Updated Debian 9: 9.12 released
February 8th, 2020
The Debian project is pleased to announce the twelfth update of its
oldstable distribution Debian 9 (codename stretch).
This point release mainly adds corrections for security issues,
along with a few adjustments for serious problems. Security advisories
have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian
9 but only updates some of the packages included. There is
no need to throw away old stretch media. After installation,
packages can be upgraded to the current versions using an up-to-date Debian
mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This oldstable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
base-files | Update for the point release |
cargo | New upstream version, to support Firefox ESR backports; fix bootstrap for armhf |
clamav | New upstream release; fix denial of service issue [CVE-2019-15961]; remove ScanOnAccess option, replacing with clamonacc |
cups | Fix validation of default language in ippSetValuetag [CVE-2019-2228] |
debian-installer | Rebuild against oldstable-proposed-updates; set gfxpayload=keep in submenus too, to fix unreadable fonts on hidpi displays in netboot images booted with EFI; update USE_UDEBS_FROM default from unstable to stretch, to help users performing local builds |
debian-installer-netboot-images | Rebuild against stretch-proposed-updates |
debian-security-support | Update security support status of several packages |
dehydrated | New upstream release; use ACMEv2 API by default |
dispmua | New upstream release compatible with Thunderbird 68 |
dpdk | New upstream stable release; fix vhost regression introduced by the fix for CVE-2019-14818 |
fence-agents | Fix incomplete removal of fence_amt_ws |
fig2dev | Allow Fig v2 text strings ending with multiple ^A [CVE-2019-19555] |
flightcrew | Security fixes [CVE-2019-13032 CVE-2019-13241] |
freetype | Correctly handle deltas in TrueType GX fonts, fixing rendering of variable hinted fonts in Chromium and Firefox |
glib2.0 | Ensure libdbus clients can authenticate with a GDBusServer like the one in ibus |
gnustep-base | Fix UDP amplification vulnerability |
italc | Security fixes [CVE-2018-15126 CVE-2018-15127 CVE-2018-20019 CVE-2018-20020 CVE-2018-20021 CVE-2018-20022 CVE-2018-20023 CVE-2018-20024 CVE-2018-20748 CVE-2018-20749 CVE-2018-20750 CVE-2018-6307 CVE-2018-7225 CVE-2019-15681] |
libdate-holidays-de-perl | Mark International Children's Day (Sep 20th) as a holiday in Thuringia from 2019 onwards |
libdatetime-timezone-perl | Update included data |
libidn | Fix denial of service vulnerability in Punycode handling [CVE-2017-14062] |
libjaxen-java | Fix build failure by allowing test failures |
libofx | Fix NULL pointer dereference issue [CVE-2019-9656] |
libole-storage-lite-perl | Fix interpretation of years from 2020 onwards |
libparse-win32registry-perl | Fix interpretation of years from 2020 onwards |
libperl4-corelibs-perl | Fix interpretation of years from 2020 onwards |
libpst | Fix detection of get_current_dir_name and return truncation |
libsixel | Fix several security issues [CVE-2018-19756 CVE-2018-19757 CVE-2018-19759 CVE-2018-19761 CVE-2018-19762 CVE-2018-19763 CVE-2019-3573 CVE-2019-3574] |
libsolv | Fix heap buffer overflow [CVE-2019-20387] |
libtest-mocktime-perl | Fix interpretation of years from 2020 onwards |
libtimedate-perl | Fix interpretation of years from 2020 onwards |
libvncserver | RFBserver: don't leak stack memory to the remote [CVE-2019-15681]; resolve a freeze during connection closure and a segmentation fault on multi-threaded VNC servers; fix issue connecting to VMWare servers; fix crashing of x11vnc when vncviewer connects |
libxslt | Fix dangling pointer in xsltCopyText [CVE-2019-18197] |
limnoria | Fix remote information disclosure and possibly remote code execution in the Math plugin [CVE-2019-19010] |
linux | New upstream stable release |
linux-latest | Update for Linux kernel ABI 4.9.0-12 |
llvm-toolchain-7 | Disable the gold linker from s390x; bootstrap with -fno-addrsig, stretch's binutils doesn't work with it on mips64el |
mariadb-10.1 | New upstream stable release [CVE-2019-2974 CVE-2020-2574] |
monit | Implement position independent CSRF cookie value |
node-fstream | Clobber a Link if it's in the way of a File [CVE-2019-13173] |
node-mixin-deep | Fix prototype pollution [CVE-2018-3719 CVE-2019-10746] |
nodejs-mozilla | New package to support Firefox ESR backports |
nvidia-graphics-drivers-legacy-340xx | New upstream stable release |
nyancat | Rebuild in a clean environment to add the systemd unit for nyancat-server |
openjpeg2 | Fix heap overflow [CVE-2018-21010], integer overflow [CVE-2018-20847] and division by zero [CVE-2016-9112] |
perl | Fix interpretation of years from 2020 onwards |
php-horde | Fix stored cross-site scripting issue in Horde Cloud Block [CVE-2019-12095] |
postfix | New upstream stable release; work around poor TCP loopback performance |
postgresql-9.6 | New upstream release |
proftpd-dfsg | Fix NULL pointer dereference in CRL checks [CVE-2019-19269] |
pykaraoke | Fix path to fonts |
python-acme | Switch to POST-as-GET protocol |
python-cryptography | Fix test suite failures when built against newer OpenSSL versions |
python-flask-rdf | Fix missing dependencies in python3-flask-rdf |
python-pgmagick | Handle version detection of graphicsmagick security updates that identify themselves as version 1.4 |
python-werkzeug | Ensure Docker containers have unique debugger PINs [CVE-2019-14806] |
ros-ros-comm | Fix buffer overflow issue [CVE-2019-13566]; fix integer overflow [CVE-2019-13445] |
ruby-encryptor | Ignore test failures, fixing build failures |
rust-cbindgen | New package to support Firefox ESR backports |
rustc | New upstream version, to support Firefox ESR backports |
safe-rm | Prevent installation in (and thereby breaking of) merged /usr environments |
sorl-thumbnail | Work around a pgmagick exception |
sssd | sysdb: sanitize search filter input [CVE-2017-12173] |
tigervnc | Security updates [CVE-2019-15691 CVE-2019-15692 CVE-2019-15693 CVE-2019-15694 CVE-2019-15695] |
tightvnc | Security fixes [CVE-2014-6053 CVE-2018-20021 CVE-2018-20022 CVE-2018-20748 CVE-2018-7225 CVE-2019-8287 CVE-2019-15678 CVE-2019-15679 CVE-2019-15680 CVE-2019-15681] |
tmpreaper | Add --protect '/tmp/systemd-private*/*' to cron job to prevent breaking systemd services that have PrivateTmp=true |
tzdata | New upstream release |
ublock-origin | New upstream version, compatible with Firefox ESR68 |
unhide | Fix stack exhaustion |
x2goclient | Strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths in scp mode; fixes regression with newer libssh versions with fixes for CVE-2019-14889 applied |
xml-security-c | Fix DSA verification crashes OpenSSL on invalid combinations of key content |
Security Updates
This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
firetray | Incompatible with current Thunderbird versions |
koji | Security issues |
python-lamson | Broken by changes in python-daemon |
radare2 | Security issues; upstream do not offer stable support |
ruby-simple-form | Unused; security issues |
trafficserver | Unsupportable |
Debian Installer
The installer has been updated to include the fixes incorporated into oldstable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current oldstable distribution:
Proposed updates to the oldstable distribution:
oldstable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.