-------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 137-1       https://www.debian.org/
debian-release@lists.debian.org                            Adam D. Barratt
March 5th, 2018
-------------------------------------------------------------------------

Upcoming Debian 9 Update (9.4)

An update to Debian 9 is scheduled for Saturday, March 10th, 2018. As of
now it will include the following bug fixes. They can be found in
"stretch-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "stretch-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of
them by copying "debian-release@lists.debian.org" on your mails.

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package                      Reason

acme-tiny                    Fix outdated version of the subscriber agreement
activity-log-manager         Add missing dependency on python-zeitgeist
agenda.app                   Fix creation of tasks and appointments
apparmor                     Pin the AppArmor feature set to Stretch's kernel
auto-apt-proxy               Move apt configuration away on removal, and put
                             it back on reinstalls
bareos                       Fix backups failing with "No Volume name given"
base-files                   Update for the point release
cappuccino                   Add missing dependency on gir1.2-gtk-3.0
cerealizer                   Fix Python3 dependencies
clamav                       Security update [CVE-2017-6418 CVE-2017-6420
                             CVE-2017-12374 CVE-2017-12375 CVE-2017-12376
                             CVE-2017-12377 CVE-2017-12378 CVE-2017-12379
                             CVE-2017-12380]
cron                         Properly transition system jobs to
                             system_cronjob_t SELinux context and stop relying
                             on refpolicy specific identifiers
cups                         Fix execution of arbitrary IPP commands by sending
                             POST requests to the CUPS daemon in conjunction
                             with DNS rebinding [CVE-2017-18190]
dbus                         New upstream release; raise file descriptor limit
                             sooner, fixing a regression in local DoS fix
debian-edu-config            Pre-configure Chromium Webbrowser system-wide to
                             auto-detect the http proxy settings via WPAD;
                             allow joining of Windows 10 clients to the Samba
                             NT4-style domain
debian-installer             Bump Linux kernel version from 4.9.0-4 to 4.9.0-6
directfb                     Fix architecture-based filter to actually install
                             drivers
dpdk                         Update to new stable point release
espeakup                     udeb: fix case where card 0 does not have an id or
                             where cards have non-contiguous indexes; use
                             English by default; use card id in installed
                             system to avoid issues with card detection
                             ordering
exam                         Fix Python3 dependencies
flatpak                      New upstream release; fix a D-Bus filtering bypass
                             in flatpak-dbus-proxy; ignore unrecognised
                             permission strings, instead of failing; new
                             upstream release; do not allow legacy
                             eavesdropping on the D-Bus session bus
fuse-zip                     Fix writeback fail with libzip 1.0
glade                        Fix possible infinite loop
glibc                        Do not update /etc/nsswitch.conf when its content
                             already matches the default;
                             debian/script.in/nohwcap.sh: always check for all
                             optimized packages as multiarch allows one to
                             install foreign architectures; avoid
                             use-after-free read access in clntudp_call
                             [CVE-2017-12133]; define collation for Malayalam
                             chillu characters and correct collation of U+0D36
                             and U+0D37 Malayalam characters; fix invalid cast
                             in group merging affecting ppc64 and s390x; fix
                             compatibility with Intel C++ __regcall calling
                             convention; install the libc-otherbuild postinst
                             and postrm in the libc6-i686 transitional package,
                             to make sure /etc/ld.so.nohwcap is correctly
                             removed after an upgrade
global                       Gozilla: quote URLs before passing them to BROWSER
                             [CVE-2017-17531]
gnumail                      Stop linking to OpenSSL
golang-github-go-ldap-ldap   Require explicit intention for empty password
gosa-plugin-pwreset          Fix deprecated constructor call
grilo-plugins                Fix Radio France source
hdf5                         Fix javahelper invocation
inputlirc                    Include input-event-codes.h instead of input.h,
                             fixing build failure
intercal                     Recompile with PIE
java-atk-wrapper             Fix iterator initialization; fix missing reference
                             for children
kildclient                   Drop support for user-defined browsers
                             [CVE-2017-17511]
libdate-holidays-de-perl     Mark Reformation Day as a holiday in Hamburg and
                             Schleswig-Holstein from 2018 onwards
libdatetime-timezone-perl    New upstream version
libhibernate-validator-java  Fix potential privilege escalation by
                             circumventing security manager permissions
                             [CVE-2017-7536]
libperlx-assert-perl         Add missing dependencies on
                             libkeyword-simple-perl, libdevel-declare-perl
libreoffice                  Let FunctionAccess execute WEBSERVICE; use the
                             right error code on WEBSERVICE() failures
libvhdi                      Add missing python3 dependency
libvirt                      QEMU: shared disks with cache=directsync should be
                             safe for migration; avoid denial of service
                             reading from QEMU monitor [CVE-2018-5748]
linux                        New upstream version
