------------------------------------------------------------------------
The Debian Project https://www.debian.org/
Updated Debian 9: 9.8 released press@debian.org
February 16th, 2019 https://www.debian.org/News/2019/20190216
------------------------------------------------------------------------


The Debian project is pleased to announce the eighth update of its
stable distribution Debian 9 (codename "stretch"). This point release
mainly adds corrections for security issues, along with a few
adjustments for serious problems. Security advisories have already been
published separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 9 but only updates some of the packages included. There is no
need to throw away old "stretch" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list



Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

+--------------------------+------------------------------------------+
| Package | Reason |
+--------------------------+------------------------------------------+
| arc [1] | Fix directory traversal bugs [CVE-2015- |
| | 9275], arcdie crash when called with |
| | more than 1 variable argument and |
| | version 1 arc header reading |
| | |
| astroml-addons [2] | Fix Python 3 dependencies |
| | |
| base-files [3] | Update for the point release |
| | |
| c3p0 [4] | Fix XML External Entity vulnerability |
| | [CVE-2018-20433] |
| | |
| ca-certificates-java [5] | Fix temporary jvm-*.cfg generation on |
| | armhf |
| | |
| chkrootkit [6] | Fix regular expression for filtering out |
| | dhcpd and dhclient as false positives |
| | from the packet sniffer test |
| | |
| compactheader [7] | Update to work with newer Thunderbird |
| | versions |
| | |
| courier [8] | Fix @piddir@ substitution |
| | |
| cups [9] | Security fixes [CVE-2017-18248 CVE-2018- |
| | 4700] |
| | |
| debian-edu-config [10] | Fix configuration of personal web pages; |
| | re-enable offline installation of a |
| | combi server including diskless |
| | workstation support; enable Chromium |
| | homepage setting at installation time |
| | and via LDAP |
| | |
| debian-installer [11] | Rebuild for the point release |
| | |
| debian-installer- | Rebuild against proposed-updates |
| netboot-images [12] | |
| | |
| debian-security- | Update support status of various |
| support [13] | packages |
| | |
| dnspython [14] | Fix error when parsing nsec3 bitmap from |
| | text |
| | |
| egg [15] | Skip emacsen-install for unsupported |
| | xemacs21 |
| | |
| erlang [16] | Do not install Erlang mode for XEmacs |
| | |
| espeakup [17] | debian/espeakup.service: Fix |
| | compatibility with older versions of |
| | systemd |
| | |
| freerdp [18] | Fix security issues [CVE-2018-8786 |
| | CVE-2018-8787 CVE-2018-8788]; add |
| | CredSSP v3 and RDP proto v6 support |
| | |
| ganeti-os-noop [19] | Fix size detection for non-block devices |
| | |
| glibc [20] | Fix several security isses [CVE-2017- |
| | 15670 CVE-2017-15671 CVE-2017-15804 |
| | CVE-2017-1000408 CVE-2017-1000409 |
| | CVE-2017-16997 CVE-2017-18269 CVE-2018- |
| | 11236 CVE-2018-11237]; avoid |
| | segmentation faults on CPUs with AVX512- |
| | F; fix a use after free in |
| | pthread_create(); check for postgresql |
| | in NSS check; fix pthread_cond_wait() in |
| | the pshared case on non-x86. |
| | |
| gnulib [21] | vasnprintf: Fix heap memory overrun bug |
| | [CVE-2018-17942] |
| | |
| gnupg2 [22] | Avoid crash when importing without a TTY |
| | |
| graphite-api [23] | Fix RequiresMountsFor spelling in |
| | systemd service |
| | |
| grokmirror [24] | Add missing dependency on python-pkg- |
| | resources |
| | |
| gvrng [25] | Fix permissions problem that prevented |
| | starting gvrng; generate correct Python |
| | dependencies |
| | |
| ibus [26] | Fix multi-arch installation by removing |
| | the gir package's Python dependency |
| | |
| icinga2 [27] | Fix timestamps being stored as local |
| | time in PostgreSQL |
| | |
| intel-microcode [28] | Add accumulated fixes for Westmere EP |
| | (signature 0x206c2) [Intel SA-00161 |
| | CVE-2018-3615 CVE-2018-3620 CVE-2018- |
| | 3646 Intel SA-00115 CVE-2018-3639 |
| | CVE-2018-3640 Intel SA-0088 CVE-2017- |
| | 5753 CVE-2017-5754] |
| | |
| isort [29] | Fix Python dependencies |
| | |
| jdupes [30] | Fix potential crash on ARM |
| | |
| kmodpy [31] | Remove incorrect Multi-Arch: same from |
| | python-kmodpy |
| | |
| libapache2-mod- | Don't allow sections in user |
| perl2 [32] | controlled configuration [CVE-2011-2767] |
| | |
| libb2 [33] | Detect if the system can use AVX before |
| | actually using it |
| | |
| libdatetime-timezone- | Update included data |
| perl [34] | |
| | |
| libemail-address-list- | Fix DoS vulnerability [CVE-2018-18898] |
| perl [35] | |
| | |
| libemail-address- | Fix DoS vulnerabilities [CVE-2015-7686 |
| perl [36] | CVE-2018-12558] |
| | |
| libgpod [37] | python-gpod: Add missing dependency on |
| | python-gobject-2 |
| | |
| libssh [38] | Fix broken server-side keyboard- |
| | interactive authentication |
| | |
| linux [39] | New upstream release; new upstream |
| | version; fix build failures on arm64 and |
| | mips*; libceph: fix |
| | CEPH_FEATURE_CEPHX_V2 check in |
| | calc_signature() |
| | |
| linux-igd [40] | Make the init script require $network |
| | |
| lttng-modules [41] | Fix build on linux-rt 4.9 kernels and |
| | kernels >= 4.9.0-3 |
| | |
| mistral [42] | Fix "std.ssh action may disclose |
| | presence of arbitrary files" [CVE-2018- |
| | 16849] |
| | |
| monkeysign [43] | Fix security issue [CVE-2018-12020]; |
| | actually send multiple emails instead of |
| | a single one |
| | |
| mpqc [44] | Also install sc-libtool |
| | |
| nvidia-graphics- | New upstream release |
| drivers [45] | |
| | |
| nvidia-modprobe [46] | New upstream release |
| | |
| nvidia-persistenced [47] | New upstream release |
| | |
| nvidia-settings [48] | New upstream release |
| | |
| nvidia-xconfig [49] | New upstream release |
| | |
| openni2 [50] | Fix armhf baseline violation and armel |
| | FTBFS caused by NEON usage |
| | |
| openvpn [51] | Fix NCP behaviour on TLS reconnect, |
| | causing "AEAD Decrypt error: cipher |
| | final failed" errors |
| | |
| parsedatetime [52] | Add support for Python 3 |
| | |
| pdns [53] | Fix security issues [CVE-2018-1046 |
| | CVE-2018-10851]; fix MySQL queries with |
| | stored procedures; fix LDAP, Lua, |
| | OpenDBX backends not finding domains |
| | |
| pdns-recursor [54] | Fix security issues [CVE-2018-10851 |
| | CVE-2018-14626 CVE-2018-14644] |
| | |
| photocollage [55] | Add missing dependency on gir1.2-gtk-3.0 |
| | |
| postfix [56] | New upstream stable release; avoid |
| | postconf failures when postfix-instance- |
| | generator runs during boot |
| | |
| postgresql-9.6 [57] | New upstream release |
| | |
| postgrey [58] | No change rebuild |
| | |
| pylint-django [59] | Fix Python 3 dependencies |
| | |
| python-acme [60] | Backport newer version for tls-sni-01 |
| | deprecation |
| | |
| python-arpy [61] | Fix Python 3 dependencies |
| | |
| python-certbot [62] | Backport newer version for tls-sni-01 |
| | deprecation |
| | |
| python-certbot- | Update for deprecation of tls-sni-01 |
| apache [63] | |
| | |
| python-certbot- | Update for deprecation of tls-sni-01 |
| nginx [64] | |
| | |
| python-hypothesis [65] | Fix (inverted) dependencies of python3- |
| | hypothesis and python-hypothesis-doc |
| | |
| python-josepy [66] | New package, required by Certbot |
| | |
| pyzo [67] | Add missing dependency on python3-pkg- |
| | resources |
| | |
| r-cran-readxl [68] | Fix crash bugs [CVE-2018-20450 CVE-2018- |
| | 20452] |
| | |
| rtkit [69] | Move dbus and polkit from Recommends to |
| | Depends |
| | |
| ruby-rack [70] | Fix a possible cross-site scripting |
| | vulnerability [CVE-2018-16471] |
| | |
| samba [71] | New upstream release; s3:ntlm_auth: fix |
| | memory leak in manage_gensec_request(); |
| | ignore nmbd start errors when there is |
| | no non-loopback interface or no local |
| | IPv4 non-loopback interface; fix |
| | CVE-2018-14629 regression on a non-CNAME |
| | record |
| | |
| sl-modem [72] | Support Linux versions > 3 |
| | |
| sogo-connector [73] | Update to work with newer Thunderbird |
| | versions |
| | |
| sox [74] | Really apply fixes for CVE-2014-8145 |
| | |
| ssh-agent-filter [75] | Fix two-byte out-of-bounds stack write |
| | |
| supercollider [76] | Disable support for XEmacs and Emacs |
| |