Debian GNU/Linux 5.0 updated

The Debian Project                                 http://www.debian.org/
Debian GNU/Linux 5.0 updated                             press@debian.org
June 26th, 2010                  http://www.debian.org/News/2010/20100626

The Debian project is pleased to announce the fifth update of its stable
distribution Debian GNU/Linux 5.0 (codename "lenny").  This update mainly
adds corrections for security problems to the stable release, along with
a few adjustments for serious problems.

Please note that this update does not constitute a new version of Debian
GNU/Linux 5.0 but only updates some of the packages included.  There is
no need to throw away 5.0 CDs or DVDs but only to update via an up-to-
date Debian mirror after an installation, to cause any out of date
packages to be updated.

Those who frequently install updates from security.debian.org won't have
to update many packages and most updates from security.debian.org are
included in this update.

New CD and DVD images containing updated packages and the regular
installation media accompanied with the package archive respectively will
be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the
aptitude (or apt) package tool (see the sources.list(5) manual page) to
one of Debian's many FTP or HTTP mirrors.  A comprehensive list of
mirrors is available at:


Miscellaneous Bugfixes

This stable update adds a few important corrections to the following

    Package                          Reason

    alien-arena                      Fix a buffer overflow and a denial of service
    apache2                          Add missing psmisc dependency; fix memory leak in brigade cleanup
    apache2-mpm-itk                  Ensure child processes get correctly reaped on reload
    apr                              Set FD_CLOEXEC on file descriptors to avoid potential leaks
    apt                              Allow Files sections to contain more than 999 characters
    base-files                       Update /etc/debian_version for the point release
    cpio                             Fix buffer overflow in rmt_read__
    dia2code                         Fix segfault parsing large files
    gtk+2.0                          Fix hang when printing large documents
    libapache-dbi-perl               Fix loading of module from Apache startup files
    libapache2-mod-perl2             Fix XSS in Apache2::Status
    libjavascript-perl               Fix segfault when calling non-existent function
    libjson-ruby                     Fix parser DoS and use libjs-prototype rather than embedding the library
    liblog-handler-perl              Add missing dependency on libuniversal-require-perl
    libmediawiki-perl                Update to match mediawiki changes
    libnamespace-clean-perl          Add missing dependency on libscope-guard-perl
    libnet-smtp-server-perl          Add missing dependency on libnet-dns-perl
    libxext                          Ensure display lock is held before calling XAllocID
    linux-2.6                        Several fixes and driver updates
    mailman                          Don't add multiple Mime-Version headers
    mpg123                           Allow modules to be located again (broken by libltdl security fix)
    nano                             Fix symlink attack and arbitrary file ownership change issue
    nfs-utils                        Update test for NFS kernel server support in init script to support partial upgrades
    nut                              Move library to /lib to allow power-down with separated /usr
    open-iscsi                       Fix temporary file vulnerability
    openssl                          Check return value of bn_wexpand() (CVE-2009-3245)
    openttd                          Fix several DoS and crash vulnerabilities
    php5                             Fix overflows, add missing sybase aliases, improve e-mail validation
    poppler                          Fix remote code execution via crafted PDF files
    postgresql-8.3                   Several vulnerabilities
    pyftpd                           Security fixes - disable default users, anonymous access and logging to /tmp
    python-support                   Use sane default umask in update-python-modules
    request-tracker3.6               Fix login problem introduced in security update
    samba                            Fix memory leaks with domain trust passwords; fix interdomain trust with Windows 2008 r2 servers
    slim                             Make magic cookie less predictable; don't save screenshots in /tmp
    sun-java5                        Update to new upstream release to fix security issues
    sun-java6                        Update to new upstream release to fix security issues
    tar                              Security fix in rmt
    texlive-bin                      Security fixes in dvips
    tla                              Fix DoS in embedded expat library
    tzdata                           Update timezone data
    usbutils                         Update USB ID list
    user-mode-linux                  Rebuild against linux-2.6 2.6.26-24
    wordpress                        Fix DoS
    xerces-c2                        Fix DoS attack with nested DTDs
    xmonad-contrib                   Fix installability on 64-bit architectures
    xserver-xorg-input-elographics   Prevent X server hangs when using the touchscreen
    xserver-xorg-video-intel         Add support for ASUS eeetop LVDS output

Note that due to problems with the package build process, updated sun-java5
and sun-java6 packages for the ia64 architecture are not included in this
point release.  These packages will be provided in proposed-updates as soon
as they are available and included in a future point release.

Kernel Updates

The kernel images included in this point release incorporate a number of
important and security-related fixes together with support for additional

On the amd64 and i386 architectures, support has been re-introduced for
automatically running the lilo bootloader when a kernel image is added,
updated or removed in order to ensure that this is correctly registered
with the bootloader.

Debian Installer

The Debian Installer has been updated in this point release to correct
an issue with the display of the "BIOS boot area" partitioner option
when using GPT partitions and to update the list of available mirror
servers for package installation.

The kernel image used by the installer has been updated to incorporate a
number of important and security-related fixes together with support for
additional hardware.

