Updated Debian 8: 8.10 released

December 9th, 2017

The Debian project is pleased to announce the tenth update of its oldstable distribution Debian 8 (codename jessie). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 8 but only updates some of the packages included. There is no need to throw away old jessie media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following packages:

Package Reason
bareos Fix permissions of bareos-dir logrotate config; fix file corruption when using SHA1 signature
base-files Update for the point release
bind9 Import upcoming DNSSEC KSK-2017
cups Disable SSLv3 and RC4 by default to address POODLE vulnerability
db Do not access DB_CONFIG when db_home is not set [CVE-2017-10140]
db5.3 Do not access DB_CONFIG when db_home is not set [CVE-2017-10140]
debian-installer Rebuild for the point release
debian-installer-netboot-images Rebuild for the point release
debmirror Tolerate unknown lines in *.diff/Index; mirror DEP-11 metadata files; prefer xz over gz, and cope with either being missing; mirror and validate InRelease files
dns-root-data Update root.hints to 2017072601 version; add KSK-2017 to root.key file
dput dput.cf: replace security-master.debian.org with ftp.upload.security.debian.org
dwww Fix Last-Modified header name
elog Update patch 0005_elogd_CVE-2016-6342_fix to grant access as normal user
flightgear Fix arbitrary file overwrite vulnerability [CVE-2017-13709]
gsoap Fix integer overflow via large XML document [CVE-2017-9765]
hexchat Fix segmentation fault following /server command
icu Fix double free in createMetazoneMappings() [CVE-2017-14952]
kdepim Fix send Later with Delay bypasses OpenPGP [CVE-2017-9604]
kedpm Fix information leak via command history file [CVE-2017-8296]
keyringer Handle subkeys without expiration date and public keys listed multiple times
krb5 Security fixes - remote authenticated attackers can crash the KDC [CVE-2017-11368]; kdc crash on restrict_anon_to_tgt [CVE-2016-3120]; remote DOS with ldap for authenticated attackers [CVE-2016-3119]; prevent requires_preauth bypass [CVE-2015-2694]
libdatetime-timezone-perl Update included data
libdbi Re-enable error handler call in dbi_result_next_row()
libembperl-perl Change hard dependency on mod_perl in zembperl.load to Recommends, fixing an installation failure when libapache2-mod-perl2 is not installed
libio-socket-ssl-perl Fix segfault using malformed client certificates
liblouis Fix multiple stack-based buffer overflows [CVE-2014-8184]
libofx Security fixes [CVE-2017-2816 CVE-2017-14731]
libwnckmm Tighten dependencies between packages; use jquery.js from libjs-jquery
libwpd Security fix [CVE-2017-14226]
libx11 Fix insufficient validation of data from the X server can cause out of boundary memory read (XGetImage()) or write (XListFonts()) [CVE-2016-7942 CVE-2016-7943]
libxfixes Fix integer overflow on illegal server response [CVE-2016-7944]
libxi Fix insufficient validation of data from the X server can cause out of boundary memory access or endless loops [CVE-2016-7945 CVE-2016-7946]
libxrandr Avoid out of boundary accesses on illegal responses [CVE-2016-7947 CVE-2016-7948]
libxtst Fix insufficient validation of data from the X server can cause out of boundary memory access or endless loops [CVE-2016-7951 CVE-2016-7952]
libxv Fix protocol handling issues in libXv [CVE-2016-5407]
libxvmc Avoid buffer underflow on empty strings [CVE-2016-7953]
linux New stable kernel version 3.16.51
ncurses Fix various crash bugs in the tic library and the tic binary [CVE-2017-10684 CVE-2017-10685 CVE-2017-11112 CVE-2017-11113 CVE-2017-13728 CVE-2017-13729 CVE-2017-13730 CVE-2017-13731 CVE-2017-13732 CVE-2017-13734 CVE-2017-13733]
openssh Test configuration before starting or reloading sshd under systemd; make -- before the hostname terminate argument processing after the hostname too
pdns Add missing check on API operations [CVE-2017-15091]
pdns-recursor Fix configuration file injection in the API [CVE-2017-15093]
postgresql-9.4 New upstream bugfix release
python-tablib Securely load YAML [CVE-2017-2810]
request-tracker4 Fix regression in previous security release where incorrect SHA256 passwords could trigger an error
ruby-ox Avoid crash with invalid XML passed to Oj.parse_obj() [CVE-2017-15928]
sam2p Fix several integer overflow or heap-based buffer overflow issues [CVE-2017-14628 CVE-2017-14629 CVE-2017-14630 CVE-2017-14631 CVE-2017-14636 CVE-2017-14637 CVE-2017-16663]
slurm-llnl Fix security issue caused by insecure file path handling triggered by the failure of a Prolog script [CVE-2016-10030]
sudo Fix arbitrary terminal access [CVE-2017-1000368]
syslinux Fix boot problem for old BIOS firmware by correcting C/H/S order
tor Add Bastet directory authority; update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2 country database; fix a memset() off the end of an array when packing cells
transfig Add input sanitisation on FIG files [CVE-2017-16899]; sanitize input of fill patterns
tzdata New upstream release
unbound Fix install of trust anchor when two anchors are present; include root trust anchor id 20326
weechat logger: call strftime before replacing buffer local variables [CVE-2017-14727]

