Uppdaterad Debian 9; 9.4 utgiven

10 mars 2018

Debianprojektet presenterar stolt sin fjärde uppdatering till dess stabila utgåva Debian 9 (med kodnamnet stretch). Denna punktutgåva lägger huvudsakligen till rättningar för säkerhetsproblem, tillsammans med ytterligare rättningar för allvarliga problem. Säkerhetsbulletiner har redan publicerats separat och refereras när de finns tillgängliga.

Vänligen notera att punktutgåvan inte innebär en ny version av Debian 9 utan endast uppdaterar några av de inkluderade paketen. Det behövs inte kastas bort gamla media av stretch. Efter installationen kan paket uppgraderas till de aktuella versionerna genom att använda en uppdaterad Debianspegling..

Dom som frekvent installerar uppdateringar från security.debian.org kommer inte att behöva uppdatera många paket, och de flesta av sådana uppdateringar finns inkluderade i punktutgåvan.

Nya installationsavbildningar kommer snart att finnas tillgängliga på dom vanliga platserna.

En uppgradering av en existerande installation till denna revision kan utföras genom att peka pakethanteringssystemet på en av Debians många HTTP-speglingar. En utförlig lista på speglingar finns på:

https://www.debian.org/mirror/list

Blandade felrättningar

Denna uppdatering av den stabila utgåvan lägger till några viktiga felrättningar till följande paket:

Paket Orsak
acme-tiny Fix outdated version of the subscriber agreement
activity-log-manager Add missing dependency on python-zeitgeist
agenda.app Fix creation of tasks and appointments
apparmor Move the features file to /usr/share/apparmor-features; pin the AppArmor feature set to Stretch's kernel
auto-apt-proxy Move apt configuration away on removal, and put it back on reinstalls
bareos Fix backups failing with No Volume name given
base-files Update for the point release
cappuccino Add missing dependency on gir1.2-gtk-3.0
cerealizer Fix Python3 dependencies
clamav New upstream release; security update [CVE-2017-6418 CVE-2017-6420 CVE-2017-12374 CVE-2017-12375 CVE-2017-12376 CVE-2017-12377 CVE-2017-12378 CVE-2017-12379 CVE-2017-12380]
cron Properly transition system jobs to system_cronjob_t SELinux context and stop relying on refpolicy specific identifiers
cups Fix execution of arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding [CVE-2017-18190]
dbus New upstream release; raise file descriptor limit sooner, fixing a regression in local DoS fix
debian-edu-config Pre-configure Chromium Webbrowser system-wide to auto-detect the http proxy settings via WPAD; allow joining of Windows 10 clients to the Samba NT4-style domain
debian-installer Bump Linux kernel version from 4.9.0-4 to 4.9.0-6
debian-installer-netboot-images Update to 20170615+deb9u3 images, from stretch-proposed-updates
directfb Fix architecture-based filter to actually install drivers
dpdk Update to new stable point release
espeakup udeb: fix case where card 0 does not have an id or where cards have non-contiguous indexes; use English by default; use card id in installed system to avoid issues with card detection ordering
exam Fix Python3 dependencies
flatpak New upstream release; fix a D-Bus filtering bypass in flatpak-dbus-proxy; ignore unrecognised permission strings, instead of failing; do not allow legacy eavesdropping on the D-Bus session bus
fuse-zip Fix writeback fail with libzip 1.0
glade Fix possible infinite loop
glibc Do not update /etc/nsswitch.conf when its content already matches the default; debian/script.in/nohwcap.sh: always check for all optimized packages as multiarch allows one to install foreign architectures; avoid use-after-free read access in clntudp_call [CVE-2017-12133]; define collation for Malayalam chillu characters and correct collation of U+0D36 and U+0D37 Malayalam characters; fix invalid cast in group merging affecting ppc64 and s390x; fix compatibility with Intel C++ __regcall calling convention; install the libc-otherbuild postinst and postrm in the libc6-i686 transitional package, to make sure /etc/ld.so.nohwcap is correctly removed after an upgrade
global Gozilla: quote URLs before passing them to BROWSER [CVE-2017-17531]
gnumail Stop linking to OpenSSL
golang-github-go-ldap-ldap Require explicit intention for empty password
gosa-plugin-pwreset Fix deprecated constructor call
grilo-plugins Fix Radio France source
hdf5 Fix javahelper invocation
inputlirc Include input-event-codes.h instead of input.h, fixing build failure
intercal Recompile with PIE
java-atk-wrapper Fix iterator initialization; fix missing reference for children
kildclient Drop support for user-defined browsers [CVE-2017-17511]
libdate-holidays-de-perl Mark Reformation Day as a holiday in Hamburg and Schleswig-Holstein from 2018 onwards
libdatetime-timezone-perl New upstream version
libhibernate-validator-java Fix potential privilege escalation by circumventing security manager permissions [CVE-2017-7536]
libperlx-assert-perl Add missing dependencies on libkeyword-simple-perl, libdevel-declare-perl
libreoffice Let FunctionAccess execute WEBSERVICE; use the right error code on WEBSERVICE() failures
libvhdi Add missing Python3 dependency
libvirt QEMU: shared disks with cache=directsync should be safe for migration; avoid överbelastning reading from QEMU monitor [CVE-2018-5748]
linux New upstream version
lxc Fix the creation of testing and unstable containers by including iproute2 rather than iproute
mapproxy Fix Cross Site Scripting (XSS) issue in demo service [CVE-2017-1000426]
mosquitto Fix persistence file being world-readable [CVE-2017-9868]
mpi4py Support current version of libmpi
ncurses Fix buffertspill in the _nc_write_entry function [CVE-2017-16879]
needrestart Fix switching to list mode if debconf is run non-interactively
ntp Increase stack size to at least 32kB
nvidia-graphics-drivers-legacy-304xx New upstream release
nvidia-graphics-drivers-legacy-340xx New upstream release
nvidia-modprobe New upstream release; run setuid(0) before forking modprobe to preserve privileges through shell invocations and recursive modprobe calls
nvidia-persistenced New upstream release
nvidia-settings New upstream release; fix a bug that prevented changes to stereo eye assignment from getting applied from the nvidia-settings control panel
nvidia-xconfig New upstream release; fix a regression that prevented nvidia-xconfig from querying some GPUs, e.g. when running `nvidia-xconfig -a`
ocfs2-tools Migrate from using rcS to standard runlevels
opendmarc Update opendmarc service file so changes in opendmarc.conf are used
openssh Fix in read-only mode, sftp-server was incorrectly permitting creation of zero-length files [CVE-2017-15906]
osinfo-db Update included data
pdns-recursor Rebuild against publicsuffix 20171028.2055-0+deb9u1
postfix New upstream bugfix release; don't log warnings that some restriction returns OK, when the access map DISCARD feature is in effect; add missing dynamicmaps support in the Postfix sendmail command; fix sending to some sites with TLSA 2 X X records
postgresql-9.6 New upstream version
publicsuffix Update included data
python-evtx Fix missing Python3 dependency
python-hacking Fix Python3 dependencies
python-hkdf Fix Python3 dependencies
python-mimeparse Fix Python3 dependencies
python-pyperclip Fix Python3 dependencies
python-spake2 Fix Python3 dependencies
qtpass Fix insecure built-in password generator [CVE-2017-18021]
quota Prevent quotacheck from running into an endless loop
reportbug Don't send mail to secure-testing-team@lists.alioth.debian.org any more
rpy Rebuild against r-base 3.3
ruby-redis-store Allow unsafe objects to be loaded from redis [CVE-2017-1000248]
salt Fix katalogtraversering vulnerability on salt-master via crafted minion IDs [CVE-2017-12791], directory traversal vulnerability in minion id validation in SaltStack [CVE-2017-14695], remote överbelastning with a specially crafted authentication request [CVE-2017-14696]; check if data[return] is dict type
slic3r Patch use lib line in all installed binaries; workaround missing GL_MULTISAMPLE macro; fix importing binary STLs on big-endian architectures
soundtouch Security fixes [CVE-2017-9258 CVE-2017-9259 CVE-2017-9260]
systemd networkd: Handle MTU field in IPv6 RA; add a linker script to help prevent symbol collisions, particularly with PAM modules; resolved: Fix loop on packets with pseudo dns types [CVE-2017-15908]; machinectl: Don't output No machines. with --no-legend option
tzdata New upstream version
ust Fix loading of Python agent library
uwsgi Fix stack-based buffertspill in uwsgi_expand_path function [CVE-2018-6758]
vagrant Download boxes from app.vagrantcloud.com instead of the deprecated atlas.hashicorp.com
vdirsyncer Fix discovery of Google contacts
virt-what Unbreak virt detection on arm/aarch64
w3m Fix stack overflow [CVE-2018-6196], null deref [CVE-2018-6197], /tmp file races [CVE-2018-6198]
waagent New upstream version
webkit2gtk New upstream stable release
xchain Fix dependency on wish
xrdp Fix security issue [CVE-2017-16927]; fix high CPU load on ssl_tls_accept

Säkerhetsuppdateringar

Denna revision lägger till följande säkerhetsuppdateringar till den stabila utgåvan. Säkerhetsgruppen har redan givit ut bullentiner för var och en av dessa uppdateringar:

Bulletin-ID Paket
DSA-4054 tor
DSA-4055 heimdal
DSA-4056 nova
DSA-4057 erlang
DSA-4058 optipng
DSA-4059 libxcursor
DSA-4060 wireshark
DSA-4061 thunderbird
DSA-4062 firefox-esr
DSA-4063 pdns-recursor
DSA-4065 openssl1.0
DSA-4066 otrs2
DSA-4067 openafs
DSA-4068 rsync
DSA-4069 otrs2
DSA-4070 enigmail
DSA-4071 sensible-utils
DSA-4072 bouncycastle
DSA-4073 linux
DSA-4075 thunderbird
DSA-4076 asterisk
DSA-4077 gimp
DSA-4078 linux
DSA-4078 linux-latest
DSA-4079 poppler
DSA-4080 php7.0
DSA-4083 poco
DSA-4084 gifsicle
DSA-4086 libxml2
DSA-4087 transmission
DSA-4088 gdk-pixbuf
DSA-4089 bind9
DSA-4090 wordpress
DSA-4092 awstats
DSA-4093 openocd
DSA-4094 smarty3
DSA-4095 gcab
DSA-4096 firefox-esr
DSA-4097 poppler
DSA-4098 curl
DSA-4099 ffmpeg
DSA-4100 tiff
DSA-4101 wireshark
DSA-4102 thunderbird
DSA-4104 p7zip
DSA-4105 mpv
DSA-4106 libtasn1-6
DSA-4107 django-anymail
DSA-4108 mailman
DSA-4109 ruby-omniauth
DSA-4110 exim4
DSA-4111 libreoffice
DSA-4112 xen
DSA-4114 jackson-databind
DSA-4115 quagga
DSA-4116 plasma-workspace
DSA-4118 tomcat-native
DSA-4120 linux-latest
DSA-4120 linux
DSA-4121 gcc-6
DSA-4122 squid3
DSA-4123 drupal7
DSA-4124 lucene-solr
DSA-4125 wavpack
DSA-4126 xmltooling
DSA-4127 simplesamlphp
DSA-4128 trafficserver
DSA-4129 freexl
DSA-4130 dovecot
DSA-4131 xen
DSA-4132 libvpx

Borttagna paket

Följande paket har tagits bort på grund av omständigheter utom vår kontroll:

Paket Orsak
dolibarr Too much work to maintain it properly in Debian
electrum Security issues; broken due to upstream changes
jirc Broken with stretch's libpoe-filter-xml-perl
pgmodeler Incompatible with stretch's Postgresql
seelablet Abandoned upstream; broken

Debianinstalleraren

Installeraren har uppdaterats för att inkludera rättningarna som har inkluderats i den stabila utgåvan med denna punktutgåva.

URLer

Den fullständiga listan på paket som har förändrats i denna revision:

http://ftp.debian.org/debian/dists/stretch/ChangeLog

Den aktuella stabila utgåvan:

http://ftp.debian.org/debian/dists/stable/

Föreslagna uppdateringar till den stabila utgåvan:

http://ftp.debian.org/debian/dists/proposed-updates

Information om den stabila utgåvan (versionsfakta, kända problem osv.):

https://www.debian.org/releases/stable/

Säkerhetsbulletiner och information:

https://security.debian.org/

Om Debian

Debianprojektet är en grupp utvecklare av Fri mjukvara som donerar sin tid och kraft för att producera det helt fria operativsystemet Debian.

Kontaktinformation

För ytterligare information, vänligen besök Debians webbplats på https://www.debian.org/, skicka e-post till <press@debian.org>, eller kontakta gruppen för stabila utgåvor på <debian-release@lists.debian.org>.