Updated Debian 5.0: 5.0.10 released

March 10th, 2012

The Debian project is pleased to announce the tenth and final update of its oldstable distribution Debian 5.0 (codename lenny). This update mainly adds corrections for security problems to the oldstable release, along with a few adjustments for serious problems. Security advisories were already published separately and are referenced where available.

The alpha and ia64 packages from DSA 1769 are not included in this point release for technical reasons. All other security updates released during the lifetime of lenny that have not previously been part of a point release are included in this update.

Please note that the security support for the oldstable distribution ended in February 2012 and no updates have been released since that point.

Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.

New installation media and CD and DVD images containing updated packages will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:

http://www.debian.org/mirror/list

Please note that the oldstable distribution will be moved from the main archive to the archive.debian.org repository after March 24th 2012. After this move, it will no longer be available from the main mirror network. More information about the distribution archive and a list of mirrors is available at:

http://www.debian.org/distrib/archive

Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following packages:

Package Reason
apr Disable robust pthread mutexes on alpha, arm, and armel
base-files Update /etc/debian_version for the point release
ia32-libs Refresh packages to include recent security updates
libdigest-perl Fix unsafe use of eval in Digest->new()
linux-2.6 Various security fixes
phppgadmin Fix XSS
postgresql-8.3 New upstream micro-release
typo3-src Fix cache flooding via improper error handling
xapian-omega Fix escaping issues in templates
xpdf Insecure tempfile usage in zxpdf
user-mode-linux Rebuild against linux-source-2.6.26 (2.6.26-29)

Security Updates

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package Correction(s)
DSA-1769 openjdk-6Arbitrary code execution
DSA-2161 openjdk-6Multiple issues
DSA-2224 openjdk-6Multiple issues
DSA-2237 aprDenial of service
DSA-2251 subversionMultiple issues
DSA-2258 kolab-cyrus-imapdImplementation error
DSA-2263 movabletype-opensourceMultiple issues
DSA-2265 perlMissing taint check
DSA-2267 perlRestriction bypass
DSA-2271 curlImproper delegation of client credentials
DSA-2281 opieMultiple issues
DSA-2284 opensaml2Implementation error
DSA-2285 mapserverMultiple issues
DSA-2287 libpngMultiple issues
DSA-2301 railsMultiple issues
DSA-2305 vsftpdDenial of service
DSA-2313 xulrunnerMultiple issues
DSA-2315 openoffice.orgMultiple issues
DSA-2316 quaggaMultiple issues
DSA-2318 cyrus-imapd-2.2Multiple issues
DSA-2320 dokuwikiRegression fix
DSA-2321 moinCross-site scripting
DSA-2323 radvdMultiple issues
DSA-2324 wiresharkProgramming error
DSA-2328 freetypeMissing input sanitising
DSA-2332 python-djangoMultiple issues
DSA-2333 phpldapadminMultiple issues
DSA-2334 maharaMultiple issues
DSA-2335 man2htmlMissing input sanitization
DSA-2339 nssMultiple issues
DSA-2340 postgresql-8.3Weak password hashing
DSA-2341 xulrunnerMultiple issues
DSA-2343 opensslCA trust revocation
DSA-2346 proftpd-dfsgMultiple issues
DSA-2347 bind9Improper assert
DSA-2350 freetypeMissing input sanitising
DSA-2351 wiresharkBuffer overflow
DSA-2352 puppetProgramming error
DSA-2354 cupsMultiple issues
DSA-2355 clearsilverFormat string vulnerability
DSA-2357 evinceMultiple issues
DSA-2358 openjdk-6Multiple issues
DSA-2361 chasenBuffer overflow
DSA-2362 acpidMultiple issues
DSA-2363 torBuffer overflow
DSA-2365 dtcMultiple issues
DSA-2366 mediawikiMultiple issues
DSA-2367 asteriskMultiple issues
DSA-2368 lighttpdMultiple issues
DSA-2369 libsoup2.4Directory traversal
DSA-2370 unboundMultiple issues
DSA-2371 jasperBuffer overflows
DSA-2372 heimdalBuffer overflow
DSA-2373 inetutilsBuffer overflow
DSA-2374 openswanImplementation error
DSA-2375 krb5Buffer overflow
DSA-2376 ipmitoolInsecure pid file
DSA-2377 cyrus-imapd-2.2Denial of service
DSA-2380 foomatic-filtersShell command injection
DSA-2382 ecryptfs-utilsMultiple issues
DSA-2383 superBuffer overflow
DSA-2384 cactiMultiple issues
DSA-2385 pdnsPacket loop
DSA-2386 openttdMultiple issues
DSA-2388 t1libMultiple issues
DSA-2390 opensslMultiple issues
DSA-2392 opensslOut-of-bounds read
DSA-2394 libxml2Multiple issues
DSA-2397 icuBuffer underflow
DSA-2398 curlMultiple issues
DSA-2399 php5Multiple issues
DSA-2400 xulrunnerMultiple issues
DSA-2403 php5Code injection
DSA-2405 apache2Multiple issues
DSA-2405 apache2-mpm-itkMultiple issues

Debian Installer / kernel

The kernel included in this point release has been updated to incorporate fixes for a number of security issues. The installer has been rebuilt to use the new kernel.

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
qcad Non-distributable
partlibary Non-distributable

URLs

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/lenny/ChangeLog

The current oldstable distribution:

http://ftp.debian.org/debian/dists/oldstable/

Proposed updates to the oldstable distribution:

http://ftp.debian.org/debian/dists/oldstable-proposed-updates

oldstable distribution information (release notes, errata etc.):

http://www.debian.org/releases/oldstable/

Security announcements and information:

http://security.debian.org/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at http://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.