-------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 122-1 https://www.debian.org/
debian-release@lists.debian.org Adam D. Barratt
July 17th, 2017
-------------------------------------------------------------------------
Upcoming Debian 8 Update (8.9)
An update to Debian 8 is scheduled for Saturday, July 22nd, 2017. As of
now it will include the following bug fixes. They can be found in
"jessie-proposed-updates", which is carried by all official mirrors.
Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "jessie-updates".
Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of
them by copying "debian-release@lists.debian.org" on your mails.
The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------
This oldstable update adds a few important corrections to the following
packages:
Package Reason
3dchess Reduce wasteful CPU consumption
apt-cacher Prevent HTTP response splitting with encoded newlines in request [CVE-2017-7443]; make sure /var/run/apt-cacher exists
base-files Update for the 8.9 point release
boinc Improve adjusting OOM score; fix security issue with xhost
c-ares Security fix [CVE-2017-1000381]
cfitsio Fix crashes related to improper memory handling
chkrootkit Fix segmentation fault; fix missing dependency on openssh-client; add Built-Using field
cqrlog Tools/cqrlog-apparmor-fix, debian/postrm: Check for /etc/init.d/apparmor before restarting apparmor
debconf Use File::Temp instead of the deprecated POSIX::tmpnam() in Debconf::TmpFile
debian-archive-keyring Add stretch keys, and move squeeze keys to removed keyring
debian-installer Rebuild against proposed-updates
debian-installer-netboot- Rebuild against proposed-updates
images
debian-security-support Update support status of various packages; update translations
debootstrap Add support for Buster and Bullseye
eterm Fix integer overflow preventing the shell from starting/stopping properly
flightgear Prevent overriding arbitrary files from the "save-flightplan" FGCommand [CVE-2017-8921]
galternatives Fix blank properties page
gitolite3 Fix missing dependency on openssh-client
gnats Gnats-user: do not fail to purge if /var/lib/gnats/gnats-db is not empty
gnutls28 Improve check for /dev/urandom uniqueness
gtk+2.0 Backport patch from GTK+3 to fix stuck grabs in some situations
init-select Check for /usr/lib/init-select/get-init before calling it
intel-microcode Update included microcode
libapache2-mod-perl2 Fix test suite for compatibility with latest apache2 updates
libcgi-application-plugin- Fix missing dependency on libclone-perl | libclone-pp-perl
anytemplate-perl
libclamunrar Fix arbitrary memory write [CVE-2012-6706]
libdata-faker-perl Run the test suite under a specific locale
libdvdnav Use proper error handling when position cannot be detected
libhtml-microformats-perl Fix missing dependency on libmodule-pluggable-perl
libhttp-proxy-perl Fix broken 'via' handling
libonig Fix multiple invalid pointer dereference, out-of-bounds write memory corruption and stack buffer overflow issues [CVE-2017-9224 CVE-2017-9226 CVE-2017-9227 CVE-2017-9228 CVE-2017-9229]
libosinfo Add support for jessie and stretch
libsys-syscall-perl Add support for more architectures
libterralib Remove superfluous Conflicts/Replaces: libterralib3 since that causes problems upgrading to stretch which has that package
libx11-protocol-other-perl Disable buggy test
lxterminal Security fix: improper use of /tmp for a socket file
netcfg IPv6 autoconfiguration: fix NTP server name handling; stop queueing rdnssd's installation with IPv6 setups
offlineimap Prevent the usage of maxage (broken and may result in data loss)
os-prober EFI: fix check on ID_PART_ENTRY_SCHEME, to look for "dos" instead of "msdos"; make Windows Vista detection more robust; add support for Windows 10
pam Rebuild to fix multi-arch differences
partman-ext3 Force ext3|ext4 filesystem creation with "-F" so that D-I doesn't "hang" when re-using an existing partition in some situations
perl Apply upstream base.pm no-dot-in-inc fix
polarssl Fix freeing of memory allocated on stack when validating a public key with a secp224k1 curve [CVE-2017-2784]
proftpd-dfsg Fix "TLSDHParamFile directive appears ignored because unexpected DH is chosen" [CVE-2016-3125], "AllowChrootSymlinks off does not check entire DefaultRoot path for symlinks" [CVE-2017-7418]
python-colorlog Fix python3 dependencies
python-plumbum Fix python3 dependencies
rkhunter Disable remote updates [CVE-2017-7480]
shutter Fix insecure use of perl exec() [CVE-2016-10081] and system()
tcpdf Security fix: disallow tcpdf calls in HTML [CVE-2017-6100]
unrar-nonfree Security fix: add bound checks for VMSF_DELTA, VMSF_RGB and VMSF_AUDIO paramters [CVE-2012-6706]
w3m Fix multiple buffer overflows, use after free issues and an infinite loop
xarchiver Fix possible data loss due to shell metacharacters
xfce4-weather-plugin Adapt to new weather website APIs
A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:
<https://release.debian.org/proposed-updates/oldstable.html>
Removed packages
----------------
The following packages will be removed due to circumstances beyond our
control:
Package Reason
ears Non-functional
gnuvd Broken due to service changes
hbro Broken; segfaults on all operations
lshell Security issues
pgsnap Broken with current PostgreSQL
python-django-authority Incompatible with Django 1.7
rant Broken
If you encounter any issues, please don't hesitate to get in touch with
the Debian Release Team at "debian-release@lists.debian.org".
Attachment:
signature.asc
Description: This is a digitally signed message part