------------------------------------------------------------------------
The Debian Project
https://www.debian.org/ Updated Debian 9: 9.12 released
press@debian.org February 8th, 2020
https://www.debian.org/News/2020/2020020802 ------------------------------------------------------------------------
The Debian project is pleased to announce the twelth update of its
oldstable distribution Debian 9 (codename "stretch"). This point release
mainly adds corrections for security issues, along with a few
adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of
Debian 9 but only updates some of the packages included. There is no
need to throw away old "stretch" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:
https://www.debian.org/mirror/list
Miscellaneous Bugfixes
----------------------
This oldstable update adds a few important corrections to the following packages:
+----------------------------+----------------------------------------+
| Package | Reason | +----------------------------+----------------------------------------+
| base-files [1] | Update for the point release |
| | |
| cargo [2] | New upstream version, to support |
| | Firefox ESR backports; fix bootstrap |
| | for armhf |
| | |
| clamav [3] | New upstream release; fix denial of |
| | service issue [CVE-2019-15961]; remove |
| | ScanOnAccess option, replacing with |
| | clamonacc |
| | |
| cups [4] | Fix validation of default language in |
| | ippSetValuetag [CVE-2019-2228] |
| | |
| debian-installer [5] | Rebuild against oldstable-proposed- |
| | updates; set gfxpayload=keep in |
| | submenus too, to fix unreadable fonts |
| | on hidpi displays in netboot images |
| | booted with EFI; update USE_UDEBS_FROM |
| | default from unstable to stretch, to |
| | help users performing local builds |
| | |
| debian-installer-netboot- | Rebuild against stretch-proposed- |
| images [6] | updates |
| | |
| debian-security- | Update security support status of |
| support [7] | several packages |
| | |
| dehydrated [8] | New upstream release; use ACMEv2 API |
| | by default |
| | |
| dispmua [9] | New upstream release compatible with |
| | Thunderbird 68 |
| | |
| dpdk [10] | New upstream stable release; fix vhost |
| | regression introduced by the fix for |
| | CVE-2019-14818 |
| | |
| fence-agents [11] | Fix incomplete removal of fence_amt_ws |
| | |
| fig2dev [12] | Allow Fig v2 text strings ending with |
| | multiple ^A [CVE-2019-19555] |
| | |
| flightcrew [13] | Security fixes [CVE-2019-13032 |
| | CVE-2019-13241] |
| | |
| freetype [14] | Correctly handle deltas in TrueType GX |
| | fonts, fixing rendering of variable |
| | hinted fonts in Chromium and Firefox |
| | |
| glib2.0 [15] | Ensure libdbus clients can |
| | authenticate with a GDBusServer like |
| | the one in ibus |
| | |
| gnustep-base [16] | Fix UDP amplification vulnerability |
| | |
| italc [17] | Security fixes [CVE-2018-15126 |
| | CVE-2018-15127 CVE-2018-20019 |
| | CVE-2018-20020 CVE-2018-20021 |
| | CVE-2018-20022 CVE-2018-20023 |
| | CVE-2018-20024 CVE-2018-20748 |
| | CVE-2018-20749 CVE-2018-20750 |
| | CVE-2018-6307 CVE-2018-7225 CVE-2019- |
| | 15681] |
| | |
| libdate-holidays-de- | Mark International Childrens Day (Sep |
| perl [18] | 20th) as a holiday in Thuringia from |
| | 2019 onwards |
| | |
| libdatetime-timezone- | Update included data |
| perl [19] | |
| | |
| libidn [20] | Fix denial of service vulnerability in |
| | Punycode handling [CVE-2017-14062] |
| | |
| libjaxen-java [21] | Fix build failure by allowing test |
| | failures |
| | |
| libofx [22] | Fix NULL pointer dereference issue |
| | [CVE-2019-9656] |
| | |
| libole-storage-lite- | Fix interpretation of years from 2020 |
| perl [23] | onwards |
| | |
| libparse-win32registry- | Fix interpretation of years from 2020 |
| perl [24] | onwards |
| | |
| libperl4-corelibs- | Fix interpretation of years from 2020 |
| perl [25] | onwards |
| | |
| libpst [26] | Fix detection of get_current_dir_name |
| | and return truncation |
| | |
| libsixel [27] | Fix several security issues [CVE-2018- |
| | 19756 CVE-2018-19757 CVE-2018-19759 |
| | CVE-2018-19761 CVE-2018-19762 |
| | CVE-2018-19763 CVE-2019-3573 CVE-2019- |
| | 3574] |
| | |
| libsolv [28] | Fix heap buffer overflow [CVE-2019- |
| | 20387] |
| | |
| libtest-mocktime-perl [29] | Fix interpretation of years from 2020 |
| | onwards |
| | |
| libtimedate-perl [30] | Fix interpretation of years from 2020 |
| | onwards |
| | |
| libvncserver [31] | RFBserver: don't leak stack memory to |
| | the remote [CVE-2019-15681]; resolve a |
| | freeze during connection closure and a |
| | segmentation fault on multi-threaded |
| | VNC servers; fix issue connecting to |
| | VMWare servers; fix crashing of x11vnc |
| | when vncviewer connects |
| | |
| libxslt [32] | Fix dangling pointer in xsltCopyText |
| | [CVE-2019-18197] |
| | |
| limnoria [33] | Fix remote information disclosure and |
| | possibly remote code execution in the |
| | Math plugin [CVE-2019-19010] |
| | |
| linux [34] | New upstream stable release |
| | |
| linux-latest [35] | Update for Linux kernel ABI 4.9.0-12 |
| | |
| llvm-toolchain-7 [36] | Disable the gold linker from s390x; |
| | bootstrap with -fno-addrsig, stretch's |
| | binutils doesn't work with it on |
| | mips64el |
| | |
| mariadb-10.1 [37] | New upstream stable release [CVE-2019- |
| | 2974 CVE-2020-2574] |
| | |
| monit [38] | Implement position independent CSRF |
| | cookie value |
| | |
| node-fstream [39] | Clobber a Link if it's in the way of a |
| | File [CVE-2019-13173] |
| | |
| node-mixin-deep [40] | Fix prototype polution [CVE-2018-3719 |
| | CVE-2019-10746] |
| | |
| nodejs-mozilla [41] | New package to support Firefox ESR |
| | backports |
| | |
| nvidia-graphics-drivers- | New upstream stable release |
| legacy-340xx [42] | |
| | |
| nyancat [43] | Rebuild in a clean environment to add |
| | the systemd unit for nyancat-server |
| | |
| openjpeg2 [44] | Fix heap overflow [CVE-2018-21010], |
| | integer overflow [CVE-2018-20847] and |
| | division by zero [CVE-2016-9112] |
| | |
| perl [45] | Fix interpretation of years from 2020 |
| | onwards |
| | |
| php-horde [46] | Fix stored cross-site scripting issue |
| | in Horde Cloud Block [CVE-2019-12095] |
| | |
| postfix [47] | New upstream stable release; work |
| | around poor TCP loopback performance |
| | |
| postgresql-9.6 [48] | New upstream release |
| | |
| proftpd-dfsg [49] | Fix NULL pointer dereference in CRL |
| | checks [CVE-2019-19269] |
| | |
| pykaraoke [50] | Fix path to fonts |
| | |
| python-acme [51] | Switch to POST-as-GET protocol |
| | |
| python-cryptography [52] | Fix test suite failures when built |
| | against newer OpenSSL versions |
| | |
| python-flask-rdf [53] | Fix missing dependencies in python3- |
| | flask-rdf |
| | |
| python-pgmagick [54] | Handle version detection of |
| | graphicsmagick security updates that |
| | identify themselves as version 1.4 |
| | |
| python-werkzeug [55] | Ensure Docker containers have unique |
| | debugger PINs [CVE-2019-14806] |
| | |
| ros-ros-comm [56] | Fix buffer overflow issue [CVE-2019- |
| | 13566]; fix integer overflow |
| | [CVE-2019-13445] |
| | |
| ruby-encryptor [57] | Ignore test failures, fixing build |
| | failures |
| | |
| rust-cbindgen [58] | New package to support Firefox ESR |
| | backports |
| | |
| rustc [59] | New upstream version, to support |
| | Firefox ESR backports |
| | |
| safe-rm [60] | Prevent installation in (and thereby |
| | breaking of) merged /usr environments |
| | |
| sorl-thumbnail [61] | Workaround a pgmagick exception |
| | |
| sssd [62] | sysdb: sanitize search filter input |
| | [CVE-2017-12173] |
| | |
| tigervnc [63] | Security updates [CVE-2019-15691 |
| | CVE-2019-15692 CVE-2019-15693 |
| | CVE-2019-15694 CVE-2019-15695] |
| | |
| tightvnc [64] | Security fixes [CVE-2014-6053 2019- |
| | 8287 CVE-2018-20021 CVE-2018-20022 |
| | CVE-2018-20748 CVE-2018-7225 CVE-2019- |
| | 15678 CVE-2019-15679 CVE-2019-15680 |
| | CVE-2019-15681 CVE-2019-8287] |
| | |
| tmpreaper [65] | Add "--protect '/tmp/systemd- |
| | private*/*'" to cron job to prevent |
| | breaking systemd services that have |
| | PrivateTmp=true |
| | |
| tzdata [66] | New upstream release |
| | |
| ublock-origin [67] | New upstream version, compatible with |
| | Firefox ESR68 |
| | |
| unhide [68] | Fix stack exhaustion |
| | |
| x2goclient [69] | Strip ~/, ~user{,/}, ${HOME}{,/} and |
| | $HOME{,/} from destination paths in |
| | scp mode; fixes regression with newer |
| | libssh versions with fixes for |
| | CVE-2019-14889 applied |
| | |
| xml-security-c [70] | Fix "DSA verification crashes OpenSSL |
| | on invalid combinations of key |
| | content" |
| | | +----------------------------+----------------------------------------+
1:
https://packages.debian.org/src:base-files
2:
https://packages.debian.org/src:cargo
3:
https://packages.debian.org/src:clamav
4:
https://packages.debian.org/src:cups
5:
https://packages.debian.org/src:debian-installer
6:
https://packages.debian.org/src:debian-installer-netboot-images
7:
https://packages.debian.org/src:debian-security-support
8:
https://packages.debian.org/src:dehydrated
9:
https://packages.debian.org/src:dispmua
10:
https://packages.debian.org/src:dpdk
11:
https://packages.debian.org/src:fence-agents
12:
https://packages.debian.org/src:fig2dev
13:
https://packages.debian.org/src:flightcrew
14:
https://packages.debian.org/src:freetype
15:
https://packages.debian.org/src:glib2.0
16:
https://packages.debian.org/src:gnustep-base
17:
https://packages.debian.org/src:italc
18:
https://packages.debian.org/src:libdate-holidays-de-perl
19:
https://packages.debian.org/src:libdatetime-timezone-perl
20:
https://packages.debian.org/src:libidn
21:
https://packages.debian.org/src:libjaxen-java
22:
https://packages.debian.org/src:libofx
23:
https://packages.debian.org/src:libole-storage-lite-perl
24:
https://packages.debian.org/src:libparse-win32registry-perl
25:
https://packages.debian.org/src:libperl4-corelibs-perl
26:
https://packages.debian.org/src:libpst
27:
https://packages.debian.org/src:libsixel
28:
https://packages.debian.org/src:libsolv
29:
https://packages.debian.org/src:libtest-mocktime-perl
30:
https://packages.debian.org/src:libtimedate-perl
31:
https://packages.debian.org/src:libvncserver
32:
https://packages.debian.org/src:libxslt
33:
https://packages.debian.org/src:limnoria
34:
https://packages.debian.org/src:linux
35:
https://packages.debian.org/src:linux-latest
36:
https://packages.debian.org/src:llvm-toolchain-7
37:
https://packages.debian.org/src:mariadb-10.1
38:
https://packages.debian.org/src:monit
39:
https://packages.debian.org/src:node-fstream
40:
https://packages.debian.org/src:node-mixin-deep
41:
https://packages.debian.org/src:nodejs-mozilla
42:
https://packages.debian.org/src:nvidia-graphics-drivers-legacy-340xx
43:
https://packages.debian.org/src:nyancat
44:
https://packages.debian.org/src:openjpeg2
45:
https://packages.debian.org/src:perl
46:
https://packages.debian.org/src:php-horde
47:
https://packages.debian.org/src:postfix
48:
https://packages.debian.org/src:postgresql-9.6
49:
https://packages.debian.org/src:proftpd-dfsg
50:
https://packages.debian.org/src:pykaraoke
51:
https://packages.debian.org/src:python-acme
52:
https://packages.debian.org/src:python-cryptography
53:
https://packages.debian.org/src:python-flask-rdf
54:
https://packages.debian.org/src:python-pgmagick
55:
https://packages.debian.org/src:python-werkzeug
56:
https://packages.debian.org/src:ros-ros-comm
57:
https://packages.debian.org/src:ruby-encryptor
58:
https://packages.debian.org/src:rust-cbindgen
59:
https://packages.debian.org/src:rustc
60:
https://packages.debian.org/src:safe-rm
61:
https://packages.debian.org/src:sorl-thumbnail
62:
https://packages.debian.org/src:sssd
63:
https://packages.debian.org/src:tigervnc
64:
https://packages.debian.org/src:tightvnc
65:
https://packages.debian.org/src:tmpreaper
66:
https://packages.debian.org/src:tzdata
67:
https://packages.debian.org/src:ublock-origin
68:
https://packages.debian.org/src:unhide
69:
https://packages.debian.org/src:x2goclient
70:
https://packages.debian.org/src:xml-security-c
Security Updates
----------------
This revision adds the following security updates to the oldstable
release. The Security Team has already released an advisory for each of
these updates:
+----------------+-------------------------+
| Advisory ID | Package | +----------------+-------------------------+
| DSA-4474 [71] | firefox-esr [72] |
| | |
| DSA-4479 [73] | firefox-esr [74] |
| | |
| DSA-4509 [75] | apache2 [76] |
| | |
| DSA-4509 [77] | subversion [78] |
| | |
| DSA-4511 [79] | nghttp2 [80] |
| | |
| DSA-4516 [81] | firefox-esr [82] |
| | |
| DSA-4517 [83] | exim4 [84] |
| | |
| DSA-4518 [85] | ghostscript [86] |
| | |
| DSA-4519 [87] | libreoffice [88] |
| | |
| DSA-4522 [89] | faad2 [90] |
| | |
| DSA-4523 [91] | thunderbird [92] |
| | |
| DSA-4525 [93] | ibus [94] |
| | |
| DSA-4526 [95] | opendmarc [96] |
| | |
| DSA-4528 [97] | bird [98] |
| | |
| DSA-4529 [99] | php7.0 [100] |
| | |
| DSA-4530 [101] | expat [102] |
| | |
| DSA-4531 [103] | linux [104] |
| | |
| DSA-4532 [105] | spip [106] |
| | |
| DSA-4535 [107] | e2fsprogs [108] |
| | |
| DSA-4537 [109] | file-roller [110] |
| | |
| DSA-4539 [111] | openssl [112] |
| | |
| DSA-4540 [113] | openssl1.0 [114] |
| | |
| DSA-4541 [115] | libapreq2 [116] |
| | |
| DSA-4542 [117] | jackson-databind [118] |
| | |
| DSA-4543 [119] | sudo [120] |
| | |
| DSA-4545 [121] | mediawiki [122] |
| | |
| DSA-4547 [123] | tcpdump [124] |
| | |
| DSA-4548 [125] | openjdk-8 [126] |
| | |
| DSA-4549 [127] | firefox-esr [128] |
| | |
| DSA-4550 [129] | file [130] |
| | |
| DSA-4552 [131] | php7.0 [132] |
| | |
| DSA-4554 [133] | ruby-loofah [134] |
| | |
| DSA-4555 [135] | pam-python [136] |
| | |
| DSA-4557 [137] | libarchive [138] |
| | |
| DSA-4559 [139] | proftpd-dfsg [140] |
| | |
| DSA-4560 [141] | simplesamlphp [142] |
| | |
| DSA-4564 [143] | linux [144] |
| | |
| DSA-4565 [145] | intel-microcode [146] |
| | |
| DSA-4567 [147] | dpdk [148] |
| | |
| DSA-4568 [149] | postgresql-common [150] |
| | |
| DSA-4569 [151] | ghostscript [152] |
| | |
| DSA-4571 [153] | thunderbird [154] |
| | |
| DSA-4573 [155] | symfony [156] |
| | |
| DSA-4574 [157] | redmine [158] |
| | |
| DSA-4576 [159] | php-imagick [160] |
| | |
| DSA-4578 [161] | libvpx [162] |
| | |
| DSA-4580 [163] | firefox-esr [164] |
| | |
| DSA-4581 [165] | git [166] |
| | |
| DSA-4582 [167] | davical [168] |
| | |
| DSA-4584 [169] | spamassassin [170] |
| | |
| DSA-4585 [171] | thunderbird [172] |
| | |
| DSA-4587 [173] | ruby2.3 [174] |
| | |
| DSA-4588 [175] | python-ecdsa [176] |
| | |
| DSA-4589 [177] | debian-edu-config [178] |
| | |
| DSA-4590 [179] | cyrus-imapd [180] |
| | |
| DSA-4591 [181] | cyrus-sasl2 [182] |
| | |
| DSA-4592 [183] | mediawiki [184] |
| | |
| DSA-4593 [185] | freeimage [186] |
| | |
| DSA-4594 [187] | openssl1.0 [188] |
| | |
| DSA-4595 [189] | debian-lan-config [190] |
| | |
| DSA-4596 [191] | tomcat8 [192] |
| | |
| DSA-4596 [193] | tomcat-native [194] |
| | |
| DSA-4597 [195] | netty [196] |
| | |
| DSA-4598 [197] | python-django [198] |
| | |
| DSA-4600 [199] | firefox-esr [200] |
| | |
| DSA-4601 [201] | ldm [202] |
| | |
| DSA-4602 [203] | xen [204] |
| | |
| DSA-4603 [205] | thunderbird [206] |
| | |
| DSA-4604 [207] | cacti [208] |
| | |
| DSA-4607 [209] | openconnect [210] |
| | |
| DSA-4609 [211] | python-apt [212] |
| | |
| DSA-4611 [213] | opensmtpd [214] |
| | |
| DSA-4612 [215] | prosody-modules [216] |
| | |
| DSA-4614 [217] | sudo [218] |
| | |
| DSA-4615 [219] | spamassassin [220] |
| | | +----------------+-------------------------+
71:
https://www.debian.org/security/2019/dsa-4474
72:
https://packages.debian.org/src:firefox-esr
73:
https://www.debian.org/security/2019/dsa-4479
74:
https://packages.debian.org/src:firefox-esr
75:
https://www.debian.org/security/2019/dsa-4509
76:
https://packages.debian.org/src:apache2
77:
https://www.debian.org/security/2019/dsa-4509
78:
https://packages.debian.org/src:subversion
79:
https://www.debian.org/security/2019/dsa-4511
80:
https://packages.debian.org/src:nghttp2
81:
https://www.debian.org/security/2019/dsa-4516
82:
https://packages.debian.org/src:firefox-esr
83:
https://www.debian.org/security/2019/dsa-4517
84:
https://packages.debian.org/src:exim4
85:
https://www.debian.org/security/2019/dsa-4518
86:
https://packages.debian.org/src:ghostscript
87:
https://www.debian.org/security/2019/dsa-4519
88:
https://packages.debian.org/src:libreoffice
89:
https://www.debian.org/security/2019/dsa-4522
90:
https://packages.debian.org/src:faad2
91:
https://www.debian.org/security/2019/dsa-4523
92:
https://packages.debian.org/src:thunderbird
93:
https://www.debian.org/security/2019/dsa-4525
94:
https://packages.debian.org/src:ibus
95:
https://www.debian.org/security/2019/dsa-4526
96:
https://packages.debian.org/src:opendmarc
97:
https://www.debian.org/security/2019/dsa-4528
98:
https://packages.debian.org/src:bird
99:
https://www.debian.org/security/2019/dsa-4529
100:
https://packages.debian.org/src:php7.0
101:
https://www.debian.org/security/2019/dsa-4530
102:
https://packages.debian.org/src:expat
103:
https://www.debian.org/security/2019/dsa-4531
104:
https://packages.debian.org/src:linux
105:
https://www.debian.org/security/2019/dsa-4532
106:
https://packages.debian.org/src:spip
107:
https://www.debian.org/security/2019/dsa-4535
108:
https://packages.debian.org/src:e2fsprogs
109:
https://www.debian.org/security/2019/dsa-4537
110:
https://packages.debian.org/src:file-roller
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)