[SUA 168-1] Upcoming Debian 9 Update (9.10)



----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 168-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
September 3rd, 2019
----------------------------------------------------------------------------

Upcoming Debian 9 Update (9.10)

An update to Debian 9 is scheduled for Saturday, September 7th, 2019. As of
now it will include the following bug fixes. They can be found in
"stretch-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "stretch-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.


Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following
packages:

  Package                    Reason
  -------                    ------

  base-files                 Update for the point release; add
                             VERSION_CODENAME to os-release

  basez                      Properly decode base64url encoded strings

  biomaj-watcher             Fix upgrades from jessie to stretch

  c-icap-modules             Add support for clamav 0.101.1

  chaosreader                Add missing dependency on libnet-dns-perl

  clamav                     New upstream stable release; new upstream
                             stable release with security fixes - add scan
                             time limit to mitigate against zip-bombs
                             [CVE-2019-12625]; fix out-of-bounds write
                             within the NSIS bzip2 library [CVE-2019-12900]

  corekeeper                 Do not use a world-writable /var/crash with the
                             dumper script; handle older versions of the
                             Linux kernel in a safer way; do not truncate
                             core names for executables with spaces

  cups                       Fix multiple security/disclosure issues - SNMP
                             buffer overflows [CVE-2019-8696 CVE-2019-8675],
                             IPP buffer overflow, Denial of Service and
                             memory disclosure issues in the scheduler

  dansguardian               Add support for clamav 0.101

  dar                        Rebuild to update "built-using" packages

  debian-archive-keyring     Add buster keys; remove wheezy keys

  fence-agents               Security fix [CVE-2019-10153]

  fig2dev                    Do not segfault on circle/half circle
                             arrowheads with a magnification larger than 42
                             [CVE-2019-14275]

  fribidi                    Fix right-to-left output in text edition of d-i

  fusiondirectory            Stricter checks on LDAP lookups; fix missing
                             dependency on php-xml

  gettext                    Stop xgettext() from crashing when run with
                             --its=FILE option

  glib2.0                    Create directory and file with restrictive
                             permissions [CVE-2019-13012]; avoid buffer read
                             overrun when formatting error messages for
                             invalid UTF-8 in GMarkup [CVE-2018-16429]; avoid
                             NULL dereference when parsing invalid GMarkup
                             with a malformed closing tag not paired with an
                             opening tag [CVE-2018-16429]

  gocode                     Gocode-auto-complete-el: Make Pre-Depends:
                             auto-complete-el versioned to fix upgrades from
                             jessie to stretch

  groonga                    Mitigate privilege escalation by changing the
                             owner and group of logs with "su" option

  grub2                      Fixes for Xen UEFI support

  gsoap                      Fix denial of service issue if a server
                             application is built with the -DWITH_COOKIES
                             flag [CVE-2019-7659]; fix issue with DIME
                             protocol receiver and malformed DIME headers

  gthumb                     Fix double-free bug [CVE-2018-18718]

  havp                       Add support for clamav 0.101.1

  icu                        Fix segfault in pkgdata command

  koji                       Fix SQL injection issue [CVE-2018-1002161];
                             properly validate SCM paths [CVE-2017-1002153]

  lemonldap-ng               Fix cross-domain authentication regression; fix
                             XML external entity vulnerability

  libcaca                    Fix integer overflow issues [CVE-2018-20545
                             CVE-2018-20546 CVE-2018-20547 CVE-2018-20548
                             CVE-2018-20549]

  libclamunrar               New upstream stable release

  libconvert-units-perl      No-change rebuild with fixed version number

  libdatetime-timezone-perl  Update included data

  libebml                    Apply upstream fixes for heap-based buffer
                             over-reads

  libevent-rpc-perl          Fix FTBFS due to expired test SSL certificates

  libgd2                     Fix uninitialized read in gdImageCreateFromXbm
                             [CVE-2019-11038]

  libgovirt                  Regenerate test certificates with expiration
                             date far in the future to avoid test failures

  librecad                   Fix denial of service via crafted file
                             [CVE-2018-19105]

  libsdl2-image              Multiple security issues

  libthrift-java             Fix bypass of SASL negotiation isComplete
                             validation [CVE-2018-1320]

  libtk-img                  Stop using internal copies of Jpeg, Zlib and
                             PixarLog codecs, fixing crashes

