Uppdaterad Debian 9; 9.4 utgiven

10 mars 2018

Debianprojektet presenterar stolt sin fjärde uppdatering till dess stabila utgåva Debian 9 (med kodnamnet stretch). Denna punktutgåva lägger huvudsakligen till rättningar för säkerhetsproblem, tillsammans med ytterligare rättningar för allvarliga problem. Säkerhetsbulletiner har redan publicerats separat och refereras när de finns tillgängliga.

Vänligen notera att punktutgåvan inte innebär en ny version av Debian 9 utan endast uppdaterar några av de inkluderade paketen. Det behövs inte kastas bort gamla media av stretch. Efter installationen kan paket uppgraderas till de aktuella versionerna genom att använda en uppdaterad Debianspegling..

De som frekvent installerar uppdateringar från security.debian.org kommer inte att behöva uppdatera många paket, och de flesta av sådana uppdateringar finns inkluderade i punktutgåvan.

Nya installationsavbildningar kommer snart att finnas tillgängliga på de vanliga platserna.

En uppgradering av en existerande installation till denna revision kan utföras genom att peka pakethanteringssystemet på en av Debians många HTTP-speglingar. En utförlig lista på speglingar finns på:

https://www.debian.org/mirror/list

Blandade felrättningar

Denna uppdatering av den stabila utgåvan lägger till några viktiga felrättningar till följande paket:

