Updated Debian 9: 9.9 released

April 27th, 2019

The Debian project is pleased to announce the ninth update of its stable distribution Debian 9 (codename stretch). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included. There is no need to throw away old stretch media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

As a special case for this point release, those using the apt-get tool to perform the upgrade will need to ensure that the dist-upgrade command is used, in order to update to the latest kernel packages. Users of other tools such as apt and aptitude should use the upgrade command.

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package	Reason
audiofile	Fix denial of service [CVE-2018-13440] and buffer overflow issues [CVE-2018-17095]
base-files	Update for the point release
bwa	Fix buffer overflow [CVE-2019-10269]
ca-certificates-java	Fix bashisms in postinst and jks-keystore
cernlib	Apply optimization flag -O to Fortran modules instead of -O2 which generates broken code; fix build failure on arm64 by disabling PIE for Fortran executables
choose-mirror	Update included mirror list
chrony	Fix logging of measurements and statistics, and stopping of chronyd, on some platforms when seccomp filtering is enabled
ckermit	Drop OpenSSL version check
clamav	Fix out-of-bounds heap access when scanning PDF documents [CVE-2019-1787], PE files packed using Aspack [CVE-2019-1789] or OLE2 files [CVE-2019-1788]
dansguardian	Add missingok to logrotate configuration
debian-installer	Rebuild against proposed-updates
debian-installer-netboot-images	Rebuild against proposed-updates
debian-security-support	Update support statuses
diffoscope	Fix tests to work with Ghostscript 9.26
dns-root-data	Update root data to 2019031302
dnsruby	Add new root key (KSK-2017); ruby 2.3.0 deprecates TimeoutError, use Timeout::Error
dpdk	New upstream stable release
edk2	Fix buffer overflow in BlockIo service [CVE-2018-12180]; DNS: Check received packet size before using [CVE-2018-12178]; fix stack overflow with corrupted BMP [CVE-2018-12181]
firmware-nonfree	atheros / iwlwifi: update BlueTooth firmware [CVE-2018-5383]
flatpak	Reject all ioctls that the kernel will interpret as TIOCSTI [CVE-2019-10063]
geant321	Rebuild against cernlib with fixed Fortran optmisations
gnome-chemistry-utils	Stop building the obsolete gcu-plugin package
gocode	gocode-auto-complete-el: Promote auto-complete-el to Pre-Depends to ensure successful upgrades
gpac	Fix buffer overflows [CVE-2018-7752 CVE-2018-20762], heap overflows [CVE-2018-13005 CVE-2018-13006 CVE-2018-20761], out-of-bounds writes [CVE-2018-20760 CVE-2018-20763]
icedtea-web	Stop building the browser plugin, no longer works with Firefox 60
igraph	Fix a crash when loading malformed GraphML files [CVE-2018-20349]
jabref	Fix XML External Entity attack [CVE-2018-1000652]
java-common	Remove the default-java-plugin package, as the icedtea-web Xul plugin is being removed
jquery	Prevent Object.prototype pollution [CVE-2019-11358]
kauth	Fix insecure handling of arguments in helpers [CVE-2019-7443]
libdate-holidays-de-perl	Add March 8th (from 2019 onwards) and May 8th (2020 only) as public holidays (Berlin only)
libdatetime-timezone-perl	Update included data
libreoffice	Introduce next Japanese gengou era 'Reiwa'; make -core conflict against openjdk-8-jre-headless (= 8u181-b13-2~deb9u1), which had a broken ClassPathURLCheck
linux	New upstream stable version
linux-latest	Update for -9 kernel ABI
mariadb-10.1	New upstream stable version
mclibs	Rebuild against cernlib with fixed Fortran optmisations
ncmpc	Fix NULL pointer dereference [CVE-2018-9240]
node-superagent	Fix ZIP bomb attacks [CVE-2017-16129]; fix syntax error
nvidia-graphics-drivers	New upstream stable release [CVE-2018-6260]
nvidia-settings	New upstream stable release
obs-build	Do not allow writing to files in the host system [CVE-2017-14804]
paw	Rebuild against cernlib with fixed Fortran optmisations
perlbrew	Allow HTTPS CPAN URLs
postfix	New upstream stable release
postgresql-9.6	New upstream stable release
psk31lx	Make version sort correctly to avoid potential upgrade issues
publicsuffix	Update included data
pyca	Add missingok to logrotate configuration
python-certbot	Revert to debhelper compat 9, to ensure systemd timers are correctly started
python-cryptography	Remove BIO_callback_ctrl: The prototype differs with the OpenSSL's definition of it after it was changed (fixed) within OpenSSL
python-django-casclient	Apply django 1.10 middleware fix; python(3)-django-casclient: fix missing dependencies on python(3)-django
python-mode	Remove support for xemacs21
python-pip	Properly catch requests' HTTPError in index.py
python-pykmip	Fix potential denial of service issue [CVE-2018-1000872]
r-cran-igraph	Fix denial of service via crafted object [CVE-2018-20349]
rails	Fix information disclosure issues [CVE-2018-16476 CVE-2019-5418], denial of service issue [CVE-2019-5419]
rsync	Several security fixes for zlib [CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843]
ruby-i18n	Prevent a remote denial-of-service vulnerability [CVE-2014-10077]
ruby2.3	Fix FTBFS
runc	Fix root privilege escalation vulnerability [CVE-2019-5736]
systemd	journald: fix assertion failure on journal_file_link_data; tmpfiles: fix e to support shell style globs; mount-util: accept that name_to_handle_at() might fail with EPERM; automount: ack automount requests even when already mounted [CVE-2018-1049]; fix potential root privilege escalation [CVE-2018-15686]
twitter-bootstrap3	Fix cross site scripting issue in tooltips or popovers [CVE-2019-8331]
tzdata	New upstream release
unzip	Fix buffer overflow in password protected ZIP archives [CVE-2018-1000035]
vcftools	Fix information disclosure [CVE-2018-11099] and denial of service [CVE-2018-11129 CVE-2018-11130] via crafted files
vips	Fix NULL function pointer dereference [CVE-2018-7998], uninitialised memory access [CVE-2019-6976]
waagent	New upstream release, with many Azure fixes [CVE-2019-0804]
yorick-av	Rescale frame timestamps; set VBV buffer size for MPEG1/2 files
zziplib	Fix invalid memory access [CVE-2018-6381], bus error [CVE-2018-6540], out-of-bounds read [CVE-2018-7725], crash via crafted zip file [CVE-2018-7726], memory leak [CVE-2018-16548]; reject ZIP file if the size of the central directory and/or the offset of start of central directory point beyond the end of the ZIP file [CVE-2018-6484, CVE-2018-6541, CVE-2018-6869]

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID	Package
DSA-4259	ruby2.3
DSA-4332	ruby2.3
DSA-4341	mariadb-10.1
DSA-4373	coturn
DSA-4374	qtbase-opensource-src
DSA-4377	rssh
DSA-4385	dovecot
DSA-4387	openssh
DSA-4388	mosquitto
DSA-4389	libu2f-host
DSA-4390	flatpak
DSA-4391	firefox-esr
DSA-4392	thunderbird
DSA-4393	systemd
DSA-4394	rdesktop
DSA-4396	ansible
DSA-4397	ldb
DSA-4398	php7.0
DSA-4399	ikiwiki
DSA-4400	openssl1.0
DSA-4401	wordpress
DSA-4402	mumble
DSA-4403	php7.0
DSA-4405	openjpeg2
DSA-4406	waagent
DSA-4407	xmltooling
DSA-4408	liblivemedia
DSA-4409	neutron
DSA-4410	openjdk-8
DSA-4411	firefox-esr
DSA-4412	drupal7
DSA-4413	ntfs-3g
DSA-4414	libapache2-mod-auth-mellon
DSA-4415	passenger
DSA-4416	wireshark
DSA-4417	firefox-esr
DSA-4418	dovecot
DSA-4419	twig
DSA-4420	thunderbird
DSA-4422	apache2
DSA-4423	putty
DSA-4424	pdns
DSA-4425	wget
DSA-4426	tryton-server
DSA-4427	samba
DSA-4428	systemd
DSA-4429	spip
DSA-4430	wpa
DSA-4431	libssh2
DSA-4432	ghostscript
DSA-4433	ruby2.3
DSA-4434	drupal7

Removed packages

The following packages were removed due to circumstances beyond our control:

Package	Reason
gcontactsync	Incompatible with newer firefox-esr versions
google-tasks-sync	Incompatible with newer firefox-esr versions
mozilla-gnome-kerying	Incompatible with newer firefox-esr versions
tbdialout	Incompatible with newer thunderbird versions
timeline	Incompatible with newer thunderbird versions

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/stretch/ChangeLog

The current stable distribution:

http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.