Updated Debian 8: 8.7 released

January 14th, 2017

The Debian project is pleased to announce the seventh update of its stable distribution Debian 8 (codename jessie). This update mainly adds corrections for security problems to the stable release, along with a few adjustments for serious problems. Security advisories were already published separately and are referenced where available.

Please note that this update does not constitute a new version of Debian 8 but only updates some of the packages included. There is no need to throw away old jessie CDs or DVDs but only to update via an up-to-date Debian mirror after an installation, to cause any out of date packages to be updated.

Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.

New installation media and CD and DVD images containing updated packages will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package Reason
ark Stop crashing on exit when being used solely as a KPart
asterisk Fix security issue due to non-printable ASCII chars treated as whitespace [CVE-2016-9938]
asused Use created fields instead of changed, in line with changes to source data
base-files Change /etc/debian_version to 8.7
bash Fix arbitrary code execution via malicious hostname [CVE-2016-0634] and specially crafted SHELLOPTS+PS4 variables allows command substitution [CVE-2016-7543]
ca-certificates Update Mozilla certificate authority bundle to version 2.9; postinst: run update-certificates without hooks to initially populate /etc/ssl/certs
cairo Fix DoS via using SVG to generate invalid pointers [CVE-2016-9082]
ccache [amd64] Rebuild in a clean environment
ceph Fix short CORS request issue [CVE-2016-9579], mon DoS [CVE-2016-5009], anonymous read on ACL [CVE-2016-7031], RGW DoS [CVE-2016-8626]
chirp Disable reporting of telemetry by default
cyrus-imapd-2.4 Fix LIST GROUP support
darktable Fix integer overflow in ljpeg_start() [CVE-2015-3885]
dbus Fix potential format string vulnerability; dbus.prerm: ensure that dbus.socket is stopped before removal
debian-edu-doc Update Debian Edu Jessie manual from the wiki; fix (da|nl) Jessie manual PO files to get the PDF manuals built; translation updates
debian-edu-install Update version number to 8+edu1
debian-installer Rebuild for the point release
debian-installer-netboot-images Rebuild for the point release
duck Fix loading of code from untrusted location [CVE-2016-1239]
e2fsprogs Rebuild against dietlibc 0.33~cvs20120325-6+deb8u1, to pick up included security fixes
ebook-speaker Fix hint about installing html2text to read html files
elog Fix posting entry as arbitrary username [CVE-2016-6342]
evolution-data-server Fix premature drop of connection with reduced TCP window sizes and resulting loss of data
exim4 Fix GnuTLS memory leak
file Fix memory leak in magic loader
ganeti-instance-debootstrap Fix losetup invocations by replacing -s with --show
glibc Do not unconditionally use the fsqrt instruction on 64-bit PowerPC CPUs; fix a regression introduced by cvs-resolv-ipv6-nameservers.diff in hesiod; disable lock elision (aka Intel TSX) on x86 architectures
glusterfs Quota: Fix could not start auxiliary mount issue
gnutls28 Fix incorrect certificate validation when using OCSP responses [GNUTLS-SA-2016-3 / CVE-2016-7444]; ensure compatibility with CVE-2016-6489-patched nettle
hplip Use full gpg key fingerprint when fetching key from keyservers [CVE-2015-0839]
ieee-data Disable monthly update cron job
intel-microcode Update microcode
irssi Fix information exposure issue via buf.pl and /upgrade [CVE-2016-7553]; fix NULL pointer dereference in the nickcmp function [CVE-2017-5193], use-after-free when receiving invalid nick message [CVE-2017-5194] and out-of-bounds read in certain incomplete control codes [CVE-2017-5195]
isenkram Download firmware using curl; use HTTPS when downloading modaliases; change mirror from http.debian.net to httpredir.debian.org
jq Fix heap buffer overflow [CVE-2015-8863] and stack exhaustion [CVE-2016-4074]
libclamunrar Fix out-of-band access
libdatetime-timezone-perl Update to 2016h; update included data to 2016i; update to 2016j; update to 2016g
libfcgi-perl Fix numerous connections cause segfault DoS [CVE-2012-6687]
libio-socket-ssl-perl Fix issue with incorrect unreadable SSL_key_file error when using filesystem ACLs
libmateweather Switch from discontinued weather.noaa.gov to aviationweather.gov
libphp-adodb Fix XSS vulnerability [CVE-2016-4855] and SQL injection issue [CVE-2016-7405]
libpng Fix null pointer deference issue [CVE-2016-10087]
libwmf Fix allocating huge block of memory [CVE-2016-9011]
linkchecker Fix HTTPS checks
linux Update to stable 3.16.39; add chaoskey driver, backported from 4.8, support for n25q256a11 SPI flash device; security,perf: Allow unprivileged use of perf_event_open to be disabled; several bug and security fixes
