Please note that packages published through security.debian.org are not listed, but will be included if possible. Some of the updates below are also already available through "stretch-updates".
Testing and feedback would be appreciated. Bugs should be filed in the Debian Bug Tracking System, but please make the Release Team aware of them by copying "debian-release@lists.debian.org" on your mails. The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:
Package                   Reason
-------                   ------
audiofile                 Security issues [CVE-2018-13440 CVE-2018-17095]
base-files                Update for the point release
bwa                       Security fix [CVE-2019-10269]
ca-certificates-java      Fix bashisms in postinst and jks-keystore
cernlib                   Apply optimization flag -O to Fortran modules
                          instead of -O2, which generates broken code; fix
                          FTBFS on arm64 by disabling PIE for Fortran
                          executables
choose-mirror             Update included mirror list
chrony                    Fix logging of measurements and statistics, and
                          stopping of chronyd, on some platforms when
                          seccomp filtering is enabled
ckermit                   Drop OpenSSL version check
clamav                    Security updates: out-of-bounds heap read
                          condition may occur when scanning PDF documents
                          [CVE-2019-1787]; out-of-bounds heap read
                          condition may occur when scanning PE files
                          packed using Aspack [CVE-2019-1789];
                          out-of-bounds heap write condition may occur
                          when scanning OLE2 files [CVE-2019-1788]
dansguardian              Add "missingok" to logrotate configuration
debian-security-support   Update support statuses
diffoscope                Fix tests to work with Ghostscript 9.26
dns-root-data             Update root data to 2019031302
dnsruby                   Add new root key (KSK-2017); ruby 2.3.0
                          deprecates TimeoutError, use Timeout::Error
dpdk                      New upstream release
edk2                      Fix buffer overflow in BlockIo service
                          [CVE-2018-12180]; DNS: check received packet
                          size before using it [CVE-2018-12178]; fix
                          stack overflow with corrupted BMP
                          [CVE-2018-12181]
firmware-nonfree          atheros / iwlwifi: update BT firmware
                          [CVE-2018-5383]
flatpak                   Reject all ioctls that the kernel will
                          interpret as TIOCSTI [CVE-2019-10063]
geant321                  Rebuild against cernlib with fixed Fortran
                          optimisations
gnome-chemistry-utils     Drop the obsolete gcu-plugin package
gocode                    gocode-auto-complete-el: promote
                          auto-complete-el to Pre-Depends
gpac                      Security fixes [CVE-2018-7752 CVE-2018-13005
                          CVE-2018-13006 CVE-2018-20760 CVE-2018-20761
                          CVE-2018-20762 CVE-2018-20763]
icedtea-web               Stop building the browser plugin, as it no
                          longer works with Firefox 60
igraph                    Fix a crash when loading malformed GraphML
                          files [CVE-2018-20349]
jabref                    Fix XML External Entity attack
                          [CVE-2018-1000652]
java-common               Remove default-java-plugin as the icedtea-web
                          Xul plugin is going away
jquery                    Prevent Object.prototype pollution
                          [CVE-2019-11358]
kauth                     Fix insecure handling of arguments in helpers
                          [CVE-2019-7443]
libdate-holidays-de-perl  Add March 8th (from 2019 onwards) and May 8th
                          (2020 only) as public holidays (Berlin only)
libdatetime-timezone-perl Update included data
libreoffice               Introduce next Japanese gengou era 'Reiwa';
                          make -core conflict against
                          openjdk-8-jre-headless (= 8u181-b13-2~deb9u1),
                          which had a broken ClassPathURLCheck
linux                     New upstream stable version
linux-latest              Update for -9 kernel ABI
mariadb-10.1              New upstream release
mclibs                    Rebuild against cernlib with fixed Fortran
                          optimisations
ncmpc                     Fix NULL pointer dereference [CVE-2018-9240]
node-superagent           Fix ZIP bomb attacks [CVE-2017-16129]
nvidia-graphics-drivers   New upstream release [CVE-2018-6260]
nvidia-settings           New upstream release
obs-build                 Do not allow writing to files in the host
                          system [CVE-2017-14804]
paw                       Rebuild against cernlib with fixed Fortran
                          optimisations
perlbrew                  Allow HTTPS CPAN URLs
postfix                   New upstream stable release
postgresql-9.6            New upstream version
psk31lx                   Make version sort correctly to avoid potential
                          upgrade issues
publicsuffix              Update included data
pyca                      Add "missingok" to logrotate configuration
python-certbot            Revert to debhelper compat 9, to ensure systemd
                          timers are correctly started
python-cryptography       Remove BIO_callback_ctrl: its prototype no
                          longer matches OpenSSL's definition after it
                          was changed (fixed) within OpenSSL
python-django-casclient   Apply django 1.10 middleware fix;
                          python(3)-django-casclient: add missing
                          dependencies on python(3)-django
python-mode               Remove support for xemacs21
python-pip                Properly catch requests' HTTPError in index.py
python-pykmip             Fix potential DoS error [CVE-2018-1000872]
r-cran-igraph             Security fix [CVE-2018-20349]
rails                     Security fixes [CVE-2018-16476 CVE-2019-5418
                          CVE-2019-5419]
rsync                     Several security fixes for zlib [CVE-2016-9840
                          CVE-2016-9841 CVE-2016-9842 CVE-2016-9843]
ruby-i18n                 Prevent a remote denial-of-service
                          vulnerability [CVE-2014-10077]
ruby2.3                   Fix build failure
runc                      Security fix [CVE-2019-5736]
systemd                   journald: fix assertion failure on
                          journal_file_link_data; tmpfiles: fix "e" to
                          support shell style globs; mount-util: accept
                          that name_to_handle_at() might fail with EPERM;
                          automount: ack automount requests even when
                          already mounted [CVE-2018-1049]; fix potential
                          root privilege escalation [CVE-2018-15686]
twitter-bootstrap3        Fix XSS in tooltip or popover [CVE-2019-8331]
tzdata                    New upstream release
unzip                     Fix buffer overflow in password protected ZIP
                          archives [CVE-2018-1000035]
vcftools                  Security fixes [CVE-2018-11099 CVE-2018-11129
                          CVE-2018-11130]
vips                      Fix NULL function pointer dereference
                          [CVE-2018-7998], uninitialised memory access
                          [CVE-2019-6976]
waagent                   New upstream release, with many Azure fixes
                          [CVE-2019-0804]
yorick-av                 Rescale frame timestamps; set VBV buffer size
                          for MPEG1/2 files
zziplib                   Fix invalid memory access in zzip_disk_fread
                          [CVE-2018-6381], bus error in the
                          zzip_disk_findfirst function in zzip/mmapped.c
                          [CVE-2018-6540], out-of-bounds read in
                          mmapped.c:zzip_disk_fread() [CVE-2018-7725],
                          crash via crafted zip file [CVE-2018-7726],
                          memory leak triggered in the function
                          __zzip_parse_root_directory in zip.c
                          [CVE-2018-16548]; reject a ZIP file if the size
                          of the central directory and/or the offset of
                          the start of the central directory point beyond
                          the end of the ZIP file [CVE-2018-6484,
                          CVE-2018-6541, CVE-2018-6869]
A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:
<https://release.debian.org/proposed-updates/stable.html>
Removed packages
----------------
The following packages will be removed due to circumstances beyond our
control:
Package                   Reason
-------                   ------
gcontactsync              Incompatible with newer firefox-esr versions
google-tasks-sync         Incompatible with newer firefox-esr versions
mozilla-gnome-keyring     Incompatible with newer firefox-esr versions
tbdialout                 Incompatible with newer thunderbird versions
timeline                  Incompatible with newer thunderbird versions
If you encounter any issues, please don't hesitate to get in touch with the
Debian Release Team at "debian-release@lists.debian.org".