[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Debian GNU/Linux 5.0 updated

The Debian Project                                 http://www.debian.org/
Debian GNU/Linux 5.0 updated                             press@debian.org
January 30th, 2010               http://www.debian.org/News/2010/20100130

Debian GNU/Linux 5.0 updated

The Debian project is pleased to announce the fourth update of its stable
distribution Debian GNU/Linux 5.0 (codename "lenny").  This update mainly
adds corrections for security problems to the stable release, along with
a few adjustments for serious problems.

Please note that this update does not constitute a new version of Debian
GNU/Linux 5.0 but only updates some of the packages included.  There is
no need to throw away 5.0 CDs or DVDs but only to update via an up-to-
date Debian mirror after an installation, to cause any out of date
packages to be updated.

Those who frequently install updates from security.debian.org won't have
to update many packages and most updates from security.debian.org are
included in this update.

New CD and DVD images containing updated packages and the regular
installation media accompanied with the package archive respectively will
be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the
aptitude (or apt) package tool (see the sources.list(5) manual page) to
one of Debian's many FTP or HTTP mirrors.  A comprehensive list of
mirrors is available at:


Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

    Package                         Reason

    alien-arena                     Fix remote arbitrary code execution
    amarok                          Apply regex update to make Wikipedia tab work again
    apache2                         Several issues
    backup-manager                  Fix possible mysql password leakage to local users
    backuppc                        Prohibit editing of client name alias to avoid unauthorised file access
    base-files                      Update /etc/debian_version to reflect the point release
    choose-mirror                   Improve suite selection and validation of suites available on selected mirror
    clock-setup                     Correctly handle system dates before epoch
    consolekit                      Don't create pam-foreground-compat tag files for remote users
    debmirror                       Compress packages files using --rsyncable so they match the files from the archive
    devscripts                      Update a number of scripts to understand squeeze and lenny-backports
    dhcp3                           Fix memory leak and SIGPIPE in LDAP code
    dpkg                            Various fixes to new source package format support
    drupal6                         Fix XSS issues in Contact and Menu moduels
    fam                             Fix 100% CPU usage in famd
    fetchmail                       Fix init script dependencies; don't complain about missing configuration when disabled
    firebird2.0                     Fix DOS via malformed message
    gchempaint                      Fix segmentation fault
    gdebi                           Fix gksu call to not pass an option that the Debian package doesn't support
    geneweb                         Correctly handle database with names containing whitespace in the postinst
    ghc6                            Fix deadlock bug on 64-bit architectures
    glib2.0                         Fix g_file_copy to correctly set permissions of target files
    glibc                           Fix bug in realloc() when enlarging a memory allocation
    gnash                           Reduce messages produced by the browser plugin to avoid filling .xsession-errors
    gnome-system-tools              Don't change root's home directory when editing the user and fix group creation dialog
    haproxy                         Several stability and crash fixes
    kazehakase                      Disallow adding bookmarks for data:/javascript: URIs (CVE-2007-1084)
    killer                          Correctly handle long usernames in the ruser field
    libcgi-pm-perl                  Fix unwanted ISO-8859-1 -> UTF-8 conversion in CGI::Util::escape()
    libdbd-mysql-perl               Fix segmentation faults caused by auto_reconnect
    libdbd-pg-perl                  Correctly handle high-bit characters
    libfinance-quote-perl           Fix ordering of fields in Yahoo data
    linux-2.6                       Several corrections
    linux-kernel-di-alpha-2.6       Rebuild against linux-2.6 2.6.26-21
    linux-kernel-di-amd64-2.6       Rebuild against linux-2.6 2.6.26-21
    linux-kernel-di-arm-2.6         Rebuild against linux-2.6 2.6.26-21
    linux-kernel-di-armel-2.6       Rebuild against linux-2.6 2.6.26-21
    linux-kernel-di-hppa-2.6        Rebuild against linux-2.6 2.6.26-21
