----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 156-1 https://www.debian.org/
debian-release@lists.debian.org Adam D. Barratt
February 12th, 2019
----------------------------------------------------------------------------
Upcoming Debian 9 Update (9.8)
An update to Debian 9 is scheduled for Saturday, February 16th, 2019. As
of now it will include the following bug fixes. They can be found in
"stretch-proposed-updates", which is carried by all official mirrors.
Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "stretch-updates".
Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.
The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------
This stable update adds a few important corrections to the following
packages:
Package Reason
------- ------
arc Fix directory traversal bugs [CVE-2015-9275],
arcdie crash when called with more then 1
variable argument and version 1 arc header
reading
astroml-addons Fix Python 3 dependencies
base-files Update for the point release
c3p0 Fix XML External Entity vulnerability
[CVE-2018-20433]
ca-certificates-java Fix temporary jvm-*.cfg generation on armhf
chkrootkit Fix regular expression for filtering out dhcpd
and dhclient as false positives from the packet
sniffer test
compactheader Update to work with newer Thunderbird versions
courier Fix @piddir@ substitution
cups Security fixes [CVE-2017-18248 CVE-2018-4700]
debian-edu-config Fix configuration of personal web pages; re-
enable offline installation of a combi server
including diskless workstation support; enable
Chromium homepage setting at installation time
and via LDAP
debian-installer Rebuild for the point release
debian-security-support Update support status of various packages
dnspython Fix error when parsing nsec3 bitmap from text
egg Skip emacsen-install for unsupported xemacs21
erlang Do not install Erlang mode for XEmacs
espeakup debian/espeakup.service: Fix compatibility with
older versions of systemd
freerdp Fix security issues [CVE-2018-8786
CVE-2018-8787 CVE-2018-8788]; add CredSSP v3
and RDP proto v6 support
ganeti-os-noop Fix size detection for non-block devices
glibc Fix several security isses [CVE-2017-15670
CVE-2017-15671 CVE-2017-15804 CVE-2017-1000408
CVE-2017-1000409 CVE-2017-16997 CVE-2017-18269
CVE-2018-11236 CVE-2018-11237]; avoid
segmentation faults on CPUs with AVX512-F; fix
a use after free in pthread_create(); check for
postgresql in NSS check; fix
pthread_cond_wait() in the pshared case on
non-x86.
glx-alternatives Add diversion and alternative for
libGLX_indirect.so.0; avoid confusing
diagnostic message if no nvidia alternative is
available
gnulib vasnprintf: Fix heap memory overrun bug
[CVE-2018-17942]
gnupg2 Avoid crash when importing without a TTY
graphite-api Fix RequiresMountsFor spelling in systemd
service
grokmirror Add missing dependency on python-pkg-resources
gvrng Fix permissions problem that prevented starting
gvrng; generate correct Python dependencies
ibus Fix multi-arch installation by removing the gir
package's Python dependency
icedtea-web Stop building the browser plugin, no longer
works with Firefox 60
icinga2 Fix timestamps being stored as local time in
PostgreSQL
intel-microcode Add accumulated fixes for Westmere EP
(signature 0x206c2) [Intel SA-00161
CVE-2018-3615 CVE-2018-3620 CVE-2018-3646 Intel
SA-00115 CVE-2018-3639 CVE-2018-3640 Intel
SA-0088 CVE-2017-5753 CVE-2017-5754]
isort Fix Python dependencies
jdupes Fix potential crash on ARM
kmodpy Remove incorrect Multi-Arch: same from python-
kmodpy
libapache2-mod-perl2 Don't allow <Perl> sections in user controlled
configuration [CVE-2011-2767]
libb2 Detect if the system can use AVX before
actually using it
libdatetime-timezone-perl Update included data
libemail-address-list-perl Fix DoS vulnerability [CVE-2018-18898]
libemail-address-perl Fix DoS vulnerabilities [CVE-2015-7686
CVE-2018-12558]
libgpod python-gpod: Add missing dependency on python-
gobject-2
libssh Fix broken server-side keyboard-interactive
authentication
linux New upstream release
linux-igd Make the init script require $network
lttng-modules Fix build on linux-rt 4.9 kernels and kernels
>= 4.9.0-3
mistral Fix "std.ssh action may disclose presence of
arbitrary files" [CVE-2018-16849]
monkeysign Fix security issue [CVE-2018-12020]; actually
send multiple emails instead of a single one
mpqc Also install sc-libtool
nvidia-graphics-drivers New upstream release
nvidia-modprobe New upstream release
nvidia-persistenced New upstream release
nvidia-settings New upstream release
nvidia-xconfig New upstream release
