1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
|
<define-tag pagetitle>Debian GNU/Linux 4.0 updated</define-tag>
<define-tag release_date>2010-05-22</define-tag>
#use wml::debian::news
# $Id$
<define-tag release>4.0</define-tag>
<define-tag codename>etch</define-tag>
<define-tag revision>4.0r9</define-tag>
<define-tag dsa>
<tr><td align="center"><a href="$(HOME)/security/%0/dsa-%1">DSA-%1</a></td>
<td align="center"><:
my @p = ();
for my $p (split (/,\s*/, "%2")) {
push (@p, sprintf ('<a href="https://packages.debian.org/src:%s">%s</a>', $p, $p));
}
print join (", ", @p);
:></td><td align="left">%3</td></tr>
</define-tag>
<define-tag correction>
<tr><td><a href="https://packages.debian.org/src:%0">%0</a></td> <td>%1</td></tr>
</define-tag>
<define-tag srcpkg><a href="https://packages.debian.org/src:%0">%0</a></define-tag>
<p>The Debian project is pleased to announce the ninth and final update of
its oldstable distribution Debian GNU/Linux <release> (codename <codename>).</p>
<p>This update incorporates all security updates which have been released
for the oldstable release since the previous point release, with one
exception which it was unfortunately not possible to include, together
with a few adjustments to serious problems.</p>
<p><b>PLEASE NOTE:</b> Security support for the oldstable distribution <a
href="https://www.debian.org/News/2010/20100121">ended in
February 2010</a> and no updates have been released since that point.</p>
<p>Those who frequently install updates from security.debian.org won't
have to update many packages and most updates from security.debian.org
are included in this update.</p>
<p>New CD and DVD images containing updated packages and the regular
installation media accompanied with the package archive respectively
will be available soon at the regular locations.</p>
<p>Upgrading to this revision online is usually done by pointing the
aptitude (or apt) package tool (see the sources.list(5) manual page) to
one of Debian's many FTP or HTTP mirrors. A comprehensive list of
mirrors is available at:</p>
<div class="center">
<url "https://www.debian.org/distrib/ftplist">
</div>
<p>Please note that the oldstable distribution will be moved from the main
archive to the archive.debian.org repository after June 6th 2010.
After this move, it will no longer be available from the main mirror
network. More information about the distribution archive and a list of
mirrors is available at:</p>
<div class="center">
<url "https://www.debian.org/distrib/archive">
</div>
<h2>Miscellaneous Bugfixes</h2>
<p>This oldstable update adds a few important corrections to the following
packages:</p>
<table border=0>
<tr><th>Package</th> <th>Reason</th></tr>
<Correction backup-manager "Fix disclosure of MySQL passwords to local users">
<Correction binutils "Add mips support for ".set symbol,value" gas syntax">
<Correction fam "Fix 100% CPU usage in famd">
<Correction fetchmail "Fix potential MITM against APOP and potential DoS">
<Correction freedoom "Remove copyright-violating material">
<Correction glibc "Fix incorrect libc6-amd64 dependency">
<Correction gnupg "Fix memory leak and cleanup terminal on interrupt">
<Correction irssi "Fix out of bounds access">
<Correction kazehakase "Disallow adding bookmarks for data:/javascript: URIs">
<Correction linux-2.6 "Several vulnerabilities">
<Correction linux-2.6.24 "Several vulnerabilities">
<Correction mksh "Fix unauthenticated local privilege escalation">
<Correction mt-daapd "Update the embedded prototype.js to fix security issues">
<Correction openafs "Don't create invalid pointers to kernel memory when handling errors">
<Correction openssl "Deprecate MD2 hash signatures and fix several DoS vulnerabilities">
<Correction serveez "Fix remote buffer overflow">
<Correction tetex-bin "Don't fail when LaTeX is more than five years old">
<Correction texlive-bin "Don't fail when LaTeX is more than five years old">
<Correction texlive-extra "Don't fail when LaTeX is more than five years old">
<Correction texlive-lang "Don't fail when LaTeX is more than five years old">
<Correction wordpress "Fix DoS via long title and specially constructed charset parameter">
<Correction xcftools "Fix crash with files containing negative co-ordinates">
</table>
<h2>Debian Installer</h2>
<p>The Debian Installer has been updated in this point release to offer
better support for installation of the "oldstable" distribution and
from archive.debian.org and to resolve issues with checking the GPG
signatures of some files on mirror servers.</p>
<p>The kernel image used by the installer has been updated to incorporate
a number of important and security-related fixes.</p>
<h2>Security Updates</h2>
<p>This revision adds the following security updates to the oldstable
release. The Security Team has already released an advisory for each
of these updates:</p>
<table border=0>
<tr><th>Advisory ID</th> <th>Package</th> <th>Correction(s)</th></tr>
<dsa 2008 1617 refpolicy "Incompatible policy from previous DSA">
<dsa 2008 1622 newsx "Arbitrary code execution">
<dsa 2009 1748 libsoup "Arbitrary code execution">
<dsa 2009 1754 roundup "Privilege escalation">
<dsa 2009 1761 moodle "File disclosure">
<dsa 2009 1762 icu "Cross site scripting">
<dsa 2009 1763 openssl "Denial of service">
<dsa 2009 1763 openssl097 "Denial of service">
<dsa 2009 1765 horde3 "Several vulnerabilities">
<dsa 2009 1766 krb5 "Several vulnerabilities">
<dsa 2009 1767 multipath-tools "Denial of service">
<dsa 2009 1768 openafs "Arbitrary code execution">
<dsa 2009 1770 imp4 "Cross-site scripting">
<dsa 2009 1771 clamav "Several vulnerabilities">
<dsa 2009 1772 udev "Privilege escalation">
<dsa 2009 1773 cupsys "Arbitrary code execution">
<dsa 2009 1775 php-json-ext "Denial of service">
<dsa 2009 1777 git-core "Privilege escalation">
<dsa 2009 1779 apt "Several vulnerabilities">
<dsa 2009 1780 libdbd-pg-perl "Arbitrary code execution">
<dsa 2009 1781 ffmpeg "Arbitrary code execution">
<dsa 2009 1782 mplayer "Arbitrary code execution">
<dsa 2009 1783 mysql-dfsg-5.0 "Several vulnerabilities">
<dsa 2009 1784 freetype "Arbitrary code execution">
<dsa 2009 1786 acpid "Denial of service">
<dsa 2009 1787 linux-2.6.24 "Several vulnerabilities">
<dsa 2009 1789 php5 "Several vulnerabilities">
<dsa 2009 1790 xpdf "Several vulnerabilities">
<dsa 2009 1793 kdegraphics "Several vulnerabilities">
<dsa 2009 1794 user-mode-linux "Several vulnerabilities">
<dsa 2009 1794 fai-kernels "Several vulnerabilities">
<dsa 2009 1794 linux-2.6 "Several vulnerabilities">
<dsa 2009 1796 libwmf "Denial of service">
<dsa 2009 1798 pango1.0 "Arbitrary code execution">
<dsa 2009 1799 qemu "Several vulnerabilities">
<dsa 2009 1801 ntp "Buffer overflows allowing DoS or code execution">
<dsa 2009 1802 squirrelmail "Code execution vulnerability in map_yp_alias function">
<dsa 2009 1803 nsd "Denial of service">
<dsa 2009 1804 ipsec-tools "Denial of service">
