-------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 39-1 http://www.debian.org/
debian-release@lists.debian.org Adam D. Barratt
October 14th, 2013
-------------------------------------------------------------------------
Upcoming Debian GNU/Linux 6.0 Update (6.0.8)
An update to Debian GNU/Linux 6.0 is scheduled for Saturday, October
19th, 2013. As of now it will include the following bug fixes. They can
be found in “squeeze-proposed-updates”, which is carried by all official
mirrors.
Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through “squeeze-updates”.
Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of
them by copying “debian-release@lists.debian.org” on your mails.
The point release will also include a rebuild of debian-installer.
Miscellaneous Bugfixes
----------------------
This oldstable update adds a few important corrections to the following
packages:
Package Reason
base-files Update version for point release
clamav New upstream release; security fixes
dpkg-ruby Close files once they're parsed, preventing trouble on dist-upgrades
gdm3 Fix potential security issue with partial upgrades to wheezy
graphviz Use system ltdl
grep Fix CVE-2012-5667
ia32-libs Update included packages from oldstable / security.d.o
ia32-libs-gtk Update included packages from oldstable / security.d.o
inform Remove calls to update-alternatives
ldap2dns Do not unnecessarily include /usr/share/debconf/confmodule in postinst
libapache-mod-security Fix NULL pointer dereference. CVE-2013-2765
libmodule-signature-perl CVE-2013-2145: Fixes arbitrary code execution when verifying SIGNATURE
libopenid-ruby Fix CVE-2013-1812
libspf2 IPv6 fixes
lm-sensors-3 Skip probing for EDID or graphics cards, as it might cause hardware issues
moin Do not create empty pagedir (with empty edit-log)
net-snmp Fix CVE-2012-2141
openssh Fix potential int overflow when using gssapi-with-mac authentication (CVE-2011-5000)
openvpn Fix use of non-constant-time memcmp in HMAC comparison. CVE-2013-2061
pcp Fix insecure tempfile handling
pigz Use more restrictive permissions for in-progress files
policyd-weight Remove shut-down njabl DNSBL
pyopencl Remove non-free file from examples
pyrad Use a better random number generator to prevent predictable password hashing and packet IDs (CVE-2013-0294)
python-qt4 Fix crash in uic file with radio buttons
request-tracker3.8 Move non-cache data to /var/lib
samba Fix CVE-2013-4124: Denial of service - CPU loop and memory allocation
smarty Fix CVE-2012-4437
spamassassin Remove shut-down njabl DNSBL; fix RCVD_ILLEGAL_IP to not consider 5.0.0.0/8 as invalid
sympa Fix endless loop in wwsympa while loading session data including metacharacters
texlive-extra Fix predictable temp file names in latex2man
tntnet Fix insecure default tntnet.conf
tzdata New upstream version
wv2 Really remove src/generator/generator_wword{6,8}.htm
xorg-server Link against -lbsd on kfreebsd to make MIT-SHM work with non-world-accessible segments
xview Fix alternatives handling
zabbix Fix SQL injection, zabbix_agentd DoS, possible path disclosure, field name parameter checking bypass, ability to override LDAP configuration when calling user.login via API
A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:
<http://release.debian.org/proposed-updates/oldstable.html>
Removed packages
----------------
The following packages will be removed due to circumstances beyond our
control:
Package Reason
irssi-plugin-otr Security issues
libpam-rsa Broken, causes security problems
If you encounter any issues, please don't hesitate to get in touch with
the Debian Release Team at “debian-release@lists.debian.org”.
Attachment:
signature.asc
Description: This is a digitally signed message part