Updated Debian 9: 9.5 released

July 14th, 2018

The Debian project is pleased to announce the fifth update of its stable distribution Debian 9 (codename stretch). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included. There is no need to throw away old stretch media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package Reason
2ping Add missing dependency on python-pkg-resources
abiword Resolve binary file conflict between abiword-dbgsym and abiword-plugin-grammar-dbgsym
adminer Don't allow connections to privileged ports [CVE-2018-7667]
animals Fix incorrect file permissions that made the game unusable
apache2 Upgrade mod_http and mod_proxy_http2 to the versions from 2.4.33, fixing segfaults, high memory usage and potential crash [CVE-2018-1302]; make the apache-htcacheclean init script actually use /etc/default/apache-htcacheclean for its config
auto-complete-el Add upstream fix for emacs25; adjust the emacs dependencies to the emacs versions in stretch; set auto-complete-el.emacsen-compat to silence installation warning
awffull Do not use removed options in /etc/cron.daily/awffull
ax25-tools Avoid segmentation fault at runtime
base-files Update for the point release
blktrace Fix buffer overflow in btt [CVE-2018-10689]
ca-certificates Update Mozilla CA bundle to version 2.22; bug fixes
camo Add missing dependency on openssl
cffi Add missing files for cffi-libffi and cffi-toolchain; add several missing dependencies
check-postgres Update testsuite to handle pg_get_indexdef() now always including the schema name
clamav New upstream version; don't fail on recently removed config options
clustershell Add missing dependency on python-pkg-resources
debian-installer Update for -7 kernel ABI
debian-installer-netboot-images Rebuild for the point release
debian-security-support Update included data
dehydrated Fix failure to create fullchain.pem
devscripts uscan: fix the new package version regex for filenamemangle; debsign: fix bash completion; bts: support the new ftbfs tag; uscan: support HTTPS in the sf.net redirector; debcheckout: support salsa.debian.org; debdiff: sort shlibs files before comparing, reducing diff noise; uscan: actually support --copy
disc-cover Fix perl error when running disc-cover
discover Use correct type for the length parameter of the getline() call
django-xmlrpc Fix python3 dependencies
dosbox Fix crashes with core=dynamic
dpdk New upstream stable update
dpkg Fix integer overflow in deb(5) format version parser; fix directory traversal with dpkg-deb --raw-extract; add support for riscv64 CPU; do not normalize args past a passthrough stop word in Dpkg::Getopt; parse start-stop-daemon usernames and groupnames starting with digits correctly; always use the binary version for the .buildinfo filename
dput-ng Add jessie-backports-sloppy and stretch-backports targets; include 'testing' in the rm-managed suites and 'oldstable' in protected distributions; add ports-master profile; FTP: parse and use optional [:port] part for fqdn
elastix Rebuild with ITK that has been built with gcc 6
email2trac Fix detection of Trac 1.2
faad2 Fix several DoS issues via crafted MP4 files [CVE-2017-9218 CVE-2017-9219 CVE-2017-9220 CVE-2017-9221 CVE-2017-9222 CVE-2017-9223 CVE-2017-9253 CVE-2017-9254 CVE-2017-9255 CVE-2017-9256 CVE-2017-9257]
faker Add missing dependency on python-ipaddress
fastkml Add missing dependency on pkg-resources
file Avoid reading past the end of buffer [CVE-2018-10360]
freedink-dfarc Fix directory traversal in D-Mod extractor [CVE-2018-0496]
ganeti Properly verify SSL certificates during VM export
ghostscript Fix segfault with fuzzing file in gxht_thresh_image_init(); fix buffer overflow in fill_threshold_buffer [CVE-2016-10317]; pdfwrite - Guard against trying to output an infinite number [CVE-2018-10194]
git-annex Security fixes [CVE-2018-10857 CVE-2018-10859]
glx-alternatives New upstream version
gridengine Use correct paths to qmon pixmaps; fix FTBFS on armhf
intel-microcode Update included microcode, including fixes for Spectre v2 [CVE-2017-5715]
jdresolve Fix incompatibility with libnet-dns-perl in Debian 8 and later
libb64 Rebuild with PIE
libdate-holidays-de-perl Mark Reformation Day as a holiday in Niedersachsen and Bremen
libdatetime-timezone-perl Update included data
libextractor Various security fixes [CVE-2017-15266 CVE-2017-15267 CVE-2017-15600 CVE-2017-15601 CVE-2017-15602 CVE-2017-15922 CVE-2017-17440]
libipc-run-perl Fix memory leak
liblouis Fix buffer overflow [CVE-2018-11410]; fix several buffer overflows [CVE-2018-11440 CVE-2018-11577 CVE-2018-11683 CVE-2018-11684 CVE-2018-11685 2018-12085]
libosmium Output coordinate with value of -2^31 correctly; fix buffers larger than 2^32 bytes
linux New upstream stable release 4.9.110
linux-latest Update to -7 kernel ABI
llvm-toolchain-4.0 New package for rust backports; fix build on s390x
local-apt-repository Stop breaking apt when the package is removed but not purged
loook Fix handling of password protected files
miniupnpd Fix DoS [CVE-2017-1000494]
nss-pam-ldapd Increase size of hostname buffer
nvidia-graphics-drivers New upstream version
obfsproxy Don't install the broken AppArmor profile
openldap Fix an out-of-sync issue with delta-syncrepl replication in multi-master environments; really fix upgrades when the config contains backslash-escaped special characters
openstack-debian-images Set CloudStack after OpenStack in the datasource_list, to avoid a 120s delay in cloud-init when booting a machine in an OpenStack cloud
patch Fix arbitrary command execution in ed-style patches [CVE-2018-1000156]
piglit Fix missing dependency on python-mako
postgresql-9.6 New upstream release
postgresql-common Prevent upgrading/removing server packages from stopping other major version clusters when running systemd
psad Add missing dependencies on net-tools and iproute2
pysurfer Add missing dependency on python-matplotlib
python-cluster Add missing dependency on pkg-resources
python-pyorick Fix import failure by adding missing dependency on python3-numpy
python-scruffy Add missing dependencies on pkg-resources
r-cran-mi Add missing dependency on r-cran-arm
redis Correct RunTimeDirectory -> RuntimeDirectory typo in systemd .service files
reportbug Notify the security team or LTS team about a possible regression if reporting a bug against a package containing a security fix
rustc New upstream release to support Firefox ESR
salt Fix salt-ssh minion copied over configuration from the Salt Master without adjusting permissions [CVE-2017-8109]
shared-mime-info Switch dpkg trigger to noawait, fixing upgrade issues from jessie
showq Fix prefix, so application actually works
source-highlight Fix dependency on libboost-regex-dev
starplot Fix startup crash
subversion Reject commits which would introduce hash collisions with existing data, thus addressing the SHA1/shattered issue
sus Update to new version, technically identical to SUSv4 + TC1 + TC2
systemd networkd-ndisc: Handle missing MTU gracefully; allow RemoveIPC= to be set in the unit file not only via D-Bus; nspawn: Add missing -E to getopt_long'; login: Respect --no-wall when cancelling a shutdown request
tclreadline Fix shared library build on ppc64el
thefuck Add missing dependency on pkg-resources
tinyproxy Do not stop listening after SIGHUP; fix configuration file path; add missing dependency on adduser
tlslite-ng Verify MAC even if the padding is 1 byte long
tzdata New upstream release
unison Rebuild with stretch's ocaml
variety Fix shell injection on deleting files to trash; fix shell injection in filter and clock with specially crafted filenames; harden ImageMagick calls against potential shell injection
xapian-core Fix MSet::snippet() to escape HTML in all cases [CVE-2018-499]
xerces-c Fix Denial of Service via external DTD reference [CVE-2017-12627]; fix a regression that forced gcc to use SSE2, even on platforms that do not support it
xrdp Fix off-by-one error which could lead to crashes

