[SUA 132-1] Upcoming Debian 9 Update (9.3)

Debian Stable Updates Announcement SUA 132-1      https://www.debian.org/
debian-release@lists.debian.org                           Adam D. Barratt
December 5th, 2017

Upcoming Debian 9 Update (9.3)

An update to Debian 9 is scheduled for Saturday, December 9th, 2017. As
of now it will include the following bug fixes. They can be found in
"stretch-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "stretch-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of
them by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following

    Package                       Reason

    abiword                       Fix flickering
    apparmor                      Pin the AppArmor feature set to Stretch's kernel
    base-files                    Update for the point release
    berusky                       Fix startup crash with certain video card configurations
    charmtimetracker              Fix missing binary dependency on libqt5sql5-sqlite
    corebird                      Increase maximum length of tweet to 280 characters
    dbus                          When parsing dbus-daemon configuration, don't delay startup if high-quality entropy is not yet available; when using the Monitoring interface, match message filters that specify a destination correctly; increase listen() backlog of AF_UNIX sockets to the maximum possible, minimizing failed connections under heavy load
    debian-edu-doc                Merge stretch related documentation and translation updates from unstable and the wiki; documentation/common/edu.css.xml: improve HTML manual readability
    dehydrated                    Update subscriber license agreement URL
    doit                          Add Breaks: nikola (<< 7.6.0-1~) to ensure its removal on upgrades from jessie
    eclipse-titan                 Rebuild against current stretch GCC
    fig2dev                       Add input sanitisation on FIG files [CVE-2017-16899]; sanitize input of fill patterns
    flickcurl                     Fix OAuth token fetching; prevent double free corruption during authentication
    flightgear                    Prevent malicious add-ons from overriding arbitrary files [CVE-2017-13709]
    ganeti                        Backport upstream support for non-DSA SSH keys; fix failover from dead nodes when using extstorage; fix instance import/export/move with current socat versions
    gdm3                          Backport several patches to fix XDMCP support
    getmail4                      Fix issue related to malformed fingerprints
    glibc                         Do not update /etc/nsswitch.conf when its content already matches the default; debian/script.in/nohwcap.sh: always check for all optimized packages as multiarch allows one to install foreign architectures; avoid use-after-free read access in clntudp_call [CVE-2017-12133]; define collation for Malayalam chillu characters and correct collation of U+0D36 and U+0D37 Malayalam characters; fix invalid cast in group merging affecting ppc64 and s390x; fix compatibility with Intel C++ __regcall calling convention
    grok                          Fix pointer aliasing bug; libgrok-dev: add missing dependencies on libgrok1 and libtokyocabinet-dev
    gunicorn                      Drop unnecessary "Pre-Depends" on dpkg-dev which was causing gunicorn and python-gunicorn to bring in a compiler as a dependency
    icu                           Fix double free in createMetazoneMappings() [CVE-2017-14952]
    inn2                          [i386] Rebuild to pick up correct path to gzip binary
    iproute2                      Fix segfault in "tc" with iptables 1.6
    jdcal                         Fix Python3 dependencies
    kde-gtk-config                Fix preview buttons in KDE-GTK-config UI
    lasi                          liblasi-dev: add missing dependencies on libpango1.0-dev and libfreetype6-dev
    libdatetime-timezone-perl     Update included data
    libdbd-firebird-perl          Fix fetching of decimal(x,y) values between -1 and 0
    libdbi                        Re-enable error handler call in dbi_result_next_row()
    liblog-log4perl-perl          Work around Perl 5.24 no longer allowing syswrite and utf8 together
    liblouis                      Fix buffer overflow and use-after-free issues [CVE-2017-13738 CVE-2017-13739 CVE-2017-13740 CVE-2017-13741 CVE-2017-13742 CVE-2017-13743 CVE-2017-13744]
    libmpd                        libmpd-dev: Add the missing dependency on libglib2.0-dev
    libofx                        Security fixes [CVE-2017-2816 CVE-2017-14731]
    libxkbcommon                  libxkbcommon-x11-dev: add missing dependency on libxkbcommon-dev
