Debian GNU/Linux 4.0 updated

May 22nd, 2010

The Debian project is pleased to announce the ninth and final update of its oldstable distribution Debian GNU/Linux 4.0 (codename etch).

This update incorporates all security updates which have been released for the oldstable release since the previous point release, with one exception which it was unfortunately not possible to include, together with a few adjustments to serious problems.

PLEASE NOTE: Security support for the oldstable distribution ended in February 2010 and no updates have been released since that point.

Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.

New CD and DVD images containing updated packages and the regular installation media accompanied with the package archive respectively will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:

http://www.debian.org/distrib/ftplist

Please note that the oldstable distribution will be moved from the main archive to the archive.debian.org repository after June 6th 2010. After this move, it will no longer be available from the main mirror network. More information about the distribution archive and a list of mirrors is available at:

http://www.debian.org/distrib/archive

Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following packages:

Package Reason
backup-manager Fix disclosure of MySQL passwords to local users
binutils Add mips support for ".set symbol,value" gas syntax
fam Fix 100% CPU usage in famd
fetchmail Fix potential MITM against APOP and potential DoS
freedoom Remove copyright-violating material
glibc Fix incorrect libc6-amd64 dependency
gnupg Fix memory leak and cleanup terminal on interrupt
irssi Fix out of bounds access
kazehakase Disallow adding bookmarks for data:/javascript: URIs
linux-2.6 Several vulnerabilities
linux-2.6.24 Several vulnerabilities
mksh Fix unauthenticated local privilege escalation
mt-daapd Update the embedded prototype.js to fix security issues
openafs Don't create invalid pointers to kernel memory when handling errors
openssl Deprecate MD2 hash signatures and fix several DoS vulnerabilities
serveez Fix remote buffer overflow
tetex-bin Don't fail when LaTeX is more than five years old
texlive-bin Don't fail when LaTeX is more than five years old
texlive-extra Don't fail when LaTeX is more than five years old
texlive-lang Don't fail when LaTeX is more than five years old
wordpress Fix DoS via long title and specially constructed charset parameter
xcftools Fix crash with files containing negative co-ordinates

Debian Installer

The Debian Installer has been updated in this point release to offer better support for installation of the "oldstable" distribution and from archive.debian.org and to resolve issues with checking the GPG signatures of some files on mirror servers.

The kernel image used by the installer has been updated to incorporate a number of important and security-related fixes.

Security Updates

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package Correction(s)
DSA-1617 refpolicyIncompatible policy from previous DSA
DSA-1622 newsxArbitrary code execution
DSA-1748 libsoupArbitrary code execution
DSA-1754 roundupPrivilege escalation
DSA-1761 moodleFile disclosure
DSA-1762 icuCross site scripting
DSA-1763 opensslDenial of service
DSA-1763 openssl097Denial of service
DSA-1765 horde3Several vulnerabilities
DSA-1766 krb5Several vulnerabilities
DSA-1767 multipath-toolsDenial of service
DSA-1768 openafsArbitrary code execution
DSA-1770 imp4Cross-site scripting
DSA-1771 clamavSeveral vulnerabilities
DSA-1772 udevPrivilege escalation
DSA-1773 cupsysArbitrary code execution
DSA-1775 php-json-extDenial of service
DSA-1777 git-corePrivilege escalation
DSA-1779 aptSeveral vulnerabilities
DSA-1780 libdbd-pg-perlArbitrary code execution
DSA-1781 ffmpegArbitrary code execution
DSA-1782 mplayerArbitrary code execution
DSA-1783 mysql-dfsg-5.0Several vulnerabilities
DSA-1784 freetypeArbitrary code execution
DSA-1786 acpidDenial of service
DSA-1787 linux-2.6.24Several vulnerabilities
DSA-1789 php5Several vulnerabilities
DSA-1790 xpdfSeveral vulnerabilities
DSA-1793 kdegraphicsSeveral vulnerabilities
DSA-1794 user-mode-linuxSeveral vulnerabilities
DSA-1794 fai-kernelsSeveral vulnerabilities
DSA-1794 linux-2.6Several vulnerabilities
DSA-1796 libwmfDenial of service
DSA-1798 pango1.0Arbitrary code execution
DSA-1799 qemuSeveral vulnerabilities
DSA-1801 ntpBuffer overflows allowing DoS or code execution
DSA-1802 squirrelmailCode execution vulnerability in map_yp_alias function
DSA-1803 nsdDenial of service
DSA-1804 ipsec-toolsDenial of service
DSA-1805 gaimSeveral vulnerabilities
DSA-1806 cscopeArbitrary code execution
DSA-1807 cyrus-sasl2Fixes arbitrary code execution
DSA-1810 cupsysDenial of service
DSA-1810 libapache-mod-jkInformation disclosure
DSA-1812 apr-utilSeveral vulnerabilities
DSA-1813 evolution-data-serverRegressions in previous security update
DSA-1814 libsndfileArbitrary code execution
DSA-1816 apache2Privilege escalation
DSA-1816 apache2-mpm-itkRebuild against apache2 2.2.3-4+etch8
DSA-1818 gforgeInsufficient input sanitising
DSA-1819 vlcSeveral vulnerabilities
DSA-1824 phpmyadminSeveral vulnerabilities
DSA-1825 nagios2Arbitrary code execution
DSA-1826 eggdropSeveral vulnerabilities
DSA-1829 sork-passwd-h3Regression in previous security update
DSA-1832 camlimagesArbitrary code execution
DSA-1833 dhcp3Arbitrary code execution
DSA-1834 apache2Denial of service
DSA-1834 apache2-mpm-itkDenial of service
DSA-1835 tiffSeveral vulnerabilities
DSA-1837 dbusDenial of service
DSA-1839 gst-plugins-good0.10Arbitrary code execution
DSA-1841 git-coreDenial of service
DSA-1842 openexrSeveral vulnerabilities
DSA-1847 bind9Denial of service
DSA-1848 zncRemote code execution
DSA-1849 xml-security-cSignature forgery
DSA-1850 libmodplugArbitrary code execution
DSA-1851 gst-plugins-bad0.10Arbitrary code execution
DSA-1852 fetchmailSSL certificate verification weakness
DSA-1853 memcachedArbitrary code execution
DSA-1854 apr-utilArbitrary code execution
DSA-1854 aprArbitrary code execution
DSA-1855 subversionArbitrary code execution
DSA-1857 camlimagesArbitrary code execution
DSA-1858 imagemagickSeveral vulnerabilities
DSA-1859 libxml2Several issues
DSA-1860 ruby1.8Several issues
DSA-1860 ruby1.9Several issues
DSA-1861 libxmlSeveral issues
DSA-1863 zope2.9Arbitrary code execution
DSA-1865 fai-kernelsSeveral vulnerabilities
DSA-1865 user-mode-linuxSeveral vulnerabilities
DSA-1866 kdegraphicsSeveral vulnerabilities
DSA-1867 kdelibsSeveral vulnerabilities
DSA-1869 curlSSL certificate verification weakness
DSA-1871 wordpressRegression fix
DSA-1872 fai-kernelsSeveral vulnerabilities
DSA-1872 user-mode-linuxSeveral vulnerabilities
DSA-1877 mysql-dfsg-5.0Arbitrary code execution
DSA-1878 devscriptsRemote code execution
DSA-1880 openoffice.orgArbitrary code execution
DSA-1882 xapian-omegaCross-site scripting
DSA-1883 nagios2Several cross-site scriptings
DSA-1884 nginxArbitrary code execution
DSA-1888 opensslDeprecate MD2 hash signatures and fix several DoS vulnerabilities
DSA-1888 openssl097Deprecate MD2 hash signatures
DSA-1889 icuSecurity bypass due to multibyte sequence parsing
DSA-1890 wxwindows2.4Arbitrary code execution
DSA-1890 wxwidgets2.6Arbitrary code execution
DSA-1891 changetrackArbitrary code execution
DSA-1892 dovecotArbitrary code execution
DSA-1893 cyrus-imapd-2.2Arbitrary code execution
DSA-1893 kolab-cyrus-imapdArbitrary code execution
DSA-1894 newtArbitrary code execution
DSA-1896 opensamlPotential code execution
DSA-1896 shibboleth-spPotential code execution
DSA-1897 horde3Arbitrary code execution
DSA-1898 openswanDenial of service
DSA-1899 strongswanDenial of service
DSA-1900 postgresql-7.4Various problems
DSA-1900 postgresql-8.1Various problems
DSA-1901 mediawiki1.7Several vulnerabilities
DSA-1902 elinksArbitrary code execution
DSA-1903 graphicsmagickSeveral vulnerabilities
DSA-1904 wgetSSL certificate verification weakness
DSA-1909 postgresql-ocamlMissing escape function
DSA-1910 mysql-ocamlMissing escape function
DSA-1911 pygresqlMissing escape function
DSA-1912 camlimagesArbitrary code execution
DSA-1912 adviArbitrary code execution
DSA-1914 mapserverSeveral vulnerabilities
DSA-1916 kdelibsSSL certificate verification weakness
DSA-1917 mimetexSeveral vulnerabilities
DSA-1918 phpmyadminSeveral vulnerabilities
DSA-1919 smartySeveral vulnerabilities
DSA-1920 nginxDenial of service
DSA-1921 expatDenial of service
DSA-1923 libhtml-parser-perlDenial of service
DSA-1925 proftpd-dfsgSSL certificate verification weakness
DSA-1926 typo3-srcSeveral vulnerabilities
DSA-1928 linux-2.6.24Several vulnerabilities
DSA-1929 linux-2.6Several vulnerabilities
DSA-1933 cupsysCross-site scripting
DSA-1934 apache2Several issues
DSA-1934 apache2-mpm-itkSeveral issues
DSA-1935 gnutls13SSL certificate verification weakness
DSA-1936 libgd2Several vulnerabilities
DSA-1937 gforgeCross-site scripting
DSA-1938 php-mailInsufficient input sanitising
DSA-1939 libvorbisSeveral vulnerabilities
DSA-1940 php5Multiple issues
DSA-1942 wiresharkSeveral vulnerabilities
DSA-1943 openldap2.3SSL certificate verification weakness
DSA-1944 request-tracker3.6Session hijack vulnerability
DSA-1944 request-tracker3.4Session hijack vulnerability
DSA-1945 gforgeDenial of service
DSA-1946 belpicCryptographic weakness
DSA-1947 shibboleth-spCross-site scripting
DSA-1948 ntpDenial of service
DSA-1951 firefox-sageInsufficient input sanitizing
DSA-1953 expatRegression fix
DSA-1954 cactiInsufficient input sanitising
DSA-1955 network-managerInformation disclosure
DSA-1958 libtoolPrivilege escalation
DSA-1960 acpidWeak file permissions
DSA-1961 bind9Cache poisoning
DSA-1964 postgresql-8.1Several vulnerabilities
DSA-1964 postgresql-7.4Several vulnerabilities
DSA-1966 horde3Cross-site scripting
DSA-1968 pdns-recursorCache poisoning
DSA-1969 krb5Denial of service
DSA-1971 libthaiArbitrary code execution
DSA-1972 audiofileBuffer overflow
DSA-1973 glibcInformation disclosure
DSA-1974 gzipArbitrary code execution
DSA-1977 python2.4Several vulnerabilities
DSA-1977 python2.5Several vulnerabilities
DSA-1979 lintianMultiple vulnerabilities
DSA-1980 ircd-hybridArbitrary code execution
DSA-1981 maildropPrivilege escalation
DSA-1982 hybservDenial of service
DSA-1984 libxerces2-javaDenial of service
DSA-1985 sendmailInsufficient input validation
DSA-1987 lighttpdDenial of service
DSA-1989 fuseDenial of service
DSA-1991 squid3Denial of service
DSA-1991 squidDenial of service
DSA-1992 chronyDenial of service
DSA-1994 ajaxtermSession hijacking
DSA-1995 openoffice.orgSeveral vulnerabilities
DSA-1997 mysql-dfsg-5.0Several vulnerabilities
DSA-2003 fai-kernelsSeveral vulnerabilities
DSA-2003 user-mode-linuxSeveral vulnerabilities
DSA-2003 linux-2.6Several vulnerabilities
DSA-2004 linux-2.6.24Several vulnerabilities

Unfortunately it was not possible to include the security updates for the lcms package in this point release due to a mismatch between the upstream tarball used for the security update and that already present in the oldstable distribution.

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
destar Security issues
libclass-dbi-loader-relationship-perl License problems
libhdate-pascal [source:hdate] Licensing issues
loop-aes-modules-2.6-sparc32 [source:loop-aes] Corresponding source / kernel no longer in the archive
loop-aes-modules-2.6-sparc64 [source:loop-aes] Corresponding source / kernel no longer in the archive
loop-aes-modules-2.6-sparc64-smp [source:loop-aes] Corresponding source / kernel no longer in the archive
loop-aes-modules-2.6-vserver-sparc64 [source:loop-aes] Corresponding source / kernel no longer in the archive
rails Security and usability issues

A few further packages were removed as a result, as they depend on libclass-dbi-loader-relationship-perl; these packages are:

Additionally those parts of the libwww-search-perl and libperl4caml-ocaml-dev packages which rely on the Google SOAP search API (provided by libnet-google-perl) are no longer functional as the API has been retired by Google. The remaining portions of the packages will continue to function as before.

About Debian

The Debian project is an organisation of Free Software developers who volunteer their time and effort, collaborating via the Internet. Their tasks include maintaining and updating Debian GNU/Linux which is a free distribution of the GNU/Linux operating system. Debian's dedication to Free Software, its non-profit nature, and its open development model makes it unique among GNU/Linux distributions.

Contact Information

For further information, please visit the Debian web pages at http://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.