Debian 9.5 released with the fix for a number of security issues including Spectre and the update covers other Miscellaneous Bugfixes.
The release is not completely a new version of Debian 9, it includes only the updates for some of the packages and users can upgrade to the current versions using an up-to-date Debian mirror.
According to Debian release notes users “who install updates from security.debian.org won’t have to update many packages, and most such updates are included in the point release. New installation images will be available soon at the regular locations.”
Updated Debian 9: 9.5 released https://t.co/nnof1UzAk1
— The Debian Project (@debian) July 14, 2018
Here you can find the comprehensive list of HTTP mirrors.
Debian 9.5 Released – Important Bugfixes
adminer: Don’t allow connections to privileged ports [CVE-2018-7667]
apache2: high memory usage and potential crash [CVE-2018-1302];
blktrace: Fix buffer overflow in btt [CVE-2018-10689]
faad2: Fix several DoS issues via crafted MP4 files [CVE-2017-9218 CVE-2017-9219 CVE-2017-9220 CVE-2017-9221 CVE-2017-9222 CVE-2017-9223 CVE-2017-9253 CVE-2017-9254 CVE-2017-9255 CVE-2017-9256 CVE-2017-9257]
file: Avoid reading past the end of buffer [CVE-2018-10360]
freedink-dfarc: Fix directory traversal in D-Mod extractor [CVE-2018-0496]
ghostscript: Fix segfault with fuzzing file in gxht_thresh_image_init(); fix buffer overflow in fill_threshold_buffer [CVE-2016-10317]; pdfwrite – Guard against trying to output an infinite number [CVE-2018-10194]
git-annex: Security fixes [CVE-2018-10857 CVE-2018-10859]
intel-microcode: Update included microcode, including fixes for Spectre v2 [CVE-2017-5715]
libextractor: Various security fixes [CVE-2017-15266 CVE-2017-15267 CVE-2017-15600 CVE-2017-15601 CVE-2017-15602 CVE-2017-15922 CVE-2017-17440]
liblouis: Fix buffer overflow [CVE-2018-11410]; fix several buffer overflows [CVE-2018-11440 CVE-2018-11577 CVE-2018-11683 CVE-2018-11684 CVE-2018-11685 2018-12085]
miniupnpd: Fix DoS [CVE-2017-1000494]
patch: Fix arbitrary command execution in ed-style patches [CVE-2018-1000156]
salt: Fix salt-ssh minion copied over configuration from the Salt Master without adjusting permissions [CVE-2017-8109]
xapian-core: Fix MSet::snippet() to escape HTML in all cases [CVE-2018-499]
xerces-c: Fix Denial of Service via external DTD reference [CVE-2017-12627]