Debian GNU/Linux 4.0 updated

December 27th, 2007

The Debian project is pleased to announce the second update of its stable distribution Debian GNU/Linux 4.0 (codename etch). This update mainly adds corrections for security problems to the stable release, along with a few adjustments for serious problems.

Please note that this update does not constitute a new version of Debian GNU/Linux 4.0 but only updates some of the packages included. There is no need to throw away 4.0 CDs or DVDs but only to update against ftp.debian.org after an installation, in order to incorporate those late changes.

Those who frequently install updates from security.debian.org will not have to update many packages, and most updates from security.debian.org are included in this update.

New CD and DVD images containing the updated packages, and the regular installation media accompanied by the package archive, will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:

http://www.debian.org/mirror/list

Debian-Installer Update

The installer has been updated to use and support the updated kernels included in this release. This change causes old netboot and floppy images to stop working; updated versions are available from the regular locations.

Other changes include stability improvements in specific situations, improved serial console support when configuring grub, and added support for SGI O2 machines with 300MHz RM5200SC (Nevada) CPUs (mips).

Miscellaneous Bugfixes

This stable update adds several binary updates for various architectures to packages whose version was not synchronised across all architectures. It also adds a few important corrections to the following packages:

Package               Reason
apache2               Fix of several CVEs
apache2-mpm-itk       Rebuild for apache2 rebuilds
boson                 Rebuild against lib3ds-dev
cdebconf              Fix of several memory leaks
debconf               Fix possible hangs during netboot installs
dosemu-freedos        Remove unused non-free code
enigmail              Fix regression introduced by icedove 1.5.0.10
fai-kernels           Recompile for Linux kernel rebuilds
findutils             Fix locate heap buffer overflow (CVE-2007-2452)
flashplugin-nonfree   New upstream release fixes security problems
glibc                 Fix nscd crash
gnome-hearts          Add missing dependency
gnome-panel           Fix authentication bypass
iceweasel-l10n        Remove roa-es-val translation and update ca package description
joystick              Bring architectures back in sync
kernel-patch-openvz   Rebuild for Debian kernel rebuild
klibc                 Fix nfsroot on mips(el)
lib3ds                Fix strict-aliasing errors
libdbi-perl           Fix potential data loss
libmarc-charset-perl  Bring architectures back in sync
libnarray-ruby        Rebuild against current ruby1.8 to fix a wrong library install directory
linux-latest-2.6      Rebuild for Linux kernel rebuild
lvm2                  Fix to work correctly with striped lvm1 metadata
mpop                  Rebuild against etch (i386 only)
multipath-tools       Change priority of initscript
opal                  Fix CVE-2007-4924
openscenegraph        Bring architectures back in sync
openvpn               Rebuild against liblzo2 to fix general protection errors
pam                   Fix CVE-2005-2977
po4a                  Fix CVE-2007-4462
postgresql-8.1        Fix regression introduced in 8.1.9
pwlib                 Fix CVE-2007-4897
pygresql              Fix package dependency on libpq
sear                  Rebuild against lib3ds-dev
tzdata                Recent timezone updates
unace                 Make program 64-bit clean
user-mode-linux       Rebuild for Debian kernel rebuild
uswsusp               Fix regression
view3ds               Rebuild against lib3ds-dev
viewcvs               Fix interoperability with etch CVS
wesnoth               Fix CVE-2007-6201

