----------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 162-1        https://www.debian.org/
debian-release@lists.debian.org                             Adam D. Barratt
April 22nd, 2019
----------------------------------------------------------------------------

Upcoming Debian 9 Update (9.9)

An update to Debian 9 is scheduled for Saturday, April 27th, 2019. As of
now it will include the following bug fixes. They can be found in
"stretch-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "stretch-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of them
by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package                     Reason
-------                     ------
audiofile                   Security issues [CVE-2018-13440 CVE-2018-17095]
base-files                  Update for the point release
bwa                         Security fix [CVE-2019-10269]
ca-certificates-java        Fix bashisms in postinst and jks-keystore
cernlib                     Apply optimization flag -O to Fortran modules
                            instead of -O2, which generates broken code; fix
                            FTBFS on arm64 by disabling PIE for Fortran
                            executables
choose-mirror               Update included mirror list
chrony                      Fix logging of measurements and statistics, and
                            stopping of chronyd, on some platforms when
                            seccomp filtering is enabled
ckermit                     Drop OpenSSL version check
clamav                      Security updates: out-of-bounds heap read
                            condition may occur when scanning PDF documents
                            [CVE-2019-1787]; out-of-bounds heap read
                            condition may occur when scanning PE files packed
                            using Aspack [CVE-2019-1789]; out-of-bounds heap
                            write condition may occur when scanning OLE2
                            files [CVE-2019-1788]
dansguardian                Add "missingok" to logrotate configuration
debian-security-support     Update support statuses
diffoscope                  Fix tests to work with Ghostscript 9.26
dns-root-data               Update root data to 2019031302
dnsruby                     Add new root key (KSK-2017); ruby 2.3.0
                            deprecates TimeoutError, use Timeout::Error
dpdk                        New upstream release
edk2                        Fix buffer overflow in BlockIo service
                            [CVE-2018-12180]; DNS: check received packet size
                            before using [CVE-2018-12178]; fix stack overflow
                            with corrupted BMP [CVE-2018-12181]
firmware-nonfree            atheros / iwlwifi: update BT firmware
                            [CVE-2018-5383]
flatpak                     Reject all ioctls that the kernel will interpret
                            as TIOCSTI [CVE-2019-10063]
geant321                    Rebuild against cernlib with fixed Fortran
                            optimisations
gnome-chemistry-utils       Drop the obsolete gcu-plugin package
gocode                      gocode-auto-complete-el: promote
                            auto-complete-el to Pre-Depends
gpac                        Security fixes [CVE-2018-7752 CVE-2018-13005
                            CVE-2018-13006 CVE-2018-20760 CVE-2018-20761
                            CVE-2018-20762 CVE-2018-20763]
icedtea-web                 Stop building the browser plugin, as it no
                            longer works with Firefox 60
igraph                      Fix a crash when loading malformed GraphML files
                            [CVE-2018-20349]
jabref                      Fix XML External Entity attack
                            [CVE-2018-1000652]
java-common                 Remove default-java-plugin as the icedtea-web
                            Xul plugin is going away
jquery                      Prevent Object.prototype pollution
                            [CVE-2019-11358]
kauth                       Fix insecure handling of arguments in helpers
                            [CVE-2019-7443]
libdate-holidays-de-perl    Add March 8th (from 2019 onwards) and May 8th
                            (2020 only) as public holidays (Berlin only)
libdatetime-timezone-perl   Update included data
libreoffice                 Introduce next Japanese gengou era 'Reiwa'; make
                            -core conflict against openjdk-8-jre-headless
                            (= 8u181-b13-2~deb9u1), which had a broken
                            ClassPathURLCheck
linux                       New upstream stable version
linux-latest                Update for -9 kernel ABI
mariadb-10.1                New upstream release
mclibs                      Rebuild against cernlib with fixed Fortran
                            optimisations
ncmpc                       Fix NULL pointer dereference [CVE-2018-9240]
node-superagent             Fix ZIP bomb attacks [CVE-2017-16129]
nvidia-graphics-drivers     New upstream release [CVE-2018-6260]
nvidia-settings             New upstream release
obs-build                   Do not allow writing to files in the host system
                            [CVE-2017-14804]
paw                         Rebuild against cernlib with fixed Fortran
                            optimisations
perlbrew                    Allow HTTPS CPAN URLs
postfix                     New upstream stable release
postgresql-9.6              New upstream version
psk31lx                     Make version sort correctly to avoid potential
                            upgrade issues
publicsuffix                Update included data
pyca                        Add "missingok" to logrotate configuration
python-certbot              Revert to debhelper compat 9, to ensure systemd
                            timers are correctly started
python-cryptography         Remove BIO_callback_ctrl: the prototype differs
                            from OpenSSL's definition of it after it was
                            changed (fixed) within OpenSSL
python-django-casclient     Apply Django 1.10 middleware fix;
                            python(3)-django-casclient: add missing
                            dependencies on python(3)-django
python-mode                 Remove support for xemacs21
python-pip                  Properly catch requests' HTTPError in index.py
python-pykmip               Fix potential DoS error [CVE-2018-1000872]
r-cran-igraph               Security fix [CVE-2018-20349]
rails                       Security fixes [CVE-2018-16476 CVE-2019-5418
                            CVE-2019-5419]
rsync                       Several security fixes for zlib [CVE-2016-9840
                            CVE-2016-9841 CVE-2016-9842 CVE-2016-9843]
ruby-i18n                   Prevent a remote denial-of-service vulnerability
                            [CVE-2014-10077]
ruby2.3                     Fix build failure
runc                        Security fix [CVE-2019-5736]
systemd                     journald: fix assertion failure on
                            journal_file_link_data; tmpfiles: fix "e" to
                            support shell style globs; mount-util: accept
                            that name_to_handle_at() might fail with EPERM;
                            automount: ack automount requests even when
                            already mounted [CVE-2018-1049]; fix potential
                            root privilege escalation [CVE-2018-15686]
twitter-bootstrap3          Fix XSS in tooltip or popover [CVE-2019-8331]
tzdata                      New upstream release
unzip                       Fix buffer overflow in password protected ZIP
                            archives [CVE-2018-1000035]
vcftools                    Security fixes [CVE-2018-11099 CVE-2018-11129
                            CVE-2018-11130]
vips                        Fix NULL function pointer dereference
                            [CVE-2018-7998], uninitialised memory access
                            [CVE-2019-6976]
waagent                     New upstream release, with many Azure fixes
                            [CVE-2019-0804]
yorick-av                   Rescale frame timestamps; set VBV buffer size for
                            MPEG1/2 files
zziplib                     Fix invalid memory access in zzip_disk_fread
                            [CVE-2018-6381], bus error in zzip_disk_findfirst
                            function in zzip/mmapped.c [CVE-2018-6540], out
                            of bound read in mmapped.c:zzip_disk_fread()
                            [CVE-2018-7725], crash via crafted zip file
                            [CVE-2018-7726], memory leak triggered in the
                            function __zzip_parse_root_directory in zip.c
                            [CVE-2018-16548]; reject ZIP file if the size of
                            the central directory and/or the offset of start
                            of central directory point beyond the end of the
                            ZIP file [CVE-2018-6484, CVE-2018-6541,
                            CVE-2018-6869]

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>

Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                     Reason
-------                     ------
gcontactsync                Incompatible with newer firefox-esr versions
google-tasks-sync           Incompatible with newer firefox-esr versions
mozilla-gnome-keyring       Incompatible with newer firefox-esr versions
tbdialout                   Incompatible with newer thunderbird versions
timeline                    Incompatible with newer thunderbird versions

If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".