Uppdaterad Debian 9; 9.13 utgiven
18 juli 2020
Debianprojektet presenterar stolt sin trettonde (och slutliga) uppdatering till dess
gamla stabila utgåva Debian 9 (med kodnamnet stretch
).
Denna punktutgåva lägger huvudsakligen till rättningar för säkerhetsproblem,
tillsammans med ytterligare rättningar för allvarliga problem. Säkerhetsbulletiner
har redan publicerats separat och refereras när de finns tillgängliga.
Efter denna punktutgåva kommer Debians säkerhetsgrupp och utgåvegruppen inte längre ge ut uppdateringar av Debian 9. Användare som vill fortsätta få säkerhetsstöd bör uppdatera till Debian 10, eller se https://wiki.debian.org/LTS för detaljer om underuppsättningen av arkitekturer och paket som stöds av projektet för långtidsstöd.
Vänligen notera att punktutgåvan inte innebär en ny version av Debian
9 utan endast uppdaterar några av de inkluderade paketen. Det behövs
inte kastas bort gamla media av stretch
. Efter installationen
kan paket uppgraderas till de aktuella versionerna genom att använda en uppdaterad
Debianspegling..
De som frekvent installerar uppdateringar från security.debian.org kommer inte att behöva uppdatera många paket, och de flesta av sådana uppdateringar finns inkluderade i punktutgåvan.
Nya installationsavbildningar kommer snart att finnas tillgängliga på de vanliga platserna.
En uppgradering av en existerande installation till denna revision kan utföras genom att peka pakethanteringssystemet på en av Debians många HTTP-speglingar. En utförlig lista på speglingar finns på:
Blandade felrättningar
Denna uppdatering av den gamla stabila utgåvan lägger till några viktiga felrättningar till följande paket:
| Paket | Orsak |
|---|---|
| acmetool | Rebuild against recent golang to pick up security fixes |
| atril | dvi: Mitigate command injection attacks by quoting filename [CVE-2017-1000159]; fix overflow checks in tiff backend [CVE-2019-1010006]; tiff: Handle failure from TIFFReadRGBAImageOriented [CVE-2019-11459] |
| bacula | Add transitional package bacula-director-common, avoiding loss of /etc/bacula/bacula-dir.conf when purged; make PID files owned by root |
| base-files | Update /etc/debian_version for the point release |
| batik | Fix server-side request forgery via xlink:href attributes [CVE-2019-17566] |
| c-icap-modules | Support ClamAV 0.102 |
| ca-certificates | Update Mozilla CA bundle to 2.40, blacklist distrusted Symantec roots and expired AddTrust External Root; remove e-mail only certificates |
| chasquid | Rebuild against recent golang to pick up security fixes |
| checkstyle | Fix XML External Entity injection issue [CVE-2019-9658 CVE-2019-10782] |
| clamav | New upstream release [CVE-2020-3123]; security fixes [CVE-2020-3327 CVE-2020-3341] |
| compactheader | New upstream version, compatible with newer Thunderbird versions |
| cram | Ignore test failures to fix build issues |
| csync2 | Fail HELLO command when SSL is required |
| cups | Fix heap buffer overflow [CVE-2020-3898] and the `ippReadIO` function may under-read an extension field[CVE-2019-8842] |
| dbus | New upstream stable release; prevent a denial of service issue [CVE-2020-12049]; prevent use-after-free if two usernames share a uid |
| debian-installer | Update for the 4.9.0-13 Linux kernel ABI |
| debian-installer-netboot-images | Rebuild against stretch-proposed-updates |
| debian-security-support | Update support status of several packages |
| erlang | Fix use of weak TLS ciphers [CVE-2020-12872] |
| exiv2 | Fix denial of service issue [CVE-2018-16336]; fix over-restrictive fix for CVE-2018-10958 and CVE-2018-10999 |
| fex | Security update |
| file-roller | Security fix [CVE-2020-11736] |
| fwupd | New upstream release; use a CNAME to redirect to the correct CDN for metadata; do not abort startup if the XML metadata file is invalid; add the Linux Foundation public GPG keys for firmware and metadata; raise the metadata limit to 10MB |
