Debian stretch Openstack images changelog

9.13.40-20220607
Updates in 2 source package(s), 4 binary package(s):

Source dpkg, binaries: dpkg:amd64 dpkg:arm64

dpkg (1.18.26) stretch-security; urgency=medium

  [ Guillem Jover ]
  * Perl modules:
    - Dpkg::Source::Archive: Prevent directory traversal for in-place
      extracts. Reported by Max Justicz. Fixes CVE-2022-1664.
    - Document textdomain() and ngettext() replacement functions in
      Dpkg::Gettext POD.

  [ Updated man pages translations ]
  * German (Helge Kreutzmann).

Source glib2.0, binaries: libglib2.0-0:amd64 libglib2.0-0:arm64

glib2.0 (2.50.3-2+deb9u3) stretch-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2021-28153: When g_file_replace() is used with
    G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling
    symlink, it incorrectly also creates the target of the symlink as an
    empty file, which could conceivably have security relevance if the
    symlink is attacker-controlled. (If the path is a symlink to a file
    that already exists, then the contents of that file correctly remain
    unchanged.)
  * Fix CVE-2021-27218: If g_byte_array_new_take() was called with a
    buffer of 4GB or more on a 64-bit platform, the length would be
    truncated modulo 2**32, causing unintended length truncation.
  * Fix CVE-2021-27219: The function g_bytes_new has an integer overflow
    on 64-bit platforms due to an implicit cast from 64 bits to 32 bits.
    The overflow could potentially lead to memory corruption.

 -- Steve McIntyre <93sam@debian.org>  Tue, 07 Jun 2022 14:59:03 +0000

9.13.39-20220524
Updates in 1 source package(s), 2 binary package(s):

Source rsyslog, binaries: rsyslog:amd64 rsyslog:arm64

rsyslog (8.24.0-1+deb9u3) stretch-security; urgency=high

  * Non-maintainer upload by the LTS Security Team.
  * Fix flaky tests/dynstats_prevent_premature_eviction.sh through
    upstream backports.

rsyslog (8.24.0-1+deb9u2) stretch-security; urgency=high

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2018-16881: a denial of service vulnerability was found in rsyslog
    in the imptcp module. An attacker could send a specially crafted
    message to the imptcp socket, which would cause rsyslog to crash.
  * CVE-2022-24903: modules for TCP syslog reception have a potential heap
    buffer overflow when octet-counted framing is used. This can result in
    a segfault or some other malfunction.

 -- Steve McIntyre <93sam@debian.org>  Tue, 24 May 2022 16:15:16 +0000

9.13.38-20220517
Updates in 3 source package(s), 16 binary package(s):

Source libxml2, binaries: libxml2:amd64 libxml2:arm64

libxml2 (2.9.4+dfsg1-2.2+deb9u7) stretch-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2022-29824: Felix Wilhelm discovered that libxml2 did not
    correctly check for integer overflows or used wrong types for buffer
    sizes. This could result in out-of-bounds writes or other memory
    errors when working on large, multi-gigabyte buffers.

Source openssl, binaries: libssl1.1:amd64 openssl:amd64 libssl1.1:arm64 openssl:arm64

openssl (1.1.0l-1~deb9u6) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2022-1292: Do not use shell to invoke openssl in c_rehash.

Source vim, binaries: vim:amd64 vim-common:amd64 vim-runtime:amd64 vim-tiny:amd64 xxd:amd64 vim:arm64 vim-common:arm64 vim-runtime:arm64 vim-tiny:arm64 xxd:arm64

vim (2:8.0.0197-4+deb9u6) stretch-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2022-0572, CVE-2022-0261, CVE-2022-0351, CVE-2022-0413,
    CVE-2022-0443, CVE-2022-1616, CVE-2022-1619, CVE-2022-1621,
    CVE-2022-1154.
    Multiple security vulnerabilities have been discovered in vim, an
    enhanced vi editor. Buffer overflows, out-of-bounds reads and
    use-after-free may lead to a denial-of-service (application crash) or
    other unspecified impact.
 -- Steve McIntyre <93sam@debian.org>  Tue, 17 May 2022 11:19:07 +0000

9.13.37-20220411
Updates in 4 source package(s), 8 binary package(s):

Source gzip, binaries: gzip:amd64 gzip:arm64

gzip (1.6-5+deb9u1) stretch-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Add patch to avoid exploit via multi-newline file names.
    (Fixes: CVE-2022-1271) (Closes: #1009168)

Source libxml2, binaries: libxml2:amd64 libxml2:arm64

libxml2 (2.9.4+dfsg1-2.2+deb9u6) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2022-23308: use-after-free of ID and IDREF attributes.
  * CVE-2017-16932: infinite recursion in parameter entities.
  * CVE-2017-5969: NULL pointer deref in xmlDumpElementContent.
  * CVE-2017-5130: integer overflow in memory debug code.
  * CVE-2016-9318: improve handling of context input_id.

Source qemu, binaries: qemu-utils:amd64 qemu-utils:arm64

qemu (1:2.8+dfsg-6+deb9u17) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS team.
  * CVE-2021-3593: out-of-bounds read or memory disclosure in udp6_input.
  * CVE-2021-3748: use-after-free in the virtio-net device.
  * CVE-2021-3930: off-by-one in the SCSI device leading to denial of
    service.
  * CVE-2021-20196: null pointer dereference in the floppy disk emulation.
  * CVE-2022-26354: invalid elements left in the virtqueue in vhost-vsock.

Source xz-utils, binaries: liblzma5:amd64 liblzma5:arm64

xz-utils (5.2.2-1.2+deb9u1) stretch-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Add patch to fix escaping of malicious filenames.
    (ZDI-CAN-16587) (Fixes: CVE-2022-1271) (Closes: #1009167)

 -- Steve McIntyre <93sam@debian.org>  Mon, 11 Apr 2022 23:23:07 +0000

9.13.36-20220403
Updates in 2 source package(s), 4 binary package(s):

Source tzdata, binaries: tzdata:amd64 tzdata:arm64

tzdata (2021a-0+deb9u3) stretch-security; urgency=medium

  * Cherry-pick patches from 2021a-0+deb10u4 (tzdata 2022a), thanks to
    Aurelien Jarno:
    - 06-palestine-dst2.patch: Palestine will spring forward on
      2022-03-27, not -03-26.

Source zlib, binaries: zlib1g:amd64 zlib1g:arm64

zlib (1:1.2.8.dfsg-5+deb9u1) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2018-25032: Fix a bug that can crash deflate on some input when
    using Z_FIXED (Closes: #1008265)

 -- Steve McIntyre <93sam@debian.org>  Sun, 03 Apr 2022 12:50:16 +0000

9.13.35-20220320
Updates in 4 source package(s), 12 binary package(s):

Source bind9, binaries: libdns-export162:amd64 libisc-export160:amd64 libdns-export162:arm64 libisc-export160:arm64

bind9 (1:9.10.3.dfsg.P4-12.3+deb9u12) stretch-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Regression update for CVE-2021-25220: Properly initialize variables
    before using them. (Closes: #1007945)

bind9 (1:9.10.3.dfsg.P4-12.3+deb9u11) stretch-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2021-25220: When using forwarders, bogus NS records supplied
    by, or via, those forwarders may be cached and used by named if it
    needs to recurse for any reason, causing it to obtain and pass on
    potentially incorrect answers.

Source debian-archive-keyring, binaries: debian-archive-keyring:amd64 debian-archive-keyring:arm64

debian-archive-keyring (2017.5+deb9u2) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * Add Debian Automatic Signing Key (11/bullseye)
  * Add Debian Stable Release Key (11/bullseye)
  * Add Debian Security Archive Automatic Signing Key (11/bullseye)

Source openssl, binaries: libssl1.1:amd64 openssl:amd64 libssl1.1:arm64 openssl:arm64

openssl (1.1.0l-1~deb9u5) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS team.
  * CVE-2019-1551: overflow in the x64_64 Montgomery squaring procedure.
  * CVE-2022-0778: infinite loop in BN_mod_sqrt.

Source openssl1.0, binaries: libssl1.0.2:amd64 libssl1.0.2:arm64

openssl1.0 (1.0.2u-1~deb9u7) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS team.
  * CVE-2022-0778: infinite loop in BN_mod_sqrt.

 -- Steve McIntyre <93sam@debian.org>  Sun, 20 Mar 2022 13:11:12 +0000

9.13.34-20220312
Updates in 3 source package(s), 14 binary package(s):

Source expat, binaries: libexpat1:amd64 libexpat1:arm64

expat (2.2.0-2+deb9u5) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS team.
  * Run the upstream tests during the build.
  * CVE-2022-25235: arbitrary code execution due to malformed 2- and
    3-byte UTF-8.
  * CVE-2022-25236: arbitrary code execution due to namespace-separator
    characters.
  * CVE-2022-25313: stack exhaustion in build_model.
  * CVE-2022-25315: integer overflow in storeRawNames.
  * Include follow-up fix for CVE-2022-25236.
  * Fix build issue in the tests of CVE-2022-23852.
Source linux-latest, binaries: linux-image-amd64:amd64 linux-image-arm64:arm64

linux-latest (80+deb9u16) stretch-security; urgency=high

  * Update to 4.9.0-18
  * linux-image: Add NEWS for unprivileged eBPF change

linux-latest (80+deb9u15) stretch-security; urgency=medium

  * Update to 4.9.0-17

linux-latest (80+deb9u14) stretch-security; urgency=medium

  * Update to 4.9.0-16

linux-latest (80+deb9u13) stretch-security; urgency=medium

  * Update to 4.9.0-15

linux-latest (80+deb9u12) stretch-security; urgency=high

  * debian/control: Point Vcs URLs to Salsa
  * Update to 4.9.0-14

linux-latest (80+deb9u11) stretch; urgency=medium

  * Update to 4.9.0-13

linux-latest (80+deb9u10) stretch; urgency=medium

  * Update to 4.9.0-12

linux-latest (80+deb9u9) stretch; urgency=medium

  * Update to 4.9.0-11

linux-latest (80+deb9u8) stretch; urgency=medium

  * Update to 4.9.0-10

linux-latest (80+deb9u7) stretch; urgency=medium

  * Update to 4.9.0-9

linux-latest (80+deb9u6) stretch-security; urgency=high

  * Update to 4.9.0-8

linux-latest (80+deb9u5) stretch; urgency=medium

  * Update to 4.9.0-7

linux-latest (80+deb9u4) stretch-security; urgency=high

  * Update to 4.9.0-6

linux-latest (80+deb9u3) stretch-security; urgency=high

  * Update to 4.9.0-5

linux-latest (80+deb9u2) stretch; urgency=medium

  * Update to 4.9.0-4

linux-latest (80+deb9u1) stretch; urgency=medium

  * Revert changes to debug symbol meta-packages (Closes: #866691)

linux-latest (80) unstable; urgency=medium

  * Re-introduce xen-linux-system-amd64 *again* as transitional package
    (Closes: #857039)
  * Update to 4.9.0-3

linux-latest (79) unstable; urgency=medium

  * Update to 4.9.0-2

linux-latest (78) unstable; urgency=medium

  * debian/rules: Use dpkg-parsechangelog -S option to select fields
  * linux-image: Delete NEWS for version 76 about vsyscall changes, now
    reverted
  * Update to 4.9.0-1

linux-latest (77) unstable; urgency=medium

  * Update to 4.8.0-2
  * Use debhelper compatibility level 9
  * Re-introduce xen-linux-system packages, accidentally dropped in version
    75

linux-latest (76) unstable; urgency=medium

  * Update to 4.8.0-1
  * linux-image-{686-pae,amd64}: Delete old NEWS
  * linux-image: Add back-dated NEWS for conntrack helpers change in
    Linux 4.7 (Closes: #839632)
  * linux-image: Add NEWS for security hardening config changes for
    Linux 4.8

linux-latest (75) unstable; urgency=medium

  * Update to 4.7.0-1
  * Rename and move debug symbol meta-packages to the debug archive
  * debian/control: Set priority of transitional packages to extra
  * debian/control: Update Standards-Version to 3.9.8; no changes needed

linux-latest (74) unstable; urgency=medium

  * Update to 4.6.0-1

linux-latest (73) unstable; urgency=medium

  * Update to 4.5.0-2

linux-latest (72) unstable; urgency=medium

  * Update to 4.5.0-1

linux-latest (71) unstable; urgency=medium

  * Update to 4.4.0-1
    - Change linux-{image,headers}-{kirkwood,orion5x} to transitional
      packages

linux-latest (70) unstable; urgency=medium

  * Change linux-{image,headers}-586 to transitional packages

linux-latest (69) unstable; urgency=medium

  * Update to 4.3.0-1

linux-latest (68) unstable; urgency=medium

  * Update to 4.2.0-1
  * debian/bin/gencontrol.py: Use Python 3

linux-latest (67) unstable; urgency=medium

  * Adjust for migration to git:
    - Add .gitignore file
    - debian/control: Update Vcs-* fields
  * .gitignore: Ignore linux-perf build directory
  * Update to 4.1.0-2
  * Change source format to 3.0 (native) so that .git directory is
    excluded by default

linux-latest (66) unstable; urgency=medium

  * Update to 4.1.0-1
  * Rename linux-tools to linux-perf, providing linux-tools as a
    transitional package

linux-latest (65) unstable; urgency=medium

  * Update to 4.0.0-2

linux-latest (64) unstable; urgency=medium

  * Update to 4.0.0-1
  * Stop generating linux-{headers,image}-486 transitional packages
  * debian/control: Build-Depend on linux-headers-*-all, so that after an
    ABI bump linux is auto-built before linux-latest on each architecture.
    (Closes: #746618)

