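Updated Debian 9: 9.4 released
March 10th, 2018
The Debian project is pleased to announce the fourth update of its stable distribution Debian 9 (codename stretch). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems.
Security advisories have already been published separately and are referenced where available.
Please note that this update does not constitute a new version of Debian 9 but only updates some of the packages included. There is no need to throw away old stretch installation media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, as most updates from security.debian.org are included in this update.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
acme-tiny | Fix outdated subscriber agreement |
activity-log-manager | Add missing dependency on python-zeitgeist |
agenda.app | Fix creation of tasks and meetings |
apparmor | Move the features file to /usr/share/apparmor-features; match the AppArmor feature set to the Stretch kernel |
auto-apt-proxy | Move the configuration file away when the package is removed, and move it back on reinstallation |
bareos | Fix backups failing with "No Volume name given" |
base-files | Provide files for the point release |
cappuccino | Add missing dependency on gir1.2-gtk-3.0 |
cerealizer | Fix Python3 dependencies |
clamav | New upstream release; security update [CVE-2017-6418 CVE-2017-6420 CVE-2017-12374 CVE-2017-12375 CVE-2017-12376 CVE-2017-12377 CVE-2017-12378 CVE-2017-12379 CVE-2017-12380] |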
cron | Properly transition system jobs to system_cronjob_t SELinux context and stop relying on refpolicy specific identifiers |
cups | Fix execution of arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding [CVE-2017-18190] |
dbus | New upstream release; raise file descriptor limit sooner, fixing a regression in local DoS fix |
debian-edu-config | Pre-configure Chromium Webbrowser system-wide to auto-detect the http proxy settings via WPAD; allow joining of Windows 10 clients to the Samba NT4-style domain |
debian-installer | Bump Linux kernel version from 4.9.0-4 to 4.9.0-6 |
debian-installer-netboot-images | Update to 20170615+deb9u3 images, from stretch-proposed-updates |
directfb | Fix architecture-based filter to actually install drivers |
dpdk | Update to new stable point release |
espeakup | udeb: fix case where card 0 does not have an id or where cards have non-contiguous indexes; use English by default; use card id in installed system to avoid issues with card detection ordering |
exam | Fix Python3 dependencies |
flatpak | New upstream release; fix a D-Bus filtering bypass in flatpak-dbus-proxy; ignore unrecognised permission strings, instead of failing; do not allow legacy eavesdropping on the D-Bus session bus |
fuse-zip | Fix writeback fail with libzip 1.0 |
glade | Fix possible endless loop |
glibc | Do not update /etc/nsswitch.conf when its content already matches the default; debian/script.in/nohwcap.sh: always check for all optimized packages as multiarch allows one to install foreign architectures; avoid use-after-free read access in clntudp_call [CVE-2017-12133]; define collation for Malayalam chillu characters and correct collation of U+0D36 and U+0D37 Malayalam characters; fix invalid cast in group merging affecting ppc64 and s390x; fix compatibility with Intel C++ __regcall calling convention; install the libc-otherbuild postinst and postrm in the libc6-i686 transitional package, to make sure /etc/ld.so.nohwcap is correctly removed after an upgrade |
global | Gozilla: quote URLs before passing them to BROWSER [CVE-2017-17531] |
gnumail | No longer link against OpenSSL |
golang-github-go-ldap-ldap | Require explicit intention for empty password |
gosa-plugin-pwreset | Fix deprecated constructor call |
grilo-plugins | Fix Radio France source |
hdf5 | Fix javahelper invocation |
inputlirc | Include input-event-codes.h instead of input.h, fixing build failure |
intercal | Rebuild with PIE |
java-atk-wrapper | Fix iterator initialization; fix missing reference for children |
kildclient | Drop support for user-defined browsers [CVE-2017-17511] |
libdate-holidays-de-perl | Mark Reformation Day as a holiday in Hamburg and Schleswig-Holstein from 2018 onwards |
libdatetime-timezone-perl | New upstream release |
libhibernate-validator-java | Fix potential privilege escalation by circumventing security manager permissions [CVE-2017-7536] |
libperlx-assert-perl | Add missing dependencies on libkeyword-simple-perl, libdevel-declare-perl |
libreoffice | Let FunctionAccess execute WEBSERVICE; use the right error code on WEBSERVICE() failures |
libvhdi | Add missing Python3 dependency |
libvirt | QEMU: shared disks with cache=directsync should be safe for migration; avoid denial of service reading from QEMU monitor [CVE-2018-5748] |
linux | New upstream version |
lxc | Fix the creation of testing and unstable containers by including iproute2 rather than iproute |
mapproxy | Fix Cross Site Scripting (XSS) issue in demo service [CVE-2017-1000426] |
mosquitto | Fix persistence file being world-readable [CVE-2017-9868] |
mpi4py | Support current version of libmpi |
ncurses | Fix buffer overflow in the _nc_write_entry function [CVE-2017-16879] |
needrestart | Fix switching to list mode if debconf is run non-interactively |
ntp | Increase stack size to at least 32kB |
nvidia-graphics-drivers-legacy-304xx | New upstream release |
nvidia-graphics-drivers-legacy-340xx | New upstream release |
nvidia-modprobe | New upstream release; run setuid(0) before forking modprobe to preserve privileges through shell invocations and recursive modprobe calls |
nvidia-persistenced | New upstream release |
nvidia-settings | New upstream release; fix a bug that prevented changes to stereo eye assignment from getting applied from the nvidia-settings control panel |
nvidia-xconfig | New upstream release; fix a regression that prevented nvidia-xconfig from querying some GPUs, e.g. when running `nvidia-xconfig -a` |
ocfs2-tools | Migrate from using rcS to standard runlevels |
opendmarc | Update opendmarc service file so changes in opendmarc.conf are used |
openssh | Fix sftp-server incorrectly permitting creation of zero-length files in read-only mode [CVE-2017-15906] |
osinfo-db | Update included data |
pdns-recursor | Rebuild for publicsuffix 20171028.2055-0+deb9u1 |
postfix | New upstream bugfix release; don't log warnings that some restriction returns OK, when the access map DISCARD feature is in effect; add missing dynamicmaps support in the Postfix sendmail command; fix sending to some sites with "TLSA 2 X X" records |
postgresql-9.6 | New upstream version |
publicsuffix | Update included data |
python-evtx | Fix missing Python3 dependencies |
python-hacking | Fix Python3 dependencies |
python-hkdf | Fix Python3 dependencies |
python-mimeparse | Fix Python3 dependencies |
python-pyperclip | Fix Python3 dependencies |
python-spake2 | Fix Python3 dependencies |
qtpass | Fix insecure built-in password generator [CVE-2017-18021] |
quota | Prevent quotacheck from running into an endless loop |
reportbug | Do not send mail to secure-testing-team@lists.alioth.debian.org |
rpy | Rebuild for r-base 3.3 |
ruby-redis-store | Allow unsafe objects to be loaded into redis [CVE-2017-1000248] |
salt | Fix directory traversal vulnerability on salt-master via crafted minion IDs [CVE-2017-12791], directory traversal vulnerability in minion id validation in SaltStack [CVE-2017-14695], remote Denial of Service with a specially crafted authentication request [CVE-2017-14696]; check if data[return] is dict type |
slic3r | Patch use libline in all installed binaries; workaround missing GL_MULTISAMPLE macro; fix importing binary STLs on big-endian architectures |
soundtouch | Security fixes [CVE-2017-9258 CVE-2017-9259 CVE-2017-9260] |
systemd | networkd: Handle MTU field in IPv6 RA; add a linker script to help prevent symbol collisions, particularly with PAM modules; resolved: Fix loop on packets with pseudo dns types [CVE-2017-15908]; machinectl: Don't output "No machines." with --no-legend option |
tzdata | New upstream version |
ust | Fix loading of the Python agent library |
uwsgi | Fix stack-based buffer overflow in uwsgi_expand_path function [CVE-2018-6758] |
vagrant | Download boxes from app.vagrantcloud.com instead of the deprecated atlas.hashicorp.com |
vdirsyncer | Fix autodiscovery for Google contacts |
virt-what | Unbreak virt detection on arm/aarch64 |
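w3m | Fix stack overflow [CVE-2018-6196], null pointer dereference [CVE-2018-6197], /tmp file conflict [CVE-2018-6198] |
waagent | New upstream version |
webkit2gtk | New upstream stable release |
xchain | Fix dependency on wish |
xrdp | Fix security issue [CVE-2017-16927]; fix high CPU usage in ssl_tls_accept |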
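Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
dolibarr | Too much work to maintain in Debian |
electrum | Security issues; broken due to upstream changes |
jirc | Does not work with the libpoe-filter-xml-perl in stretch |
pgmodeler | Incompatible with the Postgresql in stretch |
seelablet | Abandoned upstream; broken |
Debian Installer
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
The complete list of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
Stable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.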