[SUA 184-1] Upcoming Debian 9 Update (9.13)



----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 184-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
July 13th, 2020
----------------------------------------------------------------------------

Upcoming Debian 9 Update (9.13)

The final point release for Debian 9 is scheduled for Saturday, July 18th,
2020. As of now it will include the following bug fixes. They can be found
in "stretch-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "stretch-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.


Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following
packages:

  Package                    Reason
  -------                    ------

  acmetool                   Rebuild against recent golang to pick up
                             security fixes

  atril                      dvi: Mitigate command injection attacks by
                             quoting filename [CVE-2017-1000159]; fix
                             overflow checks in tiff backend
                             [CVE-2019-1010006]; tiff: Handle failure from
                             TIFFReadRGBAImageOriented [CVE-2019-11459]

  bacula                     Add transitional package bacula-director-
                             common, avoiding loss of /etc/bacula/bacula-
                             dir.conf when purged; make PID files owned by
                             root

  base-files                 Update /etc/debian_version for the point
                             release

  batik                      Fix server-side request forgery via xlink:href
                             attributes [CVE-2019-17566]

  c-icap-modules             Support ClamAV 0.102

  ca-certificates            Update Mozilla CA bundle to 2.40, blacklist
                             distrusted Symantec roots and expired "AddTrust
                             External Root"; remove e-mail only certificates

  chasquid                   Rebuild against recent golang to pick up
                             security fixes

  checkstyle                 Fix XML External Entity injection issue
                             [CVE-2019-9658 CVE-2019-10782]

  clamav                     New upstream release [CVE-2020-3123]; security
                             fixes [CVE-2020-3327 CVE-2020-3341]

  compactheader              New upstream version, compatible with newer
                             Thunderbird versions

  cram                       Ignore test failures to fix build issues

  csync2                     Fail HELLO command when SSL is required

  cups                       Fix heap buffer overflow [CVE-2020-3898] and
                             "the `ippReadIO` function may under-read an
                             extension field" [CVE-2019-8842]

  dbus                       New upstream stable release; prevent a denial
                             of service issue [CVE-2020-12049]; prevent use-
                             after-free if two usernames share a uid

  debian-installer           Update for the 4.9.0-13 Linux kernel ABI

  debian-installer-netboot-  Update for the 4.9.0-13 Linux kernel ABI
    images

  debian-security-support    Update support status of several packages

  erlang                     Fix use of weak TLS ciphers [CVE-2020-12872]

  exiv2                      Fix denial of service issue [CVE-2018-16336];
                             fix over-restrictive fix for CVE-2018-10958 and
                             CVE-2018-10999

  fex                        Security update

  file-roller                Security fix [CVE-2020-11736]

  fwupd                      New upstream release; use a CNAME to redirect
                             to the correct CDN for metadata; do not abort
                             startup if the XML metadata file is invalid;
                             add the Linux Foundation public GPG keys for
                             firmware and metadata; raise the metadata limit
                             to 10MB

  glib-networking            Return bad identity error if identity is unset
                             [CVE-2020-13645]

  gnutls28                   Fix memory corruption issue [CVE-2019-3829];
                             fix memory leak; add support for zero length
                             session tickets, fix connection errors on
                             TLS1.2 sessions to some hosting providers

  gosa                       Tighten check on LDAP success/failure
                             [CVE-2019-11187]; fix compatibility with newer
                             PHP versions; backport several other patches;
                             replace (un)serialize with
                             json_encode/json_decode to mitigate PHP object
                             injection [CVE-2019-14466]

  heartbleeder               Rebuild against recent golang to pick up
                             security fixes

  intel-microcode            Downgrade some microcodes to previously
                             released revisions, working around hangs on
                             boot on Skylake-U/Y and Skylake Xeon E3

  iptables-persistent        Don't fail if modprobe does

  jackson-databind           Fix multiple security issues affecting
                             BeanDeserializerFactory [CVE-2020-9548
                             CVE-2020-9547 CVE-2020-9546 CVE-2020-8840
                             CVE-2020-14195 CVE-2020-14062 CVE-2020-14061
                             CVE-2020-14060 CVE-2020-11620 CVE-2020-11619
                             CVE-2020-11113 CVE-2020-11112 CVE-2020-11111
                             CVE-2020-10969 CVE-2020-10968 CVE-2020-10673
                             CVE-2020-10672 CVE-2019-20330 CVE-2019-17531
                             and CVE-2019-17267]

  libbusiness-hours-perl     Use explicit 4 digit years, fixing build and
                             usage issues

  libclamunrar               New upstream stable release; add an unversioned
                             meta-package

  libdbi                     Comment out _error_handler() call again, fixing
                             issues with consumers

  libembperl-perl            Handle error pages from Apache >= 2.4.40

  libexif                    Security fixes [CVE-2016-6328 CVE-2017-7544
                             CVE-2018-20030 CVE-2020-12767 CVE-2020-0093
                             CVE-2020-13112 CVE-2020-13113 CVE-2020-13114];
                             fix a buffer read overflow [CVE-2020-0182] and
                             an unsigned integer overflow [CVE-2020-0198]

  libvncserver               Fix heap overflow [CVE-2019-15690]

  linux                      New upstream stable release; update ABI to
                             4.9.0-13

  linux-latest               Update for 4.9.0-13 kernel ABI

  mariadb-10.1               New upstream stable release; security fixes
                             [CVE-2020-2752 CVE-2020-2812 CVE-2020-2814]

  megatools                  Add support for the new format of mega.nz links

  mod-gnutls                 Avoid deprecated ciphersuites in test suite;
                             fix test failures when combined with Apache's
                             fix for CVE-2019-10092

  mongo-tools                Rebuild against recent golang to pick up
                             security fixes

  neon27                     Treat OpenSSL-related test failures as non-
                             fatal

  nfs-utils                  Fix potential file overwrite vulnerability
                             [CVE-2019-3689]; don't make all of /var/lib/nfs
                             owned by the statd user

  nginx                      Fix error page request smuggling vulnerability
                             [CVE-2019-20372]

  node-url-parse             Sanitize paths and hosts before parsing
                             [CVE-2018-3774]

  nvidia-graphics-drivers    New upstream stable release; security fixes
                             [CVE-2020-5963 CVE-2020-5967]

  pcl                        Fix missing dependency on libvtk6-qt-dev

  perl                       Fix multiple regular expression related
                             security issues [CVE-2020-10543 CVE-2020-10878
                             CVE-2020-12723]

  php-horde                  Fix cross-site scripting vulnerability
                             [CVE-2020-8035]

  php-horde-data             Fix authenticated remote code execution
                             vulnerability [CVE-2020-8518]

  php-horde-form             Fix authenticated remote code execution
                             vulnerability [CVE-2020-8866]

  php-horde-gollem           Fix cross-site scripting vulnerability in
                             breadcrumb output [CVE-2020-8034]

  php-horde-trean            Fix authenticated remote code execution
                             vulnerability [CVE-2020-8865]

  phpmyadmin                 Several security fixes [CVE-2018-19968
                             CVE-2018-19970 CVE-2018-7260 CVE-2019-11768
                             CVE-2019-12616 CVE-2019-6798 CVE-2019-6799
                             CVE-2020-10802 CVE-2020-10803 CVE-2020-10804
                             CVE-2020-5504]

  postfix                    New upstream stable release

  proftpd-dfsg               Fix handling SSH_MSG_IGNORE packets

  python-icalendar           Fix Python3 dependencies

  rails                      Fix possible cross-site scripting via
                             Javascript escape helper [CVE-2020-5267]

  rake                       Fix command injection vulnerability
                             [CVE-2020-8130]

  roundcube                  Fix cross-site scripting issue via HTML
                             messages with malicious svg/namespace
                             [CVE-2020-15562]

  ruby-json                  Fix unsafe object creation vulnerability
                             [CVE-2020-10663]

  ruby2.3                    Fix unsafe object creation vulnerability
                             [CVE-2020-10663]

  sendmail                   Fix finding the queue runner control process in
                             "split daemon" mode, "NOQUEUE: connect from
                             (null)", removal failure when using BTRFS

  sogo-connector             New upstream version, compatible with newer
                             Thunderbird versions

  ssvnc                      Fix out-of-bounds write [CVE-2018-20020],
                             infinite loop [CVE-2018-20021], improper
                             initialisation [CVE-2018-20022], potential
                             denial-of-service [CVE-2018-20024]

  storebackup                Fix possible privilege escalation vulnerability
                             [CVE-2020-7040]

  swt-gtk                    Fix missing dependency on libwebkitgtk-1.0-0

  tinyproxy                  Create PID file before dropping privileges to
                             non-root account [CVE-2017-11747]

  tzdata                     New upstream stable release

  websockify                 Fix missing dependency on python{3,}-pkg-
                             resources

  wpa                        Fix AP mode PMF disconnection protection bypass
                             [CVE-2019-16275]; fix MAC randomisation issues
                             with some cards

  xdg-utils                  Sanitise window name before sending it over
                             D-Bus; correctly handle directories with names
                             containing spaces; create the "applications"
                             directory if needed

  xml-security-c             Fix length calculation in the concat method

  xtrlock                    Fix blocking of (some) multitouch devices while
                             locked [CVE-2016-10894]


A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/oldstable.html>


Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

  Package                    Reason
  -------                    ------

  certificatepatrol          Incompatible with newer Firefox ESR versions

  colorediffs-extension      Incompatible with newer Thunderbird versions

  dynalogin                  Depends on to-be-removed simpleid

  enigmail                   Incompatible with newer Thunderbird versions

  firefox-esr [armel]        No longer supported (requires nodejs)

  firefox-esr [mips mipsel   No longer supported (needs newer rustc)
               mips64el]

  getlive                    Broken due to Hotmail changes

  gplaycli                   Broken by Google API changes

  kerneloops                 Upstream service no longer available

  libmicrodns                Security issues

  libperlspeak-perl          Security issues; unmaintained

  mathematica-fonts          Relies on unavailable download location

  pdns-recursor              Security issues; unsupported

  predictprotein             Depends on to-be-removed profphd

  profphd                    Unusable

  quotecolors                Incompatible with newer Thunderbird versions

  selenium-firefoxdriver     Incompatible with newer Firefox ESR versions

  simpleid                   Does not work with PHP7

  simpleid-ldap              Depends on to-be-removed simpleid

  torbirdy                   Incompatible with newer Thunderbird versions

  weboob                     Unmaintained; already removed from later
                             releases

  yahoo2mbox                 Broken for several years


If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
