-------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 85-1 https://www.debian.org/
debian-release@lists.debian.org Adam D. Barratt
August 31st, 2015
-------------------------------------------------------------------------

Upcoming Debian 7 Update (7.9)

An update to Debian 7 is scheduled for Saturday, September 5th, 2015. As
of now it will include the following bug fixes. They can be found in
"wheezy-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "wheezy-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of
them by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bug Fixes
-----------------------

This oldstable update adds a few important corrections to the following
packages:

Package                     Reason

amd64-microcode             Update included microcode
base-files                  Update for the point release
bley                        Remove dnsbl.ahbl.org from the default
                            configuration, as it's been shut down
clamav                      New upstream release; fix division by zero and
                            pointer arithmetic overflow in the bundled
                            libmspack
commons-httpclient          Fix incomplete fix for CVE-2012-6153 issue with
                            CN checking [CVE-2014-3577]
conky                       Declare Breaks+Replaces relationship against
                            conky (<< 1.8.0-1) to fix upgrade path from
                            Lenny to Squeeze and then Wheezy
debian-security-support     Add package to wheezy
debmirror                   Support "new" Contents file location; support
                            HTTPS; add --keyring, --include-field and
                            --exclude-field options
debootstrap                 Add support for Stretch; resolve mount point
                            symlinks relative to the target chroot before
                            unmounting them
didjvu                      Fix insecure temp file use when calling c44
exactimage                  Fix integer overflow in the ljpeg_start function
                            in dcraw [CVE-2015-3885]
frogr                       Use SSL endpoints for Flickr API; fix crash in
                            gcrypt
gamera                      Fix insecure temp file use [CVE-2014-1937]
gnome-shell                 Fix week number computation
hp2xx                       Fix crashes
httpcomponents-client       Fix check that the server hostname matches the
                            domain name in the subject's CN field
                            [CVE-2012-6153, CVE-2014-3577]
ikiwiki                     Fix XSS in openid selector; backport blogspam
                            plugin from experimental, because the version in
                            wheezy is no longer usable
intel-microcode             Update included microcode
ircd-hybrid                 Disable SSL3 to mitigate against the POODLE
                            attack
lame                        Check for invalid input sample rate and number
                            of channels, avoid malformed wav causing floating
                            point exception, fix check for sample rate ratio
                            being an integer
lcms                        Repack to remove non-free test files and colour
                            profiles; fix DoS [CVE-2013-4160]
libdatetime-timezone-perl   New upstream release
libdbd-pg-perl              Fix interoperability problem between wheezy
                            clients and newer PostgreSQL versions
libfcgi                     Avoid stack-smashing by using poll() rather than
                            select()
libraw                      Fix integer overflow in the ljpeg_start function
                            [CVE-2015-3885]
linux                       Update to stable release 3.2.68; drm, agp:
                            Update to 3.4.106; [rt] Update to 3.2.68-rt99
linux-ftpd-ssl              Fix "NLST of empty directory results in
                            segfault"
maven                       Use HTTPS by default to download artifacts from
                            the Maven Central repository
mdbtools                    Fix overflow in some memo fields and output of
                            binary data
mediatomb                   Disable user interface by default
mercurial                   Fix "errors in handling case-sensitive
                            directories allow for remote code execution on
                            pull" [CVE-2014-9390]
mozilla-noscript            Fix enumeration of scripts with Iceweasel >= 35
netcf                       Fix ipcalc_netmask; prevent a memory leak when
                            listing interfaces
open-vm-tools               Handle structure changes in newer kernel
                            releases (d_alias to d_u.d_alias)
openafs                     Fix the kernel module build when d_alias is in
                            the d_u union; fix potential file corruption of
                            mmapped files
opencv                      Update license information for the gpu module
openvswitch                 Fix build of openvswitch-datapath-dkms
osc                         Fix shell injection [CVE-2015-0778]
partconf                    Exclude CD/DVD drives from partition search
pdf2djvu                    Fix insecure temp file use when calling c44
pgbouncer                   Fix remote crash - invalid packet order causes
                            lookup of NULL pointer [CVE-2015-4054]
phpbb3                      Fix CSRF vulnerability [CVE-2015-1432] and CSS
                            injection [CVE-2015-1431]; fix possible redirect
                            vulnerability [CVE-2015-3880]
policyd-weight              Remove use of obsolete rhsbl.ahbl.org RBL;
                            update list of default RBLs in the manpage to
                            match reality
postgresql-9.1              New upstream release
rawtherapee                 Fix dcraw input sanitization errors
                            [CVE-2015-3885]
spamassassin                Remove references to ahbl.org DNSBL, which has
                            ceased operation
ssl-cert                    Use SHA2 for newly generated certificates; set
                            umask to make sure that the generated key is not
                            world-readable for a short timespan while
                            make-ssl-cert runs
sudo                        Recognize lenny and squeeze unmodified sudoers
                            to avoid dpkg questions about modified conffiles
                            on upgrades to wheezy
tcllib                      Fix XSS vulnerability in the html module for
                            <textarea/> elements
tomcat7                     Fix FTBFS error by making sure SSL unit tests
                            use TLS protocols; re-generate expired test
                            certificates
tzdata                      New upstream release
unrar-nonfree               Fix a symlink directory traversal vulnerability
unzip                       Fix "unzip thinks some files are symlinks",
                            buffer overflow and crash in zipinfo
user-mode-linux             Rebuild against current kernel
vigor                       Use libc's regex routines rather than the
                            bundled ones, to avoid needing to apply security
                            patches independently
vpim                        Build for ruby 1.9 (Wheezy's default version)
wesnoth-1.10                Disallow inclusion of .pbl files from WML
                            [CVE-2015-5069, CVE-2015-5070]
wireless-regdb              Update included data

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

<https://release.debian.org/proposed-updates/oldstable.html>

Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                     Reason

cia-clients                 Useless as cia.vc is gone
get-iplayer                 Broken by content provider changes
typo3-src                   No longer supported

If you encounter any issues, please don't hesitate to get in touch with
the Debian Release Team at "debian-release@lists.debian.org".