-------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 122-1      https://www.debian.org/
debian-release@lists.debian.org                           Adam D. Barratt
July 17th, 2017
-------------------------------------------------------------------------

Upcoming Debian 8 Update (8.9)

An update to Debian 8 is scheduled for Saturday, July 22nd, 2017. As of
now it will include the following bug fixes. They can be found in
"jessie-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "jessie-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of
them by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following
packages:

Package                     Reason

3dchess                     Reduce wasteful CPU consumption
apt-cacher                  Prevent HTTP response splitting with encoded
                            newlines in request [CVE-2017-7443]; make
                            sure /var/run/apt-cacher exists
base-files                  Update for the 8.9 point release
boinc                       Improve adjusting OOM score; fix security
                            issue with xhost
c-ares                      Security fix [CVE-2017-1000381]
cfitsio                     Fix crashes related to improper memory
                            handling
chkrootkit                  Fix segmentation fault; fix missing
                            dependency on openssh-client; add
                            Built-Using field
cqrlog                      Tools/cqrlog-apparmor-fix, debian/postrm:
                            Check for /etc/init.d/apparmor before
                            restarting apparmor
debconf                     Use File::Temp instead of the deprecated
                            POSIX::tmpnam() in Debconf::TmpFile
debian-archive-keyring      Add stretch keys, and move squeeze keys to
                            removed keyring
debian-installer            Rebuild against proposed-updates
debian-installer-netboot-images
                            Rebuild against proposed-updates
debian-security-support     Update support status of various packages;
                            update translations
debootstrap                 Add support for Buster and Bullseye
eterm                       Fix integer overflow preventing the shell
                            from starting/stopping properly
flightgear                  Prevent overriding arbitrary files from the
                            "save-flightplan" FGCommand [CVE-2017-8921]
galternatives               Fix blank properties page
gitolite3                   Fix missing dependency on openssh-client
gnats                       Gnats-user: do not fail to purge if
                            /var/lib/gnats/gnats-db is not empty
gnutls28                    Improve check for /dev/urandom uniqueness
gtk+2.0                     Backport patch from GTK+3 to fix stuck grabs
                            in some situations
init-select                 Check for /usr/lib/init-select/get-init
                            before calling it
intel-microcode             Update included microcode
libapache2-mod-perl2        Fix test suite for compatibility with latest
                            apache2 updates
libcgi-application-plugin-anytemplate-perl
                            Fix missing dependency on libclone-perl |
                            libclone-pp-perl
libclamunrar                Fix arbitrary memory write [CVE-2012-6706]
libdata-faker-perl          Run the test suite under a specific locale
libdvdnav                   Use proper error handling when position
                            cannot be detected
libhtml-microformats-perl   Fix missing dependency on
                            libmodule-pluggable-perl
libhttp-proxy-perl          Fix broken 'via' handling
libonig                     Fix multiple invalid pointer dereference,
                            out-of-bounds write memory corruption and
                            stack buffer overflow issues [CVE-2017-9224
                            CVE-2017-9226 CVE-2017-9227 CVE-2017-9228
                            CVE-2017-9229]
libosinfo                   Add support for jessie and stretch
libsys-syscall-perl         Add support for more architectures
libterralib                 Remove superfluous Conflicts/Replaces:
                            libterralib3 since that causes problems
                            upgrading to stretch which has that package
libx11-protocol-other-perl  Disable buggy test
lxterminal                  Security fix: improper use of /tmp for a
                            socket file
netcfg                      IPv6 autoconfiguration: fix NTP server name
                            handling; stop queueing rdnssd's
                            installation with IPv6 setups
offlineimap                 Prevent the usage of maxage (broken and may
                            result in data loss)
os-prober                   EFI: fix check on ID_PART_ENTRY_SCHEME, to
                            look for "dos" instead of "msdos"; make
                            Windows Vista detection more robust; add
                            support for Windows 10
pam                         Rebuild to fix multi-arch differences
partman-ext3                Force ext3|ext4 filesystem creation with
                            "-F" so that D-I doesn't "hang" when
                            re-using an existing partition in some
                            situations
perl                        Apply upstream base.pm no-dot-in-inc fix
polarssl                    Fix freeing of memory allocated on stack
                            when validating a public key with a
                            secp224k1 curve [CVE-2017-2784]
proftpd-dfsg                Fix "TLSDHParamFile directive appears
                            ignored because unexpected DH is chosen"
                            [CVE-2016-3125], "AllowChrootSymlinks off
                            does not check entire DefaultRoot path for
                            symlinks" [CVE-2017-7418]
python-colorlog             Fix python3 dependencies
python-plumbum              Fix python3 dependencies
rkhunter                    Disable remote updates [CVE-2017-7480]
shutter                     Fix insecure use of perl exec()
                            [CVE-2016-10081] and system()
tcpdf                       Security fix: disallow tcpdf calls in HTML
                            [CVE-2017-6100]
unrar-nonfree               Security fix: add bound checks for
                            VMSF_DELTA, VMSF_RGB and VMSF_AUDIO
                            parameters [CVE-2012-6706]
w3m                         Fix multiple buffer overflows, use after
                            free issues and an infinite loop
xarchiver                   Fix possible data loss due to shell
                            metacharacters
xfce4-weather-plugin        Adapt to new weather website APIs

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/oldstable.html>

Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                     Reason

ears                        Non-functional
gnuvd                       Broken due to service changes
hbro                        Broken; segfaults on all operations
lshell                      Security issues
pgsnap                      Broken with current PostgreSQL
python-django-authority     Incompatible with Django 1.7
rant                        Broken

If you encounter any issues, please don't hesitate to get in touch with
the Debian Release Team at "debian-release@lists.debian.org".