Updated Debian 6.0: 6.0.7 released

February 23rd, 2013

The Debian project is pleased to announce the seventh update of its stable distribution Debian 6.0 (codename squeeze). This update mainly adds corrections for security problems to the stable release, along with a few adjustments for serious problems. Security advisories were already published separately and are referenced where available.

Please note that this update does not constitute a new version of Debian 6.0 but only updates some of the packages included. There is no need to throw away 6.0 CDs or DVDs but only to update via an up-to-date Debian mirror after an installation, to cause any out of date packages to be updated.

Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.

New installation media and CD and DVD images containing updated packages will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:

http://www.debian.org/mirror/list

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package Reason
apt-show-versions Fix detection of squeeze-updates and squeeze; update official distribution list
base-files Update for the point release
bcron Don't allow jobs access to other jobs' temporary files
bind9 Update IP for D root server
bugzilla Add dependency on liburi-perl, used during package configuration
choose-mirror Update URL for master mirror list
clamav New upstream version
claws-mail Fix NULL pointer dereference
clive Adapt for youtube.com changes
cups Ship cups-files.conf's manpage
dbus Avoid code execution in setuid/setgid binaries
dbus-glib Fix authentication bypass through insufficient checks (CVE-2013-0292)
debian-installer Rebuild for 6.0.7
debian-installer-netboot-images Rebuild against debian-installer 20110106+squeeze4+b3
dtach Properly handle close request (CVE-2012-3368)
ettercap Fix hosts list parsing (CVE-2013-0722)
fglrx-driver Fix diversion-related issues with upgrades from lenny
flashplugin-nonfree Use gpg --verify
fusionforge Lenny to squeeze upgrade fix
gmime2.2 Add Conflicts: libgmime2.2-cil to fix upgrades from lenny
gzip Avoid using memcpy on overlapping regions
ia32-libs Update included packages from stable / security.d.o
ia32-libs-core Update included packages from stable / security.d.o
kfreebsd-8 Fix CVE-2012-4576: memory access without proper validation in linux compat system
libbusiness-onlinepayment-ippay-perl Backport changes to IPPay gateway's server name and path
libproc-processtable-perl Fix unsafe temporary file usage (CVE-2011-4363)
libzorpll Add missing Breaks/Replaces: libzorp2-dev to libzorpll-dev
linux-2.6 Update to stable release 2.6.32.60. Backport hpsa, isci and megaraid_sas driver updates. Fix r8169 hangs
linux-kernel-di-amd64-2.6 Rebuild against linux-2.6 2.6.32-48
linux-kernel-di-armel-2.6 Rebuild against linux-2.6 2.6.32-48
linux-kernel-di-i386-2.6 Rebuild against linux-2.6 2.6.32-48
linux-kernel-di-ia64-2.6 Rebuild against linux-2.6 2.6.32-48
linux-kernel-di-mips-2.6 Rebuild against linux-2.6 2.6.32-48
linux-kernel-di-mipsel-2.6 Rebuild against linux-2.6 2.6.32-48
linux-kernel-di-powerpc-2.6 Rebuild against linux-2.6 2.6.32-48
linux-kernel-di-s390-2.6 Rebuild against linux-2.6 2.6.32-48
linux-kernel-di-sparc-2.6 Rebuild against linux-2.6 2.6.32-48
magpierss Fix upgrade issue
maradns Fix CVE-2012-1570 (deleted domain record cache persistence flaw)
mediawiki Prevent session fixation in Special:UserLogin (CVE-2012-5391); prevent linker regex from exceeding backtrack limit
moodle Multiple security fixes
nautilus Add Breaks: samba-common (<< 2:3.5) to fix a lenny to squeeze upgrade issue
openldap Dump the database in prerm on upgrades to help upgrades to releases with newer libdb versions
openssh Improve DoS resistance (CVE-2010-5107)
pam-pgsql Fix issue with NULL passwords
pam-shield Correctly block IPs when allow_missing_dns is no
perl Fix misparsing of maketext strings (CVE-2012-6329)
poppler Security fixes; CVE-2010-0206, CVE-2010-0207, CVE-2012-4653; fix GooString::insert, correctly initialise variables
portmidi Fix crash
postgresql-8.4 New upstream micro-release
sdic Move bzip2 from Suggests to Depends as it is used during installation
snack Fix buffer overflow (CVE-2012-6303)
sphinx Fix incompatibility with jQuery>= 1.4
swath Fix potential buffer overflow in Mule mode
swi-prolog Fix buffer overruns
ttf-ipafont Fix removal of alternatives
tzdata New upstream version; fix DST for America/Bahia (Brazil)
unbound Update IP address hints for D.ROOT-SERVERS.NET
xen Fix clock breakage
xnecview Fix FTBFS on armel