    linux-kernel-di-i386-2.6        Rebuild against linux-2.6 2.6.26-21
    linux-kernel-di-ia64-2.6        Rebuild against linux-2.6 2.6.26-21
    linux-kernel-di-mips-2.6        Rebuild against linux-2.6 2.6.26-21
    linux-kernel-di-mipsel-2.6      Rebuild against linux-2.6 2.6.26-21
    linux-kernel-di-powerpc-2.6     Rebuild against linux-2.6 2.6.26-21
    linux-kernel-di-s390-2.6        Rebuild against linux-2.6 2.6.26-21
    linux-kernel-di-sparc-2.6       Rebuild against linux-2.6 2.6.26-21
    lkl                             Rebuild to get new MD5 sum (previous sum was causing FPs from antivirus)
    movabletype-opensource          Disable mt-wizard.cgi by default
    munin                           Fix CPU usage graphs to account for changes in kernel reporting
    mysql-dfsg-5.0                  Revert "dummy thread" workaround which causes segfaults and fix crash when using GIS functions
    nss-ldapd                       Treat usernames and other lookups as case-sensitive
    openttd                         Fix remote crash vulnerability
    otrs2                           Don't globally limit MaxRequestsPerChild on Apache or reject valid domains
    partman-auto-crypto             Avoid triggering unsafe swap warning when setting up LVM
    planet-venus                    Enhance escaping of processed feeds
    proftpd-dfsg                    SSL certificate verification weakness
    pyenchant                       Make add_to_personal() work again
    python-docutils                 Fix insecure temporary file usage in reStructuredText Emacs mode
    python-xml                      Fix two denials of service
    qcontrol                        Create persistent input device to handle changes in udev 0.125-7+lenny3
    redhat-cluster                  Fix problem with resource failover
    request-tracker3.6              Session hijack vulnerability
    roundup                         Fix pagination regression caused by security fix
    samba                           Fix regression in name mangling
    serveez                         Fix remote buffer overflow
    shadow                          Fix handling of long lines in the user or group files
    spamassassin                    Don't consider dates in 2010 "grossly in the future"
    system-tools-backends           Fix regression in operation of some elements
    texlive-bin                     Fix crash with large files
    tor                             Fix crash due to race condition and update authority keys
    totem                           Update youtube plugin to match changes to the site
    tzdata                          Update timezone data
    usbutils                        Update USB IDs
    user-mode-linux                 Rebuild against linux-source-2.6.26 2.6.26-21
    vpb-driver                      Fix Asterisk crash with missing config file
    watchdog                        Ensure daemon really has ended before starting a new one
    webauth                         Avoid inadvertently including passwords in cookie test URLs
    wireshark                       Several vulnerabilities
    xfs                             Fix temporary directory usage in the init script
    xscreensaver                    Fix local screen lock bypass vulnerability

A number of packages were rebuilt on the alpha, amd64 and ia64 
architectures to incorporate the fix from the updated ghc6 package:

    alex                               arch2darcs
    bnfc                               c2hs
    dfsbuild                           drift
    cpphs                              darcs
    darcs-buildpackage                 darcs-monitor
    datapacker                         frown
    geordi                             haddock
    happy                              haskell-utils
    hat                                helium
    hmake                              hpodder
    hscolour                           lhs2tex
    kaya                               pxsl-tools
    srcinst                            uuagc
    whitespace                         xmonad

Debian Installer

The Debian Installer has been updated in this point release to offer 
better support for installation of the "oldstable" distribution and from 
archive.debian.org.  The new installer also allows the system date to be 
updated using NTP if it is before January 1st, 1970 at boot time.

The kernel image used by the installer has been updated to incorporate a 
number of important and security-related fixes together with support for 
additional hardware.

An update to the udev package in the previous point release 
unfortunately led to the LEDs and on-board buzzer of arm/armel-based 
QNAP NAS devices not operating during installs.  This is rectified in 
the new installer release.

