Updated Debian 9: 9.5 released
July 14th, 2018
The Debian project is pleased to announce the fifth update of its
stable distribution Debian 9 (codename stretch
).
This point release mainly adds corrections for security issues,
along with a few adjustments for serious problems. Security advisories
have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian
9 but only updates some of the packages included. There is
no need to throw away old stretch
media. After installation,
packages can be upgraded to the current versions using an up-to-date Debian
mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
2ping | Add missing dependency on python-pkg-resources |
abiword | Resolve binary file conflict between abiword-dbgsym and abiword-plugin-grammar-dbgsym |
adminer | Don't allow connections to privileged ports [CVE-2018-7667] |
animals | Fix incorrect file permissions that made the game unusable |
apache2 | Upgrade mod_http and mod_proxy_http2 to the versions from 2.4.33, fixing segfaults, high memory usage and potential crash [CVE-2018-1302]; make the apache-htcacheclean init script actually use /etc/default/apache-htcacheclean for its config |
auto-complete-el | Add upstream fix for emacs25; adjust the emacs dependencies to the emacs versions in stretch; set auto-complete-el.emacsen-compat to silence installation warning |
awffull | Do not use removed options in /etc/cron.daily/awffull |
ax25-tools | Avoid segmentation fault at runtime |
base-files | Update for the point release |
blktrace | Fix buffer overflow in btt [CVE-2018-10689] |
ca-certificates | Update Mozilla CA bundle to version 2.22; bug fixes |
camo | Add missing dependency on openssl |
cffi | Add missing files for cffi-libffi and cffi-toolchain; add several missing dependencies |
check-postgres | Update testsuite to handle pg_get_indexdef() now always including the schema name |
clamav | New upstream version; don't fail on recently removed config options |
clustershell | Add missing dependency on python-pkg-resources |
debian-installer | Update for -7 kernel ABI |
debian-installer-netboot-images | Rebuild for the point release |
debian-security-support | Update included data |
dehydrated | Fix failure to create fullchain.pem |
devscripts | uscan: fix the new package version regex for filenamemangle; debsign: fix bash completion; bts: support the new ftbfstag; uscan: support HTTPS in the sf.net redirector; debcheckout: support salsa.debian.org; debdiff: sort shlibs files before comparing, reducing diff noise; uscan: actually support --copy |
disc-cover | Fix perl error when running disc-cover |
discover | Use correct type for the length parameter of the getline() call |
django-xmlrpc | Fix python3 dependencies |
dosbox | Fix crashes with core=dynamic |
dpdk | New upstream stable update |
dpkg | Fix integer overflow in deb(5) format version parser; fix directory traversal with dpkg-deb --raw-extract; add support for riscv64 CPU; do not normalize args past a passthrough stop word in Dpkg::Getopt; parse start-stop-daemon usernames and groupnames starting with digits correctly; always use the binary version for the .buildinfo filename |
dput-ng | Add jessie-backports-sloppy and stretch-backports targets; include 'testing' in the rm-managed suites and 'oldstable' in protected distributions; add ports-master profile; FTP: parse and use optional [:port] part for fqdn |
elastix | Rebuild with ITK that has been built with gcc 6 |
email2trac | Fix detection of Trac 1.2 |
faad2 | Fix several DoS issues via crafted MP4 files [CVE-2017-9218 CVE-2017-9219 CVE-2017-9220 CVE-2017-9221 CVE-2017-9222 CVE-2017-9223 CVE-2017-9253 CVE-2017-9254 CVE-2017-9255 CVE-2017-9256 CVE-2017-9257] |
faker | Add missing dependency on python-ipaddress |
fastkml | Add missing dependency on pkg-resources |
file | Avoid reading past the end of buffer [CVE-2018-10360] |
freedink-dfarc | Fix directory traversal in D-Mod extractor [CVE-2018-0496] |
ganeti | Properly verify SSL certificates during VM export |
ghostscript | Fix segfault with fuzzing file in gxht_thresh_image_init(); fix buffer overflow in fill_threshold_buffer [CVE-2016-10317]; pdfwrite - Guard against trying to output an infinite number [CVE-2018-10194] |
git-annex | Security fixes [CVE-2018-10857 CVE-2018-10859] |
glx-alternatives | New upstream version |
gridengine | Use correct paths to qmon pixmaps; fix FTBFS on armhf |
intel-microcode | Update included microcode, including fixes for Spectre v2 [CVE-2017-5715] |
jdresolve | Fix incompatibility with libnet-dns-perl in Debian 8 and later |
