Updated Debian 8: 8.2 released
September 5th, 2015
The Debian project is pleased to announce the second update of its
stable distribution Debian 8 (codename jessie).
This update mainly adds corrections for security problems to the stable
release, along with a few adjustments for serious problems. Security advisories
were published separately and are referenced where applicable.
Please note that this update does not constitute a new version of Debian
8 but only updates some of the packages included. There is
no need to throw away old jessie CDs or DVDs but only to update
via an up-to-date Debian mirror after an installation, to cause any out of
date packages to be updated.
Those who frequently install updates from security.debian.org won't have to update many packages, and most updates from security.debian.org are included in this update.
New installation media and CD and DVD images containing updated packages will be available soon at the regular locations.
Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
akonadi | Fix a bug that caused old files to be kept when they should be removed |
apache2 | Fix conffile logic for wheezy to jessie upgrades; fix -D[efined] or <Define>[d] variables lifetime across restarts; mpm_event: Fix process deadlock when shutting down a worker; mpm_event: Fix crashes due to various race conditions |
apt | Parse specific-arch dependencies correctly on single-arch systems; remove "first package seen is native package" assumption; fix endless loop in apt-get update that can cause all disk space to be used |
bareos | Fix backup corruption on multi-volume jobs; add autopkgtests |
base-files | Update for the point release |
binutils-mingw-w64 | Apply upstream fix to handle Visual Studio DLLs |
bird | Correctly migrate bird6.conf from bird6 package |
cron | Cron.service: Use KillMode=process to kill only the daemon, not running jobs |
cross-gcc | Require bash in rules.template makefile |
dbus | Fix a memory leak when GetConnectionCredentials is called; stop dbus-monitor replying to org.freedesktop.DBus.Peer messages, including those that another process should have replied to |
debian-installer | Add image for Seagate DockStar; add symlinks for OpenRD variants; append DTB for LaCie NAS devices that require it |
debian-installer-launcher | Set the menu icon text in the source package to read "Install Debian jessie" |
debian-installer-netboot-images | Rebuild against new debian-installer |
designate | Fix mDNS DoS through incorrect handling of large RecordSets [CVE-2015-5695] |
dovecot | Fix SSL/TLS handshake failures leading to a crash of the login process with newer versions of OpenSSL [CVE-2015-3420]; fix mbox corruption issue |
ejabberd | Fix logging of nicknames in muc logs and parsing of ldap_dn_filter option; postinst: restart on upgrade; logrotate: don't signal a non-running daemon |
flash-kernel | Combine i.MX53 QSB and LOCO board entries, they are the same thing and the LOCO variant was missing DTB information, possibly causing issues during wheezy to jessie upgrades |
fusiondirectory | Access javascript libraries via a path relative to FusionDirectory's base path |
glibc | Fix pthread_mutex_trylock with lock elision; fix gprof entry point on ppc64el; fix a buffer overflow in getanswer_r [CVE-2015-1781] |
glusterfs | Stop creating UNIX domain sockets as FIFOs on NFS |
gnome-terminal | Open new tabs in working directory, rather than home directory |
gnutls28 | Fix a crash in VIA PadLock asm; fix GNUTLS-SA-2015-2, which allowed MD5 signatures (which are disabled by default) in the ServerKeyExchange message |
gosa | Fix idGenerator for patterns like {%sn[3-6}-{%givenName[3-6]}; enable CSV / LDIF import on (non-Debian-Edu) clean installations by default |
groovy2 | Fix remote execution of untrusted code and possible DoS vulnerability [CVE-2015-3253] |
grub-installer | Correctly propagate grub-installer/force-efi-extra-removable to installed system |
gtk+3.0 | Fix several crashes |
haproxy | Fix a segfault when parsing a configuration file containing disabled proxy sections |
how-can-i-help | Use HTTPS to connect to UDD |
kic | configure: Do not add -L without argument to $LIBS |
