
Updated Debian 6.0: 6.0.6 released



------------------------------------------------------------------------
The Debian Project                                http://www.debian.org/
Updated Debian 6.0: 6.0.6 released                      press@debian.org
September 29th, 2012            http://www.debian.org/News/2012/20120929
------------------------------------------------------------------------

The Debian project is pleased to announce the sixth update of its
stable distribution Debian 6.0 (codename "squeeze"). This update
mainly adds corrections for security problems to the stable release,
along with a few adjustments for serious problems. Security advisories
were already published separately and are referenced where available.

Please note that this update does not constitute a new version of
Debian 6.0 but only updates some of the packages included. There is no
need to throw away 6.0 CDs or DVDs; after an installation, simply update
via an up-to-date Debian mirror so that any out-of-date packages are
updated.

Those who frequently install updates from security.debian.org won't
have to update many packages, and most updates from security.debian.org
are included in this update.

New installation media and CD and DVD images containing updated
packages will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the
aptitude (or apt) package tool (see the sources.list(5) manual page) to
one of Debian's many FTP or HTTP mirrors. A comprehensive list of
mirrors is available at:

  <http://www.debian.org/mirror/list>

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:


Package                         Reason
alpine                          Fix crash in embedded UW-IMAP copy
apache2                         mod_negotiation - fix CVE-2012-2687;
                                mod_cache - don't cache partial
                                connections; read timeouts should
                                result in a 408
automake1.10                    Fix CVE-2012-3386
automake1.11                    Fix CVE-2012-3386
automake1.7                     Fix CVE-2012-3386
automake1.9                     Fix CVE-2012-3386
base-files                      Update /etc/debian_version for the point
                                release
checkgmail                      Fix GMail authentication issues
clamav                          New upstream release
debian-archive-keyring          Add wheezy stable and archive signing
                                keys
dpkg                            Ensure a reliable unpack on SELinux
                                systems
eglibc                          Really enable
                                patches/any/cvs-dlopen-tls.diff;
                                fix FORTIFY_SOURCE format string
                                protection bypass;
                                fix a DoS in RPC implementation
emesene                         Update contact end-point to
                                local-bay.contacts.msn.com
geshi                           Fix 'Local File Inclusion Vulnerability
                                in contrib script'
gosa                            Security fix (missing escaping)
ia32-libs                       Update packages
libconfig-inifiles-perl         Fix insecure temporary file use
libgc                           Check for integer overflow in internal
                                malloc and calloc routines
libmtp                          Fix device flags for some devices; add
                                support for new devices
libxslt                         Fix CVE-2011-1202, CVE-2011-3970,
                                CVE-2012-2825
links2                          Security fixes
linux-2.6                       DRM fixes; leap second fix; security
                                fixes; various driver fixes
linux-kernel-di-amd64-2.6       Rebuild against linux-2.6 2.6.32-46
linux-kernel-di-armel-2.6       Rebuild against linux-2.6 2.6.32-46
linux-kernel-di-i386-2.6        Rebuild against linux-2.6 2.6.32-46
linux-kernel-di-ia64-2.6        Rebuild against linux-2.6 2.6.32-46
linux-kernel-di-mips-2.6        Rebuild against linux-2.6 2.6.32-46
linux-kernel-di-mipsel-2.6      Rebuild against linux-2.6 2.6.32-46
linux-kernel-di-powerpc-2.6     Rebuild against linux-2.6 2.6.32-46
linux-kernel-di-s390-2.6        Rebuild against linux-2.6 2.6.32-46
linux-kernel-di-sparc-2.6       Rebuild against linux-2.6 2.6.32-46
lockfile-progs                  Ensure the correct PID is used when
                                creating lockfiles
mysql-mmm                       Add dependency on libpath-class-perl
network-manager                 Stop allowing ad-hoc WPA networks to
                                be created; kernel bugs mean they get
                                created as open networks
nss-pam-ldapd                   Support larger gecos values;
                                reliability fixes
nvidia-graphics-drivers         Fix information leak in the kernel
                                module; fix arbitrary memory access
                                vulnerability; fix local privilege
                                escalation through VGA window
                                manipulation
nvidia-graphics-modules         Rebuild against 195.36.31-6squeeze1
                                kernel modules for security fixes;
                                rebuild to fix CVE-2012-4225
php-memcached                   Fix session.gc_maxlifetime handling
plymouth                        Fix the init script to not fail when
                                the package is removed
policyd-weight                  Remove rfc-ignorant.org RBLs (due to
                                upcoming shutdown) and
                                rbl.ipv6-world.net
postgresql-common               Do not remove the PID file after
                                SIGKILLing the postmaster in the
                                last-ditch
powertop                        Fix segfault on newer kernels with
                                large config files
publican                        Add dependency and build-dependency on
                                libio-string-perl
rstatd                          Support Linux 3.x kernels
spip                            Fix base name disclosure; security
                                fixes
tor                             New upstream; fix TLS 1.1/1.2
                                renegotiation with openssl 1.0.1;
                                fix potential DoS; fix two crashes and
                                an information disclosure issue
ttb                             Add dependency on python-glade2
vte                             Fix a memory exhaustion vulnerability
wims                            Fix installation problem
wireshark                       Fix crashes in ANSI A detector and
                                pcap / pcap-ng parsers
xserver-xorg-video-intel        UXA/glyphs: fall back instead of
                                crashing on large strings
yaws                            Fix RNG strength; fix mail config
                                loading

