----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 184-1        https://www.debian.org/
debian-release@lists.debian.org                            Adam D. Barratt
July 13th, 2020
----------------------------------------------------------------------------

Upcoming Debian 9 Update (9.13)

The final point release for Debian 9 is scheduled for Saturday, July 18th,
2020. As of now it will include the following bug fixes. They can be found
in "stretch-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "stretch-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following
packages:

Package                  Reason
-------                  ------
acmetool                 Rebuild against recent golang to pick up security
                         fixes
atril                    dvi: Mitigate command injection attacks by quoting
                         filename [CVE-2017-1000159]; fix overflow checks in
                         tiff backend [CVE-2019-1010006]; tiff: Handle
                         failure from TIFFReadRGBAImageOriented
                         [CVE-2019-11459]
bacula                   Add transitional package bacula-director-common,
                         avoiding loss of /etc/bacula/bacula-dir.conf when
                         purged; make PID files owned by root
base-files               Update /etc/debian_version for the point release
batik                    Fix server-side request forgery via xlink:href
                         attributes [CVE-2019-17566]
c-icap-modules           Support ClamAV 0.102
ca-certificates          Update Mozilla CA bundle to 2.40, blacklist
                         distrusted Symantec roots and expired "AddTrust
                         External Root"; remove e-mail only certificates
chasquid                 Rebuild against recent golang to pick up security
                         fixes
checkstyle               Fix XML External Entity injection issue
                         [CVE-2019-9658 CVE-2019-10782]
clamav                   New upstream release [CVE-2020-3123]; security fixes
                         [CVE-2020-3327 CVE-2020-3341]
compactheader            New upstream version, compatible with newer
                         Thunderbird versions
cram                     Ignore test failures to fix build issues
csync2                   Fail HELLO command when SSL is required
cups                     Fix heap buffer overflow [CVE-2020-3898] and "the
                         `ippReadIO` function may under-read an extension
                         field" [CVE-2019-8842]
dbus                     New upstream stable release; prevent a denial of
                         service issue [CVE-2020-12049]; prevent
                         use-after-free if two usernames share a uid
debian-installer         Update for the 4.9.0-13 Linux kernel ABI
debian-installer-netboot-images
                         Update for the 4.9.0-13 Linux kernel ABI
debian-security-support  Update support status of several packages
erlang                   Fix use of weak TLS ciphers [CVE-2020-12872]
exiv2                    Fix denial of service issue [CVE-2018-16336]; fix
                         over-restrictive fix for CVE-2018-10958 and
                         CVE-2018-10999
fex                      Security update
file-roller              Security fix [CVE-2020-11736]
fwupd                    New upstream release; use a CNAME to redirect to
                         the correct CDN for metadata; do not abort startup
                         if the XML metadata file is invalid; add the Linux
                         Foundation public GPG keys for firmware and
                         metadata; raise the metadata limit to 10MB
glib-networking          Return bad identity error if identity is unset
                         [CVE-2020-13645]
gnutls28                 Fix memory corruption issue [CVE-2019-3829]; fix
                         memory leak; add support for zero length session
                         tickets, fix connection errors on TLS1.2 sessions
                         to some hosting providers
gosa                     Tighten check on LDAP success/failure
                         [CVE-2019-11187]; fix compatibility with newer PHP
                         versions; backport several other patches; replace
                         (un)serialize with json_encode/json_decode to
                         mitigate PHP object injection [CVE-2019-14466]
heartbleeder             Rebuild against recent golang to pick up security
                         fixes
intel-microcode          Downgrade some microcodes to previously released
                         revisions, working around hangs on boot on
                         Skylake-U/Y and Skylake Xeon E3
iptables-persistent      Don't fail if modprobe does
jackson-databind         Fix multiple security issues affecting
                         BeanDeserializerFactory [CVE-2020-9548
                         CVE-2020-9547 CVE-2020-9546 CVE-2020-8840
                         CVE-2020-14195 CVE-2020-14062 CVE-2020-14061
                         CVE-2020-14060 CVE-2020-11620 CVE-2020-11619
                         CVE-2020-11113 CVE-2020-11112 CVE-2020-11111
                         CVE-2020-10969 CVE-2020-10968 CVE-2020-10673
                         CVE-2020-10672 CVE-2019-20330 CVE-2019-17531 and
                         CVE-2019-17267]
libbusiness-hours-perl   Use explicit 4 digit years, fixing build and usage
                         issues
libclamunrar             New upstream stable release; add an unversioned
                         meta-package
libdbi                   Comment out _error_handler() call again, fixing
                         issues with consumers
libembperl-perl          Handle error pages from Apache >= 2.4.40
libexif                  Security fixes [CVE-2016-6328 CVE-2017-7544
                         CVE-2018-20030 CVE-2020-12767 CVE-2020-0093
                         CVE-2020-13112 CVE-2020-13113 CVE-2020-13114]; fix
                         a buffer read overflow [CVE-2020-0182] and an
                         unsigned integer overflow [CVE-2020-0198]
libvncserver             Fix heap overflow [CVE-2019-15690]
linux                    New upstream stable release; update ABI to 4.9.0-13
