlink in /var/log/postgresql/ allowing the creation of arbitrary files elsewhere [CVE-2016-1255] potrace Security fixes [CVE-2016-8694 CVE-2016-8695 CVE-2016-8696 CVE-2016-8697 CVE-2016-8698 CVE-2016-8699 CVE-2016-8700 CVE-2016-8701 CVE-2016-8702 CVE-2016-8703] python-crypto Raise a warning when IV is used with ECB or CTR and ignore the IV [CVE-2013-7459] python-werkzeug Fix XSS issue in debugger qtbase-opensource-src Prevent bad-ptrs deref in QNetworkConfigurationManagerPrivate; fix X11 tray icons on some desktops rawtherapee Fix buffer overflow in dcraw [CVE-2015-8366] redmine Handle dependency check failure when triggered, to avoid breaking in the middle of dist-upgrades; avoid opening database configuration that are not readable samba Fix "client side SMB2/3 required signing can be downgraded" [CVE-2016-2119], various regressions introduced by the 4.2.10 security fixes, segfault with clustering sed Ensure consistent permissions with different umasks shutter Fix insecure usage of system() [CVE-2015-0854] sniffit Security fix [CVE-2014-5439] suckless-tools Fix SEGV in slock when users account has been disabled [CVE-2016-6866] sympa Fix logrotate configuration so that sympa is not left in a confused state when systemd is used systemd Don't return any error in manager_dispatch_notify_fd() [CVE-2016-7796]; core: Rework logic to determine when we decide to add automatic deps for mounts; various ordering fixes for ifupdown; systemctl: Fix argument handling when invoked as shutdown; localed: tolerate absence of /etc/default/keyboard; systemctl, loginctl, etc.: Don't start polkit agent when running as root tevent New upstream version, required for samba tre Fix regex integer overflow in buffer size computations [CVE-2016-8859] tzdata Update included data to 2016h; update to 2016g; update to 2016j; update included data to 2016i unrtf Fix buffer overflow in various cmd_ functions [CVE-2016-10091] w3m Several security fixes [CVE-2016-9430 CVE-2016-9434 CVE-2016-9438 CVE-2016-9440 CVE-2016-9441 CVE-2016-9423 CVE-2016-9431 CVE-2016-9424 CVE-2016-9432 CVE-2016-9433 CVE-2016-9437 CVE-2016-9422 CVE-2016-9435 CVE-2016-9436 CVE-2016-9426 CVE-2016-9425 CVE-2016-9428 CVE-2016-9442 CVE-2016-9443 CVE-2016-9429 CVE-2016-9621 CVE-2016-9439 CVE-2016-9622 CVE-2016-9623 CVE-2016-9624 CVE-2016-9625 CVE-2016-9626 CVE-2016-9627 CVE-2016-9628 CVE-2016-9629 CVE-2016-9631 CVE-2016-9630 CVE-2016-9632 CVE-2016-9633] wireless-regdb Update included data wot Remove plugin due to privacy issues xwax Replace ffmpeg with avconv from libav-tools zookeeper Fix buffer overflow via the input command when using the "cmd:" batch mode syntax [CVE-2016-5017] A complete list of all accepted and rejected packages together with rationale is on the preparation page for this revision: <https://release.debian.org/proposed-updates/stable.html> Removed packages ---------------- The following packages will be removed due to circumstances beyond our control: Package Reason dotclear Security issues icedove-l10n Superseded by icedove iceowl-l10n Superseded by iceowl sogo Security issues If you encounter any issues, please don't hesitate to get in touch with the Debian Release Team at "debian-release@lists.debian.org".
Attachment:
signature.asc
Description: This is a digitally signed message part