Security Updates
----------------

This revision adds the following security updates to the stable
release. The Security Team has already released an advisory for each of
these updates:


Advisory ID  	Package			Correction(s)
DSA-2457	iceweasel		Regression fix
DSA-2458	iceape			Regression fix
DSA-2465	php5			Multiple issues
DSA-2466	rails			Cross site scripting
DSA-2467	mahara			Insecure defaults
DSA-2468	libjakarta-poi-java	Unbounded memory allocation
DSA-2470	wordpress		Multiple issues
DSA-2471	ffmpeg			Multiple issues
DSA-2472	gridengine		Privilege escalation
DSA-2473	openoffice.org		Buffer overflow
DSA-2474	ikiwiki			Cross-site scripting
DSA-2475	openssl			Integer underflow	
DSA-2476	pidgin-otr		Format string vulnerability
DSA-2477	sympa			Authorization bypass
DSA-2478	sudo			Parsing error
DSA-2479	libxml2			Off-by-one
DSA-2480	request-tracker3.8	Regression
DSA-2481	arpwatch		Fails to drop supplementary groups
DSA-2482	libgdata		No verification of TLS certificates against system root CA
DSA-2483	strongswan		Authentication bypass
DSA-2484	nut			Denial of service
DSA-2485	imp4			Cross site scripting
DSA-2486	bind9			Denial of service
DSA-2487	openoffice.org		Buffer overflow
DSA-2488	iceweasel		Multiple issues
DSA-2489	iceape			Multiple issues
DSA-2490	nss			Denial of service
DSA-2491	postgresql-8.4		Multiple issues
DSA-2492	php5			Buffer overflow
DSA-2493	asterisk		Denial of service
DSA-2494	ffmpeg			Multiple issues
DSA-2495	openconnect		Buffer overflow
DSA-2497	quagga			Denial of service
DSA-2498	dhcpcd			Remote stack overflow
DSA-2499	icedove			Multiple issues
DSA-2500	mantis			Multiple issues
DSA-2501	xen			Multiple issues
DSA-2502	python-crypto		Programming error
DSA-2503	bcfg2			Shell command injection
DSA-2504	libspring-2.5-java	Information disclosure
DSA-2505	zendframework		Information disclosure
DSA-2506	libapache-mod-security	Modsecurity bypass
DSA-2507	openjdk-6		Multiple issues
DSA-2508	kfreebsd-8		Privilege escalation
DSA-2509	pidgin			Remote code execution
DSA-2510	extplorer		Cross-site request forgery
DSA-2511	puppet			Multiple issues
DSA-2512	mono			Missing input sanitising
DSA-2513	iceape			Multiple issues
DSA-2514	iceweasel		Multiple issues
DSA-2515	nsd3			Null pointer dereference
DSA-2516	isc-dhcp		Denial of service
DSA-2517	bind9			Denial of service
DSA-2518	krb5			Denial of service
DSA-2519	isc-dhcp		Denial of service
DSA-2520	openoffice.org		Multiple heap-based buffer overflows
DSA-2521	libxml2			Integer overflows
DSA-2522	fckeditor		Cross site scripting
DSA-2523	globus-gridftp-server	Programming error
DSA-2524	openttd			Multiple issues
DSA-2525	expat			Multiple issues
DSA-2526	libotr			Buffer overflow
DSA-2527	php5			Multiple issues
DSA-2528	icedove			Multiple issues
DSA-2529	python-django		Multiple issues
DSA-2530	rssh			Shell command injection
DSA-2531	xen			Denial of service
DSA-2532	libapache2-mod-rpaf	Denial of service
DSA-2533	pcp			Multiple issues
DSA-2534	postgresql-8.4		Multiple issues
DSA-2535	rtfm			Cross-site scripting
DSA-2536	otrs2			Cross-site scripting
DSA-2537	typo3-src		Multiple issues
DSA-2538	moin			Privilege escalation
DSA-2539	zabbix			SQL injection
DSA-2540	mahara			Cross-site scripting
DSA-2541	beaker			Information disclosure
DSA-2542	qemu-kvm		Multiple issues
DSA-2543	xen-qemu-dm-4.0		Multiple issues
DSA-2544	xen			Denial of service
DSA-2545	qemu			Multiple issues
DSA-2546	freeradius		Code execution
DSA-2547	bind9			Improper assert
DSA-2548	tor			Multiple issues
DSA-2549	devscripts		Multiple issues

Debian Installer
----------------

The installer has been rebuilt to include the fixes incorporated into
stable by the point release.

Removed packages
----------------
The following packages were removed due to circumstances beyond our
control:


Package         Reason
blockade        Non-distributable data files
kcheckgmail     Unmaintained; broken by Google changes
libtrash        Unmaintained; broken

URLs
----
The complete lists of packages that have changed with this revision:

  <http://ftp.debian.org/debian/dists/squeeze/ChangeLog>

The current stable distribution:

  <http://ftp.debian.org/debian/dists/stable/>

Proposed updates to the stable distribution:

  <http://ftp.debian.org/debian/dists/proposed-updates>

Stable distribution information (release notes, errata etc.):

  <http://www.debian.org/releases/stable/>

Security announcements and information:

  <http://security.debian.org/>

About Debian
------------
The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.

Contact Information
-------------------
For further information, please visit the Debian web pages at
http://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.
