Updated Debian 9: 9.13 released

July 18th, 2020

The Debian project is pleased to announce the thirteenth (and final) update of its oldstable distribution Debian 9 (codename stretch). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

After this point release, Debian's Security and Release Teams will no longer be producing updates for Debian 9. Users wishing to continue to receive security support should upgrade to Debian 10, or see https://wiki.debian.org/LTS for details about the subset of architectures and packages covered by the Long Term Support project.

Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included. There is no need to throw away old stretch media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list
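A practitioner check to go with the upgrade step above, added here as an example and not part of the Debian announcement: the suite aliases `oldstable`, `stable` and `testing` are moving targets (the `oldstable` alias will point at Debian 10 once Debian 11 is released), so a sources.list written with `oldstable` can silently start pulling a different release after this final stretch point release. The script below pins such entries to the `stretch` codename, checks that the stretch security archive is still configured, and confirms `/etc/debian_version` reports 9.13. It assumes the host is Debian 9 (so `oldstable` means stretch, which holds at the time of 9.13) and runs against a constructed sample sources.list rather than a real host's file.

```shell
#!/bin/sh
# Added example, not code from the Debian announcement.
# After 9.13 the "oldstable" suite alias keeps moving (to buster once bullseye
# is released), so sources.list entries written with the alias can silently
# switch release. Pin them to the codename and verify the point release.

# Rewrite "oldstable", "oldstable/updates", "oldstable-updates" and
# "oldstable-proposed-updates" to their stretch equivalents, leaving
# option fields such as "[arch=amd64]" and the component list untouched.
# Reads the file(s) given as arguments, or stdin; writes to stdout.
# Assumption: the host is Debian 9, so "oldstable" means stretch.
pin_stretch_sources() {
    sed -E \
        -e 's#^(deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?[^[:space:]]+[[:space:]]+)oldstable(/updates|-updates|-proposed-updates)?([[:space:]])#\1stretch\4\5#' \
        "$@"
}

# True when the given sources file(s) still carry the stretch security
# archive on security.debian.org, where stretch security updates are published.
has_stretch_security() {
    grep -Eq '^deb[[:space:]].*security\.debian\.org.*[[:space:]]stretch/updates[[:space:]]' "$@"
}

# True when the debian_version file (default /etc/debian_version) says 9.13,
# i.e. base-files from this point release is installed.
at_point_release() {
    [ "$(cat "${1:-/etc/debian_version}")" = "9.13" ]
}

# Constructed sample sources.list (not taken from a real host) for the demo.
sample='deb http://deb.debian.org/debian oldstable main contrib
deb-src http://deb.debian.org/debian oldstable main
deb [arch=amd64] http://security.debian.org/debian-security oldstable/updates main
deb http://deb.debian.org/debian oldstable-updates main'

echo "# pinned sources:"
printf '%s\n' "$sample" | pin_stretch_sources
```

To apply it to a real host, run `pin_stretch_sources /etc/apt/sources.list` into a temporary file, review the diff, replace the original, then `apt-get update && apt-get upgrade` as usual. `check-support-status` from the debian-security-support package, which this point release also updates, lists installed packages whose security support has ended.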

Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following packages:

Package Reason
acmetool Rebuild against recent golang to pick up security fixes
atril dvi: Mitigate command injection attacks by quoting filename [CVE-2017-1000159]; fix overflow checks in tiff backend [CVE-2019-1010006]; tiff: Handle failure from TIFFReadRGBAImageOriented [CVE-2019-11459]
bacula Add transitional package bacula-director-common, avoiding loss of /etc/bacula/bacula-dir.conf when purged; make PID files owned by root
base-files Update /etc/debian_version for the point release
batik Fix server-side request forgery via xlink:href attributes [CVE-2019-17566]
c-icap-modules Support ClamAV 0.102
ca-certificates Update Mozilla CA bundle to 2.40, blacklist distrusted Symantec roots and expired AddTrust External Root; remove e-mail only certificates
chasquid Rebuild against recent golang to pick up security fixes
checkstyle Fix XML External Entity injection issue [CVE-2019-9658 CVE-2019-10782]
clamav New upstream release [CVE-2020-3123]; security fixes [CVE-2020-3327 CVE-2020-3341]
compactheader New upstream version, compatible with newer Thunderbird versions
cram Ignore test failures to fix build issues
csync2 Fail HELLO command when SSL is required
cups Fix heap buffer overflow [CVE-2020-3898] and an under-read of an extension field in the `ippReadIO` function [CVE-2019-8842]
dbus New upstream stable release; prevent a denial of service issue [CVE-2020-12049]; prevent use-after-free if two usernames share a uid
debian-installer Update for the 4.9.0-13 Linux kernel ABI
debian-installer-netboot-images Rebuild against stretch-proposed-updates
debian-security-support Update support status of several packages
erlang Fix use of weak TLS ciphers [CVE-2020-12872]
exiv2 Fix denial of service issue [CVE-2018-16336]; relax the over-restrictive fix for CVE-2018-10958 and CVE-2018-10999
fex Security update
file-roller Security fix [CVE-2020-11736]
fwupd New upstream release; use a CNAME to redirect to the correct CDN for metadata; do not abort startup if the XML metadata file is invalid; add the Linux Foundation public GPG keys for firmware and metadata; raise the metadata limit to 10MB
glib-networking Return bad identity error if identity is unset [CVE-2020-13645]
gnutls28 Fix memory corruption issue [CVE-2019-3829]; fix memory leak; add support for zero length session tickets, fix connection errors on TLS1.2 sessions to some hosting providers
gosa Tighten check on LDAP success/failure [CVE-2019-11187]; fix compatibility with newer PHP versions; backport several other patches; replace (un)serialize with json_encode/json_decode to mitigate PHP object injection [CVE-2019-14466]
heartbleeder Rebuild against recent golang to pick up security fixes
intel-microcode Downgrade some microcodes to previously released revisions, working around hangs on boot on Skylake-U/Y and Skylake Xeon E3
iptables-persistent Don't fail if modprobe does
jackson-databind Fix multiple security issues affecting BeanDeserializerFactory [CVE-2020-9548 CVE-2020-9547 CVE-2020-9546 CVE-2020-8840 CVE-2020-14195 CVE-2020-14062 CVE-2020-14061 CVE-2020-14060 CVE-2020-11620 CVE-2020-11619 CVE-2020-11113 CVE-2020-11112 CVE-2020-11111 CVE-2020-10969 CVE-2020-10968 CVE-2020-10673 CVE-2020-10672 CVE-2019-20330 CVE-2019-17531 and CVE-2019-17267]
libbusiness-hours-perl Use explicit 4 digit years, fixing build and usage issues
libclamunrar New upstream stable release; add an unversioned meta-package
libdbi Comment out _error_handler() call again, fixing issues with consumers
libembperl-perl Handle error pages from Apache >= 2.4.40
libexif Security fixes [CVE-2016-6328 CVE-2017-7544 CVE-2018-20030 CVE-2020-12767 CVE-2020-0093 CVE-2020-13112 CVE-2020-13113 CVE-2020-13114]; fix a buffer read overflow [CVE-2020-0182] and an unsigned integer overflow [CVE-2020-0198]
libvncserver Fix heap overflow [CVE-2019-15690]
linux New upstream stable release; update ABI to 4.9.0-13
linux-latest Update for 4.9.0-13 kernel ABI
mariadb-10.1 New upstream stable release; security fixes [CVE-2020-2752 CVE-2020-2812 CVE-2020-2814]
megatools Add support for the new format of mega.nz links
mod-gnutls Avoid deprecated ciphersuites in test suite; fix test failures when combined with Apache's fix for CVE-2019-10092
mongo-tools Rebuild against recent golang to pick up security fixes
neon27 Treat OpenSSL-related test failures as non-fatal
nfs-utils Fix potential file overwrite vulnerability [CVE-2019-3689]; don't make all of /var/lib/nfs owned by the statd user
nginx Fix error page request smuggling vulnerability [CVE-2019-20372]
node-url-parse Sanitize paths and hosts before parsing [CVE-2018-3774]
nvidia-graphics-drivers New upstream stable releases; security fixes [CVE-2020-5963 CVE-2020-5967]
pcl Fix missing dependency on libvtk6-qt-dev
perl Fix multiple regular expression related security issues [CVE-2020-10543 CVE-2020-10878 CVE-2020-12723]
php-horde Fix cross-site scripting vulnerability [CVE-2020-8035]
php-horde-data Fix authenticated remote code execution vulnerability [CVE-2020-8518]
php-horde-form Fix authenticated remote code execution vulnerability [CVE-2020-8866]
php-horde-gollem Fix cross-site scripting vulnerability in breadcrumb output [CVE-2020-8034]
php-horde-trean Fix authenticated remote code execution vulnerability [CVE-2020-8865]
phpmyadmin Several security fixes [CVE-2018-19968 CVE-2018-19970 CVE-2018-7260 CVE-2019-11768 CVE-2019-12616 CVE-2019-6798 CVE-2019-6799 CVE-2020-10802 CVE-2020-10803 CVE-2020-10804 CVE-2020-5504]
postfix New upstream stable release
proftpd-dfsg Fix handling SSH_MSG_IGNORE packets
python-icalendar Fix Python3 dependencies
rails Fix possible cross-site scripting via Javascript escape helper [CVE-2020-5267]
rake Fix command injection vulnerability [CVE-2020-8130]
roundcube Fix cross-site scripting issue via HTML messages with malicious svg/namespace [CVE-2020-15562]
ruby-json Fix unsafe object creation vulnerability [CVE-2020-10663]
ruby2.3 Fix unsafe object creation vulnerability [CVE-2020-10663]
sendmail Fix finding the queue runner control process in split daemon mode; fix "NOQUEUE: connect from (null)" log entries; fix removal failure when using BTRFS
sogo-connector New upstream version, compatible with newer Thunderbird versions
ssvnc Fix out-of-bounds write [CVE-2018-20020], infinite loop [CVE-2018-20021], improper initialisation [CVE-2018-20022], potential denial-of-service [CVE-2018-20024]
storebackup Fix possible privilege escalation vulnerability [CVE-2020-7040]
swt-gtk Fix missing dependency on libwebkitgtk-1.0-0
tinyproxy Create PID file before dropping privileges to non-root account [CVE-2017-11747]
tzdata New upstream stable release
websockify Fix missing dependency on python{3,}-pkg-resources
wpa Fix AP mode PMF disconnection protection bypass [CVE-2019-16275]; fix MAC randomisation issues with some cards
xdg-utils Sanitise window name before sending it over D-Bus; correctly handle directories with names containing spaces; create the applications directory if needed
xml-security-c Fix length calculation in the concat method
xtrlock Fix blocking of (some) multitouch devices while locked [CVE-2016-10894]

Security Updates

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-4005 openjfx
DSA-4255 ant
DSA-4352 chromium-browser
DSA-4379 golang-1.7
DSA-4380 golang-1.8
DSA-4395 chromium
DSA-4421 chromium
DSA-4616 qemu
DSA-4617 qtbase-opensource-src
DSA-4618 libexif
DSA-4619 libxmlrpc3-java
DSA-4620 firefox-esr
DSA-4621 openjdk-8
DSA-4622 postgresql-9.6
DSA-4624 evince
DSA-4625 thunderbird
DSA-4628 php7.0
DSA-4629 python-django
DSA-4630 python-pysaml2
DSA-4631 pillow
DSA-4632 ppp
DSA-4633 curl
DSA-4634 opensmtpd
DSA-4635 proftpd-dfsg
DSA-4637 network-manager-ssh
DSA-4639 firefox-esr
DSA-4640 graphicsmagick
DSA-4642 thunderbird
DSA-4646 icu
DSA-4647 bluez
DSA-4648 libpam-krb5
DSA-4650 qbittorrent
DSA-4653 firefox-esr
DSA-4655 firefox-esr
DSA-4656 thunderbird
DSA-4657 git
DSA-4659 git
DSA-4660 awl
DSA-4663 python-reportlab
DSA-4664 mailman
DSA-4666 openldap
DSA-4668 openjdk-8
DSA-4670 tiff
DSA-4671 vlc
DSA-4673 tomcat8
DSA-4674 roundcube
DSA-4675 graphicsmagick
DSA-4676 salt
DSA-4677 wordpress
DSA-4678 firefox-esr
DSA-4683 thunderbird
DSA-4685 apt
DSA-4686 apache-log4j1.2
DSA-4687 exim4
DSA-4688 dpdk
DSA-4689 bind9
DSA-4692 netqmail
DSA-4693 drupal7
DSA-4695 firefox-esr
DSA-4698 linux
DSA-4700 roundcube
DSA-4701 intel-microcode
DSA-4702 thunderbird
DSA-4703 mysql-connector-java
DSA-4704 vlc
DSA-4705 python-django
DSA-4706 drupal7
DSA-4707 mutt
DSA-4711 coturn
DSA-4713 firefox-esr
DSA-4715 imagemagick
DSA-4717 php7.0
DSA-4718 thunderbird

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
certificatepatrol Incompatible with newer Firefox ESR versions
colorediffs-extension Incompatible with newer Thunderbird versions
dynalogin Depends on to-be-removed simpleid
enigmail Incompatible with newer Thunderbird versions
firefox-esr [armel] No longer supported (requires nodejs)
firefox-esr [mips mipsel mips64el] No longer supported (needs newer rustc)
getlive Broken due to Hotmail changes
gplaycli Broken by Google API changes
kerneloops Upstream service no longer available
libmicrodns Security issues
libperlspeak-perl Security issues; unmaintained
mathematica-fonts Relies on unavailable download location
pdns-recursor Security issues; unsupported
predictprotein Depends on to-be-removed profphd
profphd Unusable
quotecolors Incompatible with newer Thunderbird versions
selenium-firefoxdriver Incompatible with newer Firefox ESR versions
simpleid Does not work with PHP7
simpleid-ldap Depends on to-be-removed simpleid
torbirdy Incompatible with newer Thunderbird versions
weboob Unmaintained; already removed from later releases
yahoo2mbox Broken for several years

Debian Installer

The installer has been updated to include the fixes incorporated into oldstable by the point release.

URLs

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/stretch/ChangeLog

The current oldstable distribution:

http://ftp.debian.org/debian/dists/oldstable/

Proposed updates to the oldstable distribution:

http://ftp.debian.org/debian/dists/oldstable-proposed-updates

oldstable distribution information (release notes, errata etc.):

https://www.debian.org/releases/oldstable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.