[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Debian GNU/Linux 5.0 updated

The Debian Project                                 http://www.debian.org/
Debian GNU/Linux 5.0 updated                             press@debian.org
September 5th, 2009              http://www.debian.org/News/2009/20090905

Debian GNU/Linux 5.0 updated

The Debian project is pleased to announce the third update of its stable
distribution Debian GNU/Linux 5.0 (codename "lenny").  This update mainly
adds corrections for security problems to the stable release, along with
a few adjustments for serious problems.

Please note that this update does not constitute a new version of Debian
GNU/Linux 5.0 but only updates some of the packages included.  There is
no need to throw away 5.0 CDs or DVDs but only to update via an up-to-
date Debian mirror after an installation, to cause any out of date
packages to be updated.

Those who frequently install updates from security.debian.org won't have
to update many packages and most updates from security.debian.org are
included in this update.

New CD and DVD images containing updated packages and the regular
installation media accompanied with the package archive respectively will
be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the
aptitude (or apt) package tool (see the sources.list(5) manual page) to
one of Debian's many FTP or HTTP mirrors.  A comprehensive list of
mirrors is available at:


Miscellaneous Bugfixes

This stable update adds a few important corrections to the following

    Package                                      Reason

    avelsieve                     Allow last filter to be deleted and fix interoperability with dovecot
    base-files                    Update /etc/debian_version to reflect the point release
    burn                          Properly escape filenames and more securely handle subprocess arguments
    ffmpeg-debian                 Support reading large metadata in flac decoder
    firmware-nonfree              Add firmware-bnx2x package
    freedoom                      Remove copyright-violating material
    ganeti                        Fix hvmloader path to match Lenny's xen-utils-3.2-1
    geoip                         Add versioned Replaces to avoid issues with upgrades from etch
    gthumb                        Fix treating symlinked directories contents as duplicated
    heartbeat                     Fix syntax error, IPv6 /64 prefixes and etch to lenny upgrades
    irssi                         Fix out of bounds access
    kernel-wedge                  Include bnx2x driver if available
    libcompress-raw-bzip2-perl    CVE-2009-1884: fix off-by-one error in bzinflate()
    libcompress-raw-zlib-perl     CVE-2009-1391: Fix a buffer overflow in inflate()
    libio-socket-ssl-perl         Fix security vulnerability in partial hostname matching
    libpam-ssh                    Fix user enumeration issue
    linux-2.6                     Several fixes and increased hardware support
    linux-kernel-di-alpha-2.6     Rebuild against linux-2.6 kernel 2.6.26-19
    linux-kernel-di-amd64-2.6     Rebuild against linux-2.6 kernel 2.6.26-19
    linux-kernel-di-arm-2.6       Rebuild against linux-2.6 kernel 2.6.26-19
    linux-kernel-di-armel-2.6     Rebuild against linux-2.6 kernel 2.6.26-19
    linux-kernel-di-hppa-2.6      Rebuild against linux-2.6 kernel 2.6.26-19
    linux-kernel-di-i386-2.6      Rebuild against linux-2.6 kernel 2.6.26-19
    linux-kernel-di-ia64-2.6      Rebuild against linux-2.6 kernel 2.6.26-19
    linux-kernel-di-mips-2.6      Rebuild against linux-2.6 kernel 2.6.26-19
    linux-kernel-di-mipsel-2.6    Rebuild against linux-2.6 kernel 2.6.26-19
    linux-kernel-di-powerpc-2.6   Rebuild against linux-2.6 kernel 2.6.26-19
    linux-kernel-di-s390-2.6      Rebuild against linux-2.6 kernel 2.6.26-19
    linux-kernel-di-sparc-2.6     Rebuild against linux-2.6 kernel 2.6.26-19
    mod-wsgi                      Incorporate upstream bug-fix releases (including several potential crash or memory leak bugs)
    multipath-tools               Fix crash on shutdown
    nexuiz-data                   Disable message about new upstream versions
    openafs                       Don't create invalid pointers to kernel memory when handling errors
    openssl                       Fix several vulnerabilities
    perl                          Fix a memory leak, buffer overflow (CVE-2009-1391) and replaces/conflicts package name typo
    pidgin                        Properly enforce the "require SSL/TLS" option on older XMPP servers
    postgrey                      Update whitelist; include wider Google entry
    python-django                 Fix aribtrary filesystem access via crafted URLs
    python-numpy                  Fix incorrect symlink to include file
    python-support                Ignore lines starting "import" when parsing .pth files
    request-tracker3.6            Only allow SuperUsers to edit global RT at a Glance
    spamassassin                  Stop using cybersquatted open-whois.org RBL
    stardict                      Disable network dictionary plugin (CVE-2009-2260)
    subversion                    Fix mail header formatting in commit-email.pl hook
    texlive-base                  Don't fail when LaTeX is five years old; blacklist lamsarrow.sty and include fixed font metrics
    texlive-bin                   Fix error with configuring when included files are five years old
    texlive-extra                 Don't fail when LaTeX is five years old
    texlive-lang                  Don't fail when LaTeX is five years old
    tor                           Fix DoS and another potential security issue
    transmission                  Fix segfault and generation of invalid filenames
    tzdata                        Update Cairo DST for Ramadan
    udev                          Update several rules and add backported fixes
    user-mode-linux               Rebuild against linux-source-2.6.26 (2.6.26-19)
    wordpress                     Fix password reset procedure
    xcftools                      Fix crash with files containing negative co-ordinates
    xfce4-dict                    Don't create zombie processes
    xfce4-weather-plugin          Use weather.com API key so that results are returned again
    xorg                          Fix grave bug in postinst maintainer script which could lead to empty xorg configuration files
    znc                           Fix crash if a user is deleted whilst connecting to a server

New version of debian-installer

The installer has been updated to incorporate the new kernels released 
with this point release, adding support for new network hardware, and to 
fix a segfault early in the boot process of installations for the S/390 

Security Updates

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these

    Advisory ID    Package                 Correction(s)

    DSA-1813       evolution-data-server   Regressions in previous security update
    DSA-1816       apache2                 Privilege escalation
    DSA-1816       apache2-mpm-itk         Privilege escalation
    DSA-1826       eggdrop                 Several vulnerabilities
    DSA-1827       ipplan                  Cross-site scripting
    DSA-1828       ocsinventory-agent      Arbitrary code execution
    DSA-1829       sork-passwd-h3          Cross-site scripting
    DSA-1830       icedove                 Several vulnerabilities
    DSA-1831       djbdns                  Privilege escalation
    DSA-1832       camlimages              Arbitrary code execution
    DSA-1833       dhcp3                   Arbitrary code execution
    DSA-1834       apache2                 Denial of service
    DSA-1834       apache2-mpm-itk         Denial of service
    DSA-1838       pulseaudio              Privilege escalation
    DSA-1840       xulrunner               Several vulnerabilities
    DSA-1842       openexr                 Several vulnerabilities
    DSA-1843       squid3                  Denial of service
    DSA-1845       user-mode-linux         Several vulnerabilities
    DSA-1846       kvm                     Denial of service
    DSA-1847       bind9                   Denial of service
    DSA-1848       znc                     Remote code execution
    DSA-1851       gst-plugins-bad0.10     Arbitrary code execution
    DSA-1852       fetchmail               SSL certificate verification weakness
    DSA-1853       memcached               Arbitrary code execution
    DSA-1854       apr                     Arbitrary code execution
    DSA-1854       apr-util                Arbitrary code execution
    DSA-1855       subversion              Arbitrary code execution
    DSA-1856       mantis                  Information leak
    DSA-1857       camlimages              Arbitrary code execution
    DSA-1858       imagemagick             Several vulnerabilities
    DSA-1859       libxml2                 Several issues
    DSA-1860       ruby1.8                 Several issues
    DSA-1865       user-mode-linux         Several vulnerabilities
    DSA-1867       kdelibs                 Several vulnerabilities
    DSA-1869       curl                    SSL certificate verification weakness
    DSA-1870       pidgin                  Insufficient input sanitization
    DSA-1871       wordpress               Several vulnerabilities
    DSA-1873       xulrunner               Spoofing vulnerabilities
    DSA-1874       nss                     Several vulnerabilities
    DSA-1875       ikiwiki                 Information disclosure
    DSA-1876       dnsmasq                 Remote code execution
    DSA-1877       mysql-dfsg-5.0          Arbitrary code execution

Removed packages

The following packages were removed due to circumstances beyond our

    Package                    Reason

    sabayon                     very buggy; unsuitable for a stable release


The complete lists of packages that have changed with this revision:


The current stable distribution:


Proposed updates to the stable distribution:


stable distribution information (release notes, errata etc.):


Security announcements and information:


About Debian

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian GNU/Linux.

Contact Information

For further information, please visit the Debian web pages at
<http://www.debian.org/>, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.

Reply to: