[SUA 127-1] Upcoming Debian 9 Update (9.2)

To: debian-stable-announce@lists.debian.org

Subject: [SUA 127-1] Upcoming Debian 9 Update (9.2)

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Date: Mon, 02 Oct 2017 21:43:13 +0100

Message-id: <1506976993.18586.26.camel@adam-barratt.org.uk>

Mail-followup-to: debian-release@lists.debian.org

Reply-to: debian-release@lists.debian.org

-------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 127-1     https://www.debian.org/
debian-release@lists.debian.org                          Adam D. Barratt
October 2nd, 2017
-------------------------------------------------------------------------

Upcoming Debian 9 Update (9.2)

An update to Debian 9 is scheduled for Saturday, October 7th, 2017. As
of now it will include the following bug fixes. They can be found in
"stretch-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "stretch-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of
them by copying "debian-release@lists.debian.org" on your mails.

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package                         Reason
apt                             Fix issues in apt-daily-upgrade; fix a
                                possible crash in the mirror method
at-spi2-core                    Fix crash on switching windows
bareos                          Fix permissions of bareos-dir logrotate
                                config on upgrade; fix file corruption
                                when using SHA1 signature
bind9                           Import DNSSEC KSK-2017
bridge-utils                    Fix a problem with some VLAN interfaces
                                not being created
caja                            Fix excessive CPU use while loading
                                background image
chrony                          Do not pass 'burst' command to chronyc
cross-gcc                       Fix outdated support for gcc 6.3.0-18
cvxopt                          Remove the unnecessary and non-working
                                compatibility layer for lpx_main()
db5.3                           Do not access DB_CONFIG when db_home is
                                not set [CVE-2017-10140]
dbus                            New upstream stable release
debian-edu-doc                  Merge stretch related documentation and
                                translation updates; update Debian Edu
                                Stretch manual from the wiki; replace
                                existing boot menu screenshots with
                                recent ones from the wiki
debian-installer                Update Linux kernel ABI to 4
debian-installer-netboot-images Rebuild for the point release
desktop-base                    Fix XML syntax errors in gnome wallpaper
                                description files making Joy wallpapers
                                unavailable by default; ensure postinst
                                doesn't fail on upgrade even when an
                                incomplete theme pack is active
dns-root-data                   Update root.hints to 2017072601 version;
                                change the state of KSK-2017 to VALID
dnsdist                         Security fixes [CVE-2016-7069
                                CVE-2017-7557]
dnsviz                          Cherry-pick upstream fixes related to
                                root.hints and root.keys changes
dose3                           Fix versioned provides support - packages
                                that provide the same virtual package in
                                different versions, or that provide the
                                same versioned virtual package as a real
                                package, are co-installable
ecl                             Add missing dependency on libffi-dev
erlang-p1-tls                   Fix ECDH curves
evolution                       Fix hangs on right click in composer
                                window
expect                          Properly check for EOF, to avoid losing
                                input
fife                            Fix memory leak
flatpak                         New upstream stable release; prevent
                                deploying files with inappropriate
                                permissions; restore compatibility with
                                libostree 2017.7
freerdp                         Enable TLS >= 1.1 support
gnome-exe-thumbnailer           Switch to msitools' msiinfo for
                                ProductVersion fetching, replacing the
                                insecure VBScript-based parsing
                                [CVE-2017-11421]; fix unreadable
                                white-on-white text on version labels
gnupg2                          Fix dirmngr issues with broken reverse
                                DNS, assertion when using
                                "tofu-default-policy ask", multiple
                                issues with scdaemon, avoid spurious
                                warnings when sharing a keybox with
                                gpg >= 2.1.20
gnutls28                        Fix OCSP verification errors, especially
                                with ecdsa signatures
gosa-plugin-mailaddress         Fix parent constructor calls, for
                                compatibility with PHP7
gsoap                           Fix integer overflow via large XML
                                document [CVE-2017-9765]
haveged                         Start haveged.service after
                                systemd-tmpfiles-setup.service has been
                                run
ipsec-tools                     Security fix [CVE-2016-10396]
irssi                           Fix null pointer dereference
                                [CVE-2017-10965], use-after-free
                                condition for nicklist [CVE-2017-10966]
kanatest                        Remove DISABLE_DEPRECATED flags, they
                                cause implicit pointer conversion and
                                thus a segmentation fault on startup
kdepim                          Fix "send Later with Delay bypasses
                                OpenPGP" [CVE-2017-9604]
kf5-messagelib                  Fix "send Later with Delay bypasses
                                OpenPGP" [CVE-2017-9604]
krb5                            Fix security issue where remote
                                authenticated attackers can crash the
                                KDC [CVE-2017-11368]; fix startup if
                                getaddrinfo() returns a wildcard v6
                                address and handling of explicitly
                                specified v4 wildcard address; fix SRV
                                lookups to respect udp_preference_limit
lava-tool                       Add missing dependency: python-simplejson
librsb                          Fix a few severe bugs leading to
                                numerically wrong results
libselinux                      Rebuild with new sbuild to fix changelog
                                date
libsolv                         Fix dependencies on Python 3 modules
libwpd                          Fix denial of service issue
                                [CVE-2017-14226]
linux                           New upstream stable version
linux-latest                    Update to 4.9.0-4
