Updated Debian 9: 9.6 released
10 November 2018
The Debian project is pleased to announce the sixth update of its stable distribution Debian 9 (codename stretch).
This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included. There is no need to throw away old stretch media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org will not have to update many packages, and most such updates are already included in the point release.
New installation images will shortly be available at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
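The two paragraphs above describe the upgrade path (keep security.debian.org and the stable suites configured, then pull the point release from a mirror). The following POSIX shell script is an added example, not part of the Debian announcement: it checks that an apt sources file carries the suites a stretch system needs, decides from a debian_version string whether a host is already at 9.6 or later, and only performs the real upgrade when explicitly asked. The stock stretch sources.list layout, the mirror deb.debian.org and every function name are illustrative assumptions; the sample sources.list is constructed inline so the checks run offline.

```shell
#!/bin/sh
# Added example, not part of the Debian 9.6 announcement: pre-flight checks for
# upgrading a stretch installation to the point release from a Debian mirror.
# Assumptions (illustrative, not from the announcement): the stock stretch
# sources.list layout with suites "stretch", "stretch-updates" and
# "stretch/updates" on security.debian.org; the mirror deb.debian.org is just an
# example; all function names here are hypothetical.

# Return 0 if a /etc/debian_version string denotes 9.6 or a later release.
# Suite names without a dot, such as "buster/sid", are never point releases.
at_least_9_6() {
    case "$1" in
        [0-9]*.[0-9]*) ;;
        *) return 1 ;;
    esac
    major="${1%%.*}"
    minor="${1#*.}"
    minor="${minor%%.*}"
    [ "$major" -gt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -ge 6 ]; }
}

# Return 0 if an apt sources file carries all three suites a stretch system
# needs to pick up point-release and security fixes: the release itself,
# stretch-updates, and stretch/updates from security.debian.org. A host that
# tracked security.debian.org all along already has most of 9.6 installed.
has_stretch_suites() {
    f="$1"
    grep -Eq '^deb[[:space:]].*[[:space:]]stretch[[:space:]]+main' "$f" &&
    grep -Eq '^deb[[:space:]].*[[:space:]]stretch-updates[[:space:]]+main' "$f" &&
    grep -Eq '^deb[[:space:]]+https?://security\.debian\.org/[^[:space:]]*[[:space:]]+stretch/updates[[:space:]]+main' "$f"
}

# Constructed sample of a stock stretch sources.list, used only for the demo.
write_sample_sources() {
    cat > "$1" <<'EOF'
deb http://deb.debian.org/debian stretch main
deb http://deb.debian.org/debian stretch-updates main
deb http://security.debian.org/debian-security stretch/updates main
EOF
}

# Offline demo on the constructed sample.
sample="${TMPDIR:-/tmp}/stretch-sources.$$"
write_sample_sources "$sample"
if has_stretch_suites "$sample"; then
    echo "sample sources.list: stretch, stretch-updates and stretch/updates present"
fi
rm -f "$sample"

# The real upgrade only runs when explicitly requested on a stretch host.
# dist-upgrade rather than apt-get upgrade: 9.6 ships a new kernel ABI (-8),
# i.e. a new linux-image package name, which plain "apt-get upgrade" holds back.
if [ "${1-}" = "--upgrade" ]; then
    has_stretch_suites /etc/apt/sources.list \
        || { echo "add stretch-updates and stretch/updates before upgrading" >&2; exit 1; }
    apt-get update && apt-get dist-upgrade
    if at_least_9_6 "$(cat /etc/debian_version)"; then
        echo "now at Debian $(cat /etc/debian_version)"
    fi
fi
```

Run it without arguments to exercise the checks on the constructed sample; run it as root with `--upgrade` on an actual stretch host to perform the upgrade. The version check deliberately treats "buster/sid" and other dotless suite names as not being a point release, since /etc/debian_version only carries a numeric value on stable systems.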
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
accerciser | Fix accessing items without a compositor; fix Python console; add missing dependency on python3-xlib |
apache2 | mod_http2: Fix DoS by worker exhaustion [CVE-2018-1333] and by continuous SETTINGS [CVE-2018-11763]; mod_proxy_fcgi: Fix segfault |
base-files | Update /etc/debian_version for the point release |
brltty | Fix polkit authentication |
canna | Fix file conflict between canna-dbgsym and canna-utils-dbgsym |
cargo | New package to support Firefox ESR60 build |
clamav | New upstream release; fix HWP integer overflow, infinite loop vulnerability [CVE-2018-0360]; fix PDF object length check issue, unreasonably long time to parse relatively small file [CVE-2018-0361]; new upstream version; fix Denial-of-Service issue [CVE-2018-15378]; fix infinite loop in dpkg-reconfigure |
confuse | Fix an out of bound read in trim_whitespace [CVE-2018-14447] |
debian-installer | Update for -8 kernel ABI |
debian-installer-netboot-images | Rebuild for the point release |
dnsmasq | trust-anchors.conf: include latest DNS trust anchor KSK-2017 |
dom4j | Fix XML injection attack [CVE-2018-1000632]; compile with source/target 1.5 to fix a compilation issue with String.format |
dpdk | New upstream stable release |
dropbear | Fix user enumeration vulnerability [CVE-2018-15599] |
easytag | Fix OGG corruption |
enigmail | Add compatibility with newer Thunderbird versions |
espeakup | espeakup.service: Automatically load speakup_soft on daemon startup |
fastforward | Fix segfaults on 64-bit architectures |
firetray | Add compatibility with newer Thunderbird versions |
firmware-nonfree | Fix security issues in Broadcom wifi firmware [CVE-2016-0801 CVE-2017-0561 CVE-2017-9417 CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080 CVE-2017-13081]; re-add transitional packages for firmware-{adi,ralink} |
fofix-dfsg | Fix error at startup |
fuse | Whitelist autofs and FAT as valid mountpoint filesystems |
ganeti | Properly verify SSL certificates during VM export; sign generated certificates using SHA256 instead of SHA1; make bash completions autoloadable |
globus-gsi-credential | Fix issue with voms proxy and openssl 1.1 |
gnupg2 | Security fixes; backport functionality required for new enigmail |
gnutls28 | Fix security issues [CVE-2018-10844 CVE-2018-10845] |
gphoto2-cffi | Make python3-gphoto2cffi work again |
grub2 | grub-mknetdir: Add support for ARM64 EFI; change the default TSC calibration method to pmtimer on EFI systems |
hdparm | Only enable APM on disks that advertise it |
https-everywhere | Backport new upstream version, for compatibility with Firefox ESR 60 |
i3-wm | Fix crash upon restart when using marks |
iipimage | Fix Apache configuration |
jhead | Fix security issues [CVE-2018-17088 CVE-2018-16554] |
lastpass-cli | Backport hardcoded certificate pins from lastpass-cli 1.3.1 to reflect changes in hosted Lastpass.com service |
ldap2zone | Fix endless loop checking zone serial |
libcgroup | Fix world-accessible (and writeable) log files [CVE-2018-14348] |
libclamunrar | New upstream release |
libdap | Fix libdap-doc contents |
libdatetime-timezone-perl | Update included data |
libgd2 | Bmp: check return value in gdImageBmpPtr [CVE-2018-1000222]; fix potential infinite loop in gdImageCreateFromGifCtx [CVE-2018-5711] |
libmail-deliverystatus-bounceparser-perl | Remove non-distributable sample spam and viruses |
libmspack | Fix out-of-bounds write [CVE-2018-18584] and acceptance of blank filenames [CVE-2018-18585] |
libopenmpt | Fix out-of-bounds read when loading IT / MO3 files with many pattern loops [CVE-2018-10017] |
libseccomp | Add support for Linux 4.9 syscalls: preadv2, pwritev2, pkey_mprotect, pkey_alloc and pkey_free; add support for statx |
libtirpc | rendezvous_request: check the makefd_xprt return value [CVE-2018-14622] |
libx11 | Fix several security issues [CVE-2018-14598 CVE-2018-14599 CVE-2018-14600] |
libxcursor | Fix a denial of service or potentially code execution via a one-byte heap overflow [CVE-2015-9262] |
libxml-stream-perl | Provide a default CA path |
libxml-structured-perl | Add missing build and runtime dependency on libxml-parser-perl |
linux | Xen: Fix boot regression in PV domains; xen-netfront: Fix regressions; ext4: fix false negatives *and* false positives in ext4_check_descriptors(); udeb: Add virtio_console to virtio-modules; cdc_ncm: avoid padding beyond end of skb; revert sit: reload iphdr in ipip6_rcv; new upstream release |
lxcfs | Revert uptime virtualization, fixing process start times |
magicmaze | Depend on fonts-isabella now that ttf-isabella is a virtual package |
mailman | Fix arbitrary text injection vulnerability in Mailman CGIs [CVE-2018-13796] |
multipath-tools | Avoid deadlock in udev triggers |
nagstamon | Address IcingaWeb2 Basic auth issue |
network-manager | libnm: Fix accessing enabled and metered properties; fix out-of-bounds heap write in dhcpv6 option handling [CVE-2018-15688] and various other issues in the sd-network based dhcp=internal plugin |
network-manager-applet | libnma/pygobject: libnma/NMA must use libnm/NM instead of legacy libraries |
ola | Fix typo in /etc/init.d/rdm_test_server; fix filename for jquery in rdm test server static HTML files |
opensc | Fix unbounded recursion and several out-of-bounds reads or writes [CVE-2018-16391 CVE-2018-16392 CVE-2018-16393 CVE-2018-16418 CVE-2018-16419 CVE-2018-16420 CVE-2018-16421 CVE-2018-16422 CVE-2018-16423 CVE-2018-16424 CVE-2018-16425 CVE-2018-16426 CVE-2018-16427] |
pkgsel | Install new dependencies when safe-upgrade (default) is selected |
publicsuffix | Update included data |
python-django | Default to supporting Spatialite >= 4.2 |
python-imaplib2 | Install the correct module for Python 3; don't use TIMEOUT_MAX |
rustc | Enable building on further architectures: arm64, armel, armhf, i386, ppc64el, s390x |
sddm | Honour PAM's ambient supplemental groups; add missing utmp/wtmp/btmp handling |
serf | Fix NULL pointer dereference |
soundconverter | Fix opus vbr setting |
spamassassin | New upstream release; fix denial of service [CVE-2017-15705], remote code execution [CVE-2018-11780], code injection [CVE-2018-11781] and unsafe usage of .in @INC [CVE-2016-1238]; fix spamd service management on package upgrades |
spice-gtk | Fix flexible array buffer overflow [CVE-2018-10873] |
sqlcipher | Avoid a crash when opening a file |
subversion | Fix a regression introduced in the fixes for SHA1 collisions, where commits would incorrectly fail with a "Filesystem is corrupt" error if the delta length is a multiple of 16K |
systemd | networkd: Do not fail manager_connect_bus() if dbus is not active yet; dhcp6: Make sure we have enough space for the DHCP6 option header [CVE-2018-15688] |
systraq | Invert logic in order to exit successfully in case /e/s/Makefile is missing |
tomcat-native | Fix OCSP responder issue that made it possible for users to authenticate with revoked certificates when using mutual TLS [CVE-2018-8019 CVE-2018-8020] |
tor | Directory authority changes: retire the Bifroest bridge authority in favour of Serge; add an IPv6 address for the dannenberg directory authority |
tzdata | New upstream release |
ublock-origin | Backport new upstream version, for compatibility with Firefox ESR 60 |
unbound | Fix vulnerability in the processing of wildcard synthesized NSEC records [CVE-2017-15105] |
vagrant | Support VirtualBox 5.2 |
vmtk | python-vmtk: Add the missing dependency on python-vtk6 |
wesnoth-1.12 | Disallow loading lua bytecode via load/dofile [CVE-2018-1999023] |
wpa | Ignore unauthenticated encrypted EAPOL-Key data [CVE-2018-14526] |
x11vnc | Fix two buffer overflows |
xapian-core | Fix glass backend bug with long-lived cursors on a table in a WritableDatabase which could incorrectly lead to DatabaseCorruptError being thrown when the database was actually OK |
xmotd | Avoid crash with hardening flags |
xorg-server | GLX: do not pick sRGB config for 32-bit RGBA visual - fixes various blending issues with kwin and Mesa >= 18.0 (i.e. Mesa from stretch-backports) |
zutils | Fix a buffer overrun in zcat [CVE-2018-1000637] |
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
adblock-plus-element-hiding-helper | Incompatible with newer firefox-esr versions |
all-in-one-sidebar | Incompatible with newer firefox-esr versions |
autofill-forms | Incompatible with newer firefox-esr versions |
automatic-save-folder | Incompatible with newer firefox-esr versions |
classic-theme-restorer | Incompatible with newer firefox-esr versions |
colorfultabs | Incompatible with newer firefox-esr versions |
custom-tab-width | Incompatible with newer firefox-esr versions |
dactyl | Incompatible with newer firefox-esr versions |
downthemall | Incompatible with newer firefox-esr versions |
dvips-fontdata-n2bk | Empty package |
firebug | Incompatible with newer firefox-esr versions |
firegestures | Incompatible with newer firefox-esr versions |
firexpath | Incompatible with newer firefox-esr versions |
flashgot | Incompatible with newer firefox-esr versions |
form-history-control | Incompatible with newer firefox-esr versions |
foxyproxy | Incompatible with newer firefox-esr versions |
gitlab | Open security issues, hard to backport fixes |
greasemonkey | Incompatible with newer firefox-esr versions |
intel-processor-trace | [s390x] Only useful on Intel architectures |
itsalltext | Incompatible with newer firefox-esr versions |
knot-resolver | Security issues, hard to backport fixes |
lightbeam | Incompatible with newer firefox-esr versions |
livehttpheaders | Incompatible with newer firefox-esr versions |
lyz | Incompatible with newer firefox-esr versions |
npapi-vlc | Incompatible with newer firefox-esr versions |
nukeimage | Incompatible with newer firefox-esr versions |
openinbrowser | Incompatible with newer firefox-esr versions |
perspectives-extension | Incompatible with newer firefox-esr versions |
pwdhash | Incompatible with newer firefox-esr versions |
python-facebook | Broken due to upstream changes |
python-tvrage | Useless after tvrage.com shutdown |
reloadevery | Incompatible with newer firefox-esr versions |
sage-extension | Incompatible with newer firefox-esr versions |
scrapbook | Incompatible with newer firefox-esr versions |
self-destructing-cookies | Incompatible with newer firefox-esr versions |
spdy-indicator | Incompatible with newer firefox-esr versions |
status-4-evar | Incompatible with newer firefox-esr versions |
stylish | Incompatible with newer firefox-esr versions |
tabmixplus | Incompatible with newer firefox-esr versions |
tree-style-tab | Incompatible with newer firefox-esr versions |
ubiquity-extension | Incompatible with newer firefox-esr versions |
uppity | Incompatible with newer firefox-esr versions |
useragentswitcher | Incompatible with newer firefox-esr versions |
video-without-flash | Incompatible with newer firefox-esr versions |
webdeveloper | Incompatible with newer firefox-esr versions |
xul-ext-monkeysphere | Incompatible with newer firefox-esr versions |
Debian Installer
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
Stable distribution information (release notes, errata, etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.