Updated Debian 8: 8.9 released

July 22nd, 2017

The Debian project is pleased to announce the ninth update of its oldstable distribution Debian 8 (codename jessie). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 8 but only updates some of the packages included. There is no need to throw away old jessie media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:


Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following packages:

Package Reason
3dchess Reduce wasteful CPU consumption
apt-cacher Prevent HTTP response splitting with encoded newlines in request [CVE-2017-7443]; make sure /var/run/apt-cacher exists
base-files Update for the 8.9 point release
boinc Improve adjusting OOM score; fix security issue with xhost
c-ares Security fix [CVE-2017-1000381]
cfitsio Fix crashes related to improper memory handling
chkrootkit Fix segmentation fault; fix missing dependency on openssh-client; add Built-Using field
cqrlog tools/cqrlog-apparmor-fix, debian/postrm: Check for /etc/init.d/apparmor before restarting apparmor
debconf Use File::Temp instead of the deprecated POSIX::tmpnam() in Debconf::TmpFile
debian-archive-keyring Add stretch keys, and move squeeze keys to removed keyring
debian-installer Rebuild against proposed-updates
debian-installer-netboot-images Rebuild against proposed-updates
debian-security-support Update support status of various packages; update translations
debootstrap Add support for Buster and Bullseye
eterm Fix integer overflow preventing the shell from starting/stopping properly
flightgear Prevent overriding arbitrary files from the save-flightplan FGCommand [CVE-2017-8921]
galternatives Fix blank properties page
gitolite3 Fix missing dependency on openssh-client
gnats gnats-user: do not fail to purge if /var/lib/gnats/gnats-db is not empty
gnutls28 Improve check for /dev/urandom uniqueness
gtk+2.0 Backport patch from GTK+3 to fix stuck grabs in some situations
init-select Check for /usr/lib/init-select/get-init before calling it
intel-microcode Update included microcode
libapache2-mod-perl2 Fix test suite for compatibility with latest Apache 2 updates
libcgi-application-plugin-anytemplate-perl Fix missing dependency on one of libclone-perl and libclone-pp-perl
libclamunrar Fix arbitrary memory write [CVE-2012-6706]
libdata-faker-perl Run the test suite under a specific locale
libdvdnav Use proper error handling when position cannot be detected
libhtml-microformats-perl Fix missing dependency on libmodule-pluggable-perl
libhttp-proxy-perl Fix broken 'via' handling
libonig Fix multiple invalid pointer dereference, out-of-bounds write memory corruption and stack buffer overflow issues [CVE-2017-9224 CVE-2017-9226 CVE-2017-9227 CVE-2017-9228 CVE-2017-9229]
libosinfo Add support for jessie and stretch
libsys-syscall-perl Add support for more architectures
libterralib Remove superfluous Conflicts/Replaces: libterralib3 since that causes problems upgrading to stretch which has that package
libx11-protocol-other-perl Disable buggy test
lxterminal Security fix: improper use of /tmp for a socket file
netcfg IPv6 autoconfiguration: fix NTP server name handling; stop queueing rdnssd's installation with IPv6 setups
offlineimap Prevent the usage of maxage (broken and may result in data loss)
os-prober EFI: fix check on ID_PART_ENTRY_SCHEME, to look for dos instead of msdos; make Windows Vista detection more robust; add support for Windows 10
pam Rebuild to fix multi-arch differences
partman-ext3 Force ext3|ext4 filesystem creation with -F so that D-I doesn't hang when re-using an existing partition in some situations
perl Apply upstream base.pm no-dot-in-inc fix
polarssl Fix freeing of memory allocated on stack when validating a public key with a secp224k1 curve [CVE-2017-2784]
proftpd-dfsg Fix TLSDHParamFile directive appearing to be ignored because an unexpected DH is chosen [CVE-2016-3125]; fix AllowChrootSymlinks off not checking the entire DefaultRoot path for symlinks [CVE-2017-7418]
python-colorlog Fix python3 dependencies
python-plumbum Fix python3 dependencies
rkhunter Disable remote updates [CVE-2017-7480]
shutter Fix insecure use of perl exec() [CVE-2016-10081] and system()
tcpdf Security fix: disallow tcpdf calls in HTML [CVE-2017-6100]
unrar-nonfree Security fix: add bound checks for VMSF_DELTA, VMSF_RGB and VMSF_AUDIO parameters [CVE-2012-6706]
w3m Fix multiple buffer overflows, use after free issues and an infinite loop
xarchiver Fix possible data loss due to shell metacharacters
xfce4-weather-plugin Adapt to new weather website APIs

Security Updates

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-3742 flightgear
DSA-3793 shadow
DSA-3840 mysql-connector-java
DSA-3841 libxstream-java
DSA-3842 tomcat7
DSA-3843 tomcat8
DSA-3844 tiff
DSA-3845 libtirpc
DSA-3845 rpcbind
DSA-3846 libytnef
DSA-3847 xen
DSA-3848 git
DSA-3849 kde4libs
DSA-3850 rtmpdump
DSA-3851 postgresql-9.4
DSA-3852 squirrelmail
DSA-3853 bitlbee
DSA-3854 bind9
DSA-3855 jbig2dec
DSA-3856 deluge
DSA-3857 mysql-connector-java
DSA-3859 dropbear
DSA-3860 samba
DSA-3861 libtasn1-6
DSA-3862 puppet
DSA-3863 imagemagick
DSA-3864 fop
DSA-3865 mosquitto
DSA-3866 strongswan
DSA-3867 sudo
DSA-3868 openldap
DSA-3869 tnef
DSA-3870 wordpress
DSA-3871 zookeeper
DSA-3872 nss
DSA-3873 perl
DSA-3874 ettercap
DSA-3875 libmwaw
DSA-3876 otrs2
DSA-3877 tor
DSA-3878 zziplib
DSA-3879 libosip2
DSA-3880 libgcrypt20
DSA-3882 request-tracker4
DSA-3883 rt-authen-externalauth
DSA-3884 gnutls28
DSA-3885 irssi
DSA-3886 linux
DSA-3887 glibc
DSA-3888 exim4
DSA-3889 libffi
DSA-3891 tomcat8
DSA-3892 tomcat7
DSA-3893 jython
DSA-3894 graphite2
DSA-3896 apache2
DSA-3897 drupal7
DSA-3898 expat
DSA-3899 vlc
DSA-3900 openvpn
DSA-3901 libgcrypt20
DSA-3903 tiff
DSA-3904 bind9
DSA-3905 xorg-server
DSA-3907 spice
DSA-3910 knot
DSA-3911 evince
DSA-3912 heimdal

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
ears Requires unavailable python-musicbrainz
gnuvd Broken by upstream site changes
hbro Segfaults on all usage
hbro-contrib Build-depends on to-be-removed hbro
lshell Security issues
pgsnap Incompatible with current PostgreSQL versions
python-django-authority Incompatible with Django 1.7
rant Broken

Debian Installer

The installer has been updated to include the fixes incorporated into oldstable by the point release.


The complete lists of packages that have changed with this revision:


The current oldstable distribution:


Proposed updates to the oldstable distribution:


oldstable distribution information (release notes, errata etc.):


Security announcements and information:


About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.