-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 107-1       https://www.debian.org/
[email protected]                                       Adam D. Barratt
September 13th, 2016
- -------------------------------------------------------------------------
Upcoming Debian 8 Update (8.6)

An update to Debian 8 is scheduled for Saturday, September 17th, 2016.
As of now it will include the following bug fixes. They can be found in
"jessie-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "jessie-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of
them by copying "[email protected]" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bugfixes
- ----------------------

This stable update adds a few important corrections to the following
packages:

Package                      Reason
adblock-plus                 New upstream release, compatible with firefox-esr
apache2                      Fix race condition and logical error in init
                             script; remove links to manpages.debian.org in
                             default index.html; mod_socache_memcache:
                             Increase idle timeout to 15s to allow keep-alive
                             connections; mod_proxy_fcgi: Fix wrong behaviour
                             with 304 responses; correct
                             systemd-sysv-generator behaviour; mod_proxy_html:
                             Add missing config file
                             mods-available/proxy_html.conf
audiofile                    Fix buffer overflow when changing both sample
                             format and number of channels [CVE-2015-7747]
automake-1.14                Avoid insecure use of /tmp/ in install-sh
backintime                   Add missing dependency on python-dbus
backuppc                     Fix regressions from samba update to 4.2
base-files                   Update for the point release
biber                        Fix breakage triggered by point release update
                             of perl
cacti                        Fix SQL injection in tree.php [CVE-2016-3172]
                             and graph_view.php [CVE-2016-3659]; fix
                             authentication bypass [CVE-2016-2313]; fix
                             regression in the fix for CVE-2016-2313 that
                             broke guest user logins
ccache                       Upstream bug-fix release
clamav                       Don't fail if AllowSupplementaryGroups is still
                             set in the config file
cmake                        Fix FindOpenSSL module to detect OpenSSL 1.0.1t
conkeror                     Support Firefox 44 and later
debian-edu-config            Move from Iceweasel to Firefox ESR; adjust
                             ldap-tools/ldap-debian-edu-install to be
                             compliant with systemd now that unit
                             samba.service is masked;
                             dhclient-exit-hooks.d/hostname: adjust for the
                             case of a dedicated LTSP server; adjust
                             cf.krb5client to ensure that cfengine runs are
                             idempotent; move code to cleanup
                             /usr/share/pam-configs/krb5 diversion from
                             postinst to preinst to ease upgrades from old
                             wheezy installations; don't purge libnss-mdns
                             as cups now needs mdns for automatic printer
                             detection
debian-edu-doc               Update Debian Edu Jessie and Wheezy manuals
                             from the wiki
debian-security-support      Update included support data; add support for
                             marking packages as losing support at a future
                             date
dietlibc                     Fix insecure default PATH
dwarfutils                   Security fixes [CVE-2015-8538 CVE-2015-8750
                             CVE-2016-2050 CVE-2016-2091 CVE-2016-5034
                             CVE-2016-5036 CVE-2016-5038 CVE-2016-5039
                             CVE-2016-5042]
e2fsprogs                    Disable prompts for time skew which is fudged in
                             e2fsck; fix potential corruption of Hurd file
                             systems by e2fsck, pointer bugs that could cause
                             crashes in e2fsck and resize2fs
exim4                        Fix cutthrough bug with body lines having a
                             single dot; fix crash on "exim -be '${if
                             crypteq{xxx}{\$aaa}{yes}{no}}'"; improve NEWS
                             file; backport missing upstream patch to
                             actually make $initial_cwd expansion work
file                         Fix buffer over-write in finfo_open with
                             malformed magic file [CVE-2015-8865]
firegestures                 New upstream release, compatible with firefox-esr
flashplugin-nonfree          update-flashplugin-nonfree: Delete old
                             get-upstream-version.pl from cache
fusionforge                  Remove dependency on Mediawiki plugin from
                             fusionforge-full metapackage
glibc                        Fix assertion failure with unconnectable name
                             server addresses (regression introduced by
                             CVE-2015-7547 fix); fix *context functions on
                             s390x; fix a buffer overflow in the glob
                             function [CVE-2016-1234], a stack overflow in
                             nss_dns_getnetbyname_r [CVE-2016-3075], a stack
                             overflow in getaddrinfo function
                             [CVE-2016-3706], a stack overflow in Sun RPC
                             clntudp_call() [CVE-2016-4429]; update from
                             upstream stable branch; fix open and openat
                             functions with O_TMPFILE; fix backtrace hang on
                             armel/armhf, possibly causing a minor
                             denial-of-service vulnerability
                             [CVE-2016-6323]; fix mtr on systems using only
                             IPv6 nameservers
gnome-maps                   New upstream release; use the Mapbox tile
                             server, instead of the no longer supported
                             MapQuest server
gnome-sudoku                 Don't generate the same puzzle sequence every
                             time
gnupg                        gpgv: Tweak default options for extra security;
                             g10: Fix checking key for signature validation
gnupg2                       gpgv: Tweak default options for extra security;
                             g10: Fix checking key for signature validation
greasemonkey                 New upstream release, compatible with firefox-esr
intel-microcode              New upstream release
jakarta-jmeter               Really install the templates; fix an error with
                             libxstream-java >= 1.4.9 when loading the
                             templates
javatools                    Return correct architecture string for ppc64el
                             in java-arch.sh
kamailio                     Fix libssl version check
libbusiness-creditcard-perl  Adjust to changes in credit card ranges and
                             processing of various companies
libcss-dom-perl              Work around Encode changes included in perl and
                             libencode-perl stable updates
libdatetime-timezone-perl    Update included data to 2016e
libdevel-declare-perl        Fix breakage caused by change in perl stable
                             update
libnet-ssleay-perl           Fix build failure with openssl 1.0.1t-1+deb8u1
libquota-perl                Adapt platform detection to work with Linux 4.x
libtool                      Fix multi-arch co-installability [amd64 i386]
libxml2                      Fix a problem unparsing URIs without a host part
                             like qemu:///system; this unbreaks libvirt,
                             libsys-virt-perl and others
linux                        New upstream stable release
lxc                          Make sure stretch/sid containers have an init
                             system, after init 1.34 dropped the `Essential:
                             yes` header
mozilla-noscript             New upstream release, compatible with firefox-esr
nullmailer                   Do not keep relayhost data in debconf database
                             longer than strictly needed
open-iscsi                   Init script: wait a bit after iSCSI devices have
                             appeared, working around a race condition in
                             which dependent devices can appear only after
                             the initial udev settle has returned;
                             open-iscsi-udeb: update initramfs after copying
                             configuration to target system
openssl                      Fix length check for CRLs; enable asm
                             optimisation for s390x
ovirt-guest-agent            Install ovirt-guest-agent.py executable; change
                             owner of log directory to ovirtagent in postinst
piuparts                     Fix build failure (don't test the current Debian
                             release status, tracking that is
                             distro-info-data's problem)
policykit-1                  several bug-fixes; fix heap corruption
                             [CVE-2015-3255], local authenticated denial of
                             service [CVE-2015-4625] and issue with invalid
                             object paths in RegisterAuthenticationAgent
                             [CVE-2015-3218]
publicsuffix                 New upstream release
pypdf2                       Fix infinite loop in readObject() function
python-django                Bugfix update to 1.7.11
python2.7                    Address StartTLS stripping attack in smtplib
                             [CVE-2016-0772], integer overflow in zipimporter
                             [CVE-2016-5636], HTTP header injection
                             [CVE-2016-5699]
quassel                      Fix remote DoS in quassel core with invalid
                             handshake data [CVE-2016-4414]
ruby-eventmachine            Fix remotely triggerable crash due to FD
                             handling
ruby2.1                      DL::dlopen should not open a library with
                             tainted library name in safe mode
                             [CVE-2009-5147]; Fiddle handles should not call
                             functions with tainted function names
                             [CVE-2015-7551]
sendmail                     Do not abort with an assertion if the connection
                             to an LDAP server is lost; ensure sendmail
                             {client_port} is set correctly on little endian
                             machines
sqlite3                      Fix tempdir selection vulnerability
                             [CVE-2016-6153], segfault following heavy
                             SAVEPOINT usage
systemd                      Use the right timeout for stop processes we
                             fork; don't reset log level to NOTICE if we get
                             quiet on the kernel cmdline; fix prepare
                             priority queue comparison function in sd-event;
                             update links to kernel.org cgroup documentation;
                             don't start console-getty.service when
                             /dev/console is missing; order
                             systemd-user-sessions.service after
                             nss-user-lookup.target and network.target
tabmixplus                   New upstream release, compatible with firefox-esr
tcpreplay                    Handle frames of 65535 octets size, add a size
                             check [CVE-2016-6160]
tor                          Update the set of authority directory servers
tzdata                       New upstream release; update to 2016e
unbound                      Init script fixes: add "pidfile" magic comment;
                             call start-stop-daemon with --retry for 'stop'
                             action
util-vserver                 Rebuild against dietlibc
                             0.33~cvs20120325-6+deb8u1, fixing insecure
                             default PATH
vorbis-tools                 Fix large alloca on bad AIFF input to oggenc
                             [CVE-2015-6749], Validate count of channels in
                             the header [CVE-2014-9638 CVE-2014-9639], fix
                             segmentation fault in vcut
wget                         By default, on server redirects to a FTP
                             resource, use the original URL to get the local
                             file name [CVE-2016-4971]
wpa                          Security updates relating to invalid characters
                             [CVE-2016-4476, CVE-2016-4477]
yaws                         Fix HTTP_PROXY cgi env injection
                             [CVE-2016-1000108]
zabbix                       Fix mysql.size shell command injection in
                             zabbix-agent [CVE-2016-4338]

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/stable.html>

Removed packages
- ----------------

The following packages will be removed due to circumstances beyond our
control:

Package                      Reason
minit                        Unmaintained and outdated
trn                          Security issues; replaced by trn4

If you encounter any issues, please don't hesitate to get in touch with
the Debian Release Team at "[email protected]".

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJX2C5NAAoJEJ2wI1VW+M+tz74QAIf+bKj1MAIepYDiRaOjQpC2
Zffo7KCdncAjoeCjPoiv5/DBeMkrWd39uOl1TNmle2seqamYjaI/ARHHZxX13ibL
dwAWFKOZAxDEIEHcOvroLsu0dCjfuVHVB3mPSpSkV1/gLJ4vi6FecmmuKDKty8xb
GhLDBxPWN91E09JqPeeevQQ3f5CAPmDBAITTQeyBNCDTPBoFE80z+Rx2awDBD9GT
+/6gjf7dBKm/ImACpeAeQn1oLBo6bMGVISTluXalNpBqK/pfNbtFgX6oyyWATfcf
XTn7TNcDz74XcbuAe/9xQicEbCxlC31Qyxj0WgN2dbCmwJDZctvcGBGTqKEVH8bj
hI8iTWYBOmCH5euEfY3xo1KgA8/2KQHnUq5Li2egTislRRjwkXQFB4hMy9NO2VkG
WqS1HTUJvd3FOOVK5Hc87o3Vmit1j6vfVLJHi5hYIYkSA5GqthRsKpvYpPn2u86m
ghCPdWPut5Pdby2vuYYc0LKJufwkRxjMjyVxKP7mlHaUGQwojzOm5F8UtVyB2S0C
xNNcciQovTfbMeUZxzoGdbkhKa3GM/g4SwpMWau+lRt3ZWunaqTj3xYJUBQUGdu/
CjOfqVixr+/Ndq35paWf4c4KwRPiqWY/x9DP3vg6D1P4Q+ZyXHxg098/cfXX11yo
/rfY07WBFiF6qKQC14Ut
=l+5d
-----END PGP SIGNATURE-----
