Updated Debian 9: 9.6 released

November 10th, 2018

The Debian project is pleased to announce the sixth update of its stable distribution Debian 9 (codename stretch). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included. There is no need to throw away old stretch media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package Reason
accerciser Fix accessing items without a compositor; fix Python console; add missing dependency on python3-xlib
apache2 mod_http2: Fix DoS by worker exhaustion [CVE-2018-1333] and by continuous SETTINGS [CVE-2018-11763]; mod_proxy_fcgi: Fix segfault
base-files Update /etc/debian_version for the point release
brltty Fix polkit authentication
canna Fix file conflict between canna-dbgsym and canna-utils-dbgsym
cargo New package to support Firefox ESR60 build
clamav New upstream release; fix HWP integer overflow, infinite loop vulnerability [CVE-2018-0360]; fix PDF object length check issue, unreasonably long time to parse relatively small file [CVE-2018-0361]; new upstream version; fix Denial-of-Service issue [CVE-2018-15378]; fix infinite loop in dpkg-reconfigure
confuse Fix an out of bound read in trim_whitespace [CVE-2018-14447]
debian-installer Update for -8 kernel ABI
debian-installer-netboot-images Rebuild for the point release
dnsmasq trust-anchors.conf: include latest DNS trust anchor KSK-2017
dom4j Fix XML injection attack [CVE-2018-1000632]; compile with source/target 1.5 to fix a compilation issue with String.format
dpdk New upstream stable release
dropbear Fix user enumeration vulnerability [CVE-2018-15599]
easytag Fix OGG corruption
enigmail Add compatibility with newer Thunderbird versions
espeakup espeakup.service: Automatically load speakup_soft on daemon startup
fastforward Fix segfaults on 64-bit architectures
firetray Add compatibility with newer Thunderbird versions
firmware-nonfree Fix security issues in Broadcom wifi firmware [CVE-2016-0801 CVE-2017-0561 CVE-2017-9417 CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080 CVE-2017-13081]; re-add transitional packages for firmware-{adi,ralink}
fofix-dfsg Fix error at startup
fuse Whitelist autofs and FAT as valid mountpoint filesystems
ganeti Properly verify SSL certificates during VM export; sign generated certificates using SHA256 instead of SHA1; make bash completions autoloadable
globus-gsi-credential Fix issue with voms proxy and openssl 1.1
gnupg2 Security fixes; backport functionality required for new enigmail
gnutls28 Fix security issues [CVE-2018-10844 CVE-2018-10845]
gphoto2-cffi Make python3-gphoto2cffi work again
grub2 grub-mknetdir: Add support for ARM64 EFI; change the default TSC calibration method to pmtimer on EFI systems
hdparm Only enable APM on disks that advertise it
https-everywhere Backport new upstream version, for compatibility with Firefox ESR 60
i3-wm Fix crash upon restart when using marks
iipimage Fix Apache configuration
jhead Fix security issues [CVE-2018-17088 CVE-2018-16554]
lastpass-cli Backport hardcoded certificate pins from lastpass-cli 1.3.1 to reflect changes in hosted Lastpass.com service
ldap2zone Fix endless loop checking zone serial
libcgroup Fix world-accessible (and writeable) log files [CVE-2018-14348]
libclamunrar New upstream release
libdap Fix libdap-doc contents
libdatetime-timezone-perl Update included data
libgd2 Bmp: check return value in gdImageBmpPtr [CVE-2018-1000222]; fix potential infinite loop in gdImageCreateFromGifCtx [CVE-2018-5711]
libmail-deliverystatus-bounceparser-perl Remove non-distributable sample spam and viruses
libmspack Fix out-of-bounds write [CVE-2018-18584] and acceptance of blank filenames [CVE-2018-18585]
libopenmpt Fix up11: Out-of-bounds read loading IT / MO3 files with many pattern loops [CVE-2018-10017]
libseccomp Add support for Linux 4.9 syscalls: preadv2, pwritev2, pkey_mprotect, pkey_alloc and pkey_free; add support for statx
libtirpc rendezvous_request: check the makefd_xprt return value [CVE-2018-14622]
libx11 Fix several security issues [CVE-2018-14598 CVE-2018-14599 CVE-2018-14600]
libxcursor Fix a denial of service or potentially code execution via a one-byte heap overflow [CVE-2015-9262]
libxml-stream-perl Provide a default CA path
libxml-structured-perl Add missing build and runtime dependency on libxml-parser-perl
linux Xen: Fix boot regression in PV domains; xen-netfront: Fix regressions; ext4: fix false negatives *and* false positives in ext4_check_descriptors(); udeb: Add virtio_console to virtio-modules; cdc_ncm: avoid padding beyond end of skb; revert sit: reload iphdr in ipip6_rcv; new upstream release
lxcfs Revert uptime virtualization, fixing process start times
magicmaze Depend on fonts-isabella now that ttf-isabella is a virtual package
mailman Fix arbitrary text injection vulnerability in Mailman CGIs [CVE-2018-13796]
multipath-tools Avoid deadlock in udev triggers
nagstamon Address IcingaWeb2 Basic auth issue
network-manager libnm: Fix accessing enabled and metered properties; fix out-of-bounds heap write in dhcpv6 option handling [CVE-2018-15688] and various other issues in the sd-network based dhcp=internal plugin
network-manager-applet libnma/pygobject: libnma/NMA must use libnm/NM instead of legacy libraries
ola Fix typo in /etc/init.d/rdm_test_server; fix filename for jquery in rdm test server static HTML files
opensc Fix unbounded recursion and several out-of-bounds reads or writes [CVE-2018-16391 CVE-2018-16392 CVE-2018-16393 CVE-2018-16418 CVE-2018-16419 CVE-2018-16420 CVE-2018-16421 CVE-2018-16422 CVE-2018-16423 CVE-2018-16424 CVE-2018-16425 CVE-2018-16426 CVE-2018-16427]
pkgsel Install new dependencies when safe-upgrade (default) is selected
publicsuffix Update included data
python-django Default to supporting Spatialite >= 4.2
python-imaplib2 Install the correct module for Python 3; don't use TIMEOUT_MAX
rustc Enable building on further architectures: arm64, armel, armhf, i386, ppc64el, s390x
sddm Honour PAM's ambient supplemental groups; add missing utmp/wtmp/btmp handling
serf Fix NULL pointer dereference
soundconverter Fix opus vbr setting
spamassassin New upstream release; fix denial of service [CVE-2017-15705], remote code execution [CVE-2018-11780], code injection [CVE-2018-11781] and unsafe usage of . in @INC [CVE-2016-1238]; fix spamd service management on package upgrades
spice-gtk Fix flexible array buffer overflow [CVE-2018-10873]
sqlcipher Avoid a crash when opening a file
subversion Fix a regression introduced in the fixes for SHA1 collisions, where commits would incorrectly fail with a Filesystem is corrupt error if the delta length is a multiple of 16K
systemd networkd: Do not fail manager_connect_bus() if dbus is not active yet; dhcp6: Make sure we have enough space for the DHCP6 option header [CVE-2018-15688]
systraq Invert logic in order to exit successfully in case /e/s/Makefile is missing
tomcat-native Fix OCSP responder issue that made it possible for users to authenticate with revoked certificates when using mutual TLS [CVE-2018-8019 CVE-2018-8020]
tor Directory authority changes: retire Bifroest bridge authority, in favour of Serge; add an IPv6 address for the dannenberg directory authority
tzdata New upstream release
ublock-origin Backport new upstream version, for compatibility with Firefox ESR 60
unbound Fix vulnerability in the processing of wildcard synthesized NSEC records [CVE-2017-15105]
vagrant Support VirtualBox 5.2
vmtk python-vmtk: Add the missing dependency on python-vtk6
wesnoth-1.12 Disallow loading lua bytecode via load/dofile [CVE-2018-1999023]
wpa Ignore unauthenticated encrypted EAPOL-Key data [CVE-2018-14526]
x11vnc Fix two buffer overflows
xapian-core Fix glass backend bug with long-lived cursors on a table in a WritableDatabase which could incorrectly lead to DatabaseCorruptError being thrown when the database was actually OK
xmotd Avoid crash with hardening flags
xorg-server GLX: do not pick sRGB config for 32-bit RGBA visual - fixes various blending issues with kwin and Mesa >= 18.0 (i.e. Mesa from stretch-backports)
zutils Fix a buffer overrun in zcat [CVE-2018-1000637]

