----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 151-1        https://www.debian.org/
debian-release@lists.debian.org                             Adam D. Barratt
November 5th, 2018
----------------------------------------------------------------------------

Upcoming Debian 9 Update (9.6)

An update to Debian 9 is scheduled for Saturday, November 10th, 2018. As of
now it will include the following bug fixes. They can be found in
"stretch-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "stretch-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package                   Reason
-------                   ------
accerciser                Fix accessing items without a compositor; fix
                          Python console; add missing dependency on
                          python3-xlib
apache2                   mod_http2: Fix DoS by worker exhaustion
                          [CVE-2018-1333] and by continuous SETTINGS
                          [CVE-2018-11763]; mod_proxy_fcgi: Fix segfault
base-files                Update /etc/debian_version for the point release
brltty                    Fix polkit authentication
canna                     Fix file conflict between canna-dbgsym and
                          canna-utils-dbgsym
cargo                     New package to support Firefox ESR60 build
clamav                    New upstream release; fix HWP integer overflow,
                          infinite loop vulnerability [CVE-2018-0360]; fix
                          PDF object length check issue, unreasonably long
                          time to parse relatively small file
                          [CVE-2018-0361]; new upstream version; fix
                          Denial-of-Service issue [CVE-2018-15378]; fix
                          infinite loop in dpkg-reconfigure
confuse                   Fix an out of bound read in trim_whitespace
                          [CVE-2018-14447]
dnsmasq                   trust-anchors.conf: include latest DNS trust
                          anchor KSK-2017
dom4j                     Fix XML injection attack [CVE-2018-1000632];
                          compile with source/target 1.5 to fix a
                          compilation issue with String.format
dpdk                      New upstream stable release
dropbear                  Fix user enumeration vulnerability
                          [CVE-2018-15599]
easytag                   Fix OGG corruption
enigmail                  Add compatibility with newer Thunderbird versions
espeakup                  espeakup.service: Automatically load speakup_soft
                          on daemon startup
fastforward               Fix segfaults on 64-bit architectures
firetray                  Add compatibility with newer Thunderbird versions
firmware-nonfree          Fix security issues in Broadcom wifi firmware
                          [CVE-2016-0801 CVE-2017-0561 CVE-2017-9417
                          CVE-2017-13077 CVE-2017-13078 CVE-2017-13079
                          CVE-2017-13080 CVE-2017-13081]; re-add
                          transitional packages for firmware-{adi,ralink}
fofix-dfsg                Fix error at startup
fuse                      Whitelist autofs and FAT as valid mountpoint
                          filesystems
ganeti                    Properly verify SSL certificates during VM
                          export; sign generated certificates using SHA256
                          instead of SHA1; make bash completions
                          autoloadable
globus-gsi-credential     Fix issue with voms proxy and openssl 1.1
gnupg2                    Security fixes; backport functionality required
                          for new enigmail
gnutls28                  Fix security issues [CVE-2018-10844
                          CVE-2018-10845]
gphoto2-cffi              Make python3-gphoto2cffi work again
grub2                     grub-mknetdir: Add support for ARM64 EFI; change
                          the default TSC calibration method to pmtimer on
                          EFI systems
hdparm                    Only enable APM on disks that advertise it
https-everywhere          Backport new upstream version, for compatibility
                          with Firefox ESR 60
i3-wm                     Fix crash upon restart when using marks
iipimage                  Fix Apache configuration
jhead                     Fix security issues [CVE-2018-17088
                          CVE-2018-16554]
lastpass-cli              Backport hardcoded certificate pins from
                          lastpass-cli 1.3.1 to reflect changes in hosted
                          Lastpass.com service
ldap2zone                 Fix endless loop checking zone serial
libcgroup                 Fix world-accessible (and writeable) log files
                          [CVE-2018-14348]
libclamunrar              New upstream release
libdap                    Fix libdap-doc contents
libdatetime-timezone-perl Update included data
libgd2                    bmp: check return value in gdImageBmpPtr
                          [CVE-2018-1000222]; fix potential infinite loop
                          in gdImageCreateFromGifCtx [CVE-2018-5711]
libmail-deliverystatus-bounceparser-perl
                          Remove non-distributable sample spam and viruses
libmspack                 Fix out-of-bounds write [CVE-2018-18584] and
                          acceptance of "blank" filenames [CVE-2018-18585]
libopenmpt                Fix "up11: Out-of-bounds read loading IT / MO3
                          files with many pattern loops" [CVE-2018-10017]
libseccomp                Add support for Linux 4.9 syscalls: preadv2,
                          pwritev2, pkey_mprotect, pkey_alloc and
                          pkey_free; add support for statx
libtirpc                  rendezvous_request: check the makefd_xprt return
                          value [CVE-2018-14622]
libx11                    Fix several security issues [CVE-2018-14598
                          CVE-2018-14599 CVE-2018-14600]
libxcursor                Fix a denial of service or potentially code
                          execution via a one-byte heap overflow
                          [CVE-2015-9262]
libxml-stream-perl        Provide a default CA path
libxml-structured-perl    Add missing build and runtime dependency on
                          libxml-parser-perl
linux                     Xen: Fix boot regression in PV domains;
                          xen-netfront: Fix regressions; ext4: fix false
                          negatives *and* false positives in
                          ext4_check_descriptors(); udeb: Add
                          virtio_console to virtio-modules; cdc_ncm: avoid
                          padding beyond end of skb; revert "sit: reload
                          iphdr in ipip6_rcv"; new upstream release
lxcfs                     Revert uptime virtualization, fixing process
                          start times
magicmaze                 Depend on fonts-isabella now that ttf-isabella
                          is a virtual package
mailman                   Fix arbitrary text injection vulnerability in
                          Mailman CGIs [CVE-2018-13796]
multipath-tools           Avoid deadlock in udev triggers
nagstamon                 Address IcingaWeb2 Basic auth issue
network-manager           libnm: Fix accessing enabled and metered
                          properties; fix out-of-bounds heap write in
                          dhcpv6 option handling [CVE-2018-15688] and
                          various other issues in the sd-network based
                          dhcp=internal plugin
network-manager-applet    libnma/pygobject: libnma/NMA must use libnm/NM
                          instead of legacy libraries
ola                       Fix typo in /etc/init.d/rdm_test_server; fix
                          filename for jquery in rdm test server static
                          HTML files
opensc                    Fix unbounded recursion and several
                          out-of-bounds reads or writes [CVE-2018-16391
                          CVE-2018-16392 CVE-2018-16393 CVE-2018-16418
                          CVE-2018-16419 CVE-2018-16420 CVE-2018-16421
                          CVE-2018-16422 CVE-2018-16423 CVE-2018-16424
                          CVE-2018-16425 CVE-2018-16426 CVE-2018-16427]
pkgsel                    Install new dependencies when safe-upgrade
                          (default) is selected
postgrey                  Create /var/run/postgrey if it does not exist
publicsuffix              Update included data
python-django             Default to supporting Spatialite >= 4.2
python-imaplib2           Install the correct module for Python 3; don't
                          use TIMEOUT_MAX
rustc                     Enable building on further architectures: arm64,
                          armel, armhf, i386, ppc64el, s390x
sddm                      Honour PAM's ambient supplemental groups; add
                          missing utmp/wtmp/btmp handling
serf                      Fix NULL pointer dereference
soundconverter            Fix opus vbr setting
spamassassin              New upstream release; fix denial of service
                          [CVE-2017-15705], remote code execution
                          [CVE-2018-11780], code injection
                          [CVE-2018-11781] and unsafe usage of "." in @INC
                          [CVE-2016-1238]; fix spamd service management on
                          package upgrades
spice-gtk                 Fix flexible array buffer overflow
                          [CVE-2018-10873]
sqlcipher                 Avoid a crash when opening a file
subversion                Fix a regression introduced in the fixes for
                          SHA1 collisions, where commits would incorrectly
                          fail with a "Filesystem is corrupt" error if the
                          delta length is a multiple of 16K
systemd                   networkd: Do not fail manager_connect_bus() if
                          dbus is not active yet; dhcp6: Make sure we have
                          enough space for the DHCP6 option header
                          [CVE-2018-15688]
systraq                   Invert logic in order to exit successfully in
                          case /e/s/Makefile is missing
tomcat-native             Fix OCSP responder issue that made it possible
                          for users to authenticate with revoked
                          certificates when using mutual TLS
                          [CVE-2018-8019 CVE-2018-8020]
tor                       Directory authority changes: retire "Bifroest"
                          bridge authority, in favour of "Serge"; add an
                          IPv6 address for the "dannenberg" directory
                          authority
tzdata                    New upstream release
ublock-origin             Backport new upstream version, for compatibility
                          with Firefox ESR 60
unbound                   Fix vulnerability in the processing of wildcard
                          synthesized NSEC records [CVE-2017-15105]
vagrant                   Support VirtualBox 5.2
vmtk                      python-vmtk: Add the missing dependency on
                          python-vtk6
wesnoth-1.12              Disallow loading lua bytecode via load/dofile
                          [CVE-2018-1999023]
wpa                       Ignore unauthenticated encrypted EAPOL-Key data
                          [CVE-2018-14526]
x11vnc                    Fix two buffer overflows
xapian-core               Fix glass backend bug with long-lived cursors on
                          a table in a WritableDatabase which could
                          incorrectly lead to DatabaseCorruptError being
                          thrown when the database was actually OK
xmotd                     Avoid crash with hardening flags
xorg-server               GLX: do not pick sRGB config for 32-bit RGBA
                          visual - fixes various blending issues with kwin
                          and Mesa >= 18.0 (i.e. Mesa from
                          stretch-backports)
zutils                    Fix a buffer overrun in zcat [CVE-2018-1000637]

