Debian GNU/Linux 5.0 updated
January 30th, 2010
The Debian project is pleased to announce the fourth update of its stable distribution Debian GNU/Linux 5.0 (codename "lenny"). This update mainly adds corrections for security problems to the stable release, along with a few adjustments for serious problems.
Please note that this update does not constitute a new version of Debian GNU/Linux 5.0 but only updates some of the packages included. There is no need to throw away 5.0 CDs or DVDs; after an installation, simply update from an up-to-date Debian mirror to bring any out-of-date packages current.
Those who frequently install updates from security.debian.org won't have to update many packages, and most updates from security.debian.org are included in this update.
New CD and DVD images containing the updated packages, as well as the regular installation media together with the package archive, will be available soon at the regular locations.
Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
alien-arena | Fix remote arbitrary code execution |
amarok | Apply regex update to make Wikipedia tab work again |
apache2 | Several issues |
backup-manager | Fix possible mysql password leakage to local users |
backuppc | Prohibit editing of client name alias to avoid unauthorised file access |
base-files | Update /etc/debian_version to reflect the point release |
choose-mirror | Improve suite selection and validation of suites available on selected mirror |
clock-setup | Correctly handle system dates before epoch |
consolekit | Don't create pam-foreground-compat tag files for remote users |
debmirror | Compress packages files using --rsyncable so they match the files from the archive |
devscripts | Update a number of scripts to understand squeeze and lenny-backports |
dhcp3 | Fix memory leak and SIGPIPE in LDAP code |
dpkg | Various fixes to new source package format support |
drupal6 | Fix XSS issues in Contact and Menu modules |
fam | Fix 100% CPU usage in famd |
fetchmail | Fix init script dependencies; don't complain about missing configuration when disabled |
firebird2.0 | Fix DOS via malformed message |
gchempaint | Fix segmentation fault |
gdebi | Fix gksu call to not pass an option that the Debian package doesn't support |
geneweb | Correctly handle database with names containing whitespace in the postinst |
ghc6 | Fix deadlock bug on 64-bit architectures |
glib2.0 | Fix g_file_copy to correctly set permissions of target files |
glibc | Fix bug in realloc() when enlarging a memory allocation |
gnash | Reduce messages produced by the browser plugin to avoid filling .xsession-errors |
gnome-system-tools | Don't change root's home directory when editing the user and fix group creation dialog |
haproxy | Several stability and crash fixes |
kazehakase | Disallow adding bookmarks for data:/javascript: URIs (CVE-2007-1084) |
killer | Correctly handle long usernames in the ruser field |
libcgi-pm-perl | Fix unwanted ISO-8859-1 -> UTF-8 conversion in CGI::Util::escape() |
libdbd-mysql-perl | Fix segmentation faults caused by auto_reconnect |
libdbd-pg-perl | Correctly handle high-bit characters |
libfinance-quote-perl | Fix ordering of fields in Yahoo data |
linux-2.6 | Several corrections |
linux-kernel-di-alpha-2.6 | Rebuild against linux-2.6 2.6.26-21 |
linux-kernel-di-amd64-2.6 | Rebuild against linux-2.6 2.6.26-21 |
linux-kernel-di-arm-2.6 | Rebuild against linux-2.6 2.6.26-21 |
linux-kernel-di-armel-2.6 | Rebuild against linux-2.6 2.6.26-21 |
linux-kernel-di-hppa-2.6 | Rebuild against linux-2.6 2.6.26-21 |
linux-kernel-di-i386-2.6 | Rebuild against linux-2.6 2.6.26-21 |
linux-kernel-di-ia64-2.6 | Rebuild against linux-2.6 2.6.26-21 |
linux-kernel-di-mips-2.6 | Rebuild against linux-2.6 2.6.26-21 |
linux-kernel-di-mipsel-2.6 | Rebuild against linux-2.6 2.6.26-21 |
linux-kernel-di-powerpc-2.6 | Rebuild against linux-2.6 2.6.26-21 |
linux-kernel-di-s390-2.6 | Rebuild against linux-2.6 2.6.26-21 |
linux-kernel-di-sparc-2.6 | Rebuild against linux-2.6 2.6.26-21 |
lkl | Rebuild to get new MD5 sum (previous sum was causing FPs from antivirus) |
movabletype-opensource | Disable mt-wizard.cgi by default |
munin | Fix CPU usage graphs to account for changes in kernel reporting |
mysql-dfsg-5.0 | Revert 'dummy thread' workaround which causes segfaults and fix crash when using GIS functions |
nss-ldapd | Treat usernames and other lookups as case-sensitive |
openttd | Fix remote crash vulnerability |
otrs2 | Don't globally limit MaxRequestsPerChild on Apache or reject valid domains |
