Debian 9 更新：9.4 發佈

2018年03月10日

Debian 項目很高興地宣佈 Debian 9 穩定版本的第四次更新（代號stretch）。此次小版本更新主要添加了對安全問題的修正補丁，以及為一些嚴重問題所作的調整。安全通告已單獨發佈，並會在適當的情況下予以引用。

請注意，此更新並不是 Debian 9 的新版本，它僅更新了所包含的一些套件。沒有必要丟棄舊的stretch的安裝介質。在安裝之後，只需使用最新的 Debian 映射站台更新舊的套件即可。

經常從 security.debian.org 安裝更新的使用者將不必更新許多套件，因本更新中包含了 security.debian.org 的大多數更新。

新的安裝映射站台即將於常規的位置予以提供。

只需令套件管理系統指向 Debian 的許多 HTTP 映射站台之一，您便能夠把已有的系統升級至本次更新版本。詳盡的映射站台列表可以在以下網址處獲得：

https://www.debian.org/mirror/list

雜項錯誤修正

此穩定版更新為以下套件添加了一些重要的修正：

套件	原因
acme-tiny	修復訂閱者協議過時的問題
activity-log-manager	添加缺失的依賴關係 python-zeitgeist
agenda.app	修復創建任務和會議的功能
apparmor	將 features 文件移至 /usr/share/apparmor-features；將 AppArmor 功能集和 Stretch 核心相對應
auto-apt-proxy	在刪除套件時移走配置文件，重新安裝時再將其移回
bareos	修復備份時出錯並提示 No Volume name given 的問題
base-files	為小版本更新提供文件
cappuccino	添加缺失的依賴 gir1.2-gtk-3.0
cerealizer	修復 Python3 依賴
clamav	新上游發行版本；安全更新 [CVE-2017-6418 CVE-2017-6420 CVE-2017-12374 CVE-2017-12375 CVE-2017-12376 CVE-2017-12377 CVE-2017-12378 CVE-2017-12379 CVE-2017-12380]
cron	Properly transition system jobs to system_cronjob_t SELinux context and stop relying on refpolicy specific identifiers
cups	Fix execution of arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding [CVE-2017-18190]
dbus	新上游發行版本; raise file descriptor limit sooner, fixing a regression in local DoS fix
debian-edu-config	Pre-configure Chromium Webbrowser system-wide to auto-detect the http proxy settings via WPAD; allow joining of Windows 10 clients to the Samba NT4-style domain
debian-installer	將 Linux 核心版本從 4.9.0-4 跳至 4.9.0-6
debian-installer-netboot-images	Update to 20170615+deb9u3 images, from stretch-proposed-updates
directfb	Fix architecture-based filter to actually install drivers
dpdk	Update to new stable point release
espeakup	udeb: fix case where card 0 does not have an id or where cards have non-contiguous indexes; use English by default; use card id in installed system to avoid issues with card detection ordering
exam	修復 Python3 依賴關係
flatpak	新上游發行版本; fix a D-Bus filtering bypass in flatpak-dbus-proxy; ignore unrecognised permission strings, instead of failing; do not allow legacy eavesdropping on the D-Bus session bus
fuse-zip	Fix writeback fail with libzip 1.0
glade	修復可能的死循環
glibc	Do not update /etc/nsswitch.conf when its content already matches the default; debian/script.in/nohwcap.sh: always check for all optimized packages as multiarch allows one to install foreign architectures; avoid use-after-free read access in clntudp_call [CVE-2017-12133]; define collation for Malayalam chillu characters and correct collation of U+0D36 and U+0D37 Malayalam characters; fix invalid cast in group merging affecting ppc64 and s390x; fix compatibility with Intel C++ __regcall calling convention; install the libc-otherbuild postinst and postrm in the libc6-i686 transitional package, to make sure /etc/ld.so.nohwcap is correctly removed after an upgrade
global	Gozilla: quote URLs before passing them to BROWSER [CVE-2017-17531]
gnumail	不再鏈接至 OpenSSL
golang-github-go-ldap-ldap	Require explicit intention for empty password
gosa-plugin-pwreset	Fix deprecated constructor call
grilo-plugins	Fix Radio France source
hdf5	修復 javahelper 調用
inputlirc	Include input-event-codes.h instead of input.h, fixing build failure
intercal	帶 PIE 參數重新編譯
java-atk-wrapper	Fix iterator initialization; fix missing reference for children
kildclient	Drop support for user-defined browsers [CVE-2017-17511]
libdate-holidays-de-perl	Mark Reformation Day as a holiday in Hamburg and Schleswig-Holstein from 2018 onwards
libdatetime-timezone-perl	新上游發行版本
libhibernate-validator-java	Fix potential privilege escalation by circumventing security manager permissions [CVE-2017-7536]
libperlx-assert-perl	Add missing dependencies on libkeyword-simple-perl, libdevel-declare-perl
libreoffice	Let FunctionAccess execute WEBSERVICE; use the right error code on WEBSERVICE() failures
libvhdi	Add missing Python3 dependency
libvirt	QEMU: shared disks with cache=directsync should be safe for migration; avoid denial of service reading from QEMU monitor [CVE-2018-5748]
linux	新上游版本
lxc	Fix the creation of testing and unstable containers by including iproute2 rather than iproute
mapproxy	Fix Cross Site Scripting (XSS) issue in demo service [CVE-2017-1000426]
mosquitto	Fix persistence file being world-readable [CVE-2017-9868]
mpi4py	Support current version of libmpi
ncurses	Fix buffer overflow in the _nc_write_entry function [CVE-2017-16879]
needrestart	Fix switching to list mode if debconf is run non-interactively
ntp	Increase stack size to at least 32kB
nvidia-graphics-drivers-legacy-304xx	新上游發行版本
nvidia-graphics-drivers-legacy-340xx	新上游發行版本
nvidia-modprobe	新上游發行版本; run setuid(0) before forking modprobe to preserve privileges through shell invocations and recursive modprobe calls
nvidia-persistenced	新上游發行版本
nvidia-settings	新上游發行版本; fix a bug that prevented changes to stereo eye assignment from getting applied from the nvidia-settings control panel
nvidia-xconfig	新上游發行版本; fix a regression that prevented nvidia-xconfig from querying some GPUs, e.g. when running `nvidia-xconfig -a`
ocfs2-tools	Migrate from using rcS to standard runlevels
opendmarc	Update opendmarc service file so changes in opendmarc.conf are used
openssh	Fix in read-only mode, sftp-server was incorrectly permitting creation of zero-length files [CVE-2017-15906]
osinfo-db	更新內含的數據
pdns-recursor	為 publicsuffix 20171028.2055-0+deb9u1 而重新構建
postfix	New upstream bugfix release; don't log warnings that some restriction returns OK, when the access map DISCARD feature is in effect; add missing dynamicmaps support in the Postfix sendmail command; fix sending to some sites with TLSA 2 X X records
postgresql-9.6	新上游版本
publicsuffix	更新包含的數據
python-evtx	修復缺失的 Python3 依賴關係
python-hacking	修復 Python3 依賴關係
python-hkdf	修復 Python3 依賴關係
python-mimeparse	修復 Python3 依賴關係
python-pyperclip	修復 Python3 依賴關係
python-spake2	修復 Python3 依賴關係
qtpass	修復不安全的內建密碼生成器 [CVE-2017-18021]
quota	Prevent quotacheck from running into an endless loop
reportbug	不要將郵件發送至 secure-testing-team@lists.alioth.debian.org
rpy	為 r-base 3.3 重新構建
ruby-redis-store	允許不安全的對象加載至 redis 中 [CVE-2017-1000248]
salt	Fix directory traversal vulnerability on salt-master via crafted minion IDs [CVE-2017-12791], directory traversal vulnerability in minion id validation in SaltStack [CVE-2017-14695], remote Denial of Service with a specially crafted authentication request [CVE-2017-14696]; check if data[return] is dict type
slic3r	Patch use lib line in all installed binaries; workaround missing GL_MULTISAMPLE macro; fix importing binary STLs on big-endian architectures
soundtouch	安全修復 [CVE-2017-9258 CVE-2017-9259 CVE-2017-9260]
systemd	networkd: Handle MTU field in IPv6 RA; add a linker script to help prevent symbol collisions, particularly with PAM modules; resolved: Fix loop on packets with pseudo dns types [CVE-2017-15908]; machinectl: Don't output No machines. with --no-legend option
tzdata	新上游版本
ust	修復對 Python agent 庫的加載
uwsgi	Fix stack-based buffer overflow in uwsgi_expand_path function [CVE-2018-6758]
vagrant	Download boxes from app.vagrantcloud.com instead of the deprecated atlas.hashicorp.com
vdirsyncer	修復對谷歌聯繫人的自動發現功能
virt-what	Unbreak virt detection on arm/aarch64
w3m	修復棧溢出 [CVE-2018-6196]、對空指針的解引用 [CVE-2018-6197]、/tmp 文件衝突 [CVE-2018-6198]
waagent	新上游版本
webkit2gtk	新上游穩定釋出版本
xchain	修復對wish的依賴
xrdp	修復安全問題 [CVE-2017-16927]；修復 ssl_tls_accept 的高 CPU 佔用問題

安全更新

此修訂版本將以下安全更新添加到了穩定發行版本中。安全團隊已經分別為這些更新發布了通告：

通告編號	套件
DSA-4054	tor
DSA-4055	heimdal
DSA-4056	nova
DSA-4057	erlang
DSA-4058	optipng
DSA-4059	libxcursor
DSA-4060	wireshark
DSA-4061	thunderbird
DSA-4062	firefox-esr
DSA-4063	pdns-recursor
DSA-4065	openssl1.0
DSA-4066	otrs2
DSA-4067	openafs
DSA-4068	rsync
DSA-4069	otrs2
DSA-4070	enigmail
DSA-4071	sensible-utils
DSA-4072	bouncycastle
DSA-4073	linux
DSA-4075	thunderbird
DSA-4076	asterisk
DSA-4077	gimp
DSA-4078	linux
DSA-4078	linux-latest
DSA-4079	poppler
DSA-4080	php7.0
DSA-4083	poco
DSA-4084	gifsicle
DSA-4086	libxml2
DSA-4087	transmission
DSA-4088	gdk-pixbuf
DSA-4089	bind9
DSA-4090	wordpress
DSA-4092	awstats
DSA-4093	openocd
DSA-4094	smarty3
DSA-4095	gcab
DSA-4096	firefox-esr
DSA-4097	poppler
DSA-4098	curl
DSA-4099	ffmpeg
DSA-4100	tiff
DSA-4101	wireshark
DSA-4102	thunderbird
DSA-4104	p7zip
DSA-4105	mpv
DSA-4106	libtasn1-6
DSA-4107	django-anymail
DSA-4108	mailman
DSA-4109	ruby-omniauth
DSA-4110	exim4
DSA-4111	libreoffice
DSA-4112	xen
DSA-4114	jackson-databind
DSA-4115	quagga
DSA-4116	plasma-workspace
DSA-4118	tomcat-native
DSA-4120	linux-latest
DSA-4120	linux
DSA-4121	gcc-6
DSA-4122	squid3
DSA-4123	drupal7
DSA-4124	lucene-solr
DSA-4125	wavpack
DSA-4126	xmltooling
DSA-4127	simplesamlphp
DSA-4128	trafficserver
DSA-4129	freexl
DSA-4130	dovecot
DSA-4131	xen
DSA-4132	libvpx

刪除的套件

由於我們無法控制的情況，以下套件已被刪除：

套件	原因
dolibarr	在 Debian 中進行維護工作量過大
electrum	安全問題；因上游變更而破損
jirc	與 stretch 中的 libpoe-filter-xml-perl 無法配合使用
pgmodeler	與 stretch 中的 Postgresql 不兼容
seelablet	上游放棄開發；已破損

Debian 安裝器

安裝器已經更新，以配合發佈時包含在穩定版本中的修正內容。

鏈接

此修訂版本中有更改的套件的完整列表：

http://ftp.debian.org/debian/dists/stretch/ChangeLog

當前穩定發行版：

http://ftp.debian.org/debian/dists/stable/

擬議的穩定發行版更新：

http://ftp.debian.org/debian/dists/proposed-updates

穩定發行版信息（發行說明，勘誤等）：

https://www.debian.org/releases/stable/

安全公告及信息：

https://www.debian.org/security/

關於 Debian

Debian 項目是一個自由軟體開發者組織，這些志願者為製作完全自由免費的 Debian 作業系統而自願貢獻時間和精力。

聯繫信息

更多信息，請訪問 Debian 主頁 https://www.debian.org/、發送郵件至 <press@debian.org> 或聯繫穩定版本發佈團隊 <debian-release@lists.debian.org>。