Debian GNU/Linux 4.0 updated
February 17th, 2008
The Debian project is pleased to announce the third update of its stable distribution Debian GNU/Linux 4.0 (codename etch). This update mainly adds corrections for security problems to the stable release, along with a few adjustment to serious problems.
Please note that this update does not constitute a new version of Debian GNU/Linux 4.0 but only updates some of the packages included. There is no need to throw away 4.0 CDs or DVDs but only to update against ftp.debian.org after an installation, in order to incorporate those late changes.
Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.
New CD and DVD images containing updated packages and the regular installation media accompanied with the package archive respectively will be available soon at the regular locations.
Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:
The installer has been updated to use and support the updated kernels included in this release. This change causes old netboot and floppy images to stop working; updated versions are available from the regular locations.
This update also includes stability improvements and added support for SGI O2 machines with 300MHz RM5200SC (Nevada) CPUs that were announced with the second update, but were not actually included.
Updated versions of the bcm43xx-fwcutter package will be distributed via volatile.debian.org. The package itself will be removed from etch with the next update.
Flashplugin-nonfree has been removed (see below), as this is closed source and we don't get security support for it. For security reasons, we recommend to immediately remove any version of flashplugin-nonfree and any remaining files of the Adobe Flash Player. Tested updates will be made available via backports.org.
This stable update adds several binary updates for various architectures to packages whose version was not synchronised across all architectures. It also adds a few important corrections to the following packages:
|apache||Fix of several vulnerabilities|
|apache2||Fix of several vulnerabilities|
|apache2-mpm-itk||Rebuild for apache2 rebuilds|
|bos||Remove non-free content|
|clamav||Remove non-free (and undistributable) unrar-code|
|cpio||Fix malformed creation of ustar archives|
|denyhosts||Fix improper parsing of ssh logfiles|
|ircproxy||Fix denial of service|
|glibc||Fix sunrpc memory leak|
|gpsd||Fix problem with leap years|
|ipmitool||Bring architectures back in sync|
|kdebase||Add support for latest flash plugin|
|kdelibs||Add support for latest flash plugin|
|kdeutils||Prevent unauthorised access when hibernated|
|libchipcard2||Add missing dependency|
|linux-2.6||Fix several bugs|
|loop-aes||Updated linux-2.6 kernel|
|madwifi||Fix possible denial of service|
|net-snmp||Fix broken snmpbulkwalk|
|ngircd||Fix possible denial of service|
|sing||Fix privilege escalation|
|sun-java5||Fix remote program execution|
|unrar-nonfree||Fix arbitrary code execution|
|viewcvs||Fix cvs parsing|
|xorg-server||Fix inline assembler for processors without cpuid|
These packages are updated to support the newer kernels:
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
|DSA-1405||zope-cmfplone||Arbitrary code execution|
|DSA-1440||inotify-tools||Arbitrary code execution|
|DSA-1441||peercast||Arbitrary code execution|
|DSA-1442||libsndfile||Arbitrary code execution|
|DSA-1443||tcpreen||Denial of service|
|DSA-1445||maradns||Denial of service|
|DSA-1446||wireshark||Denial of service|
|DSA-1448||eggdrop||Arbitrary code execution|
|DSA-1452||wzdftpd||Denial of service|
|DSA-1454||freetype||Arbitrary code execution|
|DSA-1456||fail2ban||Denial of service|
|DSA-1458||openafs||Denial of service|
|DSA-1461||libxml2||Denial of service|
|DSA-1464||syslog-ng||Denial of service|
|DSA-1465||apt-listchanges||Arbitrary code execution|
|DSA-1469||flac||Arbitrary code execution|
|DSA-1470||horde3||Denial of service|
|DSA-1472||xine-lib||Arbitrary code execution|
|DSA-1473||scponly||Arbitrary code execution|
|DSA-1474||exiv2||Arbitrary code execution|
|DSA-1475||gforge||Cross site scripting|
|DSA-1477||yarssr||Arbitrary shell command execution|
|DSA-1483||net-snmp||Denial of service|
A complete list of all accepted and rejected packages together with rationale is on the preparation page for this revision:
The complete lists of packages that have changed with this release:
The current stable distribution:
Proposed updates to the stable distribution:
Stable distribution information (release notes, errata, etc.):
Security announcements and information:
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian GNU/Linux.
For further information, please visit the Debian web pages at http://www.debian.org/, send mail to <firstname.lastname@example.org>, or contact the stable release team at <email@example.com>.