[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SUA 184-1] Upcoming Debian 9 Update (9.13)

Debian Stable Updates Announcement SUA 184-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
July 13th, 2020

Upcoming Debian 9 Update (9.13)

The final point release for Debian 9 is scheduled for Saturday, July 18th,
2020. As of now it will include the following bug fixes. They can be found
in "stretch-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "stretch-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following

  Package                    Reason
  -------                    ------

  acmetool                   Rebuild against recent golang to pick up
                             security fixes

  atril                      dvi: Mitigate command injection attacks by
                             quoting filename [CVE-2017-1000159]; fix
                             overflow checks in tiff backend
                             [CVE-2019-1010006]; tiff: Handle failure from
                             TIFFReadRGBAImageOriented [CVE-2019-11459]

  bacula                     Add transitional package bacula-director-
                             common, avoiding loss of /etc/bacula/bacula-
                             dir.conf when purged; make PID files owned by

  base-files                 Update /etc/debian_version for the point

  batik                      Fix server-side request forgery via xlink:href
                             attributes [CVE-2019-17566]

  c-icap-modules             Support ClamAV 0.102

  ca-certificates            Update Mozilla CA bundle to 2.40, blacklist
                             distrusted Symantec roots and expired "AddTrust
                             External Root"; remove e-mail only certificates

  chasquid                   Rebuild against recent golang to pick up
                             security fixes

  checkstyle                 Fix XML External Entity injection issue
                             [CVE-2019-9658 CVE-2019-10782]

  clamav                     New upstream release [CVE-2020-3123]; security
                             fixes [CVE-2020-3327 CVE-2020-3341]

  compactheader              New upstream version, compatible with newer
                             Thunderbird versions

  cram                       Ignore test failures to fix build issues

  csync2                     Fail HELLO command when SSL is required

  cups                       Fix heap buffer overflow [CVE-2020-3898] and
                             "the `ippReadIO` function may under-read an
                             extension field" [CVE-2019-8842]

  dbus                       New upstream stable release; prevent a denial
                             of service issue [CVE-2020-12049]; prevent use-
                             after-free if two usernames share a uid

  debian-installer           Update for the 4.9.0-13 Linux kernel ABI

  debian-installer-netboot-  Update for the 4.9.0-13 Linux kernel ABI

  debian-security-support    Update support status of several packages

  erlang                     Fix use of weak TLS ciphers [CVE-2020-12872]

  exiv2                      Fix denial of service issue [CVE-2018-16336];
                             fix over-restrictive fix for CVE-2018-10958 and

  fex                        Security update

  file-roller                Security fix [CVE-2020-11736]

  fwupd                      New upstream release; use a CNAME to redirect
                             to the correct CDN for metadata; do not abort
                             startup if the XML metadata file is invalid;
                             add the Linux Foundation public GPG keys for
                             firmware and metadata; raise the metadata limit
                             to 10MB

  glib-networking            Return bad identity error if identity is unset

  gnutls28                   Fix memory corruption issue [CVE-2019-3829];
                             fix memory leak; add support for zero length
                             session tickets, fix connection errors on
                             TLS1.2 sessions to some hosting providers

  gosa                       Tighten check on LDAP success/failure
                             [CVE-2019-11187]; fix compatibility with newer
                             PHP versions; backport several other patches;
                             replace (un)serialize with
                             json_encode/json_decode to mitigate PHP object
                             injection [CVE-2019-14466]

  heartbleeder               Rebuild against recent golang to pick up
                             security fixes

  intel-microcode            Downgrade some microcodes to previously
                             released revisions, working around hangs on
                             boot on Skylake-U/Y and Skylake Xeon E3

  iptables-persistent        Don't fail if modprobe does

  jackson-databind           Fix multiple security issues affecting
                             BeanDeserializerFactory [CVE-2020-9548
                             CVE-2020-9547 CVE-2020-9546 CVE-2020-8840
                             CVE-2020-14195 CVE-2020-14062 CVE-2020-14061
                             CVE-2020-14060 CVE-2020-11620 CVE-2020-11619
                             CVE-2020-11113 CVE-2020-11112 CVE-2020-11111
                             CVE-2020-10969 CVE-2020-10968 CVE-2020-10673
                             CVE-2020-10672 CVE-2019-20330 CVE-2019-17531
                             and CVE-2019-17267]

  libbusiness-hours-perl     Use explicit 4 digit years, fixing build and
                             usage issues

  libclamunrar               New upstream stable release; add an unversioned

  libdbi                     Comment out _error_handler() call again, fixing
                             issues with consumers

  libembperl-perl            Handle error pages from Apache >= 2.4.40

  libexif                    Security fixes [CVE-2016-6328 CVE-2017-7544
                             CVE-2018-20030 CVE-2020-12767 CVE-2020-0093
                             CVE-2020-13112 CVE-2020-13113 CVE-2020-13114];
                             fix a buffer read overflow [CVE-2020-0182] and
                             an unsigned integer overflow [CVE-2020-0198]

  libvncserver               Fix heap overflow [CVE-2019-15690]