| glib-networking | Return bad identity error if identity is unset [CVE-2020-13645] |
| gnutls28 | Fix memory corruption issue [CVE-2019-3829]; fix memory leak; add support for zero length session tickets, fix connection errors on TLS1.2 sessions to some hosting providers |
| gosa | Tighten check on LDAP success/failure [CVE-2019-11187]; fix compatibility with newer PHP versions; backport several other patches; replace (un)serialize with json_encode/json_decode to mitigate PHP object injection [CVE-2019-14466] |
| heartbleeder | Rebuild against recent golang to pick up security fixes |
| intel-microcode | Downgrade some microcodes to previously released revisions, working around hangs on boot on Skylake-U/Y and Skylake Xeon E3 |
| iptables-persistent | Don't fail if modprobe does |
| jackson-databind | Fix multiple security issues affecting BeanDeserializerFactory [CVE-2020-9548 CVE-2020-9547 CVE-2020-9546 CVE-2020-8840 CVE-2020-14195 CVE-2020-14062 CVE-2020-14061 CVE-2020-14060 CVE-2020-11620 CVE-2020-11619 CVE-2020-11113 CVE-2020-11112 CVE-2020-11111 CVE-2020-10969 CVE-2020-10968 CVE-2020-10673 CVE-2020-10672 CVE-2019-20330 CVE-2019-17531 and CVE-2019-17267] |
| libbusiness-hours-perl | Use explicit 4 digit years, fixing build and usage issues |
| libclamunrar | New upstream stable release; add an unversioned meta-package |
| libdbi | Comment out _error_handler() call again, fixing issues with consumers |
| libembperl-perl | Handle error pages from Apache >= 2.4.40 |
| libexif | Security fixes [CVE-2016-6328 CVE-2017-7544 CVE-2018-20030 CVE-2020-12767 CVE-2020-0093]; security fixes [CVE-2020-13112 CVE-2020-13113 CVE-2020-13114]; fix a buffer read overflow [CVE-2020-0182] and an unsigned integer overflow [CVE-2020-0198] |
| libvncserver | Fix heap overflow [CVE-2019-15690] |
| linux | New upstream stable release; update ABI to 4.9.0-13 |
| linux-latest | Update for 4.9.0-13 kernel ABI |
| mariadb-10.1 | New upstream stable release; security fixes [CVE-2020-2752 CVE-2020-2812 CVE-2020-2814] |
| megatools | Add support for the new format of mega.nz links |
| mod-gnutls | Avoid deprecated ciphersuites in test suite; fix test failures when combined with Apache's fix for CVE-2019-10092 |
| mongo-tools | Rebuild against recent golang to pick up security fixes |
| neon27 | Treat OpenSSL-related test failures as non-fatal |
| nfs-utils | Fix potential file overwrite vulnerability [CVE-2019-3689]; don't make all of /var/lib/nfs owned by the statd user |
| nginx | Fix error page request smuggling vulnerability [CVE-2019-20372] |
| node-url-parse | Sanitize paths and hosts before parsing [CVE-2018-3774] |
| nvidia-graphics-drivers | New upstream stable release; new upstream stable release; security fixes [CVE-2020-5963 CVE-2020-5967] |
| pcl | Fix missing dependency on libvtk6-qt-dev |
| perl | Fix multiple regular expression related security issues [CVE-2020-10543 CVE-2020-10878 CVE-2020-12723] |
| php-horde | Fix cross-site scripting vulnerability [CVE-2020-8035] |
| php-horde-data | Fix authenticated remote code execution vulnerability [CVE-2020-8518] |
| php-horde-form | Fix authenticated remote code execution vulnerability [CVE-2020-8866] |
| php-horde-gollem | Fix cross-site scripting vulnerability in breadcrumb output [CVE-2020-8034] |
| php-horde-trean | Fix authenticated remote code execution vulnerability [CVE-2020-8865] |
| phpmyadmin | Several security fixes [CVE-2018-19968 CVE-2018-19970 CVE-2018-7260 CVE-2019-11768 CVE-2019-12616 CVE-2019-6798 CVE-2019-6799 CVE-2020-10802 CVE-2020-10803 CVE-2020-10804 CVE-2020-5504] |
| postfix | New upstream stable release |
| proftpd-dfsg | Fix handling SSH_MSG_IGNORE packets |
| python-icalendar | Fix Python3 dependencies |
| rails | Fix possible cross-site scripting via Javascript escape helper [CVE-2020-5267] |
| rake | Fix command injection vulnerability [CVE-2020-8130] |
| roundcube | Fix cross-site scripting issue via HTML messages with malicious svg/namespace [CVE-2020-15562] |
| ruby-json | Fix unsafe object creation vulnerability [CVE-2020-10663] |
| ruby2.3 | Fix unsafe object creation vulnerability [CVE-2020-10663] |
| sendmail | Fix finding the queue runner control process in split daemonmode, NOQUEUE: connect from (null), removal failure when using BTRFS |
| sogo-connector | New upstream version, compatible with newer Thunderbird versions |
| ssvnc | Fix out-of-bounds write [CVE-2018-20020], infinite loop [CVE-2018-20021], improper initialisation [CVE-2018-20022], potential denial-of-service [CVE-2018-20024] |
| storebackup | Fix possible privilege escalation vulnerability [CVE-2020-7040] |
| swt-gtk | Fix missing dependency on libwebkitgtk-1.0-0 |
| tinyproxy | Create PID file before dropping privileges to non-root account [CVE-2017-11747] |
| tzdata | New upstream stable release |
| websockify | Fix missing dependency on python{3,}-pkg-resources |
| wpa | Fix AP mode PMF disconnection protection bypass [CVE-2019-16275]; fix MAC randomisation issues with some cards |
| xdg-utils | Sanitise window name before sending it over D-Bus; correctly handle directories with names containing spaces; create the applicationsdirectory if needed |
| xml-security-c | Fix length calculation in the concat method |
| xtrlock | Fix blocking of (some) multitouch devices while locked [CVE-2016-10894] |
Säkerhetsuppdateringar
Denna revision lägger till följande säkerhetsuppdateringar till den gamla stabila utgåvan. Säkerhetsgruppen har redan släppt bulletiner för alla dessa uppdateringar:
Borttagna paket
Följande paket har tagits bort på grund av omständigheter utom vår kontroll:
| Paket | Orsak |
|---|---|
| certificatepatrol | Incompatible with newer Firefox ESR versions |
| colorediffs-extension | Incompatible with newer Thunderbird versions |
| dynalogin | Depends on to-be-removed simpleid |
| enigmail | Incompatible with newer Thunderbird versions |
| firefox-esr | [armel] No longer supported (requires nodejs) |
| firefox-esr | [mips mipsel mips64el] No longer supported (needs newer rustc) |
| getlive | Broken due to Hotmail changes |
| gplaycli | Broken by Google API changes |
| kerneloops | Upstream service no longer available |
| libmicrodns | Security issues |
| libperlspeak-perl | Security issues; unmaintained |
| mathematica-fonts | Relies on unavailable download location |
| pdns-recursor | Security issues; unsupported |
| predictprotein | Depends on to-be-removed profphd |
| profphd | Unusable |
| quotecolors | Incompatible with newer Thunderbird versions |
| selenium-firefoxdriver | Incompatible with newer Firefox ESR versions |
| simpleid | Does not work with PHP7 |
| simpleid-ldap | Depends on to-be-removed simpleid |
| torbirdy | Incompatible with newer Thunderbird versions |
| weboob | Unmaintained; already removed from later releases |
| yahoo2mbox | Broken for several years |
Debianinstalleraren
Installeraren har uppdaterats för att inkludera rättningarna som har inkluderats i den gamla stabila utgåvan med denna punktutgåva.
URLer
Den fullständiga listan på paket som har förändrats i denna revision:
Den aktuella gamla stabila utgåvan:
Föreslagna uppdateringar till den gamla stabila utgåvan:
Information om den gamla stabila utgåvan (versionsfakta, kända problem osv.):
Säkerhetsbulletiner och information:
Om Debian
Debianprojektet är en grupp utvecklare av Fri mjukvara som donerar sin tid och kraft för att producera det helt fria operativsystemet Debian.
Kontaktinformation
För ytterligare information, vänligen besök Debians webbplats på https://www.debian.org/, skicka e-post till <press@debian.org>, eller kontakta gruppen för stabila utgåvor på <debian-release@lists.debian.org>.