Updated Debian 8: 8.9 released

July 22nd, 2017

The Debian project is pleased to announce the ninth update of its oldstable distribution Debian 8 (codename jessie). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 8 but only updates some of the packages included. There is no need to throw away old jessie media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following packages:

Package	Reason
3dchess	Reduce wasteful CPU consumption
apt-cacher	Prevent HTTP response splitting with encoded newlines in request [CVE-2017-7443]; make sure /var/run/apt-cacher exists
base-files	Update for the 8.9 point release
boinc	Improve adjusting OOM score; fix security issue with xhost
c-ares	Security fix [CVE-2017-1000381]
cfitsio	Fix crashes related to improper memory handling
chkrootkit	Fix segmentation fault; fix missing dependency on openssh-client; add Built-Using field
cqrlog	tools/cqrlog-apparmor-fix, debian/postrm: Check for /etc/init.d/apparmor before restarting apparmor
debconf	Use File::Temp instead of the deprecated POSIX::tmpnam() in Debconf::TmpFile
debian-archive-keyring	Add stretch keys, and move squeeze keys to removed keyring
debian-installer	Rebuild against proposed-updates
debian-installer-netboot-images	Rebuild against proposed-updates
debian-security-support	Update support status of various packages; update translations
debootstrap	Add support for Buster and Bullseye
eterm	Fix integer overflow preventing the shell from starting/stopping properly
flightgear	Prevent overriding arbitrary files from the save-flightplan FGCommand [CVE-2017-8921]
galternatives	Fix blank properties page
gitolite3	Fix missing dependency on openssh-client
gnats	gnats-user: do not fail to purge if /var/lib/gnats/gnats-db is not empty
gnutls28	Improve check for /dev/urandom uniqueness
gtk+2.0	Backport patch from GTK+3 to fix stuck grabs in some situations
init-select	Check for /usr/lib/init-select/get-init before calling it
intel-microcode	Update included microcode
libapache2-mod-perl2	Fix test suite for compatibility with latest Apache 2 updates
libcgi-application-plugin-anytemplate-perl	Fix missing dependency on one of libclone-perl and libclone-pp-perl
libclamunrar	Fix arbitrary memory write [CVE-2012-6706]
libdata-faker-perl	Run the test suite under a specific locale
libdvdnav	Use proper error handling when position cannot be detected
libhtml-microformats-perl	Fix missing dependency on libmodule-pluggable-perl
libhttp-proxy-perl	Fix broken 'via' handling
libonig	Fix multiple invalid pointer dereference, out-of-bounds write memory corruption and stack buffer overflow issues [CVE-2017-9224 CVE-2017-9226 CVE-2017-9227 CVE-2017-9228 CVE-2017-9229]
libosinfo	Add support for jessie and stretch
libsys-syscall-perl	Add support for more architectures
libterralib	Remove superfluous Conflicts/Replaces: libterralib3 since that causes problems upgrading to stretch which has that package
libx11-protocol-other-perl	Disable buggy test
lxterminal	Security fix: improper use of /tmp for a socket file
netcfg	IPv6 autoconfiguration: fix NTP server name handling; stop queueing rdnssd's installation with IPv6 setups
offlineimap	Prevent the usage of maxage (broken and may result in data loss)
os-prober	EFI: fix check on ID_PART_ENTRY_SCHEME, to look for dos instead of msdos; make Windows Vista detection more robust; add support for Windows 10
pam	Rebuild to fix multi-arch differences
partman-ext3	Force ext3\|ext4 filesystem creation with -F so that D-I doesn't hang when re-using an existing partition in some situations
perl	Apply upstream base.pm no-dot-in-inc fix
polarssl	Fix freeing of memory allocated on stack when validating a public key with a secp224k1 curve [CVE-2017-2784]
proftpd-dfsg	Fix TLSDHParamFile directive appears ignored because unexpected DH is chosen [CVE-2016-3125], AllowChrootSymlinks off does not check entire DefaultRoot path for symlinks [CVE-2017-7418]
python-colorlog	Fix python3 dependencies
python-plumbum	Fix python3 dependencies
rkhunter	Disable remote updates [CVE-2017-7480]
shutter	Fix insecure use of perl exec() [CVE-2016-10081] and system()
tcpdf	Security fix: disallow tcpdf calls in HTML [CVE-2017-6100]
unrar-nonfree	Security fix: add bound checks for VMSF_DELTA, VMSF_RGB and VMSF_AUDIO paramters [CVE-2012-6706]
w3m	Fix multiple buffer overflows, use after free issues and an infinite loop
xarchiver	Fix possible data loss due to shell metacharacters
xfce4-weather-plugin	Adapt to new weather website APIs

Security Updates

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:

Advisory ID	Package
DSA-3742	flightgear
DSA-3793	shadow
DSA-3840	mysql-connector-java
DSA-3841	libxstream-java
DSA-3842	tomcat7
DSA-3843	tomcat8
DSA-3844	tiff
DSA-3845	libtirpc
DSA-3845	rpcbind
DSA-3846	libytnef
DSA-3847	xen
DSA-3848	git
DSA-3849	kde4libs
DSA-3850	rtmpdump
DSA-3851	postgresql-9.4
DSA-3852	squirrelmail
DSA-3853	bitlbee
DSA-3854	bind9
DSA-3855	jbig2dec
DSA-3856	deluge
DSA-3857	mysql-connector-java
DSA-3859	dropbear
DSA-3860	samba
DSA-3861	libtasn1-6
DSA-3862	puppet
DSA-3863	imagemagick
DSA-3864	fop
DSA-3865	mosquitto
DSA-3866	strongswan
DSA-3867	sudo
DSA-3868	openldap
DSA-3869	tnef
DSA-3870	wordpress
DSA-3871	zookeeper
DSA-3872	nss
DSA-3873	perl
DSA-3874	ettercap
DSA-3875	libmwaw
DSA-3876	otrs2
DSA-3877	tor
DSA-3878	zziplib
DSA-3879	libosip2
DSA-3880	libgcrypt20
DSA-3882	request-tracker4
DSA-3883	rt-authen-externalauth
DSA-3884	gnutls28
DSA-3885	irssi
DSA-3886	linux
DSA-3887	glibc
DSA-3888	exim4
DSA-3889	libffi
DSA-3891	tomcat8
DSA-3892	tomcat7
DSA-3893	jython
DSA-3894	graphite2
DSA-3896	apache2
DSA-3897	drupal7
DSA-3898	expat
DSA-3899	vlc
DSA-3900	openvpn
DSA-3901	libgcrypt20
DSA-3903	tiff
DSA-3904	bind9
DSA-3905	xorg-server
DSA-3907	spice
DSA-3910	knot
DSA-3911	evince
DSA-3912	heimdal

Removed packages

The following packages were removed due to circumstances beyond our control:

Package	Reason
ears	Requires unavailable python-musicbrainz
gnuvd	Broken by upstream site changes
hbro	Segfaults on all usage
hbro-contrib	Build-depends on to-be-removed hbro
lshell	Security issues
pgsnap	Incompatible with current PostgreSQL versions
python-django-authority	Incompatible with Django 1.7
rant	Broken

Debian Installer

The installer has been updated to include the fixes incorporated into oldstable by the point release.

URLs

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/jessie/ChangeLog

The current oldstable distribution:

http://ftp.debian.org/debian/dists/oldstable/

Proposed updates to the oldstable distribution:

http://ftp.debian.org/debian/dists/oldstable-proposed-updates

oldstable distribution information (release notes, errata etc.):

https://www.debian.org/releases/oldstable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.