lxc Attach: do not send procfd to attached process [CVE-2016-8649]; remount bind mounts if read-only flag is provided; fix Alpine Linux container creation
mapserver Fix FTBFS with php >= 5.6.25; fix information leak via error messages [CVE-2016-9839]
mdadm Allow '--grow --continue' to successfully reshape an array when using backup space on a 'spare' device
metar Update report URL
minissdpd Fix improper validation of array index vulnerability [CVE-2016-3178 CVE-2016-3179]
monotone Change the sigpipe test case to write 1M of test data to increase chances of overflowing the pipe buffer
most Fix shell injection attack when opening lzma-compressed files [CVE-2016-1253]
mpg123 Fix DoS with crafted ID3v2 tags
musl Fix integer overflow [CVE-2016-8859]
nbd Stop mixing global flags into the flags field that gets sent to the kernel, so that connecting to nbd-server >= 3.9 does not cause every export to be (incorrectly) marked as read-only
nettle Protect against potential side-channel attacks against exponentiation operations [CVE-2016-6489]
nss-pam-ldapd Have init script stop action only return when nslcd has actually stopped
nvidia-graphics-drivers Update to new driver version, including security fixes [CVE-2016-8826 CVE-2016-7382 CVE-2016-7389]
nvidia-graphics-drivers-legacy-304xx Update to new driver version, including security fixes [CVE-2016-8826 CVE-2016-7382 CVE-2016-7389]
nvidia-graphics-modules Rebuild against nvidia-kernel-source 340.101
openbox Add libxcursor-dev build-dependency to fix loading of startup notifications; replace getgrent with getgroups so as not to enumerate all groups at startup
opendkim Fix relaxed canonicalization of folded headers, which broke signatures
pam Fix handling of loginuid in containers
pgpdump Fix endless loop parsing specially crafted input in read_binary [CVE-2016-4021] and buffer overrun in read_radix64
postgresql-9.4 New upstream release
postgresql-common Pg_upgradecluster: Properly upgrade databases with non-login role owners; pg_ctlcluster: Protect against symlink in /var/log/postgresql/ allowing the creation of arbitrary files elsewhere [CVE-2016-1255]
potrace Security fixes [CVE-2016-8694 CVE-2016-8695 CVE-2016-8696 CVE-2016-8697 CVE-2016-8698 CVE-2016-8699 CVE-2016-8700 CVE-2016-8701 CVE-2016-8702 CVE-2016-8703]
python-crypto Raise a warning when IV is used with ECB or CTR and ignore the IV [CVE-2013-7459]
python-werkzeug Fix XSS issue in debugger
qtbase-opensource-src Prevent bad-ptrs deref in QNetworkConfigurationManagerPrivate; fix X11 tray icons on some desktops
rawtherapee Fix buffer overflow in dcraw [CVE-2015-8366]
redmine Handle dependency check failure when triggered, to avoid breaking in the middle of dist-upgrades; avoid opening database configuration that are not readable
samba Fix client side SMB2/3 required signing can be downgraded [CVE-2016-2119], various regressions introduced by the 4.2.10 security fixes, segfault with clustering
sed Ensure consistent permissions with different umasks
shutter Fix insecure usage of system() [CVE-2015-0854]
sniffit Security fix [CVE-2014-5439]
suckless-tools Fix SEGV in slock when user's account has been disabled [CVE-2016-6866]
sympa Fix logrotate configuration so that sympa is not left in a confused state when systemd is used
systemd Don't return any error in manager_dispatch_notify_fd() [CVE-2016-7796]; core: Rework logic to determine when we decide to add automatic deps for mounts; various ordering fixes for ifupdown; systemctl: Fix argument handling when invoked as shutdown; localed: tolerate absence of /etc/default/keyboard; systemctl, loginctl, etc.: Don't start polkit agent when running as root
tevent New upstream version, required for samba
tre Fix regex integer overflow in buffer size computations [CVE-2016-8859]
tzdata Update included data to 2016h; update to 2016g; update to 2016j; update included data to 2016i
unrtf Fix buffer overflow in various cmd_ functions [CVE-2016-10091]
w3m Several security fixes [CVE-2016-9430 CVE-2016-9434 CVE-2016-9438 CVE-2016-9440 CVE-2016-9441 CVE-2016-9423 CVE-2016-9431 CVE-2016-9424 CVE-2016-9432 CVE-2016-9433 CVE-2016-9437 CVE-2016-9422 CVE-2016-9435 CVE-2016-9436 CVE-2016-9426 CVE-2016-9425 CVE-2016-9428 CVE-2016-9442 CVE-2016-9443 CVE-2016-9429 CVE-2016-9621 CVE-2016-9439 CVE-2016-9622 CVE-2016-9623 CVE-2016-9624 CVE-2016-9625 CVE-2016-9626 CVE-2016-9627 CVE-2016-9628 CVE-2016-9629 CVE-2016-9631 CVE-2016-9630 CVE-2016-9632 CVE-2016-9633]
wireless-regdb Update included data
wot Remove plugin due to privacy issues
xwax Replace ffmpeg with avconv from libav-tools
zookeeper Fix buffer overflow via the input command when using the cmd: batch mode syntax [CVE-2016-5017]

