[SUA 85-1] Upcoming Debian 7 Update (7.9)

Debian Stable Updates Announcement SUA 85-1       https://www.debian.org/
debian-release@lists.debian.org                          Adam D. Barratt
August 31st, 2015

Upcoming Debian 7 Update (7.9)

An update to Debian 7 is scheduled for Saturday, September 5th, 2015. As
of now it will include the following bug fixes. They can be found in
"wheezy-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "wheezy-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of
them by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bug Fixes

This oldstable update adds a few important corrections to the following

    Package                       Reason

    amd64-microcode               Update included microcode
    base-files                    Update for the point release
    bley                          Remove dnsbl.ahbl.org from the default configuration, as it's been shut down
    clamav                        New upstream release; fix division by zero and pointer arithmetic overflow in the bundled libmspack
    commons-httpclient            Fix incomplete fix for CVE-2012-6153 issue with CN checking [CVE-2014-3577]
    conky                         Declare Breaks+Replaces relationship against conky (<< 1.8.0-1) to fix upgrade path from Lenny to Squeeze and then Wheezy
    debian-security-support       Add package to wheezy
    debmirror                     Support "new" Contents file location; support HTTPS; add --keyring, --include-field and --exclude-field options
    debootstrap                   Add support for Stretch; resolve mount point symlinks relative to the target chroot before unmounting them
    didjvu                        Fix insecure temp file use when calling c44
    exactimage                    Fix integer overflow in the ljpeg_start function in dcraw [CVE-2015-3885]
    frogr                         Use SSL endpoints for Flickr API; fix crash in gcrypt
    gamera                        Fix insecure temp file use [CVE-2014-1937]
    gnome-shell                   Fix week number computation
    hp2xx                         Fix crashes
    httpcomponents-client         Fix check that the server hostname matches domain name in the subject's CN field [CVE-2012-6153, CVE-2014-3577]
    ikiwiki                       Fix XSS in openid selector; backport blogspam plugin from experimental, because the version in wheezy is no longer usable
    intel-microcode               Update included microcode
    ircd-hybrid                   Disable SSL3 to mitigate against the POODLE attack
    lame                          Check for invalid input sample rate and number of channels, avoid malformed wav causing floating point exception, fix check for sample rate ratio being an integer
    lcms                          Repack to remove non-free test files and colour profiles; fix DoS [CVE-2013-4160]
    libdatetime-timezone-perl     New upstream release
    libdbd-pg-perl                Fix interoperability problem between wheezy clients and newer PostgreSQL versions
    libfcgi                       Avoid stack-smashing by using poll() rather than select()
    libraw                        Fix integer overflow in the ljpeg_start function [CVE-2015-3885]
    linux                         Update to stable release 3.2.68; drm, agp: Update to 3.4.106; [rt] Update to 3.2.68-rt99
    linux-ftpd-ssl                Fix "NLST of empty directory results in segfault"
    maven                         Use HTTPS by default to download artifacts from the Maven Central repository
    mdbtools                      Fix overflow in some memo fields and output of binary data
    mediatomb                     Disable user interface by default
    mercurial                     Fix "errors in handling case-sensitive directories allow for remote code execution on pull" [CVE-2014-9390]
    mozilla-noscript              Fix enumeration of scripts with Iceweasel >= 35
    netcf                         Fix ipcalc_netmask; prevent a memory leak when listing interfaces
    open-vm-tools                 Handle structure changes in newer kernel releases (d_alias to d_u.d_alias)
    openafs                       Fix the kernel module build when d_alias is in the d_u union; fix potential file corruption of mmapped files
    opencv                        Update license information for the gpu module
    openvswitch                   Fix build of openvswitch-datapath-dkms
    osc                           Fix shell injection [CVE-2015-0778]
    partconf                      Exclude CD/DVD drives from partition search
    pdf2djvu                      Fix insecure temp file use when calling c44
    pgbouncer                     Fix remote crash - invalid packet order causes lookup of NULL pointer [CVE-2015-4054]
    phpbb3                        Fix CSRF vulnerability [CVE-2015-1432] and CSS injection [CVE-2015-1431]; fix possible redirect vulnerability [CVE-2015-3880]
    policyd-weight                Remove use of obsolete rhsbl.ahbl.org RBL; update list of default RBLs in the manpage to match reality
    postgresql-9.1                New upstream release
    rawtherapee                   Fix dcraw input sanitization errors [CVE-2015-3885]
    spamassassin                  Remove references to ahbl.org DNSBL, which has ceased operation
    ssl-cert                      Use SHA2 for newly generated certificates; set umask to make sure that the generated key is not world-readable for a short timespan while make-ssl-cert runs
    sudo                          Recognize lenny and squeeze unmodified sudoers to avoid dpkg questions about modified conffiles on upgrades to wheezy
    tcllib                        Fix XSS vulnerability in the html module for <textarea/> elements
    tomcat7                       Fix FTBFS error by making sure SSL unit tests use TLS protocols; re-generate expired test certificates
    tzdata                        New upstream release
    unrar-nonfree                 Fix a symlink directory traversal vulnerability
    unzip                         Fix "unzip thinks some files are symlinks", buffer overflow and crash in zipinfo
    user-mode-linux               Rebuild against current kernel
    vigor                         Use libc's regex routines rather than the bundled ones, to avoid needing to apply security patches independently
    vpim                          Build for ruby 1.9 (Wheezy's default version)
    wesnoth-1.10                  Disallow inclusion of .pbl files from WML [CVE-2015-5069, CVE-2015-5070]
    wireless-regdb                Update included data

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:


Removed packages

The following packages will be removed due to circumstances beyond our

    Package                    Reason

    cia-clients         Useless as cia.vc is gone
    get-iplayer         Broken by content provider changes
    typo3-src           No longer supported

If you encounter any issues, please don't hesitate to get in touch with
the Debian Release Team at "debian-release@lists.debian.org".