Uppdaterad Debian 9; 9.13 utgiven

18 juli 2020

Debianprojektet presenterar stolt sin trettonde (och slutliga) uppdatering till dess gamla stabila utgåva Debian 9 (med kodnamnet stretch). Denna punktutgåva lägger huvudsakligen till rättningar för säkerhetsproblem, tillsammans med ytterligare rättningar för allvarliga problem. Säkerhetsbulletiner har redan publicerats separat och refereras när de finns tillgängliga.

Efter denna punktutgåva kommer Debians säkerhetsgrupp och utgåvegruppen inte längre ge ut uppdateringar av Debian 9. Användare som vill fortsätta få säkerhetsstöd bör uppdatera till Debian 10, eller se https://wiki.debian.org/LTS för detaljer om underuppsättningen av arkitekturer och paket som stöds av projektet för långtidsstöd.

Vänligen notera att punktutgåvan inte innebär en ny version av Debian 9 utan endast uppdaterar några av de inkluderade paketen. Det behövs inte kastas bort gamla media av stretch. Efter installationen kan paket uppgraderas till de aktuella versionerna genom att använda en uppdaterad Debianspegling..

Dom som frekvent installerar uppdateringar från security.debian.org kommer inte att behöva uppdatera många paket, och de flesta av sådana uppdateringar finns inkluderade i punktutgåvan.

Nya installationsavbildningar kommer snart att finnas tillgängliga på dom vanliga platserna.

En uppgradering av en existerande installation till denna revision kan utföras genom att peka pakethanteringssystemet på en av Debians många HTTP-speglingar. En utförlig lista på speglingar finns på:

https://www.debian.org/mirror/list

Blandade felrättningar

Denna uppdatering av den gamla stabila utgåvan lägger till några viktiga felrättningar till följande paket:

Paket Orsak
acmetool Rebuild against recent golang to pick up security fixes
atril dvi: Mitigate command injection attacks by quoting filename [CVE-2017-1000159]; fix overflow checks in tiff backend [CVE-2019-1010006]; tiff: Handle failure from TIFFReadRGBAImageOriented [CVE-2019-11459]
bacula Add transitional package bacula-director-common, avoiding loss of /etc/bacula/bacula-dir.conf when purged; make PID files owned by root
base-files Update /etc/debian_version for the point release
batik Fix server-side request forgery via xlink:href attributes [CVE-2019-17566]
c-icap-modules Support ClamAV 0.102
ca-certificates Update Mozilla CA bundle to 2.40, blacklist distrusted Symantec roots and expired AddTrust External Root; remove e-mail only certificates
chasquid Rebuild against recent golang to pick up security fixes
checkstyle Fix XML External Entity injection issue [CVE-2019-9658 CVE-2019-10782]
clamav New upstream release [CVE-2020-3123]; security fixes [CVE-2020-3327 CVE-2020-3341]
compactheader New upstream version, compatible with newer Thunderbird versions
cram Ignore test failures to fix build issues
csync2 Fail HELLO command when SSL is required
cups Fix heap buffer overflow [CVE-2020-3898] and the `ippReadIO` function may under-read an extension field [CVE-2019-8842]
dbus New upstream stable release; prevent a denial of service issue [CVE-2020-12049]; prevent use-after-free if two usernames share a uid
debian-installer Update for the 4.9.0-13 Linux kernel ABI
debian-installer-netboot-images Rebuild against stretch-proposed-updates
debian-security-support Update support status of several packages
erlang Fix use of weak TLS ciphers [CVE-2020-12872]
exiv2 Fix denial of service issue [CVE-2018-16336]; fix over-restrictive fix for CVE-2018-10958 and CVE-2018-10999
fex Security update
file-roller Security fix [CVE-2020-11736]
fwupd New upstream release; use a CNAME to redirect to the correct CDN for metadata; do not abort startup if the XML metadata file is invalid; add the Linux Foundation public GPG keys for firmware and metadata; raise the metadata limit to 10MB
glib-networking Return bad identity error if identity is unset [CVE-2020-13645]
gnutls28 Fix memory corruption issue [CVE-2019-3829]; fix memory leak; add support for zero length session tickets, fix connection errors on TLS1.2 sessions to some hosting providers
gosa Tighten check on LDAP success/failure [CVE-2019-11187]; fix compatibility with newer PHP versions; backport several other patches; replace (un)serialize with json_encode/json_decode to mitigate PHP object injection [CVE-2019-14466]
heartbleeder Rebuild against recent golang to pick up security fixes
intel-microcode Downgrade some microcodes to previously released revisions, working around hangs on boot on Skylake-U/Y and Skylake Xeon E3
iptables-persistent Don't fail if modprobe does
jackson-databind Fix multiple security issues affecting BeanDeserializerFactory [CVE-2020-9548 CVE-2020-9547 CVE-2020-9546 CVE-2020-8840 CVE-2020-14195 CVE-2020-14062 CVE-2020-14061 CVE-2020-14060 CVE-2020-11620 CVE-2020-11619 CVE-2020-11113 CVE-2020-11112 CVE-2020-11111 CVE-2020-10969 CVE-2020-10968 CVE-2020-10673 CVE-2020-10672 CVE-2019-20330 CVE-2019-17531 and CVE-2019-17267]
libbusiness-hours-perl Use explicit 4 digit years, fixing build and usage issues
libclamunrar New upstream stable release; add an unversioned meta-package
libdbi Comment out _error_handler() call again, fixing issues with consumers
libembperl-perl Handle error pages from Apache >= 2.4.40
libexif Security fixes [CVE-2016-6328 CVE-2017-7544 CVE-2018-20030 CVE-2020-12767 CVE-2020-0093]; security fixes [CVE-2020-13112 CVE-2020-13113 CVE-2020-13114]; fix a buffer read overflow [CVE-2020-0182] and an unsigned integer overflow [CVE-2020-0198]
libvncserver Fix heap overflow [CVE-2019-15690]
linux New upstream stable release; update ABI to 4.9.0-13
linux-latest Update for 4.9.0-13 kernel ABI
mariadb-10.1 New upstream stable release; security fixes [CVE-2020-2752 CVE-2020-2812 CVE-2020-2814]
megatools Add support for the new format of mega.nz links
mod-gnutls Avoid deprecated ciphersuites in test suite; fix test failures when combined with Apache's fix for CVE-2019-10092
mongo-tools Rebuild against recent golang to pick up security fixes
neon27 Treat OpenSSL-related test failures as non-fatal
nfs-utils Fix potential file overwrite vulnerability [CVE-2019-3689]; don't make all of /var/lib/nfs owned by the statd user
nginx Fix error page request smuggling vulnerability [CVE-2019-20372]
node-url-parse Sanitize paths and hosts before parsing [CVE-2018-3774]
nvidia-graphics-drivers New upstream stable release; new upstream stable release; security fixes [CVE-2020-5963 CVE-2020-5967]
pcl Fix missing dependency on libvtk6-qt-dev
perl Fix multiple regular expression related security issues [CVE-2020-10543 CVE-2020-10878 CVE-2020-12723]
php-horde Fix cross-site scripting vulnerability [CVE-2020-8035]
php-horde-data Fix authenticated remote code execution vulnerability [CVE-2020-8518]
php-horde-form Fix authenticated remote code execution vulnerability [CVE-2020-8866]
php-horde-gollem Fix cross-site scripting vulnerability in breadcrumb output [CVE-2020-8034]
php-horde-trean Fix authenticated remote code execution vulnerability [CVE-2020-8865]
phpmyadmin Several security fixes [CVE-2018-19968 CVE-2018-19970 CVE-2018-7260 CVE-2019-11768 CVE-2019-12616 CVE-2019-6798 CVE-2019-6799 CVE-2020-10802 CVE-2020-10803 CVE-2020-10804 CVE-2020-5504]
postfix New upstream stable release
proftpd-dfsg Fix handling SSH_MSG_IGNORE packets
python-icalendar Fix Python3 dependencies
rails Fix possible cross-site scripting via Javascript escape helper [CVE-2020-5267]
rake Fix command injection vulnerability [CVE-2020-8130]
roundcube Fix cross-site scripting issue via HTML messages with malicious svg/namespace [CVE-2020-15562]
ruby-json Fix unsafe object creation vulnerability [CVE-2020-10663]
ruby2.3 Fix unsafe object creation vulnerability [CVE-2020-10663]
sendmail Fix finding the queue runner control process in split daemon mode, NOQUEUE: connect from (null), removal failure when using BTRFS
sogo-connector New upstream version, compatible with newer Thunderbird versions
ssvnc Fix out-of-bounds write [CVE-2018-20020], infinite loop [CVE-2018-20021], improper initialisation [CVE-2018-20022], potential denial-of-service [CVE-2018-20024]
storebackup Fix possible privilege escalation vulnerability [CVE-2020-7040]
swt-gtk Fix missing dependency on libwebkitgtk-1.0-0
tinyproxy Create PID file before dropping privileges to non-root account [CVE-2017-11747]
tzdata New upstream stable release
websockify Fix missing dependency on python{3,}-pkg-resources
wpa Fix AP mode PMF disconnection protection bypass [CVE-2019-16275]; fix MAC randomisation issues with some cards
xdg-utils Sanitise window name before sending it over D-Bus; correctly handle directories with names containing spaces; create the applications directory if needed
xml-security-c Fix length calculation in the concat method
xtrlock Fix blocking of (some) multitouch devices while locked [CVE-2016-10894]

