Updated Debian 9: 9.12 released

February 8th, 2020

The Debian project is pleased to announce the twelfth update of its oldstable distribution Debian 9 (codename stretch). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included. There is no need to throw away old stretch media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:


Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following packages:

Package Reason
base-files Update for the point release
cargo New upstream version, to support Firefox ESR backports; fix bootstrap for armhf
clamav New upstream release; fix denial of service issue [CVE-2019-15961]; remove ScanOnAccess option, replacing with clamonacc
cups Fix validation of default language in ippSetValuetag [CVE-2019-2228]
debian-installer Rebuild against oldstable-proposed-updates; set gfxpayload=keep in submenus too, to fix unreadable fonts on hidpi displays in netboot images booted with EFI; update USE_UDEBS_FROM default from unstable to stretch, to help users performing local builds
debian-installer-netboot-images Rebuild against stretch-proposed-updates
debian-security-support Update security support status of several packages
dehydrated New upstream release; use ACMEv2 API by default
dispmua New upstream release compatible with Thunderbird 68
dpdk New upstream stable release; fix vhost regression introduced by the fix for CVE-2019-14818
fence-agents Fix incomplete removal of fence_amt_ws
fig2dev Allow Fig v2 text strings ending with multiple ^A [CVE-2019-19555]
flightcrew Security fixes [CVE-2019-13032 CVE-2019-13241]
freetype Correctly handle deltas in TrueType GX fonts, fixing rendering of variable hinted fonts in Chromium and Firefox
glib2.0 Ensure libdbus clients can authenticate with a GDBusServer like the one in ibus
gnustep-base Fix UDP amplification vulnerability
italc Security fixes [CVE-2018-15126 CVE-2018-15127 CVE-2018-20019 CVE-2018-20020 CVE-2018-20021 CVE-2018-20022 CVE-2018-20023 CVE-2018-20024 CVE-2018-20748 CVE-2018-20749 CVE-2018-20750 CVE-2018-6307 CVE-2018-7225 CVE-2019-15681]
libdate-holidays-de-perl Mark International Childrens Day (Sep 20th) as a holiday in Thuringia from 2019 onwards
libdatetime-timezone-perl Update included data
libidn Fix denial of service vulnerability in Punycode handling [CVE-2017-14062]
libjaxen-java Fix build failure by allowing test failures
libofx Fix NULL pointer dereference issue [CVE-2019-9656]
libole-storage-lite-perl Fix interpretation of years from 2020 onwards
libparse-win32registry-perl Fix interpretation of years from 2020 onwards
libperl4-corelibs-perl Fix interpretation of years from 2020 onwards
libpst Fix detection of get_current_dir_name and return truncation
libsixel Fix several security issues [CVE-2018-19756 CVE-2018-19757 CVE-2018-19759 CVE-2018-19761 CVE-2018-19762 CVE-2018-19763 CVE-2019-3573 CVE-2019-3574]
libsolv Fix heap buffer overflow [CVE-2019-20387]
libtest-mocktime-perl Fix interpretation of years from 2020 onwards
libtimedate-perl Fix interpretation of years from 2020 onwards
libvncserver RFBserver: don't leak stack memory to the remote [CVE-2019-15681]; resolve a freeze during connection closure and a segmentation fault on multi-threaded VNC servers; fix issue connecting to VMWare servers; fix crashing of x11vnc when vncviewer connects
libxslt Fix dangling pointer in xsltCopyText [CVE-2019-18197]
limnoria Fix remote information disclosure and possibly remote code execution in the Math plugin [CVE-2019-19010]
linux New upstream stable release
linux-latest Update for Linux kernel ABI 4.9.0-12
llvm-toolchain-7 Disable the gold linker from s390x; bootstrap with -fno-addrsig, stretch's binutils doesn't work with it on mips64el
mariadb-10.1 New upstream stable release [CVE-2019-2974 CVE-2020-2574]
monit Implement position independent CSRF cookie value
node-fstream Clobber a Link if it's in the way of a File [CVE-2019-13173]
node-mixin-deep Fix prototype polution [CVE-2018-3719 CVE-2019-10746]
nodejs-mozilla New package to support Firefox ESR backports
nvidia-graphics-drivers-legacy-340xx New upstream stable release
nyancat Rebuild in a clean environment to add the systemd unit for nyancat-server
openjpeg2 Fix heap overflow [CVE-2018-21010], integer overflow [CVE-2018-20847] and division by zero [CVE-2016-9112]
perl Fix interpretation of years from 2020 onwards
php-horde Fix stored cross-site scripting issue in Horde Cloud Block [CVE-2019-12095]
postfix New upstream stable release; work around poor TCP loopback performance
postgresql-9.6 New upstream release
proftpd-dfsg Fix NULL pointer dereference in CRL checks [CVE-2019-19269]
pykaraoke Fix path to fonts
python-acme Switch to POST-as-GET protocol
python-cryptography Fix test suite failures when built against newer OpenSSL versions
python-flask-rdf Fix missing dependencies in python3-flask-rdf
python-pgmagick Handle version detection of graphicsmagick security updates that identify themselves as version 1.4
python-werkzeug Ensure Docker containers have unique debugger PINs [CVE-2019-14806]
ros-ros-comm Fix buffer overflow issue [CVE-2019-13566]; fix integer overflow [CVE-2019-13445]
ruby-encryptor Ignore test failures, fixing build failures
rust-cbindgen New package to support Firefox ESR backports
rustc New upstream version, to support Firefox ESR backports
safe-rm Prevent installation in (and thereby breaking of) merged /usr environments
sorl-thumbnail Workaround a pgmagick exception
sssd sysdb: sanitize search filter input [CVE-2017-12173]
tigervnc Security updates [CVE-2019-15691 CVE-2019-15692 CVE-2019-15693 CVE-2019-15694 CVE-2019-15695]
tightvnc Security fixes [CVE-2014-6053 CVE-2018-20021 CVE-2018-20022 CVE-2018-20748 CVE-2018-7225 CVE-2019-8287 CVE-2019-15678 CVE-2019-15679 CVE-2019-15680 CVE-2019-15681]
tmpreaper Add --protect '/tmp/systemd-private*/*' to cron job to prevent breaking systemd services that have PrivateTmp=true
tzdata New upstream release
ublock-origin New upstream version, compatible with Firefox ESR68
unhide Fix stack exhaustion
x2goclient Strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths in scp mode; fixes regression with newer libssh versions with fixes for CVE-2019-14889 applied
xml-security-c Fix DSA verification crashes OpenSSL on invalid combinations of key content

