diff options
author | Donald Norwood <donald@debian.org> | 2019-09-07 12:20:05 -0400 |
---|---|---|
committer | Donald Norwood <donald@debian.org> | 2019-09-07 12:20:05 -0400 |
commit | e4ed70c64d6201a5e78c3cd6c3dc0de000e2eb9d (patch) | |
tree | 5d421c087b16e7f6dc22b1a7ec045cf93eda2dd0 /english/News | |
parent | 402d50ce47bc20bacbe089dc02cfe7154385569d (diff) |
Release point announcements for 10.1 and 9.10
Diffstat (limited to 'english/News')
-rw-r--r-- | english/News/2019/20190907_2.wml | 277 |
1 files changed, 277 insertions, 0 deletions
diff --git a/english/News/2019/20190907_2.wml b/english/News/2019/20190907_2.wml new file mode 100644 index 00000000000..a6864b2b051 --- /dev/null +++ b/english/News/2019/20190907_2.wml @@ -0,0 +1,277 @@ +<define-tag pagetitle>Updated Debian 9: 9.10 released</define-tag> +<define-tag release_date>2019-09-07</define-tag> +#use wml::debian::news +# $Id: + +<define-tag release>9</define-tag> +<define-tag codename>stretch</define-tag> +<define-tag revision>9.10</define-tag> + +<define-tag dsa> + <tr><td align="center"><a href="$(HOME)/security/%0/dsa-%1">DSA-%1</a></td> + <td align="center"><: + my @p = (); + for my $p (split (/,\s*/, "%2")) { + push (@p, sprintf ('<a href="https://packages.debian.org/src:%s">%s</a>', $p, $p)); + } + print join (", ", @p); +:></td></tr> +</define-tag> + +<define-tag correction> + <tr><td><a href="https://packages.debian.org/src:%0">%0</a></td> <td>%1</td></tr> +</define-tag> + +<define-tag srcpkg><a href="https://packages.debian.org/src:%0">%0</a></define-tag> + +<p>The Debian project is pleased to announce the tenth update of its +oldstable distribution Debian <release> (codename <q><codename></q>). +This point release mainly adds corrections for security issues, +along with a few adjustments for serious problems. Security advisories +have already been published separately and are referenced where available.</p> + +<p>Please note that the point release does not constitute a new version of Debian +<release> but only updates some of the packages included. There is +no need to throw away old <q><codename></q> media. After installation, +packages can be upgraded to the current versions using an up-to-date Debian +mirror.</p> + +<p>Those who frequently install updates from security.debian.org won't have +to update many packages, and most such updates are +included in the point release.</p> + +<p>New installation images will be available soon at the regular locations.</p> + +<p>Upgrading an existing installation to this revision can be achieved by +pointing the package management system at one of Debian's many HTTP mirrors. +A comprehensive list of mirrors is available at:</p> + +<div class="center"> + <a href="$(HOME)/mirror/list">https://www.debian.org/mirror/list</a> +</div> + + +<h2>Miscellaneous Bugfixes</h2> + +<p>This oldstable update adds a few important corrections to the following packages:</p> + +<table border=0> +<tr><th>Package</th> <th>Reason</th></tr> +<correction base-files "Update for the point release; add VERSION_CODENAME to os-release"> +<correction basez "Properly decode base64url encoded strings"> +<correction biomaj-watcher "Fix upgrades from jessie to stretch"> +<correction c-icap-modules "Add support for clamav 0.101.1"> +<correction chaosreader "Add missing dependency on libnet-dns-perl"> +<correction clamav "New upstream stable release: add scan time limit to mitigate against zip-bombs [CVE-2019-12625]; fix out-of-bounds write within the NSIS bzip2 library [CVE-2019-12900]"> +<correction corekeeper "Do not use a world-writable /var/crash with the dumper script; handle older versions of the Linux kernel in a safer way; do not truncate core names for executables with spaces"> +<correction cups "Fix multiple security/disclosure issues - SNMP buffer overflows [CVE-2019-8696 CVE-2019-8675], IPP buffer overflow, Denial of Service and memory disclosure issues in the scheduler"> +<correction dansguardian "Add support for clamav 0.101"> +<correction dar "Rebuild to update <q>built-using</q> packages"> +<correction debian-archive-keyring "Add buster keys; remove wheezy keys"> +<correction fence-agents "Fix denial of service issue [CVE-2019-10153]"> +<correction fig2dev "Do not segfault on circle/half circle arrowheads with a magnification larger than 42 [CVE-2019-14275]"> +<correction fribidi "Fix right-to-left output in debian-installer text mode"> +<correction fusiondirectory "Stricter checks on LDAP lookups; add missing dependency on php-xml"> +<correction gettext "Stop xgettext() from crashing when run with --its=FILE option"> +<correction glib2.0 "Create directory and file with restrictive permissions when using the GKeyfileSettingsBackend [CVE-2019-13012]; avoid buffer read overrun when formatting error messages for invalid UTF-8 in GMarkup [CVE-2018-16429]; avoid NULL dereference when parsing invalid GMarkup with a malformed closing tag not paired with an opening tag [CVE-2018-16429]"> +<correction gocode "gocode-auto-complete-el: Make pre-dependency on auto-complete-el versioned to fix upgrades from jessie to stretch"> +<correction groonga "Mitigate privilege escalation by changing the owner and group of logs with <q>su</q> option"> +<correction grub2 "Fixes for Xen UEFI support"> +<correction gsoap "Fix denial of service issue if a server application is built with the -DWITH_COOKIES flag [CVE-2019-7659]; fix issue with DIME protocol receiver and malformed DIME headers"> +<correction gthumb "Fix double-free bug [CVE-2018-18718]"> +<correction havp "Add support for clamav 0.101.1"> +<correction icu "Fix segfault in pkgdata command"> +<correction koji "Fix SQL injection issue [CVE-2018-1002161]; properly validate SCM paths [CVE-2017-1002153]"> +<correction lemonldap-ng "Fix cross-domain authentication regression; fix XML external entity vulnerability"> +<correction libcaca "Fix integer overflow issues [CVE-2018-20545 CVE-2018-20546 CVE-2018-20547 CVE-2018-20548 CVE-2018-20549]"> +<correction libclamunrar "New upstream stable release"> +<correction libconvert-units-perl "No-change rebuild with fixed version number"> +<correction libdatetime-timezone-perl "Update included data"> +<correction libebml "Apply upstream fixes for heap-based buffer over-reads"> +<correction libevent-rpc-perl "Fix build failure due to expired test SSL certificates"> +<correction libgd2 "Fix uninitialized read in gdImageCreateFromXbm [CVE-2019-11038]"> +<correction libgovirt "Re-generate test certificates with expiration date far in the future to avoid test failures"> +<correction librecad "Fix denial of service via crafted file [CVE-2018-19105]"> +<correction libsdl2-image "Fix multiple security issues"> +<correction libthrift-java "Fix bypass of SASL negotiation [CVE-2018-1320]"> +<correction libtk-img "Stop using internal copies of JPEG, Zlib and PixarLog codecs, fixing crashes"> +<correction libu2f-host "Fix stack memory leak [CVE-2019-9578]"> +<correction libxslt "Fix security framework bypass [CVE-2019-11068]; fix uninitialized read of xsl:number token [CVE-2019-13117]; fix uninitialized read with UTF-8 grouping chars [CVE-2019-13118]"> +<correction linux "New upstream version with ABI bump; security fixes [CVE-2015-8553 CVE-2017-5967 CVE-2018-20509 CVE-2018-20510 CVE-2018-20836 CVE-2018-5995 CVE-2019-11487 CVE-2019-3882]"> +<correction linux-latest "Update for 4.9.0-11 kernel ABI"> +<correction liquidsoap "Fix compilation with Ocaml 4.02"> +<correction llvm-toolchain-7 "New package to support building new Firefox versions"> +<correction mariadb-10.1 "New upstream stable release; security fixes [CVE-2019-2737 CVE-2019-2739 CVE-2019-2740 CVE-2019-2805 CVE-2019-2627 CVE-2019-2614]"> +<correction minissdpd "Prevent a use-after-free vulnerability that would allow a remote attacker to crash the process [CVE-2019-12106]"> +<correction miniupnpd "Fix denial of service issues [CVE-2019-12108 CVE-2019-12109 CVE-2019-12110]; fix information leak [CVE-2019-12107]"> +<correction mitmproxy "Blacklist tests that require Internet access; prevent insertion of unwanted upper-bound versioned dependencies"> +<correction monkeysphere "Fix build failure by updating the tests to accommodate an updated GnuPG in stretch now producing a different output"> +<correction nasm-mozilla "New package to support building new Firefox versions"> +<correction ncbi-tools6 "Repackage without non-free data/UniVec.*"> +<correction node-growl "Sanitize input before passing it to exec"> +<correction node-ws "Restrict upload size [CVE-2016-10542]"> +<correction open-vm-tools "Fix possible security issue with the permissions of the intermediate staging directory and path"> +<correction openldap "Restrict rootDN proxyauthz to its own databases [CVE-2019-13057]; enforce sasl_ssf ACL statement on every connection [CVE-2019-13565]; fix slapo-rwm to not free original filter when rewritten filter is invalid"> +<correction openssh "Fix deadlock in key matching"> +<correction passwordsafe "Don't install localization files under an extra subdirectory"> +<correction pound "Fix request smuggling via crafted headers [CVE-2016-10711]"> +<correction prelink "Rebuild to update <q>built-using</q> packages"> +<correction python-clamav "Add support for clamav 0.101.1"> +<correction reportbug "Update release names, following buster release"> +<correction resiprocate "Resolve an installation issue with libssl-dev and --install-recommends"> +<correction sash "Rebuild to update <q>built-using</q> packages"> +<correction sdl-image1.2 "Fix buffer overflows [CVE-2018-3977 CVE-2019-5058 CVE-2019-5052], out-of-bounds access [CVE-2019-12216 CVE-2019-12217 CVE-2019-12218 CVE-2019-12219 CVE-2019-12220 CVE-2019-12221 CVE-2019-12222 CVE-2019-5051]"> +<correction signing-party "Fix unsafe shell call enabling shell injection via a User ID [CVE-2019-11627]"> +<correction slurm-llnl "Fix potential heap overflow on 32-bit systems [CVE-2019-6438]"> +<correction sox "Fix several security issues [CVE-2019-8354 CVE-2019-8355 CVE-2019-8356 CVE-2019-8357 927906 CVE-2019-1010004 CVE-2017-18189 881121 CVE-2017-15642 882144 CVE-2017-15372 878808 CVE-2017-15371 878809 CVE-2017-15370 878810 CVE-2017-11359 CVE-2017-11358 CVE-2017-11332"> +<correction systemd "Do not stop ndisc client in case of configuration error"> +<correction t-digest "No-change rebuild to avoid re-use of pre-epoch version 3.0-1"> +<correction tenshi "Fix PID file issue that allows local users to kill arbitrary processes [CVE-2017-11746]"> +<correction tzdata "New upstream release"> +<correction unzip "Fix incorrect parsing of 64-bit values in fileio.c; fix zip-bomb issues [CVE-2019-13232]"> +<correction usbutils "Update USB ID list"> +<correction xymon "Fix several (server only) security issues [CVE-2019-13273 CVE-2019-13274 CVE-2019-13451 CVE-2019-13452 CVE-2019-13455 CVE-2019-13484 CVE-2019-13485 CVE-2019-13486]"> +<correction yubico-piv-tool "Fix security issues [CVE-2018-14779 CVE-2018-14780]"> +<correction z3 "Do not set the SONAME of libz3java.so to libz3.so.4"> +<correction zfs-auto-snapshot "Make cron jobs exit silently after package removal"> +<correction zsh "Rebuild to update <q>built-using</q> packages"> +</table> + + +<h2>Security Updates</h2> + + +<p>This