Paket	Orsak
acme-tiny	Fix outdated version of the subscriber agreement
activity-log-manager	Add missing dependency on python-zeitgeist
agenda.app	Fix creation of tasks and appointments
apparmor	Move the features file to /usr/share/apparmor-features; pin the AppArmor feature set to Stretch's kernel
auto-apt-proxy	Move apt configuration away on removal, and put it back on reinstalls
bareos	Fix backups failing with No Volume name given
base-files	Update for the point release
cappuccino	Add missing dependency on gir1.2-gtk-3.0
cerealizer	Fix Python3 dependencies
clamav	New upstream release; security update [CVE-2017-6418 CVE-2017-6420 CVE-2017-12374 CVE-2017-12375 CVE-2017-12376 CVE-2017-12377 CVE-2017-12378 CVE-2017-12379 CVE-2017-12380]
cron	Properly transition system jobs to system_cronjob_t SELinux context and stop relying on refpolicy specific identifiers
cups	Fix execution of arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding [CVE-2017-18190]
dbus	New upstream release; raise file descriptor limit sooner, fixing a regression in local DoS fix
debian-edu-config	Pre-configure Chromium Webbrowser system-wide to auto-detect the http proxy settings via WPAD; allow joining of Windows 10 clients to the Samba NT4-style domain
debian-installer	Bump Linux kernel version from 4.9.0-4 to 4.9.0-6
debian-installer-netboot-images	Update to 20170615+deb9u3 images, from stretch-proposed-updates
directfb	Fix architecture-based filter to actually install drivers
dpdk	Update to new stable point release
espeakup	udeb: fix case where card 0 does not have an id or where cards have non-contiguous indexes; use English by default; use card id in installed system to avoid issues with card detection ordering
exam	Fix Python3 dependencies
flatpak	New upstream release; fix a D-Bus filtering bypass in flatpak-dbus-proxy; ignore unrecognised permission strings, instead of failing; do not allow legacy eavesdropping on the D-Bus session bus
fuse-zip	Fix writeback fail with libzip 1.0
glade	Fix possible infinite loop
glibc	Do not update /etc/nsswitch.conf when its content already matches the default; debian/script.in/nohwcap.sh: always check for all optimized packages as multiarch allows one to install foreign architectures; avoid use-after-free read access in clntudp_call [CVE-2017-12133]; define collation for Malayalam chillu characters and correct collation of U+0D36 and U+0D37 Malayalam characters; fix invalid cast in group merging affecting ppc64 and s390x; fix compatibility with Intel C++ __regcall calling convention; install the libc-otherbuild postinst and postrm in the libc6-i686 transitional package, to make sure /etc/ld.so.nohwcap is correctly removed after an upgrade
global	Gozilla: quote URLs before passing them to BROWSER [CVE-2017-17531]
gnumail	Stop linking to OpenSSL
golang-github-go-ldap-ldap	Require explicit intention for empty password
gosa-plugin-pwreset	Fix deprecated constructor call
grilo-plugins	Fix Radio France source
hdf5	Fix javahelper invocation
inputlirc	Include input-event-codes.h instead of input.h, fixing build failure
intercal	Recompile with PIE
java-atk-wrapper	Fix iterator initialization; fix missing reference for children
kildclient	Drop support for user-defined browsers [CVE-2017-17511]
libdate-holidays-de-perl	Mark Reformation Day as a holiday in Hamburg and Schleswig-Holstein from 2018 onwards
libdatetime-timezone-perl	New upstream version
libhibernate-validator-java	Fix potential privilege escalation by circumventing security manager permissions [CVE-2017-7536]
libperlx-assert-perl	Add missing dependencies on libkeyword-simple-perl, libdevel-declare-perl
libreoffice	Let FunctionAccess execute WEBSERVICE; use the right error code on WEBSERVICE() failures
libvhdi	Add missing Python3 dependency
libvirt	QEMU: shared disks with cache=directsync should be safe for migration; avoid överbelastning reading from QEMU monitor [CVE-2018-5748]
linux	New upstream version
lxc	Fix the creation of testing and unstable containers by including iproute2 rather than iproute
mapproxy	Fix Cross Site Scripting (XSS) issue in demo service [CVE-2017-1000426]
mosquitto	Fix persistence file being world-readable [CVE-2017-9868]
mpi4py	Support current version of libmpi
ncurses	Fix buffertspill in the _nc_write_entry function [CVE-2017-16879]
needrestart	Fix switching to list mode if debconf is run non-interactively
ntp	Increase stack size to at least 32kB
nvidia-graphics-drivers-legacy-304xx	New upstream release
nvidia-graphics-drivers-legacy-340xx	New upstream release
nvidia-modprobe	New upstream release; run setuid(0) before forking modprobe to preserve privileges through shell invocations and recursive modprobe calls
nvidia-persistenced	New upstream release
nvidia-settings	New upstream release; fix a bug that prevented changes to stereo eye assignment from getting applied from the nvidia-settings control panel
nvidia-xconfig	New upstream release; fix a regression that prevented nvidia-xconfig from querying some GPUs, e.g. when running `nvidia-xconfig -a`
ocfs2-tools	Migrate from using rcS to standard runlevels
opendmarc	Update opendmarc service file so changes in opendmarc.conf are used
openssh	Fix in read-only mode, sftp-server was incorrectly permitting creation of zero-length files [CVE-2017-15906]
osinfo-db	Update included data
pdns-recursor	Rebuild against publicsuffix 20171028.2055-0+deb9u1
postfix	New upstream bugfix release; don't log warnings that some restriction returns OK, when the access map DISCARD feature is in effect; add missing dynamicmaps support in the Postfix sendmail command; fix sending to some sites with TLSA 2 X X records
postgresql-9.6	New upstream version
publicsuffix	Update included data
python-evtx	Fix missing Python3 dependency
python-hacking	Fix Python3 dependencies
python-hkdf	Fix Python3 dependencies
python-mimeparse	Fix Python3 dependencies
python-pyperclip	Fix Python3 dependencies
python-spake2	Fix Python3 dependencies
qtpass	Fix insecure built-in password generator [CVE-2017-18021]
quota	Prevent quotacheck from running into an endless loop
reportbug	Don't send mail to secure-testing-team@lists.alioth.debian.org any more
rpy	Rebuild against r-base 3.3
ruby-redis-store	Allow unsafe objects to be loaded from redis [CVE-2017-1000248]
salt	Fix katalogtraversering vulnerability on salt-master via crafted minion IDs [CVE-2017-12791], directory traversal vulnerability in minion id validation in SaltStack [CVE-2017-14695], remote överbelastning with a specially crafted authentication request [CVE-2017-14696]; check if data[return] is dict type
slic3r	Patch use lib line in all installed binaries; workaround missing GL_MULTISAMPLE macro; fix importing binary STLs on big-endian architectures
soundtouch	Security fixes [CVE-2017-9258 CVE-2017-9259 CVE-2017-9260]
systemd	networkd: Handle MTU field in IPv6 RA; add a linker script to help prevent symbol collisions, particularly with PAM modules; resolved: Fix loop on packets with pseudo dns types [CVE-2017-15908]; machinectl: Don't output No machines. with --no-legend option
tzdata	New upstream version
ust	Fix loading of Python agent library
uwsgi	Fix stack-based buffertspill in uwsgi_expand_path function [CVE-2018-6758]
vagrant	Download boxes from app.vagrantcloud.com instead of the deprecated atlas.hashicorp.com
vdirsyncer	Fix discovery of Google contacts
virt-what	Unbreak virt detection on arm/aarch64
w3m	Fix stack overflow [CVE-2018-6196], null deref [CVE-2018-6197], /tmp file races [CVE-2018-6198]
waagent	New upstream version
webkit2gtk	New upstream stable release
xchain	Fix dependency on wish
xrdp	Fix security issue [CVE-2017-16927]; fix high CPU load on ssl_tls_accept

