---------------------------------------------------------------------------- Debian Stable Updates Announcement SUA 144-1 https://www.debian.org/ firstname.lastname@example.org Adam D. Barratt July 9th, 2018 ---------------------------------------------------------------------------- Upcoming Debian 9 Update (9.5) An update to Debian 9 is scheduled for Saturday, July 14th, 2018. As of now it will include the following bug fixes. They can be found in "stretch- proposed-updates", which is carried by all official mirrors. Please note that packages published through security.debian.org are not listed, but will be included if possible. Some of the updates below are also already available through "stretch-updates". Testing and feedback would be appreciated. Bugs should be filed in the Debian Bug Tracking System, but please make the Release Team aware of them by copying "email@example.com" on your mails. The point release will also include a rebuild of debian-installer. Miscellaneous Bugfixes ---------------------- This stable update adds a few important corrections to the following packages: Package Reason ------- ------ 2ping Add missing dependency on python-pkg-resources abiword Resolve binary file conflict between abiword- dbgsym and abiword-plugin-grammar-dbgsym adminer Don't allow connections to privileged ports [CVE-2018-7667] animals Fix incorrect file permissions that made the game unusable apache2 Upgrade mod_http and mod_proxy_http2 to the versions from 2.4.33, fixing segfaults, high memory usage and potential crash [CVE-2018-1302]; make the apache-htcacheclean init script actually use /etc/default/apache- htcacheclean for its config auto-complete-el Add upstream fix for emacs25; adjust the emacs dependencies to the emacs versions in stretch; set auto-complete-el.emacsen-compat to silence installation warning awffull Do not use removed options in /etc/cron.daily/awffull ax25-tools Avoid segmentation fault at runtime base-files Update for the point release blktrace Fix buffer overflow in btt [CVE-2018-10689] ca-certificates Update Mozilla CA bundle to version 2.22 and bug fixes camo Add missing dependency on openssl cffi Add missing files for cffi-libffi and cffi- toolchain; add several missing dependencies check-postgres Update testsuite to handle pg_get_indexdef() now always including the schema name clamav New upstream version; don't fail on recently removed config options clustershell Add missing dependency on python-pkg-resources debian-security-support Update included data dehydrated Fix failure to create fullchain.pem devscripts uscan: fix the new package version regex for filenamemangle; debsign: fix bash completion; bts: support the new "ftbfs" tag; uscan: support HTTPS in the sf.net redirector; debcheckout: support salsa.debian.org; debdiff: sort shlibs files before comparing, reducing diff noise; uscan: actually support --copy disc-cover Fix perl error when running disc-cover discover Use correct type for the length parameter of the getline() call django-xmlrpc Fix python3 dependencies dosbox Fix crashes with core=dynamic dpdk New upstream stable update dpkg Fix integer overflow in deb(5) format version parser; fix directory traversal with dpkg-deb --raw-extract; add support for riscv64 CPU; do not normalize args past a passthrough stop word in Dpkg::Getopt; parse start-stop-daemon usernames and groupnames starting with digits correctly; always use the binary version for the .buildinfo filename dput-ng Add jessie-backports-sloppy and stretch- backports targets; include 'testing' in the rm- managed suites and 'oldstable' in "protected distributions"; add ports-master profile; FTP: parse and use optional [:port] part for fqdn elastix Rebuild with ITK that has been built with gcc 6 email2trac Fix detection of Trac 1.2 faad2 Fix several DoS issues via crafted MP4 files [CVE-2017-9218 CVE-2017-9219 CVE-2017-9220 CVE-2017-9221 CVE-2017-9222 CVE-2017-9223 CVE-2017-9253 CVE-2017-9254 CVE-2017-9255 CVE-2017-9256 CVE-2017-9257] faker Add missing dependency on python-ipaddress fastkml Add missing dependency on pkg-resources file Avoid reading past the end of buffer [CVE-2018-10360] freedink-dfarc Fix directory traversal in D-Mod extractor [CVE-2018-0496] ganeti Properly verify SSL certificates during VM export ghostscript Fix segfault with fuzzing file in gxht_thresh_image_init(); fix buffer overflow in fill_threshold_buffer [CVE-2016-10317]; pdfwrite - Guard against trying to output an infinite number [CVE-2018-10194] git-annex Security fixes [CVE-2018-10857 CVE-2018-10859] glx-alternatives New upstream version grid-engine Use correct paths to qmon pixmaps intel-microcode Update included microcode, including fixes for Spectre v2 [CVE-2017-5715] jdresolve