Updated Debian 9: 9.4 released

March 10th, 2018

The Debian project is pleased to announce the fourth update of its stable distribution Debian 9 (codename stretch ). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included. There is no need to throw away old stretch media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package Reason acme-tiny Fix outdated version of the subscriber agreement activity-log-manager Add missing dependency on python-zeitgeist agenda.app Fix creation of tasks and appointments apparmor Move the features file to /usr/share/apparmor-features; pin the AppArmor feature set to Stretch's kernel auto-apt-proxy Move apt configuration away on removal, and put it back on reinstalls bareos Fix backups failing with No Volume name given base-files Update for the point release cappuccino Add missing dependency on gir1.2-gtk-3.0 cerealizer Fix Python3 dependencies clamav New upstream release; security update [CVE-2017-6418 CVE-2017-6420 CVE-2017-12374 CVE-2017-12375 CVE-2017-12376 CVE-2017-12377 CVE-2017-12378 CVE-2017-12379 CVE-2017-12380] cron Properly transition system jobs to system_cronjob_t SELinux context and stop relying on refpolicy specific identifiers cups Fix execution of arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding [CVE-2017-18190] dbus New upstream release; raise file descriptor limit sooner, fixing a regression in local DoS fix debian-edu-config Pre-configure Chromium Webbrowser system-wide to auto-detect the http proxy settings via WPAD; allow joining of Windows 10 clients to the Samba NT4-style domain debian-installer Bump Linux kernel version from 4.9.0-4 to 4.9.0-6 debian-installer-netboot-images Update to 20170615+deb9u3 images, from stretch-proposed-updates directfb Fix architecture-based filter to actually install drivers dpdk Update to new stable point release espeakup udeb: fix case where card 0 does not have an id or where cards have non-contiguous indexes; use English by default; use card id in installed system to avoid issues with card detection ordering exam Fix Python3 dependencies flatpak New upstream release; fix a D-Bus filtering bypass in flatpak-dbus-proxy; ignore unrecognised permission strings, instead of failing; do not allow legacy eavesdropping on the D-Bus session bus fuse-zip Fix writeback fail with libzip 1.0 glade Fix possible infinite loop glibc Do not update /etc/nsswitch.conf when its content already matches the default; debian/script.in/nohwcap.sh: always check for all optimized packages as multiarch allows one to install foreign architectures; avoid use-after-free read access in clntudp_call [CVE-2017-12133]; define collation for Malayalam chillu characters and correct collation of U+0D36 and U+0D37 Malayalam characters; fix invalid cast in group merging affecting ppc64 and s390x; fix compatibility with Intel C++ __regcall calling convention; install the libc-otherbuild postinst and postrm in the libc6-i686 transitional package, to make sure /etc/ld.so.nohwcap is correctly removed after an upgrade global Gozilla: quote URLs before passing them to BROWSER [CVE-2017-17531] gnumail Stop linking to OpenSSL golang-github-go-ldap-ldap Require explicit intention for empty password gosa-plugin-pwreset Fix deprecated constructor call grilo-plugins Fix Radio France source hdf5 Fix javahelper invocation inputlirc Include input-event-codes.h instead of input.h, fixing build failure intercal Recompile with PIE java-atk-wrapper Fix iterator initialization; fix missing reference for children kildclient Drop support for user-defined browsers [CVE-2017-17511] libdate-holidays-de-perl Mark Reformation Day as a holiday in Hamburg and Schleswig-Holstein from 2018 onwards libdatetime-timezone-perl New upstream version libhibernate-validator-java Fix potential privilege escalation by circumventing security manager permissions [CVE-2017-7536] libperlx-assert-perl Add missing dependencies on libkeyword-simple-perl, libdevel-declare-perl libreoffice Let FunctionAccess execute WEBSERVICE; use the right error code on WEBSERVICE() failures libvhdi Add missing Python3 dependency libvirt QEMU: shared disks with cache=directsync should be safe for migration; avoid denial of service reading from QEMU monitor [CVE-2018-5748] linux New upstream version lxc Fix the creation of testing