apticron report [Sat, 09 Dec 2017 22:38:11 +0100]
========================================================================
apticron has detected that some packages need upgrading on:
quigon.federez.net
[ 160.228.155.65 ]
The following packages are currently pending an upgrade:
base-files 9.9+deb9u3
dbus 1.10.24-0+deb9u1
iproute 1:4.9.0-1+deb9u1
iproute2 4.9.0-1+deb9u1
libdbus-1-3 1.10.24-0+deb9u1
libicu57 57.1-6+deb9u1
libpython2.7 2.7.13-2+deb9u2
libpython2.7-dev 2.7.13-2+deb9u2
libpython2.7-minimal 2.7.13-2+deb9u2
libpython2.7-stdlib 2.7.13-2+deb9u2
libsqlite3-0 3.16.2-5+deb9u1
libxcursor1 1:1.1.14-1+deb9u1
linux-image-4.9.0-4-amd64 4.9.65-3
linux-libc-dev 4.9.65-3
openssh-client 1:7.4p1-10+deb9u2
openssh-server 1:7.4p1-10+deb9u2
openssh-sftp-server 1:7.4p1-10+deb9u2
publicsuffix 20171028.2055-0+deb9u1
python2.7 2.7.13-2+deb9u2
python2.7-dev 2.7.13-2+deb9u2
python2.7-minimal 2.7.13-2+deb9u2
sa-compile 3.4.1-6+deb9u1
spamassassin 3.4.1-6+deb9u1
spamc 3.4.1-6+deb9u1
zsh 5.3.1-4+b2
========================================================================
Package Details:
apt-listchanges: Reading changelogs...
apt-listchanges: Changelogs
-------------------------------------------------------------
--- Changes for icu (libicu57) ---
icu (57.1-6+deb9u1) stretch; urgency=high
* Backport upstream security fix for CVE-2017-14952: double free in
createMetazoneMappings() (closes: #878840).
-- Laszlo Boszormenyi (GCS) <gcs(a)debian.org> Tue, 24 Oct 2017 17:28:30 +0000
--- Changes for libxcursor (libxcursor1) ---
libxcursor (1:1.1.14-1+deb9u1) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
* Fix heap overflows when parsing malicious files (CVE-2017-16612)
(Closes: #883792)
-- Salvatore Bonaccorso <carnil(a)debian.org> Thu, 07 Dec 2017 17:07:35 +0100
--- Changes for base-files ---
base-files (9.9+deb9u3) stretch; urgency=medium
* Change /etc/debian_version to 9.3, for Debian 9.3 point release.
-- Santiago Vila <sanvila(a)debian.org> Sun, 19 Nov 2017 16:25:10 +0100
--- Changes for dbus (dbus libdbus-1-3) ---
dbus (1.10.24-0+deb9u1) stretch; urgency=medium
* New upstream stable release
- dbus/dbus-sysdeps-unix.c: Increase listen() backlog of
AF_UNIX sockets to the maximum possible, minimizing failed
connections under heavy load (Closes: #872144)
- bus/config-loader-expat.c: When parsing dbus-daemon
configuration, don't delay startup if high-quality entropy
is not yet available: we trust the configuration anyway, so
algorithmic complexity attacks via hash table collisions
are not a concern
- bus/*: When using the Monitoring interface, match message
filters that specify a destination correctly
- test/monitor.c: Add test-cases for this
- tools/dbus-send.c: Avoid a compiler warning when gcc gets
confused about a conditionally-initialized variable
- dbus/dbus-sysdeps-unix.c: Avoid a compiler warning on Solaris
(not relevant to Debian)
-- Simon McVittie <smcv(a)debian.org> Sun, 01 Oct 2017 12:09:14 +0100
--- Changes for iproute2 (iproute iproute2) ---
iproute2 (4.9.0-1+deb9u1) stretch; urgency=medium
* Backport upstream commit 97a02cabef to fix segfault with iptables 1.6;
the xtables_globals structure needs to have its new member compat_rev
initialized. (Closes: #868059)
* Sync include/xtables.h from iptables to make sure the right offset is
used when accessing structure members defined in libxtables. One could
get “Extension does not know id …” otherwise. (See also: #868059)
-- Cyril Brulebois <cyril(a)debamax.com> Fri, 24 Nov 2017 09:22:10 +0000
--- Changes for linux (linux-image-4.9.0-4-amd64 linux-libc-dev) ---
linux (4.9.65-3) stretch; urgency=medium
[ Salvatore Bonaccorso ]
* xen/time: do not decrease steal time after live migration on xen
(Closes: #871608)
-- Ben Hutchings <ben(a)decadent.org.uk> Sun, 03 Dec 2017 19:41:55 +0000
linux (4.9.65-2) stretch; urgency=medium
* [s390x] qeth: Ignore ABI changes (fixes FTBFS)
-- Ben Hutchings <ben(a)decadent.org.uk> Sun, 03 Dec 2017 17:22:42 +0000
linux (4.9.65-1) stretch; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.52
- mm: prevent double decrease of nr_reserved_highatomic
- IB/{qib, hfi1}: Avoid flow control testing for RDMA write operation
- IB/addr: Fix setting source address in addr6_resolve()
- tty: improve tty_insert_flip_char() fast path
- tty: improve tty_insert_flip_char() slow path
- tty: fix __tty_insert_flip_char regression
- [x86] pinctrl/amd: save pin registers over suspend/resume
- [mips*] math-emu: <MAX|MAXA|MIN|MINA>.<D|S>: Fix quiet NaN propagation
- [mips*] math-emu: <MAX|MAXA|MIN|MINA>.<D|S>: Fix cases of both inputs
zero
- [mips*] math-emu: <MAX|MIN>.<D|S>: Fix cases of both inputs negative
- [mips*] math-emu: <MAXA|MINA>.<D|S>: Fix cases of input values with
opposite signs
- [mips*] math-emu: <MAXA|MINA>.<D|S>: Fix cases of both infinite inputs
- [mips*] math-emu: MINA.<D|S>: Fix some cases of infinity and zero inputs
- [mips*] math-emu: Handle zero accumulator case in MADDF and MSUBF
separately
- [mips*] math-emu: <MADDF|MSUBF>.<D|S>: Fix NaN propagation
- [mips*] math-emu: <MADDF|MSUBF>.<D|S>: Fix some cases of infinite inputs
- [mips*] math-emu: <MADDF|MSUBF>.<D|S>: Fix some cases of zero inputs
- [mips*] math-emu: <MADDF|MSUBF>.<D|S>: Clean up "maddf_flags"
enumeration
- [mips*] math-emu: <MADDF|MSUBF>.S: Fix accuracy (32-bit case)
- [mips*] math-emu: <MADDF|MSUBF>.D: Fix accuracy (64-bit case)
- [x86] crypto: ccp - Fix XTS-AES-128 support on v5 CCPs
- crypto: AF_ALG - remove SGL terminator indicator when chaining
- ext4: fix incorrect quotaoff if the quota feature is enabled
- ext4: fix quota inconsistency during orphan cleanup for read-only mounts
- [powerpc*] Fix DAR reporting when alignment handler faults
- block: Relax a check in blk_start_queue()
- md/bitmap: disable bitmap_resize for file-backed bitmaps.
- skd: Avoid that module unloading triggers a use-after-free
- skd: Submit requests to firmware before triggering the doorbell
- [s390x] scsi: zfcp: fix queuecommand for scsi_eh commands when DIX enabled
- [s390x] scsi: zfcp: add handling for FCP_RESID_OVER to the fcp ingress
path
- [s390x] scsi: zfcp: fix capping of unsuccessful GPN_FT SAN response trace
records
- [s390x] scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to correlate
with HBA
- [s390x] scsi: zfcp: fix missing trace records for early returns in TMF eh
handlers
- [s390x] scsi: zfcp: fix payload with full FCP_RSP IU in SCSI trace records
- [s390x] scsi: zfcp: trace HBA FSF response by default on dismiss or
timedout late response
- [s390x] scsi: zfcp: trace high part of "new" 64 bit SCSI LUN
- scsi: megaraid_sas: set minimum value of resetwaittime to be 1 secs
- scsi: megaraid_sas: Check valid aen class range to avoid kernel panic
- scsi: megaraid_sas: Return pended IOCTLs with cmd_status
MFI_STAT_WRONG_STATE in case adapter is dead
- [x86] scsi: storvsc: fix memory leak on ring buffer busy
- scsi: sg: remove 'save_scat_len'
- scsi: sg: use standard lists for sg_requests
- scsi: sg: off by one in sg_ioctl()
- scsi: sg: factor out sg_fill_request_table()
- scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE
- scsi: qla2xxx: Correction to vha->vref_count timeout
- ftrace: Fix selftest goto location on error
- ftrace: Fix memleak when unregistering dynamic ops when tracing disabled
- tracing: Add barrier to trace_printk() buffer nesting modification
- tracing: Apply trace_clock changes to instance max buffer
- [x86] PCI: shpchp: Enable bridge bus mastering if MSI is enabled
- PCI: pciehp: Report power fault only once until we clear it
- net/netfilter/nf_conntrack_core: Fix net_conntrack_lock()
- [s390x] mm: fix local TLB flushing vs. detach of an mm address space
- [s390x] mm: fix race on mm->context.flush_mm
- media: v4l2-compat-ioctl32: Fix timespec conversion
- media: uvcvideo: Prevent heap overflow when accessing mapped controls
- PM / devfreq: Fix memory leak when fail to register device
- bcache: initialize dirty stripes in flash_dev_run()
- bcache: Fix leak of bdev reference
- bcache: do not subtract sectors_to_gc for bypassed IO
- bcache: correct cache_dirty_target in __update_writeback_rate()
- bcache: Correct return value for sysfs attach errors
- bcache: fix for gc and write-back race
- bcache: fix bch_hprint crash and improve output
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.53
- cifs: release cifs root_cred after exit_cifs
- cifs: release auth_key.response for reconnect.
- fs/proc: Report eip/esp in /prod/PID/stat for coredumping
- mac80211: fix VLAN handling with TXQs
- mac80211_hwsim: Use proper TX power
- mac80211: flush hw_roc_start work before cancelling the ROC
- genirq: Make sparse_irq_lock protect what it should protect
- [powerpc*] KVM: Book3S: Fix race and leak in
kvm_vm_ioctl_create_spapr_tce()
- [powerpc*] KVM: Book3S HV: Protect updates to spapr_tce_tables list
- tracing: Fix trace_pipe behavior for instance traces
- tracing: Erase irqsoff trace with empty write
- md/raid5: fix a race condition in stripe batch
- md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list
- drm/radeon: disable hard reset in hibernate for APUs
- crypto: drbg - fix freeing of resources
- security/keys: properly zero out sensitive key material in big_key
- security/keys: rewrite all of big_key crypto
- KEYS: fix writing past end of user-supplied buffer in keyring_read()
- KEYS: prevent creating a different user's keyrings
- KEYS: prevent KEYCTL_READ on negative key (CVE-2017-12192)
- [powerpc*] pseries: Fix parent_dn reference leak in add_dt_node()
- [powerpc*] tm: Flush TM only if CPU has TM feature
- [powerpc*] ftrace: Pass the correct stack pointer for
DYNAMIC_FTRACE_WITH_REGS
- [s390x] mm: fix write access check in gup_huge_pmd()
- PM: core: Fix device_pm_check_callbacks()
- cifs: Fix SMB3.1.1 guest authentication to Samba
- SMB3: Warn user if trying to sign connection that authenticated as guest
- SMB: Validate negotiate (to protect against downgrade) even if signing off
- SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags
- vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets
- iw_cxgb4: remove the stid on listen create failure
- iw_cxgb4: put ep reference in pass_accept_req()
- seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()
- [arm64] Make sure SPsel is always set
- [arm64] fault: Route pte translation faults via do_translation_fault
- [x86] KVM: VMX: extract __pi_post_block
- [x86] KVM: VMX: avoid double list add with VT-d posted interrupts
- [x86] KVM: VMX: simplify and fix vmx_vcpu_pi_load
- [x86] kvm: Handle async PF in RCU read-side critical sections
- xfs: validate bdev support for DAX inode flag
- [armhf] etnaviv: fix gem object list corruption
- PCI: Fix race condition with driver_override
- btrfs: fix NULL pointer dereference from free_reloc_roots()
- btrfs: propagate error to btrfs_cmp_data_prepare caller
- btrfs: prevent to set invalid default subvolid
- [x86] mm: Fix fault error path using unsafe vma pointer
- [x86] fpu: Don't let userspace set bogus xcomp_bv
- gfs2: Fix debugfs glocks dump
- timer/sysctl: Restrict timer migration sysctl values to 0 and 1
- [x86] KVM: VMX: do not change SN bit in vmx_update_pi_irte()
- [x86] KVM: VMX: remove WARN_ON_ONCE in kvm_vcpu_trigger_posted_interrupt
- [powerpc*] cxl: Fix driver use count
- [x86] KVM: VMX: use cmpxchg64
- swiotlb-xen: implement xen_swiotlb_dma_mmap callback
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.54
- drm_fourcc: Fix DRM_FORMAT_MOD_LINEAR #define
- drm: bridge: add DT bindings for TI ths8135
