
[SUA 151-1] Upcoming Debian 9 Update (9.6)



----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 151-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
November 5th, 2018
----------------------------------------------------------------------------

Upcoming Debian 9 Update (9.6)

An update to Debian 9 is scheduled for Saturday, November 10th, 2018. As 
of now it will include the following bug fixes. They can be found in 
"stretch-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "stretch-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

  Package                    Reason
  -------                    ------

  accerciser                 Fix accessing items without a compositor; fix
                             Python console; add missing dependency on
                             python3-xlib

  apache2                    mod_http2: Fix DoS by worker exhaustion
                             [CVE-2018-1333] and by continuous SETTINGS
                             [CVE-2018-11763]; mod_proxy_fcgi: Fix segfault

  base-files                 Update /etc/debian_version for the point
                             release

  brltty                     Fix polkit authentication

  canna                      Fix file conflict between canna-dbgsym and
                             canna-utils-dbgsym

  cargo                      New package to support Firefox ESR60 build

  clamav                     New upstream releases; fix HWP integer overflow
                             and infinite loop [CVE-2018-0360]; fix PDF object
                             length check that allowed unreasonably long
                             parse times for relatively small files
                             [CVE-2018-0361]; fix denial-of-service issue
                             [CVE-2018-15378]; fix infinite loop in
                             dpkg-reconfigure

  confuse                    Fix an out of bound read in trim_whitespace
                             [CVE-2018-14447]

  dnsmasq                    trust-anchors.conf: include latest DNS trust
                             anchor KSK-2017

  dom4j                      Fix XML injection attack [CVE-2018-1000632];
                             compile with source/target 1.5 to fix a
                             compilation issue with String.format

  dpdk                       New upstream stable release

  dropbear                   Fix user enumeration vulnerability
                             [CVE-2018-15599]

  easytag                    Fix OGG corruption

  enigmail                   Add compatibility with newer Thunderbird
                             versions

  espeakup                   espeakup.service: Automatically load
                             speakup_soft on daemon startup

  fastforward                Fix segfaults on 64-bit architectures

  firetray                   Add compatibility with newer Thunderbird
                             versions

  firmware-nonfree           Fix security issues in Broadcom wifi firmware
                             [CVE-2016-0801 CVE-2017-0561 CVE-2017-9417
                             CVE-2017-13077 CVE-2017-13078 CVE-2017-13079
                             CVE-2017-13080 CVE-2017-13081]; re-add
                             transitional packages for firmware-{adi,ralink}

  fofix-dfsg                 Fix error at startup

  fuse                       Whitelist autofs and FAT as valid mountpoint
                             filesystems

  ganeti                     Properly verify SSL certificates during VM
                             export; sign generated certificates using
                             SHA256 instead of SHA1; make bash completions
                             autoloadable

  globus-gsi-credential      Fix issue with voms proxy and openssl 1.1

  gnupg2                     Security fixes; backport functionality required
                             for new enigmail

  gnutls28                   Fix security issues [CVE-2018-10844
                             CVE-2018-10845]

  gphoto2-cffi               Make python3-gphoto2cffi work again

  grub2                      grub-mknetdir: Add support for ARM64 EFI;
                             change the default TSC calibration method to
                             pmtimer on EFI systems

  hdparm                     Only enable APM on disks that advertise it

  https-everywhere           Backport new upstream version, for
                             compatibility with Firefox ESR 60

  i3-wm                      Fix crash upon restart when using marks

  iipimage                   Fix Apache configuration

  jhead                      Fix security issues [CVE-2018-17088
                             CVE-2018-16554]

  lastpass-cli               Backport hardcoded certificate pins from
                             lastpass-cli 1.3.1 to reflect changes in hosted
                             Lastpass.com service

  ldap2zone                  Fix endless loop checking zone serial

  libcgroup                  Fix world-accessible (and writeable) log files
                             [CVE-2018-14348]

  libclamunrar               New upstream release

  libdap                     Fix libdap-doc contents

  libdatetime-timezone-perl  Update included data

  libgd2                     Bmp: check return value in gdImageBmpPtr
                             [CVE-2018-1000222]; fix potential infinite loop
                             in gdImageCreateFromGifCtx [CVE-2018-5711]

  libmail-deliverystatus-    Remove non-distributable sample spam and
  bounceparser-perl          viruses

  libmspack                  Fix out-of-bounds write [CVE-2018-18584] and
                             acceptance of "blank" filenames
                             [CVE-2018-18585]

  libopenmpt                 Fix "up11: Out-of-bounds read loading IT / MO3
                             files with many pattern loops" [CVE-2018-10017]

  libseccomp                 Add support for Linux 4.9 syscalls: preadv2,
                             pwritev2, pkey_mprotect, pkey_alloc and
                             pkey_free; add support for statx

  libtirpc                   rendezvous_request: check the makefd_xprt
                             return value [CVE-2018-14622]

  libx11                     Fix several security issues [CVE-2018-14598
                             CVE-2018-14599 CVE-2018-14600]

  libxcursor                 Fix a denial of service or potentially code
                             execution via a one-byte heap overflow
                             [CVE-2015-9262]

  libxml-stream-perl         Provide a default CA path

  libxml-structured-perl     Add missing build and runtime dependency on
                             libxml-parser-perl

  linux                      Xen: Fix boot regression in PV domains; xen-
                             netfront: Fix regressions; ext4: fix false
                             negatives *and* false positives in
                             ext4_check_descriptors(); udeb: Add
                             virtio_console to virtio-modules; cdc_ncm:
                             avoid padding beyond end of skb; revert "sit:
                             reload iphdr in ipip6_rcv"; new upstream
                             release

  lxcfs                      Revert uptime virtualization, fixing process
                             start times

  magicmaze                  Depend on fonts-isabella now that ttf-isabella
                             is a virtual package

  mailman                    Fix arbitrary text injection vulnerability in
                             Mailman CGIs [CVE-2018-13796]

  multipath-tools            Avoid deadlock in udev triggers

  nagstamon                  Address IcingaWeb2 Basic auth issue

  network-manager            libnm: Fix accessing enabled and metered
                             properties; fix out-of-bounds heap write in
                             dhcpv6 option handling [CVE-2018-15688] and
                             various other issues in the sd-network based
                             dhcp=internal plugin

  network-manager-applet     libnma/pygobject: libnma/NMA must use libnm/NM
                             instead of legacy libraries

  ola                        Fix typo in /etc/init.d/rdm_test_server; fix
                             filename for jquery in rdm test server static
                             HTML files

  opensc                     Fix unbounded recursion and several out-of-
                             bounds reads or writes [CVE-2018-16391
                             CVE-2018-16392 CVE-2018-16393 CVE-2018-16418
                             CVE-2018-16419 CVE-2018-16420 CVE-2018-16421
                             CVE-2018-16422 CVE-2018-16423 CVE-2018-16424
                             CVE-2018-16425 CVE-2018-16426 CVE-2018-16427]

  pkgsel                     Install new dependencies when safe-upgrade
                             (default) is selected

  postgrey                   Create /var/run/postgrey if it does not exist

  publicsuffix               Update included data

  python-django              Default to supporting Spatialite >= 4.2

  python-imaplib2            Install the correct module for Python 3; don't
                             use TIMEOUT_MAX

  rustc                      Enable building on further architectures:
                             arm64, armel, armhf, i386, ppc64el, s390x

  sddm                       Honour PAM's ambient supplemental groups; add
                             missing utmp/wtmp/btmp handling

  serf                       Fix NULL pointer dereference

  soundconverter             Fix opus vbr setting

  spamassassin               New upstream release; fix denial of service
                             [CVE-2017-15705], remote code execution
                             [CVE-2018-11780], code injection
                             [CVE-2018-11781] and unsafe usage of "." in
                             @INC [CVE-2016-1238]; fix spamd service
                             management on package upgrades

  spice-gtk                  Fix flexible array buffer overflow
                             [CVE-2018-10873]

  sqlcipher                  Avoid a crash when opening a file

  subversion                 Fix a regression introduced in the fixes for
                             SHA1 collisions, where commits would
                             incorrectly fail with a "Filesystem is corrupt"
                             error if the delta length is a multiple of 16K

  systemd                    Networkd: Do not fail manager_connect_bus() if
                             dbus is not active yet; dhcp6: Make sure we
                             have enough space for the DHCP6 option header
                             [CVE-2018-15688]

  systraq                    Invert logic in order to exit successfully in
                             case /e/s/Makefile is missing

  tomcat-native              Fix OCSP responder issue that made it possible
                             for users to authenticate with revoked
                             certificates when using mutual TLS
                             [CVE-2018-8019 CVE-2018-8020]

  tor                        Directory authority changes: retire "Bifroest"
                             bridge authority, in favour of "Serge"; add an
                             IPv6 address for the "dannenberg" directory
                             authority

  tzdata                     New upstream release

  ublock-origin              Backport new upstream version, for
                             compatibility with Firefox ESR 60

  unbound                    Fix vulnerability in the processing of wildcard
                             synthesized NSEC records [CVE-2017-15105]

  vagrant                    Support VirtualBox 5.2

  vmtk                       python-vmtk: Add the missing dependency on
                             python-vtk6

  wesnoth-1.12               Disallow loading lua bytecode via load/dofile
                             [CVE-2018-1999023]

  wpa                        Ignore unauthenticated encrypted EAPOL-Key data
                             [CVE-2018-14526]

  x11vnc                     Fix two buffer overflows

  xapian-core                Fix glass backend bug with long-lived cursors
                             on a table in a WritableDatabase which could
                             incorrectly lead to DatabaseCorruptError being
                             thrown when the database was actually OK

  xmotd                      Avoid crash with hardening flags

  xorg-server                GLX: do not pick sRGB config for 32-bit RGBA
                             visual - fixes various blending issues with
                             kwin and Mesa >= 18.0 (i.e. Mesa from stretch-
                             backports)

  zutils                     Fix a buffer overrun in zcat [CVE-2018-1000637]


A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>
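Added example, not part of this announcement or of any Debian tool: a POSIX
shell script that pulls the per-package CVE IDs out of tables laid out like the
ones above (two-space indent for package rows, deeper indent for continuation
lines, wrapped package names ending in "-" such as
libmail-deliverystatus-bounceparser-perl, and "[arch]" qualifier rows) and
joins them against the source packages installed on a host. The installed list
is assumed to come from `dpkg-query -W -f='${source:Package}\n'`, which is a
real dpkg-query format string; the excerpt and the package list embedded in the
script are constructed test input, not a real host.

```shell
#!/bin/sh
# Added example (not part of the SUA): list the CVE fixes an announcement
# carries per source package and match them against what is installed.
# Assumes the announcement's table layout: package rows indented two spaces,
# continuation lines indented further, CVE IDs in square brackets, wrapped
# package names ending in "-", and "[arch]" qualifier rows.

# Read an SUA announcement on stdin; print one "source-package CVE-ID" line
# for every CVE mentioned in a package row or its continuation lines.
sua_cves() {
  awk '
    function flush(    s) {
      if (cur == "") return
      s = buf
      while (match(s, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
        print cur, substr(s, RSTART, RLENGTH)
        s = substr(s, RSTART + RLENGTH)
      }
      cur = ""; buf = ""
    }
    /^[^ ]/ { flush(); next }                       # unindented text ends a table
    /^  [^ ]/ {
      name = $1
      if (name == "Package" || name ~ /^-+$/) { flush(); next }   # table header
      if (name ~ /^\[/) { buf = buf " " $0; next }  # "[s390x]"-style qualifier row
      if (cur ~ /-$/) cur = cur name                # wrapped package name continues
      else { flush(); cur = name }
      buf = buf " " substr($0, length(name) + 3)
      next
    }
    cur != "" { buf = buf " " $0 }                  # continuation line
    END { flush() }
  '
}

# Announcement on stdin, $1 = file of installed source package names, one per
# line, e.g. from: dpkg-query -W -f='${source:Package}\n' | sort -u
# Prints "source-package CVE-ID" for the fixes that apply to this host.
sua_pending_fixes() {
  sua_cves | sort -u | awk 'NR == FNR { want[$1] = 1; next } $1 in want' "$1" -
}

# Constructed excerpt in the announcement's layout (entries copied from the
# tables above), used only as sample input.
SAMPLE_SUA=$(cat <<'EOF'
Miscellaneous Bugfixes
----------------------

  Package                    Reason
  -------                    ------

  apache2                    mod_http2: Fix DoS by worker exhaustion
                             [CVE-2018-1333] and by continuous SETTINGS
                             [CVE-2018-11763]; mod_proxy_fcgi: Fix segfault

  gnutls28                   Fix security issues [CVE-2018-10844
                             CVE-2018-10845]

  libmail-deliverystatus-    Remove non-distributable sample spam and
  bounceparser-perl          viruses

  zutils                     Fix a buffer overrun in zcat [CVE-2018-1000637]

Removed packages
----------------

  intel-processor-trace      Only useful on Intel architectures
  [s390x]
EOF
)

# Constructed list of installed source packages for the demonstration.
INSTALLED=$(mktemp)
printf '%s\n' apache2 zutils bash > "$INSTALLED"

printf '%s\n' "$SAMPLE_SUA" | sua_pending_fixes "$INSTALLED"
rm -f "$INSTALLED"
```

The join is on source package names because the tables above name source
packages (gnutls28, libx11, linux), not the binaries dpkg lists by default. To
test the fixes themselves as the Release Team asks, the packages come from a
`deb http://deb.debian.org/debian stretch-proposed-updates main` line in
sources.list followed by `apt-get update` and
`apt-get -t stretch-proposed-updates install <package>`; that step needs a
Debian host and is not automated here.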


Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

  Package                    Reason
  -------                    ------

  adblock-plus-element-      Incompatible with newer firefox-esr versions
  hiding-helper

  all-in-one-sidebar         Incompatible with newer firefox-esr versions

  autofill-forms             Incompatible with newer firefox-esr versions

  automatic-save-folder      Incompatible with newer firefox-esr versions

  classic-theme-restorer     Incompatible with newer firefox-esr versions

  colorfultabs               Incompatible with newer firefox-esr versions

  custom-tab-width           Incompatible with newer firefox-esr versions

  dactyl                     Incompatible with newer firefox-esr versions

  downthemall                Incompatible with newer firefox-esr versions

  dvips-fontdata-n2bk        Empty package

  firebug                    Incompatible with newer firefox-esr versions

  firegestures               Incompatible with newer firefox-esr versions

  firexpath                  Incompatible with newer firefox-esr versions

  flashgot                   Incompatible with newer firefox-esr versions

  form-history-control       Incompatible with newer firefox-esr versions

  foxyproxy                  Incompatible with newer firefox-esr versions

  gitlab                     Open security issues, hard to backport fixes

  greasemonkey               Incompatible with newer firefox-esr versions

  intel-processor-trace      Only useful on Intel architectures
  [s390x]

  itsalltext                 Incompatible with newer firefox-esr versions

  knot-resolver              Security issues

  lightbeam                  Incompatible with newer firefox-esr versions

  livehttpheaders            Incompatible with newer firefox-esr versions

  lyz                        Incompatible with newer firefox-esr versions

  npapi-vlc                  Incompatible with newer firefox-esr versions

  nukeimage                  Incompatible with newer firefox-esr versions

  openinbrowser              Incompatible with newer firefox-esr versions

  perspectives-extension     Incompatible with newer firefox-esr versions

  pwdhash                    Incompatible with newer firefox-esr versions

  python-facebook            Broken due to upstream changes

  python-tvrage              Useless after tvrage.com shutdown

  reloadevery                Incompatible with newer firefox-esr versions

  sage-extension             Incompatible with newer firefox-esr versions

  scrapbook                  Incompatible with newer firefox-esr versions

  self-destructing-cookies   Incompatible with newer firefox-esr versions

  spdy-indicator             Incompatible with newer firefox-esr versions

  status-4-evar              Incompatible with newer firefox-esr versions

  stylish                    Incompatible with newer firefox-esr versions

  tabmixplus                 Incompatible with newer firefox-esr versions

  tree-style-tab             Incompatible with newer firefox-esr versions

  ubiquity-extension         Incompatible with newer firefox-esr versions

  uppity                     Incompatible with newer firefox-esr versions

  useragentswitcher          Incompatible with newer firefox-esr versions

  video-without-flash        Incompatible with newer firefox-esr versions

  webdeveloper               Incompatible with newer firefox-esr versions

  xul-ext-monkeysphere       Incompatible with newer firefox-esr versions


If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
