
Debian GNU/Linux 4.0 updated



-------------------------------------------------------------------------
The Debian Project                                 http://www.debian.org/
Debian GNU/Linux 4.0 updated                             press@debian.org
May 22nd, 2010                   http://www.debian.org/News/2010/20100522
-------------------------------------------------------------------------

Debian GNU/Linux 4.0 updated

The Debian project is pleased to announce the ninth and final update of
its oldstable distribution Debian GNU/Linux 4.0 (codename "etch").

This update incorporates all security updates which have been released
for the oldstable release since the previous point release, with one
exception (the lcms package, see below) which it was unfortunately not
possible to include, together with a few adjustments to serious problems.

PLEASE NOTE: Security support for the oldstable distribution ended in
February 2010 [1] and no updates have been released since that point.

  1: http://www.debian.org/News/2010/20100121

Those who frequently install updates from security.debian.org won't
have to update many packages and most updates from security.debian.org
are included in this update.

New CD and DVD images containing the updated packages, and the regular
installation media accompanied by the package archive, will be
available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the
aptitude (or apt) package tool (see the sources.list(5) manual page) to
one of Debian's many FTP or HTTP mirrors.  A comprehensive list of
mirrors is available at:

    <http://www.debian.org/distrib/ftplist>

Please note that the oldstable distribution will be moved from the main
archive to the archive.debian.org repository after June 6th 2010.
After this move, it will no longer be available from the main mirror
network.  More information about the distribution archive and a list of
mirrors is available at:

    <http://www.debian.org/distrib/archive>
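As an added illustration of the two notes above (not part of the Debian
announcement itself): once etch has left the main mirror network, a
system that still points at an ordinary mirror will simply stop finding
the distribution. The shell function below rewrites a sources.list so
that every etch entry points at archive.debian.org, and comments out
the security.debian.org entry, since the announcement states that no
further security updates are published for oldstable. The sample
sources.list is constructed for the example; the function name,
the mirror hostname in the sample and the use of sed -E are this
example's own assumptions.

```sh
#!/bin/sh
# Added example, not part of the Debian announcement. It assumes a
# sources.list in the usual one-entry-per-line "deb URL suite components"
# format and a sed that understands -E (GNU sed and BSD sed both do).
#
# Usage: retarget_etch_sources <input sources.list> <output file>
retarget_etch_sources() {
    in="$1"
    out="$2"
    sed -E \
        -e 's|^(deb(-src)?[[:space:]]+http://security\.debian\.org.*)$|# \1|' \
        -e 's|^(deb(-src)?[[:space:]]+)http://[^[:space:]]*/debian/?([[:space:]]+etch)|\1http://archive.debian.org/debian/\3|' \
        "$in" > "$out"
}
# The first expression comments out the security.debian.org entry (no updates
# for etch are published there any more). The second repoints any remaining
# "deb" or "deb-src" line for the etch suite at archive.debian.org, whatever
# mirror it named before, with or without a trailing slash.

# Constructed sample input, resembling a typical etch system before the move.
SAMPLE_IN=$(mktemp)
SAMPLE_OUT=$(mktemp)
cat > "$SAMPLE_IN" <<'EOF'
deb http://ftp.debian.org/debian/ etch main contrib non-free
deb-src http://ftp.debian.org/debian/ etch main
deb http://security.debian.org/ etch/updates main contrib non-free
EOF
retarget_etch_sources "$SAMPLE_IN" "$SAMPLE_OUT"
cat "$SAMPLE_OUT"
rm -f "$SAMPLE_IN" "$SAMPLE_OUT"
```

Review the output before copying it over /etc/apt/sources.list; the
function deliberately writes to a separate file rather than editing in
place so that the original can be compared and restored.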


Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following
packages:

    Package                                      Reason

    backup-manager         Fix disclosure of MySQL passwords to local users
    binutils               Add mips support for ".set symbol,value" gas syntax
    fam                    Fix 100% CPU usage in famd
    fetchmail              Fix potential MITM against APOP and potential DoS
    freedoom               Remove copyright-violating material
    glibc                  Fix incorrect libc6-amd64 dependency
    gnupg                  Fix memory leak and cleanup terminal on interrupt
    irssi                  Fix out of bounds access
    kazehakase             Disallow adding bookmarks for data:/javascript: URIs
    linux-2.6              Several vulnerabilities
    linux-2.6.24           Several vulnerabilities
    mksh                   Fix unauthenticated local privilege escalation
    mt-daapd               Update the embedded prototype.js to fix security issues
    openafs                Don't create invalid pointers to kernel memory when handling errors
    openssl                Deprecate MD2 hash signatures and fix several DoS vulnerabilities
    serveez                Fix remote buffer overflow
    tetex-bin              Don't fail when LaTeX is more than five years old
    texlive-bin            Don't fail when LaTeX is more than five years old
    texlive-extra          Don't fail when LaTeX is more than five years old
    texlive-lang           Don't fail when LaTeX is more than five years old
    wordpress              Fix DoS via long title and specially constructed charset parameter
    xcftools               Fix crash with files containing negative co-ordinates


Debian Installer
----------------

The Debian Installer has been updated in this point release to offer
better support for installation of the "oldstable" distribution and
from archive.debian.org and to resolve issues with checking the GPG
signatures of some files on mirror servers.

The kernel image used by the installer has been updated to incorporate
a number of important and security-related fixes.


Security Updates
----------------

This revision adds the following security updates to the oldstable
release.  The Security Team has already released an advisory for each
of these updates:

    Advisory ID    Package                 Correction(s)

    DSA-1617       refpolicy               Incompatible policy from previous DSA
    DSA-1622       newsx                   Arbitrary code execution
    DSA-1748       libsoup                 Arbitrary code execution
    DSA-1754       roundup                 Privilege escalation
    DSA-1761       moodle                  File disclosure
    DSA-1762       icu                     Cross site scripting
    DSA-1763       openssl                 Denial of service
    DSA-1763       openssl097              Denial of service
    DSA-1765       horde3                  Several vulnerabilities
    DSA-1766       krb5                    Several vulnerabilities
    DSA-1767       multipath-tools         Denial of service
    DSA-1768       openafs                 Arbitrary code execution
    DSA-1770       imp4                    Cross-site scripting
    DSA-1771       clamav                  Several vulnerabilities
    DSA-1772       udev                    Privilege escalation
    DSA-1773       cupsys                  Arbitrary code execution
    DSA-1775       php-json-ext            Denial of service
    DSA-1777       git-core                Privilege escalation
    DSA-1779       apt                     Several vulnerabilities
    DSA-1780       libdbd-pg-perl          Arbitrary code execution
    DSA-1781       ffmpeg                  Arbitrary code execution
    DSA-1782       mplayer                 Arbitrary code execution
    DSA-1783       mysql-dfsg-5.0          Several vulnerabilities
    DSA-1784       freetype                Arbitrary code execution
    DSA-1786       acpid                   Denial of service
    DSA-1787       linux-2.6.24            Several vulnerabilities
    DSA-1789       php5                    Several vulnerabilities
    DSA-1790       xpdf                    Several vulnerabilities
    DSA-1793       kdegraphics             Several vulnerabilities
    DSA-1794       user-mode-linux         Several vulnerabilities
    DSA-1794       fai-kernels             Several vulnerabilities
    DSA-1794       linux-2.6               Several vulnerabilities
    DSA-1796       libwmf                  Denial of service
    DSA-1798       pango1.0                Arbitrary code execution
    DSA-1799       qemu                    Several vulnerabilities
    DSA-1801       ntp                     Buffer overflows allowing DoS or code execution
    DSA-1802       squirrelmail            Code execution vulnerability in map_yp_alias function
    DSA-1803       nsd                     Denial of service
    DSA-1804       ipsec-tools             Denial of service
    DSA-1805       gaim                    Several vulnerabilities
    DSA-1806       cscope                  Arbitrary code execution
    DSA-1807       cyrus-sasl2             Arbitrary code execution
    DSA-1810       cupsys                  Denial of service
    DSA-1810       libapache-mod-jk        Information disclosure
    DSA-1812       apr-util                Several vulnerabilities
    DSA-1813       evolution-data-server   Regressions in previous security update
    DSA-1814       libsndfile              Arbitrary code execution
    DSA-1816       apache2                 Privilege escalation
    DSA-1816       apache2-mpm-itk         Rebuild against apache2 2.2.3-4+etch8
    DSA-1818       gforge                  Insufficient input sanitising
    DSA-1819       vlc                     Several vulnerabilities
    DSA-1824       phpmyadmin              Several vulnerabilities
    DSA-1825       nagios2                 Arbitrary code execution
    DSA-1826       eggdrop                 Several vulnerabilities
    DSA-1829       sork-passwd-h3          Regression in previous security update
    DSA-1832       camlimages              Arbitrary code execution
    DSA-1833       dhcp3                   Arbitrary code execution
    DSA-1834       apache2                 Denial of service
    DSA-1834       apache2-mpm-itk         Denial of service
    DSA-1835       tiff                    Several vulnerabilities
    DSA-1837       dbus                    Denial of service
    DSA-1839       gst-plugins-good0.10    Arbitrary code execution
    DSA-1841       git-core                Denial of service
    DSA-1842       openexr                 Several vulnerabilities
    DSA-1847       bind9                   Denial of service
    DSA-1848       znc                     Remote code execution
    DSA-1849       xml-security-c          Signature forgery
    DSA-1850       libmodplug              Arbitrary code execution
    DSA-1851       gst-plugins-bad0.10     Arbitrary code execution
    DSA-1852       fetchmail               SSL certificate verification weakness
    DSA-1853       memcached               Arbitrary code execution
    DSA-1854       apr-util                Arbitrary code execution
    DSA-1854       apr                     Arbitrary code execution
    DSA-1855       subversion              Arbitrary code execution
    DSA-1857       camlimages              Arbitrary code execution
    DSA-1858       imagemagick             Several vulnerabilities
    DSA-1859       libxml2                 Several issues
    DSA-1860       ruby1.8                 Several issues
    DSA-1860       ruby1.9                 Several issues
    DSA-1861       libxml                  Several issues
    DSA-1863       zope2.9                 Arbitrary code execution
    DSA-1865       fai-kernels             Several vulnerabilities
    DSA-1865       user-mode-linux         Several vulnerabilities
    DSA-1866       kdegraphics             Several vulnerabilities
    DSA-1867       kdelibs                 Several vulnerabilities
    DSA-1869       curl                    SSL certificate verification weakness
    DSA-1871       wordpress               Regression fix
    DSA-1872       fai-kernels             Several vulnerabilities
    DSA-1872       user-mode-linux         Several vulnerabilities
    DSA-1877       mysql-dfsg-5.0          Arbitrary code
    DSA-1878       devscripts              Remote code execution
    DSA-1880       openoffice.org          Arbitrary code execution
    DSA-1882       xapian-omega            Cross-site scripting
    DSA-1883       nagios2                 Several cross-site scriptings
    DSA-1884       nginx                   Arbitrary code execution
    DSA-1888       openssl                 Deprecate MD2 hash signatures and fix several DoS vulnerabilities
    DSA-1888       openssl097              Deprecate MD2 hash signatures
    DSA-1889       icu                     Security bypass due to multibyte sequence parsing
    DSA-1890       wxwindows2.4            Arbitrary code execution
    DSA-1890       wxwidgets2.6            Arbitrary code execution
    DSA-1891       changetrack             Arbitrary code execution
    DSA-1892       dovecot                 Arbitrary code execution
    DSA-1893       cyrus-imapd-2.2         Arbitrary code execution
    DSA-1893       kolab-cyrus-imapd       Arbitrary code execution
    DSA-1894       newt                    Arbitrary code execution
    DSA-1896       opensaml                Potential code execution
    DSA-1896       shibboleth-sp           Potential code execution
    DSA-1897       horde3                  Arbitrary code execution
    DSA-1898       openswan                Denial of service
    DSA-1899       strongswan              Denial of service
    DSA-1900       postgresql-7.4          Various problems
    DSA-1900       postgresql-8.1          Various problems
    DSA-1901       mediawiki1.7            Several vulnerabilities
    DSA-1902       elinks                  Arbitrary code execution
    DSA-1903       graphicsmagick          Several vulnerabilities
    DSA-1904       wget                    SSL certificate verification weakness
    DSA-1909       postgresql-ocaml        Missing escape function
    DSA-1910       mysql-ocaml             Missing escape function
    DSA-1911       pygresql                Missing escape function
    DSA-1912       camlimages              Arbitrary code execution
    DSA-1912       advi                    Arbitrary code execution
    DSA-1914       mapserver               Several vulnerabilities
    DSA-1916       kdelibs                 SSL certificate verification weakness
    DSA-1917       mimetex                 Several vulnerabilities
    DSA-1918       phpmyadmin              Several vulnerabilities
    DSA-1919       smarty                  Several vulnerabilities
    DSA-1920       nginx                   Denial of service
    DSA-1921       expat                   Denial of service
    DSA-1923       libhtml-parser-perl     Denial of service
    DSA-1925       proftpd-dfsg            SSL certificate verification weakness
    DSA-1926       typo3-src               Several vulnerabilities
    DSA-1928       linux-2.6.24            Several vulnerabilities
    DSA-1929       linux-2.6               Several vulnerabilities
    DSA-1933       cupsys                  Cross-site scripting
    DSA-1934       apache2                 Several issues
    DSA-1934       apache2-mpm-itk         Several issues
    DSA-1935       gnutls13                SSL certificate
    DSA-1936       libgd2                  Several vulnerabilities
    DSA-1937       gforge                  Cross-site scripting
    DSA-1938       php-mail                Insufficient input sanitising
    DSA-1939       libvorbis               Several vulnerabilities
    DSA-1940       php5                    Multiple issues
    DSA-1942       wireshark               Several vulnerabilities
    DSA-1943       openldap2.3             SSL certificate
    DSA-1944       request-tracker3.6      Session hijack vulnerability
    DSA-1944       request-tracker3.4      Session hijack vulnerability
    DSA-1945       gforge                  Denial of service
    DSA-1946       belpic                  Cryptographic weakness
    DSA-1947       shibboleth-sp           Cross-site scripting
    DSA-1948       ntp                     Denial of service
    DSA-1951       firefox-sage            Insufficient input sanitising
    DSA-1953       expat                   Regression fix
    DSA-1954       cacti                   Insufficient input sanitising
    DSA-1955       network-manager         Information disclosure
    DSA-1958       libtool                 Privilege escalation
    DSA-1960       acpid                   Weak file permissions
    DSA-1961       bind9                   Cache poisoning
    DSA-1964       postgresql-8.1          Several vulnerabilities
    DSA-1964       postgresql-7.4          Several vulnerabilities
    DSA-1966       horde3                  Cross-site scripting
    DSA-1968       pdns-recursor           Cache poisoning
    DSA-1969       krb5                    Denial of service
    DSA-1971       libthai                 Arbitrary code execution
    DSA-1972       audiofile               Buffer overflow
    DSA-1973       glibc                   Information disclosure
    DSA-1974       gzip                    Arbitrary code execution
    DSA-1977       python2.4               Several vulnerabilities
    DSA-1977       python2.5               Several vulnerabilities
    DSA-1979       lintian                 Multiple vulnerabilities
    DSA-1980       ircd-hybrid             Arbitrary code execution
    DSA-1981       maildrop                Privilege escalation
    DSA-1982       hybserv                 Denial of service
    DSA-1984       libxerces2-java         Denial of service
    DSA-1985       sendmail                Insufficient input validation
    DSA-1987       lighttpd                Denial of service
    DSA-1989       fuse                    Denial of service
    DSA-1991       squid3                  Denial of service
    DSA-1991       squid                   Denial of service
    DSA-1992       chrony                  Denial of service
    DSA-1994       ajaxterm                Session hijacking
    DSA-1995       openoffice.org          Several vulnerabilities
    DSA-1997       mysql-dfsg-5.0          Several vulnerabilities
    DSA-2003       fai-kernels             Several vulnerabilities
    DSA-2003       user-mode-linux         Several vulnerabilities
    DSA-2003       linux-2.6               Several vulnerabilities
    DSA-2004       linux-2.6.24            Several vulnerabilities


Unfortunately it was not possible to include the security updates for
the lcms package in this point release due to a mismatch between the
upstream tarball used for the security update and that already present
in the oldstable distribution.


Removed packages
----------------

The following packages were removed due to circumstances beyond our
control:

    Package                                Reason

    destar                                 Security issues
    libclass-dbi-loader-relationship-perl  License problems
    libhdate-pascal                        [source:hdate] Licensing issues
    loop-aes-modules-2.6-sparc32           [source:loop-aes] Corresponding source / kernel no longer in the archive
    loop-aes-modules-2.6-sparc64           [source:loop-aes] Corresponding source / kernel no longer in the archive
    loop-aes-modules-2.6-sparc64-smp       [source:loop-aes] Corresponding source / kernel no longer in the archive
    loop-aes-modules-2.6-vserver-sparc64   [source:loop-aes] Corresponding source / kernel no longer in the archive
    rails                                  Security and usability issues

A few further packages were removed as a result, as they depend on
libclass-dbi-loader-relationship-perl; these packages are:

    maypole
    maypole-authentication-usersession-cookie
    maypole-plugin-upload
    memories


Additionally those parts of the libwww-search-perl and
libperl4caml-ocaml-dev packages which rely on the Google SOAP search
API (provided by libnet-google-perl) are no longer functional as the
API has been retired by Google.  The remaining portions of the packages
will continue to function as before.


About Debian
------------

The Debian project is an organisation of Free Software developers who
volunteer their time and effort, collaborating via the Internet.  Their
tasks include maintaining and updating Debian GNU/Linux, which is a free
distribution of the GNU/Linux operating system.  Debian's dedication to
Free Software, its non-profit nature, and its open development model
make it unique among GNU/Linux distributions.


Contact
-------

For further information, please visit the Debian web pages at
<http://www.debian.org/>, send mail to <press@debian.org>, or contact
the oldstable release team at <debian-release@lists.debian.org>.

