[SUA 176-1] Upcoming Debian 9 Update (9.12)

Debian Stable Updates Announcement SUA 176-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
February 3rd, 2020

Upcoming Debian 9 Update (9.12)

An update to Debian 9 is scheduled for Saturday, February 8th, 2020. As 
of now it will include the following bug fixes. They can be found in 
"stretch-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "stretch-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following

  Package                    Reason
  -------                    ------

  base-files                 Update for the point release

  cargo                      New upstream version, to support firefox-esr

  clamav                     New upstream release; fix denial of service
                             issue [CVE-2019-15961]; remove ScanOnAccess
                             option, replacing with clamonacc

  cups                       Fix validation of default language in
                             ippSetValuetag [CVE-2019-2228]

  debian-security-support    Update security support status of several

  dehydrated                 New upstream release; use ACMEv2 API by

  dispmua                    New upstream release compatible with
                             Thunderbird 68

  dpdk                       New upstream stable release; fix vhost
                             regression introduced by the fix for

  fence-agents               Fix incomplete removal of fence_amt_ws

  fig2dev                    Allow Fig v2 text strings ending with multiple
                             ^A [CVE-2019-19555]

  flightcrew                 Security fixes [CVE-2019-13032 CVE-2019-13241]

  freetype                   Correctly handle deltas in TrueType GX fonts,
                             fixing rendering of variable hinted fonts in
                             Chromium and Firefox

  glib2.0                    Ensure libdbus clients can authenticate with a
                             GDBusServer like the one in ibus

  gnustep-base               Fix UDP amplification vulnerability

  italc                      Security fixes [CVE-2018-15126 CVE-2018-15127
                             CVE-2018-20019 CVE-2018-20020 CVE-2018-20021
                             CVE-2018-20022 CVE-2018-20023 CVE-2018-20024
                             CVE-2018-20748 CVE-2018-20749 CVE-2018-20750
                             CVE-2018-6307 CVE-2018-7225 CVE-2019-15681]

  libdate-holidays-de-perl   Mark International Children's Day (Sep 20th) as
                             a holiday in Thuringia from 2019 onwards

  libdatetime-timezone-perl  Update included data

  libidn                     Fix denial of service vulnerability in Punycode
                             handling [CVE-2017-14062]

  libjaxen-java              Fix build failure by allowing test failures

  libofx                     Fix NULL pointer dereference issue

  libole-storage-lite-perl   Fix interpretation of years from 2020 onwards

  libparse-win32registry-    Fix interpretation of years from 2020 onwards

  libperl4-corelibs-perl     Fix interpretation of years from 2020 onwards

  libpst                     Fix detection of get_current_dir_name and
                             return truncation

  libsixel                   Fix several security issues [CVE-2018-19756
                             CVE-2018-19757 CVE-2018-19759 CVE-2018-19761
                             CVE-2018-19762 CVE-2018-19763 CVE-2019-3573

  libsolv                    Fix heap buffer overflow [CVE-2019-20387]

  libtest-mocktime-perl      Fix interpretation of years from 2020 onwards

  libtimedate-perl           Fix interpretation of years from 2020 onwards

  libvncserver               rfbserver: don't leak stack memory to the
                             remote [CVE-2019-15681]; resolve a freeze
                             during connection closure and a segmentation
                             fault on multi-threaded VNC servers; fix issue
                             connecting to VMWare servers; fix crashing of
                             x11vnc when vncviewer connects

  libxslt                    Fix dangling pointer in xsltCopyText

  limnoria                   Fix remote information disclosure and possibly
                             remote code execution in the Math plugin

  linux                      New upstream stable release

  linux-latest               Update for Linux kernel ABI 4.9.0-12

  llvm-toolchain-7           Disable the gold linker on s390x; bootstrap
                             with -fno-addrsig, as stretch's binutils doesn't
                             work with it on mips64el

  mariadb-10.1               New upstream stable release [CVE-2019-2974

  monit                      Implement position independent CSRF cookie

  node-fstream               Clobber a Link if it's in the way of a File

  node-mixin-deep            Fix prototype pollution [CVE-2018-3719

  nodejs-mozilla             New package to support firefox-esr backports

  nvidia-graphics-drivers-   New upstream stable release

  nyancat                    Rebuild in a clean environment to add the
                             systemd unit for nyancat-server

  openjpeg2                  Fix heap overflow [CVE-2018-21010], integer
                             overflow [CVE-2018-20847] and division by zero

  perl                       Fix interpretation of years from 2020 onwards

  php-horde                  Fix stored cross-site scripting issue in Horde
                             Cloud Block [CVE-2019-12095]

  postfix                    New upstream stable release; work around poor
                             TCP loopback performance

  postgresql-9.6             New upstream release

  proftpd-dfsg               Fix NULL pointer dereference in CRL checks

  pykaraoke                  Fix path to fonts

  python-acme                Switch to POST-as-GET protocol

  python-cryptography        Fix test suite failures when built against
                             newer OpenSSL versions

  python-flask-rdf           Fix missing dependencies in python3-flask-rdf

  python-pgmagick            Handle version detection of graphicsmagick
                             security updates that identify themselves as
                             version 1.4

  python-werkzeug            Ensure Docker containers have unique debugger
                             PINs [CVE-2019-14806]

  ros-ros-comm               Fix buffer overflow issue [CVE-2019-13566]; fix
                             integer overflow [CVE-2019-13445]

  ruby-encryptor             Ignore test failures, fixing build failures

  rust-cbindgen              New package to support firefox-esr backports

  rustc                      New upstream version, to support firefox-esr

  safe-rm                    Prevent installation in (and thereby breaking
                             of) merged /usr environments

  sorl-thumbnail             Work around a pgmagick exception

  sssd                       sysdb: sanitize search filter input

  tigervnc                   Security updates [CVE-2019-15691 CVE-2019-15692
                             CVE-2019-15693 CVE-2019-15694 CVE-2019-15695]

  tightvnc                   Security fixes [CVE-2014-6053 2019-8287
                             CVE-2018-20021 CVE-2018-20022 CVE-2018-20748
                             CVE-2018-7225 CVE-2019-15678 CVE-2019-15679
                             CVE-2019-15680 CVE-2019-15681 CVE-2019-8287]

  tmpreaper                  Add `--protect '/tmp/systemd-private*/*'` to
                             cron job to prevent breaking systemd services
                             that have PrivateTmp=true

  tzdata                     New upstream release

  ublock-origin              New upstream version, compatible with Firefox

  unhide                     Fix stack exhaustion

  x2goclient                 Strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/}
                             from destination paths in scp mode; fixes
                             regression with newer libssh versions with
                             fixes for CVE-2019-14889 applied

  xml-security-c             Fix "DSA verification crashes OpenSSL on
                             invalid combinations of key content"

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:


Removed packages

The following packages will be removed due to circumstances beyond our

  Package                    Reason
  -------                    ------

  firetray                   Incompatible with current Thunderbird versions

  koji                       Security issues

  python-lamson              Broken by changes in python-daemon

  ruby-simple-form           Unused; security issues

  trafficserver              Unsupportable

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".