lxc                          Fix the creation of testing and unstable
                             containers by including "iproute2" rather than
                             "iproute"
mapproxy                     Fix Cross Site Scripting (XSS) issue in demo
                             service [CVE-2017-1000426]
mosquitto                    Fix persistence file being world-readable
                             [CVE-2017-9868]
mpi4py                       Support current version of libmpi
ncurses                      Fix buffer overflow in the _nc_write_entry
                             function [CVE-2017-16879]
needrestart                  Fix switching to list mode if debconf is run
                             non-interactively
ntp                          Increase stack size to at least 32kB
nvidia-graphics-drivers-legacy-304xx
                             New upstream release
nvidia-graphics-drivers-legacy-340xx
                             New upstream release
nvidia-modprobe              New upstream release; run setuid(0) before forking
                             modprobe to preserve privileges through shell
                             invocations and recursive modprobe calls; new
                             upstream release
nvidia-persistenced          New upstream release
nvidia-settings              New upstream release; fix a bug that prevented
                             changes to stereo eye assignment from getting
                             applied from the nvidia-settings control panel
nvidia-xconfig               New upstream release; fix a regression that
                             prevented nvidia-xconfig from querying some GPUs,
                             e.g. when running `nvidia-xconfig -a`
ocfs2-tools                  Migrate from using rcS to standard runlevels
opendmarc                    Update opendmarc service file so changes in
                             opendmarc.conf are used
openssh                      Fix "in read-only mode, sftp-server was
                             incorrectly permitting creation of zero-length
                             files" [CVE-2017-15906]
osinfo-db                    Update included data
pdns-recursor                Rebuild against publicsuffix
                             20171028.2055-0+deb9u1
postfix                      New upstream bugfix release; don't log warnings
                             that some restriction returns OK, when the access
                             map DISCARD feature is in effect; add missing
                             dynamicmaps support in the Postfix sendmail
                             command; fix sending to some sites with "TLSA 2 X
                             X" records
postgresql-9.6               New upstream version
publicsuffix                 Update included data
python-evtx                  Fix missing python3 dependency
python-hacking               Fix python3 dependencies
python-hkdf                  Fix python3 dependencies
python-mimeparse             Fix python3 dependencies
python-pyperclip             Fix python3 dependencies
python-spake2                Fix python3 dependencies
qtpass                       Fix insecure built-in password generator
                             [CVE-2017-18021]
quota                        Prevent quotacheck from running into an endless
                             loop
reportbug                    Don't send email to
                             secure-testing-team@lists.alioth.debian.org any
                             more
rpy                          Rebuild against r-base 3.3
ruby-redis-store             Allow unsafe objects to be loaded from redis
                             [CVE-2017-1000248]
salt                         Fix directory traversal vulnerability on
                             salt-master via crafted minion IDs
                             [CVE-2017-12791], directory traversal
                             vulnerability in minion id validation in SaltStack
                             [CVE-2017-14695], remote Denial of Service with a
                             specially crafted authentication request
                             [CVE-2017-14696]; check if data[return] is dict
                             type
slic3r                       Patch "use lib" line in all installed binaries;
                             workaround missing GL_MULTISAMPLE macro; fix
                             importing binary STLs on big-endian architectures
soundtouch                   Security fixes [CVE-2017-9258 CVE-2017-9259
                             CVE-2017-9260]
systemd                      networkd: Handle MTU field in IPv6 RA; add a
                             linker script to help prevent symbol collisions,
                             particularly with PAM modules; resolved: Fix loop
                             on packets with pseudo dns types [CVE-2017-15908];
                             machinectl: Don't output "No machines." with
                             --no-legend option
tzdata                       New upstream version
ust                          Fix loading of Python agent library
uwsgi                        Fix stack-based buffer overflow in
                             uwsgi_expand_path function [CVE-2018-6758]
vagrant                      Download boxes from app.vagrantcloud.com instead
                             of the deprecated atlas.hashicorp.com
vdirsyncer                   Fix discovery of Google contacts
virt-what                    Unbreak virt detection on arm/aarch64
w3m                          Fix stack overflow [CVE-2018-6196], null deref
                             [CVE-2018-6197], /tmp file races [CVE-2018-6198]
waagent                      New upstream version
webkit2gtk                   New upstream stable release
xchain                       Fix dependency on "wish"
xrdp                         Fix security issue [CVE-2017-16927]; fix high CPU
                             load on ssl_tls_accept

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>

Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package      Reason

dolibarr     Too much work to maintain it properly in Debian
electrum     Security issues; broken due to upstream changes
jirc         Broken with stretch's libpoe-filter-xml-perl
pgmodeler    Incompatible with stretch's Postgresql
seelablet    Abandoned upstream; broken

If you encounter any issues, please don't hesitate to get in touch with
the Debian Release Team at "debian-release@lists.debian.org".