- GFS2: Fix reference to ERR_PTR in gfs2_glock_iter_next
- [x86] drm/i915: Fix the overlay frontbuffer tracking
- [armhf] dts: exynos: Add CPU OPPs for Exynos4412 Prime
- [armhf] clk: sunxi-ng: fix PLL_CPUX adjusting on H3
- RDS: RDMA: Fix the composite message user notification
- [mips*] Ensure bss section ends on a long-aligned address
- scsi: be2iscsi: Add checks to validate CID alloc/free
- [armhf] dts: am335x-chilisom: Wakeup from RTC-only state by power on event
- igb: re-assign hw address pointer on reset after PCI error
- hwmon: (gl520sm) Fix overflows and crash seen when writing into limit
attributes
- IB/rxe: Add a runtime check in alloc_index()
- IB/rxe: Fix a MR reference leak in check_rkey()
- [x86] drm/i915/psr: disable psr2 for resolution greater than 32X20
- serial: 8250: moxa: Store num_ports in brd
- serial: 8250_port: Remove dangerous pr_debug()
- IB/ipoib: Fix deadlock over vlan_mutex
- IB/ipoib: rtnl_unlock can not come after free_netdev
- IB/ipoib: Replace list_del of the neigh->list with list_del_init
- [amd64] drm/amdkfd: fix improper return value on error
- USB: serial: mos7720: fix control-message error handling
- USB: serial: mos7840: fix control-message error handling
- sfc: get PIO buffer size from the NIC
- partitions/efi: Fix integer overflow in GPT size calculation
- ASoC: dapm: handle probe deferrals
- audit: log 32-bit socketcalls
- ath10k: prevent sta pointer rcu violation
- [armhf,arm64] iommu/arm-smmu: Set privileged attribute to 'default'
instead of 'unprivileged'
- [armhf,arm64] usb: chipidea: vbus event may exist before starting gadget
- ASoC: dapm: fix some pointer error handling
- [arm64] drm: mali-dp: Fix destination size handling when rotating
- [arm64] drm: mali-dp: Fix transposed horizontal/vertical flip
- HID: wacom: release the resources before leaving despite devm
- net: core: Prevent from dereferencing null pointer when releasing SKB
- net/packet: check length in getsockopt() called with PACKET_HDRLEN
- team: fix memory leaks
- udp: disable inner UDP checksum offloads in IPsec case
- qed: Fix possible system hang in the dcbnl-getdcbx() path.
- mmc: sdio: fix alignment issue in struct sdio_func
- bridge: netlink: register netdevice before executing changelink
- Btrfs: fix segmentation fault when doing dio read
- Btrfs: fix potential use-after-free for cloned bio
- sata_via: Enable hotplug only on VT6421
- hugetlbfs: initialize shared policy as part of inode allocation
- netfilter: invoke synchronize_rcu after set the _hook_ to NULL
- [mips*] IRQ Stack: Unwind IRQ stack onto task stack
- nvme-rdma: handle cpu unplug when re-establishing the controller
- netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max
- nfs: make nfs4_cb_sv_ops static
- [x86] cpufreq: intel_pstate: Update pid_params.sample_rate_ns in
pid_param_set()
- [x86] acpi: Restore the order of CPU IDs
- [armhf,arm64] iommu/io-pgtable-arm: Check for leaf entry before
dereferencing it
- mm/cgroup: avoid panic when init with low memory
- rds: ib: add error handle
- md/raid10: submit bio directly to replacement disk
- netfilter: nf_tables: set pktinfo->thoff at AH header if found
- [arm64] i2c: meson: fix wrong variable usage in meson_i2c_put_data
- xfs: remove kmem_zalloc_greedy
- libata: transport: Remove circular dependency at free time
- tools/power turbostat: bugfix: GFXMHz column not changing
- IB/qib: fix false-postive maybe-uninitialized warning
- ttpci: address stringop overflow warning
- [s390x] mm: make pmdp_invalidate() do invalidation only
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.55
- USB: gadgetfs: Fix crash caused by inadequate synchronization
- USB: gadgetfs: fix copy_to_user while holding spinlock
- usb-storage: unusual_devs entry to fix write-access regression for
Seagate external drives
- usb-storage: fix bogus hardware error messages for ATA pass-thru devices
- ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
(CVE-2017-16529)
- usb: pci-quirks.c: Corrected timeout values used in handshake
- USB: cdc-wdm: ignore -EPIPE from GetEncapsulatedResponse
- USB: dummy-hcd: fix connection failures (wrong speed)
- USB: dummy-hcd: fix infinite-loop resubmission bug
- USB: dummy-hcd: Fix erroneous synchronization change
- usb: gadget: mass_storage: set msg_registered after msg registered
- USB: g_mass_storage: Fix deadlock when driver is unbound
- USB: uas: fix bug in handling of alternate settings (CVE-2017-16530)
- USB: core: harden cdc_parse_cdc_header (CVE-2017-16534)
- usb: Increase quirk delay for USB devices
- USB: fix out-of-bounds in usb_set_configuration (CVE-2017-16531)
- xhci: fix finding correct bus_state structure for USB 3.1 hosts
- xhci: Fix sleeping with spin_lock_irq() held in ASmedia 1042A workaround
- xhci: set missing SuperSpeedPlus Link Protocol bit in roothub descriptor
- [x86] Revert "xhci: Limit USB2 port wake support for AMD Promontory hosts"
- [armhf] iio: adc: twl4030: Fix an error handling path in
'twl4030_madc_probe()'
- [armhf] iio: adc: twl4030: Disable the vusb3v1 rugulator in the error
handling path of 'twl4030_madc_probe()'
- iio: core: Return error for failed read_reg
- uwb: properly check kthread_run return value (CVE-2017-16526)
- uwb: ensure that endpoint is interrupt
- mm, oom_reaper: skip mm structs with mmu notifiers
- lib/ratelimit.c: use deferred printk() version
- Revert "ALSA: echoaudio: purge contradictions between dimension matrix
members and total number of members"
- ALSA: usx2y: Suppress kernel warning at page allocation failures
- net: sched: fix use-after-free in tcf_action_destroy and tcf_del_walker
- sctp: potential read out of bounds in sctp_ulpevent_type_enabled()
- tcp: update skb->skb_mstamp more carefully
- bpf/verifier: reject BPF_ALU64|BPF_END
- tcp: fix data delivery rate
- udpv6: Fix the checksum computation when HW checksum does not apply
- ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header
- net: phy: Fix mask value write on gmii2rgmii converter speed register
- ip6_tunnel: do not allow loading ip6_tunnel if ipv6 is disabled in cmdline
- net/sched: cls_matchall: fix crash when used with classful qdisc
- tcp: fastopen: fix on syn-data transmit failure
- [powerpc,ppc64] net: emac: Fix napi poll list corruption
- packet: hold bind lock when rebinding to fanout hook (CVE-2017-15649)
- bpf: one perf event close won't free bpf program attached by another perf
event
- net_sched: always reset qdisc backlog in qdisc_reset()
- vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
- l2tp: Avoid schedule while atomic in exit_net
- l2tp: fix race condition in l2tp_tunnel_delete
- tun: bail out from tun_get_user() if the skb is empty
- net: dsa: Fix network device registration order
- packet: in packet_do_bind, test fanout with bind_lock held
(CVE-2017-15649)
- packet: only test po->has_vnet_hdr once in packet_snd
- net: Set sk_prot_creator when cloning sockets to the right proto
- netlink: do not proceed if dump's start() errs
- ip6_gre: ip6gre_tap device should keep dst
- ip6_tunnel: update mtu properly for ARPHRD_ETHER tunnel device in tx path
- tipc: use only positive error codes in messages
- net: rtnetlink: fix info leak in RTM_GETSTATS call
- [powerpc*/*64*]: Use emergency stack for kernel TM Bad Thing program
checks (CVE-2017-1000255)
- [powerpc*] tm: Fix illegal TM state in signal handler (CVE-2017-1000255)
- percpu: make this_cpu_generic_read() atomic w.r.t. interrupts
- driver core: platform: Don't read past the end of "driver_override"
buffer
- [x86] Drivers: hv: fcopy: restore correct transfer length
- ftrace: Fix kmemleak in unregister_ftrace_graph
- HID: i2c-hid: allocate hid buffers for real worst case
- HID: wacom: leds: Don't try to control the EKR's read-only LEDs
- HID: wacom: Always increment hdev refcount within wacom_get_hdev_data
- HID: wacom: bits shifted too much for 9th and 10th buttons
- netlink: fix nla_put_{u8,u16,u32} for KASAN
- iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD
- iwlwifi: add workaround to disable wide channels in 5GHz
- scsi: sd: Do not override max_sectors_kb sysfs setting
- brcmfmac: add length check in brcmf_cfg80211_escan_handler()
(CVE-2017-0786)
- brcmfmac: setup passive scan if requested by user-space
- [x86] drm/i915/bios: ignore HDMI on port A
- nvme-pci: Use PCI bus address for data/queues in CMB
- mmc: core: add driver strength selection when selecting hs400es
- sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs
- vfs: deny copy_file_range() for non regular files
- ext4: fix data corruption for mmap writes
- ext4: don't allow encrypted operations without keys
- f2fs: don't allow encrypted operations without keys
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.56
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.57
- ext4: in ext4_seek_{hole,data}, return -ENXIO for negative offsets
- CIFS: Reconnect expired SMB sessions
- nl80211: Define policy for packet pattern attributes
- rcu: Allow for page faults in NMI handlers
- USB: dummy-hcd: Fix deadlock caused by disconnect detection
- [mips*] math-emu: Remove pr_err() calls from fpu_emu()
- [armhf] dmaengine: edma: Align the memcpy acnt array size with the
transfer
- [armhf] dmaengine: ti-dma-crossbar: Fix possible race condition with
dma_inuse
- HID: usbhid: fix out-of-bounds bug (CVE-2017-16533)
- crypto: shash - Fix zero-length shash ahash digest crash
- [x86] KVM: MMU: always terminate page walks at level 1
- [x86] KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
- [x86] iommu/amd: Finish TLB flush in amd_iommu_unmap()
- device property: Track owner device of device property
- fs/mpage.c: fix mpage_writepage() for pages with buffers
- ALSA: usb-audio: Kill stray URB at exiting (CVE-2017-16527)
- ALSA: seq: Fix use-after-free at creating a port (CVE-2017-15265)
- ALSA: seq: Fix copy_from_user() call inside lock
- ALSA: caiaq: Fix stray URB at probe error path
- ALSA: line6: Fix missing initialization before error path
- ALSA: line6: Fix leftover URB at error-path during probe
- [x86] drm/i915/edp: Get the Panel Power Off timestamp after panel is off
- [x86] drm/i915: Read timings from the correct transcoder in
intel_crtc_mode_get()
- [x86] drm/i915/bios: parse DDI ports also for CHV for HDMI DDC pin and DP
AUX channel
- usb: gadget: configfs: Fix memory leak of interface directory data
- usb: gadget: composite: Fix use-after-free in
usb_composite_overwrite_options
- direct-io: Prevent NULL pointer access in submit_page_section
- fix unbalanced page refcounting in bio_map_user_iov (CVE-2017-12190)
- more bio_map_user_iov() leak fixes
- bio_copy_user_iov(): don't ignore ->iov_offset
- USB: serial: console: fix use-after-free after failed setup
(CVE-2017-16525)
- [x86] alternatives: Fix alt_max_short macro to really be a max()
- [x86] KVM: nVMX: update last_nonleaf_level when initializing nested EPT
(CVE-2017-12188)
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.58
- [mips*] Fix minimum alignment requirement of IRQ stack
- xen-netback: Use GFP_ATOMIC to allocate hash
- irqchip/crossbar: Fix incorrect type of local variables
- initramfs: finish fput() before accessing any binary from initramfs
- mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length
- qed: Don't use attention PTT for configuring BW
- mac80211: fix power saving clients handling in iwlwifi
- net/mlx4_en: fix overflow in mlx4_en_init_timestamp()
- netfilter: nf_ct_expect: Change __nf_ct_expect_check() return value.
