[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SUA 168-1] Upcoming Debian 9 Update (9.10)

Debian Stable Updates Announcement SUA 168-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
September 3rd, 2019

Upcoming Debian 9 Update (9.10)

An update to Debian 9 is scheduled for Saturday, September 7th, 2019. As of
now it will include the following bug fixes. They can be found in "stretch-
proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "stretch-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following

  Package                    Reason
  -------                    ------

  base-files                 Update for the point release; add
                             VERSION_CODENAME to os-release

  basez                      Properly decode base64url encoded strings

  biomaj-watcher             Fix upgrades from jessie to stretch

  c-icap-modules             Add support for clamav 0.101.1

  chaosreader                Add missing dependency on libnet-dns-perl

  clamav                     New upstream stable release; new upstream
                             stable release with security fixes - add scan
                             time limit to mitigate against zip-bombs
                             [CVE-2019-12625]; fix out-of-bounds write
                             within the NSIS bzip2 library [CVE-2019-12900]

  corekeeper                 Do not use a world-writable /var/crash with the
                             dumper script; handle older versions of the
                             Linux kernel in a safer way; do not truncate
                             core names for executables with spaces

  cups                       Fix multiple security/disclosure issues - SNMP
                             buffer overflows [CVE-2019-8696 CVE-2019-8675],
                             IPP buffer overflow, Denial of Service and
                             memory disclosure issues in the scheduler

  dansguardian               Add support for clamav 0.101

  dar                        Rebuild to update "built-using" packages

  debian-archive-keyring     Add buster keys; remove wheezy keys

  fence-agents               Security fix [CVE-2019-10153]

  fig2dev                    Do not segfault on circle/half circle
                             arrowheads with a magnification larger than 42

  fribidi                    Fix right-to-left output in text edition of d-i

  fusiondirectory            Stricter checks on LDAP lookups; fix missing
                             dependency on php-xml

  gettext                    Stop xgettext() from crashing when run with
                             --its=FILE option

  glib2.0                    Create directory and file with restrictive
                             permissions when using the reate directory and
                             file with restrictive permissions when using
                             the [CVE-2019-13012]; avoid buffer read overrun
                             when formatting error messages for invalid
                             UTF-8 in GMarkup [CVE-2018-16429]; avoid NULL
                             dereference when parsing invalid GMarkup with a
                             malformed closing tag not paired with an
                             opening tag [CVE-2018-16429]

  gocode                     Gocode-auto-complete-el: Make Pre-Depends:
                             auto-complete-el versioned to fix upgrades from
                             jessie to stretch

  groonga                    Mitigate privilege escalation by changing the
                             owner and group of logs with "su" option

  grub2                      Fixes for Xen UEFI support

  gsoap                      Fix denial of service issue if a server
                             application is built with the -DWITH_COOKIES
                             flag [CVE-2019-7659]; fix issue with DIME
                             protocol receiver and malformed DIME headers

  gthumb                     Fix double-free bug [CVE-2018-18718]

  havp                       Add support for clamav 0.101.1

  icu                        Fix segfault in pkgdata command

  koji                       Fix SQL injection issue [CVE-2018-1002161];
                             properly validate SCM paths [CVE-2017-1002153]

  lemonldap-ng               Fix cross-domain authentication regression; fix
                             XML external entity vulnerability

  libcaca                    Fix integer overflow issues [CVE-2018-20545
                             CVE-2018-20546 CVE-2018-20547 CVE-2018-20548

  libclamunrar               New upstream stable release

  libconvert-units-perl      No-change rebuild with fixed version number

  libdatetime-timezone-perl  Update included data

  libebml                    Apply upstream fixes for heap-based buffer

  libevent-rpc-perl          Fix FTBFS due to expired test SSL certificates

  libgd2                     Fix uninitialized read in gdImageCreateFromXbm

  libgovirt                  Regenerate test certificates with expiration
                             date far in the future to avoid test failures

  librecad                   Fix denial of service via crafted file

  libsdl2-image              Multiple security issues

  libthrift-java             Fix bypass of SASL negotiation isComplete
                             validation [CVE-2018-1320]

  libtk-img                  Stop using internal copies of Jpeg, Zlib and
                             PixarLog codecs, fixing crashes

