Updated Debian 8: 8.11 released

June 23rd, 2018

The Debian project is pleased to announce the eleventh (and final) update of its oldstable distribution Debian 8 (codename jessie). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

After this point release, Debian's Security and Release Teams will no longer be producing updates for Debian 8. Users wishing to continue to receive security support should upgrade to Debian 9, or see https://wiki.debian.org/LTS for details about the subset of architectures and packages covered by the Long Term Support project.

The packages for some architectures for DSA 3746, DSA 3944, DSA 3968, DSA 4010, DSA 4014, DSA 4061, DSA 4075, DSA 4102, DSA 4155, DSA 4209 and DSA 4218 are not included in this point release for technical reasons. All other security updates released during the lifetime of "jessie" that have not previously been part of a point release are included in this update.

Please note that the point release does not constitute a new version of Debian 8 but only updates some of the packages included. There is no need to throw away old jessie media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following packages:

| Package | Reason |
| --- | --- |
| adminer | Don't allow connections to privileged ports [CVE-2018-7667] |
| base-files | Update for the point release |
| blktrace | Fix buffer overflow in btt [CVE-2018-10689] |
| bwm-ng | Explicitly build without libstatgrab support |
| clamav | Security update [CVE-2017-6418 CVE-2017-6420 CVE-2017-12374 CVE-2017-12375 CVE-2017-12376 CVE-2017-12377 CVE-2017-12378 CVE-2017-12379 CVE-2017-12380]; fix temporary file cleanup issue; new upstream release; new upstream version |
| debian-installer | Rebuild for the point release |
| debian-installer-netboot-images | Rebuild for the point release |
| debian-security-support | Update package data |
| dh-make-perl | Support Contents file without header |
| dns-root-data | Update IANA DNSSEC files to 2017-02-02 versions |
| faad2 | Fix several DoS issues via crafted MP4 files [CVE-2017-9218 CVE-2017-9219 CVE-2017-9220 CVE-2017-9221 CVE-2017-9222 CVE-2017-9223 CVE-2017-9253 CVE-2017-9254 CVE-2017-9255 CVE-2017-9256 CVE-2017-9257] |
| file | Avoid reading past the end of a buffer [CVE-2018-10360] |
| ghostscript | Fix segfault with fuzzing file in gxht_thresh_image_init; fix buffer overflow in fill_threshold_buffer [CVE-2016-10317]; pdfwrite - Guard against trying to output an infinite number [CVE-2018-10194] |
| intel-microcode | Update included microcode, including fixes for Spectre v2 [CVE-2017-5715] |
| lame | Fix security issues by switching to use I/O routines from sndfile [CVE-2017-15018 CVE-2017-15045 CVE-2017-15046 CVE-2017-9869 CVE-2017-9870 CVE-2017-9871 CVE-2017-9872] |
| libdatetime-timezone-perl | Update included data |
| libextractor | Various security fixes [CVE-2017-15266 CVE-2017-15267 CVE-2017-15600 CVE-2017-15601 CVE-2017-15602 CVE-2017-15922 CVE-2017-17440] |
| libipc-run-perl | Fix memory leak |
| linux | New upstream stable release |
| mactelnet | Security fix [CVE-2016-7115] |
| ncurses | Fix buffer overflow in the _nc_write_entry function [CVE-2017-16879] |
| nvidia-graphics-drivers | New upstream version |
| nvidia-graphics-drivers-legacy-304xx | Update to latest driver |
| openafs | Fix kernel module build against linux 3.16.51-3+deb8u1 kernels after security update-induced ABI changes |
| openldap | Fix upgrade failure when olcSuffix contains a backslash; fix memory corruption caused by calling sasl_client_init() multiple times |
| patch | Fix arbitrary command execution in ed-style patches [CVE-2018-1000156] |
| postgresql-9.4 | New upstream release |
| psensor | Fix directory traversal issue [CVE-2014-10073] |
| python-mimeparse | Fix python3-mimeparse's dependencies |
| rar | Strip statically linked rar and install the dynamically linked version instead |
| reportbug | Stop CCing secure-testing-team@lists.alioth.debian.org |
| sam2p | Fix multiple invalid frees and buffer-overflow vulnerabilities [CVE-2018-7487 CVE-2018-7551 CVE-2018-7552 CVE-2018-7553 CVE-2018-7554] |
| slurm-llnl | Fix upgrade issue from wheezy |
| soundtouch | Security fixes [CVE-2017-9258 CVE-2017-9259 CVE-2017-9260] |
| subversion | Fix crashes with Perl bindings, commonly seen when using git-svn |
| tzdata | Update included data |
| user-mode-linux | Rebuild against current jessie kernel |
| virtualbox-guest-additions-iso | Fix multiple security issues [CVE-2016-0592 CVE-2016-0495 CVE-2015-8104 CVE-2015-7183 CVE-2015-5307 CVE-2015-7183 CVE-2015-4813 CVE-2015-4896 CVE-2015-3456] |
| xerces-c | Fix Denial of Service via external DTD reference [CVE-2017-12627] |
| zsh | Rebuild against libraries currently in jessie |

Security Updates

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:

Removed packages

The following packages were removed due to circumstances beyond our control:

| Package | Reason |
| --- | --- |
| dolibarr | Too much work to maintain it properly in Debian |
| electrum | No longer able to connect to the network |
| jirc | Broken with jessie's libpoe-filter-xml-perl |
| nvidia-graphics-modules | License problem; incompatible with current kernel ABI |
| openstreetmap-client | Broken |
| redmine | No longer security supported |
| redmine-plugin-pretend | Depends on redmine |
| redmine-plugin-recaptcha | Depends on redmine |
| redmine-recaptcha | Depends on redmine |
| youtube-dl | Incompatible YouTube API changes |

Debian Installer

The installer has been updated to include the fixes incorporated into oldstable by the point release.

URLs

The complete lists of packages that have changed with this revision:

The current oldstable distribution:

Proposed updates to the oldstable distribution:

oldstable distribution information (release notes, errata etc.):

Security announcements and information:

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.