[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SUA 144-1] Upcoming Debian 9 Update (9.5)

Debian Stable Updates Announcement SUA 144-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
July 9th, 2018

Upcoming Debian 9 Update (9.5)

An update to Debian 9 is scheduled for Saturday, July 14th, 2018. As of now
it will include the following bug fixes. They can be found in "stretch-
proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "stretch-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following

  Package                    Reason
  -------                    ------

  2ping                      Add missing dependency on python-pkg-resources

  abiword                    Resolve binary file conflict between abiword-
                             dbgsym and abiword-plugin-grammar-dbgsym

  adminer                    Don't allow connections to privileged ports

  animals                    Fix incorrect file permissions that made the
                             game unusable

  apache2                    Upgrade mod_http and mod_proxy_http2 to the
                             versions from 2.4.33, fixing segfaults, high
                             memory usage and potential crash
                             [CVE-2018-1302]; make the apache-htcacheclean
                             init script actually use /etc/default/apache-
                             htcacheclean for its config

  auto-complete-el           Add upstream fix for emacs25; adjust the emacs
                             dependencies to the emacs versions in stretch;
                             set auto-complete-el.emacsen-compat to silence
                             installation warning

  awffull                    Do not use removed options in

  ax25-tools                 Avoid segmentation fault at runtime

  base-files                 Update for the point release

  blktrace                   Fix buffer overflow in btt [CVE-2018-10689]

  ca-certificates            Update Mozilla CA bundle to version 2.22 and
                             bug fixes

  camo                       Add missing dependency on openssl

  cffi                       Add missing files for cffi-libffi and cffi-
                             toolchain; add several missing dependencies

  check-postgres             Update testsuite to handle pg_get_indexdef()
                             now always including the schema name

  clamav                     New upstream version; don't fail on recently
                             removed config options

  clustershell               Add missing dependency on python-pkg-resources

  debian-security-support    Update included data

  dehydrated                 Fix failure to create fullchain.pem

  devscripts                 uscan: fix the new package version regex for
                             filenamemangle; debsign: fix bash completion;
                             bts: support the new "ftbfs" tag; uscan:
                             support HTTPS in the sf.net redirector;
                             debcheckout: support salsa.debian.org; debdiff:
                             sort shlibs files before comparing, reducing
                             diff noise; uscan: actually support --copy

  disc-cover                 Fix perl error when running disc-cover

  discover                   Use correct type for the length parameter of
                             the getline() call

  django-xmlrpc              Fix python3 dependencies

  dosbox                     Fix crashes with core=dynamic

  dpdk                       New upstream stable update

  dpkg                       Fix integer overflow in deb(5) format version
                             parser; fix directory traversal with dpkg-deb
                             --raw-extract; add support for riscv64 CPU; do
                             not normalize args past a passthrough stop word
                             in Dpkg::Getopt; parse start-stop-daemon
                             usernames and groupnames starting with digits
                             correctly; always use the binary version for
                             the .buildinfo filename

  dput-ng                    Add jessie-backports-sloppy and stretch-
                             backports targets; include 'testing' in the rm-
                             managed suites and 'oldstable' in "protected
                             distributions"; add ports-master profile; FTP:
                             parse and use optional [:port] part for fqdn

  elastix                    Rebuild with ITK that has been built with gcc 6

  email2trac                 Fix detection of Trac 1.2

  faad2                      Fix several DoS issues via crafted MP4 files
                             [CVE-2017-9218 CVE-2017-9219 CVE-2017-9220
                             CVE-2017-9221 CVE-2017-9222 CVE-2017-9223
                             CVE-2017-9253 CVE-2017-9254 CVE-2017-9255
                             CVE-2017-9256 CVE-2017-9257]

  faker                      Add missing dependency on python-ipaddress

  fastkml                    Add missing dependency on pkg-resources

  file                       Avoid reading past the end of buffer

  freedink-dfarc             Fix directory traversal in D-Mod extractor

  ganeti                     Properly verify SSL certificates during VM

  ghostscript                Fix segfault with fuzzing file in
                             gxht_thresh_image_init(); fix buffer overflow
                             in fill_threshold_buffer [CVE-2016-10317];
                             pdfwrite - Guard against trying to output an
                             infinite number [CVE-2018-10194]

  git-annex                  Security fixes [CVE-2018-10857 CVE-2018-10859]

  glx-alternatives           New upstream version

  grid-engine                Use correct paths to qmon pixmaps

  intel-microcode            Update included microcode, including fixes for
                             Spectre v2 [CVE-2017-5715]

  jdresolve                  Fix incompatibility with libnet-dns-perl in
                             Debian 8 and later

  libb64                     Rebuild with PIE

  libdate-holidays-de-perl   Mark Reformation Day as a holiday in
                             Niedersachsen and Bremen

  libdatetime-timezone-perl  Update included data

  libextractor               Various security fixes [CVE-2017-15266
                             CVE-2017-15267 CVE-2017-15600 CVE-2017-15601
                             CVE-2017-15602 CVE-2017-15922 CVE-2017-17440]

  libipc-run-perl            Fix memory leak

  liblouis                   Fix buffer overflow [CVE-2018-11410]; fix
                             several buffer overflows [CVE-2018-11440
                             CVE-2018-11577 CVE-2018-11683 CVE-2018-11684
                             CVE-2018-11685 2018-12085]

  libosmium                  Output coordinate with value of -2^31
                             correctly; fix buffers larger than 2^32 bytes

  linux                      New upstream stable version 4.9.110

  linux-latest               Update to -7 ABI

  llvm-toolchain-4.0         New package for rust backports

  local-apt-repository       Stop breaking apt when the package is removed
                             but not purged

  loook                      Fix handling password protected files

  miniupnpd                  Fix Denial of Service issue [CVE-2017-1000494]

  nss-pam-ldapd              Increase size of hostname buffer

  nvidia-graphics-drivers    New upstream version

  obfsproxy                  Don't install the broken AppArmor profile

  openldap                   Fix an out-of-sync issue with delta-syncrepl
                             replication in multi-master environments;
                             really fix upgrades when the config contains
                             backslash-escaped special characters

  openstack-debian-images    Set CloudStack after OpenStack in the
                             datasource_list, to avoid a 120s delay in
                             cloud-init when booting a machine in an
                             OpenStack cloud

  patch                      Fix arbitrary command execution in ed-style
                             patches [CVE-2018-1000156]

  piglit                     Fix missing dependency on python-mako

  postgresql-9.6             New upstream version

  postgresql-common          Prevent upgrading/removing server packages from
                             stopping other major version clusters when
                             running systemd

  psad                       Add missing dependencies on net-tools and

  pysurfer                   Add missing dependency on python-matplotlib

  python-cluster             Add missing dependency on pkg-resources

  python-pyorick             Fix import failure by adding missing dependency
                             on python3-numpy

  python-scruffy             Add missing dependencies on pkg-resources

  r-cran-mi                  Add missing dependency on r-cran-arm

  redis                      Correct RunTimeDirectory -> RuntimeDirectory
                             typo in systemd .service files

  reportbug                  Notify the security team or LTS team about a
                             possible regression if reporting a bug against
                             a package containing a security fix

  rustc                      New upstream release to support Firefox ESR

  salt                       Fix "salt-ssh minion copied over configuration
                             from the Salt Master without adjusting
                             permissions" [CVE-2017-8109]

  shared-mime-info           Switch dpkg trigger to noawait, fixing upgrade
                             issues from jessie

  showq                      Fix prefix, so application actually works

  source-highlight           Fix dependency on libboost-regex-dev

  starplot                   Fix startup crash

  subversion                 Reject commits which would introduce hash
                             collisions with existing data, thus addressing
                             the SHA1/shattered issue

  sus                        Update to new version, technically identical to
                             SUSv4 + TC1 + TC2

  systemd                    networkd-ndisc: Handle missing MTU gracefully;
                             allow RemoveIPC= to be set in the unit file not
                             only via D-Bus; nspawn: Add missing -E to
                             getopt_long'; login: Respect --no-wall when
                             cancelling a shutdown request

  tclreadline                Fix shared library build on ppc64el

  thefuck                    Add missing dependency on pkg-resources

  tinyproxy                  Do not stop listening after SIGHUP; fix
                             configuration file path; add missing dependency
                             on adduser

  tlslite-ng                 Verify MAC even if the padding is 1 byte long

  tzdata                     New upstream release

  unison                     Rebuild with stretch's ocaml

  variety                    Fix shell injection on deleting files to trash;
                             fix shell injection in filter and clock with
                             specially crafted filenames; harden ImageMagick
                             calls against potential shell injection

  xapian-core                Fix MSet::snippet() to escape HTML in all cases

  xerces-c                   Fix Denial of Service via external DTD
                             reference [CVE-2017-12627]; fix a regression
                             that forced gcc to use SSE2, even on platforms
                             that do not support it

  xrdp                       Fix off-by-one error which could lead to

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:


Removed packages

The following packages will be removed due to circumstances beyond our

  Package                    Reason
  -------                    ------

  libnet-whois-perl          Broken

  mlbviewer                  No longer works due to content provider changes

  python-uniconvertor        Unusable; requires unpackaged dependency

  singularity-container      Not security supportable

  undertow                   Unsupportable; several security issues;
                             alternatives exist

  visionegg                  Unusable; requires no longer available

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: