----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 176-1 https://www.debian.org/
debian-release@lists.debian.org Adam D. Barratt
February 3rd, 2020
----------------------------------------------------------------------------
Upcoming Debian 9 Update (9.12)
An update to Debian 9 is scheduled for Saturday, February 8th, 2020. As
of now it will include the following bug fixes. They can be found in
"stretch-proposed-updates", which is carried by all official mirrors.
Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "stretch-updates".
Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.
The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------
This oldstable update adds a few important corrections to the following
packages:
Package Reason
------- ------
base-files Update for the point release
cargo New upstream version, to support firefox-esr
backports
clamav New upstream release; fix denial of service
issue [CVE-2019-15961]; remove ScanOnAccess
option, replacing with clamonacc
cups Fix validation of default language in
ippSetValuetag [CVE-2019-2228]
debian-security-support Update security support status of several
packages
dehydrated New upstream release; use ACMEv2 API by
default
dispmua New upstream release compatible with
Thunderbird 68
dpdk New upstream stable release; fix vhost
regression introduced by the fix for
CVE-2019-14818
fence-agents Fix incomplete removal of fence_amt_ws
fig2dev Allow Fig v2 text strings ending with multiple
^A [CVE-2019-19555]
flightcrew Security fixes [CVE-2019-13032 CVE-2019-13241]
freetype Correctly handle deltas in TrueType GX fonts,
fixing rendering of variable hinted fonts in
Chromium and Firefox
glib2.0 Ensure libdbus clients can authenticate with a
GDBusServer like the one in ibus
gnustep-base Fix UDP amplification vulnerability
italc Security fixes [CVE-2018-15126 CVE-2018-15127
CVE-2018-20019 CVE-2018-20020 CVE-2018-20021
CVE-2018-20022 CVE-2018-20023 CVE-2018-20024
CVE-2018-20748 CVE-2018-20749 CVE-2018-20750
CVE-2018-6307 CVE-2018-7225 CVE-2019-15681]
libdate-holidays-de-perl Mark International Childrens Day (Sep 20th) as
a holiday in Thuringia from 2019 onwards
libdatetime-timezone-perl Update included data
libidn Fix denial of service vulnerability in Punycode
handling [CVE-2017-14062]
libjaxen-java Fix build failure by allowing test failures
libofx Fix NULL pointer dereference issue
[CVE-2019-9656]
libole-storage-lite-perl Fix interpretation of years from 2020 onwards
libparse-win32registry- Fix interpretation of years from 2020 onwards
perl
libperl4-corelibs-perl Fix interpretation of years from 2020 onwards
libpst Fix detection of get_current_dir_name and
return truncation
libsixel Fix several security issues [CVE-2018-19756
CVE-2018-19757 CVE-2018-19759 CVE-2018-19761
CVE-2018-19762 CVE-2018-19763 CVE-2019-3573
CVE-2019-3574]
libsolv Fix heap buffer overflow [CVE-2019-20387]
libtest-mocktime-perl Fix interpretation of years from 2020 onwards
libtimedate-perl Fix interpretation of years from 2020 onwards
libvncserver rfbserver: don't leak stack memory to the
remote [CVE-2019-15681]; resolve a freeze
during connection closure and a segmentation
fault on multi-threaded VNC servers; fix issue
connecting to VMWare servers; fix crashing of
x11vnc when vncviewer connects
libxslt Fix dangling pointer in xsltCopyText
[CVE-2019-18197]
limnoria Fix remote information disclosure and possibly
remote code execution in the Math plugin
[CVE-2019-19010]
linux New upstream stable release
linux-latest Update for Linux kernel ABI 4.9.0-12
llvm-toolchain-7 Disable the gold linker from s390x; bootstrap
with -fno-addrsig, stretch's binutils doesn't
work with it on mips64el
mariadb-10.1 New upstream stable release [CVE-2019-2974
CVE-2020-2574]
monit Implement position independent CSRF cookie
value
node-fstream Clobber a Link if it's in the way of a File
[CVE-2019-13173]
node-mixin-deep Fix prototype polution [CVE-2018-3719
CVE-2019-10746]
nodejs-mozilla New package to support firefox-esr backports
nvidia-graphics-drivers- New upstream stable release
legacy-340xx
nyancat Rebuild in a clean environment to add the
systemd unit for nyancat-server
openjpeg2 Fix heap overflow [CVE-2018-21010], integer
overflow [CVE-2018-20847] and division by zero
[CVE-2016-9112]
perl Fix interpretation of years from 2020 onwards
php-horde Fix stored cross-site scripting issue in Horde
Cloud Block [CVE-2019-12095]
postfix New upstream stable release; work around poor
TCP loopback performance
postgresql-9.6 New upstream release
proftpd-dfsg Fix NULL pointer dereference in CRL checks
[CVE-2019-19269]
pykaraoke Fix path to fonts
python-acme Switch to POST-as-GET protocol
python-cryptography Fix test suite failures when built against
newer OpenSSL versions
python-flask-rdf Fix missing dependencies in python3-flask-rdf
python-pgmagick Handle version detection of graphicsmagick
security updates that identify themselves as
version 1.4
python-werkzeug Ensure Docker containers have unique debugger
PINs [CVE-2019-14806]
ros-ros-comm Fix buffer overflow issue [CVE-2019-13566]; fix
integer overflow [CVE-2019-13445]
ruby-encryptor Ignore test failures, fixing build failures
rust-cbindgen New package to support firefox-esr backports
rustc New upstream version, to support firefox-esr
backports
safe-rm Prevent installation in (and thereby breaking
of) merged /usr environments
sorl-thumbnail Workaround a pgmagick exception
sssd sysdb: sanitize search filter input
[CVE-2017-12173]
tigervnc Security updates [CVE-2019-15691 CVE-2019-15692
CVE-2019-15693 CVE-2019-15694 CVE-2019-15695]
tightvnc Security fixes [CVE-2014-6053 2019-8287
CVE-2018-20021 CVE-2018-20022 CVE-2018-20748
CVE-2018-7225 CVE-2019-15678 CVE-2019-15679
CVE-2019-15680 CVE-2019-15681 CVE-2019-8287]
tmpreaper Add `--protect '/tmp/systemd-private*/*'` to
cron job to prevent breaking systemd services
that have PrivateTmp=true
tzdata New upstream release
ublock-origin New upstream version, compatible with Firefox
ESR68
unhide Fix stack exhaustion
x2goclient Strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/}
from destination paths in scp mode; fixes
regression with newer libssh versions with
fixes for CVE-2019-14889 applied
xml-security-c Fix "DSA verification crashes OpenSSL on
invalid combinations of key content"
A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:
<https://release.debian.org/proposed-updates/oldstable.html>
Removed packages
----------------
The following packages will be removed due to circumstances beyond our
control:
Package Reason
------- ------
firetray Incompatible with current Thunderbird versions
koji Security issues
python-lamson Broken by changes in python-daemon
ruby-simple-form Unused; security issues
trafficserver Unsupportable
If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".
Attachment:
signature.asc
Description: This is a digitally signed message part