linux-latest             Update for 4.9.0-13 kernel ABI
mariadb-10.1             New upstream stable release; security fixes
                         [CVE-2020-2752 CVE-2020-2812 CVE-2020-2814]
megatools                Add support for the new format of mega.nz links
mod-gnutls               Avoid deprecated ciphersuites in test suite; fix
                         test failures when combined with Apache's fix for
                         CVE-2019-10092
mongo-tools              Rebuild against recent golang to pick up security
                         fixes
neon27                   Treat OpenSSL-related test failures as non-fatal
nfs-utils                Fix potential file overwrite vulnerability
                         [CVE-2019-3689]; don't make all of /var/lib/nfs
                         owned by the statd user
nginx                    Fix error page request smuggling vulnerability
                         [CVE-2019-20372]
node-url-parse           Sanitize paths and hosts before parsing
                         [CVE-2018-3774]
nvidia-graphics-drivers  New upstream stable release; security fixes
                         [CVE-2020-5963 CVE-2020-5967]
pcl                      Fix missing dependency on libvtk6-qt-dev
perl                     Fix multiple regular expression related security
                         issues [CVE-2020-10543 CVE-2020-10878
                         CVE-2020-12723]
php-horde                Fix cross-site scripting vulnerability
                         [CVE-2020-8035]
php-horde-data           Fix authenticated remote code execution
                         vulnerability [CVE-2020-8518]
php-horde-form           Fix authenticated remote code execution
                         vulnerability [CVE-2020-8866]
php-horde-gollem         Fix cross-site scripting vulnerability in
                         breadcrumb output [CVE-2020-8034]
php-horde-trean          Fix authenticated remote code execution
                         vulnerability [CVE-2020-8865]
phpmyadmin               Several security fixes [CVE-2018-19968
                         CVE-2018-19970 CVE-2018-7260 CVE-2019-11768
                         CVE-2019-12616 CVE-2019-6798 CVE-2019-6799
                         CVE-2020-10802 CVE-2020-10803 CVE-2020-10804
                         CVE-2020-5504]
postfix                  New upstream stable release
proftpd-dfsg             Fix handling SSH_MSG_IGNORE packets
python-icalendar         Fix Python3 dependencies
rails                    Fix possible cross-site scripting via Javascript
                         escape helper [CVE-2020-5267]
rake                     Fix command injection vulnerability [CVE-2020-8130]
roundcube                Fix cross-site scripting issue via HTML messages
                         with malicious svg/namespace [CVE-2020-15562]
ruby-json                Fix unsafe object creation vulnerability
                         [CVE-2020-10663]
ruby2.3                  Fix unsafe object creation vulnerability
                         [CVE-2020-10663]
sendmail                 Fix finding the queue runner control process in
                         "split daemon" mode, "NOQUEUE: connect from
                         (null)", removal failure when using BTRFS
sogo-connector           New upstream version, compatible with newer
                         Thunderbird versions
ssvnc                    Fix out-of-bounds write [CVE-2018-20020], infinite
                         loop [CVE-2018-20021], improper initialisation
                         [CVE-2018-20022], potential denial-of-service
                         [CVE-2018-20024]
storebackup              Fix possible privilege escalation vulnerability
                         [CVE-2020-7040]
swt-gtk                  Fix missing dependency on libwebkitgtk-1.0-0
tinyproxy                Create PID file before dropping privileges to
                         non-root account [CVE-2017-11747]
tzdata                   New upstream stable release
websockify               Fix missing dependency on python{3,}-pkg-resources
wpa                      Fix AP mode PMF disconnection protection bypass
                         [CVE-2019-16275]; fix MAC randomisation issues with
                         some cards
xdg-utils                Sanitise window name before sending it over D-Bus;
                         correctly handle directories with names containing
                         spaces; create the "applications" directory if
                         needed
xml-security-c           Fix length calculation in the concat method
xtrlock                  Fix blocking of (some) multitouch devices while
                         locked [CVE-2016-10894]

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

<https://release.debian.org/proposed-updates/oldstable.html>

Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                  Reason
-------                  ------
certificatepatrol        Incompatible with newer Firefox ESR versions
colorediffs-extension    Incompatible with newer Thunderbird versions
dynalogin                Depends on to-be-removed simpleid
enigmail                 Incompatible with newer Thunderbird versions
firefox-esr [armel]      No longer supported (requires nodejs)
firefox-esr [mips mipsel mips64el]
                         No longer supported (needs newer rustc)
getlive                  Broken due to Hotmail changes
gplaycli                 Broken by Google API changes
kerneloops               Upstream service no longer available
libmicrodns              Security issues
libperlspeak-perl        Security issues; unmaintained
mathematica-fonts        Relies on unavailable download location
pdns-recursor            Security issues; unsupported
predictprotein           Depends on to-be-removed profphd
profphd                  Unusable
quotecolors              Incompatible with newer Thunderbird versions
selenium-firefoxdriver   Incompatible with newer Firefox ESR versions
simpleid                 Does not work with PHP7
simpleid-ldap            Depends on to-be-removed simpleid
torbirdy                 Incompatible with newer Thunderbird versions
weboob                   Unmaintained; already removed from later releases
yahoo2mbox               Broken for several years

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".