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>

Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                   Reason
-------                   ------
adblock-plus-element-hiding-helper
                          Incompatible with newer firefox-esr versions
all-in-one-sidebar        Incompatible with newer firefox-esr versions
autofill-forms            Incompatible with newer firefox-esr versions
automatic-save-folder     Incompatible with newer firefox-esr versions
classic-theme-restorer    Incompatible with newer firefox-esr versions
colorfultabs              Incompatible with newer firefox-esr versions
custom-tab-width          Incompatible with newer firefox-esr versions
dactyl                    Incompatible with newer firefox-esr versions
downthemall               Incompatible with newer firefox-esr versions
dvips-fontdata-n2bk       Empty package
firebug                   Incompatible with newer firefox-esr versions
firegestures              Incompatible with newer firefox-esr versions
firexpath                 Incompatible with newer firefox-esr versions
flashgot                  Incompatible with newer firefox-esr versions
form-history-control      Incompatible with newer firefox-esr versions
foxyproxy                 Incompatible with newer firefox-esr versions
gitlab                    Open security issues, hard to backport fixes
greasemonkey              Incompatible with newer firefox-esr versions
intel-processor-trace     Only useful on Intel architectures [s390x]
itsalltext                Incompatible with newer firefox-esr versions
knot-resolver             Security issues
lightbeam                 Incompatible with newer firefox-esr versions
livehttpheaders           Incompatible with newer firefox-esr versions
lyz                       Incompatible with newer firefox-esr versions
npapi-vlc                 Incompatible with newer firefox-esr versions
nukeimage                 Incompatible with newer firefox-esr versions
openinbrowser             Incompatible with newer firefox-esr versions
perspectives-extension    Incompatible with newer firefox-esr versions
pwdhash                   Incompatible with newer firefox-esr versions
python-facebook           Broken due to upstream changes
python-tvrage             Useless after tvrage.com shutdown
reloadevery               Incompatible with newer firefox-esr versions
sage-extension            Incompatible with newer firefox-esr versions
scrapbook                 Incompatible with newer firefox-esr versions
self-destructing-cookies  Incompatible with newer firefox-esr versions
spdy-indicator            Incompatible with newer firefox-esr versions
status-4-evar             Incompatible with newer firefox-esr versions
stylish                   Incompatible with newer firefox-esr versions
tabmixplus                Incompatible with newer firefox-esr versions
tree-style-tab            Incompatible with newer firefox-esr versions
ubiquity-extension        Incompatible with newer firefox-esr versions
uppity                    Incompatible with newer firefox-esr versions
useragentswitcher         Incompatible with newer firefox-esr versions
video-without-flash       Incompatible with newer firefox-esr versions
webdeveloper              Incompatible with newer firefox-esr versions
xul-ext-monkeysphere      Incompatible with newer firefox-esr versions

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".