Security Updates

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these

    Advisory ID    Package                 Correction(s)

    DSA 1841       git-core                Denial of service
    DSA 1955       network-manager-applet  Information disclosure
    DSA 1973       glibc                   Information disclosure
    DSA 1977       python2.4               Several vulnerabilities
    DSA 1977       python2.5               Several vulnerabilities
    DSA 1980       ircd-ratbox             Arbitrary code execution
    DSA 1981       maildrop                Privilege escalation
    DSA 1982       hybserv                 Denial of service
    DSA 1983       wireshark               Several vulnerabilities
    DSA 1984       libxerces2-java         Denial of service
    DSA 1985       sendmail                Insufficient input validation
    DSA 1986       moodle                  Several vulnerabilities
    DSA 1987       lighttpd                Denial of service
    DSA 1988       qt4-x11                 Several vulnerabilities
    DSA 1989       fuse                    Denial of service
    DSA 1990       trac-git                Code execution
    DSA 1991       squid3                  Denial of service
    DSA 1992       chrony                  Denial of service
    DSA 1993       otrs2                   SQL injection
    DSA 1994       ajaxterm                Session hijacking
    DSA 1995       openoffice.org          Several vulnerabilities
    DSA 1996       linux-2.6               Several vulnerabilities
    DSA 1997       mysql-dfsg-5.0          Several vulnerabilities
    DSA 1998       kdelibs                 Arbitrary code execution
    DSA 1999       xulrunner               Several vulnerabilities
    DSA 2000       ffmpeg-debian           Several vulnerabilities
    DSA 2001       php5                    Multiple vulnerabilities
    DSA 2002       polipo                  Denial of service
    DSA 2004       samba                   Several vulnerabilities
    DSA 2006       sudo                    Several vulnerabilities
    DSA 2007       cups                    Arbitrary code execution
    DSA 2008       typo3-src               Several vulnerabilities
    DSA 2009       tdiary                  Cross-site scripting
    DSA 2010       kvm                     Several vulnerabilities
    DSA 2011       dpkg                    Path traversal
    DSA 2012       user-mode-linux         Several vulnerabilities
    DSA 2012       linux-2.6               Several vulnerabilities
    DSA 2013       egroupware              Several vulnerabilities
    DSA 2014       moin                    Several vulnerabilities
    DSA 2015       drbd8                   Privilege escalation
    DSA 2015       linux-modules-extra-2.6 Privilege escalation
    DSA 2016       drupal6                 Several vulnerabilities
    DSA 2017       pulseaudio              Insecure temporary directory
    DSA 2018       php5                    Null pointer dereference
    DSA 2019       pango1.0                Denial of service
    DSA 2020       ikiwiki                 Cross-site scripting
    DSA 2021       spamass-milter          Missing input sanitization
    DSA 2022       mediawiki               Several vulnerabilities
    DSA 2023       curl                    Arbitrary code execution
    DSA 2024       moin                    Cross-site scripting
    DSA 2025       icedove                 Several vulnerabilities
    DSA 2026       netpbm-free             Denial of service
    DSA 2027       xulrunner               Several vulnerabilities
    DSA 2028       xpdf                    Several vulnerabilities
    DSA 2029       imlib2                  Arbitrary code execution
    DSA 2030       mahara                  SQL injection
    DSA 2031       krb5                    Denial of service
    DSA 2032       libpng                  Several vulnerabilities
    DSA 2033       ejabberd                Denial of service
    DSA 2034       phpmyadmin              Several vulnerabilities
    DSA 2035       apache2                 Several vulnerabilities
    DSA 2036       jasper                  Denial of service
    DSA 2037       kdebase                 Privilege escalation
    DSA 2038       pidgin                  Denial of service
    DSA 2039       cacti                   Missing input sanitising
    DSA 2040       squidguard              Several vulnerabilities
    DSA 2041       mediawiki               Cross-site request forgery
    DSA 2042       iscsitarget             Arbitrary code execution
    DSA 2044       mplayer                 Arbitrary code execution
    DSA 2045       libtheora               Arbitrary code execution
    DSA 2046       phpgroupware            Several vulnerabilities
    DSA 2047       aria2                   Directory traversal
    DSA 2048       dvipng                  Arbitrary code execution
    DSA 2049       barnowl                 Arbitrary code execution
    DSA 2050       postgresql-8.3          Several vulnerabilities
    DSA 2052       krb5                    Denial of service
    DSA 2053       linux-2.6               Several issues
    DSA 2054       bind9                   Cache poisoning
    DSA 2055       openoffice.org          Arbitrary code execution
    DSA 2056       zonecheck               Cross-site scripting
    DSA 2057       mysql-dfsg-5.0          Several vulnerabilities
    DSA 2058       pcsc-lite               Privilege escalation
    DSA 2058       glibc                   Several vulnerabilities
    DSA 2060       cacti                   SQL injection
    DSA 2062       sudo                    Missing input sanitization
    DSA 2063       pmount                  Denial of service

Removed packages

The following packages were removed due to circumstances beyond our

    Package             Reason

    eclipse             incompatible with stable's xulrunner; not easily fixable
    eclipse-cdt         depends on removed eclipse
    eclipse-nls-sdk     depends on removed eclipse


The complete list of packages that have changed with this revision:


The current stable distribution:


Proposed updates to the stable distribution:


Stable distribution information (release notes, errata etc.):


Security announcements and information:


About Debian

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian GNU/Linux.

Contact Information

For further information, please visit the Debian web pages at
<http://www.debian.org/>, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.
