Debian GNU/Linux 3.1 updated

December 28th, 2007

The Debian project is pleased to announce the seventh update of its old stable distribution Debian GNU/Linux 3.1 (codename sarge). This is the first time we have updated the old stable distribution during the lifetime of the stable distribution. This update mainly adds corrections for security problems to the oldstable release, along with a few adjustments to serious problems.

Please note that this update does not constitute a new version of Debian GNU/Linux 3.1 but only updates some of the packages included. There is no need to throw away 3.1 CDs or DVDs; it is enough to update against ftp.debian.org after an installation in order to incorporate those late changes.

Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.

New CD and DVD images containing updated packages, and the regular installation media accompanied by the package archive, will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:

http://www.debian.org/mirror/list

Debian-Installer Update

With this release the installation system for sarge gains full support for installing oldstable from network mirrors. This includes base-config.

The installer also uses and supports the updated kernels included in this revision. This causes old netboot and floppy images to stop working; updated versions are available from the regular locations.

Other changes are a final fix to prevent leakage of sensitive data through saved log files and a minor fix in the partman-jfs component.

Miscellaneous Bugfixes

This update adds several binary-only updates for various architectures to packages whose version was not synchronised across all architectures. It also adds a few important corrections to the following packages:

Package Reason
adesklets Bring architectures back in sync
agenda.app Bring architectures back in sync
antlr Bring architectures back in sync
apache2 Fix several minor vulnerabilities
asterisk-spandsp-plugins Bring architectures back in sync
atomix Bring architectures back in sync
bazaar Bring architectures back in sync
camediaplay Bring architectures back in sync
commons-daemon Bring architectures back in sync
debtags-edit Bring architectures back in sync
fai-kernels Rebuild against latest kernel update
fet Bring architectures back in sync
freepops Bring architectures back in sync
gaim-encryption Bring architectures back in sync
gff2aplot Bring architectures back in sync
gnuradio-core Bring architectures back in sync
gr-audio-oss Bring architectures back in sync
iroffer Bring architectures back in sync
joystick Bring architectures back in sync
k3d Bring architectures back in sync
kdissert Bring architectures back in sync
kernel-latest-2.6-alpha Meta package for new kernel ABI
kernel-latest-2.6-amd64 Meta package for new kernel ABI
kernel-latest-2.6-hppa Meta package for new kernel ABI
kernel-latest-2.6-i386 Meta package for new kernel ABI
kernel-latest-2.6-powerpc Meta package for new kernel ABI
kernel-latest-2.6-sparc Meta package for new kernel ABI
kernel-source-2.6.8 Several fixes and driver updates
kexi Bring architectures back in sync
kimdaba Bring architectures back in sync
leafpad Bring architectures back in sync
libdbd-sqlite2-perl Bring architectures back in sync
libgconf-java Bring architectures back in sync
libglade-java Bring architectures back in sync
libgnome-java Bring architectures back in sync
ocaml-http Bring architectures back in sync
octaviz Bring architectures back in sync
osspsa Bring architectures back in sync
paje.app Bring architectures back in sync
pasmo Bring architectures back in sync
plptools Bring architectures back in sync
pwlib Fix remote denial of service
python-biopython Bring architectures back in sync
realtimebattle Bring architectures back in sync
scalapack Bring architectures back in sync
skippy Bring architectures back in sync
swt-gtk Bring architectures back in sync
vgrabbj Bring architectures back in sync
visitors Bring architectures back in sync
wesnoth Fix denial of service
ximian-connector Bring architectures back in sync
xwine Bring architectures back in sync

Security Updates

This revision adds the following security updates to the old stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package Correction(s)
DSA-1267 webcalendar Remote file inclusion
DSA-1282 php4 Several vulnerabilities
DSA-1284 qemu Several vulnerabilities
DSA-1287 ldap-account-manager Several vulnerabilities
DSA-1290 squirrelmail Cross-site scripting
DSA-1291 samba Several vulnerabilities
DSA-1293 quagga Denial of service
DSA-1294 rdesktop Several vulnerabilities
DSA-1294 xfree86 Several vulnerabilities
DSA-1307 openoffice.org Arbitrary code execution
DSA-1310 libexif Arbitrary code execution
DSA-1311 postgresql Privilege escalation
DSA-1312 libapache-mod-jk Information disclosure
DSA-1323 krb5 Several vulnerabilities
DSA-1325 evolution Several vulnerabilities
DSA-1326 fireflier Unsafe temporary files
DSA-1329 gfax Privilege escalation
DSA-1331 php4 Arbitrary code execution
DSA-1332 vlc Arbitrary code execution
DSA-1334 freetype Arbitrary code execution
DSA-1335 gimp Arbitrary code execution
DSA-1336 mozilla-firefox Several vulnerabilities
DSA-1341 bind9 DNS cache poisoning
DSA-1343 file Arbitrary code execution
DSA-1347 xpdf Arbitrary code execution
DSA-1349 libextractor Arbitrary code execution
DSA-1350 tetex-bin Arbitrary code execution
DSA-1351 bochs Privilege escalation
DSA-1352 pdfkit.framework Arbitrary code execution
DSA-1353 tcpdump Arbitrary code execution
DSA-1354 gpdf Arbitrary code execution
DSA-1358 asterisk Several vulnerabilities
DSA-1364 vim Several vulnerabilities
DSA-1421 wesnoth Arbitrary file disclosure
DSA-1426 qt-x11-free Several vulnerabilities
DSA-1427 samba Arbitrary code execution
DSA-1433 centericq Arbitrary code execution
DSA-1435 clamav Several vulnerabilities

A complete list of all accepted and rejected packages together with rationale is on the preparation page for this revision:

http://release.debian.org/stable/3.1/3.1r7/

URLs

The complete lists of packages that have changed with this release:

http://ftp.debian.org/debian/dists/sarge/ChangeLog

The current old stable distribution:

http://ftp.debian.org/debian/dists/oldstable/

Proposed updates to the oldstable distribution:

http://ftp.debian.org/debian/dists/oldstable-proposed-updates/

Sarge distribution information (release notes, errata, etc.):

http://www.debian.org/releases/sarge/

Security announcements and information:

http://security.debian.org/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian GNU/Linux.

Contact Information

For further information, please visit the Debian web pages at http://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.