Updated Debian 9: 9.10 released

7 September 2019

The Debian project is pleased to announce the tenth update of its oldstable distribution Debian 9 (codename stretch). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included. There is no need to throw away old stretch media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org will not have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the usual locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list
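The upgrade path above (point apt at a mirror, then update) as a worked example. This script is an added illustration, not part of the Debian announcement or of any Debian tool; the function names, the use of http://deb.debian.org/debian as the default mirror, and the --run guard are assumptions. It refuses to rewrite sources.list unless the machine really is running stretch, reading VERSION_CODENAME from /etc/os-release (which, per the base-files entry in this release, is only present from 9.10 onward) and falling back to the codename in PRETTY_NAME on older point releases.

```shell
#!/bin/sh
# Added example (not from the Debian announcement): check that a system is
# running stretch, point apt at a Debian mirror plus security.debian.org,
# and apply the point release. MIRROR is an assumption; choose one from
# https://www.debian.org/mirror/list.

set -u

# Print the release codename recorded in an os-release file ("stretch" for
# Debian 9). Systems still on a pre-9.10 base-files have no VERSION_CODENAME
# line, so fall back to the "(codename)" suffix in PRETTY_NAME.
codename_from_os_release() {
    file="${1:-/etc/os-release}"
    name=$(sed -n 's/^VERSION_CODENAME=//p' "$file" | tr -d '"')
    if [ -z "$name" ]; then
        name=$(sed -n 's/^PRETTY_NAME=.*(\([a-z]*\)).*/\1/p' "$file")
    fi
    printf '%s\n' "$name"
}

# Return 0 when the os-release file describes a stretch system, 1 otherwise.
is_stretch() {
    [ "$(codename_from_os_release "${1:-/etc/os-release}")" = "stretch" ]
}

# Emit sources.list entries for stretch: the chosen mirror for the main
# archive and stretch-updates, and security.debian.org for the DSAs that the
# announcement says are published separately.
sources_list_for_stretch() {
    mirror="$1"
    printf 'deb %s stretch main\n' "$mirror"
    printf 'deb %s stretch-updates main\n' "$mirror"
    printf 'deb http://security.debian.org/debian-security stretch/updates main\n'
}

# Rewrite sources.list (keeping a backup) and upgrade. dist-upgrade rather
# than upgrade so that the new 4.9.0-11 kernel ABI package pulled in by
# linux-latest can be installed.
apply_point_release() {
    mirror="$1"
    if ! is_stretch; then
        echo "not a stretch system; refusing to rewrite sources.list" >&2
        return 1
    fi
    cp /etc/apt/sources.list /etc/apt/sources.list.bak
    sources_list_for_stretch "$mirror" > /etc/apt/sources.list
    apt-get update && apt-get dist-upgrade
    cat /etc/debian_version   # should read 9.10 once the upgrade completes
}

# Only perform the upgrade when invoked explicitly: sh upgrade.sh --run
if [ "${1:-}" = "--run" ]; then
    apply_point_release "${MIRROR:-http://deb.debian.org/debian}"
fi
```

Run it as root with `MIRROR=http://your.mirror/debian sh upgrade.sh --run`; without `--run` it only defines the functions, so the release check and the generated sources.list can be inspected first.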

Miscellaneous bugfixes

This oldstable update adds a few important corrections to the following packages:

Package    Reason
base-files Update for the point release; add VERSION_CODENAME to os-release
basez Properly decode base64url encoded strings
biomaj-watcher Fix upgrades from jessie to stretch
c-icap-modules Add support for clamav 0.101.1
chaosreader Add missing dependency on libnet-dns-perl
clamav New upstream stable release: add scan time limit to mitigate against zip-bombs [CVE-2019-12625]; fix out-of-bounds write within the NSIS bzip2 library [CVE-2019-12900]
corekeeper Do not use a world-writable /var/crash with the dumper script; handle older versions of the Linux kernel in a safer way; do not truncate core names for executables with spaces
cups Fix multiple security/disclosure issues - SNMP buffer overflows [CVE-2019-8696 CVE-2019-8675], IPP buffer overflow, Denial of Service and memory disclosure issues in the scheduler
dansguardian Add support for clamav 0.101
dar Rebuild to update built-using packages
debian-archive-keyring Add buster keys; remove wheezy keys
fence-agents Fix denial of service issue [CVE-2019-10153]
fig2dev Do not segfault on circle/half circle arrowheads with a magnification larger than 42 [CVE-2019-14275]
fribidi Fix right-to-left output in debian-installer text mode
fusiondirectory Stricter checks on LDAP lookups; add missing dependency on php-xml
gettext Stop xgettext() from crashing when run with --its=FILE option
glib2.0 Create directory and file with restrictive permissions when using the GKeyfileSettingsBackend [CVE-2019-13012]; avoid buffer read overrun when formatting error messages for invalid UTF-8 in GMarkup [CVE-2018-16429]; avoid NULL dereference when parsing invalid GMarkup with a malformed closing tag not paired with an opening tag [CVE-2018-16429]
gocode gocode-auto-complete-el: Make pre-dependency on auto-complete-el versioned to fix upgrades from jessie to stretch
groonga Mitigate privilege escalation by changing the owner and group of logs with su option
grub2 Fixes for Xen UEFI support
gsoap Fix denial of service issue if a server application is built with the -DWITH_COOKIES flag [CVE-2019-7659]; fix issue with DIME protocol receiver and malformed DIME headers
gthumb Fix double-free bug [CVE-2018-18718]
havp Add support for clamav 0.101.1
icu Fix segfault in pkgdata command
koji Fix SQL injection issue [CVE-2018-1002161]; properly validate SCM paths [CVE-2017-1002153]
lemonldap-ng Fix cross-domain authentication regression; fix XML external entity vulnerability
libcaca Fix integer overflow issues [CVE-2018-20545 CVE-2018-20546 CVE-2018-20547 CVE-2018-20548 CVE-2018-20549]
libclamunrar New upstream stable release
libconvert-units-perl No-change rebuild with fixed version number
libdatetime-timezone-perl Update included data
libebml Apply upstream fixes for heap-based buffer over-reads
libevent-rpc-perl Fix build failure due to expired test SSL certificates
libgd2 Fix uninitialized read in gdImageCreateFromXbm [CVE-2019-11038]
libgovirt Re-generate test certificates with expiration date far in the future to avoid test failures
librecad Fix denial of service via crafted file [CVE-2018-19105]
libsdl2-image Fix multiple security issues
libthrift-java Fix bypass of SASL negotiation [CVE-2018-1320]
libtk-img Stop using internal copies of JPEG, Zlib and PixarLog codecs, fixing crashes
libu2f-host Fix stack memory leak [CVE-2019-9578]
libxslt Fix security framework bypass [CVE-2019-11068]; fix uninitialized read of xsl:number token [CVE-2019-13117]; fix uninitialized read with UTF-8 grouping chars [CVE-2019-13118]
linux New upstream version with ABI bump; security fixes [CVE-2015-8553 CVE-2017-5967 CVE-2018-20509 CVE-2018-20510 CVE-2018-20836 CVE-2018-5995 CVE-2019-11487 CVE-2019-3882]
linux-latest Update for 4.9.0-11 kernel ABI
liquidsoap Fix compilation with Ocaml 4.02
llvm-toolchain-7 New package to support building new Firefox versions
mariadb-10.1 New upstream stable release; security fixes [CVE-2019-2737 CVE-2019-2739 CVE-2019-2740 CVE-2019-2805 CVE-2019-2627 CVE-2019-2614]
minissdpd Prevent a use-after-free vulnerability that would allow a remote attacker to crash the process [CVE-2019-12106]
miniupnpd Fix denial of service issues [CVE-2019-12108 CVE-2019-12109 CVE-2019-12110]; fix information leak [CVE-2019-12107]
mitmproxy Blacklist tests that require Internet access; prevent insertion of unwanted upper-bound versioned dependencies
monkeysphere Fix build failure by updating the tests to accommodate an updated GnuPG in stretch now producing a different output
nasm-mozilla New package to support building new Firefox versions
ncbi-tools6 Repackage without non-free data/UniVec.*
node-growl Sanitize input before passing it to exec
node-ws Restrict upload size [CVE-2016-10542]
open-vm-tools Fix possible security issue with the permissions of the intermediate staging directory and path
openldap Restrict rootDN proxyauthz to its own databases [CVE-2019-13057]; enforce sasl_ssf ACL statement on every connection [CVE-2019-13565]; fix slapo-rwm to not free original filter when rewritten filter is invalid
openssh Fix deadlock in key matching
passwordsafe Don't install localization files under an extra subdirectory
pound Fix request smuggling via crafted headers [CVE-2016-10711]
prelink Rebuild to update built-using packages
python-clamav Add support for clamav 0.101.1
reportbug Update release names, following buster release
resiprocate Resolve an installation issue with libssl-dev and --install-recommends
sash Rebuild to update built-using packages
sdl-image1.2 Fix buffer overflows [CVE-2018-3977 CVE-2019-5058 CVE-2019-5052], out-of-bounds access [CVE-2019-12216 CVE-2019-12217 CVE-2019-12218 CVE-2019-12219 CVE-2019-12220 CVE-2019-12221 CVE-2019-12222 CVE-2019-5051]
signing-party Fix unsafe shell call enabling shell injection via a User ID [CVE-2019-11627]
slurm-llnl Fix potential heap overflow on 32-bit systems [CVE-2019-6438]
sox Fix several security issues [CVE-2019-8354 CVE-2019-8355 CVE-2019-8356 CVE-2019-8357 927906 CVE-2019-1010004 CVE-2017-18189 881121 CVE-2017-15642 882144 CVE-2017-15372 878808 CVE-2017-15371 878809 CVE-2017-15370 878810 CVE-2017-11359 CVE-2017-11358 CVE-2017-11332]
systemd Do not stop ndisc client in case of configuration error
t-digest No-change rebuild to avoid re-use of pre-epoch version 3.0-1
tenshi Fix PID file issue that allows local users to kill arbitrary processes [CVE-2017-11746]
tzdata New upstream release
unzip Fix incorrect parsing of 64-bit values in fileio.c; fix zip-bomb issues [CVE-2019-13232]
usbutils Update USB ID list
xymon Fix several (server only) security issues [CVE-2019-13273 CVE-2019-13274 CVE-2019-13451 CVE-2019-13452 CVE-2019-13455 CVE-2019-13484 CVE-2019-13485 CVE-2019-13486]
yubico-piv-tool Fix security issues [CVE-2018-14779 CVE-2018-14780]
z3 Do not set the SONAME of libz3java.so to libz3.so.4
zfs-auto-snapshot Make cron jobs exit silently after package removal
zsh Rebuild to update built-using packages

Security updates

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:

Advisory ID    Package
DSA-4435 libpng1.6
DSA-4436 imagemagick
DSA-4437 gst-plugins-base1.0
DSA-4438 atftp
DSA-4439 postgresql-9.6
DSA-4440 bind9
DSA-4441 symfony
DSA-4442 cups-filters
DSA-4442 ghostscript
DSA-4443 samba
DSA-4444 linux
DSA-4445 drupal7
DSA-4446 lemonldap-ng
DSA-4447 intel-microcode
DSA-4448 firefox-esr
DSA-4449 ffmpeg
DSA-4450 wpa
DSA-4451 thunderbird
DSA-4452 jackson-databind
DSA-4453 openjdk-8
DSA-4454 qemu
DSA-4455 heimdal
DSA-4456 exim4
DSA-4457 evolution
DSA-4458 cyrus-imapd
DSA-4459 vlc
DSA-4460 mediawiki
DSA-4461 zookeeper
DSA-4462 dbus
DSA-4463 znc
DSA-4464 thunderbird
DSA-4465 linux
DSA-4466 firefox-esr
DSA-4467 vim
DSA-4468 php-horde-form
DSA-4469 libvirt
DSA-4470 pdns
DSA-4471 thunderbird
DSA-4472 expat
DSA-4473 rdesktop
DSA-4475 openssl
DSA-4475 openssl1.0
DSA-4476 python-django
DSA-4477 zeromq3
DSA-4478 dosbox
DSA-4480 redis
DSA-4481 ruby-mini-magick
DSA-4482 thunderbird
DSA-4483 libreoffice
DSA-4485 openjdk-8
DSA-4487 neovim
DSA-4488 exim4
DSA-4489 patch
DSA-4490 subversion
DSA-4491 proftpd-dfsg
DSA-4492 postgresql-9.6
DSA-4494 kconfig
DSA-4498 python-django
DSA-4499 ghostscript
DSA-4501 libreoffice
DSA-4504 vlc
DSA-4505 nginx
DSA-4506 qemu
DSA-4509 apache2
DSA-4510 dovecot

Removed packages

The following packages were removed due to circumstances beyond our control:

Package    Reason
pump Unmaintained; security issues
teeworlds Security issues; incompatible with current servers

Debian Installer

The installer has been updated to include the fixes incorporated into oldstable by the point release.

URLs

The complete list of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/stretch/ChangeLog

The current oldstable distribution:

http://ftp.debian.org/debian/dists/oldstable/

Proposed updates to the oldstable distribution:

http://ftp.debian.org/debian/dists/oldstable-proposed-updates

Oldstable distribution information (release notes, errata, etc.):

https://www.debian.org/releases/oldstable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.