<dsa 2009 1805 gaim "Several vulnerabilities">
<dsa 2009 1806 cscope "Arbitrary code execution">
<dsa 2009 1807 cyrus-sasl2 "Fixes arbitrary code execution">
<dsa 2009 1810 cupsys "Denial of service">
<dsa 2009 1810 libapache-mod-jk "Information disclosure">
<dsa 2009 1812 apr-util "Several vulnerabilities">
<dsa 2009 1813 evolution-data-server "Regressions in previous security update">
<dsa 2009 1814 libsndfile "Arbitrary code execution">
<dsa 2009 1816 apache2 "Privilege escalation">
<dsa 2009 1816 apache2-mpm-itk "Rebuild against apache2 2.2.3-4+etch8">
<dsa 2009 1818 gforge "Insufficient input sanitising">
<dsa 2009 1819 vlc "Several vulnerabilities">
<dsa 2009 1824 phpmyadmin "Several vulnerabilities">
<dsa 2009 1825 nagios2 "Arbitrary code execution">
<dsa 2009 1826 eggdrop "Several vulnerabilities">
<dsa 2009 1829 sork-passwd-h3 "Regression in previous security update">
<dsa 2009 1832 camlimages "Arbitrary code execution">
<dsa 2009 1833 dhcp3 "Arbitrary code execution">
<dsa 2009 1834 apache2 "Denial of service">
<dsa 2009 1834 apache2-mpm-itk "Denial of service">
<dsa 2009 1835 tiff "Several vulnerabilities">
<dsa 2009 1837 dbus "Denial of service">
<dsa 2009 1839 gst-plugins-good0.10 "Arbitrary code execution">
<dsa 2009 1841 git-core "Denial of service">
<dsa 2009 1842 openexr "Several vulnerabilities">
<dsa 2009 1847 bind9 "Denial of service">
<dsa 2009 1848 znc "Remote code execution">
<dsa 2009 1849 xml-security-c "Signature forgery">
<dsa 2009 1850 libmodplug "Arbitrary code execution">
<dsa 2009 1851 gst-plugins-bad0.10 "Arbitrary code execution">
<dsa 2009 1852 fetchmail "SSL certificate verification weakness">
<dsa 2009 1853 memcached "Arbitrary code execution">
<dsa 2009 1854 apr-util "Arbitrary code execution">
<dsa 2009 1854 apr "Arbitrary code execution">
<dsa 2009 1855 subversion "Arbitrary code execution">
<dsa 2009 1857 camlimages "Arbitrary code execution">
<dsa 2009 1858 imagemagick "Several vulnerabilities">
<dsa 2009 1859 libxml2 "Several issues">
<dsa 2009 1860 ruby1.8 "Several issues">
<dsa 2009 1860 ruby1.9 "Several issues">
<dsa 2009 1861 libxml "Several issues">
<dsa 2009 1863 zope2.9 "Arbitrary code execution">
<dsa 2009 1865 fai-kernels "Several vulnerabilities">
<dsa 2009 1865 user-mode-linux "Several vulnerabilities">
<dsa 2009 1866 kdegraphics "Several vulnerabilities">
<dsa 2009 1867 kdelibs "Several vulnerabilities">
<dsa 2009 1869 curl "SSL certificate verification weakness">
<dsa 2009 1871 wordpress "Regression fix">
<dsa 2009 1872 fai-kernels "Several vulnerabilities">
<dsa 2009 1872 user-mode-linux "Several vulnerabilities">
<dsa 2009 1877 mysql-dfsg-5.0 "Arbitrary code execution">
<dsa 2009 1878 devscripts "Remote code execution">
<dsa 2009 1880 openoffice.org "Arbitrary code execution">
<dsa 2009 1882 xapian-omega "Cross-site scripting">
<dsa 2009 1883 nagios2 "Several cross-site scriptings">
<dsa 2009 1884 nginx "Arbitrary code execution">
<dsa 2009 1888 openssl "Deprecate MD2 hash signatures and fix several DoS vulnerabilities">
<dsa 2009 1888 openssl097 "Deprecate MD2 hash signatures">
<dsa 2009 1889 icu "Security bypass due to multibyte sequence parsing">
<dsa 2009 1890 wxwindows2.4 "Arbitrary code execution">
<dsa 2009 1890 wxwidgets2.6 "Arbitrary code execution">
<dsa 2009 1891 changetrack "Arbitrary code execution">
<dsa 2009 1892 dovecot "Arbitrary code execution">
<dsa 2009 1893 cyrus-imapd-2.2 "Arbitrary code execution">
<dsa 2009 1893 kolab-cyrus-imapd "Arbitrary code execution">
<dsa 2009 1894 newt "Arbitrary code execution">
<dsa 2009 1896 opensaml "Potential code execution">
<dsa 2009 1896 shibboleth-sp "Potential code execution">
<dsa 2009 1897 horde3 "Arbitrary code execution">
<dsa 2009 1898 openswan "Denial of service">
<dsa 2009 1899 strongswan "Denial of service">
<dsa 2009 1900 postgresql-7.4 "Various problems">
<dsa 2009 1900 postgresql-8.1 "Various problems">
<dsa 2009 1901 mediawiki1.7 "Several vulnerabilities">
<dsa 2009 1902 elinks "Arbitrary code execution">
<dsa 2009 1903 graphicsmagick "Several vulnerabilities">
<dsa 2009 1904 wget "SSL certificate verification weakness">
<dsa 2009 1909 postgresql-ocaml "Missing escape function">
<dsa 2009 1910 mysql-ocaml "Missing escape function">
<dsa 2009 1911 pygresql "Missing escape function">
<dsa 2009 1912 camlimages "Arbitrary code execution">
<dsa 2009 1912 advi "Arbitrary code execution">
<dsa 2009 1914 mapserver "Several vulnerabilities">
<dsa 2009 1916 kdelibs "SSL certificate verification weakness">
<dsa 2009 1917 mimetex "Several vulnerabilities">
<dsa 2009 1918 phpmyadmin "Several vulnerabilities">
<dsa 2009 1919 smarty "Several vulnerabilities">
<dsa 2009 1920 nginx "Denial of service">
<dsa 2009 1921 expat "Denial of service">
<dsa 2009 1923 libhtml-parser-perl "Denial of service">
<dsa 2009 1925 proftpd-dfsg "SSL certificate verification weakness">
<dsa 2009 1926 typo3-src "Several vulnerabilities">
<dsa 2009 1928 linux-2.6.24 "Several vulnerabilities">
<dsa 2009 1929 linux-2.6 "Several vulnerabilities">
<dsa 2009 1933 cupsys "Cross-site scripting">
<dsa 2009 1934 apache2 "Several issues">
<dsa 2009 1934 apache2-mpm-itk "Several issues">
<dsa 2009 1935 gnutls13 "SSL certificate verification weakness">
<dsa 2009 1936 libgd2 "Several vulnerabilities">
<dsa 2009 1937 gforge "Cross-site scripting">
<dsa 2009 1938 php-mail "Insufficient input sanitising">
<dsa 2009 1939 libvorbis "Several vulnerabilities">
<dsa 2009 1940 php5 "Multiple issues">
<dsa 2009 1942 wireshark "Several vulnerabilities">
<dsa 2009 1943 openldap2.3 "SSL certificate verification weakness">
<dsa 2009 1944 request-tracker3.6 "Session hijack vulnerability">
<dsa 2009 1944 request-tracker3.4 "Session hijack vulnerability">
<dsa 2009 1945 gforge "Denial of service">
<dsa 2009 1946 belpic "Cryptographic weakness">
<dsa 2009 1947 shibboleth-sp "Cross-site scripting">
<dsa 2009 1948 ntp "Denial of service">
<dsa 2009 1951 firefox-sage "Insufficient input sanitizing">
<dsa 2009 1953 expat "Regression fix">
<dsa 2009 1954 cacti "Insufficient input sanitising">
<dsa 2009 1955 network-manager "Information disclosure">
<dsa 2009 1958 libtool "Privilege escalation">
<dsa 2009 1960 acpid "Weak file permissions">
<dsa 2009 1961 bind9 "Cache poisoning">
<dsa 2009 1964 postgresql-8.1 "Several vulnerabilities">
<dsa 2009 1964 postgresql-7.4 "Several vulnerabilities">
<dsa 2010 1966 horde3 "Cross-site scripting">
<dsa 2010 1968 pdns-recursor "Cache poisoning">
<dsa 2010 1969 krb5 "Denial of service">
<dsa 2010 1971 libthai "Arbitrary code execution">
<dsa 2010 1972 audiofile "Buffer overflow">
<dsa 2010 1973 glibc "Information disclosure">
<dsa 2010 1974 gzip "Arbitrary code execution">
<dsa 2010 1977 python2.4 "Several vulnerabilities">
<dsa 2010 1977 python2.5 "Several vulnerabilities">
<dsa 2010 1979 lintian "Multiple vulnerabilities">
<dsa 2010 1980 ircd-hybrid "Arbitrary code execution">
