Updated Debian 9: 9.6 released
November 10th, 2018
The Debian project is pleased to announce the sixth update of its stable distribution Debian 9 (codename stretch).
This point release mainly adds corrections for security issues,
along with a few adjustments for serious problems. Security advisories
have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included. There is no need to throw away old stretch media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
accerciser | Fix accessing items without a compositor; fix Python console; add missing dependency on python3-xlib |
apache2 | mod_http2: Fix DoS by worker exhaustion [CVE-2018-1333] and by continuous SETTINGS [CVE-2018-11763]; mod_proxy_fcgi: Fix segfault |
base-files | Update /etc/debian_version for the point release |
brltty | Fix polkit authentication |
canna | Fix file conflict between canna-dbgsym and canna-utils-dbgsym |
cargo | New package to support Firefox ESR60 build |
clamav | New upstream release; fix HWP integer overflow, infinite loop vulnerability [CVE-2018-0360]; fix PDF object length check issue, unreasonably long time to parse relatively small file [CVE-2018-0361]; new upstream version; fix Denial-of-Service issue [CVE-2018-15378]; fix infinite loop in dpkg-reconfigure |
confuse | Fix an out of bound read in trim_whitespace [CVE-2018-14447] |
debian-installer | Update for -8 kernel ABI |
debian-installer-netboot-images | Rebuild for the point release |
dnsmasq | trust-anchors.conf: include latest DNS trust anchor KSK-2017 |
dom4j | Fix XML injection attack [CVE-2018-1000632]; compile with source/target 1.5 to fix a compilation issue with String.format |
dpdk | New upstream stable release |
dropbear | Fix user enumeration vulnerability [CVE-2018-15599] |
easytag | Fix OGG corruption |
enigmail | Add compatibility with newer Thunderbird versions |
espeakup | espeakup.service: Automatically load speakup_soft on daemon startup |
fastforward | Fix segfaults on 64-bit architectures |
firetray | Add compatibility with newer Thunderbird versions |
firmware-nonfree | Fix security issues in Broadcom wifi firmware [CVE-2016-0801 CVE-2017-0561 CVE-2017-9417 CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080 CVE-2017-13081]; re-add transitional packages for firmware-{adi,ralink} |
fofix-dfsg | Fix error at startup |
fuse | Whitelist autofs and FAT as valid mountpoint filesystems |
ganeti | Properly verify SSL certificates during VM export; sign generated certificates using SHA256 instead of SHA1; make bash completions autoloadable |
globus-gsi-credential | Fix issue with voms proxy and openssl 1.1 |
gnupg2 | Security fixes; backport functionality required for new enigmail |
gnutls28 | Fix security issues [CVE-2018-10844 CVE-2018-10845] |
gphoto2-cffi | Make python3-gphoto2cffi work again |
grub2 | grub-mknetdir: Add support for ARM64 EFI; change the default TSC calibration method to pmtimer on EFI systems |
hdparm | Only enable APM on disks that advertise it |
https-everywhere | Backport new upstream version, for compatibility with Firefox ESR 60 |
i3-wm | Fix crash upon restart when using marks |
iipimage | Fix Apache configuration |
jhead | Fix security issues [CVE-2018-17088 CVE-2018-16554] |
lastpass-cli | Backport hardcoded certificate pins from lastpass-cli 1.3.1 to reflect changes in hosted Lastpass.com service |
ldap2zone | Fix endless loop checking zone serial |
libcgroup | Fix world-accessible (and writeable) log files [CVE-2018-14348] |
libclamunrar | New upstream release |
libdap | Fix libdap-doc contents |
libdatetime-timezone-perl | Update included data |
libgd2 | Bmp: check return value in gdImageBmpPtr [CVE-2018-1000222]; fix potential infinite loop in gdImageCreateFromGifCtx [CVE-2018-5711] |
libmail-deliverystatus-bounceparser-perl | Remove non-distributable sample spam and viruses |
libmspack | Fix out-of-bounds write [CVE-2018-18584] and acceptance of blank filenames [CVE-2018-18585] |
libopenmpt | Fix up11: Out-of-bounds read loading IT / MO3 files with many pattern loops [CVE-2018-10017] |
libseccomp | Add support for Linux 4.9 syscalls: preadv2, pwritev2, pkey_mprotect, pkey_alloc and pkey_free; add support for statx |
libtirpc | rendezvous_request: check the makefd_xprt return value [CVE-2018-14622] |
libx11 | Fix several security issues [CVE-2018-14598 CVE-2018-14599 CVE-2018-14600] |
libxcursor | Fix a denial of service or potentially code execution via a one-byte heap overflow [CVE-2015-9262] |
libxml-stream-perl | Provide a default CA path |
libxml-structured-perl | Add missing build and runtime dependency on libxml-parser-perl |
linux | Xen: Fix boot regression in PV domains; xen-netfront: Fix regressions; ext4: fix false negatives *and* false positives in ext4_check_descriptors(); udeb: Add virtio_console to virtio-modules; cdc_ncm: avoid padding beyond end of skb; revert sit: reload iphdr in ipip6_rcv; new upstream release |
lxcfs | Revert uptime virtualization, fixing process start times |
magicmaze | Depend on fonts-isabella now that ttf-isabella is a virtual package |
mailman | Fix arbitrary text injection vulnerability in Mailman CGIs [CVE-2018-13796] |
multipath-tools | Avoid deadlock in udev triggers |
nagstamon | Address IcingaWeb2 Basic auth issue |
network-manager | libnm: Fix accessing enabled and metered properties; fix out-of-bounds heap write in dhcpv6 option handling [CVE-2018-15688] and various other issues in the sd-network based dhcp=internal plugin |
network-manager-applet | libnma/pygobject: libnma/NMA must use libnm/NM instead of legacy libraries |
ola | Fix typo in /etc/init.d/rdm_test_server; fix filename for jquery in rdm test server static HTML files |
opensc | Fix unbounded recursion and several out-of-bounds reads or writes [CVE-2018-16391 CVE-2018-16392 CVE-2018-16393 CVE-2018-16418 CVE-2018-16419 CVE-2018-16420 CVE-2018-16421 CVE-2018-16422 CVE-2018-16423 CVE-2018-16424 CVE-2018-16425 CVE-2018-16426 CVE-2018-16427] |
pkgsel | Install new dependencies when safe-upgrade (default) is selected |
publicsuffix | Update included data |
python-django | Default to supporting Spatialite >= 4.2 |
python-imaplib2 | Install the correct module for Python 3; don't use TIMEOUT_MAX |
rustc | Enable building on further architectures: arm64, armel, armhf, i386, ppc64el, s390x |
sddm | Honour PAM's ambient supplemental groups; add missing utmp/wtmp/btmp handling |
serf | Fix NULL pointer dereference |
soundconverter | Fix opus vbr setting |
spamassassin | New upstream release; fix denial of service [CVE-2017-15705], remote code execution [CVE-2018-11780], code injection [CVE-2018-11781] and unsafe usage of "." in @INC [CVE-2016-1238]; fix spamd service management on package upgrades |
spice-gtk | Fix flexible array buffer overflow [CVE-2018-10873] |
sqlcipher | Avoid a crash when opening a file |
subversion | Fix a regression introduced in the fixes for SHA1 collisions, where commits would incorrectly fail with a "Filesystem is corrupt" error if the delta length is a multiple of 16K |
systemd | networkd: Do not fail manager_connect_bus() if dbus is not active yet; dhcp6: Make sure we have enough space for the DHCP6 option header [CVE-2018-15688] |
systraq | Invert logic in order to exit successfully in case /e/s/Makefile is missing |
tomcat-native | Fix OCSP responder issue that made it possible for users to authenticate with revoked certificates when using mutual TLS [CVE-2018-8019 CVE-2018-8020] |
tor | Directory authority changes: retire Bifroest bridge authority, in favour of Serge; add an IPv6 address for the dannenberg directory authority |
tzdata | New upstream release |
ublock-origin | Backport new upstream version, for compatibility with Firefox ESR 60 |