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-4010 git-annex
DSA-4064 chromium-browser
DSA-4113 libvorbis
DSA-4133 isc-dhcp
DSA-4134 util-linux
DSA-4135 samba
DSA-4136 curl
DSA-4137 libvirt
DSA-4138 mbedtls
DSA-4139 firefox-esr
DSA-4140 libvorbis
DSA-4141 libvorbisidec
DSA-4142 uwsgi
DSA-4143 firefox-esr
DSA-4144 openjdk-8
DSA-4145 gitlab
DSA-4146 plexus-utils
DSA-4148 kamailio
DSA-4150 icu
DSA-4151 librelp
DSA-4152 mupdf
DSA-4153 firefox-esr
DSA-4155 thunderbird
DSA-4156 drupal7
DSA-4157 openssl
DSA-4158 openssl1.0
DSA-4159 remctl
DSA-4160 libevt
DSA-4161 python-django
DSA-4162 irssi
DSA-4163 beep
DSA-4164 apache2
DSA-4165 ldap-account-manager
DSA-4167 sharutils
DSA-4169 pcs
DSA-4170 pjproject
DSA-4171 ruby-loofah
DSA-4172 perl
DSA-4173 r-cran-readxl
DSA-4174 corosync
DSA-4175 freeplane
DSA-4177 libsdl2-image
DSA-4178 libreoffice
DSA-4180 drupal7
DSA-4181 roundcube
DSA-4183 tor
DSA-4184 sdl-image1.2
DSA-4185 openjdk-8
DSA-4188 linux
DSA-4189 quassel
DSA-4190 jackson-databind
DSA-4191 redmine
DSA-4192 libmad
DSA-4193 wordpress
DSA-4194 lucene-solr
DSA-4195 wget
DSA-4196 linux
DSA-4197 wavpack
DSA-4198 prosody
DSA-4199 firefox-esr
DSA-4200 kwallet-pam
DSA-4201 xen
DSA-4202 curl
DSA-4203 vlc
DSA-4203 phonon-backend-vlc
DSA-4203 goldencheetah
DSA-4206 gitlab
DSA-4206 ruby-omniauth-auth0
DSA-4207 packagekit
DSA-4208 procps
DSA-4209 thunderbird
DSA-4210 xen
DSA-4211 xdg-utils
DSA-4212 git
DSA-4213 qemu
DSA-4214 zookeeper
DSA-4215 batik
DSA-4216 prosody
DSA-4217 wireshark
DSA-4218 memcached
DSA-4219 jruby
DSA-4220 firefox-esr
DSA-4221 libvncserver
DSA-4222 gnupg2
DSA-4223 gnupg1
DSA-4226 perl
DSA-4227 plexus-archiver
DSA-4228 spip
DSA-4229 strongswan
DSA-4230 redis
DSA-4231 libgcrypt20
DSA-4232 xen
DSA-4233 bouncycastle
DSA-4234 lava-server
DSA-4235 firefox-esr
DSA-4236 xen
DSA-4238 exiv2
DSA-4239 gosa
DSA-4240 php7.0
DSA-4241 libsoup2.4

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
libnet-whois-perl Broken
mlbviewer No longer works due to content provider changes
python-uniconvertor Unusable; requires unpackaged dependency
singularity-container Not security supportable
undertow Unsupportable; several security issues; alternatives exist
visionegg Unusable; requires no longer available numpy.oldnumeric

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/stretch/ChangeLog

The current stable distribution:

http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.