Updated Debian 6.0: 6.0.3 released
October 8th, 2011
The Debian project is pleased to announce the third update of its
stable distribution Debian 6.0 (codename squeeze
).
This update mainly adds corrections for security problems to the stable
release, along with a few adjustments to serious problems. Security advisories
were already published separately and are referenced where available.
Please note that this update does not constitute a new version of Debian 6.0 but only updates some of the packages included. There is no need to throw away 6.0 CDs or DVDs but only to update via an up-to-date Debian mirror after an installation, to cause any out of date packages to be updated.
Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.
New installation media and CD and DVD images containing updated packages will be available soon at the regular locations.
Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
| Package | Reason |
|---|---|
| ace | Rebuild to drop non-distributable files |
| akonadi | Support the use of network-mounted $HOME |
| amispammer | Update service used for discovering the local IP address |
| apache2 | Fix CVE-2011-3348: Possible denial of service in mod_proxy_ajp; various documentation and init script fixes |
| aptitude | Fix symlink attack in hierarchy editor |
| arcboot | Fix netinstall on IP22 / IP32 |
| atop | Insecure use of temporary files |
| base-files | Update /etc/debian_version for the point release |
| brltty | Fix parsing brltty= when not all parameters are provided; setup gconf even if no table was specified |
| clamav | New upstream release; fix off-by-one and opcode 20 not implementederrors |
| clive | Adapt for youtube.com changes |
| conky | Fix file overwrite vulnerability |
| ctdb | Fix path to ethtool and activation of httpd service |
| debian-installer-utils | Set SUDO_FORCE_REMOVE=yes to allow sudo-ldap to be installed from d-i |
| deja-dup | Explicitly pass environment to subprocesses to ensure correct GPG operation on restores |
| dokuwiki | RSS XSS security fix |
| dput | Update backports configuration to use the new .d.o hosts |
| drupal6 | Security fix for XSS in color module |
| firmware-nonfree | Add VIA VT6656, Realtek RTL8105E-1 and RTL8168E-1/2/3 firmware |
| foo2zjs | Fix insecure use of temporary file |
| freebsd-libs | Move libsbuf.so.0 and libipx.so.2 to /lib |
| freebsd-utils | Provide config files and init.d script for devd; enable ieee80211 (wireless) in ifconfig |
| gajim | Fix high CPU load on connection |
| gdebi | Try to determine correct localized value for Y |
| gdm3 | Only show shutdown options when requested; fix double free; only set WINDOWPATH if not NULL; remove beep in PAM dialog patch |
| git | Fix off-by-one parsing commit subjects; prevent deadlock when shallow-cloning; documentation updates |
| grub-installer | Allow use of grub-legacy to be pre-seeded (if appropriate) |
| grub2 | Handle Xen split-partition disk image devices; ensure uniqueness of RAID array numbers; fix grub-probe detection for ATA devices using atadriver on kFreeBSD 9 |
| heimdal | Allow DES to be used with NFS |
| httpcomponents-client | Fix bug causing Proxy-Authorization header to be passed to target hosts |
| ia32-libs | Refresh packages from stable and security |
| ia32-libs-gtk | Refresh packages from stable and security |
| ibid | Fix various security issues; make the HTTP source work again |
| ipmitool | Fix segfault |
| kde4libs | Prevent marked text being cut when switching documents in kate |
| kernel-wedge | Stop considering acpi.ko as part of the kernel for kFreeBSD |
| kfreebsd-8 | Fix net802.11 stack kernel memory disclosure (CVE-2011-2480); merge backported if_msk driver from 8-STABLE; re-enable building of some modules |
| kfreebsd-kernel-di-amd64 | Rebuild against kfreebsd-8 8.1+dfsg-8+squeeze1 |
| kfreebsd-kernel-di-i386 | Rebuild against kfreebsd-8 8.1+dfsg-8+squeeze1 |
| krb5 | Permit gss_set_allowable_enctypes to restrict acceptor enctypes, allowing newer clients to use a Squeeze NFS server without degrading security for non-NFS applications |
| kupfer | Don't crash if Evolution address book not present |
| libpcap | Fix corruption of snapshot length on live captures; fix device detection when bonding in use |
| lintian | Fix information disclosure issues |
| linux-2.6 | Update to long-term release 2.6.32.46; backport network driver changes |
| linux-kernel-di-amd64-2.6 | Rebuild against linux-2.6 2.6.32-38 |
| linux-kernel-di-armel-2.6 | Rebuild against linux-2.6 2.6.32-38 |
| linux-kernel-di-i386-2.6 | Rebuild against linux-2.6 2.6.32-38 |
| linux-kernel-di-ia64-2.6 | Rebuild against linux-2.6 2.6.32-38 |
| linux-kernel-di-mips-2.6 | Rebuild against linux-2.6 2.6.32-38 |
| linux-kernel-di-mipsel-2.6 | Rebuild against linux-2.6 2.6.32-38 |
| linux-kernel-di-powerpc-2.6 | Rebuild against linux-2.6 2.6.32-38 |
| linux-kernel-di-s390-2.6 | Rebuild against linux-2.6 2.6.32-38 |
| linux-kernel-di-sparc-2.6 | Rebuild against linux-2.6 2.6.32-38 |
| mesa | GLX: suppress BadRequest from DRI2Connect (expected for non-local clients) |
| mod-gnutls | Fix segmentation faults |
| nagvis | Install documentation; properly apply FollowSymlinks; only call ucf if available |
| nss-pam-ldapd | Fix uninitialised memory while parsing the tls_ciphers; fix problem with partial attribute name matches in DN; make all string buffers able to represent 64-bit numbers; treat the hardvalue for tls_reqcert as if it was demand |
| openarena | Fix arbitrary code execution by malicious bytecode |
| opencv | Fix install path of opencv-doc; optimise i386 package for i486 |
| openssh | Quieten logs when multiple from= restrictions are used in different authorized_keys lines for the same key |
| openssl | Fix CVE-2011-3210: SSL memory handling for (EC)DH ciphersuites |
| pianobar | Support XMLRPC API version 31 |
| pmake | Fix symlink attack via temporary files |
| postgresql-8.4 | Fix regression due to fix plpgsql's issues with dropped columns in rowtypes in 8.4 branch |
| python-recaptcha | Update URLs for web service move to google.com |
| quassel | Fix DoS via CTCP |
| red5 | Add missing dependency on glassfish-javaee |
| sbcl | Fix reference to undefined asdf::split in the asdf-install module |
| shelldap | Exit with a nicer error message if IO::Socket::SSL isn't installed, but SSL/TLS was requested |
| system-tools-backends | Properly handle config file rename |
| tesseract | Fix file overwrite vulnerability by disabling xterm-based debug windows |
| typo3-src | Fix cache flooding via improper error handling |
| tzdata | New upstream version |
| update-inetd | Fix breakage with non-default inetd packages |
| usbutils | Update USB ID list; build-depend on libusb2-dev on kFreeBSD |
| user-mode-linux | Rebuild against linux-2.6 2.6.32-37 |
| v86d | Fix CVE-2011-1070: failure to validate netlink message sender; do not include random kernel headers in CFLAGS |
| vftool | Fix a buffer overflow in linetoken() in parseAFM.c |
| vte | Fix DoS |
| widelands | Fix network play on official maps (regression introduced by previous update) |
| win32-loader | Add Built-Using header; allow suite-specific versions; document versions of embedded software |
| xapian-omega | Fix escaping issues in templates |
| zfsutils | Update LSB init headers to ensure clean startup/shutdown; add bash-completion script |
Note that the krb5 change mentioned above requires a further update to the nfs-common
package before it will be effective. It is hoped that this update will be included in
the next point release.
During the final stages of the point release, it was noticed that the quassel
package no longer included any translation files. It is hoped that an update restoring
the translations will be available soon via squeeze-updates
and included in the
next point release.
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
| Advisory ID | Package | Correction(s) |
|---|---|---|
| DSA-2188 | webkit | Multiple issues |
| DSA-2210 | tiff | Multiple issues |
| DSA-2228 | iceweasel | Multiple issues |
| DSA-2248 | ejabberd | Denial of service |
| DSA-2252 | dovecot | Programming error |
| DSA-2254 | oprofile | Command injection |
| DSA-2256 | tiff | Buffer overflow |
| DSA-2258 | kolab-cyrus-imapd | Implementation error |
| DSA-2266 | php5 | Multiple issues |
| DSA-2267 | perl | Restriction bypass |
| DSA-2268 | iceweasel | Multiple issues |
| DSA-2269 | iceape | Multiple issues |
| DSA-2270 | qemu-kvm | Programming error |
| DSA-2271 | curl | Improper delegation of client credentials |
| DSA-2272 | bind9 | Denial of service |
| DSA-2273 | icedove | Multiple issues |
| DSA-2274 | wireshark | Multiple issues |
| DSA-2276 | asterisk | Multiple issues |
| DSA-2277 | xml-security-c | Buffer overflow |
| DSA-2279 | libapache2-mod-authnz-external | SQL injection |
| DSA-2280 | libvirt | Multiple issues |
| DSA-2281 | opie | Multiple issues |
| DSA-2282 | qemu-kvm | Multiple issues |
| DSA-2285 | mapserver | Multiple issues |
| DSA-2287 | libpng | Multiple issues |
| DSA-2288 | libsndfile | Integer overflow |
| DSA-2289 | typo3-src | Multiple issues |
| DSA-2291 | squirrelmail | Multiple issues |
| DSA-2292 | isc-dhcp | Denial of service |
| DSA-2293 | libxfont | Buffer overflow |
| DSA-2294 | freetype | Missing input sanitization |
| DSA-2295 | iceape | Multiple issues |
| DSA-2296 | iceweasel | Multiple issues |
| DSA-2297 | icedove | Multiple issues |
| DSA-2298 | apache2 | Denial of service |
| DSA-2299 | ca-certificates | Blacklist DigiNotar Root CA |
| DSA-2300 | nss | Compromised certificate authority |
| DSA-2301 | rails | Multiple issues |
| DSA-2302 | bcfg2 | Arbitrary code execution |
| DSA-2303 | user-mode-linux | Multiple issues |
| DSA-2303 | linux-2.6 | Multiple issues |
| DSA-2304 | squid3 | Buffer overflow |
| DSA-2305 | vsftpd | Denial of service |
| DSA-2306 | ffmpeg | Multiple issues |
| DSA-2307 | chromium-browser | Multiple issues |
| DSA-2308 | mantis | Multiple issues |
| DSA-2309 | openssl | Compromised certificate authority |
| DSA-2312 | iceape | Multiple issues |
| DSA-2313 | iceweasel | Multiple issues |
| DSA-2314 | puppet | Multiple issues |
| DSA-2316 | quagga | Multiple issues |
| DSA-2317 | icedove | Multiple issues |
Debian Installer
The Debian Installer has been updated in this point release to correct the following issues (among others):
- fix netinstall on IP22 / IP32 (mips)
- allow use of grub-legacy to be pre-seeded (if appropriate)
The kernel image used by the installer has been updated to incorporate a number of important and security-related fixes together with updates to the e1000e, igb, igbvf, r8169, tg3, and broadcom network drivers to add support for additional hardware.
The GNU/kFreeBSD installer also incorporates an updated kernel image including an updated if_msk Gigabit Ethernet driver.
URLs
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
Stable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.