Updated Debian 9: 9.6 released

November 10th, 2018

The Debian project is pleased to announce the sixth update of its stable distribution Debian 9 (codename stretch). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included. There is no need to throw away old stretch media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package: Reason

accerciser: Fix accessing items without a compositor; fix Python console; add missing dependency on python3-xlib
apache2: mod_http2: Fix DoS by worker exhaustion [CVE-2018-1333] and by continuous SETTINGS [CVE-2018-11763]; mod_proxy_fcgi: Fix segfault
base-files: Update /etc/debian_version for the point release
brltty: Fix polkit authentication
canna: Fix file conflict between canna-dbgsym and canna-utils-dbgsym
cargo: New package to support Firefox ESR60 build
clamav: New upstream release; fix HWP integer overflow, infinite loop vulnerability [CVE-2018-0360]; fix PDF object length check issue, unreasonably long time to parse relatively small file [CVE-2018-0361]; new upstream version; fix Denial-of-Service issue [CVE-2018-15378]; fix infinite loop in dpkg-reconfigure
confuse: Fix an out of bound read in trim_whitespace [CVE-2018-14447]
debian-installer: Update for -8 kernel ABI
debian-installer-netboot-images: Rebuild for the point release
dnsmasq: trust-anchors.conf: include latest DNS trust anchor KSK-2017
dom4j: Fix XML injection attack [CVE-2018-1000632]; compile with source/target 1.5 to fix a compilation issue with String.format
dpdk: New upstream stable release
dropbear: Fix user enumeration vulnerability [CVE-2018-15599]
easytag: Fix OGG corruption
enigmail: Add compatibility with newer Thunderbird versions
espeakup: espeakup.service: Automatically load speakup_soft on daemon startup
fastforward: Fix segfaults on 64-bit architectures
firetray: Add compatibility with newer Thunderbird versions
firmware-nonfree: Fix security issues in Broadcom wifi firmware [CVE-2016-0801 CVE-2017-0561 CVE-2017-9417 CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080 CVE-2017-13081]; re-add transitional packages for firmware-{adi,ralink}
fofix-dfsg: Fix error at startup
fuse: Whitelist autofs and FAT as valid mountpoint filesystems
ganeti: Properly verify SSL certificates during VM export; sign generated certificates using SHA256 instead of SHA1; make bash completions autoloadable
globus-gsi-credential: Fix issue with voms proxy and openssl 1.1
gnupg2: Security fixes; backport functionality required for new enigmail
gnutls28: Fix security issues [CVE-2018-10844 CVE-2018-10845]
gphoto2-cffi: Make python3-gphoto2cffi work again
grub2: grub-mknetdir: Add support for ARM64 EFI; change the default TSC calibration method to pmtimer on EFI systems
hdparm: Only enable APM on disks that advertise it
https-everywhere: Backport new upstream version, for compatibility with Firefox ESR 60
i3-wm: Fix crash upon restart when using marks
iipimage: Fix Apache configuration
jhead: Fix security issues [CVE-2018-17088 CVE-2018-16554]
lastpass-cli: Backport hardcoded certificate pins from lastpass-cli 1.3.1 to reflect changes in hosted Lastpass.com service
ldap2zone: Fix endless loop checking zone serial
libcgroup: Fix world-accessible (and writeable) log files [CVE-2018-14348]
libclamunrar: New upstream release
libdap: Fix libdap-doc contents
libdatetime-timezone-perl: Update included data
libgd2: Bmp: check return value in gdImageBmpPtr [CVE-2018-1000222]; fix potential infinite loop in gdImageCreateFromGifCtx [CVE-2018-5711]
libmail-deliverystatus-bounceparser-perl: Remove non-distributable sample spam and viruses
libmspack: Fix out-of-bounds write [CVE-2018-18584] and acceptance of blank filenames [CVE-2018-18585]
libopenmpt: Fix up11: Out-of-bounds read loading IT / MO3 files with many pattern loops [CVE-2018-10017]
libseccomp: Add support for Linux 4.9 syscalls: preadv2, pwritev2, pkey_mprotect, pkey_alloc and pkey_free; add support for statx
libtirpc: rendezvous_request: check the makefd_xprt return value [CVE-2018-14622]
libx11: Fix several security issues [CVE-2018-14598 CVE-2018-14599 CVE-2018-14600]
libxcursor: Fix a denial of service or potentially code execution via a one-byte heap overflow [CVE-2015-9262]
libxml-stream-perl: Provide a default CA path
libxml-structured-perl: Add missing build and runtime dependency on libxml-parser-perl
linux: Xen: Fix boot regression in PV domains; xen-netfront: Fix regressions; ext4: fix false negatives *and* false positives in ext4_check_descriptors(); udeb: Add virtio_console to virtio-modules; cdc_ncm: avoid padding beyond end of skb; revert "sit: reload iphdr in ipip6_rcv"; new upstream release
lxcfs: Revert uptime virtualization, fixing process start times
magicmaze: Depend on fonts-isabella now that ttf-isabella is a virtual package
mailman: Fix arbitrary text injection vulnerability in Mailman CGIs [CVE-2018-13796]
multipath-tools: Avoid deadlock in udev triggers
nagstamon: Address IcingaWeb2 Basic auth issue
network-manager: libnm: Fix accessing enabled and metered properties; fix out-of-bounds heap write in dhcpv6 option handling [CVE-2018-15688] and various other issues in the sd-network based dhcp=internal plugin
network-manager-applet: libnma/pygobject: libnma/NMA must use libnm/NM instead of legacy libraries
ola: Fix typo in /etc/init.d/rdm_test_server; fix filename for jquery in rdm test server static HTML files
opensc: Fix unbounded recursion and several out-of-bounds reads or writes [CVE-2018-16391 CVE-2018-16392 CVE-2018-16393 CVE-2018-16418 CVE-2018-16419 CVE-2018-16420 CVE-2018-16421 CVE-2018-16422 CVE-2018-16423 CVE-2018-16424 CVE-2018-16425 CVE-2018-16426 CVE-2018-16427]
pkgsel: Install new dependencies when safe-upgrade (default) is selected
publicsuffix: Update included data
python-django: Default to supporting Spatialite >= 4.2
python-imaplib2: Install the correct module for Python 3; don't use TIMEOUT_MAX
rustc: Enable building on further architectures: arm64, armel, armhf, i386, ppc64el, s390x
sddm: Honour PAM's ambient supplemental groups; add missing utmp/wtmp/btmp handling
serf: Fix NULL pointer dereference
soundconverter: Fix opus vbr setting
spamassassin: New upstream release; fix denial of service [CVE-2017-15705], remote code execution [CVE-2018-11780], code injection [CVE-2018-11781] and unsafe usage of "." in @INC [CVE-2016-1238]; fix spamd service management on package upgrades
spice-gtk: Fix flexible array buffer overflow [CVE-2018-10873]
sqlcipher: Avoid a crash when opening a file
subversion: Fix a regression introduced in the fixes for SHA1 collisions, where commits would incorrectly fail with a "Filesystem is corrupt" error if the delta length is a multiple of 16K
systemd: networkd: Do not fail manager_connect_bus() if dbus is not active yet; dhcp6: Make sure we have enough space for the DHCP6 option header [CVE-2018-15688]
systraq: Invert logic in order to exit successfully in case /e/s/Makefile is missing
tomcat-native: Fix OCSP responder issue that made it possible for users to authenticate with revoked certificates when using mutual TLS [CVE-2018-8019 CVE-2018-8020]
tor: Directory authority changes: retire Bifroest bridge authority, in favour of Serge; add an IPv6 address for the dannenberg directory authority
tzdata: New upstream release
ublock-origin: Backport new upstream version, for compatibility with Firefox ESR 60
unbound: Fix vulnerability in the processing of wildcard synthesized NSEC records [CVE-2017-15105]
vagrant: Support VirtualBox 5.2
vmtk: python-vmtk: Add the missing dependency on python-vtk6
wesnoth-1.12: Disallow loading lua bytecode via load/dofile [CVE-2018-1999023]
wpa: Ignore unauthenticated encrypted EAPOL-Key data [CVE-2018-14526]
x11vnc: Fix two buffer overflows
xapian-core: Fix glass backend bug with long-lived cursors on a table in a WritableDatabase which could incorrectly lead to DatabaseCorruptError being thrown when the database was actually OK
xmotd: Avoid crash with hardening flags
xorg-server: GLX: do not pick sRGB config for 32-bit RGBA visual; fixes various blending issues with kwin and Mesa >= 18.0 (i.e. Mesa from stretch-backports)
zutils: Fix a buffer overrun in zcat [CVE-2018-1000637]

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Removed packages

The following packages were removed due to circumstances beyond our control:

Package: Reason

adblock-plus-element-hiding-helper: Incompatible with newer firefox-esr versions
all-in-one-sidebar: Incompatible with newer firefox-esr versions
autofill-forms: Incompatible with newer firefox-esr versions
automatic-save-folder: Incompatible with newer firefox-esr versions
classic-theme-restorer: Incompatible with newer firefox-esr versions
colorfultabs: Incompatible with newer firefox-esr versions
custom-tab-width: Incompatible with newer firefox-esr versions
dactyl: Incompatible with newer firefox-esr versions
downthemall: Incompatible with newer firefox-esr versions
dvips-fontdata-n2bk: Empty package
firebug: Incompatible with newer firefox-esr versions
firegestures: Incompatible with newer firefox-esr versions
firexpath: Incompatible with newer firefox-esr versions
flashgot: Incompatible with newer firefox-esr versions
form-history-control: Incompatible with newer firefox-esr versions
foxyproxy: Incompatible with newer firefox-esr versions
gitlab: Open security issues, hard to backport fixes
greasemonkey: Incompatible with newer firefox-esr versions
intel-processor-trace [s390x]: Only useful on Intel architectures
itsalltext: Incompatible with newer firefox-esr versions
knot-resolver: Security issues, hard to backport fixes
lightbeam: Incompatible with newer firefox-esr versions
livehttpheaders: Incompatible with newer firefox-esr versions
lyz: Incompatible with newer firefox-esr versions
npapi-vlc: Incompatible with newer firefox-esr versions
nukeimage: Incompatible with newer firefox-esr versions
openinbrowser: Incompatible with newer firefox-esr versions
perspectives-extension: Incompatible with newer firefox-esr versions
pwdhash: Incompatible with newer firefox-esr versions
python-facebook: Broken due to upstream changes
python-tvrage: Useless after tvrage.com shutdown
reloadevery: Incompatible with newer firefox-esr versions
sage-extension: Incompatible with newer firefox-esr versions
scrapbook: Incompatible with newer firefox-esr versions
self-destructing-cookies: Incompatible with newer firefox-esr versions
spdy-indicator: Incompatible with newer firefox-esr versions
status-4-evar: Incompatible with newer firefox-esr versions
stylish: Incompatible with newer firefox-esr versions
tabmixplus: Incompatible with newer firefox-esr versions
tree-style-tab: Incompatible with newer firefox-esr versions
ubiquity-extension: Incompatible with newer firefox-esr versions
uppity: Incompatible with newer firefox-esr versions
useragentswitcher: Incompatible with newer firefox-esr versions
video-without-flash: Incompatible with newer firefox-esr versions
webdeveloper: Incompatible with newer firefox-esr versions
xul-ext-monkeysphere: Incompatible with newer firefox-esr versions

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

The current stable distribution:

Proposed updates to the stable distribution:

stable distribution information (release notes, errata etc.):

Security announcements and information:

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.