Debian GNU/Linux 4.0 updated

February 17th, 2008

The Debian project is pleased to announce the third update of its stable distribution Debian GNU/Linux 4.0 (codename etch). This update mainly adds corrections for security problems to the stable release, along with a few adjustments for serious problems.

Please note that this update does not constitute a new version of Debian GNU/Linux 4.0 but only updates some of the packages included. There is no need to throw away 4.0 CDs or DVDs but only to update against ftp.debian.org after an installation, in order to incorporate those late changes.

Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.

New CD and DVD images containing the updated packages, and the regular installation media accompanied by the package archive, will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:

http://www.debian.org/mirror/list

Debian-Installer Update

The installer has been updated to use and support the updated kernels included in this release. This change causes old netboot and floppy images to stop working; updated versions are available from the regular locations.

This update also includes stability improvements and added support for SGI O2 machines with 300MHz RM5200SC (Nevada) CPUs that were announced with the second update, but were not actually included.

Important changes

Updated versions of the bcm43xx-fwcutter package will be distributed via volatile.debian.org. The package itself will be removed from etch with the next update.

Flashplugin-nonfree has been removed (see below), as it is closed source and we do not receive security support for it. For security reasons, we recommend immediately removing any version of flashplugin-nonfree and any remaining files of the Adobe Flash Player. Tested updates will be made available via backports.org.

Miscellaneous Bugfixes

This stable update adds several binary updates for various architectures to packages whose version was not synchronised across all architectures. It also adds a few important corrections to the following packages:

Package          Reason
apache           Fix of several vulnerabilities
apache2          Fix of several vulnerabilities
apache2-mpm-itk  Rebuild for apache2 rebuilds
bos              Remove non-free content
clamav           Remove non-free (and undistributable) unrar code
cpio             Fix malformed creation of ustar archives
denyhosts        Fix improper parsing of ssh logfiles
ircproxy         Fix denial of service
glibc            Fix sunrpc memory leak
gpsd             Fix problem with leap years
ipmitool         Bring architectures back in sync
kdebase          Add support for latest flash plugin
kdelibs          Add support for latest flash plugin
kdeutils         Prevent unauthorised access when hibernated
libchipcard2     Add missing dependency
linux-2.6        Fix several bugs
loop-aes         Updated linux-2.6 kernel
madwifi          Fix possible denial of service
net-snmp         Fix broken snmpbulkwalk
ngircd           Fix possible denial of service
sing             Fix privilege escalation
sun-java5        Fix remote program execution
unrar-nonfree    Fix arbitrary code execution
viewcvs          Fix cvs parsing
xorg-server      Fix inline assembler for processors without cpuid

These packages are updated to support the newer kernels:

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID  Package          Correction(s)
DSA-1405     zope-cmfplone    Arbitrary code execution
DSA-1437     cupsys           Several vulnerabilities
DSA-1438     tar              Several vulnerabilities
DSA-1439     typo3-src        SQL injection
DSA-1440     inotify-tools    Arbitrary code execution
DSA-1441     peercast         Arbitrary code execution
DSA-1442     libsndfile       Arbitrary code execution
DSA-1443     tcpreen          Denial of service
DSA-1444     php5             Several vulnerabilities
DSA-1445     maradns          Denial of service
DSA-1446     wireshark        Denial of service
DSA-1447     tomcat5.5        Several vulnerabilities
DSA-1448     eggdrop          Arbitrary code execution
DSA-1449     loop-aes-utils   Programming error
DSA-1450     util-linux       Programming error
DSA-1451     mysql-dfsg-5.0   Several vulnerabilities
DSA-1452     wzdftpd          Denial of service
DSA-1453     tomcat5          Several vulnerabilities
DSA-1454     freetype         Arbitrary code execution
DSA-1455     libarchive       Several problems
DSA-1456     fail2ban         Denial of service
DSA-1457     dovecot          Information disclosure
DSA-1458     openafs          Denial of service
DSA-1459     gforge           SQL injection
DSA-1460     postgresql-8.1   Several vulnerabilities
DSA-1461     libxml2          Denial of service
DSA-1462     hplip            Privilege escalation
DSA-1463     postgresql-7.4   Several vulnerabilities
DSA-1464     syslog-ng        Denial of service
DSA-1465     apt-listchanges  Arbitrary code execution
DSA-1466     xorg             Several vulnerabilities
DSA-1468     tomcat5.5        Several vulnerabilities
DSA-1469     flac             Arbitrary code execution
DSA-1470     horde3           Denial of service
DSA-1471     libvorbis        Several vulnerabilities
DSA-1472     xine-lib         Arbitrary code execution
DSA-1473     scponly          Arbitrary code execution
DSA-1474     exiv2            Arbitrary code execution
DSA-1475     gforge           Cross site scripting
DSA-1476     pulseaudio       Privilege escalation
DSA-1477     yarssr           Arbitrary shell command execution
DSA-1478     mysql-dfsg-5.0   Several vulnerabilities
DSA-1479     fai-kernels      Several vulnerabilities
DSA-1479     linux-2.6        Several vulnerabilities
DSA-1483     net-snmp         Denial of service
DSA-1484     xulrunner        Several vulnerabilities

A complete list of all accepted and rejected packages together with rationale is on the preparation page for this revision:

http://release.debian.org/stable/4.0/4.0r3/

URLs

The complete lists of packages that have changed with this release:

http://ftp.debian.org/debian/dists/etch/ChangeLog

The current stable distribution:

http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates/

Stable distribution information (release notes, errata, etc.):

http://www.debian.org/releases/stable/

Security announcements and information:

http://security.debian.org/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian GNU/Linux.

Contact Information

For further information, please visit the Debian web pages at http://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.