[SUA 162-1] Upcoming Debian 9 Update (9.9)

Debian Stable Updates Announcement SUA 162-1
debian-release@lists.debian.org                              Adam D. Barratt
April 22nd, 2019

Upcoming Debian 9 Update (9.9)

An update to Debian 9 is scheduled for Saturday, April 27th, 2019. As of now
it will include the following bug fixes. They can be found in "stretch-
proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "stretch-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following

  Package                    Reason
  -------                    ------

  audiofile                  Security issues [CVE-2018-13440 CVE-2018-17095]

  base-files                 Update for the point release

  bwa                        Security fix [CVE-2019-10269]

  ca-certificates-java       Fix bashisms in postinst and jks-keystore

  cernlib                    Apply optimization flag -O to fortran modules
                             instead of -O2 which generates broken code; fix
                             FTBFS on arm64 by disabling PIE for Fortran

  choose-mirror              Update included mirror list

  chrony                     Fix logging of measurements and statistics, and
                             stopping of chronyd, on some platforms when
                             seccomp filtering is enabled

  ckermit                    Drop OpenSSL version check

  clamav                     Security updates: out-of-bounds heap read
                             condition may occur when scanning PDF documents
                             [CVE-2019-1787]; out-of-bounds heap read
                             condition may occur when scanning PE files
                             packed using Aspack [CVE-2019-1789]; out-of-
                             bounds heap write condition may occur when
                             scanning OLE2 files [CVE-2019-1788]

  dansguardian               Add "missingok" to logrotate configuration

  debian-security-support    Update support statuses

  diffoscope                 Fix tests to work with Ghostscript 9.26

  dns-root-data              Update root data to 2019031302

  dnsruby                    Add new root key (KSK-2017); ruby 2.3.0
                             deprecates TimeoutError, use Timeout::Error

  dpdk                       New upstream release

  edk2                       Fix buffer overflow in BlockIo service
                             [CVE-2018-12180]; DNS: Check received packet
                             size before using [CVE-2018-12178]; fix stack
                             overflow with corrupted BMP [CVE-2018-12181]

  firmware-nonfree           atheros / iwlwifi: update BT firmware

  flatpak                    Reject all ioctls that the kernel will
                             interpret as TIOCSTI [CVE-2019-10063]

  geant321                   Rebuild against cernlib with fixed Fortran

  gnome-chemistry-utils      Drop the obsolete gcu-plugin package

  gocode                     gocode-auto-complete-el: Promote auto-complete-
                             el to Pre-Depends

  gpac                       Security fixes [CVE-2018-7752 CVE-2018-13005
                             CVE-2018-13006 CVE-2018-20760 CVE-2018-20761
                             CVE-2018-20762 CVE-2018-20763]

  icedtea-web                Stop building the browser plugin, as it no
                             longer works with Firefox 60

  igraph                     Fix a crash when loading malformed GraphML
                             files [CVE-2018-20349]

  jabref                     Fix XML External Entity attack

  java-common                Remove default-java-plugin as the icedtea-web
                             Xul plugin is going away

  jquery                     Prevent Object.prototype pollution

  kauth                      Fix insecure handling of arguments in helpers

  libdate-holidays-de-perl   Add March 8th (from 2019 onwards) and May 8th
                             (2020 only) as public holidays (Berlin only)

  libdatetime-timezone-perl  Update included data

  libreoffice                Introduce next Japanese gengou era 'Reiwa';
                             make -core conflict against openjdk-8-jre-
                             headless (= 8u181-b13-2~deb9u1), which had a
                             broken ClassPathURLCheck

  linux                      New upstream stable version

  linux-latest               Update for -9 kernel ABI

  mariadb-10.1               New upstream release

  mclibs                     Rebuild against cernlib with fixed Fortran

  ncmpc                      Fix NULL pointer dereference [CVE-2018-9240]

  node-superagent            Fix ZIP bomb attacks [CVE-2017-16129]

  nvidia-graphics-drivers    New upstream release [CVE-2018-6260]

  nvidia-settings            New upstream release

  obs-build                  Do not allow writing to files in the host
                             system [CVE-2017-14804]

  paw                        Rebuild against cernlib with fixed Fortran

  perlbrew                   Allow HTTPS CPAN URLs

  postfix                    New upstream stable release

  postgresql-9.6             New upstream version

  psk31lx                    Make version sort correctly to avoid potential
                             upgrade issues

  publicsuffix               Update included data

  pyca                       Add "missingok" to logrotate configuration

  python-certbot             Revert to debhelper compat 9, to ensure systemd
                             timers are correctly started

  python-cryptography        Remove BIO_callback_ctrl: its prototype differs
                             from OpenSSL's definition after OpenSSL changed
                             (fixed) it

  python-django-casclient    Apply django 1.10 middleware fix;
                             python(3)-django-casclient: add missing
                             dependencies on python(3)-django

  python-mode                Remove support for xemacs21

  python-pip                 Properly catch requests' HTTPError in index.py

  python-pykmip              Fix potential DoS error [CVE-2018-1000872]

  r-cran-igraph              Security fix [CVE-2018-20349]

  rails                      Security fixes [CVE-2018-16476 CVE-2019-5418

  rsync                      Several security fixes for zlib [CVE-2016-9840
                             CVE-2016-9841 CVE-2016-9842 CVE-2016-9843]

  ruby-i18n                  Prevent a remote denial-of-service
                             vulnerability [CVE-2014-10077]

  ruby2.3                    Fix build failure

  runc                       Security fix [CVE-2019-5736]

  systemd                    journald: fix assertion failure on
                             journal_file_link_data; tmpfiles: fix "e" to
                             support shell style globs; mount-util: accept
                             that name_to_handle_at() might fail with EPERM;
                             automount: ack automount requests even when
                             already mounted [CVE-2018-1049]; fix potential
                             root privilege escalation [CVE-2018-15686]

  twitter-bootstrap3         Fix XSS in tooltip or popover [CVE-2019-8331]

  tzdata                     New upstream release

  unzip                      Fix buffer overflow in password protected ZIP
                             archives [CVE-2018-1000035]

  vcftools                   Security fixes [CVE-2018-11099 CVE-2018-11129

  vips                       Fix NULL function pointer dereference
                             [CVE-2018-7998], uninitialised memory access

  waagent                    New upstream release, with many Azure fixes

  yorick-av                  Rescale frame timestamps; set VBV buffer size
                             for MPEG1/2 files

  zziplib                    Fix invalid memory access in zzip_disk_fread
                             [CVE-2018-6381], bus error in
                             zzip_disk_findfirst function in zzip/mmapped.c
                             [CVE-2018-6540], out of bound read in
                             mmapped.c:zzip_disk_fread() [CVE-2018-7725],
                             crash via crafted zip file [CVE-2018-7726],
                             memory leak triggered in the function
                             __zzip_parse_root_directory in zip.c
                             [CVE-2018-16548]; reject ZIP file if the size
                             of the central directory and/or the offset of
                             start of central directory point beyond the end
                             of the ZIP file [CVE-2018-6484, CVE-2018-6541,

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:


Removed packages

The following packages will be removed due to circumstances beyond our

  Package                    Reason
  -------                    ------

  gcontactsync               Incompatible with newer firefox-esr versions

  google-tasks-sync          Incompatible with newer firefox-esr versions

  mozilla-gnome-keyring      Incompatible with newer firefox-esr versions

  tbdialout                  Incompatible with newer thunderbird versions

  timeline                   Incompatible with newer thunderbird versions

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".