lame | Enable functions with SSE instructions to maintain their own properly aligned stack. Fixes crashes when called from the ocaml bindings |
libdatetime-timezone-perl | New upstream release |
libgee-0.8 | Fix default value of --enable-consistency-check, otherwise a very expensive debug option is turned on by default and would make a lot of applications unusably slow |
libio-socket-ssl-perl | Make PublicSuffix::_default_data thread safe |
libisocodes | Fix GLib critical warning if the environment variable LANGUAGE is not set |
libvirt | Teach virt-aa-helper to use TEMPLATE.qemu if the domain is kvm or kqemu; fix crash on live migration; allow access to libnl-3 configuration; report original error when QMP probing fails with new QEMU |
linux-ftpd-ssl | Fix NLST of empty directory results in segfault |
lynx-cur | Use gnutls_set_default_priority() instead of a custom priority string, so fixing GNUTLS-SA-2015-2 in GnuTLS does not break SSL support in lynx |
mesa | Disable asynchronous DMA on radeonsi which can cause lockups |
motif | Disable fix for upstream bug #1565 which caused segfaults in ddd and xpdf |
mozilla-gnome-keyring | Restore compatibility with newer Iceweasel versions |
nbd | Fix authfile parsing |
nss | Fix certificate chain generation to prefer stronger/newer certificates over weaker/older certs |
ocl-icd | Fix clSVMFree never called in OpenCL ICD |
pdf.js | Drop xul-ext-pdf.js package since it's not compatible with iceweasel 38 |
postgresql-9.1 | New upstream release |
postgresql-9.4 | New upstream release |
prosody | Fix CNAME resolution |
python-apt | Work around a cyclic reference from Cache to its methods; LFS fixes; fix splitting of multi-lines Binary fields in dsc files; arch-qualify in compare_to_version_in_cache(); fix apt.Package.installed_files for multi-arch packages |
python-keystoneclient | Fix S3token incorrect condition expression for ssl_insecure [CVE-2015-1852] |
python-keystonemiddleware | Fix S3Token TLS cert verification option not honored [CVE-2015-1852] |
python-reportlab | Correctly handle PNGs containing transparency |
python-swiftclient | Add missing dependency on python-pkg-resources |
r-cran-rcurl | Build-Depend on libcurl4-openssl-dev, fixing issues with PEM certificate bundles |
rawtherapee | Fix dcraw input sanitization errors [CVE-2015-3885] |
requestpolicy | Restore compatibility with newer Iceweasel versions |
rsyslog | Disable transactions in ompgsql as they were not working properly |
ruby2.1 | Fix Request hijacking vulnerability in Rubygems [CVE-2015-3900] |
syslinux | Fix booting on some Chromebooks |
systemd | Disable default DNS servers in systemd-resolve; use strictly versioned dependency on libsystemd-dev for the transitional dev packages; udev: Increase udev event timeout to 180s |
tabmixplus | Restore compatibility with newer Iceweasel versions |
tcpdump | Fix -Z confirmation log being sent to stdout, where it can get mixed with pcap stream data if '-w -' is used |
torrus | Revert broken patch refresh, thereby fixing rrdup_notify |
tzdata | New upstream release |
ufraw | Fix buffer overflow in ljpeg_start [CVE-2015-3885] |
unattended-upgrades | Make optional automatic-reboot work again; really fix adding of jessie-security |
wesnoth-1.10 | Disallow inclusion of .pbl files from WML [CVE-2015-5069, CVE-2015-5070] |
xemacs21 | Conflict against old transitional packages to make absolutely sure that they are removed before we try to upgrade; remove dependency from support to binary package since the binary package already has the equivalent dependency |
xserver-xorg-video-modesetting | Don't pretend to support rotation |
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
criu | Fast-moving target, too difficult to keep updated |
dactyl | Incompatible with newer Iceweasel versions |
fullscreen-extension | Incompatible with newer Iceweasel versions |
netty3.1 | Dependency for non-present jetty |
php-zend-xml | Security issues; useless in Debian |
rubyfilter | Broken (empty) package |
Debian Installer
The installer has been updated to add support for Seagate DockStar devices and to include the fixes incorporated into stable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
stable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.