1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
|
<define-tag pagetitle>Debian GNU/Linux 5.0 updated</define-tag>
<define-tag release_date>2010-01-30</define-tag>
#use wml::debian::news
# $Id$
<define-tag release>5.0</define-tag>
<define-tag codename>lenny</define-tag>
<define-tag revision>5.0.4</define-tag>
<define-tag dsa>
<tr><td align="center"><a href="$(HOME)/security/%0/dsa-%1">DSA-%1</a></td>
<td align="center"><:
my @p = ();
for my $p (split (/,\s*/, "%2")) {
push (@p, sprintf ('<a href="https://packages.debian.org/src:%s">%s</a>', $p, $p));
}
print join (", ", @p);
:></td><td align="left">%3</td></tr>
</define-tag>
<define-tag correction>
<tr><td><a href="https://packages.debian.org/src:%0">%0</a></td> <td>%1</td></tr>
</define-tag>
<define-tag srcpkg><a href="https://packages.debian.org/src:%0">%0</a></define-tag>
<p>The Debian project is pleased to announce the fourth update of its stable
distribution Debian GNU/Linux 5.0 (codename "lenny"). This update mainly
adds corrections for security problems to the stable release, along with
a few adjustments for serious problems.</p>
<p>Please note that this update does not constitute a new version of Debian
GNU/Linux <release> but only updates some of the packages included. There is
no need to throw away <release> CDs or DVDs but only to update via an up-to-date
Debian mirror after an installation, to cause any out of date packages to
be updated.</p>
<p>Those who frequently install updates from security.debian.org won't have
to update many packages and most updates from security.debian.org are
included in this update.</p>
<p>New CD and DVD images containing updated packages and the regular
installation media accompanied with the package archive respectively
will be available soon at the regular locations.</p>
<p>Upgrading to this revision online is usually done by pointing the
aptitude (or apt) package tool (see the sources.list(5) manual page) to
one of Debian's many FTP or HTTP mirrors. A comprehensive list of
mirrors is available at:</p>
<div class="center">
<a href="$(HOME)/mirror/list">https://www.debian.org/mirror/list</a>
</div>
<h2>Miscellaneous Bugfixes</h2>
<p>This stable update adds a few important corrections to the following
packages:</p>
<table border=0>
<tr><th>Package</th> <th>Reason</th></tr>
<correction alien-arena "Fix remote arbitrary code execution">
<correction amarok "Apply regex update to make Wikipedia tab work again">
<correction apache2 "Several issues">
<correction backup-manager "Fix possible mysql password leakage to local users">
<correction backuppc "Prohibit editing of client name alias to avoid unauthorised file access">
<correction base-files "Update /etc/debian_version to reflect the point release">
<correction choose-mirror "Improve suite selection and validation of suites available on selected mirror">
<correction clock-setup "Correctly handle system dates before epoch">
<correction consolekit "Don't create pam-foreground-compat tag files for remote users">
<correction debmirror "Compress packages files using --rsyncable so they match the files from the archive">
<correction devscripts "Update a number of scripts to understand squeeze and lenny-backports">
<correction dhcp3 "Fix memory leak and SIGPIPE in LDAP code">
<correction dpkg "Various fixes to new source package format support">
<correction drupal6 "Fix XSS issues in Contact and Menu modules">
<correction fam "Fix 100% CPU usage in famd">
<correction fetchmail "Fix init script dependencies; don't complain about missing configuration when disabled">
