Updated Debian 9: 9.3 released

December 9th, 2017

The Debian project is pleased to announce the third update of its stable distribution Debian 9 (codename stretch). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included. There is no need to throw away old stretch media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:


Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package Reason
abiword Fix flickering
base-files Update for the point release
berusky Fix startup crash with certain video card configurations
charmtimetracker Fix missing binary dependency on libqt5sql5-sqlite
corebird Increase maximum length of tweet to 280 characters
dbus When parsing dbus-daemon configuration, don't delay startup if high-quality entropy is not yet available; when using the Monitoring interface, match message filters that specify a destination correctly; increase listen() backlog of AF_UNIX sockets to the maximum possible, minimizing failed connections under heavy load
debian-edu-doc Merge stretch related documentation and translation updates from unstable and the wiki; documentation/common/edu.css.xml: improve HTML manual readability
debian-installer Rebuild for the point release
dehydrated Update subscriber license agreement URL
doit Add Breaks: nikola (<< 7.6.0-1~) to ensure its removal on upgrades from jessie
eclipse-titan Rebuild against current stretch GCC
fig2dev Add input sanitisation on FIG files [CVE-2017-16899]; sanitize input of fill patterns
flickcurl Fix oauth token fetching; prevent double free corruption during authentication
flightgear Prevent malicious add-ons from overriding arbitrary files [CVE-2017-13709]
ganeti Backport upstream support for non-DSA SSH keys; fix failover from dead nodes when using extstorage; fix instance import/export/move with current socat versions
gdm3 Backport several patches to fix XDMCP support
getmail4 Fix issue related to malformed fingerprints
grok Fix pointer aliasing bug; libgrok-dev: add missing dependencies on libgrok1 and libtokyocabinet-dev
gunicorn Drop unnecessary Pre-Depends on dpkg-dev which was causing gunicorn and python-gunicorn to bring in a compiler as a dependency
icu Fix double free in createMetazoneMappings() [CVE-2017-14952]
inn2 [i386] Rebuild to pick up correct path to gzip binary
iproute2 Fix segfault in tc with iptables 1.6
jdcal Fix Python3 dependencies
kde-gtk-config Fix preview buttons in KDE-GTK-config UI
lasi liblasi-dev: add missing dependencies on libpango1.0-dev and libfreetype6-dev
libdatetime-timezone-perl Update included data
libdbd-firebird-perl Fix fetching of decimal(x,y) values between -1 and 0
libdbi Re-enable error handler call in dbi_result_next_row()
liblog-log4perl-perl Work around Perl 5.24 no longer allowing syswrite and utf8 together
liblouis Fix buffer overflow and use-after-free issues [CVE-2017-13738 CVE-2017-13739 CVE-2017-13740 CVE-2017-13741 CVE-2017-13742 CVE-2017-13743 CVE-2017-13744]
libmpd libmpd-dev: Add the missing dependency on libglib2.0-dev
libofx Security fixes [CVE-2017-2816 CVE-2017-14731]
libxkbcommon libxkbcommon-x11-dev: add missing dependency on libxkbcommon-dev
libxsettings-client Add missing libxsettings-client-dev -> libxsettings-dev dependency
linux xen/time: do not decrease steal time after live migration on xen; new stable kernel version 4.9.65
live-config Configure autologin for KDE / Plasma live images
lxc Don't hardcode list of valid Debian releases, allowing the creation of containers for stable, buster, testing and unstable; don't insert C.* locales into /etc/locale.gen
mongodb Fix segfault/FTBFS on ARM64 with 48-bit virtual addresses, spidermonkey GC segfault when built with GCC 6; mongodb.service: start after network.target
openssh Test configuration before starting or reloading sshd under systemd; adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme; make -- before the hostname terminate argument processing after the hostname too
pdns Fix incorrect qname casing in NSEC3 generation; add missing check on API operations [CVE-2017-15091]
pdns-recursor Security fixes: insufficient validation of DNSSEC signatures [CVE-2017-15090]; Cross-Site Scripting in the web interface [CVE-2017-15092]; configuration file injection in the API [CVE-2017-15093]; memory leak in DNSSEC parsing [CVE-2017-15094]
postgresql-9.6 Upstream bugfix release
publicsuffix Update included data
pyosmium Upstream bugfix release: handler functions not called when using replication service or when using Reader instead of file
python-diff-match-patch Add missing python3 dependency on Python 3 package
python-inflect Fix Python 3 dependencies
python-tablib Safely load YAML [CVE-2017-2810]
python2.7 Fix integer overflow in PyString_DecodeEscape [CVE-2017-1000158]; support all groups in TLS communication
qtcurve Fix crashes by using strncmp() instead of memcmp()
ruby-httparty Relax dependency version in gem dependency on json
ruby-ox Avoid crash with invalid XML passed to Oj.parse_obj() [CVE-2017-15928]
ruby-pygments.rb Avoid closing too many files when mentos starts, which can cause build failures in other packages on slower systems
schroot Fix bash completion file; add systemd service file with Type=oneshot to avoid timeout issues with too many open sessions
simutrans Enable sound for simutrans again. Switch from SDL to mixer_sdl backend
sitesummary Adjust nagios kernel version checking module to work with 4.x kernels
slic3r Fix missing dependency on perlapi-*
spamassassin Disable bb.barracudacentral.org; update the systemd unit file to use the same pid file as was used in the sysvinit script; update systemd unit dependencies to include network and syslog; fix inappropriate invocation of invoke-rc.d in cron script
sqldeveloper-package Fix build failure
sqlite3 Fix heap-based buffer over-read via undersized RTree blobs [CVE-2017-10989]
syslinux Fix btrfs logical to physical block address mapping; fix boot problem for old BIOS firmware by correct C/H/S order; support ext4 64bit feature
tdbcodbc Fix bug in ODBC library search
tor Add Bastet directory authority; fix a timing-based assertion failure; update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2 country database
tzdata New upstream release
udftools Fix path to pktsetup in udftools init script
weechat logger: call strftime before replacing buffer local variables [CVE-2017-14727]
xml2 Fix corruption when dealing with UTF-8 files, usage string for 2csv tool
xrdp Fix high CPU load on SSL shutdown
zsh Rebuild to pull in updated libraries for zsh-static

