Debian GNU/Linux 5.0 updated

January 30th, 2010

The Debian project is pleased to announce the fourth update of its stable distribution Debian GNU/Linux 5.0 (codename "lenny"). This update mainly adds corrections for security problems to the stable release, along with a few adjustments for serious problems.

Please note that this update does not constitute a new version of Debian GNU/Linux 5.0 but only updates some of the packages included. There is no need to throw away 5.0 CDs or DVDs but only to update via an up-to-date Debian mirror after an installation, to cause any out of date packages to be updated.

Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.

New CD and DVD images containing updated packages and the regular installation media accompanied with the package archive respectively will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:

http://www.debian.org/mirror/list

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package Reason
alien-arena Fix remote arbitrary code execution
amarok Apply regex update to make Wikipedia tab work again
apache2 Several issues
backup-manager Fix possible mysql password leakage to local users
backuppc Prohibit editing of client name alias to avoid unauthorised file access
base-files Update /etc/debian_version to reflect the point release
choose-mirror Improve suite selection and validation of suites available on selected mirror
clock-setup Correctly handle system dates before epoch
consolekit Don't create pam-foreground-compat tag files for remote users
debmirror Compress packages files using --rsyncable so they match the files from the archive
devscripts Update a number of scripts to understand squeeze and lenny-backports
dhcp3 Fix memory leak and SIGPIPE in LDAP code
dpkg Various fixes to new source package format support
drupal6 Fix XSS issues in Contact and Menu modules
fam Fix 100% CPU usage in famd
fetchmail Fix init script dependencies; don't complain about missing configuration when disabled
firebird2.0 Fix DOS via malformed message
gchempaint Fix segmentation fault
gdebi Fix gksu call to not pass an option that the Debian package doesn't support
geneweb Correctly handle database with names containing whitespace in the postinst
ghc6 Fix deadlock bug on 64-bit architectures
glib2.0 Fix g_file_copy to correctly set permissions of target files
glibc Fix bug in realloc() when enlarging a memory allocation
gnash Reduce messages produced by the browser plugin to avoid filling .xsession-errors
gnome-system-tools Don't change root's home directory when editing the user and fix group creation dialog
haproxy Several stability and crash fixes
kazehakase Disallow adding bookmarks for data:/javascript: URIs (CVE-2007-1084)
killer Correctly handle long usernames in the ruser field
libcgi-pm-perl Fix unwanted ISO-8859-1 -> UTF-8 conversion in CGI::Util::escape()
libdbd-mysql-perl Fix segmentation faults caused by auto_reconnect
libdbd-pg-perl Correctly handle high-bit characters
libfinance-quote-perl Fix ordering of fields in Yahoo data
linux-2.6 Several corrections
linux-kernel-di-alpha-2.6 Rebuild against linux-2.6 2.6.26-21
linux-kernel-di-amd64-2.6 Rebuild against linux-2.6 2.6.26-21
linux-kernel-di-arm-2.6 Rebuild against linux-2.6 2.6.26-21
linux-kernel-di-armel-2.6 Rebuild against linux-2.6 2.6.26-21
linux-kernel-di-hppa-2.6 Rebuild against linux-2.6 2.6.26-21
linux-kernel-di-i386-2.6 Rebuild against linux-2.6 2.6.26-21
linux-kernel-di-ia64-2.6 Rebuild against linux-2.6 2.6.26-21
linux-kernel-di-mips-2.6 Rebuild against linux-2.6 2.6.26-21
linux-kernel-di-mipsel-2.6 Rebuild against linux-2.6 2.6.26-21
linux-kernel-di-powerpc-2.6 Rebuild against linux-2.6 2.6.26-21
linux-kernel-di-s390-2.6 Rebuild against linux-2.6 2.6.26-21
linux-kernel-di-sparc-2.6 Rebuild against linux-2.6 2.6.26-21
lkl Rebuild to get new MD5 sum (previous sum was causing FPs from antivirus)
movabletype-opensource Disable mt-wizard.cgi by default
munin Fix CPU usage graphs to account for changes in kernel reporting
mysql-dfsg-5.0 Revert 'dummy thread' workaround which causes segfaults and fix crash when using GIS functions
nss-ldapd Treat usernames and other lookups as case-sensitive
openttd Fix remote crash vulnerability
otrs2 Don't globally limit MaxRequestsPerChild on Apache or reject valid domains
partman-auto-crypto Avoid triggering unsafe swap warning when setting up LVM
planet-venus Enhance escaping of processed feeds
proftpd-dfsg SSL certificate verification weakness
pyenchant Make add_to_personal() work again
python-docutils Fix insecure temporary file usage in reStructuredText Emacs mode
python-xml Fix two denials of service
qcontrol Create persistent input device to handle changes in udev 0.125-7+lenny3
redhat-cluster Fix problem with resource failover
request-tracker3.6 Session hijack vulnerability
roundup Fix pagination regression caused by security fix
samba Fix regression in name mangling
serveez Fix remote buffer overflow
shadow Fix handling of long lines in the user or group files
spamassassin Don't consider dates in 2010 'grossly in the future'
system-tools-backends Fix regression in operation of some elements
texlive-bin Fix crash with large files
tor Fix crash due to race condition and update authority keys
totem Update youtube plugin to match changes to the site
tzdata Update timezone data
usbutils Update USB IDs
user-mode-linux Rebuild against linux-source-2.6.26 2.6.26-21
vpb-driver Fix Asterisk crash with missing config file
watchdog Ensure daemon really has ended before starting a new one
webauth Avoid inadvertently including passwords in cookie test URLs
wireshark Several vulnerabilities
xfs Fix temporary directory usage in the init script
xscreensaver Fix local screen lock bypass vulnerability

