Updated Debian 9: 9.10 released
7 September 2019
The Debian project is pleased to announce the tenth update of its oldstable distribution Debian 9 (codename stretch).
This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.
Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included. There is no need to throw away old stretch media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.
Those who frequently install updates from security.debian.org will not have to update many packages, and most such updates are included in the point release.
New installation images will be available soon at the regular locations.
Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This oldstable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
base-files | Update for the point release; add VERSION_CODENAME to os-release |
basez | Properly decode base64url encoded strings |
biomaj-watcher | Fix upgrades from jessie to stretch |
c-icap-modules | Add support for clamav 0.101.1 |
chaosreader | Add missing dependency on libnet-dns-perl |
clamav | New upstream stable release: add scan time limit to mitigate against zip-bombs [CVE-2019-12625]; fix out-of-bounds write within the NSIS bzip2 library [CVE-2019-12900] |
corekeeper | Do not use a world-writable /var/crash with the dumper script; handle older versions of the Linux kernel in a safer way; do not truncate core names for executables with spaces |
cups | Fix multiple security/disclosure issues - SNMP buffer overflows [CVE-2019-8696 CVE-2019-8675], IPP buffer overflow, Denial of Service and memory disclosure issues in the scheduler |
dansguardian | Add support for clamav 0.101 |
dar | Rebuild to update built-using packages |
debian-archive-keyring | Add buster keys; remove wheezy keys |
fence-agents | Fix denial of service issue [CVE-2019-10153] |
fig2dev | Do not segfault on circle/half circle arrowheads with a magnification larger than 42 [CVE-2019-14275] |
fribidi | Fix right-to-left output in debian-installer text mode |
fusiondirectory | Stricter checks on LDAP lookups; add missing dependency on php-xml |
gettext | Stop xgettext() from crashing when run with --its=FILE option |
glib2.0 | Create directory and file with restrictive permissions when using the GKeyfileSettingsBackend [CVE-2019-13012]; avoid buffer read overrun when formatting error messages for invalid UTF-8 in GMarkup [CVE-2018-16429]; avoid NULL dereference when parsing invalid GMarkup with a malformed closing tag not paired with an opening tag [CVE-2018-16429] |
gocode | gocode-auto-complete-el: Make pre-dependency on auto-complete-el versioned to fix upgrades from jessie to stretch |
groonga | Mitigate privilege escalation by changing the owner and group of logs with su option |
grub2 | Fixes for Xen UEFI support |
gsoap | Fix denial of service issue if a server application is built with the -DWITH_COOKIES flag [CVE-2019-7659]; fix issue with DIME protocol receiver and malformed DIME headers |
gthumb | Fix double-free bug [CVE-2018-18718] |
havp | Add support for clamav 0.101.1 |
icu | Fix segfault in pkgdata command |
koji | Fix SQL injection issue [CVE-2018-1002161]; properly validate SCM paths [CVE-2017-1002153] |
lemonldap-ng | Fix cross-domain authentication regression; fix XML external entity vulnerability |
libcaca | Fix integer overflow issues [CVE-2018-20545 CVE-2018-20546 CVE-2018-20547 CVE-2018-20548 CVE-2018-20549] |
libclamunrar | New upstream stable release |
libconvert-units-perl | No-change rebuild with fixed version number |
libdatetime-timezone-perl | Update included data |
libebml | Apply upstream fixes for heap-based buffer over-reads |
libevent-rpc-perl | Fix build failure due to expired test SSL certificates |
libgd2 | Fix uninitialized read in gdImageCreateFromXbm [CVE-2019-11038] |
libgovirt | Re-generate test certificates with expiration date far in the future to avoid test failures |
librecad | Fix denial of service via crafted file [CVE-2018-19105] |
libsdl2-image | Fix multiple security issues |
libthrift-java | Fix bypass of SASL negotiation [CVE-2018-1320] |
libtk-img | Stop using internal copies of JPEG, Zlib and PixarLog codecs, fixing crashes |
libu2f-host | Fix stack memory leak [CVE-2019-9578] |