libb64 | Rebuild with PIE |
libdate-holidays-de-perl | Mark Reformation Day as a holiday in Niedersachsen and Bremen |
libdatetime-timezone-perl | Update included data |
libextractor | Various security fixes [CVE-2017-15266 CVE-2017-15267 CVE-2017-15600 CVE-2017-15601 CVE-2017-15602 CVE-2017-15922 CVE-2017-17440] |
libipc-run-perl | Fix memory leak |
liblouis | Fix buffer overflow [CVE-2018-11410]; fix several buffer overflows [CVE-2018-11440 CVE-2018-11577 CVE-2018-11683 CVE-2018-11684 CVE-2018-11685 2018-12085] |
libosmium | Output coordinate with value of -2^31 correctly; fix buffers larger than 2^32 bytes |
linux | New upstream stable release 4.9.110 |
linux-latest | Update to -7 kernel ABI |
llvm-toolchain-4.0 | New package for rust backports; fix build on s390x |
local-apt-repository | Stop breaking apt when the package is removed but not purged |
loook | Fix handling of password protected files |
miniupnpd | Fix DoS [CVE-2017-1000494] |
nss-pam-ldapd | Increase size of hostname buffer |
nvidia-graphics-drivers | New upstream version |
obfsproxy | Don't install the broken AppArmor profile |
openldap | Fix an out-of-sync issue with delta-syncrepl replication in multi-master environments; really fix upgrades when the config contains backslash-escaped special characters |
openstack-debian-images | Set CloudStack after OpenStack in the datasource_list, to avoid a 120s delay in cloud-init when booting a machine in an OpenStack cloud |
patch | Fix arbitrary command execution in ed-style patches [CVE-2018-1000156] |
piglit | Fix missing dependency on python-mako |
postgresql-9.6 | New upstream release |
postgresql-common | Prevent upgrading/removing server packages from stopping other major version clusters when running systemd |
psad | Add missing dependencies on net-tools and iproute2 |
pysurfer | Add missing dependency on python-matplotlib |
python-cluster | Add missing dependency on pkg-resources |
python-pyorick | Fix import failure by adding missing dependency on python3-numpy |
python-scruffy | Add missing dependencies on pkg-resources |
r-cran-mi | Add missing dependency on r-cran-arm |
redis | Correct RunTimeDirectory -> RuntimeDirectory typo in systemd .service files |
reportbug | Notify the security team or LTS team about a possible regression if reporting a bug against a package containing a security fix |
rustc | New upstream release to support Firefox ESR |
salt | Fix salt-ssh minion copied over configuration from the Salt Master without adjusting permissions[CVE-2017-8109] |
shared-mime-info | Switch dpkg trigger to noawait, fixing upgrade issues from jessie |
showq | Fix prefix, so application actually works |
source-highlight | Fix dependency on libboost-regex-dev |
starplot | Fix startup crash |
subversion | Reject commits which would introduce hash collisions with existing data, thus addressing the SHA1/shattered issue |
sus | Update to new version, technically identical to SUSv4 + TC1 + TC2 |
systemd | networkd-ndisc: Handle missing MTU gracefully; allow RemoveIPC= to be set in the unit file not only via D-Bus; nspawn: Add missing -E to getopt_long'; login: Respect --no-wall when cancelling a shutdown request |
tclreadline | Fix shared library build on ppc64el |
thefuck | Add missing dependency on pkg-resources |
tinyproxy | Do not stop listening after SIGHUP; fix configuration file path; add missing dependency on adduser |
tlslite-ng | Verify MAC even if the padding is 1 byte long |
tzdata | New upstream release |
unison | Rebuild with stretch's ocaml |
variety | Fix shell injection on deleting files to trash; fix shell injection in filter and clock with specially crafted filenames; harden ImageMagick calls against potential shell injection |
xapian-core | Fix MSet::snippet() to escape HTML in all cases [CVE-2018-499] |
xerces-c | Fix Denial of Service via external DTD reference [CVE-2017-12627]; fix a regression that forced gcc to use SSE2, even on platforms that do not support it |
xrdp | Fix off-by-one error which could lead to crashes |
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
libnet-whois-perl | Broken |
mlbviewer | No longer works due to content provider changes |
python-uniconvertor | Unusable; requires unpackaged dependency |
singularity-container | Not security supportable |
undertow | Unsupportable; several security issues; alternatives exist |
visionegg | Unusable; requires no longer available numpy.oldnumeric |
Debian Installer
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
stable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.