Security Updates

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-4474 firefox-esr
DSA-4479 firefox-esr
DSA-4509 apache2
DSA-4509 subversion
DSA-4511 nghttp2
DSA-4516 firefox-esr
DSA-4517 exim4
DSA-4518 ghostscript
DSA-4519 libreoffice
DSA-4522 faad2
DSA-4523 thunderbird
DSA-4525 ibus
DSA-4526 opendmarc
DSA-4528 bird
DSA-4529 php7.0
DSA-4530 expat
DSA-4531 linux
DSA-4532 spip
DSA-4535 e2fsprogs
DSA-4537 file-roller
DSA-4539 openssl
DSA-4540 openssl1.0
DSA-4541 libapreq2
DSA-4542 jackson-databind
DSA-4543 sudo
DSA-4545 mediawiki
DSA-4547 tcpdump
DSA-4548 openjdk-8
DSA-4549 firefox-esr
DSA-4550 file
DSA-4552 php7.0
DSA-4554 ruby-loofah
DSA-4555 pam-python
DSA-4557 libarchive
DSA-4559 proftpd-dfsg
DSA-4560 simplesamlphp
DSA-4564 linux
DSA-4565 intel-microcode
DSA-4567 dpdk
DSA-4568 postgresql-common
DSA-4569 ghostscript
DSA-4571 thunderbird
DSA-4573 symfony
DSA-4574 redmine
DSA-4576 php-imagick
DSA-4578 libvpx
DSA-4580 firefox-esr
DSA-4581 git
DSA-4582 davical
DSA-4584 spamassassin
DSA-4585 thunderbird
DSA-4587 ruby2.3
DSA-4588 python-ecdsa
DSA-4589 debian-edu-config
DSA-4590 cyrus-imapd
DSA-4591 cyrus-sasl2
DSA-4592 mediawiki
DSA-4593 freeimage
DSA-4594 openssl1.0
DSA-4595 debian-lan-config
DSA-4596 tomcat8
DSA-4596 tomcat-native
DSA-4597 netty
DSA-4598 python-django
DSA-4600 firefox-esr
DSA-4601 ldm
DSA-4602 xen
DSA-4603 thunderbird
DSA-4604 cacti
DSA-4607 openconnect
DSA-4609 python-apt
DSA-4611 opensmtpd
DSA-4612 prosody-modules
DSA-4614 sudo
DSA-4615 spamassassin

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
firetray Incompatible with current Thunderbird versions
koji Security issues
python-lamson Broken by changes in python-daemon
radare2 Security issues; upstream do not offer stable support
ruby-simple-form Unused; security issues
trafficserver Unsupportable

Debian Installer

The installer has been updated to include the fixes incorporated into oldstable by the point release.


The complete lists of packages that have changed with this revision:


The current oldstable distribution:


Proposed updates to the oldstable distribution:


oldstable distribution information (release notes, errata etc.):


Security announcements and information:


About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.