1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
|
<define-tag pagetitle>Updated Debian GNU/Linux: 5.0.8 released</define-tag>
<define-tag release_date>2011-01-22</define-tag>
#use wml::debian::news
# $Id:
<define-tag release>5.0</define-tag>
<define-tag codename>lenny</define-tag>
<define-tag revision>5.0.8</define-tag>
<define-tag dsa>
<tr><td align="center"><a href="$(HOME)/security/%0/dsa-%1">DSA-%1</a></td>
<td align="center"><:
my @p = ();
for my $p (split (/,\s*/, "%2")) {
push (@p, sprintf ('<a href="https://packages.debian.org/src:%s">%s</a>', $p, $p));
}
print join (", ", @p);
:></td><td align="left">%3</td></tr>
</define-tag>
<define-tag correction>
<tr><td><a href="https://packages.debian.org/src:%0">%0</a></td> <td>%1</td></tr>
</define-tag>
<define-tag srcpkg><a href="https://packages.debian.org/src:%0">%0</a></define-tag>
<p>The Debian project is pleased to announce the eighth update of its
stable distribution Debian GNU/Linux 5.0 (codename <q><codename></q>).
This update mainly adds corrections for security problems to the stable release,
along with a few adjustment to serious problems.</p>
<p>Please note that this update does not constitute a new version of Debian
GNU/Linux 5.0 but only updates some of the packages included. There is
no need to throw away 5.0 CDs or DVDs but only to update via an
up-to-date Debian mirror after an installation, to cause any out of date
packages to be updated.</p>
<p>Those who frequently install updates from security.debian.org won't have
to update many packages and most updates from security.debian.org are
included in this update.</p>
<p>New CD and DVD images containing updated packages and the regular
installation media accompanied with the package archive respectively will
be available soon at the regular locations.</p>
<p>Upgrading to this revision online is usually done by pointing the
aptitude (or apt) package tool (see the sources.list(5) manual page) to
one of Debian's many FTP or HTTP mirrors. A comprehensive list of
mirrors is available at:</p>
<div class="center">
<a href="$(HOME)/mirror/list">http://www.debian.org/mirror/list</a>
</div>
<h2>Miscellaneous Bugfixes</h2>
<p>This stable update adds a few important corrections to the following
packages:</p>
<table border=0>
<tr><th>Package</th> <th>Reason</th></tr>
<correction awstats "Fix directory traversal via crafted LoadPlugin directory">
<correction base-files "Update debian_version for the point release">
<correction boxbackup "Reduce root CA expiration date to avoid overflow in 2038">
<correction git-core "Fix cross-site scripting vulnerability">
<correction gquilt "Insecure setting of PYTHONPATH">
<correction hamlib "Use system libltdl rather than an internal copy vulnerable to CVE-2009-3736">
<correction ia32-libs "Refresh with new packages from lenny and lenny-security">
<correction ia32-libs-gtk "Refresh with new packages from lenny and lenny-security">
<correction ldap-account-manager "Fix upgrades from lenny by dropping master password debconf question">
<correction libcgi-pm-perl "Fix header-parsing related security issues">
<correction libcgi-simple-perl "Fix header-parsing related security issues">
<correction libgadu "Fix memory corruption when removing dcc7 sessions">
<correction man-db "Suppress locale warnings when being run from a dpkg maintainer script">
<correction mediawiki "Deny framing on most pages to minimise risk of clickjacking">
<correction movabletype-opensource "Fix various XSS and SQL security issues">
<correction mumble "Don't make configuration file world-readable; delete /var/lib/mumble-server on purge">
<correction opensc "Protect against buffer overflow from rogue cards">
<correction perl "Fix header-parsing related security bugs; update to Safe-2.25">
<correction postgresql-8.3 "New upstream bugfix release">
<correction spamassassin "Update list of ARIN netblock delegations to avoid false positives in RelayEval">
<correction splashy "Modify lsb-base-logging.sh to avoid issues if splashy is removed but not purged">
<correction surfraw "Update Debian security-tracker URL">
<correction user-mode-linux "Rebuild against linux-source-2.6.26 (2.6.26-26lenny1)">
<correction xdigger "Fix buffer overflow errors">
</table>
<h2>Security Updates</h2>
<p>This revision adds the following security updates to the stable
release. The Security Team has already released an advisory for each of
these updates:</p>
<table border=0>
<tr><th>Advisory ID</th> <th>Package</th> <th>Correction(s)</th></tr>
<dsa 2010 2110 linux-2.6 "Several issues">
<dsa 2010 2122 glibc "Privilege escalation">
<dsa 2010 2126 linux-2.6 "Several issues">
<dsa 2010 2127 wireshark "Denial of service">
<dsa 2010 2128 libxml2 "Potential code execution">
<dsa 2010 2129 krb5 "Checksum verification weakness">
<dsa 2010 2130 bind9 "Denial of service">
<dsa 2010 2131 exim4 "Remote code execution">
<dsa 2010 2132 xulrunner "Several vulnerabilities">
<dsa 2010 2133 collectd "Denial of service">
<dsa 2010 2135 xpdf "Several vulnerabilities">
<dsa 2010 2136 tor "Potential code execution">
<dsa 2010 2137 libxml2 "Several vulnerabilities">
<dsa 2010 2138 wordpress "SQL injection">
<dsa 2010 2139 phpmyadmin "Several vulnerabilities">
<dsa 2011 2140 libapache2-mod-fcgid "Stack overflow">
<dsa 2011 2141 apache2 "Add backward compatibility options when used with new openssl">
<dsa 2011 2141 nss "Protocol design flaw">
<dsa 2011 2141 apache2-mpm-itk "Rebuild with apache2-src 2.2.9-10+lenny9">
<dsa 2011 2141 openssl "Protocol design flaw">
<dsa 2011 2141 lighttpd "Compatibility problem with updated openssl">
<dsa 2011 2142 dpkg "Directory traversal">
<dsa 2011 2143 mysql-dfsg-5.0 "Several vulnerabilities">
<dsa 2011 2144 wireshark "Buffer overflow">
<dsa 2011 2145 libsmi "Buffer overflow">
<dsa 2011 2146 mydms "Directory traversal problem">
<dsa 2011 2147 pimd "Insecure temporary files">
<dsa 2011 2148 tor "Several vulnerabilities">
</table>
<h2>Removed packages</h2>
<p>The following packages were removed due to circumstances beyond our
control:</p>
<table border=0>
<tr><th>Package</th> <th>Reason</th></tr>
<correction pytris "security issues; abandoned upstream">
<correction python-gendoc "broken with python >= 2.5">
<correction clive "completely broken">
<correction gmailfs "broken due to gmail changes; abandoned upstream">
<correction python-libgmail "broken due to gmail changes; abandoned upstream">
</table>
<h2>URLs</h2>
<p>The complete lists of packages that have changed with this
revision:</p>
<div class="center">
<url "http://ftp.debian.org/debian/dists/<downcase <codename>>/ChangeLog">
</div>
<p>The current stable distribution:</p>
<div class="center">
<url "http://ftp.debian.org/debian/dists/stable/">
</div>
<p>Proposed updates to the stable distribution:</p>
<div class="center">
<url "http://ftp.debian.org/debian/dists/proposed-updates">
</div>
<p>Stable distribution information (release notes, errata etc.):</p>
<div class="center">
<a
href="$(HOME)/releases/stable/">http://www.debian.org/releases/stable/</a>
</div>
<p>Security announcements and information:</p>
<div class="center">
<a href="$(HOME)/security/">http://security.debian.org/</a>
</div>
<h2>About Debian</h2>
<p>The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian GNU/Linux.</p>
<h2>Contact Information</h2>
<p>For further information, please visit the Debian web pages at <a
href="$(HOME)/">http://www.debian.org/</a>, send mail to
<press@debian.org>, or contact the stable release team at
<debian-release@lists.debian.org>.</p>
|
