Updated Debian GNU/Linux 5.0: 5.0.9 released

October 1st, 2011

The Debian project is pleased to announce the ninth update of its oldstable distribution Debian GNU/Linux 5.0 (codename lenny). This update mainly adds corrections for security problems to the oldstable release, along with a few adjustment to serious problems. Security advisories were already published separately and are referenced where available.

Please note that this update does not constitute a new version of Debian GNU/Linux 5.0 but only updates some of the packages included. There is no need to throw away 5.0 CDs or DVDs but only to update via an up-to-date Debian mirror after an installation, to cause any out of date packages to be updated.

Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.

New installation media and CD and DVD images containing updated packages will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:

http://www.debian.org/mirror/list

Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following packages:

Package Reason
aptitude Fix symlink attack in hierarchy editor
atop Insecure use of temporary files
base-files Update /etc/debian_version for the point release
conky Fix file overwrite vulnerability
dokuwiki RSS XSS security fix
klibc Escape ipconfig's DHCP options
linux-2.6 Several security updates and select fixes from upstream 2.6.27.58/9
magpierss Fix cross-site scripting vulnerability (CVE-2011-0740)
mediawiki Protect against CSS injection vulnerability
openldap Security fixes
openssl Fix CVE-2011-3210: SSL memory handling for (EC)DH ciphersuites
pmake Fix symlink attack via temporary files
sun-java6 New upstream security update
tesseract Disable xterm-based debug windows to avoid file overwrite vulnerability
tzdata New upstream version
user-mode-linux Rebuild against linux-2.6 2.6.26-27
v86d Fix CVE-2011-1070: failure to validate netlink message sender; do not include random kernel headers in CFLAGS
vftool Fix a buffer overflow in linetoken() in parseAFM.c
xorg-server GLX: don't crash in SwapBuffers if we don't have a context

Due to the timing of this point release relative to the next update for the stable release (Debian 6.0 squeeze), the versions of atop and tzdata included in this point release are higher than the corresponding packages currently in stable. The next stable point release is planned for one week's time, after which the package versions in stable will once again be higher, as expected.

We do not expect that this situation will cause any issues with upgrades from oldstable to the stable release during this short period of time, but please report any such issues which do arise. (See the Contact Information section below).

Security Updates

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package Correction(s)
DSA-2043 vlcArbitrary code execution
DSA-2149 dbusDenial of service
DSA-2150 request-tracker3.6Salt password hashing
DSA-2151 openoffice.orgMultiple issues
DSA-2152 hplipBuffer overflow
DSA-2153 user-mode-linuxMultiple issues
DSA-2153 linux-2.6Multiple issues
DSA-2154 exim4Privilege escalation
DSA-2155 freetypeMultiple issues
DSA-2156 pcsc-liteBuffer overflow
DSA-2157 postgresql-8.3Buffer overflow
DSA-2158 cgiircCross-site scripting flaw
DSA-2165 ffmpeg-debianBuffer overflow
DSA-2167 phpmyadminSQL injection
DSA-2168 openafsMultiple issues
DSA-2169 telepathy-gabbleMissing input validation
DSA-2170 mailmanMultiple issues
DSA-2171 asteriskBuffer overflow
DSA-2172 moodleMultiple issues
DSA-2173 pam-pgsqlBuffer overflow
DSA-2174 avahiDenial of service
DSA-2175 sambaMissing input sanitising
DSA-2176 cupsMultiple issues
DSA-2179 dtcSQL injection
DSA-2181 subversionDenial of service
DSA-2182 logwatchRemote code execution
DSA-2183 nbdArbitrary code execution
DSA-2186 xulrunnerMultiple issues
DSA-2191 proftpd-dfsgMultiple issues
DSA-2195 php5Multiple issues
DSA-2196 maradnsBuffer overflow
DSA-2197 quaggaDenial of service
DSA-2200 xulrunnerUpdate HTTPS certificate blacklist
DSA-2200 nssCompromised certificate authority
DSA-2201 wiresharkMultiple issues
DSA-2203 nssUpdate HTTPS certificate blacklist
DSA-2204 imp4Insufficient input sanitising
DSA-2206 maharaMultiple issues
DSA-2207 tomcat5.5Multiple issues
DSA-2208 bind9Issue with processing of new DNSSEC DS records
DSA-2210 tiffMultiple issues
DSA-2211 vlcMissing input sanitising
DSA-2213 x11-xserver-utilsMissing input sanitizing
DSA-2214 ikiwikiMissing input validation
DSA-2217 dhcp3Missing input sanitizing
DSA-2219 xmlsec1File overwrite
DSA-2220 request-tracker3.6Multiple issues
DSA-2225 asteriskMultiple issues
DSA-2226 libmodplugBuffer overflow
DSA-2228 xulrunnerMultiple issues
DSA-2233 postfixMultiple issues
DSA-2234 zodbMultiple issues
DSA-2242 cyrus-imapd-2.2Implementation error
DSA-2243 unboundDesign flaw
DSA-2244 bind9Wrong boundary condition
DSA-2246 maharaMultiple issues
DSA-2247 railsMultiple issues
DSA-2248 ejabberdDenial of service
DSA-2250 citadelDenial of service
DSA-2253 fontforgeBuffer overflow
DSA-2254 oprofileCommand injection
DSA-2255 libxml2Buffer overflow
DSA-2260 railsMultiple issues
DSA-2264 user-mode-linuxMultiple issues
DSA-2264 linux-2.6Multiple issues
DSA-2266 php5Multiple issues
DSA-2268 xulrunnerMultiple issues
DSA-2272 bind9Denial of service
DSA-2274 wiresharkMultiple issues
DSA-2276 asteriskMultiple issues
DSA-2277 xml-security-cBuffer overflow
DSA-2278 horde3Multiple issues
DSA-2280 libvirtMultiple issues
DSA-2286 phpmyadminMultiple issues
DSA-2288 libsndfileInteger overflow
DSA-2289 typo3-srcMultiple issues
DSA-2290 sambaCross-side scripting
DSA-2291 squirrelmailMultiple issues
DSA-2292 dhcp3Denial of service
DSA-2293 libxfontBuffer overflow
DSA-2294 freetypeMissing input sanitization
DSA-2296 xulrunnerMultiple issues
DSA-2298 apache2Denial of service
DSA-2298 apache2-mpm-itkDenial of service
DSA-2300 nssCompromised certificate authority
DSA-2301 railsMultiple issues
DSA-2302 bcfg2Arbitrary code execution
DSA-2304 squid3Buffer overflow
DSA-2308 mantisMultiple issues
DSA-2309 opensslCompromised certificate authority
DSA-2310 linux-2.6Multiple issues

Debian Installer

The Debian Installer has been updated to incorporate a new kernel containing a number of important and security-related fixes.

Removed package

The following package was removed due to circumstances beyond our control:

Package Reason
pixelpost unmaintained, multiple security issues

URLs

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/lenny/ChangeLog

The current oldstable distribution:

http://ftp.debian.org/debian/dists/oldstable/

Proposed updates to the oldstable distribution:

http://ftp.debian.org/debian/dists/oldstable-proposed-updates

oldstable distribution information (release notes, errata etc.):

http://www.debian.org/releases/oldstable/

Security announcements and information:

http://security.debian.org/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at http://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.