The Debian project has updated its Debian releases Jessie (8.10) and Stretch (9.3), closing more than 60 security vulnerabilities and applying various bug fixes.
Debian Stretch 9.3 Release
Package | Reason |
---|---|
abiword | Fix flickering |
base-files | Update for the point release |
berusky | Fix startup crash with certain video card configurations |
charmtimetracker | Fix missing binary dependency on libqt5sql5-sqlite |
corebird | Increase maximum length of tweet to 280 characters |
dbus | When parsing dbus-daemon configuration, don’t delay startup if high-quality entropy is not yet available; when using the Monitoring interface, match message filters that specify a destination correctly; increase listen() backlog of AF_UNIX sockets to the maximum possible, minimizing failed connections under heavy load |
debian-edu-doc | Merge stretch related documentation and translation updates from unstable and the wiki; documentation/common/edu.css.xml: improve HTML manual readability |
debian-installer | Rebuild for the point release |
dehydrated | Update subscriber license agreement URL |
doit | Add Breaks: nikola (<< 7.6.0-1~) to ensure its removal on upgrades from jessie |
eclipse-titan | Rebuild against current stretch GCC |
fig2dev | Add input sanitisation on FIG files [CVE-2017-16899]; sanitize input of fill patterns |
flickcurl | Fix oauth token fetching; prevent double free corruption during authentication |
flightgear | Prevent malicious add-ons from overriding arbitrary files [CVE-2017-13709] |
ganeti | Backport upstream support for non-DSA SSH keys; fix failover from dead nodes when using extstorage; fix instance import/export/move with current socat versions |
gdm3 | Backport several patches to fix XDMCP support |
getmail4 | Fix issue related to malformed fingerprints |
grok | Fix pointer aliasing bug; libgrok-dev: add missing dependencies on libgrok1 and libtokyocabinet-dev |
gunicorn | Drop unnecessary Pre-Depends on dpkg-dev which was causing gunicorn and python-gunicorn to bring in a compiler as a dependency |
icu | Fix double free in createMetazoneMappings() [CVE-2017-14952] |
inn2 | [i386] Rebuild to pick up correct path to gzip binary |
iproute2 | Fix segfault in tc with iptables 1.6 |
jdcal | Fix Python3 dependencies |
kde-gtk-config | Fix preview buttons in KDE-GTK-config UI |
lasi | liblasi-dev: add missing dependencies on libpango1.0-dev and libfreetype6-dev |
libdatetime-timezone-perl | Update included data |
libdbd-firebird-perl | Fix fetching of decimal(x,y) values between -1 and 0 |
libdbi | Re-enable error handler call in dbi_result_next_row() |
liblog-log4perl-perl | Work around Perl 5.24 no longer allowing syswrite and utf8 together |
liblouis | Fix buffer overflow and use-after-free issues [CVE-2017-13738 CVE-2017-13739 CVE-2017-13740 CVE-2017-13741 CVE-2017-13742 CVE-2017-13743 CVE-2017-13744] |
libmpd | libmpd-dev: Add the missing dependency on libglib2.0-dev |
libofx | Security fixes [CVE-2017-2816 CVE-2017-14731] |
libxkbcommon | libxkbcommon-x11-dev: add missing dependency on libxkbcommon-dev |
libxsettings-client | Add missing libxsettings-client-dev -> libxsettings-dev dependency |
linux | xen/time: do not decrease steal time after live migration on xen; new stable kernel version 4.9.65 |
live-config | Configure autologin for KDE / Plasma live images |
lxc | Don’t hardcode list of valid Debian releases, allowing the creation of containers for stable, buster, testing and unstable; don’t insert C.* locales into /etc/locale.gen |
mongodb | Fix segfault/FTBFS on ARM64 with 48-bit virtual addresses, spidermonkey GC segfault when built with GCC 6; mongodb.service: start after network.target |
openssh | Test configuration before starting or reloading sshd under systemd; adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme; make "--" before the hostname terminate argument processing after the hostname too |
pdns | Fix incorrect qname casing in NSEC3 generation; add missing check on API operations [CVE-2017-15091] |
pdns-recursor | Security fixes: insufficient validation of DNSSEC signatures [CVE-2017-15090]; Cross-Site Scripting in the web interface [CVE-2017-15092]; configuration file injection in the API [CVE-2017-15093]; memory leak in DNSSEC parsing [CVE-2017-15094] |
postgresql-9.6 | Upstream bugfix release |
publicsuffix | Update included data |
pyosmium | Upstream bugfix release: handler functions not called when using replication service or when using Reader instead of file |
python-diff-match-patch | Add missing python3 dependency on Python 3 package |
python-inflect | Fix Python 3 dependencies |
python-tablib | Safely load YAML [CVE-2017-2810] |
python2.7 | Fix integer overflow in PyString_DecodeEscape [CVE-2017-1000158]; support all groups in TLS communication |
qtcurve | Fix crashes by using strncmp() instead of memcmp() |
ruby-httparty | Relax dependency version in gem dependency on json |
ruby-ox | Avoid crash with invalid XML passed to Oj.parse_obj() [CVE-2017-15928] |
ruby-pygments.rb | Avoid closing too many files when mentos starts, which can cause build failures in other packages on slower systems |
schroot | Fix bash completion file; add systemd service file with Type=oneshot to avoid timeout issues with too many open sessions |
simutrans | Enable sound for simutrans again. Switch from SDL to mixer_sdl backend |
sitesummary | Adjust nagios kernel version checking module to work with 4.x kernels |
slic3r | Fix missing dependency on perlapi-* |
spamassassin | Disable bb.barracudacentral.org; update the systemd unit file to use the same pid file as was used in the sysvinit script; update systemd unit dependencies to include network and syslog; fix inappropriate invocation of invoke-rc.d in cron script |
sqldeveloper-package | Fix build failure |
sqlite3 | Fix heap-based buffer over-read via undersized RTree blobs [CVE-2017-10989] |
syslinux | Fix btrfs logical to physical block address mapping; fix boot problem for old BIOS firmware by correct C/H/S order; support ext4 64bit feature |
tdbcodbc | Fix bug in ODBC library search |
tor | Add Bastet directory authority; fix a timing-based assertion failure; update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2 country database |
tzdata | New upstream release |
udftools | Fix path to pktsetup in udftools init script |
weechat | logger: call strftime before replacing buffer local variables [CVE-2017-14727] |
xml2 | Fix corruption when dealing with UTF-8 files, usage string for 2csv tool |
xrdp | Fix high CPU load on SSL shutdown |
zsh | Rebuild to pull in updated libraries for zsh-static |
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
libnet-ping-external-perl | Unmaintained, security issues |
Source: https://www.debian.org/News/2017/2017120902
Debian Jessie 8.10 Release
Miscellaneous Bugfixes
This oldstable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
bareos | Fix permissions of bareos-dir logrotate config; fix file corruption when using SHA1 signature |
base-files | Update for the point release |
bind9 | Import upcoming DNSSEC KSK-2017 |
cups | Disable SSLv3 and RC4 by default to address POODLE vulnerability |
db | Do not access DB_CONFIG when db_home is not set [CVE-2017-10140] |
db5.3 | Do not access DB_CONFIG when db_home is not set [CVE-2017-10140] |
debian-installer | Rebuild for the point release |
debian-installer-netboot-images | Rebuild for the point release |
debmirror | Tolerate unknown lines in *.diff/Index; mirror DEP-11 metadata files; prefer xz over gz, and cope with either being missing; mirror and validate InRelease files |
dns-root-data | Update root.hints to 2017072601 version; add KSK-2017 to root.key file |
dput | dput.cf: replace security-master.debian.org with ftp.upload.security.debian.org |
dwww | Fix Last-Modified header name |
elog | Update patch 0005_elogd_CVE-2016-6342_fix to grant access as normal user |
flightgear | Fix arbitrary file overwrite vulnerability [CVE-2017-13709] |
gsoap | Fix integer overflow via large XML document [CVE-2017-9765] |
hexchat | Fix segmentation fault following /server command |
icu | Fix double free in createMetazoneMappings() [CVE-2017-14952] |
kdepim | Fix "Send Later with Delay" bypassing OpenPGP [CVE-2017-9604] |
kedpm | Fix information leak via command history file [CVE-2017-8296] |
keyringer | Handle subkeys without expiration date and public keys listed multiple times |
krb5 | Security fixes: remote authenticated attackers can crash the KDC [CVE-2017-11368]; KDC crash on restrict_anon_to_tgt [CVE-2016-3120]; remote DoS via LDAP for authenticated attackers [CVE-2016-3119]; prevent requires_preauth bypass [CVE-2015-2694] |
libdatetime-timezone-perl | Update included data |
libdbi | Re-enable error handler call in dbi_result_next_row() |
libembperl-perl | Change hard dependency on mod_perl in zembperl.load to Recommends, fixing an installation failure when libapache2-mod-perl2 is not installed |
libio-socket-ssl-perl | Fix segfault using malformed client certificates |
liblouis | Fix multiple stack-based buffer overflows [CVE-2014-8184] |
libofx | Security fixes [CVE-2017-2816 CVE-2017-14731] |
libwnckmm | Tighten dependencies between packages; use jquery.js from libjs-jquery |
libwpd | Security fix [CVE-2017-14226] |
libx11 | Fix insufficient validation of data from the X server that can cause out-of-bounds memory reads (XGetImage()) or writes (XListFonts()) [CVE-2016-7942 CVE-2016-7943] |
libxfixes | Fix integer overflow on illegal server response [CVE-2016-7944] |
libxi | Fix insufficient validation of data from the X server that can cause out-of-bounds memory access or endless loops [CVE-2016-7945 CVE-2016-7946] |
libxrandr | Avoid out of boundary accesses on illegal responses [CVE-2016-7947 CVE-2016-7948] |
libxtst | Fix insufficient validation of data from the X server that can cause out-of-bounds memory access or endless loops [CVE-2016-7951 CVE-2016-7952] |
libxv | Fix protocol handling issues in libXv [CVE-2016-5407] |
libxvmc | Avoid buffer underflow on empty strings [CVE-2016-7953] |
linux | New stable kernel version 3.16.51 |
ncurses | Fix various crash bugs in the tic library and the tic binary [CVE-2017-10684 CVE-2017-10685 CVE-2017-11112 CVE-2017-11113 CVE-2017-13728 CVE-2017-13729 CVE-2017-13730 CVE-2017-13731 CVE-2017-13732 CVE-2017-13734 CVE-2017-13733] |
openssh | Test configuration before starting or reloading sshd under systemd; make "--" before the hostname terminate argument processing after the hostname too |
pdns | Add missing check on API operations [CVE-2017-15091] |
pdns-recursor | Fix configuration file injection in the API [CVE-2017-15093] |
postgresql-9.4 | New upstream bugfix release |
python-tablib | Securely load YAML [CVE-2017-2810] |
request-tracker4 | Fix regression in previous security release where incorrect SHA256 passwords could trigger an error |
ruby-ox | Avoid crash with invalid XML passed to Oj.parse_obj() [CVE-2017-15928] |
sam2p | Fix several integer overflow or heap-based buffer overflow issues [CVE-2017-14628 CVE-2017-14629 CVE-2017-14630 CVE-2017-14631 CVE-2017-14636 CVE-2017-14637 CVE-2017-16663] |
slurm-llnl | Fix security issue caused by insecure file path handling triggered by the failure of a Prolog script [CVE-2016-10030] |
sudo | Fix arbitrary terminal access [CVE-2017-1000368] |
syslinux | Fix boot problem for old BIOS firmware by correcting C/H/S order |
tor | Add Bastet directory authority; update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2 country database; fix a memset() off the end of an array when packing cells |
transfig | Add input sanitisation on FIG files [CVE-2017-16899]; sanitize input of fill patterns |
tzdata | New upstream release |
unbound | Fix install of trust anchor when two anchors are present; include root trust anchor id 20326 |
weechat | logger: call strftime before replacing buffer local variables [CVE-2017-14727] |
Security Updates
This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
libnet-ping-external-perl | Unmaintained, security issues |
aiccu | Useless since shutdown of SixXS |
Source: https://www.debian.org/News/2017/20171209