----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 144-1 https://www.debian.org/
debian-release@lists.debian.org Adam D. Barratt
July 9th, 2018
----------------------------------------------------------------------------
Upcoming Debian 9 Update (9.5)
An update to Debian 9 is scheduled for Saturday, July 14th, 2018. As of now
it will include the following bug fixes. They can be found in
"stretch-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "stretch-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------
This stable update adds a few important corrections to the following
packages:
Package                   Reason
-------                   ------
2ping                     Add missing dependency on python-pkg-resources
abiword                   Resolve binary file conflict between
                          abiword-dbgsym and abiword-plugin-grammar-dbgsym
adminer                   Don't allow connections to privileged ports
                          [CVE-2018-7667]
animals                   Fix incorrect file permissions that made the
                          game unusable
apache2                   Upgrade mod_http2 and mod_proxy_http2 to the
                          versions from 2.4.33, fixing segfaults, high
                          memory usage and potential crash [CVE-2018-1302];
                          make the apache-htcacheclean init script
                          actually use /etc/default/apache-htcacheclean
                          for its config
auto-complete-el          Add upstream fix for emacs25; adjust the emacs
                          dependencies to the emacs versions in stretch;
                          set auto-complete-el.emacsen-compat to silence
                          installation warning
awffull                   Do not use removed options in
                          /etc/cron.daily/awffull
ax25-tools                Avoid segmentation fault at runtime
base-files                Update for the point release
blktrace                  Fix buffer overflow in btt [CVE-2018-10689]
ca-certificates           Update Mozilla CA bundle to version 2.22 and
                          bug fixes
camo                      Add missing dependency on openssl
cffi                      Add missing files for cffi-libffi and
                          cffi-toolchain; add several missing dependencies
check-postgres            Update testsuite to handle pg_get_indexdef()
                          now always including the schema name
clamav                    New upstream version; don't fail on recently
                          removed config options
clustershell              Add missing dependency on python-pkg-resources
debian-security-support   Update included data
dehydrated                Fix failure to create fullchain.pem
devscripts                uscan: fix the new package version regex for
                          filenamemangle; debsign: fix bash completion;
                          bts: support the new "ftbfs" tag; uscan:
                          support HTTPS in the sf.net redirector;
                          debcheckout: support salsa.debian.org; debdiff:
                          sort shlibs files before comparing, reducing
                          diff noise; uscan: actually support --copy
disc-cover                Fix perl error when running disc-cover
discover                  Use correct type for the length parameter of
                          the getline() call
django-xmlrpc             Fix python3 dependencies
dosbox                    Fix crashes with core=dynamic
dpdk                      New upstream stable update
dpkg                      Fix integer overflow in deb(5) format version
                          parser; fix directory traversal with
                          dpkg-deb --raw-extract; add support for riscv64
                          CPU; do not normalize args past a passthrough
                          stop word in Dpkg::Getopt; parse
                          start-stop-daemon usernames and groupnames
                          starting with digits correctly; always use the
                          binary version for the .buildinfo filename
dput-ng                   Add jessie-backports-sloppy and
                          stretch-backports targets; include 'testing' in
                          the rm-managed suites and 'oldstable' in
                          "protected distributions"; add ports-master
                          profile; FTP: parse and use optional [:port]
                          part for fqdn
elastix                   Rebuild with ITK that has been built with gcc 6
email2trac                Fix detection of Trac 1.2
faad2                     Fix several DoS issues via crafted MP4 files
                          [CVE-2017-9218 CVE-2017-9219 CVE-2017-9220
                          CVE-2017-9221 CVE-2017-9222 CVE-2017-9223
                          CVE-2017-9253 CVE-2017-9254 CVE-2017-9255
                          CVE-2017-9256 CVE-2017-9257]
faker                     Add missing dependency on python-ipaddress
fastkml                   Add missing dependency on pkg-resources
file                      Avoid reading past the end of buffer
                          [CVE-2018-10360]
freedink-dfarc            Fix directory traversal in D-Mod extractor
                          [CVE-2018-0496]
ganeti                    Properly verify SSL certificates during VM
                          export
ghostscript               Fix segfault with fuzzing file in
                          gxht_thresh_image_init(); fix buffer overflow
                          in fill_threshold_buffer [CVE-2016-10317];
                          pdfwrite - Guard against trying to output an
                          infinite number [CVE-2018-10194]
git-annex                 Security fixes [CVE-2018-10857 CVE-2018-10859]
glx-alternatives          New upstream version
grid-engine               Use correct paths to qmon pixmaps
intel-microcode           Update included microcode, including fixes for
                          Spectre v2 [CVE-2017-5715]
jdresolve                 Fix incompatibility with libnet-dns-perl in
                          Debian 8 and later
libb64                    Rebuild with PIE
libdate-holidays-de-perl  Mark Reformation Day as a holiday in
                          Niedersachsen and Bremen
libdatetime-timezone-perl Update included data
libextractor              Various security fixes [CVE-2017-15266
                          CVE-2017-15267 CVE-2017-15600 CVE-2017-15601
                          CVE-2017-15602 CVE-2017-15922 CVE-2017-17440]
libipc-run-perl           Fix memory leak
liblouis                  Fix buffer overflow [CVE-2018-11410]; fix
                          several buffer overflows [CVE-2018-11440
                          CVE-2018-11577 CVE-2018-11683 CVE-2018-11684
                          CVE-2018-11685 CVE-2018-12085]
libosmium                 Output coordinate with value of -2^31
                          correctly; fix buffers larger than 2^32 bytes
linux                     New upstream stable version 4.9.110
linux-latest              Update to -7 ABI
llvm-toolchain-4.0        New package for rust backports
local-apt-repository      Stop breaking apt when the package is removed
                          but not purged
loook                     Fix handling of password-protected files
miniupnpd                 Fix Denial of Service issue [CVE-2017-1000494]
nss-pam-ldapd             Increase size of hostname buffer
nvidia-graphics-drivers   New upstream version
obfsproxy                 Don't install the broken AppArmor profile
openldap                  Fix an out-of-sync issue with delta-syncrepl
                          replication in multi-master environments;
                          really fix upgrades when the config contains
                          backslash-escaped special characters
openstack-debian-images   Set CloudStack after OpenStack in the
                          datasource_list, to avoid a 120s delay in
                          cloud-init when booting a machine in an
                          OpenStack cloud
patch                     Fix arbitrary command execution in ed-style
                          patches [CVE-2018-1000156]
piglit                    Fix missing dependency on python-mako
postgresql-9.6            New upstream version
postgresql-common         Prevent upgrading/removing server packages from
                          stopping other major version clusters when
                          running systemd
psad                      Add missing dependencies on net-tools and
                          iproute2
pysurfer                  Add missing dependency on python-matplotlib
python-cluster            Add missing dependency on pkg-resources
python-pyorick            Fix import failure by adding missing dependency
                          on python3-numpy
python-scruffy            Add missing dependencies on pkg-resources
r-cran-mi                 Add missing dependency on r-cran-arm
redis                     Correct RunTimeDirectory -> RuntimeDirectory
                          typo in systemd .service files
reportbug                 Notify the security team or LTS team about a
                          possible regression if reporting a bug against
                          a package containing a security fix
rustc                     New upstream release to support Firefox ESR
salt                      Fix "salt-ssh minion copied over configuration
                          from the Salt Master without adjusting
                          permissions" [CVE-2017-8109]
shared-mime-info          Switch dpkg trigger to noawait, fixing upgrade
                          issues from jessie
showq                     Fix prefix, so application actually works
source-highlight          Fix dependency on libboost-regex-dev
starplot                  Fix startup crash
subversion                Reject commits which would introduce hash
                          collisions with existing data, thus addressing
                          the SHA1/shattered issue
sus                       Update to new version, technically identical to
                          SUSv4 + TC1 + TC2
systemd                   networkd-ndisc: Handle missing MTU gracefully;
                          allow RemoveIPC= to be set in the unit file not
                          only via D-Bus; nspawn: Add missing -E to
                          getopt_long(); login: Respect --no-wall when
                          cancelling a shutdown request
tclreadline               Fix shared library build on ppc64el
thefuck                   Add missing dependency on pkg-resources
tinyproxy                 Do not stop listening after SIGHUP; fix
                          configuration file path; add missing dependency
                          on adduser
tlslite-ng                Verify MAC even if the padding is 1 byte long
tzdata                    New upstream release
unison                    Rebuild with stretch's ocaml
variety                   Fix shell injection on deleting files to trash;
                          fix shell injection in filter and clock with
                          specially crafted filenames; harden ImageMagick
                          calls against potential shell injection
xapian-core               Fix MSet::snippet() to escape HTML in all cases
                          [CVE-2018-0499]
xerces-c                  Fix Denial of Service via external DTD
                          reference [CVE-2017-12627]; fix a regression
                          that forced gcc to use SSE2, even on platforms
                          that do not support it
xrdp                      Fix off-by-one error which could lead to
                          crashes
A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:
<https://release.debian.org/proposed-updates/stable.html>
Removed packages
----------------
The following packages will be removed due to circumstances beyond our
control:
Package                   Reason
-------                   ------
libnet-whois-perl         Broken
mlbviewer                 No longer works due to content provider changes
python-uniconvertor       Unusable; requires unpackaged dependency
singularity-container     Not security supportable
undertow                  Unsupportable; several security issues;
                          alternatives exist
visionegg                 Unusable; requires no longer available
                          numpy.oldnumeric
If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".