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package               Correction(s)
DSA-1288    pptpd                 Denial of service
DSA-1317    tinymux               Buffer overflow
DSA-1319    maradns               Denial of service
DSA-1320    clamav                Several vulnerabilities
DSA-1321    evolution-data-server Arbitrary code execution
DSA-1322    wireshark             Denial of service
DSA-1323    krb5                  Several vulnerabilities
DSA-1324    hiki                  Missing input sanitising
DSA-1325    evolution             Arbitrary code execution
DSA-1326    fireflier             Unsafe temporary files
DSA-1327    gsambad               Unsafe temporary files
DSA-1328    unicon                Buffer overflow
DSA-1330    php5                  Arbitrary code execution
DSA-1331    php4                  Arbitrary code execution
DSA-1332    vlc                   Arbitrary code execution
DSA-1333    curl                  Certificate handling
DSA-1335    gimp                  Arbitrary code execution
DSA-1337    xulrunner             Several vulnerabilities
DSA-1338    iceweasel             Several vulnerabilities
DSA-1339    iceape                Several vulnerabilities
DSA-1340    clamav                Denial of service
DSA-1341    bind9                 DNS cache poisoning
DSA-1342    xfs                   Privilege escalation
DSA-1343    file                  Arbitrary code execution
DSA-1344    iceweasel             Several vulnerabilities
DSA-1345    xulrunner             Several vulnerabilities
DSA-1346    iceape                Several vulnerabilities
DSA-1347    xpdf                  Arbitrary code execution
DSA-1348    poppler               Arbitrary code execution
DSA-1351    bochs                 Privilege escalation
DSA-1353    tcpdump               Arbitrary code execution
DSA-1355    kdegraphics           Arbitrary code execution
DSA-1356    linux-2.6             Several vulnerabilities
DSA-1357    koffice               Arbitrary code execution
DSA-1358    asterisk              Several vulnerabilities
DSA-1359    dovecot               Directory traversal
DSA-1360    rsync                 Arbitrary code execution
DSA-1361    postfix-policyd       Arbitrary code execution
DSA-1362    lighttpd              Several vulnerabilities
DSA-1363    linux-2.6             Several vulnerabilities
DSA-1364    vim                   Several vulnerabilities
DSA-1365    id3lib3.8.3           Denial of service
DSA-1366    clamav                Several vulnerabilities
DSA-1367    krb5                  Arbitrary code execution
DSA-1368    librpcsecgss          Arbitrary code execution
DSA-1369    gforge                SQL injection
DSA-1370    phpmyadmin            Several vulnerabilities
DSA-1371    phpwiki               Several vulnerabilities
DSA-1372    xorg-server           Privilege escalation
DSA-1373    ktorrent              Directory traversal
DSA-1374    jffnms                Several vulnerabilities
DSA-1375    OpenOffice.org        Arbitrary code execution
DSA-1376    kdebase               Authentication bypass
DSA-1377    fetchmail             Denial of service
DSA-1378    linux-2.6             Several vulnerabilities
DSA-1379    openssl               Arbitrary code execution
DSA-1380    elinks                Information disclosure
DSA-1381    linux-2.6             Several vulnerabilities
DSA-1382    quagga                Denial of service
DSA-1383    gforge                Cross-site scripting
DSA-1384    xen-utils             Several vulnerabilities
DSA-1385    xfs                   Arbitrary code execution
DSA-1386    wesnoth               Denial of service
DSA-1387    librpcsecgss          Arbitrary code execution
DSA-1388    dhcp                  Arbitrary code execution
DSA-1389    zoph                  SQL injection
DSA-1390    t1lib                 Arbitrary code execution
DSA-1391    icedove               Several vulnerabilities
DSA-1392    xulrunner             Several vulnerabilities
DSA-1393    xfce4-terminal        Arbitrary command execution
DSA-1394    reprepro              Authentication bypass
DSA-1395    xen-utils             File truncation
DSA-1396    iceweasel             Several vulnerabilities
DSA-1397    mono                  Integer overflow
DSA-1398    perdition             Arbitrary code execution
DSA-1400    perl                  Arbitrary code execution
DSA-1401    iceape                Several vulnerabilities
DSA-1402    gforge                Several vulnerabilities
DSA-1403    phpmyadmin            Cross-site scripting
DSA-1404    gallery2              Privilege escalation
DSA-1405    zope-cmfplone         Arbitrary code execution
DSA-1406    horde3                Several vulnerabilities
DSA-1407    cupsys                Arbitrary code execution
DSA-1408    kdegraphics           Arbitrary code execution
DSA-1409    samba                 Several vulnerabilities
DSA-1410    ruby1.8               Insecure SSL certificate validation
DSA-1412    ruby1.9               Insecure SSL certificate validation
DSA-1413    mysql                 Several vulnerabilities
DSA-1414    wireshark             Several vulnerabilities
DSA-1415    tk8.4                 Arbitrary code execution
DSA-1416    tk8.3                 Arbitrary code execution
DSA-1417    asterisk              SQL injection
DSA-1418    cacti                 SQL injection
DSA-1419    OpenOffice.org        Arbitrary Java code execution
DSA-1420    zabbix                Privilege escalation
DSA-1421    wesnoth               Arbitrary file disclosure
DSA-1422    e2fsprogs             Arbitrary code execution
DSA-1423    sitebar               Several vulnerabilities
DSA-1424    iceweasel             Several vulnerabilities
DSA-1425    xulrunner             Several vulnerabilities
DSA-1426    qt-x11-free           Several vulnerabilities
DSA-1427    samba                 Arbitrary code execution
DSA-1428    linux-2.6             Several vulnerabilities
DSA-1429    htdig                 Cross-site scripting
DSA-1430    libnss-ldap           Denial of service
DSA-1431    ruby-gnome2           Arbitrary code execution
DSA-1432    link-grammar          Arbitrary code execution
DSA-1433    centericq             Arbitrary code execution
DSA-1434    mydns                 Denial of service
DSA-1435    clamav                Several vulnerabilities
DSA-1436    linux-2.6             Several vulnerabilities

A complete list of all accepted and rejected packages together with rationale is on the preparation page for this revision:

http://release.debian.org/stable/4.0/4.0r2/

URLs

The complete lists of packages that have changed with this release:

http://ftp.debian.org/debian/dists/etch/ChangeLog

The current stable distribution:

http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates/

Stable distribution information (release notes, errata, etc.):

http://www.debian.org/releases/stable/

Security announcements and information:

http://security.debian.org/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian GNU/Linux.

Contact Information

For further information, please visit the Debian web pages at http://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.