<correction firebird2.0 "Fix DOS via malformed message">
<correction gchempaint "Fix segmentation fault">
<correction gdebi "Fix gksu call to not pass an option that the Debian package doesn't support">
<correction geneweb "Correctly handle database with names containing whitespace in the postinst">
<correction ghc6 "Fix deadlock bug on 64-bit architectures">
<correction glib2.0 "Fix g_file_copy to correctly set permissions of target files">
<correction glibc "Fix bug in realloc() when enlarging a memory allocation">
<correction gnash "Reduce messages produced by the browser plugin to avoid filling .xsession-errors">
<correction gnome-system-tools "Don't change root's home directory when editing the user and fix group creation dialog">
<correction haproxy "Several stability and crash fixes">
<correction kazehakase "Disallow adding bookmarks for data:/javascript: URIs (CVE-2007-1084)">
<correction killer "Correctly handle long usernames in the ruser field">
<correction libcgi-pm-perl "Fix unwanted ISO-8859-1 -> UTF-8 conversion in CGI::Util::escape()">
<correction libdbd-mysql-perl "Fix segmentation faults caused by auto_reconnect">
<correction libdbd-pg-perl "Correctly handle high-bit characters">
<correction libfinance-quote-perl "Fix ordering of fields in Yahoo data">
<correction linux-2.6 "Several corrections">
<correction linux-kernel-di-alpha-2.6 "Rebuild against linux-2.6 2.6.26-21">
<correction linux-kernel-di-amd64-2.6 "Rebuild against linux-2.6 2.6.26-21">
<correction linux-kernel-di-arm-2.6 "Rebuild against linux-2.6 2.6.26-21">
<correction linux-kernel-di-armel-2.6 "Rebuild against linux-2.6 2.6.26-21">
<correction linux-kernel-di-hppa-2.6 "Rebuild against linux-2.6 2.6.26-21">
<correction linux-kernel-di-i386-2.6 "Rebuild against linux-2.6 2.6.26-21">
<correction linux-kernel-di-ia64-2.6 "Rebuild against linux-2.6 2.6.26-21">
<correction linux-kernel-di-mips-2.6 "Rebuild against linux-2.6 2.6.26-21">
<correction linux-kernel-di-mipsel-2.6 "Rebuild against linux-2.6 2.6.26-21">
<correction linux-kernel-di-powerpc-2.6 "Rebuild against linux-2.6 2.6.26-21">
<correction linux-kernel-di-s390-2.6 "Rebuild against linux-2.6 2.6.26-21">
<correction linux-kernel-di-sparc-2.6 "Rebuild against linux-2.6 2.6.26-21">
<correction lkl "Rebuild to get new MD5 sum (previous sum was causing FPs from antivirus)">
<correction movabletype-opensource "Disable mt-wizard.cgi by default">
<correction munin "Fix CPU usage graphs to account for changes in kernel reporting">
<correction mysql-dfsg-5.0 "Revert 'dummy thread' workaround which causes segfaults and fix crash when using GIS functions">
<correction nss-ldapd "Treat usernames and other lookups as case-sensitive">
<correction openttd "Fix remote crash vulnerability">
<correction otrs2 "Don't globally limit MaxRequestsPerChild on Apache or reject valid domains">
<correction partman-auto-crypto "Avoid triggering unsafe swap warning when setting up LVM">
<correction planet-venus "Enhance escaping of processed feeds">
<correction proftpd-dfsg "SSL certificate verification weakness">
<correction pyenchant "Make add_to_personal() work again">
<correction python-docutils "Fix insecure temporary file usage in reStructuredText Emacs mode">
<correction python-xml "Fix two denials of service">
<correction qcontrol "Create persistent input device to handle changes in udev 0.125-7+lenny3">
<correction redhat-cluster "Fix problem with resource failover">
<correction request-tracker3.6 "Session hijack vulnerability">
<correction roundup "Fix pagination regression caused by security fix">
<correction samba "Fix regression in name mangling">
<correction serveez "Fix remote buffer overflow">
<correction shadow "Fix handling of long lines in the user or group files">
<correction spamassassin "Don't consider dates in 2010 'grossly in the future'">
<correction system-tools-backends "Fix regression in operation of some elements">
<correction texlive-bin "Fix crash with large files">
<correction tor "Fix crash due to race condition and update authority keys">
<correction totem "Update youtube plugin to match changes to the site">
<correction tzdata "Update timezone data">
<correction usbutils "Update USB IDs">
<correction user-mode-linux "Rebuild against linux-source-2.6.26 2.6.26-21">
<correction vpb-driver "Fix Asterisk crash with missing config file">
<correction watchdog "Ensure daemon really has ended before starting a new one">
<correction webauth "Avoid inadvertently including passwords in cookie test URLs">
<correction wireshark "Several vulnerabilities">
<correction xfs "Fix temporary directory usage in the init script">
<correction xscreensaver "Fix local screen lock bypass vulnerability">
</table>
<p>A number of packages were rebuilt on the alpha, amd64 and ia64
architectures to incorporate the fix from the updated ghc6 package:</p>
<table border=0>
<tr><td>alex </td><td>arch2darcs</td></tr>
<tr><td>bnfc </td><td>c2hs</td></tr>
<tr><td>dfsbuild </td><td>drift</td></tr>
<tr><td>cpphs </td><td>darcs</td></tr>
<tr><td>darcs-buildpackage </td><td>darcs-monitor</td></tr>
<tr><td>datapacker </td><td>frown</td></tr>
<tr><td>geordi </td><td>haddock</td></tr>
<tr><td>happy </td><td>haskell-utils</td></tr>
<tr><td>hat </td><td>helium</td></tr>
<tr><td>hmake </td><td>hpodder</td></tr>
<tr><td>hscolour </td><td>lhs2tex</td></tr>
<tr><td>kaya </td><td>pxsl-tools</td></tr>
<tr><td>srcinst </td><td>uuagc</td></tr>
<tr><td>whitespace </td><td>xmonad</td></tr>
</table>
<h2>New version of the debian-installer</h2>
<p>The Debian Installer has been updated in this point release to offer
better support for installation of the "oldstable" distribution and from
archive.debian.org. The new installer also allows the system date to be
updated using NTP if it is before January 1st, 1970 at boot time.</p>
<p>The kernel image used by the installer has been updated to incorporate a
number of important and security-related fixes together with support for
additional hardware.</p>
<p>An update to the udev package in the previous point release
unfortunately led to the LEDs and on-board buzzer of arm/armel-based
QNAP NAS devices not operating during installs. This is rectified in
the new installer release.</p>
<p>Finally, it is once again possible to use the installer on the S/390
architecture by booting from CD.</p>
<h2>Security Updates</h2>
<p>This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:</p>
<table border=0>
<tr><th>Advisory ID</th> <th>Package</th> <th>Correction(s)</th></tr>
<dsa 2009 1796 libwmf "Denial of service">
<dsa 2009 1825 nagios3 "Arbitrary code execution">
<dsa 2009 1835 tiff "Several vulnerabilities">
<dsa 2009 1836 fckeditor "Arbitrary code execution">
<dsa 2009 1837 dbus "Denial of service">
<dsa 2009 1839 gst-plugins-good0.10 "Arbitrary code execution">
<dsa 2009 1849 xml-security-c "Signature forgery">
<dsa 2009 1850 libmodplug "Arbitrary code execution">
<dsa 2009 1860 ruby1.9 "Several issues">
<dsa 2009 1863 zope2.10 "Arbitrary code execution">
<dsa 2009 1866 kdegraphics "Several vulnerabilities">
<dsa 2009 1868 kde4libs "Several vulnerabilities">
<dsa 2009 1878 devscripts "Remote code execution">
<dsa 2009 1879 silc-client "Arbitrary code execution">
<dsa 2009 1879 silc-toolkit "Arbitrary code execution">
<dsa 2009 1880 openoffice.org "Arbitrary code execution">
<dsa 2009 1882 xapian-omega "Cross-site scripting">
<dsa 2009 1884 nginx "Arbitrary code execution">
<dsa 2009 1885 xulrunner "Several vulnerabilities">
<dsa 2009 1886 iceweasel "Several vulnerabilities">
<dsa 2009 1887 rails "Cross-site scripting">
<dsa 2009 1888 openssl "Deprecate MD2 hash signatures">
<dsa 2009 1889 icu "Security bypass due to multibyte sequence parsing">
<dsa 2009 1890 wxwidgets2.6 "Arbitrary code execution">
<dsa 2009 1890 wxwidgets2.8 "Arbitrary code execution">
<dsa 2009 1891 changetrack "Arbitrary code execution">
<dsa 2009 1892 dovecot "Arbitrary code execution">
<dsa 2009 1893 cyrus-imapd-2.2 "Arbitrary code execution">
<dsa 2009 1893 kolab-cyrus-imapd "Arbitrary code execution">
<dsa 2009 1894 newt "Arbitrary code execution">
<dsa 2009 1895 opensaml2 "Interpretation conflict">
<dsa 2009 1895 shibboleth-sp2 "Interpretation conflict">
<dsa 2009 1895 xmltooling "Potential code execution">
<dsa 2009 1896 opensaml "Potential code execution">
<dsa 2009 1896 shibboleth-sp "Potential code execution">
<dsa 2009 1897 horde3 "Arbitrary code execution">
<dsa 2009 1898 openswan "Denial of service">
<dsa 2009 1899 strongswan "Denial of service">
<dsa 2009 1900 postgresql-8.3 "Various problems">
<dsa 2009 1903 graphicsmagick "Several vulnerabilities">
<dsa 2009 1904 wget "SSL certificate verification weakness">
<dsa 2009 1905 python-django "Denial of service">
<dsa 2009 1907 kvm "Several vulnerabilities">
<dsa 2009 1908 samba "Several vulnerabilities">
<dsa 2009 1909 postgresql-ocaml "Missing escape function">
<dsa 2009 1910 mysql-ocaml "Missing escape function">
<dsa 2009 1911 pygresql "Missing escape function">
<dsa 2009 1912 advi "Arbitrary code execution">
<dsa 2009 1912 camlimages "Arbitrary code execution">
<dsa 2009 1913 bugzilla "SQL injection">
<dsa 2009 1914 mapserver "Several vulnerabilities">
<dsa 2009 1915 linux-2.6 "Several vulnerabilities">
<dsa 2009 1915 user-mode-linux "Several vulnerabilities">
<dsa 2009 1916 kdelibs "SSL certificate verification weakness">
<dsa 2009 1917 mimetex "Several vulnerabilities">
<dsa 2009 1918 phpmyadmin "Several vulnerabilities">
<dsa 2009 1919 smarty "Several vulnerabilities">
<dsa 2009 1920 nginx "Denial of service">
<dsa 2009 1921 expat "Denial of service">
<dsa 2009 1922 xulrunner "Several vulnerabilities">
<dsa 2009 1923 libhtml-parser-perl "Denial of service">
<dsa 2009 1924 mahara "Several vulnerabilities">
<dsa 2009 1925 proftpd-dfsg "SSL certificate verification weakness">
<dsa 2009 1926 typo3-src "Several vulnerabilities">
<dsa 2009 1930 drupal6 "Several vulnerabilities">
<dsa 2009 1931 nspr "Several vulnerabilities">
<dsa 2009 1932 pidgin "Arbitrary code execution">
<dsa 2009 1933 cups "Cross-site scripting">
<dsa 2009 1934 apache2 "Several issues">
<dsa 2009 1934 apache2-mpm-itk "Several issues">
<dsa 2009 1935 gnutls26 "SSL certificate NUL byte vulnerability">
<dsa 2009 1936 libgd2 "Several vulnerabilities">
<dsa 2009 1937 gforge "Cross-site scripting">
<dsa 2009 1938 php-mail "Insufficient input sanitising">
<dsa 2009 1939 libvorbis "Several vulnerabilities">
<dsa 2009 1940 php5 "Multiple issues">
<dsa 2009 1941 poppler "Several vulnerabilities">
<dsa 2009 1942 wireshark "Several vulnerabilities">
<dsa 2009 1944 request-tracker3.6 "Session hijack vulnerability">
<dsa 2009 1945 gforge "Denial of service">
<dsa 2009 1947 opensaml2 "Cross-site scripting">
<dsa 2009 1947 shibboleth-sp "Cross-site scripting">
<dsa 2009 1947 shibboleth-sp2 "Cross-site scripting">
<dsa 2009 1948 ntp "Denial of service">
<dsa 2009 1949 php-net-ping "Arbitrary code execution">
<dsa 2009 1950 webkit "Several vulnerabilities">
<dsa 2009 1951 firefox-sage "Insufficient input sanitising">
<dsa 2009 1952 asterisk "Several vulnerabilities">
<dsa 2009 1953 expat "Denial of service">
<dsa 2009 1954 cacti "Insufficient input sanitising">
<dsa 2009 1956 xulrunner "Several vulnerabilities">
<dsa 2009 1957 aria2 "Arbitrary code execution">
<dsa 2009 1958 libtool "Privilege escalation">
<dsa 2009 1959 ganeti "Arbitrary command execution">
<dsa 2009 1960 acpid "Weak file permissions">
<dsa 2009 1961 bind9 "Cache poisoning">
<dsa 2009 1962 kvm "Several vulnerabilities">
<dsa 2009 1963 unbound "DNSSEC validation">
<dsa 2009 1964 postgresql-8.3 "Several vulnerabilities">
<dsa 2010 1965 phpldapadmin "Remote file inclusion">
<dsa 2010 1966 horde3 "Cross-site scripting">
<dsa 2010 1967 transmission "Directory traversal">
<dsa 2010 1968 pdns-recursor "Potential code execution">
<dsa 2010 1969 krb5 "Denial of service">
<dsa 2010 1970 openssl "Denial of service">
<dsa 2010 1971 libthai "Arbitrary code execution">
<dsa 2010 1972 audiofile "Buffer overflow">
<dsa 2010 1974 gzip "Arbitrary code execution">
<dsa 2010 1976 dokuwiki "Several vulnerabilities">
<dsa 2010 1978 phpgroupware "Several vulnerabilities">
<dsa 2010 1979 lintian "Multiple vulnerabilities">
<dsa 2010 1980 ircd-hybrid "Arbitrary code execution">
</table>
<h2>Removed packages</h2>
<p>The following packages were removed due to circumstances beyond our
control:</p>
<table border=0>
<tr><th>Package</th> <th>Reason</th></tr>
<correction destar "Security issues; unmaintained; abandoned upstream">
<correction electricsheep "No longer functional">
<correction gnudip "Security issues; unmaintained; abandoned upstream">
<correction kcheckgmail "No longer functional">
<correction libgnucrypto-java "Security issues; obsolete">
</table>
<p>Additionally those parts of the libwww-search-perl and
libperl4caml-ocaml-dev packages which rely on the Google SOAP search
API (provided by libnet-google-perl) are no longer functional as the
API has been retired by Google. The remaining portions of the
packages will continue to function as before.</p>
<h2>URLs</h2>
<p>The complete lists of packages that have changed with this
release:</p>
<div class="center">
<url "http://ftp.debian.org/debian/dists/<downcase <codename>>/ChangeLog">
</div>
<p>The current stable distribution:</p>
<div class="center">
<url "http://ftp.debian.org/debian/dists/stable/">
</div>
<p>Proposed updates to the stable distribution:</p>
<div class="center">
<url "http://ftp.debian.org/debian/dists/proposed-updates/">
</div>
<p>Stable distribution information (release notes, errata, etc.):</p>
<div class="center">
<a
href="$(HOME)/releases/stable/">https://www.debian.org/releases/stable/</a>
</div>
<p>Security announcements and information:</p>
<div class="center">
<a href="$(HOME)/security/">http://security.debian.org/</a>
</div>
<h2>About Debian</h2>
<p>The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian GNU/Linux.</p>
<h2>Contact Information</h2>
<p>For further information, please visit the Debian web pages at
<a href="$(HOME)/">https://www.debian.org/</a>, send mail to
<press@debian.org>, or contact the stable release team at
<debian-release@lists.debian.org>.</p>
|