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-4074 imagemagick
DSA-4103 chromium-browser
DSA-4182 chromium-browser
DSA-4237 chromium-browser
DSA-4242 ruby-sprockets
DSA-4243 cups
DSA-4244 thunderbird
DSA-4245 imagemagick
DSA-4246 mailman
DSA-4247 ruby-rack-protection
DSA-4248 blender
DSA-4249 ffmpeg
DSA-4250 wordpress
DSA-4251 vlc
DSA-4252 znc
DSA-4253 network-manager-vpnc
DSA-4254 slurm-llnl
DSA-4256 chromium-browser
DSA-4257 fuse
DSA-4258 ffmpeg
DSA-4260 libmspack
DSA-4261 vim-syntastic
DSA-4262 symfony
DSA-4263 cgit
DSA-4264 python-django
DSA-4265 xml-security-c
DSA-4266 linux
DSA-4267 kamailio
DSA-4268 openjdk-8
DSA-4269 postgresql-9.6
DSA-4270 gdm3
DSA-4271 samba
DSA-4272 linux
DSA-4273 intel-microcode
DSA-4274 xen
DSA-4275 keystone
DSA-4276 php-horde-image
DSA-4277 mutt
DSA-4278 jetty9
DSA-4279 linux
DSA-4279 linux-latest
DSA-4280 openssh
DSA-4281 tomcat8
DSA-4282 trafficserver
DSA-4283 ruby-json-jwt
DSA-4284 lcms2
DSA-4285 sympa
DSA-4286 curl
DSA-4287 firefox-esr
DSA-4288 ghostscript
DSA-4289 chromium-browser
DSA-4290 libextractor
DSA-4291 mgetty
DSA-4292 kamailio
DSA-4293 discount
DSA-4294 ghostscript
DSA-4295 thunderbird
DSA-4296 mbedtls
DSA-4297 chromium-browser
DSA-4298 hylafax
DSA-4299 texlive-bin
DSA-4300 libarchive-zip-perl
DSA-4301 mediawiki
DSA-4302 openafs
DSA-4303 okular
DSA-4304 firefox-esr
DSA-4305 strongswan
DSA-4306 python2.7
DSA-4307 python3.5
DSA-4308 linux
DSA-4309 strongswan
DSA-4310 firefox-esr
DSA-4311 git
DSA-4312 tinc
DSA-4313 linux
DSA-4314 net-snmp
DSA-4315 wireshark
DSA-4316 imagemagick
DSA-4317 otrs2
DSA-4318 moin
DSA-4319 spice
DSA-4320 asterisk
DSA-4321 graphicsmagick
DSA-4322 libssh
DSA-4323 drupal7
DSA-4324 firefox-esr
DSA-4325 mosquitto
DSA-4326 openjdk-8
DSA-4327 thunderbird
DSA-4328 xorg-server
DSA-4329 teeworlds
DSA-4331 curl

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
adblock-plus-element-hiding-helper Incompatible with newer firefox-esr versions
all-in-one-sidebar Incompatible with newer firefox-esr versions
autofill-forms Incompatible with newer firefox-esr versions
automatic-save-folder Incompatible with newer firefox-esr versions
classic-theme-restorer Incompatible with newer firefox-esr versions
colorfultabs Incompatible with newer firefox-esr versions
custom-tab-width Incompatible with newer firefox-esr versions
dactyl Incompatible with newer firefox-esr versions
downthemall Incompatible with newer firefox-esr versions
dvips-fontdata-n2bk Empty package
firebug Incompatible with newer firefox-esr versions
firegestures Incompatible with newer firefox-esr versions
firexpath Incompatible with newer firefox-esr versions
flashgot Incompatible with newer firefox-esr versions
form-history-control Incompatible with newer firefox-esr versions
foxyproxy Incompatible with newer firefox-esr versions
gitlab Open security issues, hard to backport fixes
greasemonkey Incompatible with newer firefox-esr versions
intel-processor-trace [s390x] Only useful on Intel architectures
itsalltext Incompatible with newer firefox-esr versions
knot-resolver Security issues, hard to backport fixes
lightbeam Incompatible with newer firefox-esr versions
livehttpheaders Incompatible with newer firefox-esr versions
lyz Incompatible with newer firefox-esr versions
npapi-vlc Incompatible with newer firefox-esr versions
nukeimage Incompatible with newer firefox-esr versions
openinbrowser Incompatible with newer firefox-esr versions
perspectives-extension Incompatible with newer firefox-esr versions
pwdhash Incompatible with newer firefox-esr versions
python-facebook Broken due to upstream changes
python-tvrage Useless after tvrage.com shutdown
reloadevery Incompatible with newer firefox-esr versions
sage-extension Incompatible with newer firefox-esr versions
scrapbook Incompatible with newer firefox-esr versions
self-destructing-cookies Incompatible with newer firefox-esr versions
spdy-indicator Incompatible with newer firefox-esr versions
status-4-evar Incompatible with newer firefox-esr versions
stylish Incompatible with newer firefox-esr versions
tabmixplus Incompatible with newer firefox-esr versions
tree-style-tab Incompatible with newer firefox-esr versions
ubiquity-extension Incompatible with newer firefox-esr versions
uppity Incompatible with newer firefox-esr versions
useragentswitcher Incompatible with newer firefox-esr versions
video-without-flash Incompatible with newer firefox-esr versions
webdeveloper Incompatible with newer firefox-esr versions
xul-ext-monkeysphere Incompatible with newer firefox-esr versions

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/stretch/ChangeLog

The current stable distribution:

http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates

Stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.