Updated Debian 9: 9.3 released

December 9th, 2017

The Debian project is pleased to announce the third update of its stable distribution Debian 9 (codename stretch). This point release mainly adds corrections for security problems, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included. There is no need to throw away old stretch installation media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package Reason
abiword Fix flickering
base-files Update for the point release
berusky Fix startup crash with certain video card configurations
charmtimetracker Add missing binary dependency on libqt5sql5-sqlite
corebird Increase maximum tweet length to 280 characters
dbus When parsing dbus-daemon configuration, don't delay startup if high-quality entropy is not yet available; when using the Monitoring interface, match message filters that specify a destination correctly; increase listen() backlog of AF_UNIX sockets to the maximum possible, minimizing failed connections under heavy load
debian-edu-doc Merge stretch related documentation and translation updates from unstable and the wiki; documentation/common/edu.css.xml: improve HTML manual readability
debian-installer Rebuild for the point release
dehydrated Update subscriber license agreement URL
doit Add Breaks: nikola (<< 7.6.0-1~) to ensure its removal on upgrades from jessie
eclipse-titan Rebuild against current stretch GCC
fig2dev Add input sanitisation on FIG files [CVE-2017-16899]; sanitize input of fill patterns
flickcurl Fix oauth token fetching; prevent double free corruption during authentication
flightgear Prevent malicious add-ons from overriding arbitrary files [CVE-2017-13709]
ganeti Backport upstream support for non-DSA SSH keys; fix failover from dead nodes when using extstorage; fix instance import/export/move with current socat versions
gdm3 Backport several patches to fix XDMCP support
getmail4 Fix issue related to malformed fingerprints
grok Fix pointer aliasing bug; libgrok-dev: add missing dependencies on libgrok1 and libtokyocabinet-dev
gunicorn Drop unnecessary Pre-Depends on dpkg-dev which was causing gunicorn and python-gunicorn to bring in a compiler as a dependency
icu Fix double free in createMetazoneMappings() [CVE-2017-14952]
inn2 [i386] Rebuild to pick up correct path to gzip binary
iproute2 Fix segfault in tc with iptables 1.6
jdcal Fix Python 3 dependencies
kde-gtk-config Fix preview buttons in KDE-GTK-config UI
lasi liblasi-dev: add missing dependencies on libpango1.0-dev and libfreetype6-dev
libdatetime-timezone-perl Update included data
libdbd-firebird-perl Fix fetching of decimal(x,y) values between -1 and 0
libdbi Re-enable error handler call in dbi_result_next_row()
liblog-log4perl-perl Work around Perl 5.24 no longer allowing syswrite and utf8 together
liblouis Fix buffer overflow and use-after-free issues [CVE-2017-13738 CVE-2017-13739 CVE-2017-13740 CVE-2017-13741 CVE-2017-13742 CVE-2017-13743 CVE-2017-13744]
libmpd libmpd-dev: Add the missing dependency on libglib2.0-dev
libofx Security fixes [CVE-2017-2816 CVE-2017-14731]
libxkbcommon libxkbcommon-x11-dev: add missing dependency on libxkbcommon-dev
libxsettings-client Add missing dependency libxsettings-client-dev -> libxsettings-dev
linux xen/time: do not decrease steal time after live migration on xen; new stable kernel version 4.9.65
live-config Configure autologin for KDE / Plasma live images
lxc Don't hardcode list of valid Debian releases, allowing the creation of containers for stable, buster, testing and unstable; don't insert C.* locales into /etc/locale.gen
mongodb Fix segfault/FTBFS on ARM64 with 48-bit virtual addresses, spidermonkey GC segfault when built with GCC 6; mongodb.service: start after network.target
openssh Test configuration before starting or reloading sshd under systemd; adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme; make -- before the hostname terminate argument processing after the hostname too
pdns Fix incorrect qname casing in NSEC3 generation; add missing check on API operations [CVE-2017-15091]
pdns-recursor Security fixes: insufficient validation of DNSSEC signatures [CVE-2017-15090]; Cross-Site Scripting in the web interface [CVE-2017-15092]; configuration file injection in the API [CVE-2017-15093]; memory leak in DNSSEC parsing [CVE-2017-15094]
postgresql-9.6 New upstream bugfix release
publicsuffix Update included data
pyosmium Upstream bugfix release: handler functions not called when using replication service or when using Reader instead of file
python-diff-match-patch Add missing python3 dependency on Python 3 package
python-inflect Fix Python 3 dependencies
python-tablib Load YAML safely [CVE-2017-2810]
python2.7 Fix integer overflow in PyString_DecodeEscape [CVE-2017-1000158]; support all groups in TLS communication
qtcurve Fix crashes by using strncmp() instead of memcmp()
ruby-httparty Relax dependency version in gem dependency on json
ruby-ox Avoid crash with invalid XML passed to Oj.parse_obj() [CVE-2017-15928]
ruby-pygments.rb Avoid closing too many files when mentos starts, which can cause build failures in other packages on slower systems
schroot Fix bash completion file; add systemd service file with Type=oneshot to avoid timeout issues with too many open sessions
simutrans Enable sound for simutrans again. Switch from SDL to mixer_sdl backend
sitesummary Adjust nagios kernel version checking module to work with 4.x kernels
slic3r Fix missing dependency on perlapi-*
spamassassin Disable bb.barracudacentral.org; update the systemd unit file to use the same pid file as was used in the sysvinit script; update systemd unit dependencies to include network and syslog; fix inappropriate invocation of invoke-rc.d in cron script
sqldeveloper-package Fix build failure
sqlite3 Fix heap-based buffer over-read via undersized RTree blobs [CVE-2017-10989]
syslinux Fix btrfs logical to physical block address mapping; fix boot problem for old BIOS firmware by correct C/H/S order; support ext4 64bit feature
tdbcodbc Fix issue in search for the ODBC library
tor Add Bastet directory authority; fix a timing-based assertion failure; update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2 country database
tzdata New upstream release
udftools Fix path to pktsetup in udftools init script
weechat logger: call strftime before replacing buffer local variables [CVE-2017-14727]
xml2 Fix file corruption when handling UTF-8 files; update usage string of the 2csv tool
xrdp Fix high CPU load on SSL shutdown
zsh Rebuild to update libraries for zsh-static

