-------------------------------------------------------------------------
Debian Stable Updates Announcement SUA 85-1       https://www.debian.org/
debian-release@lists.debian.org                          Adam D. Barratt
August 31st, 2015
-------------------------------------------------------------------------

Upcoming Debian 7 Update (7.9)

An update to Debian 7 is scheduled for Saturday, September 5th, 2015. As
of now it will include the following bug fixes. They can be found in
"wheezy-proposed-updates", which is carried by all official mirrors.

Please note that packages published through security.debian.org are not
listed, but will be included if possible. Some of the updates below are
also already available through "wheezy-updates".

Testing and feedback would be appreciated. Bugs should be filed in the
Debian Bug Tracking System, but please make the Release Team aware of
them by copying "debian-release@lists.debian.org" on your mails.

The point release will also include a rebuild of debian-installer.

Miscellaneous Bug Fixes
-----------------------

This oldstable update adds a few important corrections to the following
packages:

Package                     Reason

amd64-microcode             Update included microcode
base-files                  Update for the point release
bley                        Remove dnsbl.ahbl.org from the default
                            configuration, as it has been shut down
clamav                      New upstream release; fix division by zero and
                            pointer arithmetic overflow in the bundled
                            libmspack
commons-httpclient          Fix incomplete fix for CVE-2012-6153 issue with
                            CN checking [CVE-2014-3577]
conky                       Declare Breaks+Replaces relationship against
                            conky (<< 1.8.0-1) to fix the upgrade path from
                            Lenny to Squeeze and then Wheezy
debian-security-support     Add package to wheezy
debmirror                   Support "new" Contents file location; support
                            HTTPS; add --keyring, --include-field and
                            --exclude-field options
debootstrap                 Add support for Stretch; resolve mount point
                            symlinks relative to the target chroot before
                            unmounting them
didjvu                      Fix insecure temp file use when calling c44
exactimage                  Fix integer overflow in the ljpeg_start function
                            in dcraw [CVE-2015-3885]
frogr                       Use SSL endpoints for Flickr API; fix crash in
                            gcrypt
gamera                      Fix insecure temp file use [CVE-2014-1937]
gnome-shell                 Fix week number computation
hp2xx                       Fix crashes
httpcomponents-client       Fix check that the server hostname matches the
                            domain name in the subject's CN field
                            [CVE-2012-6153, CVE-2014-3577]
ikiwiki                     Fix XSS in openid selector; backport blogspam
                            plugin from experimental, because the version
                            in wheezy is no longer usable
intel-microcode             Update included microcode
ircd-hybrid                 Disable SSL3 to mitigate the POODLE attack
lame                        Check for invalid input sample rate and number
                            of channels; avoid malformed WAV causing
                            floating point exception; fix check for sample
                            rate ratio being an integer
lcms                        Repack to remove non-free test files and colour
                            profiles; fix DoS [CVE-2013-4160]
libdatetime-timezone-perl   New upstream release
libdbd-pg-perl              Fix interoperability problem between wheezy
                            clients and newer PostgreSQL versions
libfcgi                     Avoid stack-smashing by using poll() rather
                            than select()
libraw                      Fix integer overflow in the ljpeg_start function
                            [CVE-2015-3885]
linux                       Update to stable release 3.2.68; drm, agp:
                            update to 3.4.106; [rt] update to 3.2.68-rt99
linux-ftpd-ssl              Fix "NLST of empty directory results in
                            segfault"
maven                       Use HTTPS by default to download artifacts from
                            the Maven Central repository
mdbtools                    Fix overflow in some memo fields and output of
                            binary data
mediatomb                   Disable user interface by default
mercurial                   Fix "errors in handling case-sensitive
                            directories allow for remote code execution on
                            pull" [CVE-2014-9390]
mozilla-noscript            Fix enumeration of scripts with Iceweasel >= 35
netcf                       Fix ipcalc_netmask; prevent a memory leak when
                            listing interfaces
open-vm-tools               Handle structure changes in newer kernel
                            releases (d_alias to d_u.d_alias)
openafs                     Fix the kernel module build when d_alias is in
                            the d_u union; fix potential file corruption of
                            mmapped files
opencv                      Update license information for the gpu module
openvswitch                 Fix build of openvswitch-datapath-dkms
osc                         Fix shell injection [CVE-2015-0778]
partconf                    Exclude CD/DVD drives from partition search
pdf2djvu                    Fix insecure temp file use when calling c44
pgbouncer                   Fix remote crash: invalid packet order causes
                            lookup of NULL pointer [CVE-2015-4054]
phpbb3                      Fix CSRF vulnerability [CVE-2015-1432] and CSS
                            injection [CVE-2015-1431]; fix possible
                            redirect vulnerability [CVE-2015-3880]
policyd-weight              Remove use of obsolete rhsbl.ahbl.org RBL;
                            update list of default RBLs in the manpage to
                            match reality
postgresql-9.1              New upstream release
rawtherapee                 Fix dcraw input sanitization errors
                            [CVE-2015-3885]
spamassassin                Remove references to ahbl.org DNSBL, which has
                            ceased operation
ssl-cert                    Use SHA2 for newly generated certificates; set
                            umask so that the generated key is not briefly
                            world-readable while make-ssl-cert runs
sudo                        Recognize lenny and squeeze unmodified sudoers
                            to avoid dpkg questions about modified
                            conffiles on upgrades to wheezy
tcllib                      Fix XSS vulnerability in the html module for
                            <textarea/> elements
tomcat7                     Fix FTBFS error by making sure SSL unit tests
                            use TLS protocols; re-generate expired test
                            certificates
tzdata                      New upstream release
unrar-nonfree               Fix a symlink directory traversal vulnerability
unzip                       Fix "unzip thinks some files are symlinks",
                            buffer overflow and crash in zipinfo
user-mode-linux             Rebuild against current kernel
vigor                       Use libc's regex routines rather than the
                            bundled ones, to avoid needing to apply
                            security patches independently
vpim                        Build for ruby 1.9 (Wheezy's default version)
wesnoth-1.10                Disallow inclusion of .pbl files from WML
                            [CVE-2015-5069, CVE-2015-5070]
wireless-regdb              Update included data

A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <https://release.debian.org/proposed-updates/oldstable.html>

Removed packages
----------------

The following packages will be removed due to circumstances beyond our
control:

Package                     Reason

cia-clients                 Useless as cia.vc is gone
get-iplayer                 Broken by content provider changes
typo3-src                   No longer supported

If you encounter any issues, please don't hesitate to get in touch with
the Debian Release Team at "debian-release@lists.debian.org".
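The ssl-cert entry above describes a short window during which a freshly generated private key is world-readable, and the didjvu, gamera and pdf2djvu entries concern insecure temporary file use. The following is an added example, not code from this announcement or from the ssl-cert package: it places the racy create-then-chmod pattern beside the umask-first pattern that removes the window. The private key is simulated by an empty file under a fresh mktemp directory, the racy case sets the conventional default umask of 022 explicitly so its result does not depend on the caller's environment, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Debian announcement or of ssl-cert.
# Shows why the umask has to be restricted before a key file is written,
# rather than fixing permissions afterwards. The "key" is an empty file
# created under a directory from mktemp -d, so nothing real is touched.

# Weak pattern: write the key under the usual umask of 022 (set explicitly
# here), then chmod it. Prints the mode the key had at creation time, i.e.
# what any other local user could see between the two commands.
racy_keygen() {
    dir=$(mktemp -d) || return 1
    key="$dir/key.pem"
    ( umask 022; : > "$key" )        # stand-in for openssl writing the key
    mode=$(stat -c %a "$key")        # observed before chmod runs
    chmod 600 "$key"                 # too late: the file was already 644
    rm -rf "$dir"
    echo "$mode"
}

# Fixed pattern: restrict the umask in a subshell before the key file
# exists, so there is no moment at which group or others can read it.
# Prints the mode the key had at creation time.
safe_keygen() {
    dir=$(mktemp -d) || return 1
    key="$dir/key.pem"
    ( umask 077; : > "$key" )        # owner-only from the first byte
    mode=$(stat -c %a "$key")
    rm -rf "$dir"
    echo "$mode"
}

# Helper for the checks below: prints 1 if a three-digit octal mode grants
# any permission to group or others, 0 if it is owner-only.
others_can_access() {
    case "$1" in
        ?00) echo 0 ;;
        *)   echo 1 ;;
    esac
}
```

The exposure in the racy version is the interval between file creation and chmod; a process that opens the key in that interval keeps its descriptor after the mode change. Restricting the umask in a subshell keeps the change local to the key-writing step. `stat -c %a` is the GNU coreutils form; on BSD-derived systems the equivalent is `stat -f %Lp`.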