  libu2f-host                Fix filling out of initresp [CVE-2019-9578]

  libxslt                    Fix security framework bypass [CVE-2019-11068];
                             fix uninitialized read of xsl:number token
                             [CVE-2019-13117]; fix uninitialized read with
                             UTF-8 grouping chars [CVE-2019-13118]

  linux                      New upstream stable release

  linux-latest               Update for -11 kernel ABI

  liquidsoap                 Fix compilation with Ocaml 4.02

  llvm-toolchain-7           New package to support building new Firefox

  mariadb-10.1               New upstream stable release; security fixes
                             [CVE-2019-2737 CVE-2019-2739 CVE-2019-2740
                             CVE-2019-2805 CVE-2019-2627 CVE-2019-2614]

  minissdpd                  Prevent a use-after-free vulnerability that
                             would allow a remote attacker to crash the
                             process [CVE-2019-12106]

  miniupnpd                  Security fixes

  mitmproxy                  Blacklist tests that require Internet access;
                             prevent insertion of unwanted upper-bound
                             versioned dependencies

  monkeysphere               Fix build failure by updating the tests to
                             accommodate an updated GnuPG in stretch now
                             producing a different output

  nasm-mozilla               New package to support building new Firefox

  ncbi-tools6                Repackage without non-free data/UniVec.*

  node-growl                 Sanitize input before passing it to exec

  node-ws                    Restrict upload size [CVE-2016-10542]

  open-vm-tools              Fix possible security issue with the
                             permissions of the intermediate staging
                             directory and path

  openldap                   Security fixes

  openssh                    Fix deadlock in key matching

  passwordsafe               Don't install localization files under an extra

  pound                      Fix request smuggling via crafted headers

  prelink                    Rebuild to update "built-using" packages

  python-clamav              Add support for clamav 0.101.1

  reportbug                  Update release names, following Buster release

  resiprocate                Resolve an installation issue with libssl-dev
                             and --install-recommends

  sash                       Rebuild to update "built-using" packages

  sdl-image1.2               Fix buffer overflows [CVE-2018-3977
                             CVE-2019-5058 CVE-2019-5052], out-of-bounds
                             access [CVE-2019-12216 CVE-2019-12217
                             CVE-2019-12218 CVE-2019-12219 CVE-2019-12220
                             CVE-2019-12221 CVE-2019-12222 CVE-2019-5051]

  signing-party              Fix unsafe shell call enabling shell injection
                             via a User ID [CVE-2019-11627]

  slurm-llnl                 Fix potential heap overflow on 32-bit systems

  sox                        Fix several security issues [CVE-2019-8354
                             CVE-2019-8355 CVE-2019-8356 CVE-2019-8357
                             927906 CVE-2019-1010004 CVE-2017-18189 881121
                             CVE-2017-15642 882144 CVE-2017-15372 878808
                             CVE-2017-15371 878809 CVE-2017-15370 878810
                             CVE-2017-11359 CVE-2017-11358 CVE-2017-11332

  systemd                    Do not stop ndisc client in case of
                             configuration error

  t-digest                   No-change rebuild to avoid reuse of pre-epoch
                             version 3.0-1

  tenshi                     Fix PID file issue allows local users to kill
                             arbitrary processes [CVE-2017-11746]

  tzdata                     New upstream release

  unzip                      Fix incorrect parsing of 64-bit values in
                             fileio.c; fix zip-bomb issues [CVE-2019-13232]

  usbutils                   Update USB ID list

  xymon                      Fix several (server only) security issues
                             [CVE-2019-13273 CVE-2019-13274 CVE-2019-13451
                             CVE-2019-13452 CVE-2019-13455 CVE-2019-13484
                             CVE-2019-13485 CVE-2019-13486]

  yubico-piv-tool            Fix security issues [CVE-2018-14779

  z3                         Do not set the SONAME of libz3java.so to

  zfs-auto-snapshot          Make cronjobs exit silently after package

  zsh                        Rebuild to update "built-using" packages

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:


Removed packages

The following packages will be removed due to circumstances beyond our

  Package                    Reason
  -------                    ------

  pump                       Unmaintained; security issues

  teeworlds                  Security issues; incompatible with current

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: