------------------------------------------------------------------------
The Debian Project https://www.debian.org/ Updated Debian 9: 9.2 released [email protected] October 7th, 2017 https://www.debian.org/News/2017/20171007 ------------------------------------------------------------------------


The Debian project is pleased to announce the second update of its
stable distribution Debian 9 (codename "stretch"). This point release
mainly adds corrections for security issues, along with a few
adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 9 but only updates some of the packages included. There is no
need to throw away old "stretch" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list


As a special case for this point release, those using the "apt-get" tool
to perform the upgrade will need to ensure that the "dist-upgrade"
command is used, in order to update to the latest kernel packages. Users
of other tools such as "apt" and "aptitude" should use the "upgrade"
command.


Miscellaneous Bugfixes
----------------------

Due to an oversight while preparing the point release, the usual
update to the "base-files" package to reflect the new version was
unfortunately not included. An updated package will be made available
via "stretch-updates" in the near future.

This stable update adds a few important corrections to the following
packages:

+--------------------------+------------------------------------------+
| Package | Reason | +--------------------------+------------------------------------------+
| apt [1] | Fix issues in apt-daily-upgrade; fix a |
| | possible crash in the mirror method |
| | |
| at-spi2-core [2] | Fix crash on switching windows |
| | |
| bareos [3] | Fix permissions of bareos-dir logrotate |
| | config on upgrade; fix file corruption |
| | when using SHA1 signature |
| | |
| bind9 [4] | Import support for DNSSEC KSK-2017 |
| | |
| bridge-utils [5] | Fix a problem with some vlan interfaces |
| | not being created |
| | |
| caja [6] | Fix excessive CPU use while loading |
| | background image |
| | |
| chrony [7] | Do not pass 'burst' command to chronyc |
| | |
| cross-gcc [8] | Fix outdated support for gcc 6.3.0-18 |
| | |
| cvxopt [9] | Remove the unneccessary and non-working |
| | compatibility layer for lpx_main() |
| | |
| db5.3 [10] | Do not access DB_CONFIG when db_home is |
| | not set [CVE-2017-10140] |
| | |
| dbus [11] | New upstream stable release |
| | |
| debian-edu-doc [12] | Merge stretch related documentation and |
| | translation updates; update Debian Edu |
| | Stretch manual from the wiki; replace |
| | existing boot menu screenshots with |
| | recent ones from the wiki |
| | |
| debian-installer [13] | Update Linux kernel ABI to 4 |
| | |
| debian-installer- | Rebuild against proposed-updates |
| netboot-images [14] | |
| | |
| desktop-base [15] | Fix XML syntax errors in gnome wallpaper |
| | description files making Joy wallpapers |
| | unavailable by default; ensure postinst |
| | doesn’t fail on upgrade even when an |
| | incomplete theme pack is active |
| | |
| dns-root-data [16] | Update root.hints to 2017072601 version; |
| | change the state of KSK-2017 to VALID |
| | |
| dnsdist [17] | Security fixes [CVE-2016-7069 CVE-2017- |
| | 7557] |
| | |
| dnsviz [18] | Cherry-pick upstream fixes related to |
| | root.hints and root.keys changes |
| | |
| dose3 [19] | Fix versioned provides support - |
| | packages that provide the same virtual |
| | package in different versions, or that |
| | provide the same versioned virtual |
| | package as a real package, are co- |
| | installable |
| | |
| ecl [20] | Add missing dependency on libffi-dev |
| | |
| erlang-p1-tls [21] | Fix ECDH curves |
| | |
| evolution [22] | Fix hang on right click in composer |
| | window |
| | |
| expect [23] | Properly check for EOF, to avoid losing |
| | input |
| | |
| fife [24] | Fix memory leak |
| | |
| flatpak [25] | New upstream stable release; prevent |
| | deploying files with inappropriate |
| | permissions; restore compatibility with |
| | libostree 2017.7 |
| | |
| freerdp [26] | Enable TLS >= 1.1 support |
| | |
| gnome-exe- | Switch to msitools' msiinfo for |
| thumbnailer [27] | ProductVersion fetching, replacing the |
| | insecure VBScript-based parsing |
| | [CVE-2017-11421]; fix unreadable white- |
| | on-white text on version labels |
| | |
| gnupg2 [28] | Fix dirmngr issues with broken reverse |
| | DNS, assertion when using "tofu- |
| | default-policy ask" , multiple issues |
| | with scdaemon, avoid spurious warnings |
| | when sharing a keybox with gpg >= 2.1.20 |
| | |
| gnutls28 [29] | Fix OCSP verification errors, especially |
| | with ECDSA signatures |
| | |
| gosa-plugin- | Fix parent constructor calls, for |
| mailaddress [30] | compatibility with PHP7 |
| | |
| gsoap [31] | Fix integer overflow via large XML |
| | document [CVE-2017-9765] |
| | |
| haveged [32] | Start haveged.service after systemd- |
| | tmpfiles-setup.service has been run |
| | |
| ipsec-tools [33] | Security fix [CVE-2016-10396] |
| | |
| irssi [34] | Fix null pointer dereference [CVE-2017- |
| | 10965], use-after-free condition for |
| | nicklist [CVE-2017-10966] |
| | |
| kanatest [35] | Remove DISABLE_DEPRECATED flags, they |
| | cause implicit pointer conversion and |
| | thus a segmentation fault on startup |
| | |
| kdepim [36] | Fix "send Later with Delay bypasses |
| | OpenPGP" [CVE-2017-9604] |
| | |
| kf5-messagelib [37] | Fix "send Later with Delay bypasses |
| | OpenPGP" [CVE-2017-9604] |
| | |
| krb5 [38] | Fix security issue where remote |
| | authenticated attackers can crash the |
| | KDC [CVE-2017-11368]; fix startup if |
| | getaddrinfo() returns a wildcard v6 |
| | address and handling of explicitly |
| | specified v4 wildcard address; fix SRV |
| | lookups to respect udp_preference_limit |
| | |