  libu2f-host                Fix filling out of initresp [CVE-2019-9578]

  libxslt                    Fix security framework bypass [CVE-2019-11068];
                             fix uninitialized read of xsl:number token
                             [CVE-2019-13117]; fix uninitialized read with
                             UTF-8 grouping chars [CVE-2019-13118]

  linux                      New upstream stable release

  linux-latest               Update for -11 kernel ABI

  liquidsoap                 Fix compilation with Ocaml 4.02

  llvm-toolchain-7           New package to support building new Firefox
                             versions

  mariadb-10.1               New upstream stable release; security fixes
                             [CVE-2019-2737 CVE-2019-2739 CVE-2019-2740
                             CVE-2019-2805 CVE-2019-2627 CVE-2019-2614]

  minissdpd                  Prevent a use-after-free vulnerability that
                             would allow a remote attacker to crash the
                             process [CVE-2019-12106]

  miniupnpd                  Security fixes

  mitmproxy                  Blacklist tests that require Internet access;
                             prevent insertion of unwanted upper-bound
                             versioned dependencies

  monkeysphere               Fix build failure by updating the tests to
                             accommodate an updated GnuPG in stretch now
                             producing a different output

  nasm-mozilla               New package to support building new Firefox
                             versions

  ncbi-tools6                Repackage without non-free data/UniVec.*

  node-growl                 Sanitize input before passing it to exec

  node-ws                    Restrict upload size [CVE-2016-10542]

  open-vm-tools              Fix possible security issue with the
                             permissions of the intermediate staging
                             directory and path

  openldap                   Security fixes

  openssh                    Fix deadlock in key matching

  passwordsafe               Don't install localization files under an extra
                             subdirectory

  pound                      Fix request smuggling via crafted headers
                             [CVE-2016-10711]

  prelink                    Rebuild to update "built-using" packages

  python-clamav              Add support for clamav 0.101.1

  reportbug                  Update release names, following Buster release

  resiprocate                Resolve an installation issue with libssl-dev
                             and --install-recommends

  sash                       Rebuild to update "built-using" packages

  sdl-image1.2               Fix buffer overflows [CVE-2018-3977
                             CVE-2019-5058 CVE-2019-5052], out-of-bounds
                             access [CVE-2019-12216 CVE-2019-12217
                             CVE-2019-12218 CVE-2019-12219 CVE-2019-12220
                             CVE-2019-12221 CVE-2019-12222 CVE-2019-5051]

  signing-party              Fix unsafe shell call enabling shell injection
                             via a User ID [CVE-2019-11627]

  slurm-llnl                 Fix potential heap overflow on 32-bit systems
                             [CVE-2019-6438]

  sox                        Fix several security issues [CVE-2019-8354
                             CVE-2019-8355 CVE-2019-8356 CVE-2019-8357
                             927906 CVE-2019-1010004 CVE-2017-18189 881121
                             CVE-2017-15642 882144 CVE-2017-15372 878808
                             CVE-2017-15371 878809 CVE-2017-15370 878810
                             CVE-2017-11359 CVE-2017-11358 CVE-2017-11332]

  systemd                    Do not stop ndisc client in case of
                             configuration error

  t-digest                   No-change rebuild to avoid reuse of pre-epoch
                             version 3.0-1

  tenshi                     Fix PID file issue that allows local users to
                             kill arbitrary processes [CVE-2017-11746]

  tzdata                     New upstream release

  unzip                      Fix incorrect parsing of 64-bit values in
                             fileio.c; fix zip-bomb issues [CVE-2019-13232]

  usbutils                   Update USB ID list

  xymon                      Fix several (server only) security issues
                             [CVE-2019-13273 CVE-2019-13274 CVE-2019-13451
                             CVE-2019-13452 CVE-2019-13455 CVE-2019-13484
                             CVE-2019-13485 CVE-2019-13486]

  yubico-piv-tool            Fix security issues [CVE-2018-14779
                             CVE-2018-14780]

  z3                         Do not set the SONAME of libz3java.so to
                             libz3.so.4

  zfs-auto-snapshot          Make cronjobs exit silently after package
                             removal

  zsh                        Rebuild to update "built-using" packages


A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/oldstable.html>


Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

  Package                    Reason
  -------                    ------

  pump                       Unmaintained; security issues

  teeworlds                  Security issues; incompatible with current
                             servers


If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
