[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SUA 127-1] Upcoming Debian 9 Update (9.2)

Debian Stable Updates Announcement SUA 127-1      https://www.debian.org/
debian-release@lists.debian.org                           Adam D. Barratt
October 2nd, 2017

Upcoming Debian 9 Update (9.2)

An update to Debian 9 is scheduled for Saturday, October 7th, 2017. As of
now it will include the following bug fixes. They can be found in
"stretch-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "stretch-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of
them by copying "debian-release@lists.debian.org" on your mails.

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following

    Package                       Reason

    apt                           Fix issues in apt-daily-upgrade; fix a possible crash in the mirror method
    at-spi2-core                  Fix crash on switching windows
    bareos                        Fix permissions of bareos-dir logrotate config on upgrade; fix file corruption when using SHA1 signature
    bind9                         Import DNSSEC KSK-2017
    bridge-utils                  Fix a problem with some VLAN interfaces not being created
    caja                          Fix excessive CPU use while loading background image
    chrony                        Do not pass 'burst' command to chronyc
    cross-gcc                     Fix outdated support for gcc 6.3.0-18
    cvxopt                        Remove the unneccessary and non-working compatibility layer for lpx_main()
    db5.3                         Do not access DB_CONFIG when db_home is not set [CVE-2017-10140]
    dbus                          New upstream stable release
    debian-edu-doc                Merge stretch related documentation and translation updates; update Debian Edu Stretch manual from the wiki; replace existing boot menu screenshots with recent ones from the wiki
    debian-installer              Update Linux kernel ABI to 4
    debian-installer-netboot      Rebuild for the point release
    desktop-base                  Fix XML syntax errors in gnome wallpaper description files making Joy wallpapers unavailable by default; ensure postinst doesn’t fail on upgrade even when an incomplete theme pack is active
    dns-root-data                 Update root.hints to 2017072601 version; change the state of KSK-2017 to VALID
    dnsdist                       Security fixes [CVE-2016-7069 CVE-2017-7557]
    dnsviz                        Cherry-pick upstream fixes related to root.hints and root.keys changes
    dose3                         Fix versioned provides support - packages that provide the same virtual package in different versions, or that provide the same versioned virtual package as a real package, are co-installable
    ecl                           Add missing dependency on libffi-dev
    erlang-p1-tls                 Fix ECDH curves
    evolution                     Fix hangs on right click in composer window
    expect                        Properly check for EOF, to avoid losing input
    fife                          Fix memory leak
    flatpak                       New upstream stable release; prevent deploying files with inappropriate permissions; restore compatibility with libostree 2017.7
    freerdp                       Enable TLS >= 1.1 support
    gnome-exe-thumbnailer         Switch to msitools' msiinfo for ProductVersion fetching, replacing the insecure VBScript-based parsing [CVE-2017-11421]; fix unreadable white-on-white text on version labels
    gnupg2                        Fix dirmngr issues with broken reverse DNS, assertion when using "tofu-default-policy ask", multiple issues with scdaemon, avoid spurious warnings when sharing a keybox with gpg >= 2.1.20
    gnutls28                      Fix OCSP verification errors, especially with ecdsa signatures
    gosa-plugin-mailaddress       Fix parent constructor calls, for compatibility with PHP7
    gsoap                         Fix integer overflow via large XML document [CVE-2017-9765]
    haveged                       Start haveged.service after systemd-tmpfiles-setup.service has been run
    ipsec-tools                   Security fix [CVE-2016-10396]
    irssi                         Fix null pointer dereference [CVE-2017-10965], use-after-free condition for nicklist [CVE-2017-10966]
    kanatest                      Remove DISABLE_DEPRECATED flags, they cause implicit pointer conversion and thus a segmentation fault on startup
    kdepim                        Fix "send Later with Delay bypasses OpenPGP" [CVE-2017-9604]
    kf5-messagelib                Fix "send Later with Delay bypasses OpenPGP" [CVE-2017-9604]
    krb5                          Fix security issue where remote authenticated attackers can crash the KDC [CVE-2017-11368]; fix startup if getaddrinfo() returns a wildcard v6 address and handling of explicitly specified v4 wildcard address; fix SRV lookups to respect udp_preference_limit
    lava-tool                     Add missing dependency: python-simplejson
    librsb                        Fix a few severe bugs leading to numerically wrong results
    libselinux                    Rebuild with new sbuild to fix changelog date
    libsolv                       Fix dependencies on Python 3 modules
    libwpd                        Fix denial of service issue [CVE-2017-14226]
    linux                         New upstream stable version
