Updated Debian 6.0: 6.0.6 released

September 29th, 2012

The Debian project is pleased to announce the sixth update of its stable distribution Debian 6.0 (codename squeeze). This update mainly adds corrections for security problems to the stable release, along with a few adjustments for serious problems. Security advisories were already published separately and are referenced where available.

Please note that this update does not constitute a new version of Debian 6.0 but only updates some of the packages included. There is no need to throw away 6.0 CDs or DVDs; after an installation, simply update from an up-to-date Debian mirror so that any out-of-date packages are brought current.

Those who frequently install updates from security.debian.org won't have to update many packages, as most updates from security.debian.org are included in this update.

New installation media and CD and DVD images containing updated packages will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package Reason
alpine Fix crash in embedded UW-IMAP copy
apache2 mod_negotiation - fix CVE-2012-2687; mod_cache - don't cache partial connections; read timeouts should result in a 408
automake1.10 Fix CVE-2012-3386
automake1.11 Fix CVE-2012-3386
automake1.7 Fix CVE-2012-3386
automake1.9 Fix CVE-2012-3386
base-files Update /etc/debian_version for the point release
checkgmail Fix GMail authentication issues
clamav New upstream release
debian-archive-keyring Add wheezy stable and archive signing keys
dpkg Ensure a reliable unpack on SELinux systems
eglibc Really enable patches/any/cvs-dlopen-tls.diff; fix FORTIFY_SOURCE format string protection bypass; fix a DoS in RPC implementation
emesene Update contact end-point to local-bay.contacts.msn.com
geshi Fix 'Local File Inclusion Vulnerability in contrib script'
gosa Security fix (missing escaping)
ia32-libs Update packages
libconfig-inifiles-perl Fix insecure temporary file use
libgc Check for integer overflow in internal malloc and calloc routines
libmtp Fix device flags for some devices; add support for new devices
libxslt Fix CVE-2011-1202, CVE-2011-3970, CVE-2012-2825
links2 Security fixes
linux-2.6 DRM fixes; leap second fix; security fixes; various driver fixes
linux-kernel-di-amd64-2.6 Rebuild against linux-2.6 2.6.32-46
linux-kernel-di-armel-2.6 Rebuild against linux-2.6 2.6.32-46
linux-kernel-di-i386-2.6 Rebuild against linux-2.6 2.6.32-46
linux-kernel-di-ia64-2.6 Rebuild against linux-2.6 2.6.32-46
linux-kernel-di-mips-2.6 Rebuild against linux-2.6 2.6.32-46
linux-kernel-di-mipsel-2.6 Rebuild against linux-2.6 2.6.32-46
linux-kernel-di-powerpc-2.6 Rebuild against linux-2.6 2.6.32-46
linux-kernel-di-s390-2.6 Rebuild against linux-2.6 2.6.32-46
linux-kernel-di-sparc-2.6 Rebuild against linux-2.6 2.6.32-46
lockfile-progs Ensure the correct PID is used when creating lockfiles
mysql-mmm Add dependency on libpath-class-perl
network-manager Stop allowing ad-hoc WPA networks to be created; kernel bugs mean they get created as open networks
nss-pam-ldapd Support larger gecos values; reliability fixes
nvidia-graphics-drivers Fix information leak in the kernel module; fix arbitrary memory access vulnerability; fix local privilege escalation through VGA window manipulation
nvidia-graphics-modules Rebuild against 195.36.31-6squeeze1 kernel modules for security fixes; rebuild to fix CVE-2012-4225
php-memcached Fix session.gc_maxlifetime handling
plymouth Fix the init script to not fail when the package is removed
policyd-weight Remove rfc-ignorant.org RBLs (due to upcoming shutdown) and rbl.ipv6-world.net
postgresql-common Do not remove the PID file after SIGKILLing the postmaster in the last-ditch effort to shut down in --force mode
powertop Fix segfault on newer kernels with large config files
publican Add dependency and build-dependency on libio-string-perl
rstatd Support Linux 3.x kernels
spip Fix base name disclosure; security fixes
tor New upstream release; fix TLS 1.1/1.2 renegotiation with openssl 1.0.1; fix potential DoS; fix two crashes and an information disclosure issue
ttb Add dependency on python-glade2
vte Fix a memory exhaustion vulnerability
wims Fix installation problem
wireshark Fix crashes in ANSI A detector and pcap / pcap-ng parsers
xserver-xorg-video-intel UXA/glyphs: fall back instead of crashing on large strings
yaws Fix RNG strength; fix mail config loading

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package Correction(s)
DSA-2457 iceweasel Regression fix
DSA-2458 iceape Regression fix
DSA-2465 php5 Multiple issues
DSA-2466 rails Cross-site scripting
DSA-2467 mahara Insecure defaults
DSA-2468 libjakarta-poi-java Unbounded memory allocation
DSA-2470 wordpress Multiple issues
DSA-2471 ffmpeg Multiple issues
DSA-2472 gridengine Privilege escalation
DSA-2473 openoffice.org Buffer overflow
DSA-2474 ikiwiki Cross-site scripting
DSA-2475 openssl Integer underflow
DSA-2476 pidgin-otr Format string vulnerability
DSA-2477 sympa Authorization bypass
DSA-2478 sudo Parsing error
DSA-2479 libxml2 Off-by-one
DSA-2480 request-tracker3.8 Regression
DSA-2481 arpwatch Fails to drop supplementary groups
DSA-2482 libgdata No verification of TLS certificates against system root CA
DSA-2483 strongswan Authentication bypass
DSA-2484 nut Denial of service
DSA-2485 imp4 Cross-site scripting
DSA-2486 bind9 Denial of service
DSA-2487 openoffice.org Buffer overflow
DSA-2488 iceweasel Multiple issues
DSA-2489 iceape Multiple issues
DSA-2490 nss Denial of service
DSA-2491 postgresql-8.4 Multiple issues
DSA-2492 php5 Buffer overflow
DSA-2493 asterisk Denial of service
DSA-2494 ffmpeg Multiple issues
DSA-2495 openconnect Buffer overflow
DSA-2497 quagga Denial of service
DSA-2498 dhcpcd Remote stack overflow
DSA-2499 icedove Multiple issues
DSA-2500 mantis Multiple issues
DSA-2501 xen Multiple issues
DSA-2502 python-crypto Programming error
DSA-2503 bcfg2 Shell command injection
DSA-2504 libspring-2.5-java Information disclosure
DSA-2505 zendframework Information disclosure
DSA-2506 libapache-mod-security ModSecurity bypass
DSA-2507 openjdk-6 Multiple issues
DSA-2508 kfreebsd-8 Privilege escalation
DSA-2509 pidgin Remote code execution
DSA-2510 extplorer Cross-site request forgery
DSA-2511 puppet Multiple issues
DSA-2512 mono Missing input sanitising
DSA-2513 iceape Multiple issues
DSA-2514 iceweasel Multiple issues
DSA-2515 nsd3 Null pointer dereference
DSA-2516 isc-dhcp Denial of service
DSA-2517 bind9 Denial of service
DSA-2518 krb5 Denial of service
DSA-2519 isc-dhcp Denial of service
DSA-2520 openoffice.org Multiple heap-based buffer overflows
DSA-2521 libxml2 Integer overflows
DSA-2522 fckeditor Cross-site scripting
DSA-2523 globus-gridftp-server Programming error
DSA-2523 globus-gridftp-server-control Programming error
DSA-2524 openttd Multiple issues
DSA-2525 expat Multiple issues
DSA-2526 libotr Buffer overflow
DSA-2527 php5 Multiple issues
DSA-2528 icedove Multiple issues
DSA-2529 python-django Multiple issues
DSA-2530 rssh Shell command injection
DSA-2531 xen Denial of service
DSA-2532 libapache2-mod-rpaf Denial of service
DSA-2533 pcp Multiple issues
DSA-2534 postgresql-8.4 Multiple issues
DSA-2535 rtfm Cross-site scripting
DSA-2536 otrs2 Cross-site scripting
DSA-2537 typo3-src Multiple issues
DSA-2538 moin Privilege escalation
DSA-2539 zabbix SQL injection
DSA-2540 mahara Cross-site scripting
DSA-2541 beaker Information disclosure
DSA-2542 qemu-kvm Multiple issues
DSA-2543 xen-qemu-dm-4.0 Multiple issues
DSA-2544 xen Denial of service
DSA-2545 qemu Multiple issues
DSA-2546 freeradius Code execution
DSA-2547 bind9 Improper assert
DSA-2548 tor Multiple issues
DSA-2549 devscripts Multiple issues

Debian Installer

The installer has been rebuilt to include the fixes incorporated into stable by the point release.

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
blockade Non-distributable data files
kcheckgmail Unmaintained; broken by Google changes
libtrash Unmaintained; broken

URLs

The complete list of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/squeeze/ChangeLog

The current stable distribution:

http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates

Stable distribution information (release notes, errata, etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

http://security.debian.org/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.