<dsa 2010 1981 maildrop "Privilege escalation">
<dsa 2010 1982 hybserv "Denial of service">
<dsa 2010 1984 libxerces2-java "Denial of service">
<dsa 2010 1985 sendmail "Insufficient input validation">
<dsa 2010 1987 lighttpd "Denial of service">
<dsa 2010 1989 fuse "Denial of service">
<dsa 2010 1991 squid3 "Denial of service">
<dsa 2010 1991 squid "Denial of service">
<dsa 2010 1992 chrony "Denial of service">
<dsa 2010 1994 ajaxterm "Session hijacking">
<dsa 2010 1995 openoffice.org "Several vulnerabilities">
<dsa 2010 1997 mysql-dfsg-5.0 "Several vulnerabilities">
<dsa 2010 2003 fai-kernels "Several vulnerabilities">
<dsa 2010 2003 user-mode-linux "Several vulnerabilities">
<dsa 2010 2003 linux-2.6 "Several vulnerabilities">
<dsa 2010 2004 linux-2.6.24 "Several vulnerabilities">
</table>
<p>Unfortunately it was not possible to include the security updates for
the lcms package in this point release due to a mismatch between the
upstream tarball used for the security update and that already present
in the oldstable distribution.</p>
<h2>Removed packages</h2>
<p>The following packages were removed due to circumstances beyond our
control:</p>
<table border=0>
<tr><th>Package</th> <th>Reason</th></tr>
<Correction destar "Security issues">
<Correction libclass-dbi-loader-relationship-perl "License problems">
<Correction libhdate-pascal "[source:hdate] Licensing issues">
<Correction loop-aes-modules-2.6-sparc32 "[source:loop-aes] Corresponding source / kernel no longer in the archive">
<Correction loop-aes-modules-2.6-sparc64 "[source:loop-aes] Corresponding source / kernel no longer in the archive">
<Correction loop-aes-modules-2.6-sparc64-smp "[source:loop-aes] Corresponding source / kernel no longer in the archive">
<Correction loop-aes-modules-2.6-vserver-sparc64 "[source:loop-aes] Corresponding source / kernel no longer in the archive">
<Correction rails "Security and usability issues">
</table>
<p>A few further packages were removed as a result, as they depend on
libclass-dbi-loader-relationship-perl; these packages are:</p>
<ul>
<li><a href="https://packages.debian.org/src:maypole">maypole</a></li>
<li><a href="https://packages.debian.org/src:maypole-authentication-usersession-cookie">maypole-authentication-usersession-cookie</a></li>
<li><a href="https://packages.debian.org/src:maypole-plugin-upload">maypole-plugin-upload</a></li>
<li><a href="https://packages.debian.org/src:memories">memories</a></li>
</ul>
<p>Additionally those parts of the libwww-search-perl and
libperl4caml-ocaml-dev packages which rely on the Google SOAP search
API (provided by libnet-google-perl) are no longer functional as the
API has been retired by Google. The remaining portions of the packages
will continue to function as before.</p>
<h2>About Debian</h2>
<p>The Debian project is an organisation of Free Software developers who
volunteer their time and effort, collaborating via the Internet.
Their tasks include maintaining and updating Debian GNU/Linux which is
a free distribution of the GNU/Linux operating system. Debian's
dedication to Free Software, its non-profit nature, and its open
development model makes it unique among GNU/Linux distributions.</p>
<h2>Contact Information</h2>
<p>For further information, please visit the Debian web pages at
<a href="$(HOME)/">https://www.debian.org/</a>, send mail to
<press@debian.org>, or contact the stable release team at
<debian-release@lists.debian.org>.</p>
|