    linux-latest                  Update to 4.9.0-4
    lzma                          Rebuild with new sbuild to fix changelog date
    mailman                       Fix broken dependencies in contrib/SpamAssassin.py
    mate-power-manager            Don't abort on unknown DBus signal name
    mate-themes                   Fix font colour of URL bar in Google Chrome
    mate-tweak                    Add missing dependency on python3-gi
    ncurses                       Fix various crash bugs in the tic library and the tic binary [CVE-2017-10684 CVE-2017-10685 CVE-2017-11112 CVE-2017-11113 CVE-2017-13728 CVE-2017-13729 CVE-2017-13730 CVE-2017-13731 CVE-2017-13732 CVE-2017-13734 CVE-2017-13733]
    nettle                        Rebuild with new sbuild to fix changelog date
    node-brace-expansion          Fix regular expression denial of service issue
    node-dateformat               Set TZ=UTC for tests to fix build failure
    ntp                           Build and install /usr/bin/sntp
    nvidia-graphics-drivers       New upstream long lived branch release 375.82 - security fixes [CVE-2017-6257 CVE-2017-6259], add support for the following GPUs: GeForce GTX 1080 with Max-Q Design, GeForce GTX 1070 with Max-Q Design, GeForce GTX 1060 with Max-Q Design; nvidia-kernel-dkms: Honor parallel setting from dkms
    open-vm-tools                 Randomly generate tmp directory name [CVE-2015-5191]
    opendkim                      Start as root and drop privileges in opendkim for proper key file ownership
    openldap                      Relax the dependency of libldap-2.4-2 on libldap-common to also permit later versions; fix upgrade failure when olcSuffix contains a backslash; avoid reading the value of the LDAP_OPT_X_TLS_REQUIRE_CERT option from previously freed memory; fix potential endless replication loop in a multi-master delta-syncrepl scenario with 3 or more nodes; fix memory corruption caused by calling sasl_client_init() multiple times and possibly concurrently
    openvpn                       Fix broken reconnects due to wrong push digest calculation
    osinfo-db                     Update distribution information
    pcb-rnd                       Fix execution of code from a maliciously formed design file
    postfix                       New upstream stable version - send single character variable names to milters without {}; prevent MIME downgrade of Postfix-generated message/delivery status; work around Berkeley DB attempting to read settings from "DB_CONFIG" file
    python-pampy                  Fix dependencies on Python 3 modules
    request-tracker4              Fix regression in previous security release where incorrect SHA256 passwords could trigger an error
    ruby-gnome2                   Ruby-{gdk3,gtksourceview2,pango,poppler}: Add missing dependencies
    samba                         Ensure SMB signing enforced [CVE-2017-12150]; keep required encryption across SMB3 dfs redirects [CVE-2017-12151]; fix server memory information leak over SMB1 [CVE-2017-12163]; new upstream release; fix libpam-winbind.prerm to be multiarch-safe; add missing logrotate for /var/log/samba/log.samba; fix outdated DNS Root servers; fix "Non-kerberos logins fails on winbind 4.X when krb5_auth is configured in PAM"
    smplayer                      Fix connections to YouTube
    speech-dispatcher             Make spd-conf work again
    suricata                      Limit the number of recursive calls in the DER/ASN.1 decoder to avoid stack overflows
    swift                         New upstream stable release
    tbdialout                     Include leading plus symbol with tel: URI scheme
    tiny-initramfs                Add missing dependency on cpio
    topal                         Fix misuse of sed character class syntax
    torsocks                      Fix check_addr() to return either 0 or 1
    trace-cmd                     Fix segfault while processing certain trace files
    unbound                       Fix install of trust anchor when two anchors are present; depend on dns-root-data (>= 2017072601~) for KSK-2017
    unknown-horizons              Fix memory leak
    up-imapproxy                  Correct systemd service file
    vim                           Fix several crashes / illegal memory accesses [CVE-2017-11109]
    waagent                       New upstream release, with support for Azure Stack
    webkit2gtk                    Upstream security and bugfix release [CVE-2017-2538 CVE-2017-7052 CVE-2017-7018 CVE-2017-7030 CVE-2017-7034 CVE-2017-7037 CVE-2017-7039 CVE-2017-7046 CVE-2017-7048 CVE-2017-7055 CVE-2017-7056 CVE-2017-7061 CVE-2017-7064]
    whois                         Fix whois referrals for .com, .net, .jobs, .bz, .cc and .tv; add several new Indian TLD servers; update the list of gTLDs
    wrk                           Fix build failures
    xfonts-ayu                    Fix generation of bold and italic fonts
    xkeyboard-config              Move Indic layouts back to the main layout list, enabling their use again
    yadm                          Fix race condition which could allow access to private PGP and SSH keys [CVE-2017-11353]

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:


If you encounter any issues, please don't hesitate to get in touch with
the Debian Release Team at "debian-release@lists.debian.org".

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: