Debian GNU/Linux 5.0 updated

June 26th, 2010

The Debian project is pleased to announce the fifth update of its stable distribution Debian GNU/Linux 5.0 (codename "lenny"). This update mainly adds corrections for security problems to the stable release, along with a few adjustments for serious problems.

Please note that this update does not constitute a new version of Debian GNU/Linux 5.0 but only updates some of the packages included. There is no need to throw away 5.0 CDs or DVDs; after installation, simply update from an up-to-date Debian mirror so that any out-of-date packages are replaced.

Those who frequently install updates from security.debian.org won't have to update many packages, as most updates from security.debian.org are included in this update.

New CD and DVD images containing the updated packages, together with the regular installation media and the accompanying package archive, will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:

http://www.debian.org/mirror/list
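The procedure above in script form, as an added example that is not part of the Debian announcement: it writes a sources.list pointing at one mirror plus security.debian.org, runs the apt upgrade, and then checks the /etc/debian_version string that the updated base-files package installs. The mirror URL and the expected version string 5.0.5 are assumptions for this example; substitute a mirror from the list above.

```shell
#!/bin/sh
# Added example (not from the Debian announcement): apply a lenny point
# release from a mirror and confirm that base-files reached the new revision.

# Assumption: any mirror from http://www.debian.org/mirror/list works here.
MIRROR="${MIRROR:-http://ftp.debian.org/debian}"

# Write an apt sources.list with the stable suite and the security suite.
# $1: path of the file to write (use /etc/apt/sources.list on a real host).
write_sources() {
  cat > "$1" <<EOF
deb $MIRROR lenny main
deb http://security.debian.org/ lenny/updates main
EOF
}

# Return 0 when the given /etc/debian_version string is 5.0.5 or a later
# 5.0.x revision (5.0.5 is assumed to be the version this point release sets).
point_release_ok() {
  case "$1" in
    5.0.[5-9]|5.0.[1-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Refresh the package lists from the mirror and install the updated packages,
# then verify the point-release marker. Run as root on the target system.
apply_point_release() {
  apt-get update && apt-get upgrade
  if point_release_ok "$(cat /etc/debian_version)"; then
    echo "point release applied"
  else
    echo "base-files is still at $(cat /etc/debian_version); rerun the upgrade" >&2
    return 1
  fi
}
```

apt-get upgrade is enough for a point release because it only refreshes packages already installed; a machine that pulls from security.debian.org as well will find most of the security updates already present.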

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package Reason
alien-arena Fix a buffer overflow and a denial of service
apache2 Add missing psmisc dependency; fix memory leak in brigade cleanup
apache2-mpm-itk Ensure child processes get correctly reaped on reload
apr Set FD_CLOEXEC on file descriptors to avoid potential leaks
apt Allow Files sections to contain more than 999 characters
base-files Update /etc/debian_version for the point release
cpio Fix buffer overflow in rmt_read__
dia2code Fix segfault parsing large files
gtk+2.0 Fix hang when printing large documents
libapache-dbi-perl Fix loading of module from Apache startup files
libapache2-mod-perl2 Fix XSS in Apache2::Status
libjavascript-perl Fix segfault when calling non-existent function
libjson-ruby Fix parser DoS and use libjs-prototype rather than embedding the library
liblog-handler-perl Add missing dependency on libuniversal-require-perl
libmediawiki-perl Update to match mediawiki changes
libnamespace-clean-perl Add missing dependency on libscope-guard-perl
libnet-smtp-server-perl Add missing dependency on libnet-dns-perl
libxext Ensure display lock is held before calling XAllocID
linux-2.6 Several fixes and driver updates
mailman Don't add multiple Mime-Version headers
mpg123 Allow modules to be located again (broken by libltdl security fix)
nano Fix symlink attack and arbitrary file ownership change issue
nfs-utils Update test for NFS kernel server support in init script to support partial upgrades
nut Move library to /lib to allow power-down with separated /usr
open-iscsi Fix temporary file vulnerability
openssl Check return value of bn_wexpand() (CVE-2009-3245)
openttd Fix several DoS and crash vulnerabilities
php5 Fix overflows, add missing sybase aliases, improve e-mail validation
poppler Fix remote code execution via crafted PDF files
postgresql-8.3 Several vulnerabilities
pyftpd Security fixes - disable default users, anonymous access and logging to /tmp
python-support Use sane default umask in update-python-modules
request-tracker3.6 Fix login problem introduced in security update
samba Fix memory leaks with domain trust passwords; fix interdomain trust with Windows 2008 r2 servers
slim Make magic cookie less predictable; don't save screenshots in /tmp
sun-java5 Update to new upstream release to fix security issues
sun-java6 Update to new upstream release to fix security issues
tar Security fix in rmt
texlive-bin Security fixes in dvips
tla Fix DoS in embedded expat library
tzdata Update timezone data
usbutils Update USB ID list
user-mode-linux Rebuild against linux-2.6 2.6.26-24
wordpress Fix DoS
xerces-c2 Fix DoS attack with nested DTDs
xmonad-contrib Fix installability on 64-bit architectures
xserver-xorg-input-elographics Prevent X server hangs when using the touchscreen
xserver-xorg-video-intel Add support for ASUS eeetop LVDS output

Note that due to problems with the package build process, updated sun-java5 and sun-java6 packages for the ia64 architecture are not included in this point release. These packages will be provided in proposed-updates as soon as they are available and included in a future point release.

Kernel Updates

The kernel images included in this point release incorporate a number of important and security-related fixes together with support for additional hardware.

On the amd64 and i386 architectures, support has been re-introduced for automatically running the lilo bootloader whenever a kernel image is added, updated or removed, so that the change is correctly registered with the bootloader.

Debian Installer

The Debian Installer has been updated in this point release to correct an issue with the display of the "BIOS boot area" partitioner option when using GPT partitions and to update the list of available mirror servers for package installation.

The kernel image used by the installer has been updated to incorporate a number of important and security-related fixes together with support for additional hardware.

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID  Package                   Correction(s)
DSA-1841     git-core                  Denial of service
DSA-1955     network-manager-applet    Information disclosure
DSA-1973     glibc                     Information disclosure
DSA-1977     python2.4                 Several vulnerabilities
DSA-1977     python2.5                 Several vulnerabilities
DSA-1980     ircd-ratbox               Arbitrary code execution
DSA-1981     maildrop                  Privilege escalation
DSA-1982     hybserv                   Denial of service
DSA-1983     wireshark                 Several vulnerabilities
DSA-1984     libxerces2-java           Denial of service
DSA-1985     sendmail                  Insufficient input validation
DSA-1986     moodle                    Several vulnerabilities
DSA-1987     lighttpd                  Denial of service
DSA-1988     qt4-x11                   Several vulnerabilities
DSA-1989     fuse                      Denial of service
DSA-1990     trac-git                  Code execution
DSA-1991     squid3                    Denial of service
DSA-1992     chrony                    Denial of service
DSA-1993     otrs2                     SQL injection
DSA-1994     ajaxterm                  Session hijacking
DSA-1995     openoffice.org            Several vulnerabilities
DSA-1996     linux-2.6                 Several vulnerabilities
DSA-1997     mysql-dfsg-5.0            Several vulnerabilities
DSA-1998     kdelibs                   Arbitrary code execution
DSA-1999     xulrunner                 Several vulnerabilities
DSA-2000     ffmpeg-debian             Several vulnerabilities
DSA-2001     php5                      Multiple vulnerabilities
DSA-2002     polipo                    Denial of service
DSA-2004     samba                     Several vulnerabilities
DSA-2006     sudo                      Several vulnerabilities
DSA-2007     cups                      Arbitrary code execution
DSA-2008     typo3-src                 Several vulnerabilities
DSA-2009     tdiary                    Cross-site scripting
DSA-2010     kvm                       Several vulnerabilities
DSA-2011     dpkg                      Path traversal
DSA-2012     user-mode-linux           Several vulnerabilities
DSA-2012     linux-2.6                 Several vulnerabilities
DSA-2013     egroupware                Several vulnerabilities
DSA-2014     moin                      Several vulnerabilities
DSA-2015     drbd8                     Privilege escalation
DSA-2015     linux-modules-extra-2.6   Privilege escalation
DSA-2016     drupal6                   Several vulnerabilities
DSA-2017     pulseaudio                Insecure temporary directory
DSA-2018     php5                      Null pointer dereference
DSA-2019     pango1.0                  Denial of service
DSA-2020     ikiwiki                   Cross-site scripting
DSA-2021     spamass-milter            Missing input sanitization
DSA-2022     mediawiki                 Several vulnerabilities
DSA-2023     curl                      Arbitrary code execution
DSA-2024     moin                      Cross-site scripting
DSA-2025     icedove                   Several vulnerabilities
DSA-2026     netpbm-free               Denial of service
DSA-2027     xulrunner                 Several vulnerabilities
DSA-2028     xpdf                      Several vulnerabilities
DSA-2029     imlib2                    Arbitrary code execution
DSA-2030     mahara                    SQL injection
DSA-2031     krb5                      Denial of service
DSA-2032     libpng                    Several vulnerabilities
DSA-2033     ejabberd                  Denial of service
DSA-2034     phpmyadmin                Several vulnerabilities
DSA-2035     apache2                   Several vulnerabilities
DSA-2036     jasper                    Denial of service
DSA-2037     kdebase                   Privilege escalation
DSA-2038     pidgin                    Denial of service
DSA-2039     cacti                     Missing input sanitization
DSA-2040     squidguard                Several vulnerabilities
DSA-2041     mediawiki                 Cross-site request forgery
DSA-2042     iscsitarget               Arbitrary code execution
DSA-2044     mplayer                   Arbitrary code execution
DSA-2045     libtheora                 Arbitrary code execution
DSA-2046     phpgroupware              Several vulnerabilities
DSA-2047     aria2                     Directory traversal
DSA-2048     dvipng                    Arbitrary code execution
DSA-2049     barnowl                   Arbitrary code execution
DSA-2050     postgresql-8.3            Several vulnerabilities
DSA-2052     krb5                      Denial of service
DSA-2053     linux-2.6                 Several issues
DSA-2054     bind9                     Cache poisoning
DSA-2055     openoffice.org            Arbitrary code execution
DSA-2056     zonecheck                 Cross-site scripting
DSA-2057     mysql-dfsg-5.0            Several vulnerabilities
DSA-2058     pcsc-lite                 Privilege escalation
DSA-2058     glibc                     Several vulnerabilities
DSA-2060     cacti                     SQL injection
DSA-2062     sudo                      Missing input sanitization
DSA-2063     pmount                    Denial of service

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
eclipse incompatible with stable's xulrunner; not easily fixable
eclipse-cdt depends on removed eclipse
eclipse-nls-sdk depends on removed eclipse

URLs

The complete lists of packages that have changed with this release:

http://ftp.debian.org/debian/dists/lenny/ChangeLog

The current stable distribution:

http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates/

Stable distribution information (release notes, errata, etc.):

http://www.debian.org/releases/stable/

Security announcements and information:

http://security.debian.org/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian GNU/Linux.

Contact Information

For further information, please visit the Debian web pages at http://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.