Security fixes
Upgrade Tor Browser to 7.0.4-build1 (Closes: #13577).
Upgrade Linux to 4.9.30-2+deb9u3.
Upgrade libtiff to 4.0.8-2+deb9u1.
Upgrade bind9 to 1:9.10.3.dfsg.P4-12.3+deb9u2.
Upgrate evince to 3.22.1-3+deb9u1.
Upgrade imagemagick 8:6.9.7.4+dfsg-11+deb9u1.
Ensure Thunderbird cleans its temporary directory. (Closes: #13340).
Minor improvements
Patch gconf to produce reproducible XML output (refs: #12738). This is
the temporary solution for #12738 in Zero Trace Pen 3.1 which will be reverted
(and fixed permanently by removing gconf) in Zero Trace Pen 3.2.
Apply Debian bts patch to cracklib to produce reproducible dictionnaries
(Closes: #12909).
Upgrade to Debian 9.1 (Closes: #13178).
Bugfixes
Replace faulty URL in htpdate neutral pool (Closes: #13472).
Keep installing a version of Enigmail compatible with Thunderbird 45.x
(Closes: #13530).
Fix the time syncing and Tor notifications translations (Closes: #13437).
Build system
Upgrade the Vagrant basebox for building ISO images to Stretch
(Closes: #11738).
Fix on-disk build by bumping Vagrant build VM memory to 768M
(Closes: #13480).
Fix rescue build option by exporting TAILS_BUILD_FAILURE_RESCUE
(Closes: #13476).
Test suite
mark gnome screenshot scenario as fragile (refs: #13458)
mark UEFI scenario as fragile (refs: #13459).