Updated Debian 9: 9.9 released

April 27th, 2019

The Debian project is pleased to announce the ninth update of its stable distribution Debian 9 (codename stretch ). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included. There is no need to throw away old stretch media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

As a special case for this point release, those using the apt-get tool to perform the upgrade will need to ensure that the dist-upgrade command is used, in order to update to the latest kernel packages. Users of other tools such as apt and aptitude should use the upgrade command.

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package Reason audiofile Fix denial of service [CVE-2018-13440] and buffer overflow issues [CVE-2018-17095] base-files Update for the point release bwa Fix buffer overflow [CVE-2019-10269] ca-certificates-java Fix bashisms in postinst and jks-keystore cernlib Apply optimization flag -O to Fortran modules instead of -O2 which generates broken code; fix build failure on arm64 by disabling PIE for Fortran executables choose-mirror Update included mirror list chrony Fix logging of measurements and statistics, and stopping of chronyd, on some platforms when seccomp filtering is enabled ckermit Drop OpenSSL version check clamav Fix out-of-bounds heap access when scanning PDF documents [CVE-2019-1787], PE files packed using Aspack [CVE-2019-1789] or OLE2 files [CVE-2019-1788] dansguardian Add missingok to logrotate configuration debian-installer Rebuild against proposed-updates debian-installer-netboot-images Rebuild against proposed-updates debian-security-support Update support statuses diffoscope Fix tests to work with Ghostscript 9.26 dns-root-data Update root data to 2019031302 dnsruby Add new root key (KSK-2017); ruby 2.3.0 deprecates TimeoutError, use Timeout::Error dpdk New upstream stable release edk2 Fix buffer overflow in BlockIo service [CVE-2018-12180]; DNS: Check received packet size before using [CVE-2018-12178]; fix stack overflow with corrupted BMP [CVE-2018-12181] firmware-nonfree atheros / iwlwifi: update BlueTooth firmware [CVE-2018-5383] flatpak Reject all ioctls that the kernel will interpret as TIOCSTI [CVE-2019-10063] geant321 Rebuild against cernlib with fixed Fortran optmisations gnome-chemistry-utils Stop building the obsolete gcu-plugin package gocode gocode-auto-complete-el: Promote auto-complete-el to Pre-Depends to ensure successful upgrades gpac Fix buffer overflows [CVE-2018-7752 CVE-2018-20762], heap overflows [CVE-2018-13005 CVE-2018-13006 CVE-2018-20761], out-of-bounds writes [CVE-2018-20760 CVE-2018-20763] icedtea-web Stop building the browser plugin, no longer works with Firefox 60 igraph Fix a crash when loading malformed GraphML files [CVE-2018-20349] jabref Fix XML External Entity attack [CVE-2018-1000652] java-common Remove the default-java-plugin package, as the icedtea-web Xul plugin is being removed jquery Prevent Object.prototype pollution [CVE-2019-11358] kauth Fix insecure handling of arguments in helpers [CVE-2019-7443] libdate-holidays-de-perl Add March 8th (from 2019 onwards) and May 8th (2020 only) as public holidays (Berlin only) libdatetime-timezone-perl Update included data libreoffice Introduce next Japanese gengou era 'Reiwa'; make -core conflict against openjdk-8-jre-headless (= 8u181-b13-2~deb9u1), which had a broken ClassPathURLCheck linux New upstream stable version linux-latest Update for -9 kernel ABI mariadb-10.1 New upstream stable version mclibs Rebuild against cernlib with fixed Fortran optmisations ncmpc Fix NULL pointer dereference [CVE-2018-9240] node-superagent Fix ZIP bomb attacks [CVE-2017-16129]; fix syntax error nvidia-graphics-drivers New upstream stable release [CVE-2018-6260] nvidia-settings New upstream stable release obs-build Do not allow writing to files in the host system [CVE-2017-14804] paw Rebuild against cernlib with fixed Fortran optmisations perlbrew Allow HTTPS CPAN URLs postfix New upstream stable release postgresql-9.6 New upstream stable release psk31lx Make version sort correctly to avoid potential upgrade issues publicsuffix Update included data pyca Add missingok to logrotate configuration python-certbot Revert to debhelper compat 9, to ensure systemd timers are correctly started python-cryptography Remove BIO_callback_ctrl: The prototype differs with the OpenSSL's definition of it after it was changed (fixed) within OpenSSL python-django-casclient Apply django 1.10 middleware fix; python(3)-django-casclient: fix missing dependencies on python(3)-django python-mode Remove support for xemacs21 python-pip Properly catch requests' HTTPError in index.py python-pykmip Fix potential denial of service issue [CVE-2018-1000872] r-cran-igraph Fix denial of service via crafted object [CVE-2018-20349] rails Fix information disclosure issues [CVE-2018-16476 CVE-2019-5418], denial of service issue [CVE-2019-5419] rsync Several security fixes for zlib [CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843] ruby-i18n Prevent a remote denial-of-service vulnerability [CVE-2014-10077] ruby2.3 Fix FTBFS runc Fix root privilege escalation vulnerability [CVE-2019-5736] systemd journald: fix assertion failure on journal_file_link_data; tmpfiles: fix e to support shell style globs; mount-util: accept that name_to_handle_at() might fail with EPERM; automount: ack automount requests even when already mounted [CVE-2018-1049]; fix potential root privilege escalation [CVE-2018-15686] twitter-bootstrap3 Fix cross site scripting issue in tooltips or popovers [CVE-2019-8331] tzdata New upstream release unzip Fix buffer overflow in password protected ZIP archives [CVE-2018-1000035] vcftools Fix information disclosure [CVE-2018-11099] and denial of service [CVE-2018-11129 CVE-2018-11130] via crafted files vips Fix NULL function pointer dereference [CVE-2018-7998], uninitialised memory access [CVE-2019-6976] waagent New upstream release, with many Azure fixes [CVE-2019-0804] yorick-av Rescale frame timestamps; set VBV buffer size for MPEG1/2 files zziplib Fix invalid memory access [CVE-2018-6381], bus error [CVE-2018-6540], out-of-bounds read [CVE-2018-7725], crash via crafted zip file [CVE-2018-7726], memory leak [CVE-2018-16548]; reject ZIP file if the size of the central directory and/or the offset of start of central directory point beyond the end of the ZIP file [CVE-2018-6484, CVE-2018-6541, CVE-2018-6869]

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason gcontactsync Incompatible with newer firefox-esr versions google-tasks-sync Incompatible with newer firefox-esr versions mozilla-gnome-kerying Incompatible with newer firefox-esr versions tbdialout Incompatible with newer thunderbird versions timeline Incompatible with newer thunderbird versions

Debian Installer

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

The current stable distribution:

Proposed updates to the stable distribution:

stable distribution information (release notes, errata etc.):

Security announcements and information:

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.