----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 176-1         https://www.debian.org/
debian-release@lists.debian.org                              Adam D. Barratt
February 3rd, 2020
----------------------------------------------------------------------------

Upcoming Debian 9 Update (9.12)

An update to Debian 9 is scheduled for Saturday, February 8th, 2020. As of
now it will include the following bug fixes. They can be found in
"stretch-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are also
already available through "stretch-updates".

Testing and feedback would be appreciated. Bugs should be filed in the Debian
Bug Tracking System, but please make the Release Team aware of them by
copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following
packages:

Package                        Reason
-------                        ------
base-files                     Update for the point release
cargo                          New upstream version, to support firefox-esr
                               backports
clamav                         New upstream release; fix denial of service
                               issue [CVE-2019-15961]; remove ScanOnAccess
                               option, replacing with clamonacc
cups                           Fix validation of default language in
                               ippSetValuetag [CVE-2019-2228]
debian-security-support        Update security support status of several
                               packages
dehydrated                     New upstream release; use ACMEv2 API by
                               default
dispmua                        New upstream release compatible with
                               Thunderbird 68
dpdk                           New upstream stable release; fix vhost
                               regression introduced by the fix for
                               CVE-2019-14818
fence-agents                   Fix incomplete removal of fence_amt_ws
fig2dev                        Allow Fig v2 text strings ending with
                               multiple ^A [CVE-2019-19555]
flightcrew                     Security fixes [CVE-2019-13032
                               CVE-2019-13241]
freetype                       Correctly handle deltas in TrueType GX
                               fonts, fixing rendering of variable hinted
                               fonts in Chromium and Firefox
glib2.0                        Ensure libdbus clients can authenticate with
                               a GDBusServer like the one in ibus
gnustep-base                   Fix UDP amplification vulnerability
italc                          Security fixes [CVE-2018-15126
                               CVE-2018-15127 CVE-2018-20019 CVE-2018-20020
                               CVE-2018-20021 CVE-2018-20022 CVE-2018-20023
                               CVE-2018-20024 CVE-2018-20748 CVE-2018-20749
                               CVE-2018-20750 CVE-2018-6307 CVE-2018-7225
                               CVE-2019-15681]
libdate-holidays-de-perl       Mark International Children's Day (Sep 20th)
                               as a holiday in Thuringia from 2019 onwards
libdatetime-timezone-perl      Update included data
libidn                         Fix denial of service vulnerability in
                               Punycode handling [CVE-2017-14062]
libjaxen-java                  Fix build failure by allowing test failures
libofx                         Fix NULL pointer dereference issue
                               [CVE-2019-9656]
libole-storage-lite-perl       Fix interpretation of years from 2020 onwards
libparse-win32registry-perl    Fix interpretation of years from 2020 onwards
libperl4-corelibs-perl         Fix interpretation of years from 2020 onwards
libpst                         Fix detection of get_current_dir_name and
                               return truncation
libsixel                       Fix several security issues [CVE-2018-19756
                               CVE-2018-19757 CVE-2018-19759 CVE-2018-19761
                               CVE-2018-19762 CVE-2018-19763 CVE-2019-3573
                               CVE-2019-3574]
libsolv                        Fix heap buffer overflow [CVE-2019-20387]
libtest-mocktime-perl          Fix interpretation of years from 2020 onwards
libtimedate-perl               Fix interpretation of years from 2020 onwards
libvncserver                   rfbserver: don't leak stack memory to the
                               remote [CVE-2019-15681]; resolve a freeze
                               during connection closure and a segmentation
                               fault on multi-threaded VNC servers; fix
                               issue connecting to VMWare servers; fix
                               crashing of x11vnc when vncviewer connects
libxslt                        Fix dangling pointer in xsltCopyText
                               [CVE-2019-18197]
limnoria                       Fix remote information disclosure and
                               possibly remote code execution in the Math
                               plugin [CVE-2019-19010]
linux                          New upstream stable release
linux-latest                   Update for Linux kernel ABI 4.9.0-12
llvm-toolchain-7               Disable the gold linker from s390x;
                               bootstrap with -fno-addrsig, stretch's
                               binutils doesn't work with it on mips64el
mariadb-10.1                   New upstream stable release [CVE-2019-2974
                               CVE-2020-2574]
monit                          Implement position independent CSRF cookie
                               value
node-fstream                   Clobber a Link if it's in the way of a File
                               [CVE-2019-13173]
node-mixin-deep                Fix prototype pollution [CVE-2018-3719
                               CVE-2019-10746]
nodejs-mozilla                 New package to support firefox-esr backports
nvidia-graphics-drivers-legacy-340xx
                               New upstream stable release
nyancat                        Rebuild in a clean environment to add the
                               systemd unit for nyancat-server
openjpeg2                      Fix heap overflow [CVE-2018-21010], integer
                               overflow [CVE-2018-20847] and division by
                               zero [CVE-2016-9112]
perl                           Fix interpretation of years from 2020 onwards
php-horde                      Fix stored cross-site scripting issue in
                               Horde Cloud Block [CVE-2019-12095]
postfix                        New upstream stable release; work around
                               poor TCP loopback performance
postgresql-9.6                 New upstream release
proftpd-dfsg                   Fix NULL pointer dereference in CRL checks
                               [CVE-2019-19269]
pykaraoke                      Fix path to fonts
python-acme                    Switch to POST-as-GET protocol
python-cryptography            Fix test suite failures when built against
                               newer OpenSSL versions
python-flask-rdf               Fix missing dependencies in python3-flask-rdf
python-pgmagick                Handle version detection of graphicsmagick
                               security updates that identify themselves as
                               version 1.4
python-werkzeug                Ensure Docker containers have unique debugger
                               PINs [CVE-2019-14806]
ros-ros-comm                   Fix buffer overflow issue [CVE-2019-13566];
                               fix integer overflow [CVE-2019-13445]
ruby-encryptor                 Ignore test failures, fixing build failures
rust-cbindgen                  New package to support firefox-esr backports
rustc                          New upstream version, to support firefox-esr
                               backports
safe-rm                        Prevent installation in (and thereby
                               breaking of) merged /usr environments
sorl-thumbnail                 Work around a pgmagick exception
sssd                           sysdb: sanitize search filter input
                               [CVE-2017-12173]
tigervnc                       Security updates [CVE-2019-15691
                               CVE-2019-15692 CVE-2019-15693 CVE-2019-15694
                               CVE-2019-15695]
tightvnc                       Security fixes [CVE-2014-6053 CVE-2018-20021
                               CVE-2018-20022 CVE-2018-20748 CVE-2018-7225
                               CVE-2019-15678 CVE-2019-15679 CVE-2019-15680
                               CVE-2019-15681 CVE-2019-8287]
tmpreaper                      Add `--protect '/tmp/systemd-private*/*'` to
                               cron job to prevent breaking systemd services
                               that have PrivateTmp=true
tzdata                         New upstream release
ublock-origin                  New upstream version, compatible with
                               Firefox ESR68
unhide                         Fix stack exhaustion
x2goclient                     Strip ~/, ~user{,/}, ${HOME}{,/} and
                               $HOME{,/} from destination paths in scp mode;
                               fixes regression with newer libssh versions
                               with fixes for CVE-2019-14889 applied
xml-security-c                 Fix "DSA verification crashes OpenSSL on
                               invalid combinations of key content"

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/oldstable.html>

Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                        Reason
-------                        ------
firetray                       Incompatible with current Thunderbird
                               versions
koji                           Security issues
python-lamson                  Broken by changes in python-daemon
ruby-simple-form               Unused; security issues
trafficserver                  Unsupportable

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".