
The thirteenth and final update of the oldstable distribution Debian GNU/Linux 9 is available. This point release mainly adds corrections for security issues, along with a few adjustments for serious problems.




Updated Debian 9: 9.13 released

------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 9: 9.13 released                         press@debian.org
July 18th, 2020                https://www.debian.org/News/2020/20200718
------------------------------------------------------------------------

The Debian project is pleased to announce the thirteenth (and final)
update of its oldstable distribution Debian 9 (codename "stretch"). This
point release mainly adds corrections for security issues, along with a
few adjustments for serious problems. Security advisories have already
been published separately and are referenced where available.

After this point release, Debian's Security and Release Teams will no
longer be producing updates for Debian 9. Users wishing to continue to
receive security support should upgrade to Debian 10, or see
https://wiki.debian.org/LTS for details about the subset of
architectures and packages covered by the Long Term Support project.

Please note that the point release does not constitute a new version of
Debian 9 but only updates some of the packages included. There is no
need to throw away old "stretch" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list


Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following
packages:

+--------------------------+------------------------------------------+
| Package | Reason |
+--------------------------+------------------------------------------+
| acmetool [1] | Rebuild against recent golang to pick up |
| | security fixes |
| | |
| atril [2] | dvi: Mitigate command injection attacks |
| | by quoting filename [CVE-2017-1000159]; |
| | fix overflow checks in tiff backend |
| | [CVE-2019-1010006]; tiff: Handle failure |
| | from TIFFReadRGBAImageOriented |
| | [CVE-2019-11459] |
| | |
| bacula [3] | Add transitional package bacula- |
| | director-common, avoiding loss of /etc/ |
| | bacula/bacula-dir.conf when purged; make |
| | PID files owned by root |
| | |
| base-files [4] | Update /etc/debian_version for the point |
| | release |
| | |
| batik [5] | Fix server-side request forgery via |
| | xlink:href attributes [CVE-2019-17566] |
| | |
| c-icap-modules [6] | Support ClamAV 0.102 |
| | |
| ca-certificates [7] | Update Mozilla CA bundle to 2.40, |
| | blacklist distrusted Symantec roots and |
| | expired "AddTrust External Root"; |
| | remove e-mail only certificates |
| | |
| chasquid [8] | Rebuild against recent golang to pick up |
| | security fixes |
| | |
| checkstyle [9] | Fix XML External Entity injection issue |
| | [CVE-2019-9658 CVE-2019-10782] |
| | |
| clamav [10] | New upstream release [CVE-2020-3123]; |
| | security fixes [CVE-2020-3327 CVE-2020- |
| | 3341] |
| | |
| compactheader [11] | New upstream version, compatible with |
| | newer Thunderbird versions |
| | |
| cram [12] | Ignore test failures to fix build issues |
| | |
| csync2 [13] | Fail HELLO command when SSL is required |
| | |
| cups [14] | Fix heap buffer overflow [CVE-2020-3898] |
| | and "the `ippReadIO` function may |
| | under-read an extension |
| | field" [CVE-2019-8842] |
| | |
| dbus [15] | New upstream stable release; prevent a |
| | denial of service issue [CVE-2020- |
| | 12049]; prevent use-after-free if two |
| | usernames share a uid |
| | |
| debian-installer [16] | Update for the 4.9.0-13 Linux kernel ABI |
| | |
| debian-installer- | Rebuild against stretch-proposed-updates |