lzma                            Rebuild with new sbuild to fix changelog
                                date
mailman                         Fix broken dependencies in
                                contrib/SpamAssassin.py
mate-power-manager              Don't abort on unknown DBus signal name
mate-themes                     Fix font colour of URL bar in Google
                                Chrome
mate-tweak                      Add missing dependency on python3-gi
ncurses                         Fix various crash bugs in the tic library
                                and the tic binary [CVE-2017-10684
                                CVE-2017-10685 CVE-2017-11112
                                CVE-2017-11113 CVE-2017-13728
                                CVE-2017-13729 CVE-2017-13730
                                CVE-2017-13731 CVE-2017-13732
                                CVE-2017-13734 CVE-2017-13733]
nettle                          Rebuild with new sbuild to fix changelog
                                date
node-brace-expansion            Fix regular expression denial of service
                                issue
node-dateformat                 Set TZ=UTC for tests to fix build failure
ntp                             Build and install /usr/bin/sntp
nvidia-graphics-drivers         New upstream long lived branch release
                                375.82 - security fixes [CVE-2017-6257
                                CVE-2017-6259], add support for the
                                following GPUs: GeForce GTX 1080 with
                                Max-Q Design, GeForce GTX 1070 with Max-Q
                                Design, GeForce GTX 1060 with Max-Q
                                Design; nvidia-kernel-dkms: Honor
                                parallel setting from dkms
open-vm-tools                   Randomly generate tmp directory name
                                [CVE-2015-5191]
opendkim                        Start as root and drop privileges in
                                opendkim for proper key file ownership
openldap                        Relax the dependency of libldap-2.4-2 on
                                libldap-common to also permit later
                                versions; fix upgrade failure when
                                olcSuffix contains a backslash; avoid
                                reading the value of the
                                LDAP_OPT_X_TLS_REQUIRE_CERT option from
                                previously freed memory; fix potential
                                endless replication loop in a
                                multi-master delta-syncrepl scenario with
                                3 or more nodes; fix memory corruption
                                caused by calling sasl_client_init()
                                multiple times and possibly concurrently
openvpn                         Fix broken reconnects due to wrong push
                                digest calculation
osinfo-db                       Update distribution information
pcb-rnd                         Fix execution of code from a maliciously
                                formed design file
postfix                         New upstream stable version - send single
                                character variable names to milters
                                without {}; prevent MIME downgrade of
                                Postfix-generated message/delivery
                                status; work around Berkeley DB
                                attempting to read settings from
                                "DB_CONFIG" file
python-pampy                    Fix dependencies on Python 3 modules
request-tracker4                Fix regression in previous security
                                release where incorrect SHA256 passwords
                                could trigger an error
ruby-gnome2                     Ruby-{gdk3,gtksourceview2,pango,poppler}:
                                Add missing dependencies
samba                           Ensure SMB signing enforced
                                [CVE-2017-12150]; keep required
                                encryption across SMB3 dfs redirects
                                [CVE-2017-12151]; fix server memory
                                information leak over SMB1
                                [CVE-2017-12163]; new upstream release;
                                fix libpam-winbind.prerm to be
                                multiarch-safe; add missing logrotate for
                                /var/log/samba/log.samba; fix outdated
                                DNS Root servers; fix "Non-kerberos
                                logins fails on winbind 4.X when
                                krb5_auth is configured in PAM"
smplayer                        Fix connections to YouTube
speech-dispatcher               Make spd-conf work again
suricata                        Limit the number of recursive calls in
                                the DER/ASN.1 decoder to avoid stack
                                overflows
swift                           New upstream stable release
tbdialout                       Include leading plus symbol with tel: URI
                                scheme
tiny-initramfs                  Add missing dependency on cpio
topal                           Fix misuse of sed character class syntax
torsocks                        Fix check_addr() to return either 0 or 1
trace-cmd                       Fix segfault while processing certain
                                trace files
unbound                         Fix install of trust anchor when two
                                anchors are present; depend on
                                dns-root-data (>= 2017072601~) for
                                KSK-2017
unknown-horizons                Fix memory leak
up-imapproxy                    Correct systemd service file
vim                             Fix several crashes / illegal memory
                                accesses [CVE-2017-11109]
waagent                         New upstream release, with support for
                                Azure Stack
webkit2gtk                      Upstream security and bugfix release
                                [CVE-2017-2538 CVE-2017-7052
                                CVE-2017-7018 CVE-2017-7030 CVE-2017-7034
                                CVE-2017-7037 CVE-2017-7039 CVE-2017-7046
                                CVE-2017-7048 CVE-2017-7055 CVE-2017-7056
                                CVE-2017-7061 CVE-2017-7064]
whois                           Fix whois referrals for .com, .net,
                                .jobs, .bz, .cc and .tv; add several new
                                Indian TLD servers; update the list of
                                gTLDs
wrk                             Fix build failures
xfonts-ayu                      Fix generation of bold and italic fonts
xkeyboard-config                Move Indic layouts back to the main
                                layout list, enabling their use again
yadm                            Fix race condition which could allow
                                access to private PGP and SSH keys
                                [CVE-2017-11353]

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>

If you encounter any issues, please don't hesitate to get in touch with
the Debian Release Team at "debian-release@lists.debian.org".