Updated Debian 9: 9.13 released
July 18th, 2020
The Debian project is pleased to announce the thirteenth (and final) update of its oldstable distribution Debian 9 (codename stretch).
This point release mainly adds corrections for security issues,
along with a few adjustments for serious problems. Security advisories
have already been published separately and are referenced where available.
After this point release, Debian's Security and Release Teams will no longer be producing updates for Debian 9. Users wishing to continue to receive security support should upgrade to Debian 10, or see https://wiki.debian.org/LTS for details about the subset of architectures and packages covered by the Long Term Support project.
Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included. There is no need to throw away old stretch media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This oldstable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
acmetool | Rebuild against recent golang to pick up security fixes |
atril | dvi: Mitigate command injection attacks by quoting filename [CVE-2017-1000159]; fix overflow checks in tiff backend [CVE-2019-1010006]; tiff: Handle failure from TIFFReadRGBAImageOriented [CVE-2019-11459] |
bacula | Add transitional package bacula-director-common, avoiding loss of /etc/bacula/bacula-dir.conf when purged; make PID files owned by root |
base-files | Update /etc/debian_version for the point release |
batik | Fix server-side request forgery via xlink:href attributes [CVE-2019-17566] |
c-icap-modules | Support ClamAV 0.102 |
ca-certificates | Update Mozilla CA bundle to 2.40, blacklist distrusted Symantec roots and expired AddTrust External Root; remove e-mail only certificates |
chasquid | Rebuild against recent golang to pick up security fixes |
checkstyle | Fix XML External Entity injection issue [CVE-2019-9658 CVE-2019-10782] |
clamav | New upstream release [CVE-2020-3123]; security fixes [CVE-2020-3327 CVE-2020-3341] |
compactheader | New upstream version, compatible with newer Thunderbird versions |
cram | Ignore test failures to fix build issues |
csync2 | Fail HELLO command when SSL is required |
cups | Fix heap buffer overflow [CVE-2020-3898]; fix the `ippReadIO` function under-reading an extension field [CVE-2019-8842] |
dbus | New upstream stable release; prevent a denial of service issue [CVE-2020-12049]; prevent use-after-free if two usernames share a uid |
debian-installer | Update for the 4.9.0-13 Linux kernel ABI |
debian-installer-netboot-images | Rebuild against stretch-proposed-updates |
debian-security-support | Update support status of several packages |
erlang | Fix use of weak TLS ciphers [CVE-2020-12872] |
exiv2 | Fix denial of service issue [CVE-2018-16336]; correct the over-restrictive fix for CVE-2018-10958 and CVE-2018-10999 |
fex | Security update |
file-roller | Security fix [CVE-2020-11736] |
fwupd | New upstream release; use a CNAME to redirect to the correct CDN for metadata; do not abort startup if the XML metadata file is invalid; add the Linux Foundation public GPG keys for firmware and metadata; raise the metadata limit to 10MB |
glib-networking | Return bad identity error if identity is unset [CVE-2020-13645] |
gnutls28 | Fix memory corruption issue [CVE-2019-3829]; fix memory leak; add support for zero-length session tickets, fixing connection errors on TLS 1.2 sessions to some hosting providers |
gosa | Tighten check on LDAP success/failure [CVE-2019-11187]; fix compatibility with newer PHP versions; backport several other patches; replace (un)serialize with json_encode/json_decode to mitigate PHP object injection [CVE-2019-14466] |
heartbleeder | Rebuild against recent golang to pick up security fixes |
intel-microcode | Downgrade some microcodes to previously released revisions, working around hangs on boot on Skylake-U/Y and Skylake Xeon E3 |
iptables-persistent | Don't fail if modprobe does |
jackson-databind | Fix multiple security issues affecting BeanDeserializerFactory [CVE-2020-9548 CVE-2020-9547 CVE-2020-9546 CVE-2020-8840 CVE-2020-14195 CVE-2020-14062 CVE-2020-14061 CVE-2020-14060 CVE-2020-11620 CVE-2020-11619 CVE-2020-11113 CVE-2020-11112 CVE-2020-11111 CVE-2020-10969 CVE-2020-10968 CVE-2020-10673 CVE-2020-10672 CVE-2019-20330 CVE-2019-17531 and CVE-2019-17267] |
libbusiness-hours-perl | Use explicit 4 digit years, fixing build and usage issues |
libclamunrar | New upstream stable release; add an unversioned meta-package |
libdbi | Comment out _error_handler() call again, fixing issues with consumers |
libembperl-perl | Handle error pages from Apache >= 2.4.40 |
libexif | Security fixes [CVE-2016-6328 CVE-2017-7544 CVE-2018-20030 CVE-2020-12767 CVE-2020-0093 CVE-2020-13112 CVE-2020-13113 CVE-2020-13114]; fix a buffer read overflow [CVE-2020-0182] and an unsigned integer overflow [CVE-2020-0198] |
libvncserver | Fix heap overflow [CVE-2019-15690] |
linux | New upstream stable release; update ABI to 4.9.0-13 |
linux-latest | Update for 4.9.0-13 kernel ABI |
mariadb-10.1 | New upstream stable release; security fixes [CVE-2020-2752 CVE-2020-2812 CVE-2020-2814] |
megatools | Add support for the new format of mega.nz links |
mod-gnutls | Avoid deprecated ciphersuites in test suite; fix test failures when combined with Apache's fix for CVE-2019-10092 |
mongo-tools | Rebuild against recent golang to pick up security fixes |
neon27 | Treat OpenSSL-related test failures as non-fatal |
nfs-utils | Fix potential file overwrite vulnerability [CVE-2019-3689]; don't make all of /var/lib/nfs owned by the statd user |
nginx | Fix error page request smuggling vulnerability [CVE-2019-20372] |
node-url-parse | Sanitize paths and hosts before parsing [CVE-2018-3774] |
nvidia-graphics-drivers | New upstream stable release; security fixes [CVE-2020-5963 CVE-2020-5967] |
pcl | Fix missing dependency on libvtk6-qt-dev |
perl | Fix multiple regular expression related security issues [CVE-2020-10543 CVE-2020-10878 CVE-2020-12723] |
php-horde | Fix cross-site scripting vulnerability [CVE-2020-8035] |
php-horde-data | Fix authenticated remote code execution vulnerability [CVE-2020-8518] |
php-horde-form | Fix authenticated remote code execution vulnerability [CVE-2020-8866] |
php-horde-gollem | Fix cross-site scripting vulnerability in breadcrumb output [CVE-2020-8034] |
php-horde-trean | Fix authenticated remote code execution vulnerability [CVE-2020-8865] |
phpmyadmin | Several security fixes [CVE-2018-19968 CVE-2018-19970 CVE-2018-7260 CVE-2019-11768 CVE-2019-12616 CVE-2019-6798 CVE-2019-6799 CVE-2020-10802 CVE-2020-10803 CVE-2020-10804 CVE-2020-5504] |
postfix | New upstream stable release |
proftpd-dfsg | Fix handling SSH_MSG_IGNORE packets |
python-icalendar | Fix Python3 dependencies |
rails | Fix possible cross-site scripting via Javascript escape helper [CVE-2020-5267] |
rake | Fix command injection vulnerability [CVE-2020-8130] |
roundcube | Fix cross-site scripting issue via HTML messages with malicious svg/namespace [CVE-2020-15562] |
ruby-json | Fix unsafe object creation vulnerability [CVE-2020-10663] |
ruby2.3 | Fix unsafe object creation vulnerability [CVE-2020-10663] |
sendmail | Fix finding the queue runner control process in split daemon mode; fix "NOQUEUE: connect from (null)"; fix removal failure when using BTRFS |
sogo-connector | New upstream version, compatible with newer Thunderbird versions |
ssvnc | Fix out-of-bounds write [CVE-2018-20020], infinite loop [CVE-2018-20021], improper initialisation [CVE-2018-20022], potential denial-of-service [CVE-2018-20024] |
storebackup | Fix possible privilege escalation vulnerability [CVE-2020-7040] |
swt-gtk | Fix missing dependency on libwebkitgtk-1.0-0 |
tinyproxy | Create PID file before dropping privileges to non-root account [CVE-2017-11747] |
tzdata | New upstream stable release |
websockify | Fix missing dependency on python{3,}-pkg-resources |
wpa | Fix AP mode PMF disconnection protection bypass [CVE-2019-16275]; fix MAC randomisation issues with some cards |
xdg-utils | Sanitise window name before sending it over D-Bus; correctly handle directories with names containing spaces; create the applications directory if needed |
xml-security-c | Fix length calculation in the concat method |
xtrlock | Fix blocking of (some) multitouch devices while locked [CVE-2016-10894] |
Security Updates
This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
certificatepatrol | Incompatible with newer Firefox ESR versions |
colorediffs-extension | Incompatible with newer Thunderbird versions |
dynalogin | Depends on to-be-removed simpleid |
enigmail | Incompatible with newer Thunderbird versions |
firefox-esr | [armel] No longer supported (requires nodejs) |
firefox-esr | [mips mipsel mips64el] No longer supported (needs newer rustc) |
getlive | Broken due to Hotmail changes |
gplaycli | Broken by Google API changes |
kerneloops | Upstream service no longer available |
libmicrodns | Security issues |
libperlspeak-perl | Security issues; unmaintained |
mathematica-fonts | Relies on unavailable download location |
pdns-recursor | Security issues; unsupported |
predictprotein | Depends on to-be-removed profphd |
profphd | Unusable |
quotecolors | Incompatible with newer Thunderbird versions |
selenium-firefoxdriver | Incompatible with newer Firefox ESR versions |
simpleid | Does not work with PHP7 |
simpleid-ldap | Depends on to-be-removed simpleid |
torbirdy | Incompatible with newer Thunderbird versions |
weboob | Unmaintained; already removed from later releases |
yahoo2mbox | Broken for several years |
Debian Installer
The installer has been updated to include the fixes incorporated into oldstable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current oldstable distribution:
Proposed updates to the oldstable distribution:
oldstable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.