Updated Debian 8: 8.6 released
September 17th, 2016
The Debian project is pleased to announce the sixth update of its stable distribution Debian 8 (codename jessie).
This update mainly adds corrections for security problems to the stable
release, along with a few adjustments for serious problems. Security advisories
were already published separately and are referenced where available.
Please note that this update does not constitute a new version of Debian 8 but only updates some of the packages included. There is no need to throw away old jessie CDs or DVDs but only to update via an up-to-date Debian mirror after an installation, to cause any out of date packages to be updated.
Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.
New installation media and CD and DVD images containing updated packages will be available soon at the regular locations.
Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bug Fixes
This stable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
adblock-plus | New upstream release, compatible with firefox-esr |
apache2 | Fix race condition and logical error in init script; remove links to manpages.debian.org in default index.html; mod_socache_memcache: Increase idle timeout to 15s to allow keep-alive connections; mod_proxy_fcgi: Fix wrong behaviour with 304 responses; correct systemd-sysv-generator behaviour; mod_proxy_html: Add missing config file mods-available/proxy_html.conf |
audiofile | Fix buffer overflow when changing both sample format and number of channels [CVE-2015-7747] |
automake-1.14 | Avoid insecure use of /tmp/ in install-sh |
backintime | Add missing dependency on python-dbus |
backuppc | Fix regressions from samba update to 4.2 |
base-files | Update for the point release |
biber | Fix breakage triggered by point release update of perl |
cacti | Fix sql injection in tree.php [CVE-2016-3172] and graph_view.php [CVE-2016-3659]; fix authentication bypass [CVE-2016-2313] |
ccache | Upstream bug-fix release |
clamav | Don't fail if AllowSupplementaryGroups is still set in the configuration file |
cmake | Fix FindOpenSSL module to detect OpenSSL 1.0.1t |
conkeror | Support Firefox 44 and later |
debian-edu-config | Move from Iceweasel to Firefox ESR; adjust ldap-tools/ldap-debian-edu-install to be compliant with systemd now that unit samba.service is masked; dhclient-exit-hooks.d/hostname: adjust for the case of a dedicated LTSP server; adjust cf.krb5client to ensure that cfengine runs are idempotent; move code to cleanup /usr/share/pam-configs/krb5 diversion from postinst to preinst to ease upgrades from old wheezy installations; don't purge libnss-mdns as cups now needs mdns for automatic printer detection |
debian-edu-doc | Update Debian Edu jessie and wheezy manuals from the wiki |
debian-installer | Rebuild against proposed-updates |
debian-installer-netboot-images | Rebuild for the point release |
debian-security-support | Update included support data; add support for marking packages as losing support at a future date |
dietlibc | Fix insecure default PATH |
dwarfutils | Security fixes [CVE-2015-8538 CVE-2015-8750 CVE-2016-2050 CVE-2016-2091 CVE-2016-5034 CVE-2016-5036 CVE-2016-5038 CVE-2016-5039 CVE-2016-5042] |
e2fsprogs | Disable prompts for time skew which is fudged in e2fsck; fix potential corruption of Hurd file systems by e2fsck, pointer bugs that could cause crashes in e2fsck and resize2fs |
exim4 | Fix cutthrough bug with body lines having a single dot; fix crash on exim -be '${if crypteq{xxx}{\$aaa}{yes}{no}}'; improve NEWS file; backport missing upstream patch to actually make $initial_cwd expansion work |
file | Fix buffer over-write in finfo_open with malformed magic file [CVE-2015-8865] |
firegestures | New upstream release, compatible with firefox-esr |
flashplugin-nonfree | Update-flashplugin-nonfree: Delete old get-upstream-version.pl from cache |
fusionforge | Remove dependency on Mediawiki plugin from fusionforge-full metapackage |
gdcm | Fix integer overflow [CVE-2015-8396] and denial of service [CVE-2015-8397] |
glibc | Fix assertion failure with unconnectable name server addresses (regression introduced by CVE-2015-7547 fix); fix *context functions on s390x; fix a buffer overflow in the glob function [CVE-2016-1234], a stack overflow in nss_dns_getnetbyname_r [CVE-2016-3075], a stack overflow in getaddrinfo function [CVE-2016-3706], a stack overflow in Sun RPC clntudp_call() [CVE-2016-4429]; update from upstream stable branch; fix open and openat functions with O_TMPFILE; fix backtrace hang on armel/armhf, possibly causing a minor denial of service vulnerability [CVE-2016-6323]; fix mtr on systems using only IPv6 nameservers |
gnome-maps | New upstream release; use the Mapbox tile server, instead of the no longer supported MapQuest server |
gnome-sudoku | Don't generate the same puzzle sequence every time |
gnupg | gpgv: Tweak default options for extra security; g10: Fix checking key for signature validation |
gnupg2 | gpgv: Tweak default options for extra security; g10: Fix checking key for signature validation |
greasemonkey | New upstream release, compatible with firefox-esr |
