Updated Debian 9: 9.5 released

July 14th, 2018

The Debian project is pleased to announce the fifth update of its stable distribution Debian 9 (codename stretch ). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included. There is no need to throw away old stretch media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package Reason 2ping Add missing dependency on python-pkg-resources abiword Resolve binary file conflict between abiword-dbgsym and abiword-plugin-grammar-dbgsym adminer Don't allow connections to privileged ports [CVE-2018-7667] animals Fix incorrect file permissions that made the game unusable apache2 Upgrade mod_http and mod_proxy_http2 to the versions from 2.4.33, fixing segfaults, high memory usage and potential crash [CVE-2018-1302]; make the apache-htcacheclean init script actually use /etc/default/apache-htcacheclean for its config auto-complete-el Add upstream fix for emacs25; adjust the emacs dependencies to the emacs versions in stretch; set auto-complete-el.emacsen-compat to silence installation warning awffull Do not use removed options in /etc/cron.daily/awffull ax25-tools Avoid segmentation fault at runtime base-files Update for the point release blktrace Fix buffer overflow in btt [CVE-2018-10689] ca-certificates Update Mozilla CA bundle to version 2.22; bug fixes camo Add missing dependency on openssl cffi Add missing files for cffi-libffi and cffi-toolchain; add several missing dependencies check-postgres Update testsuite to handle pg_get_indexdef() now always including the schema name clamav New upstream version; don't fail on recently removed config options clustershell Add missing dependency on python-pkg-resources debian-installer Update for -7 kernel ABI debian-installer-netboot-images Rebuild for the point release debian-security-support Update included data dehydrated Fix failure to create fullchain.pem devscripts uscan: fix the new package version regex for filenamemangle; debsign: fix bash completion; bts: support the new ftbfs tag; uscan: support HTTPS in the sf.net redirector; debcheckout: support salsa.debian.org; debdiff: sort shlibs files before comparing, reducing diff noise; uscan: actually support --copy disc-cover Fix perl error when running disc-cover discover Use correct type for the length parameter of the getline() call django-xmlrpc Fix python3 dependencies dosbox Fix crashes with core=dynamic dpdk New upstream stable update dpkg Fix integer overflow in deb(5) format version parser; fix directory traversal with dpkg-deb --raw-extract; add support for riscv64 CPU; do not normalize args past a passthrough stop word in Dpkg::Getopt; parse start-stop-daemon usernames and groupnames starting with digits correctly; always use the binary version for the .buildinfo filename dput-ng Add jessie-backports-sloppy and stretch-backports targets; include 'testing' in the rm-managed suites and 'oldstable' in protected distributions ; add ports-master profile; FTP: parse and use optional [:port] part for fqdn elastix Rebuild with ITK that has been built with gcc 6 email2trac Fix detection of Trac 1.2 faad2 Fix several DoS issues via crafted MP4 files [CVE-2017-9218 CVE-2017-9219 CVE-2017-9220 CVE-2017-9221 CVE-2017-9222 CVE-2017-9223 CVE-2017-9253 CVE-2017-9254 CVE-2017-9255 CVE-2017-9256 CVE-2017-9257] faker Add missing dependency on python-ipaddress fastkml Add missing dependency on pkg-resources file Avoid reading past the end of buffer [CVE-2018-10360] freedink-dfarc Fix directory traversal in D-Mod extractor [CVE-2018-0496] ganeti Properly verify SSL certificates during VM export ghostscript Fix segfault with fuzzing file in gxht_thresh_image_init(); fix buffer overflow in fill_threshold_buffer [CVE-2016-10317]; pdfwrite - Guard against trying to output an infinite number [CVE-2018-10194] git-annex Security fixes [CVE-2018-10857 CVE-2018-10859] glx-alternatives New upstream version gridengine Use correct paths to qmon pixmaps; fix FTBFS on armhf intel-microcode Update included microcode, including fixes for Spectre v2 [CVE-2017-5715] jdresolve Fix incompatibility with libnet-dns-perl in Debian 8 and later libb64 Rebuild with PIE libdate-holidays-de-perl Mark Reformation Day as a holiday in Niedersachsen and Bremen libdatetime-timezone-perl Update included data libextractor Various security fixes [CVE-2017-15266 CVE-2017-15267 CVE-2017-15600 CVE-2017-15601 CVE-2017-15602 CVE-2017-15922 CVE-2017-17440] libipc-run-perl Fix memory leak liblouis Fix buffer overflow [CVE-2018-11410]; fix several buffer overflows [CVE-2018-11440 CVE-2018-11577 CVE-2018-11683 CVE-2018-11684 CVE-2018-11685 2018-12085] libosmium Output coordinate with value of -2^31 correctly; fix buffers larger than 2^32 bytes linux New upstream stable release 4.9.110 linux-latest Update to -7 kernel ABI llvm-toolchain-4.0 New package for rust backports; fix build on s390x local-apt-repository Stop breaking apt when the package is removed but not purged loook Fix handling of password protected files miniupnpd Fix DoS [CVE-2017-1000494] nss-pam-ldapd Increase size of hostname buffer nvidia-graphics-drivers New upstream version obfsproxy Don't install the broken AppArmor profile openldap Fix an out-of-sync issue with delta-syncrepl replication in multi-master environments; really fix upgrades when the config contains backslash-escaped special characters openstack-debian-images Set CloudStack after OpenStack in the datasource_list, to avoid a 120s delay in cloud-init when booting a machine in an OpenStack cloud patch Fix arbitrary command execution in ed-style patches [CVE-2018-1000156] piglit Fix missing dependency on python-mako postgresql-9.6 New upstream release postgresql-common Prevent upgrading/removing server packages from stopping other major version clusters when running systemd psad Add missing dependencies on net-tools and iproute2 pysurfer Add missing dependency on python-matplotlib python-cluster Add missing dependency on pkg-resources python-pyorick Fix import failure by adding missing dependency on python3-numpy python-scruffy Add missing dependencies on pkg-resources r-cran-mi Add missing dependency on r-cran-arm redis Correct RunTimeDirectory -> RuntimeDirectory typo in systemd .service files reportbug Notify the security team or LTS team about a possible regression if reporting a bug against a package containing a security fix rustc New upstream release to support Firefox ESR salt Fix salt-ssh minion copied over configuration from the Salt Master without adjusting permissions [CVE-2017-8109] shared-mime-info Switch dpkg trigger to noawait, fixing upgrade issues from jessie showq Fix prefix, so application actually works source-highlight Fix dependency on libboost-regex-dev starplot Fix startup crash subversion Reject commits which would introduce hash collisions with existing data, thus addressing the SHA1/shattered issue sus Update to new version, technically identical to SUSv4 + TC1 + TC2 systemd networkd-ndisc: Handle missing MTU gracefully; allow RemoveIPC= to be set in the unit file not only via D-Bus; nspawn: Add missing -E to getopt_long'; login: Respect --no-wall when cancelling a shutdown request tclreadline Fix shared library build on ppc64el thefuck Add missing dependency on pkg-resources tinyproxy Do not stop listening after SIGHUP; fix configuration file path; add missing dependency on adduser tlslite-ng Verify MAC even if the padding is 1 byte long tzdata New upstream release unison Rebuild with stretch's ocaml variety Fix shell injection on deleting files to trash; fix shell injection in filter and clock with specially crafted filenames; harden ImageMagick calls against potential shell injection xapian-core Fix MSet::snippet() to escape HTML in all cases [CVE-2018-499] xerces-c Fix Denial of Service via external DTD reference [CVE-2017-12627]; fix a regression that forced gcc to use SSE2, even on platforms that do not support it xrdp Fix off-by-one error which could lead to crashes

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason libnet-whois-perl Broken mlbviewer No longer works due to content provider changes python-uniconvertor Unusable; requires unpackaged dependency singularity-container Not security supportable undertow Unsupportable; several security issues; alternatives exist visionegg Unusable; requires no longer available numpy.oldnumeric

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

The current stable distribution:

Proposed updates to the stable distribution:

stable distribution information (release notes, errata etc.):

Security announcements and information:

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.