linux-latest (63) unstable; urgency=medium

  * Update to 3.16.0-4
    - Change linux-{image,headers}-486 to transitional packages

linux-latest (62) unstable; urgency=medium

  * Update to 3.16-3 (Closes: #766078)

linux-latest (61) unstable; urgency=medium

  * Update to 3.16-2

linux-latest (60) unstable; urgency=medium

  * linux-image-{686-pae,amd64}: Add backdated NEWS for introduction of
    xz compression affecting Xen (Closes: #727736)
  * Update to 3.16-1

linux-latest (59) unstable; urgency=medium

  * Update to 3.14-2

linux-latest (58) unstable; urgency=medium

  * Rebuild to include arm64 and ppc64el architectures

linux-latest (57) unstable; urgency=medium

  * Suppress lintian warnings about linux-image-dbg metapackages not
    looking like debug info packages
  * debian/control: Update Standards-Version to 3.9.5; no changes needed
  * Update to 3.14-1

linux-latest (56) unstable; urgency=medium

  * Update to 3.13-1

linux-latest (55) unstable; urgency=low

  * Update to 3.12-1

linux-latest (54) unstable; urgency=low

  * Update to 3.11-2

linux-latest (53) unstable; urgency=low

  * Add linux-image--dbg metapackages, providing the virtual package
    linux-latest-image-dbg
  * Update standards-version to 3.9.4; no changes required
  * Change section and priority fields to match archive overrides
  * Update to 3.11-1
  * Stop providing virtual package linux-headers

linux-latest (52) unstable; urgency=low

  * Update to 3.10-3

linux-latest (51) unstable; urgency=low

  * Update to 3.10-2

linux-latest (50) unstable; urgency=low

  * Update to 3.10-1

linux-latest (49) unstable; urgency=low

  * Update to 3.9-1

linux-latest (48) unstable; urgency=low

  * Update to 3.8-2 (Closes: #708842)

linux-latest (47) unstable; urgency=low

  * Update to 3.8-1
  * Remove transitional packages provided in wheezy

linux-latest (46) unstable; urgency=low

  * Set Priority: extra, as currently overridden in the archive
    (Closes: #689846)
  * Add Czech debconf template translation (Michal Šimůnek)
    (Closes: #685501)
  * Update to 3.2.0-4 (Closes:
    #688222, #689864)

linux-latest (45) unstable; urgency=low

  * Update to 3.2.0-3

linux-latest (44) unstable; urgency=high

  [ Ben Hutchings ]
  * Update debconf template translations:
    - Add Polish (Michał Kułach) (Closes: #659571)
    - Add Turkish (Mert Dirik) (Closes: #660119)
  * Update standards-version to 3.9.3:
    - Do not move packages to the 'metapackages' section, as that will
      cause APT not to auto-remove their dependencies
  * Move transitional packages to the section 'oldlibs', so that APT will
    treat the replacement packages as manually installed
  * Update to 3.2.0-2
  * Stop generating linux-{headers,image}-2.6- transitional packages for
    flavours added since Linux 3.0

linux-latest (43) unstable; urgency=low

  * Add Vcs-{Svn,Browser} fields
  * Add debconf template translations:
    - Danish (Joe Hansen) (Closes: #656642)
    - Spanish (Slime Siabef) (Closes: #654681)
    - Italian (Stefano Canepa) (Closes: #657386)
  * [s390] Update the check for flavours without modules, removing the
    useless linux-headers{,-2.6}-s390x-tape packages

linux-latest (42) unstable; urgency=low

  * Rename source package to linux-latest
  * Add debconf template translations:
    - Portuguese (Miguel Figueiredo) (Closes: #651123)
    - Serbian latin (Zlatan Todoric) (Closes: #635895)
    - Russian (Yuri Kozlov) (Closes: #652431)
    - Japanese (Nobuhiro Iwamatsu) (Closes: #655687)
  * Update to 3.2.0-1

linux-latest-2.6 (41) unstable; urgency=low

  * Remove dependency on module makefiles in linux-support package
  * Update to 3.1.0-1

linux-latest-2.6 (40) unstable; urgency=low

  * Add debconf template translations:
    - Serbian cyrillic (Zlatan Todoric) (Closes: #635893)
    - German (Holger Wansing) (Closes: #637764)
    - French (Debian French l10n team) (Closes: #636624)
    - Swedish (Martin Bagge) (Closes: #640058)
    - Dutch (Jeroen Schot) (Closes: #640115)
    - Catalan (Innocent De Marchi) (Closes: #642109)
  * Update to 3.0.0-2

linux-latest-2.6 (39) unstable; urgency=low

  * Update to 3.0.0-1

linux-latest-2.6 (38) experimental; urgency=low

  * Correct
    xen-linux-system transitional package names

linux-latest-2.6 (37) experimental; urgency=low

  * Update to 3.0.0-rc5
  * Restore xen-linux-system- packages
  * Remove common description text from linux-image-2.6- packages

linux-latest-2.6 (36) experimental; urgency=low

  * Update to 3.0.0-rc1
    - Add linux-doc, linux-headers-, linux-source and linux-tools packages
    - Change *-2.6-* to transitional packages

linux-latest-2.6 (35.1) unstable; urgency=low

  [ Bastian Blank ]
  * Update to 2.6.39-2.

linux-latest-2.6 (35) unstable; urgency=low

  * Update to 2.6.39-1
    - Change linux-image{,-2.6}-686{,-bigmem} to transitional packages

linux-latest-2.6 (34) unstable; urgency=low

  * [hppa] Update to 2.6.38-2a

linux-latest-2.6 (33) unstable; urgency=low

  * Update to 2.6.38-2

linux-latest-2.6 (32) unstable; urgency=low

  * Update to 2.6.38-1

linux-latest-2.6 (31) unstable; urgency=low

  * Update to 2.6.37-2

linux-latest-2.6 (30) unstable; urgency=low

  * Update to 2.6.37-1

linux-latest-2.6 (29) unstable; urgency=low

  * Add xen-linux-system-2.6-* meta-packages (Closes: #402414)
  * Add bug presubj message for image meta packages directing users to the
    real image packages (Closes: #549591)
  * Fix repetition in description of linux-image-2.6-xen-amd64
    (Closes: #598648)
  * [x86] Correct lists of suitable processors

linux-latest-2.6 (28) unstable; urgency=low

  * Move NEWS from linux-2.6, since apt-listchanges only shows it for
    upgraded packages
  * Add linux-tools-2.6 meta package
  * Change versions for linux-doc-2.6 and linux-source-2.6 to match those
    of the other meta packages

linux-latest-2.6 (27) unstable; urgency=low

  * Really build linux-doc-2.6 and linux-source-2.6 meta packages

linux-latest-2.6 (26) unstable; urgency=low

  [ Joachim Breitner ]
  * Create linux-doc-2.6 and linux-source-2.6 meta packages
    (Closes: 347284)

  [ Ben Hutchings ]
  * Update to 2.6.32-5.
  * Update standards-version to 3.8.4; no changes required.
  * Explicitly describe all packages as meta-packages.
linux-latest-2.6 (25) unstable; urgency=high

  * Update package description templates in line with linux-2.6.
  * Update to 2.6.32-3.
  * Set urgency to 'high' since this must transition with linux-2.6.

linux-latest-2.6 (24) unstable; urgency=low

  * Update to 2.6.32-2.

linux-latest-2.6 (23) unstable; urgency=low

  * Update to 2.6.32-trunk.

linux-latest-2.6 (22) unstable; urgency=low

  * Update to 2.6.31-1.

linux-latest-2.6 (21) unstable; urgency=low

  [ Bastian Blank ]
  * Update to 2.6.30-2.

  [ Ben Hutchings ]
  * Add myself to uploaders.

linux-latest-2.6 (20) unstable; urgency=low

  * Move into kernel section.
  * Update to 2.6.30-1.

linux-latest-2.6 (19) unstable; urgency=low

  * Update to 2.6.29-2.
  * Use debhelper compat level 7.
  * Update copyright file.

linux-latest-2.6 (18) unstable; urgency=low

  * Update to 2.6.29-1.
  * Use dh_prep.
  * Remove lenny transition packages.

linux-latest-2.6 (17) unstable; urgency=low

  * Use correct part of the config for image type.
  * Add description parts to all image packages.

linux-latest-2.6 (16) unstable; urgency=low

  * Rebuild to pick up new images

linux-latest-2.6 (15) unstable; urgency=low

  * Update to 2.6.26-1.
  * Make linux-image-* complete meta packages.

linux-latest-2.6 (14) unstable; urgency=low

  * Update to 2.6.25-2.

linux-latest-2.6 (13) unstable; urgency=low

  * Add transitional packages for k7.

linux-latest-2.6 (12) unstable; urgency=low

  * Update to 2.6.24-1.

linux-latest-2.6 (11) unstable; urgency=low

  * Update to 2.6.22-3.

linux-latest-2.6 (10) unstable; urgency=low

  * Update to 2.6.22-2.

linux-latest-2.6 (9) unstable; urgency=low

  * Update to 2.6.22-1.

linux-latest-2.6 (8) unstable; urgency=low

  * Update to 2.6.21-2.
  * Add modules meta packages.
  * Provide linux-latest-modules-*. (closes: #428783)

linux-latest-2.6 (7) unstable; urgency=low

  * Update to 2.6.21-1.
  * Remove etch transition packages.

linux-latest-2.6 (6) unstable; urgency=low

  * Update to 2.6.18-4.
  * i386: Add amd64 transition packages.
linux-latest-2.6 (5) unstable; urgency=low

  * Update to 2.6.18-3.

Source vim, binaries: vim:amd64 vim-common:amd64 vim-runtime:amd64 vim-tiny:amd64 xxd:amd64 vim:arm64 vim-common:arm64 vim-runtime:arm64 vim-tiny:arm64 xxd:arm64

vim (2:8.0.0197-4+deb9u5) stretch-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2021-3984, CVE-2021-4019, CVE-2021-4069, CVE-2021-4193,
    CVE-2022-0213, CVE-2022-0319, CVE-2022-0368, CVE-2022-0554,
    CVE-2022-0361, CVE-2022-0408, CVE-2022-0685, CVE-2022-0714,
    CVE-2022-0359, CVE-2021-4192, CVE-2021-3872, CVE-2021-3927,
    CVE-2021-3928, CVE-2021-3973, CVE-2021-3974 and CVE-2022-0729.
    Multiple security vulnerabilities have been discovered in vim, an
    enhanced vi editor. Buffer overflows, out-of-bounds reads and NULL
    pointer dereferences may lead to a denial-of-service (application
    crash) or other unspecified impact.

 -- Steve McIntyre <93sam@debian.org>  Sat, 12 Mar 2022 13:10:48 +0000

9.13.33-20220214
Updates in 1 source package(s), 8 binary package(s):

Source python2.7, binaries: libpython2.7-minimal:amd64 libpython2.7-stdlib:amd64 python2.7:amd64 python2.7-minimal:amd64 libpython2.7-minimal:arm64 libpython2.7-stdlib:arm64 python2.7:arm64 python2.7-minimal:arm64

python2.7 (2.7.13-2+deb9u6) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2021-4189: Make ftplib not trust the PASV response.
  * CVE-2021-3177: Replace snprintf with Python unicode formatting in
    ctypes param reprs.

 -- Steve McIntyre <93sam@debian.org>  Tue, 15 Feb 2022 02:03:10 +0000

9.13.32-20220131
Updates in 3 source package(s), 14 binary package(s):

Source expat, binaries: libexpat1:amd64 libexpat1:arm64

expat (2.2.0-2+deb9u4) stretch-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2021-46143, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824,
    CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, CVE-2022-23852,
    CVE-2022-23990 and CVE-2021-45960.
    Multiple security vulnerabilities have been discovered in Expat, the
    XML parsing C library. Integer overflows or invalid shifts may lead to
    a denial of service or other unspecified impact.

Source lxml, binaries: python-lxml:amd64 python-lxml:arm64

lxml (3.7.1-1+deb9u5) stretch-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * Add patch to prevent "@import" from re-occurring in the CSS after
    replacements, e.g. "@@importimport" and remove SVG image data URLs
    since they can embed script content.
    (Fixes: CVE-2021-43818) (Closes: #1001885)

Source vim, binaries: vim:amd64 vim-common:amd64 vim-runtime:amd64 vim-tiny:amd64 xxd:amd64 vim:arm64 vim-common:arm64 vim-runtime:arm64 vim-tiny:arm64 xxd:arm64

vim (2:8.0.0197-4+deb9u4) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2017-17087. Fix swap file permission issue.
  * CVE-2019-20807. Prevent execution of arbitrary OS commands in
    restricted mode in rvim.
  * CVE-2021-3778. Fix Heap-based Buffer Overflow with invalid utf-8
    character.
  * CVE-2021-3796. Fix heap Use-After-Free memory error.

 -- Steve McIntyre <93sam@debian.org>  Mon, 31 Jan 2022 13:41:46 +0000

9.13.31-20211221
Updates in 3 source package(s), 6 binary package(s):

Source gmp, binaries: libgmp10:amd64 libgmp10:arm64

gmp (2:6.1.2+dfsg-1+deb9u1) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * Avoid bit size overflows.
    CVE-2021-43618 (Closes: #994405)

Source linux-latest, binaries: linux-image-amd64:amd64 linux-image-arm64:arm64

linux-latest (80+deb9u15) stretch-security; urgency=medium

  * Update to 4.9.0-17

linux-latest (80+deb9u14) stretch-security; urgency=medium

  * Update to 4.9.0-16

linux-latest (80+deb9u13) stretch-security; urgency=medium

  * Update to 4.9.0-15

linux-latest (80+deb9u12) stretch-security; urgency=high

  * debian/control: Point Vcs URLs to Salsa
  * Update to 4.9.0-14

linux-latest (80+deb9u11) stretch; urgency=medium

  * Update to 4.9.0-13

linux-latest (80+deb9u10) stretch; urgency=medium

  * Update to 4.9.0-12

linux-latest (80+deb9u9) stretch; urgency=medium

  * Update to 4.9.0-11

linux-latest (80+deb9u8) stretch; urgency=medium

  * Update to 4.9.0-10

linux-latest (80+deb9u7) stretch; urgency=medium

  * Update to 4.9.0-9

linux-latest (80+deb9u6) stretch-security; urgency=high

  * Update to 4.9.0-8

linux-latest (80+deb9u5) stretch; urgency=medium

  * Update to 4.9.0-7

linux-latest (80+deb9u4) stretch-security; urgency=high

  * Update to 4.9.0-6

linux-latest (80+deb9u3) stretch-security; urgency=high

  * Update to 4.9.0-5

linux-latest (80+deb9u2) stretch; urgency=medium

  * Update to 4.9.0-4

linux-latest (80+deb9u1) stretch; urgency=medium

  * Revert changes to debug symbol meta-packages (Closes: #866691)

linux-latest (80) unstable; urgency=medium

  * Re-introduce xen-linux-system-amd64 *again* as transitional package
    (Closes: #857039)
  * Update to 4.9.0-3

linux-latest (79) unstable; urgency=medium

  * Update to 4.9.0-2

linux-latest (78) unstable; urgency=medium

  * debian/rules: Use dpkg-parsechangelog -S option to select fields
  * linux-image: Delete NEWS for version 76 about vsyscall changes, now
    reverted
  * Update to 4.9.0-1

linux-latest (77) unstable; urgency=medium

  * Update to 4.8.0-2
  * Use debhelper compatibility level 9
  * Re-introduce xen-linux-system packages, accidentally dropped in version
    75

linux-latest (76) unstable; urgency=medium

  * Update to 4.8.0-1
  * linux-image-{686-pae,amd64}:
    Delete old NEWS
  * linux-image: Add back-dated NEWS for conntrack helpers change in
    Linux 4.7 (Closes: #839632)
  * linux-image: Add NEWS for security hardening config changes for
    Linux 4.8

linux-latest (75) unstable; urgency=medium

  * Update to 4.7.0-1
  * Rename and move debug symbol meta-packages to the debug archive
  * debian/control: Set priority of transitional packages to extra
  * debian/control: Update Standards-Version to 3.9.8; no changes needed

linux-latest (74) unstable; urgency=medium

  * Update to 4.6.0-1

linux-latest (73) unstable; urgency=medium

  * Update to 4.5.0-2

linux-latest (72) unstable; urgency=medium

  * Update to 4.5.0-1

linux-latest (71) unstable; urgency=medium

  * Update to 4.4.0-1
    - Change linux-{image,headers}-{kirkwood,orion5x} to transitional
      packages

linux-latest (70) unstable; urgency=medium

  * Change linux-{image,headers}-586 to transitional packages

linux-latest (69) unstable; urgency=medium

  * Update to 4.3.0-1

linux-latest (68) unstable; urgency=medium

  * Update to 4.2.0-1
  * debian/bin/gencontrol.py: Use Python 3

linux-latest (67) unstable; urgency=medium

  * Adjust for migration to git:
    - Add .gitignore file
    - debian/control: Update Vcs-* fields
  * .gitignore: Ignore linux-perf build directory
  * Update to 4.1.0-2
  * Change source format to 3.0 (native) so that .git directory is
    excluded by default

linux-latest (66) unstable; urgency=medium

  * Update to 4.1.0-1
  * Rename linux-tools to linux-perf, providing linux-tools as a
    transitional package

linux-latest (65) unstable; urgency=medium

  * Update to 4.0.0-2

linux-latest (64) unstable; urgency=medium

  * Update to 4.0.0-1
  * Stop generating linux-{headers,image}-486 transitional packages
  * debian/control: Build-Depend on linux-headers-*-all, so that after an
    ABI bump linux is auto-built before linux-latest on each architecture.
    (Closes: #746618)

linux-latest (63) unstable; urgency=medium

  * Update to 3.16.0-4
    - Change linux-{image,headers}-486 to transitional packages

linux-latest (62) unstable; urgency=medium

  * Update to 3.16-3 (Closes: #766078)

linux-latest (61) unstable; urgency=medium

  * Update to 3.16-2

linux-latest (60) unstable; urgency=medium

  * linux-image-{686-pae,amd64}: Add backdated NEWS for introduction of
    xz compression affecting Xen (Closes: #727736)
  * Update to 3.16-1

linux-latest (59) unstable; urgency=medium

  * Update to 3.14-2

linux-latest (58) unstable; urgency=medium

  * Rebuild to include arm64 and ppc64el architectures

linux-latest (57) unstable; urgency=medium

  * Suppress lintian warnings about linux-image-dbg metapackages not
    looking like debug info packages
  * debian/control: Update Standards-Version to 3.9.5; no changes needed
  * Update to 3.14-1

linux-latest (56) unstable; urgency=medium

  * Update to 3.13-1

linux-latest (55) unstable; urgency=low

  * Update to 3.12-1

linux-latest (54) unstable; urgency=low

  * Update to 3.11-2

linux-latest (53) unstable; urgency=low

  * Add linux-image--dbg metapackages, providing the virtual package
    linux-latest-image-dbg
  * Update standards-version to 3.9.4; no changes required
  * Change section and priority fields to match archive overrides
  * Update to 3.11-1
  * Stop providing virtual package linux-headers

linux-latest (52) unstable; urgency=low

  * Update to 3.10-3

linux-latest (51) unstable; urgency=low

  * Update to 3.10-2

linux-latest (50) unstable; urgency=low

  * Update to 3.10-1

linux-latest (49) unstable; urgency=low

  * Update to 3.9-1

linux-latest (48) unstable; urgency=low

  * Update to 3.8-2 (Closes: #708842)

linux-latest (47) unstable; urgency=low

  * Update to 3.8-1
  * Remove transitional packages provided in wheezy

linux-latest (46) unstable; urgency=low

  * Set Priority: extra, as currently overridden in the archive
    (Closes: #689846)
  * Add Czech debconf template translation (Michal Šimůnek)
    (Closes: #685501)
  * Update to 3.2.0-4 (Closes:
    #688222, #689864)

linux-latest (45) unstable; urgency=low

  * Update to 3.2.0-3

linux-latest (44) unstable; urgency=high

  [ Ben Hutchings ]
  * Update debconf template translations:
    - Add Polish (Michał Kułach) (Closes: #659571)
    - Add Turkish (Mert Dirik) (Closes: #660119)
  * Update standards-version to 3.9.3:
    - Do not move packages to the 'metapackages' section, as that will
      cause APT not to auto-remove their dependencies
  * Move transitional packages to the section 'oldlibs', so that APT will
    treat the replacement packages as manually installed
  * Update to 3.2.0-2
  * Stop generating linux-{headers,image}-2.6- transitional packages for
    flavours added since Linux 3.0

linux-latest (43) unstable; urgency=low

  * Add Vcs-{Svn,Browser} fields
  * Add debconf template translations:
    - Danish (Joe Hansen) (Closes: #656642)
    - Spanish (Slime Siabef) (Closes: #654681)
    - Italian (Stefano Canepa) (Closes: #657386)
  * [s390] Update the check for flavours without modules, removing the
    useless linux-headers{,-2.6}-s390x-tape packages

linux-latest (42) unstable; urgency=low

  * Rename source package to linux-latest
  * Add debconf template translations:
    - Portuguese (Miguel Figueiredo) (Closes: #651123)
    - Serbian latin (Zlatan Todoric) (Closes: #635895)
    - Russian (Yuri Kozlov) (Closes: #652431)
    - Japanese (Nobuhiro Iwamatsu) (Closes: #655687)
  * Update to 3.2.0-1

linux-latest-2.6 (41) unstable; urgency=low

  * Remove dependency on module makefiles in linux-support package
  * Update to 3.1.0-1

linux-latest-2.6 (40) unstable; urgency=low

  * Add debconf template translations:
    - Serbian cyrillic (Zlatan Todoric) (Closes: #635893)
    - German (Holger Wansing) (Closes: #637764)
    - French (Debian French l10n team) (Closes: #636624)
    - Swedish (Martin Bagge) (Closes: #640058)
    - Dutch (Jeroen Schot) (Closes: #640115)
    - Catalan (Innocent De Marchi) (Closes: #642109)
  * Update to 3.0.0-2

linux-latest-2.6 (39) unstable; urgency=low

  * Update to 3.0.0-1

linux-latest-2.6 (38) experimental; urgency=low

  * Correct
    xen-linux-system transitional package names

linux-latest-2.6 (37) experimental; urgency=low

  * Update to 3.0.0-rc5
  * Restore xen-linux-system- packages
  * Remove common description text from linux-image-2.6- packages

linux-latest-2.6 (36) experimental; urgency=low

  * Update to 3.0.0-rc1
    - Add linux-doc, linux-headers-, linux-source and linux-tools packages
    - Change *-2.6-* to transitional packages

linux-latest-2.6 (35.1) unstable; urgency=low

  [ Bastian Blank ]
  * Update to 2.6.39-2.

linux-latest-2.6 (35) unstable; urgency=low

  * Update to 2.6.39-1
    - Change linux-image{,-2.6}-686{,-bigmem} to transitional packages

linux-latest-2.6 (34) unstable; urgency=low

  * [hppa] Update to 2.6.38-2a

linux-latest-2.6 (33) unstable; urgency=low

  * Update to 2.6.38-2

linux-latest-2.6 (32) unstable; urgency=low

  * Update to 2.6.38-1

linux-latest-2.6 (31) unstable; urgency=low

  * Update to 2.6.37-2

linux-latest-2.6 (30) unstable; urgency=low

  * Update to 2.6.37-1

linux-latest-2.6 (29) unstable; urgency=low

  * Add xen-linux-system-2.6-* meta-packages (Closes: #402414)
  * Add bug presubj message for image meta packages directing users to the
    real image packages (Closes: #549591)
  * Fix repetition in description of linux-image-2.6-xen-amd64
    (Closes: #598648)
  * [x86] Correct lists of suitable processors

linux-latest-2.6 (28) unstable; urgency=low

  * Move NEWS from linux-2.6, since apt-listchanges only shows it for
    upgraded packages
  * Add linux-tools-2.6 meta package
  * Change versions for linux-doc-2.6 and linux-source-2.6 to match those
    of the other meta packages

linux-latest-2.6 (27) unstable; urgency=low

  * Really build linux-doc-2.6 and linux-source-2.6 meta packages

linux-latest-2.6 (26) unstable; urgency=low

  [ Joachim Breitner ]
  * Create linux-doc-2.6 and linux-source-2.6 meta packages
    (Closes: 347284)

  [ Ben Hutchings ]
  * Update to 2.6.32-5.
  * Update standards-version to 3.8.4; no changes required.
  * Explicitly describe all packages as meta-packages.
linux-latest-2.6 (25) unstable; urgency=high * Update package description templates in line with linux-2.6. * Update to 2.6.32-3. * Set urgency to 'high' since this must transition with linux-2.6. linux-latest-2.6 (24) unstable; urgency=low * Update to 2.6.32-2. linux-latest-2.6 (23) unstable; urgency=low * Update to 2.6.32-trunk. linux-latest-2.6 (22) unstable; urgency=low * Update to 2.6.31-1. linux-latest-2.6 (21) unstable; urgency=low [ Bastian Blank ] * Update to 2.6.30-2. [ Ben Hutchings ] * Add myself to uploaders. linux-latest-2.6 (20) unstable; urgency=low * Move into kernel section. * Update to 2.6.30-1. linux-latest-2.6 (19) unstable; urgency=low * Update to 2.6.29-2. * Use debhelper compat level 7. * Update copyright file. linux-latest-2.6 (18) unstable; urgency=low * Update to 2.6.29-1. * Use dh_prep. * Remove lenny transition packages. linux-latest-2.6 (17) unstable; urgency=low * Use correct part of the config for image type. * Add description parts to all image packages. linux-latest-2.6 (16) unstable; urgency=low * Rebuild to pick up new images linux-latest-2.6 (15) unstable; urgency=low * Update to 2.6.26-1. * Make linux-image-* complete meta packages. linux-latest-2.6 (14) unstable; urgency=low * Update to 2.6.25-2. linux-latest-2.6 (13) unstable; urgency=low * Add transitional packages for k7. linux-latest-2.6 (12) unstable; urgency=low * Update to 2.6.24-1. linux-latest-2.6 (11) unstable; urgency=low * Update to 2.6.22-3. linux-latest-2.6 (10) unstable; urgency=low * Update to 2.6.22-2. linux-latest-2.6 (9) unstable; urgency=low * Update to 2.6.22-1. linux-latest-2.6 (8) unstable; urgency=low * Update to 2.6.21-2. * Add modules meta packages. * Provide linux-latest-modules-*. (closes: #428783) linux-latest-2.6 (7) unstable; urgency=low * Update to 2.6.21-1. * Remove etch transition packages. linux-latest-2.6 (6) unstable; urgency=low * Update to 2.6.18-4. * i386: Add amd64 transition packages. 
linux-latest-2.6 (5) unstable; urgency=low

  * Update to 2.6.18-3.

