-------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 143-1 https://www.debian.org/
debian-release@lists.debian.org Adam D. Barratt
June 19th, 2018
-------------------------------------------------------------------------
Upcoming Debian 8 Update (8.11)
The final point release for Debian 8 is scheduled for Saturday, June 23rd,
2018. As of now it will include the following bug fixes. They can be found
in "jessie-proposed-updates", which is carried by all official mirrors.
Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "jessie-updates".
Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of
them by copying "debian-release@lists.debian.org" on your mails.
The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------
This oldstable update adds a few important corrections to the following
packages:
Package Reason
adminer Don't allow connections to privileged ports [CVE-2018-7667]
base-files Update for the point release
blktrace Fix buffer overflow in btt [CVE-2018-10689]
bwm-ng Explicitly build without libstatgrab support
clamav Security update [CVE-2017-6418 CVE-2017-6420 CVE-2017-12374 CVE-2017-12375 CVE-2017-12376 CVE-2017-12377 CVE-2017-12378 CVE-2017-12379 CVE-2017-12380]; fix temporary file cleanup issue
debian-installer Rebuild for the point release
debian-security-support Update package data
dh-make-perl Support Contents file without header
dns-root-data Update IANA DNSSEC files to 2017-02-02 versions
faad2 Fix several DoS issues via crafted MP4 files [CVE-2017-9218 CVE-2017-9219 CVE-2017-9220 CVE-2017-9221 CVE-2017-9222 CVE-2017-9223 CVE-2017-9253 CVE-2017-9254 CVE-2017-9255 CVE-2017-9256 CVE-2017-9257]
file Avoid reading past the end of a buffer [CVE-2018-10360]
ghostscript Fix segfault with fuzzing file in gxht_thresh_image_init(); fix buffer overflow in fill_threshold_buffer [CVE-2016-10317]; pdfwrite - Guard against trying to output an infinite number [CVE-2018-10194]
intel-microcode Update included microcode, including fixes for Spectre v2 [CVE-2017-5715]
lame Fix security issues by switching to use I/O routines from sndfile [CVE-2017-15018 CVE-2017-15045 CVE-2017-15046 CVE-2017-9869 CVE-2017-9870 CVE-2017-9871 CVE-2017-9872]
libdatetime-timezone-perl Update included data
libextractor Various security fixes [CVE-2017-15266 CVE-2017-15267 CVE-2017-15600 CVE-2017-15601 CVE-2017-15602 CVE-2017-15922 CVE-2017-17440]
libipc-run-perl Fix memory leak
linux New upstream stable version
mactelnet Security fix [CVE-2016-7115]
ncurses Fix buffer overflow in the _nc_write_entry function [CVE-2017-16879]
nvidia-graphics-drivers New upstream version
nvidia-graphics-drivers- Update to latest driver
legacy-304xx
openafs Fix kernel module build against linux 3.16.51-3+deb8u1 kernels after security update-induced ABI changes
openldap Fix upgrade failure when olcSuffix contains a backslash; fix memory corruption caused by calling sasl_client_init() multiple times
patch Fix arbitrary command execution in ed-style patches [CVE-2018-1000156]
postgresql-9.4 New upstream release
psensor Fix directory traversal issue [CVE-2014-10073]
python-mimeparse Fix python3-mimeparse's dependencies
rar Strip statically linked rar and install the dynamically linked version instead
reportbug Stop CCing secure-testing-team@lists.alioth.debian.org
sam2p Fix multiple invalid frees and buffer-overflow vulnerabilities [CVE-2018-7487 CVE-2018-7551 CVE-2018-7552 CVE-2018-7553 CVE-2018-7554]
slurm-llnl Fix upgrade issue from wheezy
soundtouch Security fixes [CVE-2017-9258 CVE-2017-9259 CVE-2017-9260]
subversion Fix crashes with Perl bindings, commonly seen when using git-svn
tzdata Update included data
user-mode-linux Rebuild against current jessie kernel
virtualbox-guest-additions- Fix multiple security issues [CVE-2016-0592 CVE-2016-0495 CVE-2015-8104 CVE-2015-7183 CVE-2015-5307 CVE-2015-7183 CVE-2015-4813 CVE-2015-4896 CVE-2015-3456]
iso
xerces-c Fix Denial of Service via external DTD reference [CVE-2017-12627]
zsh Rebuild against libraries currently in jessie
A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:
<https://release.debian.org/proposed-updates/oldstable.html>
Removed packages
----------------
The following packages will be removed due to circumstances beyond our
control:
Package Reason
dolibarr Too much work to maintain it properly in Debian
electrum No longer able to connect to the network
jirc Broken with jessie's libpoe-filter-xml-perl
nvidia-graphics-modules License problem; incompatible with current kernel ABI
openstreetmap-client Broken
redmine No longer security supported
redmine-plugin-pretend Depends on redmine
redmine-plugin-recaptcha Depends on redmine
redmine-recaptcha Depends on redmine
youtube-dl Incompatible YouTube API changes
If you encounter any issues, please don't hesitate to get in touch with
the Debian Release Team at "debian-release@lists.debian.org".Attachment:
signature.asc
Description: This is a digitally signed message part