intel-microcode | New upstream release |
jakarta-jmeter | Really install the templates; fix an error with libxstream-java >= 1.4.9 when loading the templates |
javatools | Return correct architecture string for ppc64el in java-arch.sh |
kamailio | Fix libssl version check |
libbusiness-creditcard-perl | Adjust to changes in credit card ranges and processing of various companies |
libcss-dom-perl | Work around Encode changes included in perl and libencode-perl stable updates |
libdatetime-timezone-perl | Update included data to 2016e; new upstream release |
libdevel-declare-perl | Fix breakage caused by change in perl stable update |
libnet-ssleay-perl | Fix build failure with openssl 1.0.1t-1+deb8u1 |
libquota-perl | Adapt platform detection to work with Linux 4.x |
libtool | Fix multi-arch co-installability [amd64 i386] |
libxml2 | Fix a problem unparsing URIs without a host part like qemu:///system; this unbreaks libvirt, libsys-virt-perl and others |
linux | New upstream stable release |
lxc | Make sure stretch/sid containers have an init system, after init 1.34 dropped the 'Essential: yes' header |
mariadb-10.0 | New upstream release, including security fix [CVE-2016-6662] |
mozilla-noscript | New upstream release, compatible with firefox-esr |
nullmailer | Do not keep relayhost data in debconf database longer than strictly needed |
open-iscsi | Init script: wait a bit after iSCSI devices have appeared, working around a race condition in which dependent devices can appear only after the initial udev settle has returned; open-iscsi-udeb: update initramfs after copying configuration to target system |
openssl | Fix length check for CRLs; enable asm optimisation for s390x |
ovirt-guest-agent | Install ovirt-guest-agent.py executable; change owner of log directory to ovirtagent in postinst |
piuparts | Fix build failure (don't test the current Debian release status, tracking that is distro-info-data's problem) |
policykit-1 | Several bug-fixes: fix heap corruption [CVE-2015-3255], local authenticated denial of service [CVE-2015-4625] and issue with invalid object paths in RegisterAuthenticationAgent [CVE-2015-3218] |
publicsuffix | New upstream release |
pypdf2 | Fix infinite loop in readObject() function |
python-django | Bug-fix update to 1.7.11 |
python2.7 | Address StartTLS stripping attack in smtplib [CVE-2016-0772], integer overflow in zipimporter [CVE-2016-5636], HTTP header injection [CVE-2016-5699] |
quassel | Fix remote DoS in quassel core with invalid handshake data [CVE-2016-4414] |
ruby-eventmachine | Fix remotely triggerable crash due to FD handling |
ruby2.1 | dl::dlopen should not open a library with tainted library name in safe mode [CVE-2009-5147]; Fiddle handles should not call functions with tainted function names [CVE-2015-7551] |
sendmail | Do not abort with an assertion if the connection to an LDAP server is lost; ensure sendmail {client_port} is set correctly on little endian machines |
sqlite3 | Fix tempdir selection vulnerability [CVE-2016-6153], segfault following heavy SAVEPOINT usage |
systemd | Use the right timeout for stop processes we fork; don't reset log level to NOTICE if we get quiet on the kernel cmdline; fix prepare priority queue comparison function in sd-event; update links to kernel.org cgroup documentation; don't start console-getty.service when /dev/console is missing; order systemd-user-sessions.service after nss-user-lookup.target and network.target |
tabmixplus | New upstream release, compatible with firefox-esr |
tcpreplay | Handle frames of 65535 octets size, add a size check [CVE-2016-6160] |
tor | Update the set of authority directory servers |
tzdata | New upstream release; update to 2016e |
unbound | Init script fixes: add pidfilemagic comment; call start-stop-daemon with --retry for 'stop' action |
util-vserver | Rebuild against dietlibc 0.33~cvs20120325-6+deb8u1, fixing insecure default PATH |
vorbis-tools | Fix large alloca on bad AIFF input to oggenc [CVE-2015-6749]; validate count of channels in the header [CVE-2014-9638 CVE-2014-9639]; fix segmentation fault in vcut |
vtk | Rebuild to fix Java paths [ppc64el] |
wget | By default, on server redirects to an FTP resource, use the original URL to get the local file name [CVE-2016-4971] |
wpa | Security updates relating to invalid characters [CVE-2016-4476, CVE-2016-4477] |
yaws | Fix HTTP_PROXY cgi env injection [CVE-2016-1000108] |
zabbix | Fix mysql.size shell command injection in zabbix-agent [CVE-2016-4338] |
The mariadb-10.0 package failed to build on the powerpc architecture, but has been included in the point release to allow quicker release of the fix for CVE-2016-6662, which had not been disclosed at the time of the upload. If a fix for the build failure becomes available before the next mariadb-10.0 DSA, an updated package may be released via jessie-updates.
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
minit | Unmaintained and outdated |
trn | Security issues; replaced by trn4 |
Debian Installer
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
stable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.