Updated Debian 9: 9.10 released

September 7th, 2019

The Debian project is pleased to announce the tenth update of its oldstable distribution Debian 9 (codename stretch ). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included. There is no need to throw away old stretch media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following packages:

Package Reason base-files Update for the point release; add VERSION_CODENAME to os-release basez Properly decode base64url encoded strings biomaj-watcher Fix upgrades from jessie to stretch c-icap-modules Add support for clamav 0.101.1 chaosreader Add missing dependency on libnet-dns-perl clamav New upstream stable release: add scan time limit to mitigate against zip-bombs [CVE-2019-12625]; fix out-of-bounds write within the NSIS bzip2 library [CVE-2019-12900] corekeeper Do not use a world-writable /var/crash with the dumper script; handle older versions of the Linux kernel in a safer way; do not truncate core names for executables with spaces cups Fix multiple security/disclosure issues - SNMP buffer overflows [CVE-2019-8696 CVE-2019-8675], IPP buffer overflow, Denial of Service and memory disclosure issues in the scheduler dansguardian Add support for clamav 0.101 dar Rebuild to update built-using packages debian-archive-keyring Add buster keys; remove wheezy keys fence-agents Fix denial of service issue [CVE-2019-10153] fig2dev Do not segfault on circle/half circle arrowheads with a magnification larger than 42 [CVE-2019-14275] fribidi Fix right-to-left output in debian-installer text mode fusiondirectory Stricter checks on LDAP lookups; add missing dependency on php-xml gettext Stop xgettext() from crashing when run with --its=FILE option glib2.0 Create directory and file with restrictive permissions when using the GKeyfileSettingsBackend [CVE-2019-13012]; avoid buffer read overrun when formatting error messages for invalid UTF-8 in GMarkup [CVE-2018-16429]; avoid NULL dereference when parsing invalid GMarkup with a malformed closing tag not paired with an opening tag [CVE-2018-16429] gocode gocode-auto-complete-el: Make pre-dependency on auto-complete-el versioned to fix upgrades from jessie to stretch groonga Mitigate privilege escalation by changing the owner and group of logs with su option grub2 Fixes for Xen UEFI support gsoap Fix denial of service issue if a server application is built with the -DWITH_COOKIES flag [CVE-2019-7659]; fix issue with DIME protocol receiver and malformed DIME headers gthumb Fix double-free bug [CVE-2018-18718] havp Add support for clamav 0.101.1 icu Fix segfault in pkgdata command koji Fix SQL injection issue [CVE-2018-1002161]; properly validate SCM paths [CVE-2017-1002153] lemonldap-ng Fix cross-domain authentication regression; fix XML external entity vulnerability libcaca Fix integer overflow issues [CVE-2018-20545 CVE-2018-20546 CVE-2018-20547 CVE-2018-20548 CVE-2018-20549] libclamunrar New upstream stable release libconvert-units-perl No-change rebuild with fixed version number libdatetime-timezone-perl Update included data libebml Apply upstream fixes for heap-based buffer over-reads libevent-rpc-perl Fix build failure due to expired test SSL certificates libgd2 Fix uninitialized read in gdImageCreateFromXbm [CVE-2019-11038] libgovirt Re-generate test certificates with expiration date far in the future to avoid test failures librecad Fix denial of service via crafted file [CVE-2018-19105] libsdl2-image Fix multiple security issues libthrift-java Fix bypass of SASL negotiation [CVE-2018-1320] libtk-img Stop using internal copies of JPEG, Zlib and PixarLog codecs, fixing crashes libu2f-host Fix stack memory leak [CVE-2019-9578] libxslt Fix security framework bypass [CVE-2019-11068]; fix uninitialized read of xsl:number token [CVE-2019-13117]; fix uninitialized read with UTF-8 grouping chars [CVE-2019-13118] linux New upstream version with ABI bump; security fixes [CVE-2015-8553 CVE-2017-5967 CVE-2018-20509 CVE-2018-20510 CVE-2018-20836 CVE-2018-5995 CVE-2019-11487 CVE-2019-3882] linux-latest Update for 4.9.0-11 kernel ABI liquidsoap Fix compilation with Ocaml 4.02 llvm-toolchain-7 New package to support building new Firefox versions mariadb-10.1 New upstream stable release; security fixes [CVE-2019-2737 CVE-2019-2739 CVE-2019-2740 CVE-2019-2805 CVE-2019-2627 CVE-2019-2614] minissdpd Prevent a use-after-free vulnerability that would allow a remote attacker to crash the process [CVE-2019-12106] miniupnpd Fix denial of service issues [CVE-2019-12108 CVE-2019-12109 CVE-2019-12110]; fix information leak [CVE-2019-12107] mitmproxy Blacklist tests that require Internet access; prevent insertion of unwanted upper-bound versioned dependencies monkeysphere Fix build failure by updating the tests to accommodate an updated GnuPG in stretch now producing a different output nasm-mozilla New package to support building new Firefox versions ncbi-tools6 Repackage without non-free data/UniVec.* node-growl Sanitize input before passing it to exec node-ws Restrict upload size [CVE-2016-10542] open-vm-tools Fix possible security issue with the permissions of the intermediate staging directory and path openldap Restrict rootDN proxyauthz to its own databases [CVE-2019-13057]; enforce sasl_ssf ACL statement on every connection [CVE-2019-13565]; fix slapo-rwm to not free original filter when rewritten filter is invalid openssh Fix deadlock in key matching passwordsafe Don't install localization files under an extra subdirectory pound Fix request smuggling via crafted headers [CVE-2016-10711] prelink Rebuild to update built-using packages python-clamav Add support for clamav 0.101.1 reportbug Update release names, following buster release resiprocate Resolve an installation issue with libssl-dev and --install-recommends sash Rebuild to update built-using packages sdl-image1.2 Fix buffer overflows [CVE-2018-3977 CVE-2019-5058 CVE-2019-5052], out-of-bounds access [CVE-2019-12216 CVE-2019-12217 CVE-2019-12218 CVE-2019-12219 CVE-2019-12220 CVE-2019-12221 CVE-2019-12222 CVE-2019-5051] signing-party Fix unsafe shell call enabling shell injection via a User ID [CVE-2019-11627] slurm-llnl Fix potential heap overflow on 32-bit systems [CVE-2019-6438] sox Fix several security issues [CVE-2019-8354 CVE-2019-8355 CVE-2019-8356 CVE-2019-8357 927906 CVE-2019-1010004 CVE-2017-18189 881121 CVE-2017-15642 882144 CVE-2017-15372 878808 CVE-2017-15371 878809 CVE-2017-15370 878810 CVE-2017-11359 CVE-2017-11358 CVE-2017-11332 systemd Do not stop ndisc client in case of configuration error t-digest No-change rebuild to avoid re-use of pre-epoch version 3.0-1 tenshi Fix PID file issue that allows local users to kill arbitrary processes [CVE-2017-11746] tzdata New upstream release unzip Fix incorrect parsing of 64-bit values in fileio.c; fix zip-bomb issues [CVE-2019-13232] usbutils Update USB ID list xymon Fix several (server only) security issues [CVE-2019-13273 CVE-2019-13274 CVE-2019-13451 CVE-2019-13452 CVE-2019-13455 CVE-2019-13484 CVE-2019-13485 CVE-2019-13486] yubico-piv-tool Fix security issues [CVE-2018-14779 CVE-2018-14780] z3 Do not set the SONAME of libz3java.so to libz3.so.4 zfs-auto-snapshot Make cron jobs exit silently after package removal zsh Rebuild to update built-using packages

Security Updates

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason pump Unmaintained; security issues teeworlds Security issues; incompatible with current servers

Debian Installer

The installer has been updated to include the fixes incorporated into oldstable by the point release.

URLs

The complete lists of packages that have changed with this revision:

The current oldstable distribution:

Proposed updates to the oldstable distribution:

oldstable distribution information (release notes, errata etc.):

Security announcements and information:

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.