Finally, it is once again possible to use the installer on the S/390 
architecture by booting from CD.

Security Updates

This revision adds the following security updates to the stable release.  
The Security Team has already released an advisory for each of these updates:

    Advisory ID    Package                 Correction(s)

    DSA 1796       libwmf                  Denial of service
    DSA 1825       nagios3                 Arbitrary code execution
    DSA 1835       tiff                    Several vulnerabilities
    DSA 1836       fckeditor               Arbitrary code execution
    DSA 1837       dbus                    Denial of service
    DSA 1839       gst-plugins-good0.10    Arbitrary code execution
    DSA 1849       xml-security-c          Signature forgery
    DSA 1850       libmodplug              Arbitrary code execution
    DSA 1860       ruby1.9                 Several issues
    DSA 1863       zope2.10                Arbitrary code execution
    DSA 1866       kdegraphics             Several vulnerabilities
    DSA 1868       kde4libs                Several vulnerabilities
    DSA 1878       devscripts              Remote code execution
    DSA 1879       silc-client             Arbitrary code execution
    DSA 1879       silc-toolkit            Arbitrary code execution
    DSA 1880       openoffice.org          Arbitrary code execution
    DSA 1882       xapian-omega            Cross-site scripting
    DSA 1884       nginx                   Arbitrary code execution
    DSA 1885       xulrunner               Several vulnerabilities
    DSA 1886       iceweasel               Several vulnerabilities
    DSA 1887       rails                   Cross-site scripting
    DSA 1888       openssl                 Deprecate MD2 hash signatures
    DSA 1889       icu                     Security bypass due to multibyte sequence parsing
    DSA 1890       wxwidgets2.6            Arbitrary code execution
    DSA 1890       wxwidgets2.8            Arbitrary code execution
    DSA 1891       changetrack             Arbitrary code execution
    DSA 1892       dovecot                 Arbitrary code execution
    DSA 1893       cyrus-imapd-2.2         Arbitrary code execution
    DSA 1893       kolab-cyrus-imapd       Arbitrary code execution
    DSA 1894       newt                    Arbitrary code execution
    DSA 1895       opensaml2               Interpretation conflict
    DSA 1895       shibboleth-sp2          Interpretation conflict
    DSA 1895       xmltooling              Potential code execution
    DSA 1896       opensaml                Potential code execution
    DSA 1896       shibboleth-sp           Potential code execution
    DSA 1897       horde3                  Arbitrary code execution
    DSA 1898       openswan                Denial of service
    DSA 1899       strongswan              Denial of service
    DSA 1900       postgresql-8.3          Various problems
    DSA 1903       graphicsmagick          Several vulnerabilities
    DSA 1904       wget                    SSL certificate verification weakness
    DSA 1905       python-django           Denial of service
    DSA 1907       kvm                     Several vulnerabilities
    DSA 1908       samba                   Several vulnerabilities
    DSA 1909       postgresql-ocaml        Missing escape function
    DSA 1910       mysql-ocaml             Missing escape function
    DSA 1911       pygresql                Missing escape function
    DSA 1912       advi                    Arbitrary code execution
    DSA 1912       camlimages              Arbitrary code execution
    DSA 1913       bugzilla                SQL injection
    DSA 1914       mapserver               Serveral vulnerabilities
    DSA 1915       linux-2.6               Several vulnerabilities
    DSA 1915       user-mode-linux         Several vulnerabilities
    DSA 1916       kdelibs                 SSL certificate verification weakness
    DSA 1917       mimetex                 Several vulnerabilities
    DSA 1918       phpmyadmin              Several vulnerabilities
    DSA 1919       smarty                  Several vulnerabilities
    DSA 1920       nginx                   Denial of service
    DSA 1921       expat                   Denial of service
    DSA 1922       xulrunner               Several vulnerabilities
    DSA 1923       libhtml-parser-perl     Denial of service
    DSA 1924       mahara                  Several vulnerabilities