- f2fs: do SSR for data when there is enough free space
- sched/fair: Update rq clock before changing a task's CPU affinity
- Btrfs: send, fix failure to rename top level inode due to name collision
- f2fs: do not wait for writeback in write_begin
- md/linear: shutup lockdep warnning
- net/mlx4_core: Fix VF overwrite of module param which disables DMFS on new
probed PFs
- mm/memory_hotplug: set magic number to page->freelist instead of
page->lru.next
- ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock
- scsi: scsi_dh_emc: return success in clariion_std_inquiry()
- drm/amdgpu: refuse to reserve io mem for split VRAM buffers
- [armhf] net: mvpp2: release reference to txq_cpu[] entry after unmapping
- qede: Prevent index problems in loopback test
- qed: Reserve doorbell BAR space for present CPUs
- qed: Read queue state before releasing buffer
- ceph: don't update_dentry_lease unless we actually got one
- ceph: fix bogus endianness change in ceph_ioctl_set_layout
- ceph: clean up unsafe d_parent accesses in build_dentry_path
- uapi: fix linux/mroute6.h userspace compilation errors
- [amd64] IB/hfi1: Use static CTLE with Preset 6 for integrated HFIs
- [amd64] IB/hfi1: Allocate context data on memory node
- target/iscsi: Fix unsolicited data seq_end_offset calculation
- hrtimer: Catch invalid clockids again
- nfsd/callback: Cleanup callback cred on shutdown
- [powerpc*] perf: Add restrictions to PMC5 in power9 DD1
- drm/nouveau/gr/gf100-: fix ccache error logging
- regulator: core: Resolve supplies before disabling unused regulators
- btmrvl: avoid double-disable_irq() race
- [x86] EDAC, mce_amd: Print IPID and Syndrome on a separate line
- usb: dwc3: gadget: Correct ISOC DATA PIDs for short packets
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.59
- USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
(CVE-2017-16535)
- usb: hub: Allow reset retry for USB2 devices on connect bounce
- can: gs_usb: fix busy loop if no more TX context is available
- iio: dummy: events: Add missing break
- [armhf] usb: musb: sunxi: Explicitly release USB PHY on exit
- [armhf] usb: musb: Check for host-mode using is_host_active() on reset
interrupt
- xhci: Identify USB 3.1 capable hosts by their port protocol capability
- can: esd_usb2: Fix can_dlc value for received RTR, frames
- drm/nouveau/bsp/g92: disable by default
- drm/nouveau/mmu: flush tlbs before deleting page tables
- ALSA: seq: Enable 'use' locking in all configurations
- ALSA: hda: Remove superfluous '-' added by printk conversion
- ALSA: hda: Abort capability probe at invalid register read
- [x86] i2c: ismt: Separate I2C block read from SMBus block read
- i2c: piix4: Fix SMBus port selection for AMD Family 17h chips
- brcmfmac: Add check for short event packets
- brcmsmac: make some local variables 'static const' to reduce stack size
- [armel,armhf] bus: mbus: fix window size calculation for 4GB windows
- [i386] clockevents/drivers/cs5535: Improve resilience to spurious
interrupts
- rtlwifi: rtl8821ae: Fix connection lost problem
- [x86] microcode/intel: Disable late loading on model 79
- KEYS: encrypted: fix dereference of NULL user_key_payload
- lib/digsig: fix dereference of NULL user_key_payload
- KEYS: don't let add_key() update an uninstantiated key (CVE-2017-15299)
- pkcs7: Prevent NULL pointer dereference, since sinfo is not always set.
- [x86] vmbus: fix missing signaling in hv_signal_on_read()
- xfs: don't unconditionally clear the reflink flag on zero-block files
- xfs: evict CoW fork extents when performing finsert/fcollapse
- fs/xfs: Use %pS printk format for direct addresses
- xfs: report zeroed or not correctly in xfs_zero_range()
- xfs: update i_size after unwritten conversion in dio completion
- xfs: perag initialization should only touch m_ag_max_usable for AG 0
- xfs: Capture state of the right inode in xfs_iflush_done
- xfs: always swap the cow forks when swapping extents
- xfs: handle racy AIO in xfs_reflink_end_cow
- xfs: Don't log uninitialised fields in inode structures
- xfs: move more RT specific code under CONFIG_XFS_RT
- xfs: don't change inode mode if ACL update fails
- xfs: reinit btree pointer on attr tree inactivation walk
- xfs: handle error if xfs_btree_get_bufs fails
- xfs: cancel dirty pages on invalidation
- xfs: trim writepage mapping to within eof
- fscrypt: fix dereference of NULL user_key_payload
- KEYS: Fix race between updating and finding a negative key
(CVE-2017-15951)
- FS-Cache: fix dereference of NULL user_key_payload
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.60
- workqueue: replace pool->manager_arb mutex with a flag
- ceph: unlock dangling spinlock in try_flush_caps()
- usb: xhci: Handle error condition in xhci_stop_device()
- [powerpc*] KVM: Fix oops when checking KVM_CAP_PPC_HTM (CVE-2017-15306)
- fuse: fix READDIRPLUS skipping an entry
- xen/gntdev: avoid out of bounds access in case of partial gntdev_mmap()
- Input: gtco - fix potential out-of-bound access (CVE-2017-16643)
- assoc_array: Fix a buggy node-splitting case
- [s390x] scsi: zfcp: fix erp_action use-before-initialize in REC action
trace
- scsi: sg: Re-fix off by one in sg_fill_request_table()
- drm/amd/powerplay: fix uninitialized variable
- [armhf] can: sun4i: fix loopback mode
- can: kvaser_usb: Correct return value in printout
- can: kvaser_usb: Ignore CMD_FLUSH_QUEUE_REPLY messages
- cfg80211: fix connect/disconnect edge cases
- ipsec: Fix aborted xfrm policy dump crash (CVE-2017-16939)
- [armhf] regulator: fan53555: fix I2C device ids
- ecryptfs: fix dereference of NULL user_key_payload
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.61
- ALSA: timer: Add missing mutex lock for compat ioctls
- ALSA: seq: Fix nested rwsem annotation for lockdep splat
- cifs: check MaxPathNameComponentLength != 0 before using it
(Closes: #880504)
- KEYS: return full count in keyring_read() if buffer is too small
- KEYS: fix out-of-bounds read during ASN.1 parsing
- [arm64] ensure __dump_instr() checks addr_limit
- [armhf,arm64] KVM: set right LR register value for 32 bit guest when
inject abort
- [armhf,arm64] kvm: Disable branch profiling in HYP code
- [armel,armhf] 8715/1: add a private asm/unaligned.h
- drm/amdgpu: return -ENOENT from uvd 6.0 early init for harvesting
- ocfs2: fstrim: Fix start offset of first cluster group during fstrim
- [x86] drm/i915/edp: read edp display control registers unconditionally
- [arm64] drm/msm: Fix potential buffer overflow issue
- [arm64] drm/msm: fix an integer overflow test
- cpufreq: Do not clear real_cpus mask on policy init
- [x86] crypto: ccp - Set the AES size field for all modes
- IB/mlx5: Assign DSCP for R-RoCE QPs Address Path
- PM / wakeirq: report a wakeup_event on dedicated wekup irq
- scsi: megaraid_sas: Do not set fp_possible if TM capable for non-RW
syspdIO, change fp_possible to bool
- [armhf] mfd: axp20x: Fix axp288 PEK_DBR and PEK_DBF irqs being swapped
- bnxt_en: Added PCI IDs for BCM57452 and BCM57454 ASICs
- staging: rtl8712u: Fix endian settings for structs describing network
packets
- PCI/MSI: Return failure when msix_setup_entries() fails
- ext4: fix stripe-unaligned allocations
- ext4: do not use stripe_width if it is not set
- [x86] net/ena: change driver's default timeouts
- drm/amdgpu: when dpm disabled, also need to stop/start vce.
- perf tools: Only increase index if perf_evsel__new_idx() succeeds
- iwlwifi: mvm: use the PROBE_RESP_QUEUE to send deauth to unknown station
- [armhf,arm64] clocksource/drivers/arm_arch_timer: Add dt binding for
hisilicon-161010101 erratum
- net: phy: dp83867: Recover from "port mirroring" N/A MODE4
- cx231xx: Fix I2C on Internal Master 3 Bus
- ath10k: fix reading sram contents for QCA4019
- [armhf] clk: sunxi-ng: Check kzalloc() for errors and cleanup error path
- [armhf] mtd: nand: sunxi: Fix the non-polling case in
sunxi_nfc_wait_events()
- xen/manage: correct return value check on xenbus_scanf()
- scsi: aacraid: Process Error for response I/O
- [x86] platform: intel_mid_thermal: Fix module autoload
- [x86] staging: lustre: llite: don't invoke direct_IO for the EOF case
- [x86] staging: lustre: hsm: stack overrun in hai_dump_data_field
- [x86] staging: lustre: ptlrpc: skip lock if export failed
- [x86] staging: lustre: lmv: Error not handled for lmv_find_target
- brcmfmac: check brcmf_bus_get_memdump result for error
- vfs: open() with O_CREAT should not create inodes with unknown ids
- [x86] ASoC: Intel: boards: remove .pm_ops in all Atom/DPCM machine drivers
- [armhf] exynos4-is: fimc-is: Unmap region obtained by of_iomap()
- [x86] mei: return error on notification request to a disconnected client
- [s390x] dasd: check for device error pointer within state change
interrupts
- [s390x] prng: Adjust generation of entropy to produce real 256 bits.
- [s390x] crypto: Extend key length check for AES-XTS in fips mode.
- bt8xx: fix memory leak
- [armhf] drm/exynos: g2d: prevent integer overflow in
- PCI: Avoid possible deadlock on pci_lock and p->pi_lock
- [powerpc*/*64*]: Don't try to use radix MMU under a hypervisor
- xen: don't print error message in case of missing Xenstore entry
- [armel,armhf] dts: mvebu: pl310-cache disable double-linefill
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.62
- [armel,armhf] PCI: mvebu: Handle changes to the bridge windows while
enabled
- sched/core: Add missing update_rq_clock() call in sched_move_task()
- xen/netback: set default upper limit of tx/rx queues to 8
- [x86] EDAC, amd64: Add x86cpuid sanity check during init
- PM / OPP: Error out on failing to add static OPPs for v1 bindings
- [armhf] clk: samsung: exynos5433: Add IDs for PHYCLK_MIPIDPHY0_* clocks
- drm: drm_minor_register(): Clean up debugfs on failure
- [powerpc*] KVM: Book 3S: XICS: correct the real mode ICP rejecting counter
- [armhf,arm64] iommu/arm-smmu-v3: Clear prior settings when updating STEs
- [x86] pinctrl: baytrail: Fix debugfs offset output
- [powerpc*] corenet: explicitly disable the SDHC controller on kmcoge4
- [powerpc*] cxl: Force psl data-cache flush during device shutdown
- [arm64] dma-mapping: Only swizzle DMA ops for IOMMU_DOMAIN_DMA
- [powerpc*] crypto: vmx - disable preemption to enable vsx in aes_ctr.c
- [arm64] drm: mali-dp: fix Lx_CONTROL register fields clobber
- iio: trigger: free trigger resource correctly
- [x86] iio: proximity: sx9500: claim direct mode during raw proximity reads
- libertas: fix improper return value
- usb: hcd: initialize hcd->flags to 0 when rm hcd
- netfilter: nft_meta: deal with PACKET_LOOPBACK in netdev family
- brcmfmac: setup wiphy bands after registering it first
- rt2800usb: mark tx failure on timeout
- apparmor: fix undefined reference to `aa_g_hash_policy'
- IPsec: do not ignore crypto err in ah4 input
- [x86] EDAC, amd64: Save and return err code from probe_one_instance()
- [s390x] topology: make "topology=off" parameter work
- [powerpc] sched/cputime: Fix stale scaled stime on context switch
- IB/ipoib: Change list_del to list_del_init in the tx object
- [armhf] dts: STiH410-family: fix wrong parent clock frequency
- [s390x] qeth: fix retrieval of vipa and proxy-arp addresses
- [s390x] qeth: issue STARTLAN as first IPA command
- [arm64] wcn36xx: Don't use the destroyed hal_mutex
- IB/rxe: Fix reference leaks in memory key invalidation code
- [armhf] clk: mvebu: adjust AP806 CPU clock frequencies to production chip
- [x86] platform: hp-wmi: Fix detection for dock and tablet mode
- cdc_ncm: Set NTB format again after altsetting switch for Huawei devices
- KEYS: trusted: sanitize all key material
- KEYS: trusted: fix writing past end of buffer in trusted_read()
- [x86] platform: hp-wmi: Fix error value for hp_wmi_tablet_state
- [x86] platform: hp-wmi: Do not shadow error values
- [x86] uaccess, sched/preempt: Verify access_ok() context
- workqueue: Fix NULL pointer dereference
- crypto: ccm - preserve the IV buffer
- [x86] crypto: sha1-mb - fix panic due to unaligned access
- [x86] crypto: sha256-mb - fix panic due to unaligned access
- KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2]
- [armel,armhf] 8720/1: ensure dump_instr() checks addr_limit
- ALSA: seq: Fix OSS sysex delivery in OSS emulation
- [x86] drm/i915: Do not rely on wm preservation for ILK watermarks
- [mips*] Fix CM region target definitions
- [mips*] SMP: Use a completion event to signal CPU up
- [mips*] Fix race on setting and getting cpu_online_mask
- [mips*] SMP: Fix deadlock & online race
- [armhf] ASoC: sun4i-spdif: remove legacy dapm components
- rbd: use GFP_NOIO for parent stat and data requests
- [x86] drm/vmwgfx: Fix Ubuntu 17.10 Wayland black screen issue
- [arm64] drm/bridge: adv7511: Rework adv7511_power_on/off() so they can be
reused internally
- [arm64] drm/bridge: adv7511: Reuse __adv7511_power_on/off() when probing
EDID
- [arm64] drm/bridge: adv7511: Re-write the i2c address before EDID probing
- [armhf] can: sun4i: handle overrun in RX FIFO
- [x86] smpboot: Make optimization of delay calibration work correctly
- [x86] oprofile/ppro: Do not use __this_cpu*() in preemptible context
