[SUA 131-1] Upcoming Debian 8 Update (8.10)

Debian Stable Updates Announcement SUA 131-1      https://www.debian.org/
debian-release@lists.debian.org                           Adam D. Barratt
December 5th, 2017

Upcoming Debian 8 Update (8.10)

An update to Debian 8 is scheduled for Saturday, December 9th, 2017. As
of now it will include the following bug fixes. They can be found in
"jessie-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "jessie-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of
them by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following

    Package                       Reason

    bareos                        Fix permissions of bareos-dir logrotate config; fix file corruption when using SHA1 signature
    base-files                    Update for the point release
    bind9                         Import upcoming DNSSEC KSK-2017
    cups                          Disable SSLv3 and RC4 by default to address POODLE vulnerability
    db                            Do not access DB_CONFIG when db_home is not set [CVE-2017-10140]
    db5.3                         Do not access DB_CONFIG when db_home is not set [CVE-2017-10140]
    debmirror                     Tolerate unknown lines in *.diff/Index; mirror DEP-11 metadata files; prefer xz over gz, and cope with either being missing; mirror and validate InRelease files
    dns-root-data                 Update root.hints to 2017072601 version; add KSK-2017 to root.key file
    dput                          dput.cf: replace security-master.d.o with ftp.upload.security.d.o
    dwww                          Fix `Last-Modified' header name
    elog                          Update patch 0005_elogd_CVE-2016-6342_fix to grant access as normal user
    flightgear                    Fix arbitrary file overwrite vulnerability [CVE-2017-13709]
    gsoap                         Fix integer overflow via large XML document [CVE-2017-9765]
    hexchat                       Fix segmentation fault following /server command
    icu                           Fix double free in createMetazoneMappings() [CVE-2017-14952]
    kdepim                        Fix "send Later with Delay bypasses OpenPGP" [CVE-2017-9604]
    kedpm                         Fix information leak via command history file [CVE-2017-8296]
    keyringer                     Handle subkeys without expiration date and public keys listed multiple times
    krb5                          Security fixes - remote authenticated attackers can crash the KDC [CVE-2017-11368]; kdc crash on restrict_anon_to_tgt [CVE-2016-3120]; remote DOS with ldap for authenticated attackers [CVE-2016-3119]; prevent requires_preauth bypass [CVE-2015-2694]
    libdatetime-timezone-perl     Update included data
    libdbi                        Re-enable error handler call in dbi_result_next_row()
    libembperl-perl               Change hard dependency on mod_perl in zembperl.load to Recommends, fixing an installation failure when libapache2-mod-perl2 is not installed
    libio-socket-ssl-perl         Fix segfault using malformed client certificates
    liblouis                      Fix multiple stack-based buffer overflows [CVE-2014-8184]
    libofx                        Security fixes [CVE-2017-2816 CVE-2017-14731]
    libwnckmm                     Tighten dependencies between packages; use jquery.js from libjs-jquery
    libwpd                        Security fix [CVE-2017-14226]
    libx11                        Fix "insufficient validation of data from the X server can cause out of boundary memory read (XGetImage()) or write (XListFonts())" [CVE-2016-7942 CVE-2016-7943]
    libxfixes                     Fix integer overflow on illegal server response [CVE-2016-7944]
    libxi                         Fix "insufficient validation of data from the X server can cause out of boundary memory access or endless loops" [CVE-2016-7945 CVE-2016-7946]
    libxrandr                     Avoid out of boundary accesses on illegal responses [CVE-2016-7947 CVE-2016-7948]
    libxtst                       Fix "insufficient validation of data from the X server can cause out of boundary memory access or endless loops" [CVE-2016-7951 CVE-2016-7952]
    libxv                         Fix protocol handling issues in libXv [CVE-2016-5407]
    libxvmc                       Avoid buffer underflow on empty strings [CVE-2016-7953]
    linux                         New stable kernel version 3.16.51; new upstream stable release
    ncurses                       Fix various crash bugs in the tic library and the tic binary [CVE-2017-10684 CVE-2017-10685 CVE-2017-11112 CVE-2017-11113 CVE-2017-13728 CVE-2017-13729 CVE-2017-13730 CVE-2017-13731 CVE-2017-13732 CVE-2017-13734 CVE-2017-13733]
    openssh                       Test configuration before starting or reloading sshd under systemd; make "--" before the hostname terminate argument processing after the hostname too
    pdns                          Add missing check on API operations [CVE-2017-15091]
    pdns-recursor                 Fix configuration file injection in the API [CVE-2017-15093]
    postgresql-9.4                New upstream bugfix release
    python-tablib                 Securely load YAML [CVE-2017-2810]
    request-tracker4              Fix regression in previous security release where incorrect SHA256 passwords could trigger an error
    ruby-ox                       Avoid crash with invalid XML passed to Oj.parse_obj() [CVE-2017-15928]
    sam2p                         Fix several integer overflow or heap-based buffer overflow issues [CVE-2017-14628 CVE-2017-14629 CVE-2017-14630 CVE-2017-14631 CVE-2017-14636 CVE-2017-14637 CVE-2017-16663]
    slurm-llnl                    Fix security issue caused by insecure file path handling triggered by the failure of a Prolog script [CVE-2016-10030]
    sudo                          Fix arbitrary terminal access [CVE-2017-1000368]
    syslinux                      Fix boot problem for old BIOS firmware by correcting C/H/S order
    tor                           Add "Bastet" directory authority; update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2 country database; fix a memset() off the end of an array when packing cells
    transfig                      Add input sanitisation on FIG files [CVE-2017-16899]; sanitize input of fill patterns
    tzdata                        New upstream release
    unbound                       Fix install of trust anchor when two anchors are present; include root trust anchor id 20326
    weechat                       "logger: call strftime before replacing buffer local variables" [CVE-2017-14727]

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:


Removed packages

The following packages will be removed due to circumstances beyond our

    Package                    Reason

    aiccu                      Useless since shutdown of SixXS
    libnet-ping-external-perl  Unmaintained, security issues

If you encounter any issues, please don't hesitate to get in touch with
the Debian Release Team at "debian-release@lists.debian.org".