openni2 Fix armhf baseline violation and armel FTBFS
caused by NEON usage
openvpn Fix NCP behaviour on TLS reconnect, causing
"AEAD Decrypt error: cipher final failed"
errors
parsedatetime Add support for python3
pdns Fix security issues [CVE-2018-1046
CVE-2018-10851]; fix MySQL queries with stored
procedures; fix ldap, lua, opendbx backend not
finding domains
pdns-recursor Fix security issues [CVE-2018-10851
CVE-2018-14626 CVE-2018-14644]
photocollage Add missing dependency on gir1.2-gtk-3.0
postfix New upstream stable release; avoid postconf
failures when postfix-instance-generator runs
during boot; update watch file
postgresql-9.6 New upstream release
postgrey Create /var/run/postgrey if it does not exist;
revert the 1.36-3+deb9u1 change due to
regression
pylint-django Fix Python 3 dependencies
python-acme Backport newer version for tls-sni-01
deprecation
python-arpy Correct substitution variable for Python 3
interpreter depends
python-certbot Backport newer version for tls-sni-01
deprecation
python-certbot-apache Update for deprecation of tls-sni-01
python-certbot-nginx Update for deprecation of tls-sni-01
python-hypothesis Fix dependencies of python3-hypothesis
and python-hypothesis-doc
python-josepy New certbot dependency
pyzo Add missing dependency on python3-pkg-resources
r-cran-readxl Fix crash bugs [CVE-2018-20450 CVE-2018-20452]
rtkit Move dbus and polkit from Recommends to Depends
ruby-rack Fix a possible XSS vulnerability
[CVE-2018-16471]
samba New upstream release; s3:ntlm_auth: fix memory
leak in manage_gensec_request(); ignore nmbd
start errors when there is no non-loopback
interface or no local IPv4 non-loopback
interface; fix CVE-2018-14629 regression on a
non-CNAME record
sl-modem Support Linux versions > 3
sogo-connector Update to work with newer Thunderbird versions
sox Really apply fixes for CVE-2014-8145
ssh-agent-filter Fix two-byte out-of-bounds stack write
supercollider Disable support for XEmacs and Emacs <= 23
sympa Remove /etc/sympa/sympa.conf-smime.in from
conffiles; use full path for head command in
Sympa configuration file
twitter-bootstrap3 Fix multiple security vulnerabilities
[CVE-2018-14040 CVE-2018-14041 CVE-2018-14042]
tzdata New upstream release
uglifyjs Fix manpage contents
uriparser Fix multiple security vulnerabilties
[CVE-2018-19198 CVE-2018-19199 CVE-2018-19200]
vm Drop support for xemacs21
vulture Add missing dependency on python3-pkg-resources
wayland Fix possible integer overflow [CVE-2017-16612]
wicd Always depend on net-tools, rather than
alternatives
wvstreams Work around stack corruption
xapian-core Fix leaks of freelist blocks in corner cases,
which then get reported as
"DatabaseCorruptError" by Database::check()
xkeycaps Prevent segfault in commands.c when more than 8
keysyms per key are present
yosys Fix "ModuleNotFoundError: No module named
'smtio'"
z3 Remove incorrect Multi-Arch: same from
python-z3
A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:
<https://release.debian.org/proposed-updates/stable.html>
Removed packages
----------------
The following packages will be removed due to circumstances beyond our
control:
Package Reason
------- ------
adblock-plus Incompatible with newer firefox-esr versions
calendar-exchange-provider Incompatible with newer Thunderbird versions
cookie-monster Incompatible with newer firefox-esr versions
corebird Broken by Twitter API changes
debian-buttons Incompatible with newer firefox-esr versions
debian-parl Depends on broken / removed Firefox plugins
firefox-branding-iceweasel Incompatible with newer firefox-esr versions
firefox-kwallet5 Incompatible with newer firefox-esr versions
flashblock Incompatible with newer firefox-esr versions
flickrbackup Incompatible with current Flickr API
imap-acl-extension Incompatible with newer firefox-esr versions
mozilla-dom-inspector Incompatible with newer firefox-esr versions
mozilla-noscript Incompatible with newer firefox-esr versions
mozilla-password-editor Incompatible with newer firefox-esr versions
mozvoikko Incompatible with newer firefox-esr versions
personaplus Incompatible with newer firefox-esr versions
python-formalchemy Unusable, fails to import in Python
refcontrol Incompatible with newer firefox-esr versions
requestpolicy Incompatible with newer firefox-esr versions
spice-xpi Incompatible with newer firefox-esr versions
toggle-proxy Incompatible with newer firefox-esr versions
y-u-no-validate Incompatible with newer firefox-esr versions
If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".Attachment:
signature.asc
Description: This is a digitally signed message part