partman-auto-crypto | Avoid triggering unsafe swap warning when setting up LVM |
planet-venus | Enhance escaping of processed feeds |
proftpd-dfsg | SSL certificate verification weakness |
pyenchant | Make add_to_personal() work again |
python-docutils | Fix insecure temporary file usage in reStructuredText Emacs mode |
python-xml | Fix two denials of service |
qcontrol | Create persistent input device to handle changes in udev 0.125-7+lenny3 |
redhat-cluster | Fix problem with resource failover |
request-tracker3.6 | Session hijack vulnerability |
roundup | Fix pagination regression caused by security fix |
samba | Fix regression in name mangling |
serveez | Fix remote buffer overflow |
shadow | Fix handling of long lines in the user or group files |
spamassassin | Don't consider dates in 2010 'grossly in the future' |
system-tools-backends | Fix regression in operation of some elements |
texlive-bin | Fix crash with large files |
tor | Fix crash due to race condition and update authority keys |
totem | Update youtube plugin to match changes to the site |
tzdata | Update timezone data |
usbutils | Update USB IDs |
user-mode-linux | Rebuild against linux-source-2.6.26 2.6.26-21 |
vpb-driver | Fix Asterisk crash with missing config file |
watchdog | Ensure daemon really has ended before starting a new one |
webauth | Avoid inadvertently including passwords in cookie test URLs |
wireshark | Several vulnerabilities |
xfs | Fix temporary directory usage in the init script |
xscreensaver | Fix local screen lock bypass vulnerability |
A number of packages were rebuilt on the alpha, amd64 and ia64 architectures to incorporate the fix from the updated ghc6 package:
alex, arch2darcs, bnfc, c2hs, dfsbuild, drift, cpphs, darcs, darcs-buildpackage, darcs-monitor, datapacker, frown, geordi, haddock, happy, haskell-utils, hat, helium, hmake, hpodder, hscolour, lhs2tex, kaya, pxsl-tools, srcinst, uuagc, whitespace, xmonad
New version of the debian-installer
The Debian Installer has been updated in this point release to offer better support for installation of the "oldstable" distribution and from archive.debian.org. The new installer also allows the system date to be updated using NTP if it is before January 1st, 1970 at boot time.
The kernel image used by the installer has been updated to incorporate a number of important and security-related fixes together with support for additional hardware.
An update to the udev package in the previous point release unfortunately led to the LEDs and on-board buzzer of arm/armel-based QNAP NAS devices not operating during installs. This is rectified in the new installer release.
Finally, it is once again possible to use the installer on the S/390 architecture by booting from CD.
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Advisory ID | Package | Correction(s) |
---|---|---|
DSA-1796 | libwmf | Denial of service |
DSA-1825 | nagios3 | Arbitrary code execution |
DSA-1835 | tiff | Several vulnerabilities |
DSA-1836 | fckeditor | Arbitrary code execution |
DSA-1837 | dbus | Denial of service |
DSA-1839 | gst-plugins-good0.10 | Arbitrary code execution |
DSA-1849 | xml-security-c | Signature forgery |
DSA-1850 | libmodplug | Arbitrary code execution |
DSA-1860 | ruby1.9 | Several issues |
DSA-1863 | zope2.10 | Arbitrary code execution |
DSA-1866 | kdegraphics | Several vulnerabilities |
DSA-1868 | kde4libs | Several vulnerabilities |
DSA-1878 | devscripts | Remote code execution |
DSA-1879 | silc-client | Arbitrary code execution |
DSA-1879 | silc-toolkit | Arbitrary code execution |
DSA-1880 | openoffice.org | Arbitrary code execution |
DSA-1882 | xapian-omega | Cross-site scripting |
DSA-1884 | nginx | Arbitrary code execution |
DSA-1885 | xulrunner | Several vulnerabilities |
DSA-1886 | iceweasel | Several vulnerabilities |
DSA-1887 | rails | Cross-site scripting |
DSA-1888 | openssl | Deprecate MD2 hash signatures |
DSA-1889 | icu | Security bypass due to multibyte sequence parsing |
DSA-1890 | wxwidgets2.6 | Arbitrary code execution |
DSA-1890 | wxwidgets2.8 | Arbitrary code execution |
DSA-1891 | changetrack | Arbitrary code execution |
DSA-1892 | dovecot | Arbitrary code execution |
DSA-1893 | cyrus-imapd-2.2 | Arbitrary code execution |
DSA-1893 | kolab-cyrus-imapd | Arbitrary code execution |
DSA-1894 | newt | Arbitrary code execution |
DSA-1895 | opensaml2 | Interpretation conflict |
DSA-1895 | shibboleth-sp2 | Interpretation conflict |
DSA-1895 | xmltooling | Potential code execution |
DSA-1896 | opensaml | Potential code execution |
DSA-1896 | shibboleth-sp | Potential code execution |
DSA-1897 | horde3 | Arbitrary code execution |
DSA-1898 | openswan | Denial of service |
DSA-1899 | strongswan | Denial of service |
DSA-1900 | postgresql-8.3 | Various problems |
DSA-1903 | graphicsmagick | Several vulnerabilities |
DSA-1904 | wget | SSL certificate verification weakness |
DSA-1905 | python-django | Denial of service |
DSA-1907 | kvm | Several vulnerabilities |
DSA-1908 | samba | Several vulnerabilities |
DSA-1909 | postgresql-ocaml | Missing escape function |
DSA-1910 | mysql-ocaml | Missing escape function |
DSA-1911 | pygresql | Missing escape function |
DSA-1912 | advi | Arbitrary code execution |
DSA-1912 | camlimages | Arbitrary code execution |
DSA-1913 | bugzilla | SQL injection |
DSA-1914 | mapserver | Several vulnerabilities |
DSA-1915 | linux-2.6 | Several vulnerabilities |
DSA-1915 | user-mode-linux | Several vulnerabilities |
DSA-1916 | kdelibs | SSL certificate verification weakness |
DSA-1917 | mimetex | Several vulnerabilities |
DSA-1918 | phpmyadmin | Several vulnerabilities |
DSA-1919 | smarty | Several vulnerabilities |
DSA-1920 | nginx | Denial of service |
DSA-1921 | expat | Denial of service |
DSA-1922 | xulrunner | Several vulnerabilities |
DSA-1923 | libhtml-parser-perl | Denial of service |
DSA-1924 | mahara | Several vulnerabilities |
DSA-1925 | proftpd-dfsg | SSL certificate verification weakness |
DSA-1926 | typo3-src | Several vulnerabilities |
DSA-1930 | drupal6 | Several vulnerabilities |
DSA-1931 | nspr | Several vulnerabilities |
DSA-1932 | pidgin | Arbitrary code execution |
DSA-1933 | cups | Cross-site scripting |
DSA-1934 | apache2 | Several issues |
DSA-1934 | apache2-mpm-itk | Several issues |
DSA-1935 | gnutls26 | SSL certificate NUL byte vulnerability |
DSA-1936 | libgd2 | Several vulnerabilities |
DSA-1937 | gforge | Cross-site scripting |
DSA-1938 | php-mail | Insufficient input sanitising |
DSA-1939 | libvorbis | Several vulnerabilities |
DSA-1940 | php5 | Multiple issues |
DSA-1941 | poppler | Several vulnerabilities |
DSA-1942 | wireshark | Several vulnerabilities |
DSA-1944 | request-tracker3.6 | Session hijack vulnerability |
DSA-1945 | gforge | Denial of service |
DSA-1947 | opensaml2 | Cross-site scripting |
DSA-1947 | shibboleth-sp | Cross-site scripting |
DSA-1947 | shibboleth-sp2 | Cross-site scripting |
DSA-1948 | ntp | Denial of service |
DSA-1949 | php-net-ping | Arbitrary code execution |
DSA-1950 | webkit | Several vulnerabilities |
DSA-1951 | firefox-sage | Insufficient input sanitising |
DSA-1952 | asterisk | Several vulnerabilities |
DSA-1953 | expat | Denial of service |
DSA-1954 | cacti | Insufficient input sanitising |
DSA-1956 | xulrunner | Several vulnerabilities |
DSA-1957 | aria2 | Arbitrary code execution |
DSA-1958 | libtool | Privilege escalation |
DSA-1959 | ganeti | Arbitrary command execution |
DSA-1960 | acpid | Weak file permissions |
DSA-1961 | bind9 | Cache poisoning |
DSA-1962 | kvm | Several vulnerabilities |
DSA-1963 | unbound | DNSSEC validation |
DSA-1964 | postgresql-8.3 | Several vulnerabilities |
DSA-1965 | phpldapadmin | Remote file inclusion |
DSA-1966 | horde3 | Cross-site scripting |
DSA-1967 | transmission | Directory traversal |
DSA-1968 | pdns-recursor | Potential code execution |
DSA-1969 | krb5 | Denial of service |
DSA-1970 | openssl | Denial of service |
DSA-1971 | libthai | Arbitrary code execution |
DSA-1972 | audiofile | Buffer overflow |
DSA-1974 | gzip | Arbitrary code execution |
DSA-1976 | dokuwiki | Several vulnerabilities |
DSA-1978 | phpgroupware | Several vulnerabilities |
DSA-1979 | lintian | Multiple vulnerabilities |
DSA-1980 | ircd-hybrid | Arbitrary code execution |
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
destar | Security issues; unmaintained; abandoned upstream |
electricsheep | No longer functional |
gnudip | Security issues; unmaintained; abandoned upstream |
kcheckgmail | No longer functional |
libgnucrypto-java | Security issues; obsolete |
Additionally, those parts of the libwww-search-perl and libperl4caml-ocaml-dev packages that rely on the Google SOAP search API (provided by libnet-google-perl) are no longer functional, as the API has been retired by Google. The remaining portions of the packages will continue to function as before.
URLs
The complete lists of packages that have changed with this release:
The current stable distribution:
Proposed updates to the stable distribution:
Stable distribution information (release notes, errata, etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian GNU/Linux.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.