revision adds the following security updates to the oldstable release. +The Security Team has already released an advisory for each of these +updates:</p> + +<table border=0> +<tr><th>Advisory ID</th> <th>Package</th></tr> +<dsa 2019 4435 libpng1.6> +<dsa 2019 4436 imagemagick> +<dsa 2019 4437 gst-plugins-base1.0> +<dsa 2019 4438 atftp> +<dsa 2019 4439 postgresql-9.6> +<dsa 2019 4440 bind9> +<dsa 2019 4441 symfony> +<dsa 2019 4442 cups-filters> +<dsa 2019 4442 ghostscript> +<dsa 2019 4443 samba> +<dsa 2019 4444 linux> +<dsa 2019 4445 drupal7> +<dsa 2019 4446 lemonldap-ng> +<dsa 2019 4447 intel-microcode> +<dsa 2019 4448 firefox-esr> +<dsa 2019 4449 ffmpeg> +<dsa 2019 4450 wpa> +<dsa 2019 4451 thunderbird> +<dsa 2019 4452 jackson-databind> +<dsa 2019 4453 openjdk-8> +<dsa 2019 4454 qemu> +<dsa 2019 4455 heimdal> +<dsa 2019 4456 exim4> +<dsa 2019 4457 evolution> +<dsa 2019 4458 cyrus-imapd> +<dsa 2019 4459 vlc> +<dsa 2019 4460 mediawiki> +<dsa 2019 4461 zookeeper> +<dsa 2019 4462 dbus> +<dsa 2019 4463 znc> +<dsa 2019 4464 thunderbird> +<dsa 2019 4465 linux> +<dsa 2019 4466 firefox-esr> +<dsa 2019 4467 vim> +<dsa 2019 4468 php-horde-form> +<dsa 2019 4469 libvirt> +<dsa 2019 4470 pdns> +<dsa 2019 4471 thunderbird> +<dsa 2019 4472 expat> +<dsa 2019 4473 rdesktop> +<dsa 2019 4475 openssl> +<dsa 2019 4475 openssl1.0> +<dsa 2019 4476 python-django> +<dsa 2019 4477 zeromq3> +<dsa 2019 4478 dosbox> +<dsa 2019 4480 redis> +<dsa 2019 4481 ruby-mini-magick> +<dsa 2019 4482 thunderbird> +<dsa 2019 4483 libreoffice> +<dsa 2019 4485 openjdk-8> +<dsa 2019 4487 neovim> +<dsa 2019 4488 exim4> +<dsa 2019 4489 patch> +<dsa 2019 4490 subversion> +<dsa 2019 4491 proftpd-dfsg> +<dsa 2019 4492 postgresql-9.6> +<dsa 2019 4494 kconfig> +<dsa 2019 4498 python-django> +<dsa 2019 4499 ghostscript> +<dsa 2019 4501 libreoffice> +<dsa 2019 4504 vlc> +<dsa 2019 4505 nginx> +<dsa 2019 4506 qemu> +<dsa 2019 4509 apache2> +<dsa 2019 4510 dovecot> +</table> + + +<h2>Removed packages</h2> + +<p>The following packages were removed due to circumstances beyond our control:</p> + +<table border=0> +<tr><th>Package</th> <th>Reason</th></tr> +<correction pump "Unmaintained; security issues"> +<correction teeworlds "Security issues; incompatible with current servers"> + +</table> + +<h2>Debian Installer</h2> +<p>The installer has been updated to include the fixes incorporated +into oldstable by the point release.</p> + +<h2>URLs</h2> + +<p>The complete lists of packages that have changed with this revision:</p> + +<div class="center"> + <url "http://ftp.debian.org/debian/dists/<downcase <codename>>/ChangeLog"> +</div> + +<p>The current oldstable distribution:</p> + +<div class="center"> + <url "http://ftp.debian.org/debian/dists/oldstable/"> +</div> + +<p>Proposed updates to the oldstable distribution:</p> + +<div class="center"> + <url "http://ftp.debian.org/debian/dists/oldstable-proposed-updates"> +</div> + +<p>oldstable distribution information (release notes, errata etc.):</p> + +<div class="center"> + <a + href="$(HOME)/releases/oldstable/">https://www.debian.org/releases/oldstable/</a> +</div> + +<p>Security announcements and information:</p> + +<div class="center"> + <a href="$(HOME)/security/">https://www.debian.org/security/</a> +</div> + +<h2>About Debian</h2> + +<p>The Debian Project is an association of Free Software developers who +volunteer their time and effort in order to produce the completely +free operating system Debian.</p> + +<h2>Contact Information</h2> + +<p>For further information, please visit the Debian web pages at +<a href="$(HOME)/">https://www.debian.org/</a>, send mail to +<press@debian.org>, or contact the stable release team at +<debian-release@lists.debian.org>.</p> |