주의: 이 번역은 원문보다 오래되었습니다.
데비안 9 업데이트 : 9.4 릴리스
2018년 3월 10일
데비안 프로젝트는 안정 배포 데비안 9 (코드명 stretch
)의 4번째 업데이트를 알리게 되어 기쁩니다.
이 포인트 릴리스는 주로 보안 이슈에 대한 수정 및 심각한 문제에 대한 조정을 추가합니다.
보안 권고는 이미 별도로 알려졌으며 가능한 곳에 참조됩니다.
포인트 릴리스는 데비안 9의 새 버전을 구성하지 않으며
다만 포함된 패키지의 일부만 업데이트함을 주의하세요.
옛 stretch
매체를 던져버릴 필요는 없습니다.
설치 후에, 패키지는 최신 데비안 미러를 써서 현재 버전으로 업그레이드 될 수 있습니다.
security.debian.org로 부터 업데이트를 자주 설치하는 사람은 많은 패키지를 업데이트할 필요 없으며, 그런 업데이트 대부분이 포인트 릴리스에 포함되었습니다.
새 설치 이미지는 정규 위치에서 곧 사용 가능할 겁니다.
기존 설치를 이 리비전으로 업그레이드 하는 것은 데비안의 많은 http 미러에서 패키지 관리 시스템을 가리킴으로써 가능합니다. 포괄적인 미러 목록은 아래에서 가능합니다:
기타 버그 수정
이 안정 업데이트는 아래 패키지에서 몇 중요한 수정을 합니다:
| 패키지 | 이유 |
|---|---|
| acme-tiny | Fix outdated version of the subscriber agreement |
| activity-log-manager | Add missing dependency on python-zeitgeist |
| agenda.app | Fix creation of tasks and appointments |
| apparmor | Move the features file to /usr/share/apparmor-features; pin the AppArmor feature set to Stretch's kernel |
| auto-apt-proxy | Move apt configuration away on removal, and put it back on reinstalls |
| bareos | Fix backups failing with No Volume name given |
| base-files | Update for the point release |
| cappuccino | Add missing dependency on gir1.2-gtk-3.0 |
| cerealizer | Fix Python3 dependencies |
| clamav | New upstream release; security update [CVE-2017-6418 CVE-2017-6420 CVE-2017-12374 CVE-2017-12375 CVE-2017-12376 CVE-2017-12377 CVE-2017-12378 CVE-2017-12379 CVE-2017-12380] |
| cron | Properly transition system jobs to system_cronjob_t SELinux context and stop relying on refpolicy specific identifiers |
| cups | Fix execution of arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding [CVE-2017-18190] |
| dbus | New upstream release; raise file descriptor limit sooner, fixing a regression in local DoS fix |
| debian-edu-config | Pre-configure Chromium Webbrowser system-wide to auto-detect the http proxy settings via WPAD; allow joining of Windows 10 clients to the Samba NT4-style domain |
| debian-installer | Bump Linux kernel version from 4.9.0-4 to 4.9.0-6 |
| debian-installer-netboot-images | Update to 20170615+deb9u3 images, from stretch-proposed-updates |
| directfb | Fix architecture-based filter to actually install drivers |
| dpdk | Update to new stable point release |
| espeakup | udeb: fix case where card 0 does not have an id or where cards have non-contiguous indexes; use English by default; use card id in installed system to avoid issues with card detection ordering |
| exam | Fix Python3 dependencies |
| flatpak | New upstream release; fix a D-Bus filtering bypass in flatpak-dbus-proxy; ignore unrecognised permission strings, instead of failing; do not allow legacy eavesdropping on the D-Bus session bus |
| fuse-zip | Fix writeback fail with libzip 1.0 |
| glade | Fix possible infinite loop |
| glibc | Do not update /etc/nsswitch.conf when its content already matches the default; debian/script.in/nohwcap.sh: always check for all optimized packages as multiarch allows one to install foreign architectures; avoid use-after-free read access in clntudp_call [CVE-2017-12133]; define collation for Malayalam chillu characters and correct collation of U+0D36 and U+0D37 Malayalam characters; fix invalid cast in group merging affecting ppc64 and s390x; fix compatibility with Intel C++ __regcall calling convention; install the libc-otherbuild postinst and postrm in the libc6-i686 transitional package, to make sure /etc/ld.so.nohwcap is correctly removed after an upgrade |
| global | Gozilla: quote URLs before passing them to BROWSER [CVE-2017-17531] |
| gnumail | Stop linking to OpenSSL |
| golang-github-go-ldap-ldap | Require explicit intention for empty password |
| gosa-plugin-pwreset | Fix deprecated constructor call |
| grilo-plugins | Fix Radio France source |
| hdf5 | Fix javahelper invocation |
| inputlirc | Include input-event-codes.h instead of input.h, fixing build failure |
| intercal | Recompile with PIE |
| java-atk-wrapper | Fix iterator initialization; fix missing reference for children |
| kildclient | Drop support for user-defined browsers [CVE-2017-17511] |
| libdate-holidays-de-perl | Mark Reformation Day as a holiday in Hamburg and Schleswig-Holstein from 2018 onwards |
| libdatetime-timezone-perl | New upstream version |
| libhibernate-validator-java | Fix potential privilege escalation by circumventing security manager permissions [CVE-2017-7536] |
| libperlx-assert-perl | Add missing dependencies on libkeyword-simple-perl, libdevel-declare-perl |
| libreoffice | Let FunctionAccess execute WEBSERVICE; use the right error code on WEBSERVICE() failures |
| libvhdi | Add missing Python3 dependency |
| libvirt | QEMU: shared disks with cache=directsync should be safe for migration; avoid denial of service reading from QEMU monitor [CVE-2018-5748] |
| linux | New upstream version |
| lxc | Fix the creation of testing and unstable containers by including iproute2rather than iproute |
| mapproxy | Fix Cross Site Scripting (XSS) issue in demo service [CVE-2017-1000426] |
| mosquitto | Fix persistence file being world-readable [CVE-2017-9868] |
| mpi4py | Support current version of libmpi |
| ncurses | Fix buffer overflow in the _nc_write_entry function [CVE-2017-16879] |
| needrestart | Fix switching to list mode if debconf is run non-interactively |
| ntp | Increase stack size to at least 32kB |
| nvidia-graphics-drivers-legacy-304xx | New upstream release |
| nvidia-graphics-drivers-legacy-340xx | New upstream release |
| nvidia-modprobe | New upstream release; run setuid(0) before forking modprobe to preserve privileges through shell invocations and recursive modprobe calls |
| nvidia-persistenced | New upstream release |
| nvidia-settings | New upstream release; fix a bug that prevented changes to stereo eye assignment from getting applied from the nvidia-settings control panel |
| nvidia-xconfig | New upstream release; fix a regression that prevented nvidia-xconfig from querying some GPUs, e.g. when running `nvidia-xconfig -a` |
| ocfs2-tools | Migrate from using rcS to standard runlevels |
| opendmarc | Update opendmarc service file so changes in opendmarc.conf are used |
| openssh | Fix in read-only mode, sftp-server was incorrectly permitting creation of zero-length files[CVE-2017-15906] |
| osinfo-db | Update included data |
| pdns-recursor | Rebuild against publicsuffix 20171028.2055-0+deb9u1 |
| postfix | New upstream bugfix release; don't log warnings that some restriction returns OK, when the access map DISCARD feature is in effect; add missing dynamicmaps support in the Postfix sendmail command; fix sending to some sites with TLSA 2 X Xrecords |
| postgresql-9.6 | New upstream version |
| publicsuffix | Update included data |
| python-evtx | Fix missing Python3 dependency |
| python-hacking | Fix Python3 dependencies |
| python-hkdf | Fix Python3 dependencies |
| python-mimeparse | Fix Python3 dependencies |
| python-pyperclip | Fix Python3 dependencies |
| python-spake2 | Fix Python3 dependencies |
| qtpass | Fix insecure built-in password generator [CVE-2017-18021] |
| quota | Prevent quotacheck from running into an endless loop |
| reportbug | Don't send mail to secure-testing-team@lists.alioth.debian.org any more |
| rpy | Rebuild against r-base 3.3 |
| ruby-redis-store | Allow unsafe objects to be loaded from redis [CVE-2017-1000248] |
| salt | Fix directory traversal vulnerability on salt-master via crafted minion IDs [CVE-2017-12791], directory traversal vulnerability in minion id validation in SaltStack [CVE-2017-14695], remote Denial of Service with a specially crafted authentication request [CVE-2017-14696]; check if data[return] is dict type |
| slic3r | Patch use libline in all installed binaries; workaround missing GL_MULTISAMPLE macro; fix importing binary STLs on big-endian architectures |
| soundtouch | Security fixes [CVE-2017-9258 CVE-2017-9259 CVE-2017-9260] |
| systemd | networkd: Handle MTU field in IPv6 RA; add a linker script to help prevent symbol collisions, particularly with PAM modules; resolved: Fix loop on packets with pseudo dns types [CVE-2017-15908]; machinectl: Don't output No machines.with --no-legend option |
| tzdata | New upstream version |
| ust | Fix loading of Python agent library |
| uwsgi | Fix stack-based buffer overflow in uwsgi_expand_path function [CVE-2018-6758] |
| vagrant | Download boxes from app.vagrantcloud.com instead of the deprecated atlas.hashicorp.com |
| vdirsyncer | Fix discovery of Google contacts |
| virt-what | Unbreak virt detection on arm/aarch64 |
| w3m | Fix stack overflow [CVE-2018-6196], null deref [CVE-2018-6197], /tmp file races [CVE-2018-6198] |
| waagent | New upstream version |
| webkit2gtk | New upstream stable release |
| xchain | Fix dependency on wish |
| xrdp | Fix security issue [CVE-2017-16927]; fix high CPU load on ssl_tls_accept |
보안 업데이트
이 리비전은 아래 보안 업데이트를 안정 릴리스에 추가합니다. 보안 팀은 이미 이 업데이트 각각에 대한 경보를 이미 냈습니다:
삭제된 패키지
아래 패키지들은 우리의 통제를 넘어서 삭제되었습니다:
| 패키지 | 이유 |
|---|---|
| dolibarr | Too much work to maintain it properly in Debian |
| electrum | Security issues; broken due to upstream changes |
| jirc | Broken with stretch's libpoe-filter-xml-perl |
| pgmodeler | Incompatible with stretch's Postgresql |
| seelablet | Abandoned upstream; broken |
데비안 설치프로그램
설치프로그램은 안정본에 통합된 수정을 포인트 릴리스에 의해 포함하도록 업데이트 되었습니다.
URLs
이 리비전으로 바뀐 패키지 전체 목록 :
현재 안정 배포:
안정 배포에 제안된 업데이트:
안정 배포 정보(릴리스 노트, 정오표 등.):
보안 알림과 정보:
데비안에 대해
데비안 프로젝트는 완전히 자유로운 운영체제 데비안을 만들기 위해 그들의 시간과 노력을 자원한 자유 소프트웨어 개발자 모임입니다.
연락처 정보
더 많은 정보는, 데비안 웹 페이지 https://www.debian.org/를 방문하거나, <press@debian.org>에 메일을 보내거나, 안정 릴리스 팀 <debian-release@lists.debian.org>에 문의하세요.