Updated Debian 9: 9.4 released
10 March 2018
The Debian project is pleased to announce the fourth update of its stable distribution Debian 9 (codename stretch).
This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included. There is no need to throw away old stretch media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org will not have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous bugfixes
This stable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
acme-tiny | Fix outdated version of the subscriber agreement |
activity-log-manager | Add missing dependency on python-zeitgeist |
agenda.app | Fix creation of tasks and appointments |
apparmor | Move the features file to /usr/share/apparmor-features; pin the AppArmor feature set to Stretch's kernel |
auto-apt-proxy | Move apt configuration away on removal, and put it back on reinstalls |
bareos | Fix backups failing with "No Volume name given" |
base-files | Update for the point release |
cappuccino | Add missing dependency on gir1.2-gtk-3.0 |
cerealizer | Fix Python3 dependencies |
clamav | New upstream release; security update [CVE-2017-6418 CVE-2017-6420 CVE-2017-12374 CVE-2017-12375 CVE-2017-12376 CVE-2017-12377 CVE-2017-12378 CVE-2017-12379 CVE-2017-12380] |
cron | Properly transition system jobs to system_cronjob_t SELinux context and stop relying on refpolicy specific identifiers |
cups | Fix execution of arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding [CVE-2017-18190] |
dbus | New upstream release; raise file descriptor limit sooner, fixing a regression in local DoS fix |
debian-edu-config | Pre-configure Chromium Webbrowser system-wide to auto-detect the http proxy settings via WPAD; allow joining of Windows 10 clients to the Samba NT4-style domain |
debian-installer | Bump Linux kernel version from 4.9.0-4 to 4.9.0-6 |
debian-installer-netboot-images | Update to 20170615+deb9u3 images, from stretch-proposed-updates |
directfb | Fix architecture-based filter to actually install drivers |
dpdk | Update to new stable point release |
espeakup | udeb: fix case where card 0 does not have an id or where cards have non-contiguous indexes; use English by default; use card id in installed system to avoid issues with card detection ordering |
exam | Fix Python3 dependencies |
flatpak | New upstream release; fix a D-Bus filtering bypass in flatpak-dbus-proxy; ignore unrecognised permission strings, instead of failing; do not allow legacy eavesdropping on the D-Bus session bus |
fuse-zip | Fix writeback fail with libzip 1.0 |
glade | Fix possible infinite loop |
glibc | Do not update /etc/nsswitch.conf when its content already matches the default; debian/script.in/nohwcap.sh: always check for all optimized packages as multiarch allows one to install foreign architectures; avoid use-after-free read access in clntudp_call [CVE-2017-12133]; define collation for Malayalam chillu characters and correct collation of U+0D36 and U+0D37 Malayalam characters; fix invalid cast in group merging affecting ppc64 and s390x; fix compatibility with Intel C++ __regcall calling convention; install the libc-otherbuild postinst and postrm in the libc6-i686 transitional package, to make sure /etc/ld.so.nohwcap is correctly removed after an upgrade |
global | Gozilla: quote URLs before passing them to BROWSER [CVE-2017-17531] |
gnumail | Stop linking to OpenSSL |
golang-github-go-ldap-ldap | Require explicit intention for empty password |
gosa-plugin-pwreset | Fix deprecated constructor call |
grilo-plugins | Fix Radio France source |
hdf5 | Fix javahelper invocation |
inputlirc | Include input-event-codes.h instead of input.h, fixing build failure |
intercal | Recompile with PIE |
java-atk-wrapper | Fix iterator initialization; fix missing reference for children |
kildclient | Drop support for user-defined browsers [CVE-2017-17511] |
libdate-holidays-de-perl | Mark Reformation Day as a holiday in Hamburg and Schleswig-Holstein from 2018 onwards |
libdatetime-timezone-perl | New upstream version |
libhibernate-validator-java | Fix potential privilege escalation by circumventing security manager permissions [CVE-2017-7536] |
libperlx-assert-perl | Add missing dependencies on libkeyword-simple-perl, libdevel-declare-perl |
libreoffice | Let FunctionAccess execute WEBSERVICE; use the right error code on WEBSERVICE() failures |
libvhdi | Add missing Python3 dependency |
libvirt | QEMU: shared disks with cache=directsync should be safe for migration; avoid denial of service when reading from the QEMU monitor [CVE-2018-5748] |
linux | New upstream version |
lxc | Fix the creation of testing and unstable containers by including iproute2 rather than iproute |
mapproxy | Fix Cross Site Scripting (XSS) issue in demo service [CVE-2017-1000426] |
mosquitto | Fix persistence file being world-readable [CVE-2017-9868] |
mpi4py | Support current version of libmpi |
ncurses | Fix buffer overflow in the _nc_write_entry function [CVE-2017-16879] |
needrestart | Fix switching to list mode if debconf is run non-interactively |
ntp | Increase stack size to at least 32kB |
nvidia-graphics-drivers-legacy-304xx | New upstream release |
nvidia-graphics-drivers-legacy-340xx | New upstream release |
nvidia-modprobe | New upstream release; run setuid(0) before forking modprobe to preserve privileges through shell invocations and recursive modprobe calls |
nvidia-persistenced | New upstream release |
nvidia-settings | New upstream release; fix a bug that prevented changes to stereo eye assignment from getting applied from the nvidia-settings control panel |
nvidia-xconfig | New upstream release; fix a regression that prevented nvidia-xconfig from querying some GPUs, e.g. when running `nvidia-xconfig -a` |
ocfs2-tools | Migrate from using rcS to standard runlevels |
opendmarc | Update opendmarc service file so changes in opendmarc.conf are used |
openssh | Fix sftp-server incorrectly permitting the creation of zero-length files in read-only mode [CVE-2017-15906] |
osinfo-db | Update included data |
pdns-recursor | Rebuild against publicsuffix 20171028.2055-0+deb9u1 |
postfix | New upstream bugfix release; don't log warnings that some restriction returns OK when the access map DISCARD feature is in effect; add missing dynamicmaps support in the Postfix sendmail command; fix sending to some sites with TLSA 2 X X records |
postgresql-9.6 | New upstream version |
publicsuffix | Update included data |
python-evtx | Fix missing Python3 dependency |
python-hacking | Fix Python3 dependencies |
python-hkdf | Fix Python3 dependencies |
python-mimeparse | Fix Python3 dependencies |
python-pyperclip | Fix Python3 dependencies |
python-spake2 | Fix Python3 dependencies |
qtpass | Fix insecure built-in password generator [CVE-2017-18021] |
quota | Prevent quotacheck from running into an endless loop |
reportbug | Don't send mail to secure-testing-team@lists.alioth.debian.org any more |
rpy | Rebuild against r-base 3.3 |
ruby-redis-store | Fix loading of unsafe objects from redis [CVE-2017-1000248] |
salt | Fix directory traversal vulnerability on salt-master via crafted minion IDs [CVE-2017-12791], directory traversal vulnerability in minion id validation in SaltStack [CVE-2017-14695], remote denial of service with a specially crafted authentication request [CVE-2017-14696]; check if data[return] is dict type |
slic3r | Patch the "use lib" line in all installed binaries; work around missing GL_MULTISAMPLE macro; fix importing binary STLs on big-endian architectures |
soundtouch | Security fixes [CVE-2017-9258 CVE-2017-9259 CVE-2017-9260] |
systemd | networkd: Handle MTU field in IPv6 RA; add a linker script to help prevent symbol collisions, particularly with PAM modules; resolved: Fix loop on packets with pseudo DNS types [CVE-2017-15908]; machinectl: Don't output "No machines." with the --no-legend option |
tzdata | New upstream version |
ust | Fix loading of Python agent library |
uwsgi | Fix stack-based buffer overflow in the uwsgi_expand_path function [CVE-2018-6758] |
vagrant | Download boxes from app.vagrantcloud.com instead of the deprecated atlas.hashicorp.com |
vdirsyncer | Fix discovery of Google contacts |
virt-what | Unbreak virt detection on arm/aarch64 |
w3m | Fix stack overflow [CVE-2018-6196], null deref [CVE-2018-6197], /tmp file races [CVE-2018-6198] |
waagent | New upstream version |
webkit2gtk | New upstream stable release |
xchain | Fix dependency on wish |
xrdp | Fix security issue [CVE-2017-16927]; fix high CPU load on ssl_tls_accept |
Security updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
dolibarr | Too much work to maintain it properly in Debian |
electrum | Security issues; broken due to upstream changes |
jirc | Broken with stretch's libpoe-filter-xml-perl |
pgmodeler | Incompatible with stretch's PostgreSQL |
seelablet | Abandoned upstream; broken |
Debian Installer
The installer has been updated to include the fixes incorporated into stable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
Stable distribution information (release notes, errata, etc.):
Security advisories and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.