    DSA 1925       proftpd-dfsg            SSL certificate verification weakness
    DSA 1926       typo3-src               Several vulnerabilities
    DSA 1930       drupal6                 Several vulnerabilities
    DSA 1931       nspr                    Several vulnerabilities
    DSA 1932       pidgin                  Arbitrary code execution
    DSA 1933       cups                    Cross-site scripting
    DSA 1934       apache2                 Several issues
    DSA 1934       apache2-mpm-itk         Several issues
    DSA 1935       gnutls26                SSL certificate NUL byte vulnerability
    DSA 1936       libgd2                  Several vulnerabilities
    DSA 1937       gforge                  Cross-site scripting
    DSA 1938       php-mail                Insufficient input sanitising
    DSA 1939       libvorbis               Several vulnerabilities
    DSA 1940       php5                    Multiple issues
    DSA 1941       poppler                 Several vulnerabilities
    DSA 1942       wireshark               Several vulnerabilities
    DSA 1944       request-tracker3.6      Session hijack vulnerability
    DSA 1945       gforge                  Denial of service
    DSA 1947       opensaml2               Cross-site scripting
    DSA 1947       shibboleth-sp           Cross-site scripting
    DSA 1947       shibboleth-sp2          Cross-site scripting
    DSA 1948       ntp                     Denial of service
    DSA 1949       php-net-ping            Arbitrary code execution
    DSA 1950       webkit                  Several vulnerabilities
    DSA 1951       firefox-sage            Insufficient input sanitizing
    DSA 1952       asterisk                Several vulnerabilities
    DSA 1953       expat                   Denial of service
    DSA 1954       cacti                   Insufficient input sanitising
    DSA 1956       xulrunner               Several vulnerabilities
    DSA 1957       aria2                   Arbitrary code execution
    DSA 1958       libtool                 Privilege escalation
    DSA 1959       ganeti                  Arbitrary command execution
    DSA 1960       acpid                   Weak file permissions
    DSA 1961       bind9                   Cache poisoning
    DSA 1962       kvm                     Several vulnerabilities
    DSA 1963       unbound                 DNSSEC validation
    DSA 1964       postgresql-8.3          Several vulnerabilities
    DSA 1965       phpldapadmin            Remote file inclusion
    DSA 1966       horde3                  Cross-site scripting
    DSA 1967       transmission            Directory traversal
    DSA 1968       pdns-recursor           Potential code execution
    DSA 1969       krb5                    Denial of service
    DSA 1970       openssl                 Denial of service
    DSA 1971       libthai                 Arbitrary code execution
    DSA 1972       audiofile               Buffer overflow
    DSA 1974       gzip                    Arbitrary code execution
    DSA 1976       dokuwiki                Several vulnerabilities
    DSA 1978       phpgroupware            Several vulnerabilities
    DSA 1979       lintian                 Multiple vulnerabilities
    DSA 1980       ircd-hybrid             Arbitrary code execution

Removed packages

The following packages were removed due to circumstances beyond our

    Package               Reason

    destar                Security issues; unmaintained; abandoned upstream
    electricsheep         No longer functional
    gnudip                Security issues; unmaintained; abandoned upstream
    kcheckgmail           No longer functional
    libgnucrypto-java     Security issues; obsolete

Additionally those parts of the libwww-search-perl and 
libperl4caml-ocaml-dev packages which rely on the Google SOAP search 
API (provided by libnet-google-perl) are no longer functional as the
API has been retired by Google.  The remaining portions of the
packages will continue to function as before.


The complete lists of packages that have changed with this revision:


The current stable distribution:


Proposed updates to the stable distribution:


stable distribution information (release notes, errata etc.):


Security announcements and information:


About Debian

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian GNU/Linux.

Contact Information

For further information, please visit the Debian web pages at
<http://www.debian.org/>, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>

Reply to: