
Debian Security and Bugfix Release for Stretch and Jessie


The Debian project has published point releases for Jessie (8.10) and Stretch (9.3), closing more than 60 security vulnerabilities and applying a range of bug fixes.

Debian Stretch 9.3 Release

| Package | Reason |
|---|---|
| abiword | Fix flickering |
| base-files | Update for the point release |
| berusky | Fix startup crash with certain video card configurations |
| charmtimetracker | Fix missing binary dependency on libqt5sql5-sqlite |
| corebird | Increase maximum length of tweet to 280 characters |
| dbus | When parsing dbus-daemon configuration, don't delay startup if high-quality entropy is not yet available; when using the Monitoring interface, match message filters that specify a destination correctly; increase listen() backlog of AF_UNIX sockets to the maximum possible, minimizing failed connections under heavy load |
| debian-edu-doc | Merge stretch related documentation and translation updates from unstable and the wiki; documentation/common/edu.css.xml: improve HTML manual readability |
| debian-installer | Rebuild for the point release |
| dehydrated | Update subscriber license agreement URL |
| doit | Add Breaks: nikola (<< 7.6.0-1~) to ensure its removal on upgrades from jessie |
| eclipse-titan | Rebuild against current stretch GCC |
| fig2dev | Add input sanitisation on FIG files [CVE-2017-16899]; sanitize input of fill patterns |
| flickcurl | Fix oauth token fetching; prevent double free corruption during authentication |
| flightgear | Prevent malicious add-ons from overwriting arbitrary files [CVE-2017-13709] |
| ganeti | Backport upstream support for non-DSA SSH keys; fix failover from dead nodes when using extstorage; fix instance import/export/move with current socat versions |
| gdm3 | Backport several patches to fix XDMCP support |
| getmail4 | Fix issue related to malformed fingerprints |
| grok | Fix pointer aliasing bug; libgrok-dev: add missing dependencies on libgrok1 and libtokyocabinet-dev |
| gunicorn | Drop unnecessary Pre-Depends on dpkg-dev which was causing gunicorn and python-gunicorn to bring in a compiler as a dependency |
| icu | Fix double free in createMetazoneMappings() [CVE-2017-14952] |
| inn2 | [i386] Rebuild to pick up correct path to gzip binary |
| iproute2 | Fix segfault in tc with iptables 1.6 |
| jdcal | Fix Python 3 dependencies |
| kde-gtk-config | Fix preview buttons in KDE-GTK-config UI |
| lasi | liblasi-dev: add missing dependencies on libpango1.0-dev and libfreetype6-dev |
| libdatetime-timezone-perl | Update included data |
| libdbd-firebird-perl | Fix fetching of decimal(x,y) values between -1 and 0 |
| libdbi | Re-enable error handler call in dbi_result_next_row() |
| liblog-log4perl-perl | Work around Perl 5.24 no longer allowing syswrite and utf8 together |
| liblouis | Fix buffer overflow and use-after-free issues [CVE-2017-13738 CVE-2017-13739 CVE-2017-13740 CVE-2017-13741 CVE-2017-13742 CVE-2017-13743 CVE-2017-13744] |
| libmpd | libmpd-dev: add the missing dependency on libglib2.0-dev |
| libofx | Security fixes [CVE-2017-2816 CVE-2017-14731] |
| libxkbcommon | libxkbcommon-x11-dev: add missing dependency on libxkbcommon-dev |
| libxsettings-client | Add missing libxsettings-client-dev -> libxsettings-dev dependency |
| linux | xen/time: do not decrease steal time after live migration on xen; new stable kernel version 4.9.65 |
| live-config | Configure autologin for KDE / Plasma live images |
| lxc | Don't hardcode list of valid Debian releases, allowing the creation of containers for stable, buster, testing and unstable; don't insert C.* locales into /etc/locale.gen |
| mongodb | Fix segfault/FTBFS on ARM64 with 48-bit virtual addresses, spidermonkey GC segfault when built with GCC 6; mongodb.service: start after network.target |
| openssh | Test configuration before starting or reloading sshd under systemd; adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme; make "--" before the hostname terminate argument processing after the hostname too |
| pdns | Fix incorrect qname casing in NSEC3 generation; add missing check on API operations [CVE-2017-15091] |
| pdns-recursor | Security fixes: insufficient validation of DNSSEC signatures [CVE-2017-15090]; cross-site scripting in the web interface [CVE-2017-15092]; configuration file injection in the API [CVE-2017-15093]; memory leak in DNSSEC parsing [CVE-2017-15094] |
| postgresql-9.6 | Upstream bugfix release |
| publicsuffix | Update included data |
| pyosmium | Upstream bugfix release: handler functions not called when using replication service or when using Reader instead of file |
| python-diff-match-patch | Add missing python3 dependency on Python 3 package |
| python-inflect | Fix Python 3 dependencies |
| python-tablib | Safely load YAML [CVE-2017-2810] |
| python2.7 | Fix integer overflow in PyString_DecodeEscape [CVE-2017-1000158]; support all groups in TLS communication |
| qtcurve | Fix crashes by using strncmp() instead of memcmp() |
| ruby-httparty | Relax dependency version in gem dependency on json |
| ruby-ox | Avoid crash with invalid XML passed to Ox.parse_obj() [CVE-2017-15928] |
| ruby-pygments.rb | Avoid closing too many files when mentos starts, which can cause build failures in other packages on slower systems |
| schroot | Fix bash completion file; add systemd service file with Type=oneshot to avoid timeout issues with too many open sessions |
| simutrans | Enable sound for simutrans again; switch from SDL to mixer_sdl backend |
| sitesummary | Adjust nagios kernel version checking module to work with 4.x kernels |
| slic3r | Fix missing dependency on perlapi-* |
| spamassassin | Disable bb.barracudacentral.org; update the systemd unit file to use the same pid file as was used in the sysvinit script; update systemd unit dependencies to include network and syslog; fix inappropriate invocation of invoke-rc.d in cron script |
| sqldeveloper-package | Fix build failure |
| sqlite3 | Fix heap-based buffer over-read via undersized RTree blobs [CVE-2017-10989] |
| syslinux | Fix btrfs logical to physical block address mapping; fix boot problem for old BIOS firmware by correcting C/H/S order; support ext4 64bit feature |
| tdbcodbc | Fix bug in ODBC library search |
| tor | Add Bastet directory authority; fix a timing-based assertion failure; update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2 country database |
| tzdata | New upstream release |
| udftools | Fix path to pktsetup in udftools init script |
| weechat | logger: call strftime before replacing buffer local variables [CVE-2017-14727] |
| xml2 | Fix corruption when dealing with UTF-8 files; fix usage string for 2csv tool |
| xrdp | Fix high CPU load on SSL shutdown |
| zsh | Rebuild to pull in updated libraries for zsh-static |

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

| Advisory ID | Package |
|---|---|
| DSA-3989 | dnsmasq |
| DSA-3990 | asterisk |
| DSA-3991 | qemu |
| DSA-3992 | curl |
| DSA-3993 | tor |
| DSA-3994 | nautilus |
| DSA-3995 | libxfont |
| DSA-3996 | ffmpeg |
| DSA-3997 | wordpress |
| DSA-3998 | nss |
| DSA-3999 | wpa |
| DSA-4000 | xorg-server |
| DSA-4001 | yadifa |
| DSA-4003 | libvirt |
| DSA-4004 | jackson-databind |
| DSA-4006 | mupdf |
| DSA-4007 | curl |
| DSA-4008 | wget |
| DSA-4009 | shadowsocks-libev |
| DSA-4011 | quagga |
| DSA-4013 | openjpeg2 |
| DSA-4014 | thunderbird |
| DSA-4015 | openjdk-8 |
| DSA-4016 | irssi |
| DSA-4017 | openssl1.0 |
| DSA-4018 | openssl |
| DSA-4019 | imagemagick |
| DSA-4020 | chromium-browser |
| DSA-4021 | otrs2 |
| DSA-4023 | slurm-llnl |
| DSA-4024 | chromium-browser |
| DSA-4025 | libpam4j |
| DSA-4026 | bchunk |
| DSA-4028 | postgresql-9.6 |
| DSA-4029 | postgresql-common |
| DSA-4030 | roundcube |
| DSA-4031 | ruby2.3 |
| DSA-4032 | imagemagick |
| DSA-4033 | konversation |
| DSA-4034 | varnish |
| DSA-4035 | firefox-esr |
| DSA-4036 | mediawiki |
| DSA-4037 | jackson-databind |
| DSA-4038 | shibboleth-sp2 |
| DSA-4039 | opensaml2 |
| DSA-4041 | procmail |
| DSA-4042 | libxml-libxml-perl |
| DSA-4043 | samba |
| DSA-4044 | swauth |
| DSA-4045 | vlc |
| DSA-4047 | otrs2 |
| DSA-4049 | ffmpeg |
| DSA-4050 | xen |
| DSA-4051 | curl |
| DSA-4052 | bzr |
| DSA-4053 | exim4 |

Removed packages

The following packages were removed due to circumstances beyond our control:

| Package | Reason |
|---|---|
| libnet-ping-external-perl | Unmaintained, security issues |

Source: https://www.debian.org/News/2017/2017120902

Debian Jessie 8.10 Release

Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following packages:

| Package | Reason |
|---|---|
| bareos | Fix permissions of bareos-dir logrotate config; fix file corruption when using SHA1 signature |
| base-files | Update for the point release |
| bind9 | Import upcoming DNSSEC KSK-2017 |
| cups | Disable SSLv3 and RC4 by default to address the POODLE vulnerability |
| db | Do not access DB_CONFIG when db_home is not set [CVE-2017-10140] |
| db5.3 | Do not access DB_CONFIG when db_home is not set [CVE-2017-10140] |
| debian-installer | Rebuild for the point release |
| debian-installer-netboot-images | Rebuild for the point release |
| debmirror | Tolerate unknown lines in *.diff/Index; mirror DEP-11 metadata files; prefer xz over gz, and cope with either being missing; mirror and validate InRelease files |
| dns-root-data | Update root.hints to 2017072601 version; add KSK-2017 to root.key file |
| dput | dput.cf: replace security-master.debian.org with ftp.upload.security.debian.org |
| dwww | Fix Last-Modified header name |
| elog | Update patch 0005_elogd_CVE-2016-6342_fix to grant access as normal user |
| flightgear | Fix arbitrary file overwrite vulnerability [CVE-2017-13709] |
| gsoap | Fix integer overflow via large XML document [CVE-2017-9765] |
| hexchat | Fix segmentation fault following /server command |
| icu | Fix double free in createMetazoneMappings() [CVE-2017-14952] |
| kdepim | Fix "Send Later with Delay" bypassing OpenPGP [CVE-2017-9604] |
| kedpm | Fix information leak via command history file [CVE-2017-8296] |
| keyringer | Handle subkeys without expiration date and public keys listed multiple times |
| krb5 | Security fixes: remote authenticated attackers can crash the KDC [CVE-2017-11368]; KDC crash on restrict_anon_to_tgt [CVE-2016-3120]; remote DoS via LDAP for authenticated attackers [CVE-2016-3119]; prevent requires_preauth bypass [CVE-2015-2694] |
| libdatetime-timezone-perl | Update included data |
| libdbi | Re-enable error handler call in dbi_result_next_row() |
| libembperl-perl | Change hard dependency on mod_perl in zembperl.load to Recommends, fixing an installation failure when libapache2-mod-perl2 is not installed |
| libio-socket-ssl-perl | Fix segfault using malformed client certificates |
| liblouis | Fix multiple stack-based buffer overflows [CVE-2014-8184] |
| libofx | Security fixes [CVE-2017-2816 CVE-2017-14731] |
| libwnckmm | Tighten dependencies between packages; use jquery.js from libjs-jquery |
| libwpd | Security fix [CVE-2017-14226] |
| libx11 | Fix insufficient validation of data from the X server that can cause an out-of-bounds memory read (XGetImage()) or write (XListFonts()) [CVE-2016-7942 CVE-2016-7943] |
| libxfixes | Fix integer overflow on illegal server response [CVE-2016-7944] |
| libxi | Fix insufficient validation of data from the X server that can cause out-of-bounds memory access or endless loops [CVE-2016-7945 CVE-2016-7946] |
| libxrandr | Avoid out-of-bounds accesses on illegal responses [CVE-2016-7947 CVE-2016-7948] |
| libxtst | Fix insufficient validation of data from the X server that can cause out-of-bounds memory access or endless loops [CVE-2016-7951 CVE-2016-7952] |
| libxv | Fix protocol handling issues in libXv [CVE-2016-5407] |
| libxvmc | Avoid buffer underflow on empty strings [CVE-2016-7953] |
| linux | New stable kernel version 3.16.51 |
| ncurses | Fix various crash bugs in the tic library and the tic binary [CVE-2017-10684 CVE-2017-10685 CVE-2017-11112 CVE-2017-11113 CVE-2017-13728 CVE-2017-13729 CVE-2017-13730 CVE-2017-13731 CVE-2017-13732 CVE-2017-13734 CVE-2017-13733] |
| openssh | Test configuration before starting or reloading sshd under systemd; make "--" before the hostname terminate argument processing after the hostname too |
| pdns | Add missing check on API operations [CVE-2017-15091] |
| pdns-recursor | Fix configuration file injection in the API [CVE-2017-15093] |
| postgresql-9.4 | New upstream bugfix release |
| python-tablib | Securely load YAML [CVE-2017-2810] |
| request-tracker4 | Fix regression in previous security release where incorrect SHA256 passwords could trigger an error |
| ruby-ox | Avoid crash with invalid XML passed to Ox.parse_obj() [CVE-2017-15928] |
| sam2p | Fix several integer overflow or heap-based buffer overflow issues [CVE-2017-14628 CVE-2017-14629 CVE-2017-14630 CVE-2017-14631 CVE-2017-14636 CVE-2017-14637 CVE-2017-16663] |
| slurm-llnl | Fix security issue caused by insecure file path handling triggered by the failure of a Prolog script [CVE-2016-10030] |
| sudo | Fix arbitrary terminal access [CVE-2017-1000368] |
| syslinux | Fix boot problem for old BIOS firmware by correcting C/H/S order |
| tor | Add Bastet directory authority; update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2 country database; fix a memset() off the end of an array when packing cells |
| transfig | Add input sanitisation on FIG files [CVE-2017-16899]; sanitize input of fill patterns |
| tzdata | New upstream release |
| unbound | Fix install of trust anchor when two anchors are present; include root trust anchor id 20326 |
| weechat | logger: call strftime before replacing buffer local variables [CVE-2017-14727] |

Security Updates

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:

| Advisory ID | Package |
|---|---|
| DSA-3904 | bind9 |
| DSA-3908 | nginx |
| DSA-3909 | samba |
| DSA-3913 | apache2 |
| DSA-3914 | imagemagick |
| DSA-3916 | atril |
| DSA-3917 | catdoc |
| DSA-3921 | enigmail |
| DSA-3922 | mysql-5.5 |
| DSA-3924 | varnish |
| DSA-3928 | firefox-esr |
| DSA-3929 | libsoup2.4 |
| DSA-3930 | freeradius |
| DSA-3932 | subversion |
| DSA-3933 | pjproject |
| DSA-3934 | git |
| DSA-3935 | postgresql-9.4 |
| DSA-3937 | zabbix |
| DSA-3938 | libgd2 |
| DSA-3939 | botan1.10 |
| DSA-3940 | cvs |
| DSA-3942 | supervisor |
| DSA-3943 | gajim |
| DSA-3945 | linux |
| DSA-3946 | libmspack |
| DSA-3947 | newsbeuter |
| DSA-3948 | ioquake3 |
| DSA-3949 | augeas |
| DSA-3950 | libraw |
| DSA-3951 | smb4k |
| DSA-3952 | libxml2 |
| DSA-3956 | connman |
| DSA-3958 | fontforge |
| DSA-3960 | gnupg |
| DSA-3961 | libgd2 |
| DSA-3962 | strongswan |
| DSA-3963 | mercurial |
| DSA-3964 | asterisk |
| DSA-3969 | xen |
| DSA-3970 | emacs24 |
| DSA-3971 | tcpdump |
| DSA-3972 | bluez |
| DSA-3973 | wordpress-shibboleth |
| DSA-3974 | tomcat8 |
| DSA-3976 | freexl |
| DSA-3977 | newsbeuter |
| DSA-3978 | gdk-pixbuf |
| DSA-3979 | pyjwt |
| DSA-3980 | apache2 |
| DSA-3981 | linux |
| DSA-3982 | perl |
| DSA-3983 | samba |
| DSA-3984 | git |
| DSA-3986 | ghostscript |
| DSA-3987 | firefox-esr |
| DSA-3988 | libidn2-0 |
| DSA-3989 | dnsmasq |
| DSA-3990 | asterisk |
| DSA-3992 | curl |
| DSA-3995 | libxfont |
| DSA-3997 | wordpress |
| DSA-3998 | nss |
| DSA-3999 | wpa |
| DSA-4000 | xorg-server |
| DSA-4002 | mysql-5.5 |
| DSA-4004 | jackson-databind |
| DSA-4006 | mupdf |
| DSA-4007 | curl |
| DSA-4008 | wget |
| DSA-4011 | quagga |
| DSA-4012 | libav |
| DSA-4013 | openjpeg2 |
| DSA-4016 | irssi |
| DSA-4018 | openssl |
| DSA-4021 | otrs2 |
| DSA-4022 | libreoffice |
| DSA-4025 | libpam4j |
| DSA-4026 | bchunk |
| DSA-4027 | postgresql-9.4 |
| DSA-4029 | postgresql-common |
| DSA-4033 | konversation |
| DSA-4035 | firefox-esr |
| DSA-4037 | jackson-databind |
| DSA-4038 | shibboleth-sp2 |
| DSA-4039 | opensaml2 |
| DSA-4040 | imagemagick |
| DSA-4041 | procmail |
| DSA-4042 | libxml-libxml-perl |
| DSA-4043 | samba |
| DSA-4045 | vlc |
| DSA-4046 | libspring-ldap-java |
| DSA-4047 | otrs2 |
| DSA-4051 | curl |
| DSA-4052 | bzr |
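Both advisory tables above (the Stretch one and this Jessie one) are keyed by source package name, so the practical first question for an administrator is which of those advisories concern software actually installed on a given host. The following POSIX shell script is an added example, not part of the Debian announcement: the advisory table and the installed-package list embedded in it are constructed samples (a subset of the lists above), and the only assumption about a real system is that dpkg-query's source:Package format field yields the source package name for each installed binary package.

```sh
#!/bin/sh
# Added example: match a DSA list against the source packages installed on a host.

# Constructed subset of the advisory tables above, one "DSA-NNNN source-package" per line.
DSA_TABLE='DSA-3989 dnsmasq
DSA-3992 curl
DSA-4007 curl
DSA-4017 openssl1.0
DSA-4018 openssl
DSA-4043 samba
DSA-4053 exim4'

# Constructed stand-in for what `dpkg-query -W -f='${source:Package}\n' | sort -u`
# prints on a real host. These are SOURCE package names: the binary package
# libcurl3 appears here as "curl", exim4-daemon-light as "exim4", and so on.
INSTALLED_SAMPLE='bash
curl
exim4
openssl
samba'

# affected_advisories TABLE INSTALLED
#   Print every "DSA-NNNN package" line of TABLE whose package occurs as a whole
#   line in INSTALLED. grep -xF makes the comparison literal and exact, so
#   "openssl" does not match "openssl1.0" and dots in names are not wildcards.
#   Exit status is 0 if at least one advisory matched, 1 otherwise.
affected_advisories() {
  table=$1
  installed=$2
  printf '%s\n' "$table" | while read -r dsa pkg; do
    [ -n "$pkg" ] || continue
    if printf '%s\n' "$installed" | grep -qxF -- "$pkg"; then
      printf '%s %s\n' "$dsa" "$pkg"
    fi
  done | grep .
}

# affected_count TABLE INSTALLED: number of matching advisories (0 when none).
affected_count() {
  affected_advisories "$1" "$2" | wc -l | tr -d ' '
}

# check_host: use the live package database when dpkg-query is available,
# otherwise fall back to the constructed sample so the script runs anywhere.
check_host() {
  if command -v dpkg-query >/dev/null 2>&1; then
    installed=$(dpkg-query -W -f='${source:Package}\n' | sort -u)
  else
    installed=$INSTALLED_SAMPLE
  fi
  affected_advisories "$DSA_TABLE" "$installed"
}

# Sample run against the constructed data (prints the five matching advisories).
affected_advisories "$DSA_TABLE" "$INSTALLED_SAMPLE"
```

A match only says that the source package is present, not that the fixed version is installed; for that, compare the installed version against the one named in the advisory, or use a tool such as debsecan. The sample also shows why matching must be exact: DSA-4017 (openssl1.0) and DSA-4018 (openssl) are different source packages, and only the latter is in the sample list.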

Removed packages

The following packages were removed due to circumstances beyond our control:

| Package | Reason |
|---|---|
| libnet-ping-external-perl | Unmaintained, security issues |
| aiccu | Useless since shutdown of SixXS |

Source: https://www.debian.org/News/2017/20171209