Fix incompatibility with libnet-dns-perl in Debian 8 and later libb64 Rebuild with PIE libdate-holidays-de-perl Mark Reformation Day as a holiday in Niedersachsen and Bremen libdatetime-timezone-perl Update included data libextractor Various security fixes [CVE-2017-15266 CVE-2017-15267 CVE-2017-15600 CVE-2017-15601 CVE-2017-15602 CVE-2017-15922 CVE-2017-17440] libipc-run-perl Fix memory leak liblouis Fix buffer overflow [CVE-2018-11410]; fix several buffer overflows [CVE-2018-11440 CVE-2018-11577 CVE-2018-11683 CVE-2018-11684 CVE-2018-11685 2018-12085] libosmium Output coordinate with value of -2^31 correctly; fix buffers larger than 2^32 bytes linux New upstream stable version 4.9.110 linux-latest Update to -7 ABI llvm-toolchain-4.0 New package for rust backports local-apt-repository Stop breaking apt when the package is removed but not purged loook Fix handling password protected files miniupnpd Fix Denial of Service issue [CVE-2017-1000494] nss-pam-ldapd Increase size of hostname buffer nvidia-graphics-drivers New upstream version obfsproxy Don't install the broken AppArmor profile openldap Fix an out-of-sync issue with delta-syncrepl replication in multi-master environments; really fix upgrades when the config contains backslash-escaped special characters openstack-debian-images Set CloudStack after OpenStack in the datasource_list, to avoid a 120s delay in cloud-init when booting a machine in an OpenStack cloud patch Fix arbitrary command execution in ed-style patches [CVE-2018-1000156] piglit Fix missing dependency on python-mako postgresql-9.6 New upstream version postgresql-common Prevent upgrading/removing server packages from stopping other major version clusters when running systemd psad Add missing dependencies on net-tools and iproute2 pysurfer Add missing dependency on python-matplotlib python-cluster Add missing dependency on pkg-resources python-pyorick Fix import failure by adding missing dependency on python3-numpy python-scruffy Add missing dependencies on pkg-resources r-cran-mi Add missing dependency on r-cran-arm redis Correct RunTimeDirectory -> RuntimeDirectory typo in systemd .service files reportbug Notify the security team or LTS team about a possible regression if reporting a bug against a package containing a security fix rustc New upstream release to support Firefox ESR salt Fix "salt-ssh minion copied over configuration from the Salt Master without adjusting permissions" [CVE-2017-8109] shared-mime-info Switch dpkg trigger to noawait, fixing upgrade issues from jessie showq Fix prefix, so application actually works source-highlight Fix dependency on libboost-regex-dev starplot Fix startup crash subversion Reject commits which would introduce hash collisions with existing data, thus addressing the SHA1/shattered issue sus Update to new version, technically identical to SUSv4 + TC1 + TC2 systemd networkd-ndisc: Handle missing MTU gracefully; allow RemoveIPC= to be set in the unit file not only via D-Bus; nspawn: Add missing -E to getopt_long'; login: Respect --no-wall when cancelling a shutdown request tclreadline Fix shared library build on ppc64el thefuck Add missing dependency on pkg-resources tinyproxy Do not stop listening after SIGHUP; fix configuration file path; add missing dependency on adduser tlslite-ng Verify MAC even if the padding is 1 byte long tzdata New upstream release unison Rebuild with stretch's ocaml variety Fix shell injection on deleting files to trash; fix shell injection in filter and clock with specially crafted filenames; harden ImageMagick calls against potential shell injection xapian-core Fix MSet::snippet() to escape HTML in all cases [CVE-2018-499] xerces-c Fix Denial of Service via external DTD reference [CVE-2017-12627]; fix a regression that forced gcc to use SSE2, even on platforms that do not support it xrdp Fix off-by-one error which could lead to crashes A complete list of all accepted and rejected packages together with rationale is on the preparation page for this revision: <https://release.debian.org/proposed-updates/stable.html> Removed packages ---------------- The following packages will be removed due to circumstances beyond our control: Package Reason ------- ------ libnet-whois-perl Broken mlbviewer No longer works due to content provider changes python-uniconvertor Unusable; requires unpackaged dependency singularity-container Not security supportable undertow Unsupportable; several security issues; alternatives exist visionegg Unusable; requires no longer available numpy.oldnumeric If you encounter any issues, please don't hesitate to get in touch with the Debian Release Team at "firstname.lastname@example.org".
Description: This is a digitally signed message part