------------------------------------------------------------------------
The Debian Project https://www.debian.org/ Updated Debian 9: 9.1 released press@debian.org
July 22nd, 2017 https://www.debian.org/News/2017/20170722 ------------------------------------------------------------------------


The Debian project is pleased to announce the first update of its stable distribution Debian 9 (codename "stretch"). This point release mainly
adds corrections for security issues, along with a few adjustments for
serious problems. Security advisories have already been published
separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 9 but only updates some of the packages included. There is no
need to throw away old "stretch" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list



Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

+--------------------------+------------------------------------------+
| Package | Reason | +--------------------------+------------------------------------------+
| 3dchess [1] | Reduce wasteful CPU consumption |
| | |
| adwaita-icon-theme [2] | Fix malformed send-to-symbolic icon |
| | |
| anope [3] | Fix incorrect mail-transport-agent |
| | relationship |
| | |
| apt [4] | Reset failure reason when connection was |
| | successful, so later errors are reported |
| | as such and not as "connection failure" |
| | warnings; http: A response with Content- |
| | Length: 0 has no content, so don't try |
| | to read it; use port from SRV record |
| | instead of initial port |
| | |
| avogadro [5] | Update eigen3 patches |
| | |
| base-files [6] | Update for the 9.1 point release |
| | |
| c-ares [7] | Security fix [CVE-2017-1000381] |
| | |
| debian-edu-doc [8] | Update Debian Edu Stretch manual from |
| | the wiki; update translations |
| | |
| debsecan [9] | Add support for stretch and buster; |
| | Python needs https_proxy for proxy |
| | configuration with https:// URLs |
| | |
| devscripts [10] | debchange: target stretch-backports with |
| | --bpo; support $codename{,-{proposed- |
| | updates,security}}; bts: add support for |
| | the new "a11y" tag |
| | |
| dgit [11] | Multiple bugfixes |
| | |
| dovecot [12] | Fix syntax errors when sending Solr |
| | queries |
| | |
| dwarfutils [13] | Security fixes [CVE-2017-9052 CVE-2017- |
| | 9053 CVE-2017-9054 CVE-2017-9055 |
| | CVE-2017-9998] |
| | |
| fpc [14] | Fix conversion from local time to UTC |
| | |
| galternatives [15] | Fix blank window when displaying |
| | properties |
| | |
| geolinks [16] | Fix python3 dependencies |
| | |
| gnats [17] | gnats-user: do not fail to purge if / |
| | var/lib/gnats/gnats-db is not empty |
| | |
| gnome-settings- | Do not add the "US" keyboard layout by |
| daemon [18] | default for new users, for some reason, |
| | this layout was preferred over the |
| | system configured one on the first |
| | login; preserve NumLock state between |
| | sessions by default |
| | |
| gnuplot [19] | Fix memory corruption vulnerability |
| | |
| gnutls28 [20] | Fix breakage with AES-GCM in-place |
| | encryption and decryption on aarch64 |
| | |
| grub-installer [21] | Fix support for systems with a large |
| | number of disks |
| | |
| intel-microcode [22] | Update included microcode |
| | |
| libclamunrar [23] | Fix arbitrary memory write [CVE-2012- |
| | 6706] |
| | |
| libopenmpt [24] | Security fixes: out-of-bounds read while |
| | loading a malfomed PLM file; arbitrary |
| | code execution by a crafted PSM file |
| | [CVE-2017-11311]; various security fixes |
| | |
| libquicktime [25] | Security fixes [CVE-2017-9122 CVE-2017- |
| | 9123 CVE-2017-9124 CVE-2017-9125 |
| | CVE-2017-9126 CVE-2017-9127 CVE-2017- |
| | 9128] |
| | |
| linux-latest [26] | Revert changes to debug symbol meta- |
| | packages |
| | |
| nagios-nrpe [27] | Restore previous SSL defaults |
| | |
| nvidia-graphics- | Bump Pre-Depends: nvidia-installer- |
| drivers [28] | cleanup to (>= 20151021) for smoother |
| | upgrades from jessie |
| | |
| octave-ocs [29] | Fix loading package functions |
| | |
| open-iscsi [30] | Speed up Debian Installer when iSCSI is |
| | not used |
| | |
| openssh [31] | Fix incoming compression statistics |
| | |
| openstack-debian- | Also add security updates for non |
| images [32] | wheezy/jessie |
| | |
| os-prober [33] | EFI - look for "dos" instead of |
| | "msdos" |
| | |
| osinfo-db [34] | Improve support for Stretch and Jessie |
| | |
| partman-base [35] | Protect the firmware area on all mmcblk |
| | devices (and not only on mmcblk0) from |
| | being clobbered during guided |
| | partitioning |
| | |
| pdns-recursor [36] | Add 2017 DNSSEC root key |
| | |
| perl [37] | Backport various Getopt-Long fixes from |
| | upstream 2.49..2.51; backport upstream |
| | patch fixing regexp "Malformed UTF-8 |
| | character" ; apply upstream base.pm no- |
| | dot-in-inc fix |
| | |
| phpunit [38] | Security fix: arbitrary PHP code |
| | execution via HTTP POST |
| | |
| protozero [39] | Fix data_view equality operator |
| | |
| pulseaudio [40] | Fix copyright file |
| | |
| pykde4 [41] | Drop bindings for plasma webview |
| | bindings; they're obsolete and non- |
| | functional |
| | |
| python-colorlog [42] | Fix python3 dependencies |
| | |
| python-imaplib2 [43] | Fix python3 dependencies |
| | |
| python-plumbum [44] | Fix python3 dependencies |
| | |
| qgis [45] | Fix missing Breaks/Replaces against |
| | python-qgis-common |
| | |
| request-tracker4 [46] | Handle configuration permissions |
| | correctly following RT_SiteConfig.d |
| | changes |
| | |
| retext [47] | Backport upstream fix for crash in |
| | XSettings code; fix syntax in appdata |
| | XML file |
| | |
| rkhunter [48] | Disable remote updates [CVE-2017-7480] |
| | |
| socat [49] | Fix signals leading to possible 100% CPU |
| | usage |
| | |
| squashfs-tools [50] | Fix corruption of large files; fix rare |
| | race condition |
| | |
| systemd [51] | Fix out-of-bounds write in systemd- |
| | resolved [CVE-2017-9445]; be truly quiet |
| | in systemctl -q is-enabled; improve |
| | RLIMIT_NOFILE handling; debian/extra/ |
| | rules: Use updated U2F ruleset |
| | |
| thermald [52] | Add Broadwell-GT3E and Kabylake support |
| | |
| unrar-nonfree [53] | Add bound checks for VMSF_DELTA, |
| | VMSF_RGB and VMSF_AUDIO paramters |
| | [CVE-2012-6706] |
| | |
| win32-loader [54] | Replace all mirror urls with |
| | deb.debian.org; drop bz2 compression for |
| | source |
| | | +--------------------------+------------------------------------------+

1: https://packages.debian.org/src:3dchess
2: https://packages.debian.org/src:adwaita-icon-theme
3: https://packages.debian.org/src:anope
4: https://packages.debian.org/src:apt
5: https://packages.debian.org/src:avogadro
6: https://packages.debian.org/src:base-files
7: https://packages.debian.org/src:c-ares
8: https://packages.debian.org/src:debian-edu-doc
9: https://packages.debian.org/src:debsecan
10: https://packages.debian.org/src:devscripts
11: https://packages.debian.org/src:dgit
12: https://packages.debian.org/src:dovecot
13: https://packages.debian.org/src:dwarfutils
14: https://packages.debian.org/src:fpc
15: https://packages.debian.org/src:galternatives
16: https://packages.debian.org/src:geolinks
17: https://packages.debian.org/src:gnats
18: https://packages.debian.org/src:gnome-settings-daemon
19: https://packages.debian.org/src:gnuplot
20: https://packages.debian.org/src:gnutls28
21: https://packages.debian.org/src:grub-installer
22: https://packages.debian.org/src:intel-microcode
23: https://packages.debian.org/src:libclamunrar
24: https://packages.debian.org/src:libopenmpt
25: https://packages.debian.org/src:libquicktime
26: https://packages.debian.org/src:linux-latest
27: https://packages.debian.org/src:nagios-nrpe
28: https://packages.debian.org/src:nvidia-graphics-drivers
29: https://packages.debian.org/src:octave-ocs
30: https://packages.debian.org/src:open-iscsi
31: https://packages.debian.org/src:openssh
32: https://packages.debian.org/src:openstack-debian-images
33: https://packages.debian.org/src:os-prober
34: https://packages.debian.org/src:osinfo-db
35: https://packages.debian.org/src:partman-base
36: https://packages.debian.org/src:pdns-recursor
37: https://packages.debian.org/src:perl
38: https://packages.debian.org/src:phpunit
39: https://packages.debian.org/src:protozero
40: https://packages.debian.org/src:pulseaudio
41: https://packages.debian.org/src:pykde4
42: https://packages.debian.org/src:python-colorlog
43: https://packages.debian.org/src:python-imaplib2
44: https://packages.debian.org/src:python-plumbum
45: https://packages.debian.org/src:qgis
46: https://packages.debian.org/src:request-tracker4
47: https://packages.debian.org/src:retext
48: https://packages.debian.org/src:rkhunter
49: https://packages.debian.org/src:socat
50: https://packages.debian.org/src:squashfs-tools
51: https://packages.debian.org/src:systemd
52: https://packages.debian.org/src:thermald
53: https://packages.debian.org/src:unrar-nonfree
54: https://packages.debian.org/src:win32-loader

Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+----------------+-----------------------+
| Advisory ID | Package | +----------------+-----------------------+
| DSA-3876 [55] | otrs2 [56] |
| | |
| DSA-3877 [57] | tor [58] |
| | |
| DSA-3882 [59] | request-tracker4 [60] |
| | |
| DSA-3884 [61] | gnutls28 [62] |
| | |
| DSA-3885 [63] | irssi [64] |
| | |
| DSA-3886 [65] | linux [66] |
| | |
| DSA-3887 [67] | glibc [68] |
| | |
| DSA-3888 [69] | exim4 [70] |
| | |
| DSA-3890 [71] | spip [72] |
| | |
| DSA-3891 [73] | tomcat8 [74] |
| | |
| DSA-3893 [75] | jython [76] |
| | |
| DSA-3895 [77] | flatpak [78] |
| | |
| DSA-3896 [79] | apache2 [80] |
| | |
| DSA-3897 [81] | drupal7 [82] |
| | |
| DSA-3900 [83] | openvpn [84] |
| | |
| DSA-3901 [85] | libgcrypt20 [86] |
| | |
| DSA-3902 [87] | jabberd2 [88] |
| | |
| DSA-3903 [89] | tiff [90] |
| | |
| DSA-3904 [91] | bind9 [92] |
| | |
| DSA-3905 [93] | xorg-server [94] |
| | |
| DSA-3906 [95] | undertow [96] |
| | |
| DSA-3907 [97] | spice [98] |
| | |
| DSA-3908 [99] | nginx [100] |
| | |
| DSA-3910 [101] | knot [102] |
| | |
| DSA-3911 [103] | evince [104] |
| | |
| DSA-3912 [105] | heimdal [106] |
| | | +----------------+-----------------------+

55: https://www.debian.org/security/2017/dsa-3876
56: https://packages.debian.org/src:otrs2
57: https://www.debian.org/security/2017/dsa-3877
58: https://packages.debian.org/src:tor
59: https://www.debian.org/security/2017/dsa-3882
60: https://packages.debian.org/src:request-tracker4
61: https://www.debian.org/security/2017/dsa-3884
62: https://packages.debian.org/src:gnutls28
63: https://www.debian.org/security/2017/dsa-3885
64: https://packages.debian.org/src:irssi
65: https://www.debian.org/security/2017/dsa-3886
66: https://packages.debian.org/src:linux
67: https://www.debian.org/security/2017/dsa-3887
68: https://packages.debian.org/src:glibc
69: https://www.debian.org/security/2017/dsa-3888
70: https://packages.debian.org/src:exim4
71: https://www.debian.org/security/2017/dsa-3890
72: https://packages.debian.org/src:spip
73: https://www.debian.org/security/2017/dsa-3891
74: https://packages.debian.org/src:tomcat8
75: https://www.debian.org/security/2017/dsa-3893
76: https://packages.debian.org/src:jython
77: https://www.debian.org/security/2017/dsa-3895
78: https://packages.debian.org/src:flatpak
79: https://www.debian.org/security/2017/dsa-3896
80: https://packages.debian.org/src:apache2
81: https://www.debian.org/security/2017/dsa-3897
82: https://packages.debian.org/src:drupal7
83: https://www.debian.org/security/2017/dsa-3900
84: https://packages.debian.org/src:openvpn
85: https://www.debian.org/security/2017/dsa-3901
86: https://packages.debian.org/src:libgcrypt20
87: https://www.debian.org/security/2017/dsa-3902
88: https://packages.debian.org/src:jabberd2
89: https://www.debian.org/security/2017/dsa-3903
90: https://packages.debian.org/src:tiff
91: https://www.debian.org/security/2017/dsa-3904
92: https://packages.debian.org/src:bind9
93: https://www.debian.org/security/2017/dsa-3905
94: https://packages.debian.org/src:xorg-server
95: https://www.debian.org/security/2017/dsa-3906
96: https://packages.debian.org/src:undertow
97: https://www.debian.org/security/2017/dsa-3907
98: https://packages.debian.org/src:spice
99: https://www.debian.org/security/2017/dsa-3908
100: https://packages.debian.org/src:nginx
101: https://www.debian.org/security/2017/dsa-3910
102: https://packages.debian.org/src:knot
103: https://www.debian.org/security/2017/dsa-3911
104: https://packages.debian.org/src:evince
105: https://www.debian.org/security/2017/dsa-3912
106: https://packages.debian.org/src:heimdal

Removed packages
----------------

The following packages were removed due to circumstances beyond our
control:

+-------------+---------------------------------+
| Package | Reason | +-------------+---------------------------------+
| aiccu [107] | Useless since shutdown of SixXS |
| | | +-------------+---------------------------------+

107: https://packages.debian.org/src:aiccu

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.


URLs
----

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/stretch/ChangeLog


The current stable distribution:

http://ftp.debian.org/debian/dists/stable/


Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates


stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/


Security announcements and information:

https://security.debian.org/


About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free operating system Debian.


Contact Information
-------------------

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.


-----BEGIN PGP SIGNATURE-----

iQEzBAABCgAdFiEEnM1rMZ2/jkCrGr0aia+CtznNIXoFAllzcZUACgkQia+CtznN IXoCcgf+OVwwrjUgxyAI9wUUgoTAaTn+WkDxGotbKKFZDVJP9Tur5Tvbhs6WIo3X u8p9BeZ06yjawXuuUR3jI+L9w1HdDi2cyhWH1tjcXnu2Iulsr8fDNnaCms41Xosu yuMTOK76XegmLTYytWEvw9eUL0QmC8oqiCJ/GcvJv4TSO4HQ75LraBGbPn0Lkzxh PnEyfqpSx7oNxOWqJ8lgfyAq/0vIanT7tbZ11GLEc9VQA8tbeTe03eqQEGLvcV58 rtPuvN2OeKm6Rrs7x9UTRqzK7QFY0eVB3PNIp2x0ThjaGWTomXzoi6r80smSAteb 13AMKKNaYSAPcvinT8dEmNG6igAKPQ==
=AAs2
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)