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-3989 dnsmasq
DSA-3990 asterisk
DSA-3991 qemu
DSA-3992 curl
DSA-3993 tor
DSA-3994 nautilus
DSA-3995 libxfont
DSA-3996 ffmpeg
DSA-3997 wordpress
DSA-3998 nss
DSA-3999 wpa
DSA-4000 xorg-server
DSA-4001 yadifa
DSA-4003 libvirt
DSA-4004 jackson-databind
DSA-4006 mupdf
DSA-4007 curl
DSA-4008 wget
DSA-4009 shadowsocks-libev
DSA-4011 quagga
DSA-4013 openjpeg2
DSA-4014 thunderbird
DSA-4015 openjdk-8
DSA-4016 irssi
DSA-4017 openssl1.0
DSA-4018 openssl
DSA-4019 imagemagick
DSA-4020 chromium-browser
DSA-4021 otrs2
DSA-4023 slurm-llnl
DSA-4024 chromium-browser
DSA-4025 libpam4j
DSA-4026 bchunk
DSA-4028 postgresql-9.6
DSA-4029 postgresql-common
DSA-4030 roundcube
DSA-4031 ruby2.3
DSA-4032 imagemagick
DSA-4033 konversation
DSA-4034 varnish
DSA-4035 firefox-esr
DSA-4036 mediawiki
DSA-4037 jackson-databind
DSA-4038 shibboleth-sp2
DSA-4039 opensaml2
DSA-4041 procmail
DSA-4042 libxml-libxml-perl
DSA-4043 samba
DSA-4044 swauth
DSA-4045 vlc
DSA-4047 otrs2
DSA-4049 ffmpeg
DSA-4050 xen
DSA-4051 curl
DSA-4052 bzr
DSA-4053 exim4

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
libnet-ping-external-perl Unmaintained, security issues

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/stretch/ChangeLog

The current stable distribution:

http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates

Stable distribution information (release notes, errata, etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

https://security.debian.org/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.