  linux                      New upstream stable release; update ABI to

  linux-latest               Update for 4.9.0-13 kernel ABI

  mariadb-10.1               New upstream stable release; security fixes
                             [CVE-2020-2752 CVE-2020-2812 CVE-2020-2814]

  megatools                  Add support for the new format of mega.nz links

  mod-gnutls                 Avoid deprecated ciphersuites in test suite;
                             fix test failures when combined with Apache's
                             fix for CVE-2019-10092

  mongo-tools                Rebuild against recent golang to pick up
                             security fixes

  neon27                     Treat OpenSSL-related test failures as non-

  nfs-utils                  Fix potential file overwrite vulnerability
                             [CVE-2019-3689]; don't make all of /var/lib/nfs
                             owned by the statd user

  nginx                      Fix error page request smuggling vulnerability

  node-url-parse             Sanitize paths and hosts before parsing

  nvidia-graphics-drivers    New upstream stable release; security fixes
                             [CVE-2020-5963 CVE-2020-5967]

  pcl                        Fix missing dependency on libvtk6-qt-dev

  perl                       Fix multiple regular expression related
                             security issues [CVE-2020-10543 CVE-2020-10878

  php-horde                  Fix cross-site scripting vulnerability

  php-horde-data             Fix authenticated remote code execution
                             vulnerability [CVE-2020-8518]

  php-horde-form             Fix authenticated remote code execution
                             vulnerability [CVE-2020-8866]

  php-horde-gollem           Fix cross-site scripting vulnerability in
                             breadcrumb output [CVE-2020-8034]

  php-horde-trean            Fix authenticated remote code execution
                             vulnerability [CVE-2020-8865]

  phpmyadmin                 Several security fixes [CVE-2018-19968
                             CVE-2018-19970 CVE-2018-7260 CVE-2019-11768
                             CVE-2019-12616 CVE-2019-6798 CVE-2019-6799
                             CVE-2020-10802 CVE-2020-10803 CVE-2020-10804

  postfix                    New upstream stable release

  proftpd-dfsg               Fix handling SSH_MSG_IGNORE packets

  python-icalendar           Fix Python3 dependencies

  rails                      Fix possible cross-site scripting via
                             Javascript escape helper [CVE-2020-5267]

  rake                       Fix command injection vulnerability

  roundcube                  Fix cross-site scripting issue via HTML
                             messages with malicious svg/namespace

  ruby-json                  Fix unsafe object creation vulnerability

  ruby2.3                    Fix unsafe object creation vulnerability

  sendmail                   Fix finding the queue runner control process in
                             "split daemon" mode, "NOQUEUE: connect from
                             (null)", removal failure when using BTRFS

  sogo-connector             New upstream version, compatible with newer
                             Thunderbird versions

  ssvnc                      Fix out-of-bounds write [CVE-2018-20020],
                             infinite loop [CVE-2018-20021], improper
                             initialisation [CVE-2018-20022], potential
                             denial-of-service [CVE-2018-20024]

  storebackup                Fix possible privilege escalation vulnerability

  swt-gtk                    Fix missing dependency on libwebkitgtk-1.0-0

  tinyproxy                  Create PID file before dropping privileges to
                             non-root account [CVE-2017-11747]

  tzdata                     New upstream stable release

  websockify                 Fix missing dependency on python{3,}-pkg-

  wpa                        Fix AP mode PMF disconnection protection bypass
                             [CVE-2019-16275]; fix MAC randomisation issues
                             with some cards

  xdg-utils                  Sanitise window name before sending it over
                             D-Bus; correctly handle directories with names
                             containing spaces; create the "applications"
                             directory if needed

  xml-security-c             Fix length calculation in the concat method

  xtrlock                    Fix blocking of (some) multitouch devices while
                             locked [CVE-2016-10894]

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:


Removed packages

The following packages will be removed due to circumstances beyond our

  Package                    Reason
  -------                    ------

  certificatepatrol          Incompatible with newer Firefox ESR versions

  colorediffs-extension      Incompatible with newer Thunderbird versions

  dynalogin                  Depends on to-be-removed simpleid

  enigmail                   Incompatible with newer Thunderbird versions

  firefox-esr [armel]        No longer supported (requires nodejs)

  firefox-esr [mips mipsel   No longer supported (needs newer rustc)

  getlive                    Broken due to Hotmail changes

  gplaycli                   Broken by Google API changes

  kerneloops                 Upstream service no longer available

  libmicrodns                Security issues

  libperlspeak-perl          Security issues; unmaintained

  mathematica-fonts          Relies on unavailable download location

  pdns-recursor              Security issues; unsupported

  predictprotein             Depends on to-be-removed profphd

  profphd                    Unusable

  quotecolors                Incompatible with newer Thunderbird versions

  selenium-firefoxdriver     Incompatible with newer Firefox ESR versions

  simpleid                   Does not work with PHP7

  simpleid-ldap              Depends on to-be-removed simpleid

  torbirdy                   Incompatible with newer Thunderbird versions

  weboob                     Unmaintained; already removed from later

  yahoo2mbox                 Broken for several years

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: