Updated Debian 8: 8.11 released
June 23rd, 2018
The Debian project is pleased to announce the eleventh (and final)
update of its oldstable distribution Debian 8 (codename jessie
).
This point release mainly adds corrections for security issues,
along with a few adjustments for serious problems. Security advisories
have already been published separately and are referenced where available.
After this point release, Debian's Security and Release Teams will no longer be producing updates for Debian 8. Users wishing to continue to receive security support should upgrade to Debian 9, or see https://wiki.debian.org/LTS for details about the subset of architectures and packages covered by the Long Term Support project.
The packages for some architectures for DSA 3746, DSA 3944, DSA 3968, DSA 4010, DSA 4014, DSA 4061, DSA 4075, DSA 4102, DSA 4155, DSA 4209 and DSA 4218 are not included in this point release for technical reasons. All other security updates released during the lifetime of "jessie" that have not previously been part of a point release are included in this update.
Please note that the point release does not constitute a new version of Debian
8 but only updates some of the packages included. There is
no need to throw away old jessie
media. After installation,
packages can be upgraded to the current versions using an up-to-date Debian
mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This oldstable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
adminer | Don't allow connections to privileged ports [CVE-2018-7667] |
base-files | Update for the point release |
blktrace | Fix buffer overflow in btt [CVE-2018-10689] |
bwm-ng | Explicitly build without libstatgrab support |
clamav | Security update [CVE-2017-6418 CVE-2017-6420 CVE-2017-12374 CVE-2017-12375 CVE-2017-12376 CVE-2017-12377 CVE-2017-12378 CVE-2017-12379 CVE-2017-12380]; fix temporary file cleanup issue; new upstream release; new upstream version |
debian-installer | Rebuild for the point release |
debian-installer-netboot-images | Rebuild for the point release |
debian-security-support | Update package data |
dh-make-perl | Support Contents file without header |
dns-root-data | Update IANA DNSSEC files to 2017-02-02 versions |
faad2 | Fix several DoS issues via crafted MP4 files [CVE-2017-9218 CVE-2017-9219 CVE-2017-9220 CVE-2017-9221 CVE-2017-9222 CVE-2017-9223 CVE-2017-9253 CVE-2017-9254 CVE-2017-9255 CVE-2017-9256 CVE-2017-9257] |
file | Avoid reading past the end of a buffer [CVE-2018-10360] |
ghostscript | Fix segfault with fuzzing file in gxht_thresh_image_init; fix buffer overflow in fill_threshold_buffer [CVE-2016-10317]; pdfwrite - Guard against trying to output an infinite number [CVE-2018-10194] |
intel-microcode | Update included microcode, including fixes for Spectre v2 [CVE-2017-5715] |
lame | Fix security issues by switching to use I/O routines from sndfile [CVE-2017-15018 CVE-2017-15045 CVE-2017-15046 CVE-2017-9869 CVE-2017-9870 CVE-2017-9871 CVE-2017-9872] |
libdatetime-timezone-perl | Update included data |
libextractor | Various security fixes [CVE-2017-15266 CVE-2017-15267 CVE-2017-15600 CVE-2017-15601 CVE-2017-15602 CVE-2017-15922 CVE-2017-17440] |
libipc-run-perl | Fix memory leak |
linux | New upstream stable release |
mactelnet | Security fix [CVE-2016-7115] |
ncurses | Fix buffer overflow in the _nc_write_entry function [CVE-2017-16879] |
nvidia-graphics-drivers | New upstream version |
nvidia-graphics-drivers-legacy-304xx | Update to latest driver |
openafs | Fix kernel module build against linux 3.16.51-3+deb8u1 kernels after security update-induced ABI changes |
openldap | Fix upgrade failure when olcSuffix contains a backslash; fix memory corruption caused by calling sasl_client_init() multiple times |
patch | Fix arbitrary command execution in ed-style patches [CVE-2018-1000156] |
postgresql-9.4 | New upstream release |
psensor | Fix directory traversal issue [CVE-2014-10073] |
python-mimeparse | Fix python3-mimeparse's dependencies |
rar | Strip statically linked rar and install the dynamically linked version instead |
reportbug | Stop CCing secure-testing-team@lists.alioth.debian.org |
sam2p | Fix multiple invalid frees and buffer-overflow vulnerabilities [CVE-2018-7487 CVE-2018-7551 CVE-2018-7552 CVE-2018-7553 CVE-2018-7554] |
slurm-llnl | Fix upgrade issue from wheezy |
soundtouch | Security fixes [CVE-2017-9258 CVE-2017-9259 CVE-2017-9260] |
subversion | Fix crashes with Perl bindings, commonly seen when using git-svn |
tzdata | Update included data |
user-mode-linux | Rebuild against current jessie kernel |
virtualbox-guest-additions-iso | Fix multiple security issues [CVE-2016-0592 CVE-2016-0495 CVE-2015-8104 CVE-2015-7183 CVE-2015-5307 CVE-2015-7183 CVE-2015-4813 CVE-2015-4896 CVE-2015-3456] |
xerces-c | Fix Denial of Service via external DTD reference [CVE-2017-12627] |
zsh | Rebuild against libraries currently in jessie |
Security Updates
This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
dolibarr | Too much work to maintain it properly in Debian |
electrum | No longer able to connect to the network |
jirc | Broken with jessie's libpoe-filter-xml-perl |
nvidia-graphics-modules | License problem; incompatible with current kernel ABI |
openstreetmap-client | Broken |
redmine | No longer security supported |
redmine-plugin-pretend | Depends on redmine |
redmine-plugin-recaptcha | Depends on redmine |
redmine-recaptcha | Depends on redmine |
youtube-dl | Incompatible YouTube API changes |
Debian Installer
The installer has been updated to include the fixes incorporated into oldstable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current oldstable distribution:
Proposed updates to the oldstable distribution:
oldstable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.