The release mainly covers the security issues and other bug fixes, the release includes a number of security updates for Thunderbird, Symfony, XML-security-c, OpenJDK-8, samba, Wireshark and many other packages.
Important Bugfixes – Debian 9.6
apache2 – Fix DoS by worker exhaustion [CVE-2018-1333] and by continuous SETTINGS [CVE-2018-11763]; mod_proxy_fcgi: Fix segfault
dom4j – Fix XML injection attack [CVE-2018-1000632]; compile with source/target 1.5 to fix a compilation issue with String.format
firmware-nonfree – Fix security issues in Broadcom wifi firmware [CVE-2016-0801 CVE-2017-0561 CVE-2017-9417 CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080 CVE-2017-13081]; re-add transitional packages for firmware.
libmspack – Fix out-of-bounds write [CVE-2018-18584] and acceptance of blank filenames [CVE-2018-18585]
Spamassassin – New upstream release; fix denial of service [CVE-2017-15705], remote code execution [CVE-2018-11780], code injection [CVE-2018-11781] and unsafe usage of . in @INC [CVE-2016-1238]; fix spamd service management on package upgrades.
libx11 – Fix several security isses [CVE-2018-14598 CVE-2018-14599 CVE-2018-14600]
New installation images will be available soon at the regular locations.Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian’s many HTTP mirrors reads Debian announcement.