| lava-tool [39] | Add missing dependency on python- |
| | simplejson |
| | |
| librsb [40] | Fix a few severe bugs leading to |
| | numerically wrong results |
| | |
| libselinux [41] | Rebuild with new sbuild to fix changelog |
| | date |
| | |
| libsolv [42] | Fix dependencies on Python 3 modules |
| | |
| libwpd [43] | Fix denial of service issue |
| | [CVE-2017-14226] |
| | |
| linux [44] | New upstream stable version |
| | |
| linux-latest [45] | Update to 4.9.0-4 |
| | |
| lzma [46] | Rebuild with new sbuild to fix changelog |
| | date |
| | |
| mailman [47] | Fix broken dependencies in |
| | contrib/SpamAssassin.py |
| | |
| mate-power-manager [48] | Don't abort on unknown DBus signal name |
| | |
| mate-themes [49] | Fix font colour of URL bar in Google |
| | Chrome |
| | |
| mate-tweak [50] | Add missing dependency on python3-gi |
| | |
| ncurses [51] | Fix various crash bugs in the tic |
| | library and the tic binary |
| | [CVE-2017-10684 CVE-2017-10685 |
| | CVE-2017-11112 CVE-2017-11113 |
| | CVE-2017-13728 CVE-2017-13729 |
| | CVE-2017-13730 CVE-2017-13731 |
| | CVE-2017-13732 CVE-2017-13734 |
| | CVE-2017-13733] |
| | |
| nettle [52] | Rebuild with new sbuild to fix changelog |
| | date |
| | |
| node-brace- | Fix regular expression denial of service |
| expansion [53] | issue |
| | |
| node-dateformat [54] | Set TZ=UTC for tests to fix build |
| | failure |
| | |
| ntp [55] | Build and install /usr/bin/sntp |
| | |
| nvidia-graphics- | New upstream long lived branch release |
| drivers [56] | 375.82 - security fixes [CVE-2017-6257 |
| | CVE-2017-6259], add support for the |
| | following GPUs: GeForce GTX 1080 with |
| | Max-Q Design, GeForce GTX 1070 with Max- |
| | Q Design, GeForce GTX 1060 with Max-Q |
| | Design; nvidia-kernel-dkms: Honor |
| | parallel setting from dkms |
| | |
| open-vm-tools [57] | Randomly generate temporary directory |
| | name [CVE-2015-5191] |
| | |
| opendkim [58] | Start as root and drop privileges in |
| | opendkim for proper key file ownership |
| | |
| openldap [59] | Relax the dependency of libldap-2.4-2 on |
| | libldap-common to also permit later |
| | versions; fix upgrade failure when |
| | olcSuffix contains a backslash; avoid |
| | reading the value of the |
| | LDAP_OPT_X_TLS_REQUIRE_CERT option from |
| | previously freed memory; fix potential |
| | endless replication loop in a multi- |
| | master delta-syncrepl scenario with 3 or |
| | more nodes; fix memory corruption caused |
| | by calling sasl_client_init() multiple |
| | times and possibly concurrently |
| | |
| openvpn [60] | Fix broken reconnects due to wrong push |
| | digest calculation |
| | |
| osinfo-db [61] | Update distribution information |
| | |
| pcb-rnd [62] | Fix execution of code via a maliciously |
| | formed design file |
| | |
| postfix [63] | New upstream stable version - send |
| | single character variable names to |
| | milters without {}; prevent MIME |
| | downgrade of Postfix-generated message/ |
| | delivery status; work around Berkeley DB |
| | attempting to read settings from |
| | "DB_CONFIG" file |
| | |
| python-pampy [64] | Fix dependencies on Python 3 modules |
| | |
| request-tracker4 [65] | Fix regression in previous security |
| | release where incorrect SHA256 passwords |
| | could trigger an error |
| | |
| ruby-gnome2 [66] | ruby- |
| | {gdk3,gtksourceview2,pango,poppler}: Add |
| | missing dependencies |
| | |
| samba [67] | Ensure SMB signing enforced [CVE-2017- |
| | 12150]; keep required encryption across |
| | SMB3 DFS redirects [CVE-2017-12151]; fix |
| | server memory information leak over SMB1 |
| | [CVE-2017-12163]; new upstream release; |
| | fix libpam-winbind.prerm to be |
| | multiarch-safe; add missing logrotate |
| | for /var/log/samba/log.samba; fix |
| | outdated DNS Root servers; fix "Non- |
| | kerberos logins fails on winbind 4.X |
| | when krb5_auth is configured in PAM" |
| | |
| smplayer [68] | Fix connections to YouTube |
| | |
| speech-dispatcher [69] | Make spd-conf work again |
| | |
| suricata [70] | Limit the number of recursive calls in |
| | the DER/ASN.1 decoder to avoid stack |
| | overflows |
| | |
| swift [71] | New upstream stable release |
| | |
| tbdialout [72] | Include leading plus symbol when using |
| | tel: URI scheme |
| | |
| tiny-initramfs [73] | Add missing dependency on cpio |
| | |
| topal [74] | Fix misuse of sed character class syntax |
| | |
| torsocks [75] | Fix check_addr() to return either 0 or 1 |
| | |
| trace-cmd [76] | Fix segfault while processing certain |
| | trace files |
| | |
| unbound [77] | Fix install of trust anchor when two |
| | anchors are present; depend on dns-root- |
| | data (>= 2017072601~) for KSK-2017 |
| | |
| unknown-horizons [78] | Fix memory leak |
| | |
| up-imapproxy [79] | Correct systemd service file |
| | |
| vim [80] | Fix several crashes / illegal memory |
| | accesses [CVE-2017-11109] |
| | |
| waagent [81] | New upstream release, with support for |
| | Azure Stack |
| | |
| webkit2gtk [82] | Upstream security and bugfix release |
| | [CVE-2017-2538 CVE-2017-7052 CVE-2017- |
| | 7018 CVE-2017-7030 CVE-2017-7034 |
| | CVE-2017-7037 CVE-2017-7039 CVE-2017- |
| | 7046 CVE-2017-7048 CVE-2017-7055 |
| | CVE-2017-7056 CVE-2017-7061 CVE-2017- |
| | 7064] |
| | |
| whois [83] | Fix whois referrals |
| | for .com, .net, .jobs, .bz, .cc and .tv; |
| | add several new Indian TLD servers; |
| | update the list of gTLDs |
| | |
| wrk [84] | Fix build failures |
| | |
| xfonts-ayu [85] | Fix generation of bold and italic fonts |
| | |
| xkeyboard-config [86] | Move Indic layouts back to the main |
| | layout list, enabling their use again |
| | |
| yadm [87] | Fix race condition which could allow |
| | access to private PGP and SSH keys |
| | [CVE-2017-11353] |
| | | +--------------------------+------------------------------------------+

1: https://packages.debian.org/src:apt
2: https://packages.debian.org/src:at-spi2-core
3: https://packages.debian.org/src:bareos
4: https://packages.debian.org/src:bind9
5: https://packages.debian.org/src:bridge-utils
6: https://packages.debian.org/src:caja
7: https://packages.debian.org/src:chrony
8: https://packages.debian.org/src:cross-gcc
9: https://packages.debian.org/src:cvxopt
10: https://packages.debian.org/src:db5.3
11: https://packages.debian.org/src:dbus
12: https://packages.debian.org/src:debian-edu-doc
13: https://packages.debian.org/src:debian-installer
14: https://packages.debian.org/src:debian-installer-netboot-images
15: https://packages.debian.org/src:desktop-base
16: https://packages.debian.org/src:dns-root-data
17: https://packages.debian.org/src:dnsdist
18: https://packages.debian.org/src:dnsviz
19: https://packages.debian.org/src:dose3
20: https://packages.debian.org/src:ecl
21: https://packages.debian.org/src:erlang-p1-tls
22: https://packages.debian.org/src:evolution
23: https://packages.debian.org/src:expect
24: https://packages.debian.org/src:fife
25: https://packages.debian.org/src:flatpak
26: https://packages.debian.org/src:freerdp
27: https://packages.debian.org/src:gnome-exe-thumbnailer
28: https://packages.debian.org/src:gnupg2
29: https://packages.debian.org/src:gnutls28
30: https://packages.debian.org/src:gosa-plugin-mailaddress
31: https://packages.debian.org/src:gsoap
32: https://packages.debian.org/src:haveged
33: https://packages.debian.org/src:ipsec-tools
34: https://packages.debian.org/src:irssi
35: https://packages.debian.org/src:kanatest
36: https://packages.debian.org/src:kdepim
37: https://packages.debian.org/src:kf5-messagelib
38: https://packages.debian.org/src:krb5
39: https://packages.debian.org/src:lava-tool
40: https://packages.debian.org/src:librsb
41: https://packages.debian.org/src:libselinux
42: https://packages.debian.org/src:libsolv
43: https://packages.debian.org/src:libwpd
44: https://packages.debian.org/src:linux
45: https://packages.debian.org/src:linux-latest
46: https://packages.debian.org/src:lzma
47: https://packages.debian.org/src:mailman
48: https://packages.debian.org/src:mate-power-manager
49: https://packages.debian.org/src:mate-themes
50: https://packages.debian.org/src:mate-tweak
51: https://packages.debian.org/src:ncurses
52: https://packages.debian.org/src:nettle
53: https://packages.debian.org/src:node-brace-expansion
54: https://packages.debian.org/src:node-dateformat
55: https://packages.debian.org/src:ntp
56: https://packages.debian.org/src:nvidia-graphics-drivers
57: https://packages.debian.org/src:open-vm-tools
58: https://packages.debian.org/src:opendkim
59: https://packages.debian.org/src:openldap
60: https://packages.debian.org/src:openvpn
61: https://packages.debian.org/src:osinfo-db
62: https://packages.debian.org/src:pcb-rnd
63: https://packages.debian.org/src:postfix
64: https://packages.debian.org/src:python-pampy
65: https://packages.debian.org/src:request-tracker4
66: https://packages.debian.org/src:ruby-gnome2
67: https://packages.debian.org/src:samba
68: https://packages.debian.org/src:smplayer
69: https://packages.debian.org/src:speech-dispatcher
70: https://packages.debian.org/src:suricata
71: https://packages.debian.org/src:swift
72: https://packages.debian.org/src:tbdialout
73: https://packages.debian.org/src:tiny-initramfs
74: https://packages.debian.org/src:topal
75: https://packages.debian.org/src:torsocks
76: https://packages.debian.org/src:trace-cmd
77: https://packages.debian.org/src:unbound
78: https://packages.debian.org/src:unknown-horizons
79: https://packages.debian.org/src:up-imapproxy
80: https://packages.debian.org/src:vim
81: https://packages.debian.org/src:waagent
82: https://packages.debian.org/src:webkit2gtk
83: https://packages.debian.org/src:whois
84: https://packages.debian.org/src:wrk
85: https://packages.debian.org/src:xfonts-ayu
86: https://packages.debian.org/src:xkeyboard-config
87: https://packages.debian.org/src:yadm

Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+-----------------+-----------------------------+
| Advisory ID | Package | +-----------------+-----------------------------+
| DSA-3881 [88] | firefox-esr [89] |
| | |
| DSA-3898 [90] | expat [91] |
| | |
| DSA-3904 [92] | bind9 [93] |
| | |
| DSA-3909 [94] | samba [95] |
| | |
| DSA-3913 [96] | apache2 [97] |
| | |
| DSA-3914 [98] | imagemagick [99] |
| | |
| DSA-3915 [100] | ruby-mixlib-archive [101] |
| | |
| DSA-3916 [102] | atril [103] |
| | |
| DSA-3917 [104] | catdoc [105] |
| | |
| DSA-3919 [106] | openjdk-8 [107] |
| | |
| DSA-3920 [108] | qemu [109] |
| | |
| DSA-3921 [110] | enigmail [111] |
| | |
| DSA-3923 [112] | freerdp [113] |
| | |
| DSA-3924 [114] | varnish [115] |
| | |
| DSA-3925 [116] | qemu [117] |
| | |
| DSA-3926 [118] | chromium-browser [119] |
| | |
| DSA-3927 [120] | linux [121] |
| | |
| DSA-3928 [122] | firefox-esr [123] |
| | |
| DSA-3929 [124] | libsoup2.4 [125] |
| | |
| DSA-3930 [126] | freeradius [127] |
| | |
| DSA-3931 [128] | ruby-rack-cors [129] |
| | |
| DSA-3932 [130] | subversion [131] |
| | |
| DSA-3934 [132] | git [133] |
| | |
| DSA-3936 [134] | postgresql-9.6 [135] |
| | |
| DSA-3938 [136] | libgd2 [137] |
| | |
| DSA-3940 [138] | cvs [139] |
| | |
| DSA-3941 [140] | iortcw [141] |
| | |
| DSA-3942 [142] | supervisor [143] |
| | |

[continued in next message]

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)