libxslt | Fix security framework bypass [CVE-2019-11068]; fix uninitialized read of xsl:number token [CVE-2019-13117]; fix uninitialized read with UTF-8 grouping chars [CVE-2019-13118] |
linux | New upstream version with ABI bump; security fixes [CVE-2015-8553 CVE-2017-5967 CVE-2018-20509 CVE-2018-20510 CVE-2018-20836 CVE-2018-5995 CVE-2019-11487 CVE-2019-3882] |
linux-latest | Update for 4.9.0-11 kernel ABI |
liquidsoap | Fix compilation with Ocaml 4.02 |
llvm-toolchain-7 | New package to support building new Firefox versions |
mariadb-10.1 | New upstream stable release; security fixes [CVE-2019-2737 CVE-2019-2739 CVE-2019-2740 CVE-2019-2805 CVE-2019-2627 CVE-2019-2614] |
minissdpd | Prevent a use-after-free vulnerability that would allow a remote attacker to crash the process [CVE-2019-12106] |
miniupnpd | Fix denial of service issues [CVE-2019-12108 CVE-2019-12109 CVE-2019-12110]; fix information leak [CVE-2019-12107] |
mitmproxy | Blacklist tests that require Internet access; prevent insertion of unwanted upper-bound versioned dependencies |
monkeysphere | Fix build failure by updating the tests to accommodate an updated GnuPG in stretch now producing a different output |
nasm-mozilla | New package to support building new Firefox versions |
ncbi-tools6 | Repackage without non-free data/UniVec.* |
node-growl | Sanitize input before passing it to exec |
node-ws | Restrict upload size [CVE-2016-10542] |
open-vm-tools | Fix possible security issue with the permissions of the intermediate staging directory and path |
openldap | Restrict rootDN proxyauthz to its own databases [CVE-2019-13057]; enforce sasl_ssf ACL statement on every connection [CVE-2019-13565]; fix slapo-rwm to not free original filter when rewritten filter is invalid |
openssh | Fix deadlock in key matching |
passwordsafe | Don't install localization files under an extra subdirectory |
pound | Fix request smuggling via crafted headers [CVE-2016-10711] |
prelink | Rebuild to update built-using packages |
python-clamav | Add support for clamav 0.101.1 |
reportbug | Update release names, following buster release |
resiprocate | Resolve an installation issue with libssl-dev and --install-recommends |
sash | Rebuild to update built-using packages |
sdl-image1.2 | Fix buffer overflows [CVE-2018-3977 CVE-2019-5058 CVE-2019-5052], out-of-bounds access [CVE-2019-12216 CVE-2019-12217 CVE-2019-12218 CVE-2019-12219 CVE-2019-12220 CVE-2019-12221 CVE-2019-12222 CVE-2019-5051] |
signing-party | Fix unsafe shell call enabling shell injection via a User ID [CVE-2019-11627] |
slurm-llnl | Fix potential heap overflow on 32-bit systems [CVE-2019-6438] |
sox | Fix several security issues [CVE-2019-8354 CVE-2019-8355 CVE-2019-8356 CVE-2019-8357 927906 CVE-2019-1010004 CVE-2017-18189 881121 CVE-2017-15642 882144 CVE-2017-15372 878808 CVE-2017-15371 878809 CVE-2017-15370 878810 CVE-2017-11359 CVE-2017-11358 CVE-2017-11332] |
systemd | Do not stop ndisc client in case of configuration error |
t-digest | No-change rebuild to avoid re-use of pre-epoch version 3.0-1 |
tenshi | Fix PID file issue that allows local users to kill arbitrary processes [CVE-2017-11746] |
tzdata | New upstream release |
unzip | Fix incorrect parsing of 64-bit values in fileio.c; fix zip-bomb issues [CVE-2019-13232] |
usbutils | Update USB ID list |
xymon | Fix several (server only) security issues [CVE-2019-13273 CVE-2019-13274 CVE-2019-13451 CVE-2019-13452 CVE-2019-13455 CVE-2019-13484 CVE-2019-13485 CVE-2019-13486] |
yubico-piv-tool | Fix security issues [CVE-2018-14779 CVE-2018-14780] |
z3 | Do not set the SONAME of libz3java.so to libz3.so.4 |
zfs-auto-snapshot | Make cron jobs exit silently after package removal |
zsh | Rebuild to update built-using packages |
Security Updates
This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
pump | Unmaintained; security issues |
teeworlds | Security issues; incompatible with current servers |
Debian Installer
The installer has been updated to include the fixes incorporated into oldstable by the point release.
URLs
The complete list of packages that have changed with this revision:
The current oldstable distribution:
Proposed updates to the oldstable distribution:
Oldstable distribution information (release notes, errata, etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.