    libxsettings-client           Add missing libxsettings-client-dev -> libxsettings-dev dependency
    linux                         xen/time: do not decrease steal time after live migration on xen; new stable kernel version 4.9.65
    live-config                   Configure autologin for KDE / Plasma live images
    lxc                           Don't hardcode list of valid Debian releases, allowing the creation of containers for stable, buster, testing and unstable; don't insert C.* locales into /etc/locale.gen
    mongodb                       Fix segfault/FTBFS on ARM64 with 48-bit virtual addresses; fix SpiderMonkey GC segfault when built with GCC 6; mongodb.service: start after network.target
    openssh                       Test configuration before starting or reloading sshd under systemd; adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme; make "--" before the hostname terminate argument processing after the hostname too
    pdns                          Fix incorrect qname casing in NSEC3 generation; add missing check on API operations [CVE-2017-15091]
    pdns-recursor                 Security fixes: insufficient validation of DNSSEC signatures [CVE-2017-15090]; Cross-Site Scripting in the web interface [CVE-2017-15092]; configuration file injection in the API [CVE-2017-15093]; memory leak in DNSSEC parsing [CVE-2017-15094]
    postgresql-9.6                Upstream bugfix release
    publicsuffix                  Update included data
    pyosmium                      Upstream bugfix release: handler functions not called when using replication service or when using Reader instead of file
    python-diff-match-patch       Add missing python3 dependency on Python 3 package
    python-inflect                Fix Python 3 dependencies
    python-tablib                 Safely load YAML [CVE-2017-2810]
    python2.7                     Fix integer overflow in PyString_DecodeEscape [CVE-2017-1000158]; support all groups in TLS communication
    qtcurve                       Fix crashes by using strncmp() instead of memcmp()
    ruby-httparty                 Relax dependency version in gem dependency on json
    ruby-ox                       Avoid crash with invalid XML passed to Oj.parse_obj() [CVE-2017-15928]
    ruby-pygments.rb              Avoid closing too many files when mentos starts, which can cause build failures in other packages on slower systems
    schroot                       Fix bash completion file; add systemd service file with Type=oneshot to avoid timeout issues with too many open sessions
    simutrans                     Enable sound for simutrans again; switch from SDL to mixer_sdl backend
    sitesummary                   Adjust nagios kernel version checking module to work with 4.x kernels
    slic3r                        Fix missing dependency on perlapi-*
    spamassassin                  Disable bb.barracudacentral.org; update the systemd unit file to use the same pid file as was used in the sysvinit script; update systemd unit dependencies to include network and syslog; fix inappropriate invocation of invoke-rc.d in cron script
    sqldeveloper-package          Fix build failure
    sqlite3                       Fix heap-based buffer over-read via undersized RTree blobs [CVE-2017-10989]
    syslinux                      Fix btrfs logical to physical block address mapping; fix boot problem for old BIOS firmware by correct C/H/S order; support ext4 64bit feature
    tdbcodbc                      Fix bug in ODBC library search
    tor                           Add "Bastet" directory authority; fix a timing-based assertion failure; update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2 country database
    tzdata                        New upstream release
    udftools                      Fix path to pktsetup in udftools init script
    weechat                       "logger: call strftime before replacing buffer local variables" [CVE-2017-14727]
    xml2                          Fix corruption when dealing with UTF-8 files; fix usage string for 2csv tool
    xrdp                          Fix high CPU load on SSL shutdown
    zsh                           Rebuild to pull in updated libraries for zsh-static

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

Removed packages

The following packages will be removed due to circumstances beyond our

    Package                    Reason

    libnet-ping-external-perl  Unmaintained, security issues

If you encounter any issues, please don't hesitate to get in touch with
the Debian Release Team at "debian-release@lists.debian.org".