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.63
- gso: fix payload length when gso_size is zero
- tun/tap: sanitize TUNSETSNDBUF input
- ipv6: addrconf: increment ifp refcount before ipv6_del_addr()
- netlink: do not set cb_running if dump's start() errs
- net: call cgroup_sk_alloc() earlier in sk_clone_lock()
- tcp: fix tcp_mtu_probe() vs highest_sack
- l2tp: check ps->sock before running pppol2tp_session_ioctl()
- tun: call dev_get_valid_name() before register_netdevice()
- sctp: add the missing sock_owned_by_user check in sctp_icmp_redirect
- tcp/dccp: fix ireq->opt races
- packet: avoid panic in packet_getsockopt()
- soreuseport: fix initialization race
- ipv6: flowlabel: do not leave opt->tot_len with garbage
- sctp: full support for ipv6 ip_nonlocal_bind & IP_FREEBIND
- tcp/dccp: fix lockdep splat in inet_csk_route_req()
- tcp/dccp: fix other lockdep splats accessing ireq_opt
- net/unix: don't show information about sockets from other namespaces
- tap: double-free in error path in tap_open()
- ipip: only increase err_count for some certain type icmp in ipip_err
- ip6_gre: only increase err_count for some certain type icmpv6 in
ip6gre_err
- ip6_gre: update dst pmtu if dev mtu has been updated by toobig in
__gre6_xmit
- tun: allow positive return values on dev_get_valid_name() call
- sctp: reset owner sk for data chunks on out queues when migrating a sock
- net_sched: avoid matching qdisc with zero handle
- ppp: fix race in ppp device destruction
- mac80211: accept key reinstall without changing anything (CVE-2017-13080)
- mac80211: use constant time comparison with keys
- mac80211: don't compare TKIP TX MIC key in reinstall prevention
(CVE-2017-13080)
- usb: usbtest: fix NULL pointer dereference (CVE-2017-16532)
- Input: ims-psu - check if CDC union descriptor is sane (CVE-2017-16645)
- ALSA: seq: Cancel pending autoload work at unbinding device
(CVE-2017-16528)
- netfilter: nat: avoid use of nf_conn_nat extension
- netfilter: nat: Revert "netfilter: nat: convert nat bysrc hash to
rhashtable"
- brcmfmac: remove setting IBSS mode when stopping AP
- [arm64,mips*] security/keys: add CONFIG_KEYS_COMPAT to Kconfig
(Closes: #881830)
- target/iscsi: Fix iSCSI task reassignment handling
- qla2xxx: Fix incorrect tcm_qla2xxx_free_cmd use during TMR ABORT (v2)
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.64
- media: imon: Fix null-ptr-deref in imon_probe (CVE-2017-16537)
- media: dib0700: fix invalid dvb_detach argument (CVE-2017-16646)
- [armel,armhf] crypto: reduce priority of bit-sliced AES cipher
- Bluetooth: btusb: fix QCA Rome suspend/resume
- [armhf,arm64] extcon: Remove potential problem when calling
extcon_register_notifier()
- [armhf] extcon: palmas: Check the parent instance to prevent the NULL
- fm10k: request reset when mbx->state changes
- [armhf] dts: Fix compatible for ti81xx uarts for 8250
- [armhf] dts: Fix am335x and dm814x scm syscon to probe children
- [armhf] OMAP2+: Fix init for multiple quirks for the same SoC
- [armhf] dts: Fix omap3 off mode pull defines
- [armhf] dts: omap5-uevm: Allow bootloader to configure USB Ethernet MAC
- igb: reset the PHY before reading the PHY ID
- igb: close/suspend race in netif_device_detach
- igb: Fix hw_dbg logging in igb_update_flash_i210
- scsi: ufs: add capability to keep auto bkops always enabled
- tcp: provide timestamps for partial writes
- staging: rtl8188eu: fix incorrect ERROR tags from logs
- [x86] irq, trace: Add __irq_entry annotation to x86's platform IRQ
handlers
- scsi: lpfc: Add missing memory barrier
- scsi: lpfc: FCoE VPort enable-disable does not bring up the VPort
- scsi: lpfc: Correct host name in symbolic_name field
- scsi: lpfc: Correct issue leading to oops during link reset
- scsi: lpfc: Clear the VendorVersion in the PLOGI/PLOGI ACC payload
- ALSA: vx: Don't try to update capture stream before running
- ALSA: vx: Fix possible transfer overflow
- [armhf] drm/omap: panel-sony-acx565akm.c: Add MODULE_ALIAS
- [x86] gpu: drm: mgag200: mgag200_main:- Handle error from pci_iomap
- [arm64] dts: NS2: reserve memory for Nitro firmware
- ixgbe: Configure advertised speeds correctly for KR/KX backplane
- ixgbe: fix AER error handling
- ixgbe: handle close/suspend race with netif_device_detach/present
- ixgbe: Fix reporting of 100Mb capability
- ixgbe: Reduce I2C retry count on X550 devices
- ixgbe: add mask for 64 RSS queues
- ixgbe: do not disable FEC from the driver
- [mips*] End asm function prologue macros with .insn
- [mips*] init: Ensure bootmem does not corrupt reserved memory
- [mips*] init: Ensure reserved memory regions are not added to bootmem
- [mips*] traps: Ensure L1 & L2 ECC checking match for CM3 systems
- crypto: dh - Don't permit 'p' to be 0
- crypto: dh - Don't permit 'key' or 'g' size longer than 'p'
- USB: usbfs: compute urb->actual_length for isochronous
- usb: gadget: f_fs: Fix use-after-free in ffs_free_inst
- USB: serial: garmin_gps: fix I/O after failed probe and remove
- USB: serial: garmin_gps: fix memory leak on probe errors
- [x86] MCE/AMD: Always give panic severity for UC errors in kernel context
- brcmfmac: don't preset all channels as disabled
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.65
- tcp_nv: fix division by zero in tcpnv_acked()
- net: vrf: correct FRA_L3MDEV encode type
- tcp: do not mangle skb->cb[] in tcp_make_synack()
- netfilter/ipvs: clear ipvs_property flag when SKB net namespace changed
- bonding: discard lowest hash bit for 802.3ad layer3+4
- net: cdc_ether: fix divide by 0 on bad descriptors (CVE-2017-16649)
- net: qmi_wwan: fix divide by 0 on bad descriptors (CVE-2017-16650)
- qmi_wwan: Add missing skb_reset_mac_header-call
- net: usb: asix: fill null-ptr-deref in asix_suspend (CVE-2017-16647)
- vlan: fix a use-after-free in vlan_device_event()
- af_netlink: ensure that NLMSG_DONE never fails in dumps
- sctp: do not peel off an assoc from one netns to another one
(CVE-2017-15115)
- net/sctp: Always set scope_id in sctp_inet6_skb_msgname
- crypto: dh - fix memleak in setkey
- crypto: dh - Fix double free of ctx->p
- ima: do not update security.ima if appraisal status is not INTEGRITY_PASS
- [armhf] serial: omap: Fix EFR write on RTS deassertion
- serial: 8250_fintek: Fix finding base_port with activated SuperIO
- ocfs2: fix cluster hang after a node dies
- ocfs2: should wait dio before inode lock in ocfs2_setattr()
- ipmi: fix unsigned long underflow
- mm/page_alloc.c: broken deferred calculation
- coda: fix 'kernel memory exposure attempt' in fsync
- mm/pagewalk.c: report holes in hugetlb ranges
[ Ben Hutchings ]
* [armhf] dts: exynos: Add dwc3 SUSPHY quirk (Closes: #843448)
* [mips*] Remove pt_regs adjustments in indirect syscall handler
(Closes: #867358)
* [arm64] brcmfmac: Enable BRCMFMAC_SDIO (Closes: #877911)
* l2tp: Ignore ABI change
* [armel,armhf] mbus: Ignore ABI change
* usb: gadget: Ignore ABI change
* [s390x] mm: Avoid ABI change in 4.9.52
* mac80211: Avoid ABI change in 4.9.53
* mmc: sdio: Avoid ABI change in 4.9.54
* KEYS: Limit ABI change in 4.9.59
* netfilter: nat: Avoid ABI change in 4.9.63
* mm/page_alloc: Avoid ABI change in 4.9.65
* Revert "phy: increase size of MII_BUS_ID_SIZE and bus_id" to avoid ABI
change
* Revert "bpf: one perf event close won't free bpf program attached ..." to
avoid ABI change
* [rt] Add new signing subkey for Steven Rostedt
* [rt] Update to 4.9.61-rt52:
- Revert "pci: Use __wake_up_all_locked in pci_unblock_user_cfg_access()"
- drivers/zram: fix zcomp_stream_get() smp_processor_id() use in
preemptible code
- fs/dcache: disable preemption on i_dir_seq's write side
- tpm_tis: fix stall after iowrite*()s
- fs: convert two more BH_Uptodate_Lock related bitspinlocks
- locking/rt-mutex: fix deadlock in device mapper / block-IO
- md/raid5: do not disable interrupts
* mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack
(Closes: #865416)
* mm/mmap.c: expand_downwards: don't require the gap if !vm_prev
* mmap: Remember the MAP_FIXED flag as VM_FIXED
* [x86] mmap: Add an exception to the stack gap for Hotspot JVM compatibility
(Closes: #865303)
[ Salvatore Bonaccorso ]
* media: cx231xx-cards: fix NULL-deref on missing association descriptor
(CVE-2017-16536)
* mm, thp: Do not make page table dirty unconditionally in touch_p[mu]d()
(CVE-2017-1000405)
-- Ben Hutchings <ben(a)decadent.org.uk> Sat, 02 Dec 2017 15:53:59 +0000
--- Changes for openssh (openssh-client openssh-server openssh-sftp-server) ---
openssh (1:7.4p1-10+deb9u2) stretch; urgency=medium
* Test configuration before starting or reloading sshd under systemd
(closes: #865770).
* Adjust compatibility patterns for WinSCP to correctly identify versions
that implement only the legacy DH group exchange scheme (closes:
#877800).
* Make "--" before the hostname terminate argument processing after the
hostname too (closes: #873201).
-- Colin Watson <cjwatson(a)debian.org> Sat, 18 Nov 2017 09:37:22 +0000
--- Changes for publicsuffix ---
publicsuffix (20171028.2055-0+deb9u1) stable; urgency=medium
* new upstream publicsuffix data
-- Daniel Kahn Gillmor <dkg(a)fifthhorseman.net> Mon, 13 Nov 2017 00:50:12 +0800
publicsuffix (20170910.1557-0+deb9u1) stable; urgency=medium
* new upstream publicsuffix data
-- Daniel Kahn Gillmor <dkg(a)fifthhorseman.net> Thu, 19 Oct 2017 02:20:46 -0400
--- Changes for python2.7 (libpython2.7 libpython2.7-dev libpython2.7-minimal libpython2.7-stdlib python2.7 python2.7-dev python2.7-minimal) ---
python2.7 (2.7.13-2+deb9u2) stretch; urgency=medium
* Backport c3c9db89273fabc62ea1b48389d9a3000c1c03ae to address
CVE-2017-1000158 / https://bugs.python.org/issue30657
-- Moritz Mühlenhoff <jmm(a)debian.org> Fri, 24 Nov 2017 18:33:09 +0100
python2.7 (2.7.13-2+deb9u1) stretch; urgency=medium
* Non-maintainer upload with maintainer's permission
* Support all groups in TLS communication (Closes: #868143)
-- Kurt Roeckx <kurt(a)roeckx.be> Thu, 09 Nov 2017 21:58:19 +0100
--- Changes for spamassassin (sa-compile spamassassin spamc) ---
spamassassin (3.4.1-6+deb9u1) stretch; urgency=medium
* Ensure that spamd doesn't automatically start upon initial
installation.
* Disable bb.barracudacentral.org (RCVD_IN_BRBL_LASTEXT), as it requires
users to register. (Closes: #861671)
* Update the systemd unit file to use the same pid file as was
used in the sysvinit script. (Closes: #808804)
* Update spamassassin docs to remove outdated gpg version
compatibility note. (Closes: #853913)
* Update systemd unit dependencies to include network and syslog.
(Closes: 864810)
* Fix inappropriate invocation of invoke-rc.d in cron script.
(Closes: 865514)
* Fix spamd service manage on upgrades. (Closes: #865356)
-- Noah Meyerhans <noahm(a)debian.org> Sun, 19 Nov 2017 10:43:02 -0800
--- Changes for sqlite3 (libsqlite3-0) ---
sqlite3 (3.16.2-5+deb9u1) stretch; urgency=medium
* Fix CVE-2017-10989, heap-based buffer over-read via undersized RTree
blobs (closes: #867618).
-- Laszlo Boszormenyi (GCS) <gcs(a)debian.org> Tue, 03 Oct 2017 16:13:44 +0000
--- Changes for zsh ---
zsh (5.3.1-4+b2) stretch; urgency=low, binary-only=yes
* Binary-only non-maintainer upload for amd64; no source changes.
* Rebuild against current stretch to pick up ncurses security fixes in zsh-static
-- amd64 Build Daemon (binet) <buildd-binet(a)buildd.debian.org> Sun, 19 Nov 2017 21:10:07 +0000
========================================================================
You can perform the upgrade by issuing the command:
apt-get dist-upgrade
as root on
quigon.federez.net
--
apticron