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-3636 collectd
DSA-3665 openjpeg2
DSA-3666 mysql-5.5
DSA-3667 chromium-browser
DSA-3668 mailman
DSA-3669 tomcat7
DSA-3670 tomcat8
DSA-3671 wireshark
DSA-3672 irssi
DSA-3673 openssl
DSA-3674 firefox-esr
DSA-3675 imagemagick
DSA-3676 unadf
DSA-3677 libarchive
DSA-3678 python-django
DSA-3679 jackrabbit
DSA-3680 bind9
DSA-3681 wordpress
DSA-3682 c-ares
DSA-3683 chromium-browser
DSA-3684 libdbd-mysql-perl
DSA-3685 libav
DSA-3686 icedove
DSA-3687 nspr
DSA-3688 nss
DSA-3689 php5
DSA-3691 ghostscript
DSA-3692 freeimage
DSA-3693 libgd2
DSA-3694 tor
DSA-3695 quagga
DSA-3696 linux
DSA-3697 kdepimlibs
DSA-3698 php5
DSA-3700 asterisk
DSA-3701 nginx
DSA-3702 tar
DSA-3703 bind9
DSA-3704 memcached
DSA-3705 curl
DSA-3706 mysql-5.5
DSA-3709 libxslt
DSA-3710 pillow
DSA-3712 terminology
DSA-3713 gst-plugins-bad0.10
DSA-3714 akonadi
DSA-3715 moin
DSA-3716 firefox-esr
DSA-3717 gst-plugins-bad0.10
DSA-3717 gst-plugins-bad1.0
DSA-3718 drupal7
DSA-3719 wireshark
DSA-3720 tomcat8
DSA-3721 tomcat7
DSA-3722 vim
DSA-3723 gst-plugins-good1.0
DSA-3724 gst-plugins-good0.10
DSA-3725 icu
DSA-3726 imagemagick
DSA-3727 hdf5
DSA-3728 firefox-esr
DSA-3729 xen
DSA-3731 chromium-browser
DSA-3732 php-ssh2
DSA-3732 php5
DSA-3733 apt
DSA-3734 firefox-esr
DSA-3735 game-music-emu
DSA-3736 libupnp
DSA-3737 php5
DSA-3738 tomcat7
DSA-3739 tomcat8
DSA-3740 samba
DSA-3741 tor
DSA-3743 python-bottle
DSA-3744 libxml2
DSA-3745 squid3
DSA-3747 exim4
DSA-3748 libcrypto++
DSA-3749 dcmtk
DSA-3750 libphp-phpmailer
DSA-3751 libgd2
DSA-3752 pcsc-lite
DSA-3753 libvncserver
DSA-3754 tomcat7
DSA-3755 tomcat8

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
dotclear Security issues
sogo Security issues

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/jessie/ChangeLog

The current stable distribution:

http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.