Säkerhetsuppdateringar

Denna revision lägger till följande säkerhetsuppdateringar till den gamla stabila utgåvan. Säkerhetsgruppen har redan släppt bulletiner för alla dessa uppdateringar:

Bulletin-ID Paket
DSA-4005 openjfx
DSA-4255 ant
DSA-4352 chromium-browser
DSA-4379 golang-1.7
DSA-4380 golang-1.8
DSA-4395 chromium
DSA-4421 chromium
DSA-4616 qemu
DSA-4617 qtbase-opensource-src
DSA-4618 libexif
DSA-4619 libxmlrpc3-java
DSA-4620 firefox-esr
DSA-4621 openjdk-8
DSA-4622 postgresql-9.6
DSA-4624 evince
DSA-4625 thunderbird
DSA-4628 php7.0
DSA-4629 python-django
DSA-4630 python-pysaml2
DSA-4631 pillow
DSA-4632 ppp
DSA-4633 curl
DSA-4634 opensmtpd
DSA-4635 proftpd-dfsg
DSA-4637 network-manager-ssh
DSA-4639 firefox-esr
DSA-4640 graphicsmagick
DSA-4642 thunderbird
DSA-4646 icu
DSA-4647 bluez
DSA-4648 libpam-krb5
DSA-4650 qbittorrent
DSA-4653 firefox-esr
DSA-4655 firefox-esr
DSA-4656 thunderbird
DSA-4657 git
DSA-4659 git
DSA-4660 awl
DSA-4663 python-reportlab
DSA-4664 mailman
DSA-4666 openldap
DSA-4668 openjdk-8
DSA-4670 tiff
DSA-4671 vlc
DSA-4673 tomcat8
DSA-4674 roundcube
DSA-4675 graphicsmagick
DSA-4676 salt
DSA-4677 wordpress
DSA-4678 firefox-esr
DSA-4683 thunderbird
DSA-4685 apt
DSA-4686 apache-log4j1.2
DSA-4687 exim4
DSA-4688 dpdk
DSA-4689 bind9
DSA-4692 netqmail
DSA-4693 drupal7
DSA-4695 firefox-esr
DSA-4698 linux
DSA-4700 roundcube
DSA-4701 intel-microcode
DSA-4702 thunderbird
DSA-4703 mysql-connector-java
DSA-4704 vlc
DSA-4705 python-django
DSA-4706 drupal7
DSA-4707 mutt
DSA-4711 coturn
DSA-4713 firefox-esr
DSA-4715 imagemagick
DSA-4717 php7.0
DSA-4718 thunderbird

Borttagna paket

Följande paket har tagits bort på grund av omständigheter utom vår kontroll:

Paket Orsak
certificatepatrol Incompatible with newer Firefox ESR versions
colorediffs-extension Incompatible with newer Thunderbird versions
dynalogin Depends on to-be-removed simpleid
enigmail Incompatible with newer Thunderbird versions
firefox-esr [armel] No longer supported (requires nodejs)
firefox-esr [mips mipsel mips64el] No longer supported (needs newer rustc)
getlive Broken due to Hotmail changes
gplaycli Broken by Google API changes
kerneloops Upstream service no longer available
libmicrodns Security issues
libperlspeak-perl Security issues; unmaintained
mathematica-fonts Relies on unavailable download location
pdns-recursor Security issues; unsupported
predictprotein Depends on to-be-removed profphd
profphd Unusable
quotecolors Incompatible with newer Thunderbird versions
selenium-firefoxdriver Incompatible with newer Firefox ESR versions
simpleid Does not work with PHP7
simpleid-ldap Depends on to-be-removed simpleid
torbirdy Incompatible with newer Thunderbird versions
weboob Unmaintained; already removed from later releases
yahoo2mbox Broken for several years

Debianinstalleraren

Installeraren har uppdaterats för att inkludera rättningarna som har inkluderats i den gamla stabila utgåvan med denna punktutgåva.

URLer

Den fullständiga listan på paket som har förändrats i denna revision:

http://ftp.debian.org/debian/dists/stretch/ChangeLog

Den aktuella gamla stabila utgåvan:

http://ftp.debian.org/debian/dists/oldstable/

Föreslagna uppdateringar till den gamla stabila utgåvan:

http://ftp.debian.org/debian/dists/oldstable-proposed-updates

Information om den gamla stabila utgåvan (versionsfakta, kända problem osv.):

https://www.debian.org/releases/oldstable/

Säkerhetsbulletiner och information:

https://www.debian.org/security/

Om Debian

Debianprojektet är en grupp utvecklare av Fri mjukvara som donerar sin tid och kraft för att producera det helt fria operativsystemet Debian.

Kontaktinformation

För ytterligare information, vänligen besök Debians webbplats på https://www.debian.org/, skicka e-post till <press@debian.org>, eller kontakta gruppen för stabila utgåvor på <debian-release@lists.debian.org>.