Source rsyslog, binaries: rsyslog:amd64 rsyslog:arm64

rsyslog (8.24.0-1+deb9u1) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS team.
  * CVE-2019-17041: Heap overflow in the AIX message parser.
  * CVE-2019-17042: Heap overflow in the Cisco log message parser.

 -- Steve McIntyre <93sam@debian.org>  Tue, 21 Dec 2021 22:28:05 +0000

9.13.31-20211129

Updates in 1 source package(s), 2 binary package(s):

Source tar, binaries: tar:amd64 tar:arm64

tar (1.29b-1.1+deb9u1) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS team.
  * CVE-2018-20482: Infinite loop when --sparse is used with file shrinkage
    during read access.

 -- Steve McIntyre <93sam@debian.org>  Mon, 29 Nov 2021 15:13:31 +0000

9.13.30-20211105

Updates in 2 source package(s), 12 binary package(s):

Source bind9, binaries: libdns-export162:amd64 libisc-export160:amd64 libdns-export162:arm64 libisc-export160:arm64

bind9 (1:9.10.3.dfsg.P4-12.3+deb9u10) stretch-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2021-25219: In BIND, exploitation of broken authoritative
    servers using a flaw in response processing can cause degradation in
    BIND resolver performance. The way the lame cache is currently designed
    makes it possible for its internal data structures to grow almost
    infinitely, which may cause significant delays in client query
    processing.
  * Fix CVE-2018-5740: "deny-answer-aliases" is a little-used feature
    intended to help recursive server operators protect end users against
    DNS rebinding attacks, a potential method of circumventing the security
    model used by client browsers. However, a defect in this feature makes
    it easy, when the feature is in use, to experience an assertion failure
    in name.c.

Source python3.5, binaries: libpython3.5-minimal:amd64 libpython3.5-stdlib:amd64 python3.5:amd64 python3.5-minimal:amd64 libpython3.5-minimal:arm64 libpython3.5-stdlib:arm64 python3.5:arm64 python3.5-minimal:arm64

python3.5 (3.5.3-1+deb9u5) stretch-security; urgency=high

  * Non-maintainer upload by the LTS Security Team.
  * Add patch to fix http client infinite line reading (DoS) after a
    HTTP 100 Continue. (Fixes: CVE-2021-3737)
  * Add patch to fix ReDoS in urllib AbstractBasicAuthHandler.
    (Fixes: CVE-2021-3733)

 -- Steve McIntyre <93sam@debian.org>  Fri, 05 Nov 2021 18:53:14 +0000

9.13.29-20211031

Updates in 4 source package(s), 8 binary package(s):

Source cron, binaries: cron:amd64 cron:arm64

cron (3.0pl1-128+deb9u2) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS team.

  [ Christian Kastner ]
  * SECURITY: Fix bypass of /etc/cron.{allow,deny} on failure to open
    If these files exist, then they must be readable by the user executing
    crontab(1). Users will now be denied by default if they aren't.
    (LP: #1813833)
  * SECURITY: Fix for possible DoS by use-after-free
    A user reported a use-after-free condition in the cron daemon, leading
    to a possible Denial-of-Service scenario by crashing the daemon.
    (CVE-2019-9706) (Closes: #809167)
  * SECURITY: DoS: Fix unchecked return of calloc()
    Florian Weimer discovered that a missing check for the return value of
    calloc() could crash the daemon, which could be triggered by a very
    large crontab created by a user. (CVE-2019-9704)
  * Enforce maximum crontab line count of 10000 to prevent a malicious user
    from creating an excessively large crontab. The daemon will log a
    warning for existing files, and crontab(1) will refuse to create new
    ones. (CVE-2019-9705)
  * SECURITY: group crontab to root escalation via postinst as described by
    Alexander Peslyak (Solar Designer) in
    http://www.openwall.com/lists/oss-security/2017/06/08/3 (CVE-2017-9525)
  * Add d/NEWS alerting to the new 10000 lines limit.

Source elfutils, binaries: libelf1:amd64 libelf1:arm64

elfutils (0.168-1+deb9u1) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS team.
  * CVE-2018-16062: dwarf_getaranges in dwarf_getaranges.c in libdw allowed
    a denial of service (heap-based buffer over-read) via a crafted file.
  * CVE-2018-16402: libelf/elf_end.c allowed a denial of service (double
    free and application crash) because it tried to decompress twice.
  * CVE-2018-18310: An invalid memory address dereference in libdwfl allowed
    a denial of service (application crash) via a crafted file.
  * CVE-2018-18520: A use-after-free in recursive ELF ar files allowed a
    denial of service (application crash) via a crafted file.
  * CVE-2018-18521: A divide-by-zero in arlib_add_symbols() allowed a denial
    of service (application crash) via a crafted file.
  * CVE-2019-7150: A segmentation fault could occur due to
    dwfl_segment_report_module() not checking whether the dyn data read from
    a core file is truncated.
  * CVE-2019-7665: NT_PLATFORM core notes containing a zero terminated
    string allowed a denial of service (application crash) via a crafted
    file.

Source icu, binaries: libicu57:amd64 libicu57:arm64

icu (57.1-6+deb9u5) stretch-security; urgency=high

  * CVE-2020-21913: Prevent a potential use-after-free vulnerability in the
    pkg_createWithAssemblyCode function.

Source tzdata, binaries: tzdata:amd64 tzdata:arm64

tzdata (2021a-0+deb9u2) stretch-security; urgency=medium

  * Cherry-pick patches from 2021a-0+deb10u2 and 2021a-0+deb10u3 (tzdata
    2021b-2021e), thanks Aurelien Jarno:
    - 04-fiji-dst.patch: Fiji suspends DST for the 2021/2022 season.
    - 05-palestine-dst.patch: Palestine will fall back 2021-10-29 (not
      2021-10-30) at 01:00.
    - 01-no-leap-second-2021-12-31.patch: No leap second on 2021-12-31 as
      per IERS Bulletin C 62.
    - 02-samoa-dst.patch: Samoa no longer observes DST.
    - 03-jordan-dst.patch: Jordan now starts DST on February's last
      Thursday.
 -- Steve McIntyre <93sam@debian.org>  Sun, 31 Oct 2021 05:13:24 +0000

9.13.28-20211002

Updates in 3 source package(s), 14 binary package(s):

Source krb5, binaries: libgssapi-krb5-2:amd64 libk5crypto3:amd64 libkrb5-3:amd64 libkrb5support0:amd64 libgssapi-krb5-2:arm64 libk5crypto3:arm64 libkrb5-3:arm64 libkrb5support0:arm64

krb5 (1.15-1+deb9u3) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS team.
  * CVE-2018-5729, CVE-2018-5730: Fix flaws in LDAP DN checking.
  * CVE-2018-20217: Ignore password attributes for S4U2Self requests.
  * CVE-2021-37750: Fix KDC null deref on TGS inner body null server.

Source openssl, binaries: libssl1.1:amd64 openssl:amd64 libssl1.1:arm64 openssl:arm64

openssl (1.1.0l-1~deb9u4) stretch-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * CVE-2021-3712: Read buffer overruns processing ASN.1 strings

Source openssl1.0, binaries: libssl1.0.2:amd64 libssl1.0.2:arm64

openssl1.0 (1.0.2u-1~deb9u6) stretch-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * CVE-2021-3712: Read buffer overruns processing ASN.1 strings

 -- Steve McIntyre <93sam@debian.org>  Sat, 02 Oct 2021 17:51:12 +0000

9.13.27-20210919

Updates in 4 source package(s), 10 binary package(s):

Source gnutls28, binaries: libgnutls30:amd64 libgnutls30:arm64

gnutls28 (3.5.8-5+deb9u6) stretch-security; urgency=high

  * Non-maintainer upload by the LTS Security Team.
  * Fix verification error with alternate chains. Closes: #961889
    Addresses issue with Let's Encrypt certificates starting 2021-10-01.
    https://lists.debian.org/debian-lts/2021/09/msg00008.html

Source nettle, binaries: libhogweed4:amd64 libnettle6:amd64 libhogweed4:arm64 libnettle6:arm64

nettle (3.3-1+deb9u1) stretch-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2021-20305: A flaw was found in Nettle, where several Nettle
    signature verification functions (EDDSA & ECDSA) result in the Elliptic
    Curve Cryptography point (ECC) multiply function being called with
    out-of-range scalars, possibly resulting in incorrect results. This flaw
    allows an attacker to force an invalid signature, causing an assertion
    failure or possible validation. The highest threat to this vulnerability
    is to confidentiality, integrity, as well as system availability.
  * Fix CVE-2021-3580: A flaw was found in the way nettle's RSA decryption
    functions handled specially crafted ciphertext. An attacker could use
    this flaw to provide a manipulated ciphertext leading to application
    crash and denial of service.

Source openssl1.0, binaries: libssl1.0.2:amd64 libssl1.0.2:arm64

openssl1.0 (1.0.2u-1~deb9u5) stretch-security; urgency=high

  * Non-maintainer upload by the LTS Security Team.
  * Fix verification error with alternate chains.
    Addresses issue with Let's Encrypt certificates starting 2021-10-01.
    https://lists.debian.org/debian-lts/2021/09/msg00008.html
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961889

Source qemu, binaries: qemu-utils:amd64 qemu-utils:arm64

qemu (1:2.8+dfsg-6+deb9u16) stretch-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Revert patch for CVE-2021-3592: It was found that the patch for
    CVE-2021-3592 introduced a regression which prevented ssh connections
    to the host system. (Closes: #994080)

qemu (1:2.8+dfsg-6+deb9u15) stretch-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2021-3713: An out-of-bounds write flaw was found in the UAS
    (USB Attached SCSI) device emulation of QEMU. The device uses the guest
    supplied stream number unchecked, which can lead to out-of-bounds access
    to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest
    user could use this flaw to crash QEMU or potentially achieve code
    execution with the privileges of the QEMU process on the host.
  * Fix CVE-2021-3682: A flaw was found in the USB redirector device
    emulation of QEMU. It occurs when dropping packets during a bulk
    transfer from a SPICE client due to the packet queue being full. A
    malicious SPICE client could use this flaw to make QEMU call free() with
    faked heap chunk metadata, resulting in a crash of QEMU or potential
    code execution with the privileges of the QEMU process on the host.
  * Fix CVE-2021-3527: A flaw was found in the USB redirector device
    (usb-redir) of QEMU. Small USB packets are combined into a single, large
    transfer request, to reduce the overhead and improve performance. The
    combined size of the bulk transfer is used to dynamically allocate a
    variable length array (VLA) on the stack without proper validation.
    Since the total size is not bounded, a malicious guest could use this
    flaw to influence the array length and cause the QEMU process to
    perform an excessive allocation on the stack, resulting in a denial of
    service.
  * Fix CVE-2021-3594: An invalid pointer initialization issue was found in
    the SLiRP networking implementation of QEMU. The flaw exists in the
    udp_input() function and could occur while processing a udp packet that
    is smaller than the size of the 'udphdr' structure. This issue may lead
    to out-of-bounds read access or indirect host memory disclosure to the
    guest. The highest threat from this vulnerability is to data
    confidentiality.
  * Fix CVE-2021-3592: An invalid pointer initialization issue was found in
    the SLiRP networking implementation of QEMU. The flaw exists in the
    bootp_input() function and could occur while processing a udp packet
    that is smaller than the size of the 'bootp_t' structure. A malicious
    guest could use this flaw to leak 10 bytes of uninitialized heap memory
    from the host. The highest threat from this vulnerability is to data
    confidentiality.
  * Fix CVE-2021-3595: An invalid pointer initialization issue was found in
    the SLiRP networking implementation of QEMU. The flaw exists in the
    tftp_input() function and could occur while processing a udp packet
    that is smaller than the size of the 'tftp_t' structure. This issue may
    lead to out-of-bounds read access or indirect host memory disclosure to
    the guest. The highest threat from this vulnerability is to data
    confidentiality.

 -- Steve McIntyre <93sam@debian.org>  Sun, 19 Sep 2021 16:36:11 +0000

9.13.26-20210722

Updates in 3 source package(s), 18 binary package(s):

Source klibc, binaries: klibc-utils:amd64 libklibc:amd64 klibc-utils:arm64 libklibc:arm64

klibc (2.0.4-9+deb9u1) stretch-security; urgency=high

  * Never clean files in quilt status directory
  * debian/rules: Use $(MAKE) for recursive make
  * debian/rules: Change override_dh_auto_test rule to actually run tests
  * Apply security fixes from 2.0.9 (Closes: #989505):
    - malloc: Set errno on failure
    - malloc: Fail if requested size > PTRDIFF_MAX (CVE-2021-31873)
    - calloc: Fail if multiplication overflows (CVE-2021-31870)
    - cpio: Fix possible integer overflow on 32-bit systems (CVE-2021-31872)
    - cpio: Fix possible crash on 64-bit systems (CVE-2021-31871)

Source linux, binaries: linux-image-4.9.0-16-amd64:amd64 linux-image-4.9.0-16-arm64:arm64

linux (4.9.272-2) stretch-security; urgency=high

  * can: bcm: fix infoleak in struct bcm_msg_head (CVE-2021-34693)
  * can: bcm: delay release of struct bcm_op after synchronize_rcu()
    (CVE-2021-3609)
  * lib/string.c: add multibyte memset function
  * [armel,armhf] ensure the signal page contains defined contents
    (CVE-2021-21781)
  * proc: Track /proc/$pid/attr/ opener mm_struct (Closes: #990072)
  * seq_file: Disallow extremely large seq buffer allocations
    (CVE-2021-33909)

Source systemd, binaries: libpam-systemd:amd64 libsystemd0:amd64 libudev1:amd64 systemd:amd64 systemd-sysv:amd64 udev:amd64 libpam-systemd:arm64 libsystemd0:arm64 libudev1:arm64 systemd:arm64 systemd-sysv:arm64 udev:arm64

systemd (232-25+deb9u13) stretch-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * string-util: add delete_trailing_chars() and skip_leading_chars()
    helpers
  * basic/unit-name: do not use strdupa() on a path (CVE-2021-33910)

 -- Steve McIntyre <93sam@debian.org>  Fri, 23 Jul 2021 01:10:47 +0000

9.13.25-20210628

Updates in 1 source package(s), 2 binary package(s):

Source libgcrypt20, binaries: libgcrypt20:amd64 libgcrypt20:arm64

libgcrypt20 (1.7.6-2+deb9u4) stretch-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * CVE-2021-33560
    34_cipher-Fix-ElGamal-encryption-for-other-implementati.patch from
    upstream LIBGCRYPT-1.8-BRANCH: Fix weak ElGamal encryption with keys
    *not* generated by GnuPG/libgcrypt.