and unstable containers by including iproute2 rather than iproute mapproxy Fix Cross Site Scripting (XSS) issue in demo service [CVE-2017-1000426] mosquitto Fix persistence file being world-readable [CVE-2017-9868] mpi4py Support current version of libmpi ncurses Fix buffer overflow in the _nc_write_entry function [CVE-2017-16879] needrestart Fix switching to list mode if debconf is run non-interactively ntp Increase stack size to at least 32kB nvidia-graphics-drivers-legacy-304xx New upstream release nvidia-graphics-drivers-legacy-340xx New upstream release nvidia-modprobe New upstream release; run setuid(0) before forking modprobe to preserve privileges through shell invocations and recursive modprobe calls nvidia-persistenced New upstream release nvidia-settings New upstream release; fix a bug that prevented changes to stereo eye assignment from getting applied from the nvidia-settings control panel nvidia-xconfig New upstream release; fix a regression that prevented nvidia-xconfig from querying some GPUs, e.g. when running `nvidia-xconfig -a` ocfs2-tools Migrate from using rcS to standard runlevels opendmarc Update opendmarc service file so changes in opendmarc.conf are used openssh Fix in read-only mode, sftp-server was incorrectly permitting creation of zero-length files [CVE-2017-15906] osinfo-db Update included data pdns-recursor Rebuild against publicsuffix 20171028.2055-0+deb9u1 postfix New upstream bugfix release; don't log warnings that some restriction returns OK, when the access map DISCARD feature is in effect; add missing dynamicmaps support in the Postfix sendmail command; fix sending to some sites with TLSA 2 X X records postgresql-9.6 New upstream version publicsuffix Update included data python-evtx Fix missing Python3 dependency python-hacking Fix Python3 dependencies python-hkdf Fix Python3 dependencies python-mimeparse Fix Python3 dependencies python-pyperclip Fix Python3 dependencies python-spake2 Fix Python3 dependencies qtpass Fix insecure built-in password generator [CVE-2017-18021] quota Prevent quotacheck from running into an endless loop reportbug Don't send mail to secure-testing-team@lists.alioth.debian.org any more rpy Rebuild against r-base 3.3 ruby-redis-store Allow unsafe objects to be loaded from redis [CVE-2017-1000248] salt Fix directory traversal vulnerability on salt-master via crafted minion IDs [CVE-2017-12791], directory traversal vulnerability in minion id validation in SaltStack [CVE-2017-14695], remote Denial of Service with a specially crafted authentication request [CVE-2017-14696]; check if data[return] is dict type slic3r Patch use lib line in all installed binaries; workaround missing GL_MULTISAMPLE macro; fix importing binary STLs on big-endian architectures soundtouch Security fixes [CVE-2017-9258 CVE-2017-9259 CVE-2017-9260] systemd networkd: Handle MTU field in IPv6 RA; add a linker script to help prevent symbol collisions, particularly with PAM modules; resolved: Fix loop on packets with pseudo dns types [CVE-2017-15908]; machinectl: Don't output No machines. with --no-legend option tzdata New upstream version ust Fix loading of Python agent library uwsgi Fix stack-based buffer overflow in uwsgi_expand_path function [CVE-2018-6758] vagrant Download boxes from app.vagrantcloud.com instead of the deprecated atlas.hashicorp.com vdirsyncer Fix discovery of Google contacts virt-what Unbreak virt detection on arm/aarch64 w3m Fix stack overflow [CVE-2018-6196], null deref [CVE-2018-6197], /tmp file races [CVE-2018-6198] waagent New upstream version webkit2gtk New upstream stable release xchain Fix dependency on wish xrdp Fix security issue [CVE-2017-16927]; fix high CPU load on ssl_tls_accept

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason dolibarr Too much work to maintain it properly in Debian electrum Security issues; broken due to upstream changes jirc Broken with stretch's libpoe-filter-xml-perl pgmodeler Incompatible with stretch's Postgresql seelablet Abandoned upstream; broken

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

The current stable distribution:

Proposed updates to the stable distribution:

stable distribution information (release notes, errata etc.):

Security announcements and information:

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.