Säkerhetsuppdateringar

Denna revision lägger till följande säkerhetsuppdateringar till den stabila utgåvan. Säkerhetsgruppen har redan givit ut bullentiner för var och en av dessa uppdateringar:

Bulletin-ID	Paket
DSA-4054	tor
DSA-4055	heimdal
DSA-4056	nova
DSA-4057	erlang
DSA-4058	optipng
DSA-4059	libxcursor
DSA-4060	wireshark
DSA-4061	thunderbird
DSA-4062	firefox-esr
DSA-4063	pdns-recursor
DSA-4065	openssl1.0
DSA-4066	otrs2
DSA-4067	openafs
DSA-4068	rsync
DSA-4069	otrs2
DSA-4070	enigmail
DSA-4071	sensible-utils
DSA-4072	bouncycastle
DSA-4073	linux
DSA-4075	thunderbird
DSA-4076	asterisk
DSA-4077	gimp
DSA-4078	linux
DSA-4078	linux-latest
DSA-4079	poppler
DSA-4080	php7.0
DSA-4083	poco
DSA-4084	gifsicle
DSA-4086	libxml2
DSA-4087	transmission
DSA-4088	gdk-pixbuf
DSA-4089	bind9
DSA-4090	wordpress
DSA-4092	awstats
DSA-4093	openocd
DSA-4094	smarty3
DSA-4095	gcab
DSA-4096	firefox-esr
DSA-4097	poppler
DSA-4098	curl
DSA-4099	ffmpeg
DSA-4100	tiff
DSA-4101	wireshark
DSA-4102	thunderbird
DSA-4104	p7zip
DSA-4105	mpv
DSA-4106	libtasn1-6
DSA-4107	django-anymail
DSA-4108	mailman
DSA-4109	ruby-omniauth
DSA-4110	exim4
DSA-4111	libreoffice
DSA-4112	xen
DSA-4114	jackson-databind
DSA-4115	quagga
DSA-4116	plasma-workspace
DSA-4118	tomcat-native
DSA-4120	linux-latest
DSA-4120	linux
DSA-4121	gcc-6
DSA-4122	squid3
DSA-4123	drupal7
DSA-4124	lucene-solr
DSA-4125	wavpack
DSA-4126	xmltooling
DSA-4127	simplesamlphp
DSA-4128	trafficserver
DSA-4129	freexl
DSA-4130	dovecot
DSA-4131	xen
DSA-4132	libvpx

Borttagna paket

Följande paket har tagits bort på grund av omständigheter utom vår kontroll:

Paket	Orsak
dolibarr	Too much work to maintain it properly in Debian
electrum	Security issues; broken due to upstream changes
jirc	Broken with stretch's libpoe-filter-xml-perl
pgmodeler	Incompatible with stretch's Postgresql
seelablet	Abandoned upstream; broken

Debianinstalleraren

Installeraren har uppdaterats för att inkludera rättningarna som har inkluderats i den stabila utgåvan med denna punktutgåva.

URLer

Den fullständiga listan på paket som har förändrats i denna revision:

http://ftp.debian.org/debian/dists/stretch/ChangeLog

Den aktuella stabila utgåvan:

http://ftp.debian.org/debian/dists/stable/

Föreslagna uppdateringar till den stabila utgåvan:

http://ftp.debian.org/debian/dists/proposed-updates

Information om den stabila utgåvan (versionsfakta, kända problem osv.):

https://www.debian.org/releases/stable/

Säkerhetsbulletiner och information:

https://www.debian.org/security/

Om Debian

Debianprojektet är en grupp utvecklare av Fri mjukvara som donerar sin tid och kraft för att producera det helt fria operativsystemet Debian.

Kontaktinformation

För ytterligare information, vänligen besök Debians webbplats på https://www.debian.org/, skicka e-post till <press@debian.org>, eller kontakta gruppen för stabila utgåvor på <debian-release@lists.debian.org>.