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-3989 dnsmasq
DSA-3990 asterisk
DSA-3991 qemu
DSA-3992 curl
DSA-3993 tor
DSA-3994 nautilus
DSA-3995 libxfont
DSA-3996 ffmpeg
DSA-3997 wordpress
DSA-3998 nss
DSA-3999 wpa
DSA-4000 xorg-server
DSA-4001 yadifa
DSA-4003 libvirt
DSA-4004 jackson-databind
DSA-4006 mupdf
DSA-4007 curl
DSA-4008 wget
DSA-4009 shadowsocks-libev
DSA-4011 quagga
DSA-4013 openjpeg2
DSA-4014 thunderbird
DSA-4015 openjdk-8
DSA-4016 irssi
DSA-4017 openssl1.0
DSA-4018 openssl
DSA-4019 imagemagick
DSA-4020 chromium-browser
DSA-4021 otrs2
DSA-4023 slurm-llnl
DSA-4024 chromium-browser
DSA-4025 libpam4j
DSA-4026 bchunk
DSA-4028 postgresql-9.6
DSA-4029 postgresql-common
DSA-4030 roundcube
DSA-4031 ruby2.3
DSA-4032 imagemagick
DSA-4033 konversation
DSA-4034 varnish
DSA-4035 firefox-esr
DSA-4036 mediawiki
DSA-4037 jackson-databind
DSA-4038 shibboleth-sp2
DSA-4039 opensaml2
DSA-4041 procmail
DSA-4042 libxml-libxml-perl
DSA-4043 samba
DSA-4044 swauth
DSA-4045 vlc
DSA-4047 otrs2
DSA-4049 ffmpeg
DSA-4050 xen
DSA-4051 curl
DSA-4052 bzr
DSA-4053 exim4

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
libnet-ping-external-perl Unmaintained, security issues

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.


The complete lists of packages that have changed with this revision:


The current stable distribution:


Proposed updates to the stable distribution:


stable distribution information (release notes, errata etc.):


Security announcements and information:


About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.