Security Updates

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-3904 bind9
DSA-3908 nginx
DSA-3909 samba
DSA-3913 apache2
DSA-3914 imagemagick
DSA-3916 atril
DSA-3917 catdoc
DSA-3921 enigmail
DSA-3922 mysql-5.5
DSA-3924 varnish
DSA-3928 firefox-esr
DSA-3929 libsoup2.4
DSA-3930 freeradius
DSA-3932 subversion
DSA-3933 pjproject
DSA-3934 git
DSA-3935 postgresql-9.4
DSA-3937 zabbix
DSA-3938 libgd2
DSA-3939 botan1.10
DSA-3940 cvs
DSA-3942 supervisor
DSA-3943 gajim
DSA-3945 linux
DSA-3946 libmspack
DSA-3947 newsbeuter
DSA-3948 ioquake3
DSA-3949 augeas
DSA-3950 libraw
DSA-3951 smb4k
DSA-3952 libxml2
DSA-3956 connman
DSA-3958 fontforge
DSA-3960 gnupg
DSA-3961 libgd2
DSA-3962 strongswan
DSA-3963 mercurial
DSA-3964 asterisk
DSA-3969 xen
DSA-3970 emacs24
DSA-3971 tcpdump
DSA-3972 bluez
DSA-3973 wordpress-shibboleth
DSA-3974 tomcat8
DSA-3976 freexl
DSA-3977 newsbeuter
DSA-3978 gdk-pixbuf
DSA-3979 pyjwt
DSA-3980 apache2
DSA-3981 linux
DSA-3982 perl
DSA-3983 samba
DSA-3984 git
DSA-3986 ghostscript
DSA-3987 firefox-esr
DSA-3988 libidn2-0
DSA-3989 dnsmasq
DSA-3990 asterisk
DSA-3992 curl
DSA-3995 libxfont
DSA-3997 wordpress
DSA-3998 nss
DSA-3999 wpa
DSA-4000 xorg-server
DSA-4002 mysql-5.5
DSA-4004 jackson-databind
DSA-4006 mupdf
DSA-4007 curl
DSA-4008 wget
DSA-4011 quagga
DSA-4012 libav
DSA-4013 openjpeg2
DSA-4016 irssi
DSA-4018 openssl
DSA-4021 otrs2
DSA-4022 libreoffice
DSA-4025 libpam4j
DSA-4026 bchunk
DSA-4027 postgresql-9.4
DSA-4029 postgresql-common
DSA-4033 konversation
DSA-4035 firefox-esr
DSA-4037 jackson-databind
DSA-4038 shibboleth-sp2
DSA-4039 opensaml2
DSA-4040 imagemagick
DSA-4041 procmail
DSA-4042 libxml-libxml-perl
DSA-4043 samba
DSA-4045 vlc
DSA-4046 libspring-ldap-java
DSA-4047 otrs2
DSA-4051 curl
DSA-4052 bzr

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
libnet-ping-external-perl Unmaintained, security issues
aiccu Useless since shutdown of SixXS

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/jessie/ChangeLog

The current oldstable distribution:

http://ftp.debian.org/debian/dists/oldstable/

Proposed updates to the oldstable distribution:

http://ftp.debian.org/debian/dists/oldstable-proposed-updates

oldstable distribution information (release notes, errata etc.):

https://www.debian.org/releases/oldstable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.