unbound | Fix vulnerability in the processing of wildcard synthesized NSEC records [CVE-2017-15105] |
vagrant | Support VirtualBox 5.2 |
vmtk | python-vmtk: Add the missing dependency on python-vtk6 |
wesnoth-1.12 | Disallow loading lua bytecode via load/dofile [CVE-2018-1999023] |
wpa | Ignore unauthenticated encrypted EAPOL-Key data [CVE-2018-14526] |
x11vnc | Fix two buffer overflows |
xapian-core | Fix glass backend bug with long-lived cursors on a table in a WritableDatabase which could incorrectly lead to DatabaseCorruptError being thrown when the database was actually OK |
xmotd | Avoid crash with hardening flags |
xorg-server | GLX: do not pick sRGB config for 32-bit RGBA visual - fixes various blending issues with kwin and Mesa >= 18.0 (i.e. Mesa from stretch-backports) |
zutils | Fix a buffer overrun in zcat [CVE-2018-1000637] |
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
adblock-plus-element-hiding-helper | Incompatible with newer firefox-esr versions |
all-in-one-sidebar | Incompatible with newer firefox-esr versions |
autofill-forms | Incompatible with newer firefox-esr versions |
automatic-save-folder | Incompatible with newer firefox-esr versions |
classic-theme-restorer | Incompatible with newer firefox-esr versions |
colorfultabs | Incompatible with newer firefox-esr versions |
custom-tab-width | Incompatible with newer firefox-esr versions |
dactyl | Incompatible with newer firefox-esr versions |
downthemall | Incompatible with newer firefox-esr versions |
dvips-fontdata-n2bk | Empty package |
firebug | Incompatible with newer firefox-esr versions |
firegestures | Incompatible with newer firefox-esr versions |
firexpath | Incompatible with newer firefox-esr versions |
flashgot | Incompatible with newer firefox-esr versions |
form-history-control | Incompatible with newer firefox-esr versions |
foxyproxy | Incompatible with newer firefox-esr versions |
gitlab | Open security issues, hard to backport fixes |
greasemonkey | Incompatible with newer firefox-esr versions |
intel-processor-trace | [s390x] Only useful on Intel architectures |
itsalltext | Incompatible with newer firefox-esr versions |
knot-resolver | Security issues, hard to backport fixes |
lightbeam | Incompatible with newer firefox-esr versions |
livehttpheaders | Incompatible with newer firefox-esr versions |
lyz | Incompatible with newer firefox-esr versions |
npapi-vlc | Incompatible with newer firefox-esr versions |
nukeimage | Incompatible with newer firefox-esr versions |
openinbrowser | Incompatible with newer firefox-esr versions |
perspectives-extension | Incompatible with newer firefox-esr versions |
pwdhash | Incompatible with newer firefox-esr versions |
python-facebook | Broken due to upstream changes |
python-tvrage | Useless after tvrage.com shutdown |
reloadevery | Incompatible with newer firefox-esr versions |
sage-extension | Incompatible with newer firefox-esr versions |
scrapbook | Incompatible with newer firefox-esr versions |
self-destructing-cookies | Incompatible with newer firefox-esr versions |
spdy-indicator | Incompatible with newer firefox-esr versions |
status-4-evar | Incompatible with newer firefox-esr versions |
stylish | Incompatible with newer firefox-esr versions |
tabmixplus | Incompatible with newer firefox-esr versions |
tree-style-tab | Incompatible with newer firefox-esr versions |
ubiquity-extension | Incompatible with newer firefox-esr versions |
uppity | Incompatible with newer firefox-esr versions |
useragentswitcher | Incompatible with newer firefox-esr versions |
video-without-flash | Incompatible with newer firefox-esr versions |
webdeveloper | Incompatible with newer firefox-esr versions |
xul-ext-monkeysphere | Incompatible with newer firefox-esr versions |
Debian Installer
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
stable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.