 -- Steve McIntyre <93sam@debian.org>  Mon, 28 Jun 2021 15:04:04 +0000

9.13.24-20210623

Updates in 2 source package(s), 6 binary package(s):

Source linux-latest, binaries: linux-image-amd64:amd64 linux-image-arm64:arm64

linux-latest (80+deb9u14) stretch-security; urgency=medium

  * Update to 4.9.0-16

linux-latest (80+deb9u13) stretch-security; urgency=medium

  * Update to 4.9.0-15

linux-latest (80+deb9u12) stretch-security; urgency=high

  * debian/control: Point Vcs URLs to Salsa
  * Update to 4.9.0-14

linux-latest (80+deb9u11) stretch; urgency=medium

  * Update to 4.9.0-13

linux-latest (80+deb9u10) stretch; urgency=medium

  * Update to 4.9.0-12

linux-latest (80+deb9u9) stretch; urgency=medium

  * Update to 4.9.0-11

linux-latest (80+deb9u8) stretch; urgency=medium

  * Update to 4.9.0-10

linux-latest (80+deb9u7) stretch; urgency=medium

  * Update to 4.9.0-9

linux-latest (80+deb9u6) stretch-security; urgency=high

  * Update to 4.9.0-8

linux-latest (80+deb9u5) stretch; urgency=medium

  * Update to 4.9.0-7

linux-latest (80+deb9u4) stretch-security; urgency=high

  * Update to 4.9.0-6

linux-latest (80+deb9u3) stretch-security; urgency=high

  * Update to 4.9.0-5

linux-latest (80+deb9u2) stretch; urgency=medium

  * Update to 4.9.0-4

linux-latest (80+deb9u1) stretch; urgency=medium

  * Revert changes to debug symbol meta-packages (Closes: #866691)

linux-latest (80) unstable; urgency=medium

  * Re-introduce xen-linux-system-amd64 *again* as transitional package
    (Closes: #857039)
  * Update to 4.9.0-3

linux-latest (79) unstable; urgency=medium

  * Update to 4.9.0-2

linux-latest (78) unstable; urgency=medium

  * debian/rules: Use dpkg-parsechangelog -S option to select fields
  * linux-image: Delete NEWS for version 76 about vsyscall changes, now
    reverted
  * Update to 4.9.0-1

linux-latest (77) unstable; urgency=medium

  * Update to 4.8.0-2
  * Use debhelper compatibility level 9
  * Re-introduce xen-linux-system packages, accidentally dropped in
    version 75

linux-latest (76) unstable; urgency=medium

  * Update to 4.8.0-1
  * linux-image-{686-pae,amd64}: Delete old NEWS
  * linux-image: Add back-dated NEWS for conntrack helpers change in
    Linux 4.7 (Closes: #839632)
  * linux-image: Add NEWS for security hardening config changes for
    Linux 4.8

linux-latest (75) unstable; urgency=medium

  * Update to 4.7.0-1
  * Rename and move debug symbol meta-packages to the debug archive
  * debian/control: Set priority of transitional packages to extra
  * debian/control: Update Standards-Version to 3.9.8; no changes needed

linux-latest (74) unstable; urgency=medium

  * Update to 4.6.0-1

linux-latest (73) unstable; urgency=medium

  * Update to 4.5.0-2

linux-latest (72) unstable; urgency=medium

  * Update to 4.5.0-1

linux-latest (71) unstable; urgency=medium

  * Update to 4.4.0-1
    - Change linux-{image,headers}-{kirkwood,orion5x} to transitional
      packages

linux-latest (70) unstable; urgency=medium

  * Change linux-{image,headers}-586 to transitional packages

linux-latest (69) unstable; urgency=medium

  * Update to 4.3.0-1

linux-latest (68) unstable; urgency=medium

  * Update to 4.2.0-1
  * debian/bin/gencontrol.py: Use Python 3

linux-latest (67) unstable; urgency=medium

  * Adjust for migration to git:
    - Add .gitignore file
    - debian/control: Update Vcs-* fields
  * .gitignore: Ignore linux-perf build directory
  * Update to 4.1.0-2
  * Change source format to 3.0 (native) so that .git directory is
    excluded by default

linux-latest (66) unstable; urgency=medium

  * Update to 4.1.0-1
  * Rename linux-tools to linux-perf, providing linux-tools as a
    transitional package

linux-latest (65) unstable; urgency=medium

  * Update to 4.0.0-2

linux-latest (64) unstable; urgency=medium

  * Update to 4.0.0-1
  * Stop generating linux-{headers,image}-486 transitional packages
  * debian/control: Build-Depend on linux-headers-*-all, so that after an
    ABI bump linux is auto-built before linux-latest on each architecture.
    (Closes: #746618)

linux-latest (63) unstable; urgency=medium

  * Update to 3.16.0-4
    - Change linux-{image,headers}-486 to transitional packages

linux-latest (62) unstable; urgency=medium

  * Update to 3.16-3 (Closes: #766078)

linux-latest (61) unstable; urgency=medium

  * Update to 3.16-2

linux-latest (60) unstable; urgency=medium

  * linux-image-{686-pae,amd64}: Add backdated NEWS for introduction of xz
    compression affecting Xen (Closes: #727736)
  * Update to 3.16-1

linux-latest (59) unstable; urgency=medium

  * Update to 3.14-2

linux-latest (58) unstable; urgency=medium

  * Rebuild to include arm64 and ppc64el architectures

linux-latest (57) unstable; urgency=medium

  * Suppress lintian warnings about linux-image-dbg metapackages not
    looking like debug info packages
  * debian/control: Update Standards-Version to 3.9.5; no changes needed
  * Update to 3.14-1

linux-latest (56) unstable; urgency=medium

  * Update to 3.13-1

linux-latest (55) unstable; urgency=low

  * Update to 3.12-1

linux-latest (54) unstable; urgency=low

  * Update to 3.11-2

linux-latest (53) unstable; urgency=low

  * Add linux-image--dbg metapackages, providing the virtual package
    linux-latest-image-dbg
  * Update standards-version to 3.9.4; no changes required
  * Change section and priority fields to match archive overrides
  * Update to 3.11-1
  * Stop providing virtual package linux-headers

linux-latest (52) unstable; urgency=low

  * Update to 3.10-3

linux-latest (51) unstable; urgency=low

  * Update to 3.10-2

linux-latest (50) unstable; urgency=low
  * Update to 3.10-1

linux-latest (49) unstable; urgency=low

  * Update to 3.9-1

linux-latest (48) unstable; urgency=low

  * Update to 3.8-2 (Closes: #708842)

linux-latest (47) unstable; urgency=low

  * Update to 3.8-1
  * Remove transitional packages provided in wheezy

linux-latest (46) unstable; urgency=low

  * Set Priority: extra, as currently overridden in the archive
    (Closes: #689846)
  * Add Czech debconf template translation (Michal Šimůnek)
    (Closes: #685501)
  * Update to 3.2.0-4 (Closes: #688222, #689864)

linux-latest (45) unstable; urgency=low

  * Update to 3.2.0-3

linux-latest (44) unstable; urgency=high

  [ Ben Hutchings ]
  * Update debconf template translations:
    - Add Polish (Michał Kułach) (Closes: #659571)
    - Add Turkish (Mert Dirik) (Closes: #660119)
  * Update standards-version to 3.9.3:
    - Do not move packages to the 'metapackages' section, as that will
      cause APT not to auto-remove their dependencies
  * Move transitional packages to the section 'oldlibs', so that APT will
    treat the replacement packages as manually installed
  * Update to 3.2.0-2
  * Stop generating linux-{headers,image}-2.6- transitional packages for
    flavours added since Linux 3.0

linux-latest (43) unstable; urgency=low

  * Add Vcs-{Svn,Browser} fields
  * Add debconf template translations:
    - Danish (Joe Hansen) (Closes: #656642)
    - Spanish (Slime Siabef) (Closes: #654681)
    - Italian (Stefano Canepa) (Closes: #657386)
  * [s390] Update the check for flavours without modules, removing the
    useless linux-headers{,-2.6}-s390x-tape packages

linux-latest (42) unstable; urgency=low

  * Rename source package to linux-latest
  * Add debconf template translations:
    - Portuguese (Miguel Figueiredo) (Closes: #651123)
    - Serbian latin (Zlatan Todoric) (Closes: #635895)
    - Russian (Yuri Kozlov) (Closes: #652431)
    - Japanese (Nobuhiro Iwamatsu) (Closes: #655687)
  * Update to 3.2.0-1

linux-latest-2.6 (41) unstable; urgency=low

  * Remove dependency on module makefiles in linux-support package
  * Update to 3.1.0-1

linux-latest-2.6 (40) unstable; urgency=low

  * Add debconf template translations:
    - Serbian cyrillic (Zlatan Todoric) (Closes: #635893)
    - German (Holger Wansing) (Closes: #637764)
    - French (Debian French l10n team) (Closes: #636624)
    - Swedish (Martin Bagge) (Closes: #640058)
    - Dutch (Jeroen Schot) (Closes: #640115)
    - Catalan (Innocent De Marchi) (Closes: #642109)
  * Update to 3.0.0-2

linux-latest-2.6 (39) unstable; urgency=low

  * Update to 3.0.0-1

linux-latest-2.6 (38) experimental; urgency=low

  * Correct xen-linux-system transitional package names

linux-latest-2.6 (37) experimental; urgency=low

  * Update to 3.0.0-rc5
  * Restore xen-linux-system- packages
  * Remove common description text from linux-image-2.6- packages

linux-latest-2.6 (36) experimental; urgency=low

  * Update to 3.0.0-rc1
    - Add linux-doc, linux-headers-, linux-source and linux-tools packages
    - Change *-2.6-* to transitional packages

linux-latest-2.6 (35.1) unstable; urgency=low

  [ Bastian Blank ]
  * Update to 2.6.39-2.

linux-latest-2.6 (35) unstable; urgency=low

  * Update to 2.6.39-1
    - Change linux-image{,-2.6}-686{,-bigmem} to transitional packages

linux-latest-2.6 (34) unstable; urgency=low

  * [hppa] Update to 2.6.38-2a

linux-latest-2.6 (33) unstable; urgency=low

  * Update to 2.6.38-2

linux-latest-2.6 (32) unstable; urgency=low

  * Update to 2.6.38-1

linux-latest-2.6 (31) unstable; urgency=low

  * Update to 2.6.37-2

linux-latest-2.6 (30) unstable; urgency=low

  * Update to 2.6.37-1

linux-latest-2.6 (29) unstable; urgency=low

  * Add xen-linux-system-2.6-* meta-packages (Closes: #402414)
  * Add bug presubj message for image meta packages directing users to the
    real image packages (Closes: #549591)
  * Fix repetition in description of linux-image-2.6-xen-amd64
    (Closes: #598648)
  * [x86] Correct lists of suitable processors

linux-latest-2.6 (28) unstable; urgency=low

  * Move NEWS from linux-2.6, since apt-listchanges only shows it for
    upgraded packages
  * Add linux-tools-2.6 meta package
  * Change versions for linux-doc-2.6 and linux-source-2.6 to match those
    of the other meta packages

linux-latest-2.6 (27) unstable; urgency=low

  * Really build linux-doc-2.6 and linux-source-2.6 meta packages

linux-latest-2.6 (26) unstable; urgency=low

  [ Joachim Breitner ]
  * Create linux-doc-2.6 and linux-source-2.6 meta packages
    (Closes: 347284)

  [ Ben Hutchings ]
  * Update to 2.6.32-5.
  * Update standards-version to 3.8.4; no changes required.
  * Explicitly describe all packages as meta-packages.

linux-latest-2.6 (25) unstable; urgency=high

  * Update package description templates in line with linux-2.6.
  * Update to 2.6.32-3.
  * Set urgency to 'high' since this must transition with linux-2.6.

linux-latest-2.6 (24) unstable; urgency=low

  * Update to 2.6.32-2.

linux-latest-2.6 (23) unstable; urgency=low

  * Update to 2.6.32-trunk.

linux-latest-2.6 (22) unstable; urgency=low

  * Update to 2.6.31-1.

linux-latest-2.6 (21) unstable; urgency=low

  [ Bastian Blank ]
  * Update to 2.6.30-2.

  [ Ben Hutchings ]
  * Add myself to uploaders.

linux-latest-2.6 (20) unstable; urgency=low

  * Move into kernel section.
  * Update to 2.6.30-1.

linux-latest-2.6 (19) unstable; urgency=low

  * Update to 2.6.29-2.
  * Use debhelper compat level 7.
  * Update copyright file.

linux-latest-2.6 (18) unstable; urgency=low

  * Update to 2.6.29-1.
  * Use dh_prep.
  * Remove lenny transition packages.

linux-latest-2.6 (17) unstable; urgency=low

  * Use correct part of the config for image type.
  * Add description parts to all image packages.

linux-latest-2.6 (16) unstable; urgency=low

  * Rebuild to pick up new images

linux-latest-2.6 (15) unstable; urgency=low

  * Update to 2.6.26-1.
  * Make linux-image-* complete meta packages.

linux-latest-2.6 (14) unstable; urgency=low

  * Update to 2.6.25-2.

linux-latest-2.6 (13) unstable; urgency=low

  * Add transitional packages for k7.

linux-latest-2.6 (12) unstable; urgency=low

  * Update to 2.6.24-1.

linux-latest-2.6 (11) unstable; urgency=low

  * Update to 2.6.22-3.

linux-latest-2.6 (10) unstable; urgency=low

  * Update to 2.6.22-2.
linux-latest-2.6 (9) unstable; urgency=low * Update to 2.6.22-1. linux-latest-2.6 (8) unstable; urgency=low * Update to 2.6.21-2. * Add modules meta packages. * Provide linux-latest-modules-*. (closes: #428783) linux-latest-2.6 (7) unstable; urgency=low * Update to 2.6.21-1. * Remove etch transition packages. linux-latest-2.6 (6) unstable; urgency=low * Update to 2.6.18-4. * i386: Add amd64 transition packages. linux-latest-2.6 (5) unstable; urgency=low * Update to 2.6.18-3. Source python-urllib3, binaries: python-urllib3:amd64 python3-urllib3:amd64 python-urllib3:arm64 python3-urllib3:arm64 python-urllib3 (1.19.1-1+deb9u1) stretch-security; urgency=medium * Non-maintainer upload by the Debian LTS Team. * Fix CVE-2018-20060, CVE-2019-11236, CVE-2019-11324 CVE-2020-26137 -- Steve McIntyre <93sam@debian.org> Wed, 23 Jun 2021 13:35:34 +0000 9.13.23-20210604 Updates in 1 source package(s), 4 binary package(s): Source isc-dhcp, binaries: isc-dhcp-client:amd64 isc-dhcp-common:amd64 isc-dhcp-client:arm64 isc-dhcp-common:arm64 isc-dhcp (4.3.5-3+deb9u2) stretch-security; urgency=medium * Non-maintainer upload by the LTS Team. * CVE-2021-25217: denial of service in server and client via application crash when parsing lease information. -- Steve McIntyre <93sam@debian.org> Fri, 04 Jun 2021 12:00:23 +0000 9.13.22-20210531 Updates in 2 source package(s), 4 binary package(s): Source libxml2, binaries: libxml2:amd64 libxml2:arm64 libxml2 (2.9.4+dfsg1-2.2+deb9u5) stretch-security; urgency=medium * Non-maintainer upload by the LTS Team. * CVE-2021-3541 Fix for "Parameter Laughs"-attack, that is similar to the "Billion Laughs"-attacks found earlier in libexpat. Source lz4, binaries: liblz4-1:amd64 liblz4-1:arm64 lz4 (0.0~r131-2+deb9u1) stretch-security; urgency=high * CVE-2021-3520: Fix a potential memory corruption vulnerability that could be exploited with a negative memmove(3) size argument. 
(Closes: #987856) -- Steve McIntyre <93sam@debian.org> Mon, 31 May 2021 16:21:18 +0000 9.13.21-20210511 Updates in 1 source package(s), 2 binary package(s): Source libxml2, binaries: libxml2:amd64 libxml2:arm64 libxml2 (2.9.4+dfsg1-2.2+deb9u4) stretch-security; urgency=medium * Non-maintainer upload by the LTS team. * CVE-2021-3516: use-after-free in xmlEncodeEntitiesInternal * CVE-2021-3517: heap-based buffer overflow in xmlEncodeEntitiesInternal * CVE-2021-3518: use-after-free in xmlXIncludeDoProcess * CVE-2021-3537: NULL pointer dereference in xmlValidBuildAContentModel -- Steve McIntyre <93sam@debian.org> Wed, 12 May 2021 00:53:25 +0000 9.13.20-20210507 Updates in 5 source package(s), 24 binary package(s): Source qemu, binaries: qemu-utils:amd64 qemu-utils:arm64 qemu (1:2.8+dfsg-6+deb9u14) stretch-security; urgency=high * Non-maintainer upload by the LTS team. * Fix CVE-2021-20257: net: e1000: infinite loop while processing transmit descriptors * Fix CVE-2021-20255: A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. * Fix CVE-2021-20203: An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. * Fix CVE-2021-3416: A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. 
A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host resulting in DoS scenario. * Fix CVE-2021-3409/CVE-2020-17380: The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or potential code execution. * Fix CVE-2021-3392: A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req' from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. Source python3.5, binaries: libpython3.5-minimal:amd64 libpython3.5-stdlib:amd64 python3.5:amd64 python3.5-minimal:amd64 libpython3.5-minimal:arm64 libpython3.5-stdlib:arm64 python3.5:arm64 python3.5-minimal:arm64 python3.5 (3.5.3-1+deb9u4) stretch-security; urgency=medium * Non-maintainer upload by the LTS Security Team. * CVE-2021-23336: only use '&' as a query string separator * CVE-2021-3426: remove the pydoc getfile feature * CVE-2021-3177: replace snprintf with Python unicode Source lxml, binaries: python-lxml:amd64 python-lxml:arm64 lxml (3.7.1-1+deb9u4) stretch-security; urgency=medium * Non-maintainer upload by the LTS Team. * CVE-2021-28957 Due to missing input sanitization, XSS is possible for the HTML5 formatcion attribute. Source bind9, binaries: libdns-export162:amd64 libisc-export160:amd64 libdns-export162:arm64 libisc-export160:arm64 bind9 (1:9.10.3.dfsg.P4-12.3+deb9u9) stretch-security; urgency=medium * Non-maintainer upload by the LTS Team. * CVE-2021-25214: A malformed incoming IXFR transfer could trigger an assertion failure in ``named``, causing it to quit abnormally. 
  * CVE-2021-25215: ``named`` crashed when a DNAME record placed in the
    ANSWER section during DNAME chasing turned out to be the final answer
    to a client query.
  * CVE-2021-25216: Compile with system provided SPNEGO
  * Ensure all resources are properly cleaned up when a call to
    gss_accept_sec_context() fails.

Source python2.7, binaries: libpython2.7-minimal:amd64 libpython2.7-stdlib:amd64 python2.7:amd64 python2.7-minimal:amd64 libpython2.7-minimal:arm64 libpython2.7-stdlib:arm64 python2.7:arm64 python2.7-minimal:arm64

python2.7 (2.7.13-2+deb9u5) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * Update keycert.pem to fix corresponding tests.
  * Disable some failing tests (see debian/TODO).
  * CVE-2021-23336: only use '&' as a query string separator.
  * CVE-2019-16935: Escape the server title of DocXMLRPCServer.
  * Add debian/.gitlab-ci.yml.

 -- Steve McIntyre <93sam@debian.org>  Fri, 07 May 2021 06:15:15 +0000

9.13.19-20210320

Updates in 2 source package(s), 6 binary package(s):

Source cloud-init, binaries: cloud-init:amd64 cloud-init:arm64

cloud-init (0.7.9-2+deb9u1) stretch-security; urgency=medium

  * Avoid logging generated passwords (CVE-2021-3429) (Closes: #985540)

Source shadow, binaries: login:amd64 passwd:amd64 login:arm64 passwd:arm64

shadow (1:4.4-4.1+deb9u1) stretch-security; urgency=high

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2017-20002: revert adding pts/0 and pts/1 to securetty.
    Adding pts/* defeats the purpose of securetty. Let containers add it if
    needed as described in #830255. (cherry-picked from 1:4.5-1)
    See also #877374 (previous proposed update) and #914957 (/etc/securetty
    will be dropped in bullseye).
  * CVE-2017-12424: the newusers tool could be made to manipulate internal
    data structures in ways unintended by the authors. Malformed input may
    lead to crashes (with a buffer overflow or other memory corruption) or
    other unspecified behaviors. This crosses a privilege boundary in, for
    example, certain web-hosting environments in which a Control Panel
    allows an unprivileged user account to create subaccounts.
    (Closes: #756630)

 -- Steve McIntyre <93sam@debian.org>  Sat, 20 Mar 2021 22:16:44 +0000

9.13.18-20210314

Updates in 1 source package(s), 2 binary package(s):

Source ca-certificates, binaries: ca-certificates:amd64 ca-certificates:arm64

ca-certificates (20200601~deb9u2) stretch-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * mozilla/blacklist: Revert Symantec CA blacklist (#911289). Closes: #962596
    The following root certificates were added back (+):
    + "GeoTrust Global CA"
    + "GeoTrust Primary Certification Authority"
    + "GeoTrust Primary Certification Authority - G2"
    + "GeoTrust Primary Certification Authority - G3"
    + "GeoTrust Universal CA"
    + "thawte Primary Root CA"
    + "thawte Primary Root CA - G2"
    + "thawte Primary Root CA - G3"
    + "VeriSign Class 3 Public Primary Certification Authority - G4"
    + "VeriSign Class 3 Public Primary Certification Authority - G5"
    + "VeriSign Universal Root Certification Authority"
    NOTE: due to bug #743339, CA certificates added back in this version
    won't automatically be trusted again on upgrade. Affected users may
    need to reconfigure the package to restore the desired state.
 -- Steve McIntyre <93sam@debian.org>  Mon, 15 Mar 2021 01:07:03 +0000

9.13.17-20210308

Updates in 1 source package(s), 2 binary package(s):

Source linux-latest, binaries: linux-image-amd64:amd64 linux-image-arm64:arm64

linux-latest (80+deb9u13) stretch-security; urgency=medium

  * Update kernel to 4.9.0-15

 -- Steve McIntyre <93sam@debian.org>  Tue, 09 Mar 2021 15:29:47 +0000

9.13.16-20210219

Updates in 6 source package(s), 16 binary package(s):

Source openssl, binaries: libssl1.1:amd64 openssl:amd64 libssl1.1:arm64 openssl:arm64

openssl (1.1.0l-1~deb9u3) stretch-security; urgency=high

  * CVE-2021-23840: Prevent an issue where "Digital EnVeloPe" EVP-related
    calls could cause applications to behave incorrectly or crash.
  * CVE-2021-23841: Prevent an issue in the X509 certificate handler caused
    by the lack of error handling while parsing the "issuer" field.

Source libbsd, binaries: libbsd0:amd64 libbsd0:arm64

libbsd (0.8.3-1+deb9u1) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS Team.
  * CVE-2019-20367: A non-NUL-terminated symbol name in the string table
    might result in an out-of-bounds read.

Source qemu, binaries: qemu-utils:amd64 qemu-utils:arm64

qemu (1:2.8+dfsg-6+deb9u13) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2020-15469: a MemoryRegionOps object may lack read/write callback
    methods, leading to a NULL pointer dereference.
  * CVE-2020-15859: QEMU has a use-after-free in hw/net/e1000e_core.c
    because a guest OS user can trigger an e1000e packet with the data's
    address set to the e1000e's MMIO address.
  * CVE-2020-25084: QEMU has a use-after-free in hw/usb/hcd-xhci.c because
    the usb_packet_map return value is not checked.
  * CVE-2020-28916: hw/net/e1000e_core.c has an infinite loop via an RX
    descriptor with a NULL buffer address.
  * CVE-2020-29130: slirp.c has a buffer over-read because it tries to read
    a certain amount of header data even if that exceeds the total packet
    length.
  * CVE-2020-29443: ide_atapi_cmd_reply_end in hw/ide/atapi.c allows
    out-of-bounds read access because a buffer index is not validated.
  * CVE-2021-20181: 9pfs: ZDI-CAN-10904: QEMU Plan 9 file system TOCTOU
    privilege escalation vulnerability.
  * CVE-2021-20221: aarch64: GIC: out-of-bound heap buffer access via an
    interrupt ID field.

Source screen, binaries: screen:amd64 screen:arm64

screen (4.5.0-6+deb9u1) stretch-security; urgency=high

  * [CVE-2021-26937] Fix invalid write access and application crash or
    possibly unspecified other impact via a crafted UTF-8 character
    sequence. (Closes: #982435)

Source bind9, binaries: libdns-export162:amd64 libisc-export160:amd64 libdns-export162:arm64 libisc-export160:arm64

bind9 (1:9.10.3.dfsg.P4-12.3+deb9u8) stretch-security; urgency=high

  * CVE-2020-8625: Prevent a buffer overflow attack in the GSSAPI ("Generic
    Security Services") security policy negotiation. (Closes: #983004)

Source openssl1.0, binaries: libssl1.0.2:amd64 libssl1.0.2:arm64

openssl1.0 (1.0.2u-1~deb9u4) stretch-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * CVE-2021-23840: Prevent an issue where "Digital EnVeloPe" EVP-related
    calls could cause applications to behave incorrectly or even crash.
  * CVE-2021-23841: Prevent an issue in the X509 certificate handler,
    caused by the lack of error handling while parsing "issuer" fields.

 -- Steve McIntyre <93sam@debian.org>  Fri, 19 Feb 2021 20:32:09 +0000

9.13.15-20210210

Updates in 2 source package(s), 4 binary package(s):

Source gdisk, binaries: gdisk:amd64 gdisk:arm64

gdisk (1.0.1-1+deb9u1) stretch-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Add patch to fix segfault on some weird data structures.
    (Fixes: CVE-2020-0256)
  * Add patch to fix a bug that could cause a crash if a badly-formatted
    MBR disk was read. (Fixes: CVE-2021-0308)

Source tzdata, binaries: tzdata:amd64 tzdata:arm64

tzdata (2021a-0+deb9u1) stretch-security; urgency=medium

  * New upstream version, affecting the following timestamp:
    - South Sudan changes from +03 to +02 on 2021-02-01.

 -- Steve McIntyre <93sam@debian.org>  Wed, 10 Feb 2021 13:13:39 +0000

9.13.14-20210127

Updates in 1 source package(s), 2 binary package(s):

Source sudo, binaries: sudo:amd64 sudo:arm64

sudo (1.8.19p1-2.1+deb9u3) stretch-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Heap-based buffer overflow (CVE-2021-3156)
    - Reset valid_flags to MODE_NONINTERACTIVE for sudoedit
    - Add sudoedit flag checks in plugin that are consistent with front-end
    - Fix potential buffer overflow when unescaping backslashes in user_args
    - Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL
    - Don't assume that argv is allocated as a single flat buffer

 -- Steve McIntyre <93sam@debian.org>  Wed, 27 Jan 2021 21:29:22 +0000

9.13.13-20210106

Updates in 1 source package(s), 2 binary package(s):

Source p11-kit, binaries: libp11-kit0:amd64 libp11-kit0:arm64

p11-kit (0.23.3-2+deb9u1) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS team.
  * CVE-2020-29361: Multiple integer overflows.
  * CVE-2020-29362: Heap-based buffer over-read.

 -- Steve McIntyre <93sam@debian.org>  Thu, 07 Dec 2020 21:34:23 +0000

9.13.12-20201230

Updates in 2 source package(s), 4 binary package(s):

Source lxml, binaries: python-lxml:amd64 python-lxml:arm64

lxml (3.7.1-1+deb9u3) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS Team.
  * Enable the test suite (non-fatal).
  * Switch to source format 3.0 (quilt), rather than having the patches in
    debian/patches/ but applied directly without a patch system.
  * Fix regression in Python 2 in the last part of CVE-2020-27783.
  * math-svg.patch: update expected results for the test suite.
Source tzdata, binaries: tzdata:amd64 tzdata:arm64

tzdata (2020e-0+deb9u1) stretch-security; urgency=medium

  * New upstream version, affecting the following timestamp:
    - Volgograd switched to Moscow time on 2020-12-27 at 02:00.

 -- Steve McIntyre <93sam@debian.org>  Wed, 30 Dec 2020 16:52:35 +0000

9.13.11-20201218

Updates in 2 source package(s), 4 binary package(s):

Source linux, binaries: linux-image-4.9.0-14-amd64:amd64 linux-image-4.9.0-14-arm64:arm64

linux (4.9.246-2) stretch-security; urgency=high

  * [arm64] Fix FTBFS after Xen netback fix:
    - arm64: Remove redundant mov from LL/SC cmpxchg
    - arm64: Avoid redundant type conversions in xchg() and cmpxchg()
    - arm64: cmpxchg: Use "K" instead of "L" for ll/sc immediate constraint
    - arm64: Use correct ll/sc atomic constraints

Source lxml, binaries: python-lxml:amd64 python-lxml:arm64

lxml (3.7.1-1+deb9u3) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS Team.
  * Enable the test suite (non-fatal).
  * Switch to source format 3.0 (quilt), rather than having the patches in
    debian/patches/ but applied directly without a patch system.
  * Fix regression in Python 2 in the last part of CVE-2020-27783.
  * math-svg.patch: update expected results for the test suite.

lxml (3.7.1-1+deb9u2) stretch-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * CVE-2020-27783: Backport additional upstream commit
    a105ab8dc262ec6735977c25c13f0bdfcdec72a7 to address math/svg part of
    the vulnerability and complete the fix

 -- Steve McIntyre <93sam@debian.org>  Fri, 18 Dec 2020 11:42:32 +0000

9.13.10-20201217

Updates in 4 source package(s), 10 binary package(s):

Source openssl, binaries: libssl1.1:amd64 openssl:amd64 libssl1.1:arm64 openssl:arm64

openssl (1.1.0l-1~deb9u2) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS team.
  * CVE-2020-1971: EDIPARTYNAME NULL pointer de-reference.
Source linux, binaries: linux-image-4.9.0-14-amd64:amd64 linux-image-4.9.0-14-arm64:arm64

linux (4.9.246-2) stretch-security; urgency=high

  * [arm64] Fix FTBFS after Xen netback fix:
    - arm64: Remove redundant mov from LL/SC cmpxchg
    - arm64: Avoid redundant type conversions in xchg() and cmpxchg()
    - arm64: cmpxchg: Use "K" instead of "L" for ll/sc immediate constraint
    - arm64: Use correct ll/sc atomic constraints

linux (4.9.246-1) stretch-security; urgency=high

  * New upstream stable update:
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.241
    - tipc: fix the skb_unshare() in tipc_buf_append()
    - net/ipv4: always honour route mtu during forwarding
    - r8169: fix data corruption issue on RTL8402
    - ALSA: bebob: potential info leak in hwdep_read()
    - net: hdlc: In hdlc_rcv, check to make sure dev is an HDLC device
    - net: hdlc_raw_eth: Clear the IFF_TX_SKB_SHARING flag after calling ether_setup
    - nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download()
    - tcp: fix to update snd_wl1 in bulk receiver fast path
    - icmp: randomize the global rate limiter (CVE-2020-25705)
    - cifs: remove bogus debug code
    - [x86] KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages
    - ima: Don't ignore errors from crypto_shash_update()
    - crypto: algif_aead - Do not set MAY_BACKLOG on the async path
    - [x86] EDAC/i5100: Fix error handling order in i5100_init_one()
    - [armhf] media: Revert "media: exynos4-is: Add missed check for pinctrl_lookup_state()"
    - [armhf] media: omap3isp: Fix memleak in isp_probe
    - [armhf] crypto: omap-sham - fix digcnt register handling with export/import
    - [armhf] media: ti-vpe: Fix a missing check and reference count leak
    - regulator: resolve supply after creating regulator
    - ath10k: provide survey info as accumulated data
    - ath6kl: prevent potential array overflow in ath6kl_add_new_sta()
    - ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb()
    - wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680
    - [arm64] ASoC: qcom: lpass-platform: fix memory leak
    - mwifiex: Do not use GFP_KERNEL in atomic context
    - [x86] drm/gma500: fix error check
    - scsi: qla4xxx: Fix an error handling path in 'qla4xxx_get_host_stats()'
    - scsi: csiostor: Fix wrong return value in csio_hw_prep_fw()
    - [x86] VMCI: check return value of get_user_pages_fast() for errors
    - tty: serial: earlycon dependency
    - pty: do tty_flip_buffer_push without port->lock in pty_write
    - [x86] video: fbdev: vga16fb: fix setting of pixclock because a pass-by-value error
    - video: fbdev: sis: fix null ptr dereference
    - HID: roccat: add bounds checking in kone_sysfs_write_settings()
    - ath6kl: wmi: prevent a shift wrapping bug in ath6kl_wmi_delete_pstream_cmd()
    - [amd64] misc: mic: scif: Fix error handling path
    - ALSA: seq: oss: Avoid mutex lock for a long-time ioctl
    - quota: clear padding in v2r1_mem2diskdqb()
    - net: enic: Cure the enic api locking trainwreck
    - iwlwifi: mvm: split a print to avoid a WARNING in ROC
    - usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above.
    - nl80211: fix non-split wiphy information
    - scsi: be2iscsi: Fix a theoretical leak in beiscsi_create_eqs()
    - mwifiex: fix double free
    - IB/mlx4: Fix starvation in paravirt mux/demux
    - IB/mlx4: Adjust delayed work when a dup is observed
    - mtd: lpddr: fix excessive stack usage with clang
    - mtd: mtdoops: Don't write panic data twice
    - [armel,armhf] 9007/1: l2c: fix prefetch bits init in L2X0_AUX_CTRL using DT values
    - RDMA/qedr: Fix use of uninitialized field
    - [x86] perf intel-pt: Fix "context_switch event has no tid" error
    - [arm64] RDMA/hns: Set the unsupported wr opcode
    - overflow: Include header file with SIZE_MAX declaration
    - IB/rdmavt: Fix sizeof mismatch
    - rapidio: fix error handling path
    - rapidio: fix the missed put_device() for rio_mport_add_riodev
    - [arm64,armhf] clk: bcm2835: add missing release if devm_clk_hw_register fails
    - vfio/pci: Clear token on bypass registration failure
    - [armhf] Input: omap4-keypad - fix handling of platform_get_irq() error
    - [armhf] Input: twl4030_keypad - fix handling of platform_get_irq() error
    - [armhf] Input: sun4i-ps2 - fix handling of platform_get_irq() error
    - [x86] KVM: x86: emulating RDPID failure shall return #UD rather than #GP
    - [arm64] dts: qcom: msm8916: Fix MDP/DSI interrupts
    - [arm64] dts: zynqmp: Remove additional compatible string for i2c IPs
    - nvmet: fix uninitialized work for zero kato
    - [x86] crypto: ccp - fix error handling
    - media: firewire: fix memory leak
    - media: ati_remote: sanity check for both endpoints
    - [armhf] media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync
    - [armhf] media: exynos4-is: Fix a reference count leak due to pm_runtime_get_sync
    - [armhf] media: exynos4-is: Fix a reference count leak
    - media: media/pci: prevent memory leak in bttv_probe
    - media: uvcvideo: Ensure all probed info is returned to v4l2
    - mmc: sdio: Check for CISTPL_VERS_1 buffer size
    - media: saa7134: avoid a shift overflow
    - fs: dlm: fix configfs memory leak
    - ntfs: add check for mft record size in superblock
    - PM: hibernate: remove the bogus call to get_gendisk() in software_resume()
    - scsi: mvumi: Fix error return in mvumi_io_attach()
    - scsi: target: core: Add CONTROL field for trace events
    - [amd64] mic: vop: copy data to kernel space then write to io memory
    - [amd64] misc: vop: add round_up(x,4) for vring_size to avoid kernel panic
    - usb: gadget: function: printer: fix use-after-free in __lock_acquire
    - udf: Limit sparing table size
    - udf: Avoid accessing uninitialized data on failed inode read
    - USB: cdc-acm: handle broken union descriptors
    - ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs()
    - misc: rtsx: Fix memory leak in rtsx_pci_probe
    - reiserfs: only call unlock_new_inode() if I_NEW
    - xfs: make sure the rt allocator doesn't run off the end
    - usb: ohci: Default to per-port over-current protection
    - Bluetooth: Only mark socket zapped after unlocking
    - brcmsmac: fix memory leak in wlc_phy_attach_lcnphy
    - rtl8xxxu: prevent potential memory leak
    - Fix use after free in get_capset_info callback.
    - tty: ipwireless: fix error handling
    - ipvs: Fix uninit-value in do_ip_vs_set_ctl()
    - reiserfs: Fix memory leak in reiserfs_parse_options()
    - brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach
    - usb: core: Solve race condition in anchor cleanup functions
    - ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n()
    - usb: cdc-acm: add quirk to blacklist ETAS ES58X devices
    - USB: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync().
    - eeprom: at25: set minimum read/write access stride to 1
    - usb: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets.
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.242
    - SUNRPC: ECONNREFUSED should cause a rebind.
    - efivarfs: Replace invalid slashes with exclamation marks in dentries.
    - tipc: fix memory leak caused by tipc_buf_append()
    - [x86] arch/x86/amd/ibs: Fix re-arming IBS Fetch
    - fuse: fix page dereference after free
    - p54: avoid accessing the data mapped to streaming DMA
    - mtd: lpddr: Fix bad logic in print_drs_error
    - fscrypt: return -EXDEV for incompatible rename or link into encrypted dir
    - fscrypto: move ioctl processing more fully into common code
    - fscrypt: use EEXIST when file already uses different policy
    - f2fs: add trace exit in exception path
    - f2fs: fix to check segment boundary during SIT page readahead
    - um: change sigio_spinlock to a mutex
    - [armel,armhf] 8997/2: hw_breakpoint: Handle inexact watchpoint addresses
    - xfs: fix realtime bitmap/summary file truncation when growing rt volume
    - ath10k: fix VHT NSS calculation when STBC is enabled
    - media: tw5864: check status of tw5864_frameinterval_get
    - mmc: via-sdmmc: Fix data race bug
    - USB: adutux: fix debugging
    - [arm64] mm: return cpu_all_mask when node is NUMA_NO_NODE
    - drivers/net/wan/hdlc_fr: Correctly handle special skb->protocol values
    - md/bitmap: md_bitmap_get_counter returns wrong blocks
    - [armhf] clk: ti: clockdomain: fix static checker warning
    - net: 9p: initialize sun_server.sun_path to have addr's value only when addr is valid
    - ext4: Detect already used quota file early
    - gfs2: add validation checks for size of superblock
    - [armhf] memory: emif: Remove bogus debugfs error handling
    - md/raid5: fix oops during stripe resizing
    - [x86] perf/x86/amd/ibs: Don't include randomized bits in get_ibs_op_count()
    - [x86] perf/x86/amd/ibs: Fix raw sample data accumulation
    - fs: Don't invalidate page buffers in block_write_full_page()
    - NFS: fix nfs_path in case of a rename retry
    - ACPI / extlog: Check for RDMSR failure
    - ACPI: video: use ACPI backlight for HP 635 Notebook
    - ACPI: debug: don't allow debugging when ACPI is disabled
    - acpi-cpufreq: Honor _PSD table setting on new AMD CPUs
    - scsi: mptfusion: Fix null pointer dereferences in mptscsih_remove()
    - btrfs: reschedule if necessary when logging directory items
    - btrfs: cleanup cow block on error
    - btrfs: fix use-after-free on readahead extent after failure to create it
    - [arm64,armhf] usb: dwc3: core: add phy cleanup for probe error handling
    - [arm64,armhf] usb: dwc3: core: don't trigger runtime pm when remove driver
    - vt: keyboard, simplify vt_kdgkbsent
    - vt: keyboard, extend func_buf_lock to readers (CVE-2020-25656)
    - ubifs: dent: Fix some potential memory leaks while iterating entries
    - ubi: check kthread_should_stop() after the setting of task state
    - ceph: promote to unsigned long long before shifting
    - libceph: clear con->out_msg on Policy::stateful_server faults
    - 9P: Cast to loff_t before multiplying
    - ring-buffer: Return 0 on success from ring_buffer_resize()
    - vringh: fix __vringh_iov() when riov and wiov are different
    - tty: make FONTX ioctl use the tty pointer they were actually passed (CVE-2020-25668)
    - cachefiles: Handle readpage error correctly
    - device property: Keep secondary firmware node secondary by type
    - device property: Don't clear secondary pointer for shared primary firmware node
    - [arm64] KVM: arm64: Fix AArch32 handling of DBGD{CCINT,SCRext} and DBGVCR
    - [x86] staging: comedi: cb_pcidas: Allow 2-channel commands for AO subdevice
    - tipc: fix use-after-free in tipc_bcast_get_mode
    - ALSA: usb-audio: Add implicit feedback quirk for Qu-16
    - kthread_worker: prevent queuing delayed work from timer_fn when it is being canceled
    - ftrace: Fix recursion check for NMI test
    - ftrace: Handle tracing when switching between context
    - tracing: Fix out of bounds write in get_trace_buf
    - [armhf] dts: sun4i-a10: fix cpu_alert temperature
    - [x86] kexec: Use up-to-dated screen_info copy to fill boot params
    - of: Fix reserved-memory overlap detection
    - scsi: core: Don't start concurrent async scan on same host
    - vsock: use ns_capable_noaudit() on socket create
    - ACPI: NFIT: Fix comparison to '-ENXIO'
    - vt: Disable KD_FONT_OP_COPY (CVE-2020-28974)
    - fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent
    - USB: serial: cyberjack: fix write-URB completion race
    - USB: serial: option: add LE910Cx compositions 0x1203, 0x1230, 0x1231
    - USB: serial: option: add Telit FN980 composition 0x1055
    - USB: Add NO_LPM quirk for Kingston flash drive
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.243
    - powercap: restrict energy meter to root access (CVE-2020-8694)
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.244
    - regulator: defer probe when trying to get voltage from unresolved supply
    - ring-buffer: Fix recursion protection transitions between interrupt context
    - gfs2: Wake up when sd_glock_disposal becomes zero
    - mm: mempolicy: fix potential pte_unmap_unlock pte error
    - time: Prevent undefined behaviour in timespec64_to_ns()
    - btrfs: reschedule when cloning lots of extents
    - genirq: Let GENERIC_IRQ_IPI select IRQ_DOMAIN_HIERARCHY
    - net: xfrm: fix a race condition during allocing spi
    - perf tools: Add missing swap for ino_generation
    - ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link()
    - can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context
    - can: dev: __can_get_echo_skb(): fix real payload length return value for RTR frames
    - can: can_create_echo_skb(): fix echo skb generation: always use skb_clone()
    - can: peak_usb: add range checking in decode operations
    - can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping
    - xfs: flush new eof page on truncate to avoid post-eof corruption
    - Btrfs: fix missing error return if writeback for extent buffer never started
    - pinctrl: devicetree: Avoid taking direct reference to device name string (CVE-2020-0427)
    - i40e: Fix a potential NULL pointer dereference
    - i40e: add num_vectors checker in iwarp handler
    - i40e: Wrong truncation from u16 to u8
    - i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c
    - i40e: Memory leak in i40e_config_iwarp_qvlist
    - geneve: add transport ports in route lookup for geneve (CVE-2020-25645)
    - ath9k_htc: Use appropriate rs_datalen type
    - gfs2: Free rd_bits later in gfs2_clear_rgrpd to fix use-after-free
    - gfs2: check for live vs. read-only file system in gfs2_fitrim
    - scsi: hpsa: Fix memory leak in hpsa_init_one()
    - drm/amdgpu: perform srbm soft reset always on SDMA resume
    - mac80211: fix use of skb payload instead of header
    - cfg80211: regulatory: Fix inconsistent format argument
    - scsi: scsi_dh_alua: Avoid crash during alua_bus_detach()
    - [amd64] iommu/amd: Increase interrupt remapping table limit to 512 entries
    - xfs: fix flags argument to rmap lookup when converting shared file rmaps
    - xfs: fix rmap key and record comparison functions
    - xfs: fix a missing unlock on error in xfs_fs_map_blocks
    - of/address: Fix of_node memory leak in of_dma_is_coherent
    - [i386] cosa: Add missing kfree in error path of cosa_write
    - perf: Fix get_recursion_context()
    - ext4: correctly report "not supported" for {usr,grp}jquota when !CONFIG_QUOTA
    - ext4: unlock xattr_sem properly in ext4_inline_data_truncate()
    - usb: cdc-acm: Add DISABLE_ECHO for Renesas USB Download mode
    - [x86] mei: protect mei_cl_mtu from null dereference
    - ocfs2: initialize ip_next_orphan
    - don't dump the threads that had been already exiting when zapped.
    - [x86] drm/gma500: Fix out-of-bounds access to struct drm_device.vblank[]
    - [x86] pinctrl: amd: use higher precision for 512 RtcClk
    - [x86] pinctrl: amd: fix incorrect way to disable debounce filter
    - swiotlb: fix "x86: Don't panic if can not alloc buffer for swiotlb"
    - IPv6: Set SIT tunnel hard_header_len to zero
    - net/x25: Fix null-ptr-deref in x25_connect
    - net: Update window_clamp if SOCK_RCVBUF is set
    - random32: make prandom_u32() output unpredictable
    - [x86] speculation: Allow IBPB to be conditionally enabled on CPUs with always-on STIBP
    - perf/core: Fix bad use of igrab()
    - perf/core: Fix crash when using HW tracing kernel filters
    - perf/core: Fix a memory leak in perf_event_parse_addr_filter() (CVE-2020-25704)
    - xen/events: avoid removing an event channel while handling it (CVE-2020-27675)
    - xen/events: Fix potential DoS of dom0 by rogue guests (CVE-2020-27673):
      + xen/events: add a proper barrier to 2-level uevent unmasking
      + xen/events: fix race in evtchn_fifo_unmask()
      + xen/events: add a new "late EOI" evtchn framework
      + xen/blkback: use lateeoi irq binding
      + xen/netback: use lateeoi irq binding
      + xen/scsiback: use lateeoi irq binding
      + xen/pciback: use lateeoi irq binding
      + xen/events: switch user event channels to lateeoi model
      + xen/events: use a common cpu hotplug hook for event channels
      + xen/events: defer eoi in case of excessive number of events
      + xen/events: block rogue events for some time
    - perf/core: Fix race in the perf_mmap_close() function (CVE-2020-14351)
    - Revert "kernel/reboot.c: convert simple_strtoul to kstrtoint"
    - reboot: fix overflow parsing reboot cpu number
    - ext4: fix leaking sysfs kobject after failed mount
    - Convert trailing spaces and periods in path components
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.245
    - [armhf] i2c: imx: use clk notifier for rate changes
    - [armhf] i2c: imx: Fix external abort on interrupt in exit paths
    - [armhf] i2c: mux: pca954x: Add missing pca9546 definition to chip_desc
    - [x86] Input: sunkbd - avoid use-after-free in teardown paths (CVE-2020-25669)
    - mac80211: always wind down STA state
    - [x86] KVM: x86: clflushopt should be treated as a no-op by emulation
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.246
    - ah6: fix error return code in ah6_input()
    - atm: nicstar: Unmap DMA on send error
    - bnxt_en: read EEPROM A2h address using page 0
    - devlink: Add missing genlmsg_cancel() in devlink_nl_sb_port_pool_fill()
    - inet_diag: Fix error path to cancel the meseage in inet_req_diag_fill()
    - net: b44: fix error return code in b44_init_one()
    - net: bridge: add missing counters to ndo_get_stats64 callback
    - net: Have netpoll bring-up DSA management interface
    - netlabel: fix our progress tracking in netlbl_unlabel_staticlist()
    - netlabel: fix an uninitialized warning in netlbl_unlabel_staticlist()
    - net/mlx4_core: Fix init_hca fields offset
    - net: x25: Increase refcnt of "struct x25_neigh" in x25_rx_call_request
    - qlcnic: fix error return code in qlcnic_83xx_restart_hw()
    - sctp: change to hold/put transport for proto_unreach_timer
    - net: usb: qmi_wwan: Set DTR quirk for MR400
    - tcp: only postpone PROBE_RTT if RTT is < current min_rtt estimate
    - [armhf] pinctrl: rockchip: enable gpio pclk for rockchip_gpio_to_irq
    - [arm64] psci: Avoid printing in cpu_psci_cpu_die()
    - vfs: remove lockdep bogosity in __sb_start_write
    - [armhf] dts: imx6qdl-udoo: fix rgmii phy-mode for ksz9031 phy
    - [armhf] dts: imx50-evk: Fix the chip select 1 IOMUX
    - perf lock: Don't free "lock_seq_stat" if read_count isn't zero
    - can: dev: can_restart(): post buffer from the right context
    - can: peak_usb: fix potential integer overflow on shift of a int
    - [armhf] regulator: ti-abb: Fix array out of bound read access on the first transition
    - xfs: revert "xfs: fix rmap key and record comparison functions"
    - libfs: fix error cast of negative value in simple_attr_write()
    - ALSA: ctl: fix error path at adding user-defined element set
    - ALSA: mixart: Fix mutex deadlock
    - tty: serial: imx: keep console clocks always on
    - ext4: fix bogus warning in ext4_update_dx_flag()
    - [x86] iio: accel: kxcjk1013: Replace is_smo8500_device with an acpi_type enum
    - regulator: fix memory leak with repeated set_machine_constraints()
    - mac80211: minstrel: remove deferred sampling code
    - mac80211: minstrel: fix tx status processing corner case
    - mac80211: free sta in sta_info_insert_finish() on errors
    - [x86] microcode/intel: Check patch signature before saving microcode for early loading

  [ Ben Hutchings ]
  * fscrypto: Ignore ABI changes
  * xen/events: Ignore ABI changes
  * efivarfs: revert "fix memory leak in efivarfs_create()" (regression in 4.9.246)
  * [x86] speculation: Fix prctl() when spectre_v2_user={seccomp,prctl},ibpb (regressions in 4.9.228, 4.9.244)
  * regulator: avoid resolve_supply() infinite recursion (regression in 4.9.241)
  * regulator: workaround self-referent regulators (regression in 4.9.241)
  * bonding: wait for sysfs kobject destruction before freeing struct slave (regression in 4.9.226)
  * [x86] iommu/amd: Set DTE[IntTabLen] to represent 512 IRTEs (regression in 4.9.244)

Source openssl1.0, binaries: libssl1.0.2:amd64 libssl1.0.2:arm64

openssl1.0 (1.0.2u-1~deb9u3) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS team.
  * CVE-2020-1971: EDIPARTYNAME NULL pointer de-reference.

Source lxml, binaries: python-lxml:amd64 python-lxml:arm64

lxml (3.7.1-1+deb9u2) stretch-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * CVE-2020-27783: Backport additional upstream commit
    a105ab8dc262ec6735977c25c13f0bdfcdec72a7 to address math/svg part of
    the vulnerability and complete the fix

 -- Steve McIntyre <93sam@debian.org>  Thu, 17 Dec 2020 23:58:43 +0000

9.13.9-20201210

Updates in 4 source package(s), 14 binary package(s):

Source apt, binaries: apt:amd64 apt-utils:amd64 libapt-inst2.0:amd64 libapt-pkg5.0:amd64 apt:arm64 apt-utils:arm64 libapt-inst2.0:arm64 libapt-pkg5.0:arm64

apt (1.4.11) stretch-security; urgency=high

  * SECURITY UPDATE: Integer overflow in parsing (LP: #1899193)
    - apt-pkg/contrib/arfile.cc: add extra checks.
    - apt-pkg/contrib/tarfile.cc: limit tar item sizes to 128 GiB
    - apt-pkg/deb/debfile.cc: limit control file sizes to 64 MiB
    - test/*: add tests.
    - CVE-2020-27350
  * Additional hardening:
    - apt-pkg/contrib/tarfile.cc: Limit size of long names and links to 1 MiB
  * Fix autopkgtest regression in 1.8.2.1 security update

Source lxml, binaries: python-lxml:amd64 python-lxml:arm64

lxml (3.7.1-1+deb9u1) stretch-security; urgency=medium

  * Non-maintainer upload by the Debian LTS Team.
  * CVE-2018-19787: lxml/html/clean.py in the lxml.html.clean module does
    not remove javascript: URLs that use escaping.
  * CVE-2020-27783: Prevent combinations of