| netboot-images [17] | |
| | |
| debian-security- | Update support status of several |
| support [18] | packages |
| | |
| erlang [19] | Fix use of weak TLS ciphers [CVE-2020- |
| | 12872] |
| | |
| exiv2 [20] | Fix denial of service issue [CVE-2018- |
| | 16336]; fix over-restrictive fix for |
| | CVE-2018-10958 and CVE-2018-10999 |
| | |
| fex [21] | Security update |
| | |
| file-roller [22] | Security fix [CVE-2020-11736] |
| | |
| fwupd [23] | New upstream release; use a CNAME to |
| | redirect to the correct CDN for |
| | metadata; do not abort startup if the |
| | XML metadata file is invalid; add the |
| | Linux Foundation public GPG keys for |
| | firmware and metadata; raise the |
| | metadata limit to 10MB |
| | |
| glib-networking [24] | Return bad identity error if identity is |
| | unset [CVE-2020-13645] |
| | |
| gnutls28 [25] | Fix memory corruption issue [CVE-2019- |
| | 3829]; fix memory leak; add support for |
| | zero length session tickets, fix |
| | connection errors on TLS1.2 sessions to |
| | some hosting providers |
| | |
| gosa [26] | Tighten check on LDAP success/failure |
| | [CVE-2019-11187]; fix compatibility with |
| | newer PHP versions; backport several |
| | other patches; replace (un)serialize |
| | with json_encode/json_decode to mitigate |
| | PHP object injection [CVE-2019-14466] |
| | |
| heartbleeder [27] | Rebuild against recent golang to pick up |
| | security fixes |
| | |
| intel-microcode [28] | Downgrade some microcodes to previously |
| | released revisions, working around hangs |
| | on boot on Skylake-U/Y and Skylake Xeon |
| | E3 |
| | |
| iptables-persistent [29] | Don't fail if modprobe does |
| | |
| jackson-databind [30] | Fix multiple security issues affecting |
| | BeanDeserializerFactory [CVE-2020-9548 |
| | CVE-2020-9547 CVE-2020-9546 CVE-2020- |
| | 8840 CVE-2020-14195 CVE-2020-14062 |
| | CVE-2020-14061 CVE-2020-14060 CVE-2020- |
| | 11620 CVE-2020-11619 CVE-2020-11113 |
| | CVE-2020-11112 CVE-2020-11111 CVE-2020- |
| | 10969 CVE-2020-10968 CVE-2020-10673 |
| | CVE-2020-10672 CVE-2019-20330 CVE-2019- |
| | 17531 and CVE-2019-17267] |
| | |
| libbusiness-hours- | Use explicit 4 digit years, fixing build |
| perl [31] | and usage issues |
| | |
| libclamunrar [32] | New upstream stable release; add an |
| | unversioned meta-package |
| | |
| libdbi [33] | Comment out _error_handler() call again, |
| | fixing issues with consumers |
| | |
| libembperl-perl [34] | Handle error pages from Apache >= 2.4.40 |
| | |
| libexif [35] | Security fixes [CVE-2016-6328 CVE-2017- |
| | 7544 CVE-2018-20030 CVE-2020-12767 |
| | CVE-2020-0093]; security fixes |
| | [CVE-2020-13112 CVE-2020-13113 CVE-2020- |
| | 13114]; fix a buffer read overflow |
| | [CVE-2020-0182] and an unsigned integer |
| | overflow [CVE-2020-0198] |
| | |
| libvncserver [36] | Fix heap overflow [CVE-2019-15690] |
| | |
| linux [37] | New upstream stable release; update ABI |
| | to 4.9.0-13 |
| | |
| linux-latest [38] | Update for 4.9.0-13 kernel ABI |
| | |
| mariadb-10.1 [39] | New upstream stable release; security |
| | fixes [CVE-2020-2752 CVE-2020-2812 |
| | CVE-2020-2814] |
| | |
| megatools [40] | Add support for the new format of |
| | mega.nz links |
| | |
| mod-gnutls [41] | Avoid deprecated ciphersuites in test |
| | suite; fix test failures when combined |
| | with Apache's fix for CVE-2019-10092 |
| | |
| mongo-tools [42] | Rebuild against recent golang to pick up |
| | security fixes |
| | |
| neon27 [43] | Treat OpenSSL-related test failures as |
| | non-fatal |
| | |
| nfs-utils [44] | Fix potential file overwrite |
| | vulnerability [CVE-2019-3689]; don't |
| | make all of /var/lib/nfs owned by the |
| | statd user |
| | |
| nginx [45] | Fix error page request smuggling |
| | vulnerability [CVE-2019-20372] |
| | |
| node-url-parse [46] | Sanitize paths and hosts before parsing |
| | [CVE-2018-3774] |
| | |
| nvidia-graphics- | New upstream stable release; new |
| drivers [47] | upstream stable release; security fixes |
| | [CVE-2020-5963 CVE-2020-5967] |
| | |
| pcl [48] | Fix missing dependency on libvtk6-qt-dev |
| | |
| perl [49] | Fix multiple regular expression related |
| | security issues [CVE-2020-10543 |
| | CVE-2020-10878 CVE-2020-12723] |
| | |
| php-horde [50] | Fix cross-site scripting vulnerability |
| | [CVE-2020-8035] |
| | |
| php-horde-data [51] | Fix authenticated remote code execution |
| | vulnerability [CVE-2020-8518] |
| | |
| php-horde-form [52] | Fix authenticated remote code execution |
| | vulnerability [CVE-2020-8866] |
| | |
| php-horde-gollem [53] | Fix cross-site scripting vulnerability |
| | in breadcrumb output [CVE-2020-8034] |
| | |
| php-horde-trean [54] | Fix authenticated remote code execution |
| | vulnerability [CVE-2020-8865] |
| | |
| phpmyadmin [55] | Several security fixes [CVE-2018-19968 |
| | CVE-2018-19970 CVE-2018-7260 CVE-2019- |
| | 11768 CVE-2019-12616 CVE-2019-6798 |
| | CVE-2019-6799 CVE-2020-10802 CVE-2020- |
| | 10803 CVE-2020-10804 CVE-2020-5504] |
| | |
| postfix [56] | New upstream stable release |
| | |
| proftpd-dfsg [57] | Fix handling SSH_MSG_IGNORE packets |
| | |
| python-icalendar [58] | Fix Python3 dependencies |
| | |
| rails [59] | Fix possible cross-site scripting via |
| | Javascript escape helper [CVE-2020-5267] |
| | |
| rake [60] | Fix command injection vulnerability |
| | [CVE-2020-8130] |
| | |
| roundcube [61] | Fix cross-site scripting issue via HTML |
| | messages with malicious svg/namespace |
| | [CVE-2020-15562] |
| | |
| ruby-json [62] | Fix unsafe object creation vulnerability |
| | [CVE-2020-10663] |
| | |
| ruby2.3 [63] | Fix unsafe object creation vulnerability |
| | [CVE-2020-10663] |
| | |
| sendmail [64] | Fix finding the queue runner control |
| | process in "split daemon" mode, |
| | "NOQUEUE: connect from (null)", removal |
| | failure when using BTRFS |
| | |
| sogo-connector [65] | New upstream version, compatible with |
| | newer Thunderbird versions |
| | |
| ssvnc [66] | Fix out-of-bounds write [CVE-2018- |
| | 20020], infinite loop [CVE-2018-20021], |
| | improper initialisation [CVE-2018- |
| | 20022], potential denial-of-service |
| | [CVE-2018-20024] |
| | |
| storebackup [67] | Fix possible privilege escalation |
| | vulnerability [CVE-2020-7040] |
| | |
| swt-gtk [68] | Fix missing dependency on |
| | libwebkitgtk-1.0-0 |
| | |
| tinyproxy [69] | Create PID file before dropping |
| | privileges to non-root account |
| | [CVE-2017-11747] |
| | |
| tzdata [70] | New upstream stable release |
| | |
| websockify [71] | Fix missing dependency on python{3,}- |
| | pkg-resources |
| | |
| wpa [72] | Fix AP mode PMF disconnection protection |
| | bypass [CVE-2019-16275]; fix MAC |
| | randomisation issues with some cards |
| | |
| xdg-utils [73] | Sanitise window name before sending it |
| | over D-Bus; correctly handle directories |
| | with names containing spaces; create the |
| | "applications" directory if needed |
| | |
| xml-security-c [74] | Fix length calculation in the concat |
| | method |
| | |
| xtrlock [75] | Fix blocking of (some) multitouch |
| | devices while locked [CVE-2016-10894] |
| | |
+--------------------------+------------------------------------------+

1: https://packages.debian.org/src:acmetool
2: https://packages.debian.org/src:atril
3: https://packages.debian.org/src:bacula
4: https://packages.debian.org/src:base-files
5: https://packages.debian.org/src:batik
6: https://packages.debian.org/src:c-icap-modules
7: https://packages.debian.org/src:ca-certificates
8: https://packages.debian.org/src:chasquid
9: https://packages.debian.org/src:checkstyle
10: https://packages.debian.org/src:clamav
11: https://packages.debian.org/src:compactheader
12: https://packages.debian.org/src:cram
13: https://packages.debian.org/src:csync2
14: https://packages.debian.org/src:cups
15: https://packages.debian.org/src:dbus
16: https://packages.debian.org/src:debian-installer
17: https://packages.debian.org/src:debian-installer-netboot-images
18: https://packages.debian.org/src:debian-security-support
19: https://packages.debian.org/src:erlang
20: https://packages.debian.org/src:exiv2
21: https://packages.debian.org/src:fex
22: https://packages.debian.org/src:file-roller
23: https://packages.debian.org/src:fwupd
24: https://packages.debian.org/src:glib-networking
25: https://packages.debian.org/src:gnutls28
26: https://packages.debian.org/src:gosa
27: https://packages.debian.org/src:heartbleeder
28: https://packages.debian.org/src:intel-microcode
29: https://packages.debian.org/src:iptables-persistent
30: https://packages.debian.org/src:jackson-databind
31: https://packages.debian.org/src:libbusiness-hours-perl
32: https://packages.debian.org/src:libclamunrar
33: https://packages.debian.org/src:libdbi
34: https://packages.debian.org/src:libembperl-perl
35: https://packages.debian.org/src:libexif
36: https://packages.debian.org/src:libvncserver
37: https://packages.debian.org/src:linux
38: https://packages.debian.org/src:linux-latest
39: https://packages.debian.org/src:mariadb-10.1
40: https://packages.debian.org/src:megatools
41: https://packages.debian.org/src:mod-gnutls
42: https://packages.debian.org/src:mongo-tools
43: https://packages.debian.org/src:neon27
44: https://packages.debian.org/src:nfs-utils
45: https://packages.debian.org/src:nginx
46: https://packages.debian.org/src:node-url-parse
47: https://packages.debian.org/src:nvidia-graphics-drivers
48: https://packages.debian.org/src:pcl
49: https://packages.debian.org/src:perl
50: https://packages.debian.org/src:php-horde
51: https://packages.debian.org/src:php-horde-data
52: https://packages.debian.org/src:php-horde-form
53: https://packages.debian.org/src:php-horde-gollem
54: https://packages.debian.org/src:php-horde-trean
55: https://packages.debian.org/src:phpmyadmin
56: https://packages.debian.org/src:postfix
57: https://packages.debian.org/src:proftpd-dfsg
58: https://packages.debian.org/src:python-icalendar
59: https://packages.debian.org/src:rails
60: https://packages.debian.org/src:rake
61: https://packages.debian.org/src:roundcube
62: https://packages.debian.org/src:ruby-json
63: https://packages.debian.org/src:ruby2.3
64: https://packages.debian.org/src:sendmail
65: https://packages.debian.org/src:sogo-connector
66: https://packages.debian.org/src:ssvnc
67: https://packages.debian.org/src:storebackup
68: https://packages.debian.org/src:swt-gtk
69: https://packages.debian.org/src:tinyproxy
70: https://packages.debian.org/src:tzdata
71: https://packages.debian.org/src:websockify
72: https://packages.debian.org/src:wpa
73: https://packages.debian.org/src:xdg-utils
74: https://packages.debian.org/src:xml-security-c
75: https://packages.debian.org/src:xtrlock

Security Updates
----------------

This revision adds the following security updates to the oldstable
release. The Security Team has already released an advisory for each of
these updates:

+----------------+----------------------------+
| Advisory ID | Package |
+----------------+----------------------------+
| DSA-4005 [76] | openjfx [77] |
| | |
| DSA-4255 [78] | ant [79] |
| | |
| DSA-4352 [80] | chromium-browser [81] |
| | |
| DSA-4379 [82] | golang-1.7 [83] |
| | |
| DSA-4380 [84] | golang-1.8 [85] |
| | |
| DSA-4395 [86] | chromium [87] |
| | |
| DSA-4421 [88] | chromium [89] |
| | |
| DSA-4616 [90] | qemu [91] |
| | |
| DSA-4617 [92] | qtbase-opensource-src [93] |
| | |
| DSA-4618 [94] | libexif [95] |
| | |
| DSA-4619 [96] | libxmlrpc3-java [97] |
| | |
| DSA-4620 [98] | firefox-esr [99] |
| | |
| DSA-4621 [100] | openjdk-8 [101] |
| | |
| DSA-4622 [102] | postgresql-9.6 [103] |
| | |
| DSA-4624 [104] | evince [105] |
| | |
| DSA-4625 [106] | thunderbird [107] |
| | |
| DSA-4628 [108] | php7.0 [109] |
| | |
| DSA-4629 [110] | python-django [111] |
| | |
| DSA-4630 [112] | python-pysaml2 [113] |
| | |
| DSA-4631 [114] | pillow [115] |
| | |
| DSA-4632 [116] | ppp [117] |
| | |
| DSA-4633 [118] | curl [119] |
| | |
| DSA-4634 [120] | opensmtpd [121] |
| | |
| DSA-4635 [122] | proftpd-dfsg [123] |
| | |
| DSA-4637 [124] | network-manager-ssh [125] |
| | |
| DSA-4639 [126] | firefox-esr [127] |
| | |
| DSA-4640 [128] | graphicsmagick [129] |
| | |
| DSA-4642 [130] | thunderbird [131] |
| | |
| DSA-4646 [132] | icu [133] |
| | |
| DSA-4647 [134] | bluez [135] |
| | |
| DSA-4648 [136] | libpam-krb5 [137] |
| | |
| DSA-4650 [138] | qbittorrent [139] |
| | |
| DSA-4653 [140] | firefox-esr [141] |
| | |
| DSA-4655 [142] | firefox-esr [143] |
| | |
| DSA-4656 [144] | thunderbird [145] |
| | |
| DSA-4657 [146] | git [147] |
| | |
| DSA-4659 [148] | git [149] |
| | |
| DSA-4660 [150] | awl [151] |
| | |
| DSA-4663 [152] | python-reportlab [153] |
| | |
| DSA-4664 [154] | mailman [155] |
| | |
| DSA-4666 [156] | openldap [157] |
| | |
| DSA-4668 [158] | openjdk-8 [159] |
| | |
| DSA-4670 [160] | tiff [161] |
| | |
| DSA-4671 [162] | vlc [163] |
| | |
| DSA-4673 [164] | tomcat8 [165] |
| | |
| DSA-4674 [166] | roundcube [167] |
| | |
| DSA-4675 [168] | graphicsmagick [169] |
| | |
| DSA-4676 [170] | salt [171] |
| | |
| DSA-4677 [172] | wordpress [173] |
| | |
| DSA-4678 [174] | firefox-esr [175] |
| | |
| DSA-4683 [176] | thunderbird [177] |
| | |
| DSA-4685 [178] | apt [179] |
| | |
| DSA-4686 [180] | apache-log4j1.2 [181] |
| | |
| DSA-4687 [182] | exim4 [183] |
| | |
| DSA-4688 [184] | dpdk [185] |
| | |
| DSA-4689 [186] | bind9 [187] |
| | |
| DSA-4692 [188] | netqmail [189] |
| | |
| DSA-4693 [190] | drupal7 [191] |
| | |
| DSA-4695 [192] | firefox-esr [193] |
| | |
| DSA-4698 [194] | linux [195] |
| | |
| DSA-4700 [196] | roundcube [197] |
| | |
| DSA-4701 [198] | intel-microcode [199] |
| | |
| DSA-4702 [200] | thunderbird [201] |
| | |
| DSA-4703 [202] | mysql-connector-java [203] |
| | |
| DSA-4704 [204] | vlc [205] |
| | |
| DSA-4705 [206] | python-django [207] |
| | |
| DSA-4706 [208] | drupal7 [209] |
| | |
| DSA-4707 [210] | mutt [211] |
| | |
| DSA-4711 [212] | coturn [213] |
| | |
| DSA-4713 [214] | firefox-esr [215] |
| | |
| DSA-4715 [216] | imagemagick [217] |
| | |
| DSA-4717 [218] | php7.0 [219] |
| | |
| DSA-4718 [220] | thunderbird [221] |
| | |
+----------------+----------------------------+

76: https://www.debian.org/security/2017/dsa-4005
77: https://packages.debian.org/src:openjfx
78: https://www.debian.org/security/2018/dsa-4255
79: https://packages.debian.org/src:ant
80: https://www.debian.org/security/2018/dsa-4352
81: https://packages.debian.org/src:chromium-browser
82: https://www.debian.org/security/2019/dsa-4379
83: https://packages.debian.org/src:golang-1.7
84: https://www.debian.org/security/2019/dsa-4380
85: https://packages.debian.org/src:golang-1.8
86: https://www.debian.org/security/2019/dsa-4395
87: https://packages.debian.org/src:chromium
88: https://www.debian.org/security/2019/dsa-4421
89: https://packages.debian.org/src:chromium
90: https://www.debian.org/security/2020/dsa-4616
91: https://packages.debian.org/src:qemu
92: https://www.debian.org/security/2020/dsa-4617
93: https://packages.debian.org/src:qtbase-opensource-src
94: https://www.debian.org/security/2020/dsa-4618
95: https://packages.debian.org/src:libexif
96: https://www.debian.org/security/2020/dsa-4619
97: https://packages.debian.org/src:libxmlrpc3-java
98: https://www.debian.org/security/2020/dsa-4620
99: https://packages.debian.org/src:firefox-esr
100: https://www.debian.org/security/2020/dsa-4621
101: https://packages.debian.org/src:openjdk-8
102: https://www.debian.org/security/2020/dsa-4622
103: https://packages.debian.org/src:postgresql-9.6
104: https://www.debian.org/security/2020/dsa-4624
105: https://packages.debian.org/src:evince
106: https://www.debian.org/security/2020/dsa-4625
107: https://packages.debian.org/src:thunderbird
108: https://www.debian.org/security/2020/dsa-4628
109: https://packages.debian.org/src:php7.0
110: https://www.debian.org/security/2020/dsa-4629
111: https://packages.debian.org/src:python-django
112: https://www.debian.org/security/2020/dsa-4630
113: https://packages.debian.org/src:python-pysaml2
114: https://www.debian.org/security/2020/dsa-4631
115: https://packages.debian.org/src:pillow
116: https://www.debian.org/security/2020/dsa-4632
117: https://packages.debian.org/src:ppp
118: https://www.debian.org/security/2020/dsa-4633
119: https://packages.debian.org/src:curl
120: https://www.debian.org/security/2020/dsa-4634
121: https://packages.debian.org/src:opensmtpd
122: https://www.debian.org/security/2020/dsa-4635
123: https://packages.debian.org/src:proftpd-dfsg
124: https://www.debian.org/security/2020/dsa-4637
125: https://packages.debian.org/src:network-manager-ssh
126: https://www.debian.org/security/2020/dsa-4639
127: https://packages.debian.org/src:firefox-esr
128: https://www.debian.org/security/2020/dsa-4640
129: https://packages.debian.org/src:graphicsmagick
130: https://www.debian.org/security/2020/dsa-4642
131: https://packages.debian.org/src:thunderbird
132: https://www.debian.org/security/2020/dsa-4646
133: https://packages.debian.org/src:icu
134: https://www.debian.org/security/2020/dsa-4647
135: https://packages.debian.org/src:bluez
136: https://www.debian.org/security/2020/dsa-4648
137: https://packages.debian.org/src:libpam-krb5
138: https://www.debian.org/security/2020/dsa-4650
139: https://packages.debian.org/src:qbittorrent
140: https://www.debian.org/security/2020/dsa-4653
141: https://packages.debian.org/src:firefox-esr
142: https://www.debian.org/security/2020/dsa-4655
143: https://packages.debian.org/src:firefox-esr
144: https://www.debian.org/security/2020/dsa-4656
145: https://packages.debian.org/src:thunderbird
146: https://www.debian.org/security/2020/dsa-4657
147: https://packages.debian.org/src:git
148: https://www.debian.org/security/2020/dsa-4659
149: https://packages.debian.org/src:git
150: https://www.debian.org/security/2020/dsa-4660
151: https://packages.debian.org/src:awl
152: https://www.debian.org/security/2020/dsa-4663
153: https://packages.debian.org/src:python-reportlab
154: https://www.debian.org/security/2020/dsa-4664
155: https://packages.debian.org/src:mailman
156: https://www.debian.org/security/2020/dsa-4666
157: https://packages.debian.org/src:openldap
158: https://www.debian.org/security/2020/dsa-4668
159: https://packages.debian.org/src:openjdk-8
160: https://www.debian.org/security/2020/dsa-4670
161: https://packages.debian.org/src:tiff
162: https://www.debian.org/security/2020/dsa-4671
163: https://packages.debian.org/src:vlc
164: https://www.debian.org/security/2020/dsa-4673
165: https://packages.debian.org/src:tomcat8
166: https://www.debian.org/security/2020/dsa-4674
167: https://packages.debian.org/src:roundcube
168: https://www.debian.org/security/2020/dsa-4675
169: https://packages.debian.org/src:graphicsmagick
170: https://www.debian.org/security/2020/dsa-4676
171: https://packages.debian.org/src:salt
172: https://www.debian.org/security/2020/dsa-4677
173: https://packages.debian.org/src:wordpress
174: https://www.debian.org/security/2020/dsa-4678
175: https://packages.debian.org/src:firefox-esr
176: https://www.debian.org/security/2020/dsa-4683
177: https://packages.debian.org/src:thunderbird
178: https://www.debian.org/security/2020/dsa-4685
179: https://packages.debian.org/src:apt
180: https://www.debian.org/security/2020/dsa-4686
181: https://packages.debian.org/src:apache-log4j1.2
182: https://www.debian.org/security/2020/dsa-4687
183: https://packages.debian.org/src:exim4
184: https://www.debian.org/security/2020/dsa-4688
185: https://packages.debian.org/src:dpdk
186: https://www.debian.org/security/2020/dsa-4689
187: https://packages.debian.org/src:bind9
188: https://www.debian.org/security/2020/dsa-4692
189: https://packages.debian.org/src:netqmail
190: https://www.debian.org/security/2020/dsa-4693
191: https://packages.debian.org/src:drupal7
192: https://www.debian.org/security/2020/dsa-4695
193: https://packages.debian.org/src:firefox-esr
194: https://www.debian.org/security/2020/dsa-4698
195: https://packages.debian.org/src:linux
196: https://www.debian.org/security/2020/dsa-4700
197: https://packages.debian.org/src:roundcube
198: https://www.debian.org/security/2020/dsa-4701
199: https://packages.debian.org/src:intel-microcode
200: https://www.debian.org/security/2020/dsa-4702
201: https://packages.debian.org/src:thunderbird
202: https://www.debian.org/security/2020/dsa-4703
203: https://packages.debian.org/src:mysql-connector-java
204: https://www.debian.org/security/2020/dsa-4704
205: https://packages.debian.org/src:vlc
206: https://www.debian.org/security/2020/dsa-4705
207: https://packages.debian.org/src:python-django
208: https://www.debian.org/security/2020/dsa-4706
209: https://packages.debian.org/src:drupal7
210: https://www.debian.org/security/2020/dsa-4707
211: https://packages.debian.org/src:mutt
212: https://www.debian.org/security/2020/dsa-4711
213: https://packages.debian.org/src:coturn
214: https://www.debian.org/security/2020/dsa-4713
215: https://packages.debian.org/src:firefox-esr
216: https://www.debian.org/security/2020/dsa-4715
217: https://packages.debian.org/src:imagemagick
218: https://www.debian.org/security/2020/dsa-4717
219: https://packages.debian.org/src:php7.0
220: https://www.debian.org/security/2020/dsa-4718
221: https://packages.debian.org/src:thunderbird

Removed packages
----------------

The following packages were removed due to circumstances beyond our
control:

+------------------------------+---------------------------------------+
| Package | Reason |
+------------------------------+---------------------------------------+
| certificatepatrol [222] | Incompatible with newer Firefox ESR |
| | versions |
| | |
| colorediffs-extension [223] | Incompatible with newer Thunderbird |
| | versions |
| | |
| dynalogin [224] | Depends on to-be-removed simpleid |
| | |
| enigmail [225] | Incompatible with newer Thunderbird |
| | versions |
| | |
| firefox-esr [226] | [armel] No longer supported (requires |
| | nodejs) |
| | |
| firefox-esr [226] | [mips mipsel mips64el] No longer |
| | supported (needs newer rustc) |
| | |
| getlive [227] | Broken due to Hotmail changes |
| | |
| gplaycli [228] | Broken by Google API changes |
| | |
| kerneloops [229] | Upstream service no longer available |
| | |
| libmicrodns [230] | Security issues |
| | |
| libperlspeak-perl [231] | Security issues; unmaintained |
| | |
| mathematica-fonts [232] | Relies on unavailable download |
| | location |
| | |
| pdns-recursor [233] | Security issues; unsupported |
| | |
| predictprotein [234] | Depends on to-be-removed profphd |
| | |
| profphd [235] | Unusable |
| | |
| quotecolors [236] | Incompatible with newer Thunderbird |
| | versions |
| | |
| selenium-firefoxdriver [237] | Incompatible with newer Firefox ESR |
| | versions |
| | |
| simpleid [238] | Does not work with PHP7 |
| | |
| simpleid-ldap [239] | Depends on to-be-removed simpleid |
| | |
| torbirdy [240] | Incompatible with newer Thunderbird |
| | versions |
| | |
| weboob [241] | Unmaintained; already removed from |
| | later releases |
| | |
| yahoo2mbox [242] | Broken for several years |
| | |
+------------------------------+---------------------------------------+

222: https://packages.debian.org/src:certificatepatrol
223: https://packages.debian.org/src:colorediffs-extension
224: https://packages.debian.org/src:dynalogin
225: https://packages.debian.org/src:enigmail
226: https://packages.debian.org/src:firefox-esr
227: https://packages.debian.org/src:getlive
228: https://packages.debian.org/src:gplaycli
229: https://packages.debian.org/src:kerneloops
230: https://packages.debian.org/src:libmicrodns
231: https://packages.debian.org/src:libperlspeak-perl
232: https://packages.debian.org/src:mathematica-fonts
233: https://packages.debian.org/src:pdns-recursor
234: https://packages.debian.org/src:predictprotein
235: https://packages.debian.org/src:profphd
236: https://packages.debian.org/src:quotecolors
237: https://packages.debian.org/src:selenium-firefoxdriver
238: https://packages.debian.org/src:simpleid
239: https://packages.debian.org/src:simpleid-ldap
240: https://packages.debian.org/src:torbirdy
241: https://packages.debian.org/src:weboob
242: https://packages.debian.org/src:yahoo2mbox

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
oldstable by the point release.


URLs
----

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/stretch/ChangeLog


The current oldstable distribution:

http://ftp.debian.org/debian/dists/oldstable/


Proposed updates to the oldstable distribution:

http://ftp.debian.org/debian/dists/oldstable-proposed-updates


oldstable distribution information (release notes, errata etc.):

https://www.debian.org/releases/oldstable/


Security announcements and information:

https://www.debian.org/security/


About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian. 
