Updated Debian 8: 8.6 released
17 September 2016
The Debian project is proud to announce the sixth update of its
stable distribution Debian 8 (codename jessie).
This update mainly adds corrections for security problems
to the stable release, along with a few adjustments for
serious problems. Security advisories have already been published separately and
are referenced where available.
Please note that this update does not constitute a new version of Debian
8 but only updates some of the packages included. There is
no need to throw away old jessie CDs or DVDs;
all that is needed is to update via an up-to-date Debian mirror after
an installation, so that all out-of-date packages are updated.
Those who frequently install updates from security.debian.org will not have to update many packages, and most updates from security.debian.org are included in this update.
New installation media and CD and DVD images containing updated packages will be available soon at the regular locations.
Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) at one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous bugfixes
This stable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
adblock-plus | New upstream release, compatible with firefox-esr |
apache2 | Fix race condition and logical error in init script; remove links to manpages.debian.org in default index.html; mod_socache_memcache: Increase idle timeout to 15s to allow keep-alive connections; mod_proxy_fcgi: Fix wrong behaviour with 304 responses; correct systemd-sysv-generator behaviour; mod_proxy_html: Add missing config file mods-available/proxy_html.conf |
audiofile | Fix buffer overflow when changing both sample format and number of channels [CVE-2015-7747] |
automake-1.14 | Avoid insecure use of /tmp/ in install-sh |
backintime | Add missing dependency on python-dbus |
backuppc | Fix regressions from samba update to 4.2 |
base-files | Update for the point release |
biber | Fix breakage triggered by point release update of perl |
cacti | Fix sql injection in tree.php [CVE-2016-3172] and graph_view.php [CVE-2016-3659]; fix authentication bypass [CVE-2016-2313] |
ccache | Upstream bug-fix release |
clamav | Don't fail if AllowSupplementaryGroups is still set in the configuration file |
cmake | Fix FindOpenSSL module to detect OpenSSL 1.0.1t |
conkeror | Support Firefox 44 and later |
debian-edu-config | Move from Iceweasel to Firefox ESR; adjust ldap-tools/ldap-debian-edu-install to be compliant with systemd now that unit samba.service is masked; dhclient-exit-hooks.d/hostname: adjust for the case of a dedicated LTSP server; adjust cf.krb5client to ensure that cfengine runs are idempotent; move code to cleanup /usr/share/pam-configs/krb5 diversion from postinst to preinst to ease upgrades from old wheezy installations; don't purge libnss-mdns as cups now needs mdns for automatic printer detection |
debian-edu-doc | Update Debian Edu jessie and wheezy manuals from the wiki |
debian-installer | Rebuild against proposed-updates |
debian-installer-netboot-images | Rebuild for the point release |
debian-security-support | Update included support data; add support for marking packages as losing support at a future date |
dietlibc | Fix insecure default PATH |
dwarfutils | Security fixes [CVE-2015-8538 CVE-2015-8750 CVE-2016-2050 CVE-2016-2091 CVE-2016-5034 CVE-2016-5036 CVE-2016-5038 CVE-2016-5039 CVE-2016-5042] |
e2fsprogs | Disable prompts for time skew which is fudged in e2fsck; fix potential corruption of Hurd file systems by e2fsck, pointer bugs that could cause crashes in e2fsck and resize2fs |
exim4 | Fix cutthrough bug with body lines having a single dot; fix crash on exim -be '${if crypteq{xxx}{\$aaa}{yes}{no}}'; improve NEWS file; backport missing upstream patch to actually make $initial_cwd expansion work |
file | Fix buffer over-write in finfo_open with malformed magic file [CVE-2015-8865] |
firegestures | New upstream release, compatible with firefox-esr |
flashplugin-nonfree | Update-flashplugin-nonfree: Delete old get-upstream-version.pl from cache |
fusionforge | Remove dependency on Mediawiki plugin from fusionforge-full metapackage |
gdcm | Fix integer overflow [CVE-2015-8396] and denial of service [CVE-2015-8397] |
glibc | Fix assertion failure with unconnectable name server addresses (regression introduced by CVE-2015-7547 fix); fix *context functions on s390x; fix a buffer overflow in the glob function [CVE-2016-1234], a stack overflow in nss_dns_getnetbyname_r [CVE-2016-3075], a stack overflow in getaddrinfo function [CVE-2016-3706], a stack overflow in Sun RPC clntudp_call() [CVE-2016-4429]; update from upstream stable branch; fix open and openat functions with O_TMPFILE; fix backtrace hang on armel/armhf, possibly causing a minor denial of service vulnerability [CVE-2016-6323]; fix mtr on systems using only IPv6 nameservers |
gnome-maps | New upstream release; use the Mapbox tile server, instead of the no longer supported MapQuest server |
gnome-sudoku | Don't generate the same puzzle sequence every time |
gnupg | gpgv: Tweak default options for extra security; g10: Fix checking key for signature validation |
gnupg2 | gpgv: Tweak default options for extra security; g10: Fix checking key for signature validation |
greasemonkey | New upstream release, compatible with firefox-esr |
intel-microcode | New upstream release |
jakarta-jmeter | Really install the templates; fix an error with libxstream-java >= 1.4.9 when loading the templates |
javatools | Return correct architecture string for ppc64el in java-arch.sh |
kamailio | Fix libssl version check |
libbusiness-creditcard-perl | Adjust to changes in credit card ranges and processing of various companies |
libcss-dom-perl | Work around Encode changes included in perl and libencode-perl stable updates |
libdatetime-timezone-perl | Update included data to 2016e; new upstream release |
libdevel-declare-perl | Fix breakage caused by change in perl stable update |
libnet-ssleay-perl | Fix build failure with openssl 1.0.1t-1+deb8u1 |
libquota-perl | Adapt platform detection to work with Linux 4.x |
libtool | Fix multi-arch co-installability [amd64 i386] |
libxml2 | Fix a problem unparsing URIs without a host part like qemu:///system; this unbreaks libvirt, libsys-virt-perl and others |
linux | New upstream stable release |
lxc | Make sure stretch/sid containers have an init system, after init 1.34 dropped the 'Essential: yes' header |
mariadb-10.0 | New upstream release, including security fix [CVE-2016-6662] |
mozilla-noscript | New upstream release, compatible with firefox-esr |
nullmailer | Do not keep relayhost data in debconf database longer than strictly needed |
open-iscsi | Init script: wait a bit after iSCSI devices have appeared, working around a race condition in which dependent devices can appear only after the initial udev settle has returned; open-iscsi-udeb: update initramfs after copying configuration to target system |
openssl | Fix length check for CRLs; enable asm optimisation for s390x |
ovirt-guest-agent | Install ovirt-guest-agent.py executable; change owner of log directory to ovirtagent in postinst |
piuparts | Fix build failure (don't test the current Debian release status, tracking that is distro-info-data's problem) |
policykit-1 | Several bug-fixes: fix heap corruption [CVE-2015-3255], local authenticated denial of service [CVE-2015-4625] and issue with invalid object paths in RegisterAuthenticationAgent [CVE-2015-3218] |
publicsuffix | New upstream release |
pypdf2 | Fix infinite loop in readObject() function |
python-django | Bug-fix update to 1.7.11 |
python2.7 | Address StartTLS stripping attack in smtplib [CVE-2016-0772], integer overflow in zipimporter [CVE-2016-5636], HTTP header injection [CVE-2016-5699] |
quassel | Fix remote DoS in quassel core with invalid handshake data [CVE-2016-4414] |
ruby-eventmachine | Fix remotely triggerable crash due to FD handling |
ruby2.1 | dl::dlopen should not open a library with tainted library name in safe mode [CVE-2009-5147]; Fiddle handles should not call functions with tainted function names [CVE-2015-7551] |
sendmail | Do not abort with an assertion if the connection to an LDAP server is lost; ensure sendmail {client_port} is set correctly on little endian machines |
sqlite3 | Fix tempdir selection vulnerability [CVE-2016-6153], segfault following heavy SAVEPOINT usage |
systemd | Use the right timeout for stop processes we fork; don't reset log level to NOTICE if we get quiet on the kernel cmdline; fix prepare priority queue comparison function in sd-event; update links to kernel.org cgroup documentation; don't start console-getty.service when /dev/console is missing; order systemd-user-sessions.service after nss-user-lookup.target and network.target |
tabmixplus | New upstream release, compatible with firefox-esr |
tcpreplay | Handle frames of 65535 octets size, add a size check [CVE-2016-6160] |
tor | Update the set of authority directory servers |
tzdata | New upstream release; update to 2016e |
unbound | Init script fixes: add pidfilemagic comment; call start-stop-daemon with --retry for 'stop' action |
util-vserver | Rebuild against dietlibc 0.33~cvs20120325-6+deb8u1, fixing insecure default PATH |
vorbis-tools | Fix large alloca on bad AIFF input to oggenc [CVE-2015-6749], Validate count of channels in the header [CVE-2014-9638 CVE-2014-9639], fix segmentation fault in vcut |
vtk | Rebuild to fix Java paths [ppc64el] |
wget | By default, on server redirects to a FTP resource, use the original URL to get the local file name [CVE-2016-4971] |
wpa | Security updates relating to invalid characters [CVE-2016-4476, CVE-2016-4477] |
yaws | Fix HTTP_PROXY cgi env injection [CVE-2016-1000108] |
zabbix | Fix mysql.size shell command injection in zabbix-agent [CVE-2016-4338] |
The mariadb-10.0 package
failed to build on the powerpc architecture,
but has been included in the point release to allow quicker release of the fix
for CVE-2016-6662, which had not been disclosed in time for the upload. If a
fix for the build failure becomes available in time for the next mariadb-10.0 DSA,
an updated package will be made available via jessie-updates.
Security updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates.
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
minit | Unmaintained and outdated |
trn | Security issues; replaced by trn4 |
Debian Installer
The installer has been updated to include the fixes incorporated into the stable release by this point release.
URLs
The complete list of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
Information about the stable distribution (release notes, known issues, etc.):
Security announcements and information:
About Debian
The Debian Project is a group of Free Software developers who donate their time and effort to produce the completely free operating system Debian.
Contact information
For further information, please visit the Debian website at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.