A number of packages were rebuilt on the alpha, amd64 and ia64 architectures to incorporate the fix from the updated ghc6 package:

alex arch2darcs
bnfc c2hs
dfsbuild drift
cpphs darcs
darcs-buildpackage darcs-monitor
datapacker frown
geordi haddock
happy haskell-utils
hat helium
hmake hpodder
hscolour lhs2tex
kaya pxsl-tools
srcinst uuagc
whitespace xmonad

New version of the debian-installer

The Debian Installer has been updated in this point release to offer better support for installation of the "oldstable" distribution and from archive.debian.org. The new installer also allows the system date to be updated using NTP if it is before January 1st, 1970 at boot time.

The kernel image used by the installer has been updated to incorporate a number of important and security-related fixes together with support for additional hardware.

An update to the udev package in the previous point release unfortunately led to the LEDs and on-board buzzer of arm/armel-based QNAP NAS devices not operating during installs. This is rectified in the new installer release.

Finally, it is once again possible to use the installer on the S/390 architecture by booting from CD.

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package Correction(s)
DSA-1796 libwmfDenial of service
DSA-1825 nagios3Arbitrary code execution
DSA-1835 tiffSeveral vulnerabilities
DSA-1836 fckeditorArbitrary code execution
DSA-1837 dbusDenial of service
DSA-1839 gst-plugins-good0.10Arbitrary code execution
DSA-1849 xml-security-cSignature forgery
DSA-1850 libmodplugArbitrary code execution
DSA-1860 ruby1.9Several issues
DSA-1863 zope2.10Arbitrary code execution
DSA-1866 kdegraphicsSeveral vulnerabilities
DSA-1868 kde4libsSeveral vulnerabilities
DSA-1878 devscriptsRemote code execution
DSA-1879 silc-clientArbitrary code execution
DSA-1879 silc-toolkitArbitrary code execution
DSA-1880 openoffice.orgArbitrary code execution
DSA-1882 xapian-omegaCross-site scripting
DSA-1884 nginxArbitrary code execution
DSA-1885 xulrunnerSeveral vulnerabilities
DSA-1886 iceweaselSeveral vulnerabilities
DSA-1887 railsCross-site scripting
DSA-1888 opensslDeprecate MD2 hash signatures
DSA-1889 icuSecurity bypass due to multibyte sequence parsing
DSA-1890 wxwidgets2.6Arbitrary code execution
DSA-1890 wxwidgets2.8Arbitrary code execution
DSA-1891 changetrackArbitrary code execution
DSA-1892 dovecotArbitrary code execution
DSA-1893 cyrus-imapd-2.2Arbitrary code execution
DSA-1893 kolab-cyrus-imapdArbitrary code execution
DSA-1894 newtArbitrary code execution
DSA-1895 opensaml2Interpretation conflict
DSA-1895 shibboleth-sp2Interpretation conflict
DSA-1895 xmltoolingPotential code execution
DSA-1896 opensamlPotential code execution
DSA-1896 shibboleth-spPotential code execution
DSA-1897 horde3Arbitrary code execution
DSA-1898 openswanDenial of service
DSA-1899 strongswanDenial of service
DSA-1900 postgresql-8.3Various problems
DSA-1903 graphicsmagickSeveral vulnerabilities
DSA-1904 wgetSSL certificate verification weakness
DSA-1905 python-djangoDenial of service
DSA-1907 kvmSeveral vulnerabilities
DSA-1908 sambaSeveral vulnerabilities
DSA-1909 postgresql-ocamlMissing escape function
DSA-1910 mysql-ocamlMissing escape function
DSA-1911 pygresqlMissing escape function
DSA-1912 adviArbitrary code execution
DSA-1912 camlimagesArbitrary code execution
DSA-1913 bugzillaSQL injection
DSA-1914 mapserverSeveral vulnerabilities
DSA-1915 linux-2.6Several vulnerabilities
DSA-1915 user-mode-linuxSeveral vulnerabilities
DSA-1916 kdelibsSSL certificate verification weakness
DSA-1917 mimetexSeveral vulnerabilities
DSA-1918 phpmyadminSeveral vulnerabilities
DSA-1919 smartySeveral vulnerabilities
DSA-1920 nginxDenial of service
DSA-1921 expatDenial of service
DSA-1922 xulrunnerSeveral vulnerabilities
DSA-1923 libhtml-parser-perlDenial of service
DSA-1924 maharaSeveral vulnerabilities
DSA-1925 proftpd-dfsgSSL certificate verification weakness
DSA-1926 typo3-srcSeveral vulnerabilities
DSA-1930 drupal6Several vulnerabilities
DSA-1931 nsprSeveral vulnerabilities
DSA-1932 pidginArbitrary code execution
DSA-1933 cupsCross-site scripting
DSA-1934 apache2Several issues
DSA-1934 apache2-mpm-itkSeveral issues
DSA-1935 gnutls26SSL certificate NUL byte vulnerability
DSA-1936 libgd2Several vulnerabilities
DSA-1937 gforgeCross-site scripting
DSA-1938 php-mailInsufficient input sanitising
DSA-1939 libvorbisSeveral vulnerabilities
DSA-1940 php5Multiple issues
DSA-1941 popplerSeveral vulnerabilities
DSA-1942 wiresharkSeveral vulnerabilities
DSA-1944 request-tracker3.6Session hijack vulnerability
DSA-1945 gforgeDenial of service
DSA-1947 opensaml2Cross-site scripting
DSA-1947 shibboleth-spCross-site scripting
DSA-1947 shibboleth-sp2Cross-site scripting
DSA-1948 ntpDenial of service
DSA-1949 php-net-pingArbitrary code execution
DSA-1950 webkitSeveral vulnerabilities
DSA-1951 firefox-sageInsufficient input sanitising
DSA-1952 asteriskSeveral vulnerabilities
DSA-1953 expatDenial of service
DSA-1954 cactiInsufficient input sanitising
DSA-1956 xulrunnerSeveral vulnerabilities
DSA-1957 aria2Arbitrary code execution
DSA-1958 libtoolPrivilege escalation
DSA-1959 ganetiArbitrary command execution
DSA-1960 acpidWeak file permissions
DSA-1961 bind9Cache poisoning
DSA-1962 kvmSeveral vulnerabilities
DSA-1963 unboundDNSSEC validation
DSA-1964 postgresql-8.3Several vulnerabilities
DSA-1965 phpldapadminRemote file inclusion
DSA-1966 horde3Cross-site scripting
DSA-1967 transmissionDirectory traversal
DSA-1968 pdns-recursorPotential code execution
DSA-1969 krb5Denial of service
DSA-1970 opensslDenial of service
DSA-1971 libthaiArbitrary code execution
DSA-1972 audiofileBuffer overflow
DSA-1974 gzipArbitrary code execution
DSA-1976 dokuwikiSeveral vulnerabilities
DSA-1978 phpgroupwareSeveral vulnerabilities
DSA-1979 lintianMultiple vulnerabilities
DSA-1980 ircd-hybridArbitrary code execution

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
destar Security issues; unmaintained; abandoned upstream
electricsheep No longer functional
gnudip Security issues; unmaintained; abandoned upstream
kcheckgmail No longer functional
libgnucrypto-java Security issues; obsolete

Additionally those parts of the libwww-search-perl and libperl4caml-ocaml-dev packages which rely on the Google SOAP search API (provided by libnet-google-perl) are no longer functional as the API has been retired by Google. The remaining portions of the packages will continue to function as before.

URLs

The complete lists of packages that have changed with this release:

http://ftp.debian.org/debian/dists/lenny/ChangeLog

The current stable distribution:

http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates/

Stable distribution information (release notes, errata, etc.):

http://www.debian.org/releases/stable/

Security announcements and information:

http://security.debian.org/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian GNU/Linux.

Contact Information

For further information, please visit the Debian web pages at http://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.