Updated Debian 9: 9.4 released

March 10th, 2018

The Debian project is pleased to announce the fourth update of its stable distribution Debian 9 (codename stretch). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that this point release does not constitute a new version of Debian 9; it only updates some of the packages included. There is no need to throw away old stretch installation media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org will not have to update many packages, since most of those updates are already included in this point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:
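As an added example (not part of the Debian announcement), the following POSIX shell script shows the minimal sources.list a stretch system needs so that apt picks up both the point release and the security archive, and a check of the resulting /etc/debian_version. The mirror hostname deb.debian.org is an assumption; substitute a mirror from the list above. The apply_point_release function is not invoked automatically, since it needs root and network access; the other two functions run offline.

```shell
#!/bin/sh
# Added example for upgrading a stretch system to the 9.4 point release.
# Not code from the Debian announcement; deb.debian.org is an assumed mirror.

# Minimal sources.list for stretch. Keeping the security.debian.org line is
# what makes "apt-get upgrade" pick up DSAs between point releases; the
# point release itself arrives through the plain "stretch" suite.
stretch_sources_list() {
    mirror="${1:-deb.debian.org}"   # assumption; pick one from the mirror list
    printf '%s\n' \
        "deb http://$mirror/debian stretch main" \
        "deb http://$mirror/debian stretch-updates main" \
        "deb http://security.debian.org/debian-security stretch/updates main"
}

# Return 0 if a /etc/debian_version string (MAJOR.MINOR) is at least
# the requested MAJOR.MINOR. Non-numeric strings such as "buster/sid"
# (what testing reports) are treated as not matching.
debian_version_is_at_least() {
    v="$1" want_major="$2" want_minor="$3"
    case "$v" in
        *.*) major="${v%%.*}"; minor="${v#*.}" ;;
        *)   major="$v"; minor=0 ;;
    esac
    case "$major$minor" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$major" -gt "$want_major" ]; then return 0; fi
    if [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ]; then return 0; fi
    return 1
}

# Apply the point release. Not called below; run as root on the target host.
apply_point_release() {
    apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y
}

# Verify the result on a real system:
#   debian_version_is_at_least "$(cat /etc/debian_version)" 9 4 && echo "stretch 9.4 or later"
```

The version check is deliberately strict about the file format: a host still on testing, or one whose /etc/debian_version has been hand-edited, fails the check rather than being reported as up to date.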

Package Reason
acme-tiny Fix outdated subscriber agreement
activity-log-manager Add missing dependency on python-zeitgeist
agenda.app Fix creation of tasks and meetings
apparmor Move the features file to /usr/share/apparmor-features; pin AppArmor's feature set to the stretch kernel
auto-apt-proxy Move the configuration file aside on package removal and back on reinstall
bareos Fix backups failing with "No Volume name given"
base-files Update for the point release
cappuccino Add missing dependency on gir1.2-gtk-3.0
cerealizer Fix Python3 dependency
clamav New upstream release; security fixes [CVE-2017-6418 CVE-2017-6420 CVE-2017-12374 CVE-2017-12375 CVE-2017-12376 CVE-2017-12377 CVE-2017-12378 CVE-2017-12379 CVE-2017-12380]
cron Properly transition system jobs to the system_cronjob_t SELinux context and stop relying on refpolicy-specific identifiers
cups Fix execution of arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding [CVE-2017-18190]
dbus New upstream release; raise the file descriptor limit sooner, fixing a regression in the local DoS fix
debian-edu-config Pre-configure the Chromium web browser system-wide to auto-detect HTTP proxy settings via WPAD; allow joining of Windows 10 clients to the Samba NT4-style domain
debian-installer Bump the Linux kernel ABI version from 4.9.0-4 to 4.9.0-6
debian-installer-netboot-images Update to 20170615+deb9u3 images, from stretch-proposed-updates
directfb Fix architecture-based filter to actually install drivers
dpdk Update to new stable point release
espeakup udeb: fix the case where card 0 does not have an id or where cards have non-contiguous indexes; use English by default; use the card id in the installed system to avoid issues with card detection ordering
exam Fix Python3 dependency
flatpak New upstream release; fix a D-Bus filtering bypass in flatpak-dbus-proxy; ignore unrecognised permission strings instead of failing; do not allow legacy eavesdropping on the D-Bus session bus
fuse-zip Fix writeback failure with libzip 1.0
glade Fix possible infinite loop
glibc Do not update /etc/nsswitch.conf when its content already matches the default; debian/script.in/nohwcap.sh: always check for all optimized packages, as multiarch allows one to install foreign architectures; avoid use-after-free read access in clntudp_call [CVE-2017-12133]; define collation for Malayalam chillu characters and correct collation of U+0D36 and U+0D37 Malayalam characters; fix invalid cast in group merging affecting ppc64 and s390x; fix compatibility with the Intel C++ __regcall calling convention; install the libc-otherbuild postinst and postrm in the libc6-i686 transitional package, to make sure /etc/ld.so.nohwcap is correctly removed after an upgrade
global Gozilla: quote URLs before passing them to BROWSER [CVE-2017-17531]
gnumail No longer link against OpenSSL
golang-github-go-ldap-ldap Require explicit intention for an empty password
gosa-plugin-pwreset Fix deprecated constructor call
grilo-plugins Fix Radio France source
hdf5 Fix javahelper invocation
inputlirc Include input-event-codes.h instead of input.h, fixing a build failure
intercal Rebuild with PIE
java-atk-wrapper Fix iterator initialization; fix missing reference for children
kildclient Drop support for user-defined browsers [CVE-2017-17511]
libdate-holidays-de-perl Mark Reformation Day as a holiday in Hamburg and Schleswig-Holstein from 2018 onwards
libdatetime-timezone-perl New upstream release
libhibernate-validator-java Fix potential privilege escalation by circumventing security manager permissions [CVE-2017-7536]
libperlx-assert-perl Add missing dependencies on libkeyword-simple-perl and libdevel-declare-perl
libreoffice Let FunctionAccess execute WEBSERVICE; use the right error code on WEBSERVICE() failures
libvhdi Add missing Python3 dependency
libvirt QEMU: shared disks with cache=directsync should be safe for migration; avoid denial of service when reading from the QEMU monitor [CVE-2018-5748]
linux New upstream release
lxc Fix the creation of testing and unstable containers by including iproute2 rather than iproute
mapproxy Fix Cross Site Scripting (XSS) issue in the demo service [CVE-2017-1000426]
mosquitto Fix persistence file being world-readable [CVE-2017-9868]
mpi4py Support current version of libmpi
ncurses Fix buffer overflow in the _nc_write_entry function [CVE-2017-16879]
needrestart Fix switching to list mode if debconf is run non-interactively
ntp Increase stack size to at least 32kB
nvidia-graphics-drivers-legacy-304xx New upstream release
nvidia-graphics-drivers-legacy-340xx New upstream release
nvidia-modprobe New upstream release; run setuid(0) before forking modprobe to preserve privileges through shell invocations and recursive modprobe calls
nvidia-persistenced New upstream release
nvidia-settings New upstream release; fix a bug that prevented changes to stereo eye assignment from being applied from the nvidia-settings control panel
nvidia-xconfig New upstream release; fix a regression that prevented nvidia-xconfig from querying some GPUs, e.g. when running `nvidia-xconfig -a`
ocfs2-tools Migrate from using rcS to standard runlevels
opendmarc Update the opendmarc service file so that changes in opendmarc.conf are used
openssh Fix sftp-server incorrectly permitting creation of zero-length files in read-only mode [CVE-2017-15906]
osinfo-db Update included data
pdns-recursor Rebuild against publicsuffix 20171028.2055-0+deb9u1
postfix New upstream bugfix release; don't log warnings that some restriction returns OK when the access map DISCARD feature is in effect; add missing dynamicmaps support in the Postfix sendmail command; fix sending to some sites with TLSA 2 X X records
postgresql-9.6 New upstream release
publicsuffix Update included data
python-evtx Fix missing Python3 dependency
python-hacking Fix Python3 dependency
python-hkdf Fix Python3 dependency
python-mimeparse Fix Python3 dependency
python-pyperclip Fix Python3 dependency
python-spake2 Fix Python3 dependency
qtpass Fix insecure built-in password generator [CVE-2017-18021]
quota Prevent quotacheck from running into an endless loop
reportbug Do not send mail to secure-testing-team@lists.alioth.debian.org
rpy Rebuild for r-base 3.3
ruby-redis-store Prevent unsafe objects from being loaded from redis [CVE-2017-1000248]
salt Fix directory traversal vulnerability on salt-master via crafted minion IDs [CVE-2017-12791], directory traversal vulnerability in minion id validation in SaltStack [CVE-2017-14695], and remote denial of service with a specially crafted authentication request [CVE-2017-14696]; check that data[return] is of dict type
slic3r Patch the "use lib" line in all installed binaries; work around missing GL_MULTISAMPLE macro; fix importing binary STLs on big-endian architectures
soundtouch Security fixes [CVE-2017-9258 CVE-2017-9259 CVE-2017-9260]
systemd networkd: handle MTU field in IPv6 RA; add a linker script to help prevent symbol collisions, particularly with PAM modules; resolved: fix loop on packets with pseudo DNS types [CVE-2017-15908]; machinectl: don't output "No machines." with the --no-legend option
tzdata New upstream release
ust Fix loading of the Python agent library
uwsgi Fix stack-based buffer overflow in the uwsgi_expand_path function [CVE-2018-6758]
vagrant Download boxes from app.vagrantcloud.com instead of the deprecated atlas.hashicorp.com
vdirsyncer Fix Google contacts autodiscovery
virt-what Unbreak virt detection on arm/aarch64
w3m Fix stack overflow [CVE-2018-6196], NULL pointer dereference [CVE-2018-6197], and /tmp file clobbering [CVE-2018-6198]
waagent New upstream release
webkit2gtk New upstream stable release
xchain Fix dependency on wish
xrdp Fix security issue [CVE-2017-16927]; fix high CPU usage in ssl_tls_accept

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-4054 tor
DSA-4055 heimdal
DSA-4056 nova
DSA-4057 erlang
DSA-4058 optipng
DSA-4059 libxcursor
DSA-4060 wireshark
DSA-4061 thunderbird
DSA-4062 firefox-esr
DSA-4063 pdns-recursor
DSA-4065 openssl1.0
DSA-4066 otrs2
DSA-4067 openafs
DSA-4068 rsync
DSA-4069 otrs2
DSA-4070 enigmail
DSA-4071 sensible-utils
DSA-4072 bouncycastle
DSA-4073 linux
DSA-4075 thunderbird
DSA-4076 asterisk
DSA-4077 gimp
DSA-4078 linux
DSA-4078 linux-latest
DSA-4079 poppler
DSA-4080 php7.0
DSA-4083 poco
DSA-4084 gifsicle
DSA-4086 libxml2
DSA-4087 transmission
DSA-4088 gdk-pixbuf
DSA-4089 bind9
DSA-4090 wordpress
DSA-4092 awstats
DSA-4093 openocd
DSA-4094 smarty3
DSA-4095 gcab
DSA-4096 firefox-esr
DSA-4097 poppler
DSA-4098 curl
DSA-4099 ffmpeg
DSA-4100 tiff
DSA-4101 wireshark
DSA-4102 thunderbird
DSA-4104 p7zip
DSA-4105 mpv
DSA-4106 libtasn1-6
DSA-4107 django-anymail
DSA-4108 mailman
DSA-4109 ruby-omniauth
DSA-4110 exim4
DSA-4111 libreoffice
DSA-4112 xen
DSA-4114 jackson-databind
DSA-4115 quagga
DSA-4116 plasma-workspace
DSA-4118 tomcat-native
DSA-4120 linux-latest
DSA-4120 linux
DSA-4121 gcc-6
DSA-4122 squid3
DSA-4123 drupal7
DSA-4124 lucene-solr
DSA-4125 wavpack
DSA-4126 xmltooling
DSA-4127 simplesamlphp
DSA-4128 trafficserver
DSA-4129 freexl
DSA-4130 dovecot
DSA-4131 xen
DSA-4132 libvpx

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
dolibarr Too much work to maintain in Debian
electrum Security issues; broken by upstream changes
jirc Incompatible with libpoe-filter-xml-perl in stretch
pgmodeler Incompatible with PostgreSQL in stretch
seelablet Abandoned upstream; broken

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete list of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/stretch/ChangeLog

The current stable distribution:

http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates

Stable distribution information (release notes, errata, etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.