Updated Debian 9: 9.1 released

July 22nd, 2017

The Debian project is pleased to announce the first update of its stable distribution Debian 9 (codename stretch). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included. There is no need to throw away old stretch media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:


Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package Reason
3dchess Reduce wasteful CPU consumption
adwaita-icon-theme Fix malformed send-to-symbolic icon
anope Fix incorrect mail-transport-agent relationship
apt Reset failure reason when connection was successful, so later errors are reported as such and not as connection failure warnings; http: A response with Content-Length: 0 has no content, so don't try to read it; use port from SRV record instead of initial port
avogadro Update eigen3 patches
base-files Update for the 9.1 point release
c-ares Security fix [CVE-2017-1000381]
debian-edu-doc Update Debian Edu Stretch manual from the wiki; update translations
debsecan Add support for stretch and buster; Python needs https_proxy for proxy configuration with https:// URLs
devscripts debchange: target stretch-backports with --bpo; support $codename{,-{proposed-updates,security}}; bts: add support for the new a11y tag
dgit Multiple bugfixes
dovecot Fix syntax errors when sending Solr queries
dwarfutils Security fixes [CVE-2017-9052 CVE-2017-9053 CVE-2017-9054 CVE-2017-9055 CVE-2017-9998]
fpc Fix conversion from local time to UTC
galternatives Fix blank window when displaying properties
geolinks Fix python3 dependencies
gnats gnats-user: do not fail to purge if /var/lib/gnats/gnats-db is not empty
gnome-settings-daemon Do not add the US keyboard layout by default for new users, for some reason, this layout was preferred over the system configured one on the first login; preserve NumLock state between sessions by default
gnuplot Fix memory corruption vulnerability
gnutls28 Fix breakage with AES-GCM in-place encryption and decryption on aarch64
grub-installer Fix support for systems with a large number of disks
intel-microcode Update included microcode
libclamunrar Fix arbitrary memory write [CVE-2012-6706]
libopenmpt Security fixes: out-of-bounds read while loading a malfomed PLM file; arbitrary code execution by a crafted PSM file [CVE-2017-11311]; various security fixes
libquicktime Security fixes [CVE-2017-9122 CVE-2017-9123 CVE-2017-9124 CVE-2017-9125 CVE-2017-9126 CVE-2017-9127 CVE-2017-9128]
linux-latest Revert changes to debug symbol meta-packages
nagios-nrpe Restore previous SSL defaults
nvidia-graphics-drivers Bump Pre-Depends: nvidia-installer-cleanup to (>= 20151021) for smoother upgrades from jessie
octave-ocs Fix loading package functions
open-iscsi Speed up Debian Installer when iSCSI is not used
openssh Fix incoming compression statistics
openstack-debian-images Also add security updates for non wheezy/jessie
os-prober EFI - look for dos instead of msdos
osinfo-db Improve support for Stretch and Jessie
partman-base Protect the firmware area on all mmcblk devices (and not only on mmcblk0) from being clobbered during guided partitioning
pdns-recursor Add 2017 DNSSEC root key
perl Backport various Getopt-Long fixes from upstream 2.49..2.51; backport upstream patch fixing regexp Malformed UTF-8 character; apply upstream base.pm no-dot-in-inc fix
phpunit Security fix: arbitrary PHP code execution via HTTP POST
protozero Fix data_view equality operator
pulseaudio Fix copyright file
pykde4 Drop bindings for plasma webview bindings; they're obsolete and non-functional
python-colorlog Fix python3 dependencies
python-imaplib2 Fix python3 dependencies
python-plumbum Fix python3 dependencies
qgis Fix missing Breaks/Replaces against python-qgis-common
request-tracker4 Handle configuration permissions correctly following RT_SiteConfig.d changes
retext Backport upstream fix for crash in XSettings code; fix syntax in appdata XML file
rkhunter Disable remote updates [CVE-2017-7480]
socat Fix signals leading to possible 100% CPU usage
squashfs-tools Fix corruption of large files; fix rare race condition
systemd Fix out-of-bounds write in systemd-resolved [CVE-2017-9445]; be truly quiet in systemctl -q is-enabled; improve RLIMIT_NOFILE handling; debian/extra/rules: Use updated U2F ruleset
thermald Add Broadwell-GT3E and Kabylake support
unrar-nonfree Add bound checks for VMSF_DELTA, VMSF_RGB and VMSF_AUDIO paramters [CVE-2012-6706]
win32-loader Replace all mirror urls with deb.debian.org; drop bz2 compression for source

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-3876 otrs2
DSA-3877 tor
DSA-3882 request-tracker4
DSA-3884 gnutls28
DSA-3885 irssi
DSA-3886 linux
DSA-3887 glibc
DSA-3888 exim4
DSA-3890 spip
DSA-3891 tomcat8
DSA-3893 jython
DSA-3895 flatpak
DSA-3896 apache2
DSA-3897 drupal7
DSA-3900 openvpn
DSA-3901 libgcrypt20
DSA-3902 jabberd2
DSA-3903 tiff
DSA-3904 bind9
DSA-3905 xorg-server
DSA-3906 undertow
DSA-3907 spice
DSA-3908 nginx
DSA-3910 knot
DSA-3911 evince
DSA-3912 heimdal

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
aiccu Useless since shutdown of SixXS

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.


The complete lists of packages that have changed with this revision:


The current stable distribution:


Proposed updates to the stable distribution:


stable distribution information (release notes, errata etc.):


Security announcements and information:


About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.