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package Correction(s)
DSA-2550 asteriskMultiple issues
DSA-2551 isc-dhcpDenial of service
DSA-2552 tiffMultiple issues
DSA-2553 iceweaselMultiple issues
DSA-2554 iceapeMultiple issues
DSA-2555 libxsltMultiple issues
DSA-2556 icedoveMultiple issues
DSA-2557 hostapdDenial of service
DSA-2558 baculaInformation disclosure
DSA-2559 libexifMultiple issues
DSA-2560 bind9Denial of service
DSA-2561 tiffBuffer overflow
DSA-2562 cups-pk-helperPrivilege escalation
DSA-2563 viewvcMultiple issues
DSA-2564 tinyproxyDenial of service
DSA-2565 iceweaselMultiple issues
DSA-2566 exim4Heap overflow
DSA-2567 request-tracker3.8Multiple issues
DSA-2568 rtfmPrivilege escalation
DSA-2569 icedoveMultiple issues
DSA-2570 openoffice.orgMultiple issues
DSA-2571 libproxyBuffer overflow
DSA-2572 iceapeMultiple issues
DSA-2573 radsecproxySSL certificate verification weakness
DSA-2574 typo3-srcMultiple issues
DSA-2575 tiffHeap overflow
DSA-2576 trousersDenial of service
DSA-2577 libsshMultiple issues
DSA-2578 rsshMultiple issues
DSA-2579 apache2Multiple issues
DSA-2580 libxml2Buffer overflow
DSA-2582 xenDenial of service
DSA-2583 iceweaselMultiple issues
DSA-2584 iceapeMultiple issues
DSA-2585 bogofilterHeap-based buffer overflow
DSA-2586 perlMultiple issues
DSA-2587 libcgi-pm-perlHTTP header injection
DSA-2588 icedoveMultiple issues
DSA-2589 tiffBuffer overflow
DSA-2590 wiresharkMultiple issues
DSA-2591 maharaMultiple issues
DSA-2592 elinksProgramming error
DSA-2593 moinMultiple issues
DSA-2594 virtualbox-oseProgramming error
DSA-2595 ghostscriptBuffer overflow
DSA-2596 mediawiki-extensionsCross-site scripting in RSSReader extension
DSA-2597 railsInput validation error
DSA-2598 weechatMultiple issues
DSA-2599 nssMis-issued intermediates
DSA-2600 cupsPrivilege escalation
DSA-2601 gnupg2Missing input sanitation
DSA-2601 gnupgMissing input sanitation
DSA-2602 zendframeworkXML external entity inclusion
DSA-2603 emacs23Programming error
DSA-2604 railsInsufficient input validation
DSA-2605 asteriskMultiple issues
DSA-2606 proftpd-dfsgSymlink race
DSA-2607 qemu-kvmBuffer overflow
DSA-2608 qemuBuffer overflow
DSA-2609 railsSQL query manipulation
DSA-2610 gangliaRemote code execution
DSA-2611 movabletype-opensourceMultiple issues
DSA-2612 ircd-ratboxRemote crash
DSA-2613 railsInsufficient input validation
DSA-2614 libupnpMultiple issues
DSA-2615 libupnp4Multiple issues
DSA-2616 nagios3Buffer overflow vulnerability
DSA-2617 sambaMultiple issues
DSA-2618 ircd-hybridDenial of service
DSA-2619 xen-qemu-dm-4.0Buffer overflow
DSA-2620 railsMultiple issues
DSA-2621 opensslMultiple issues
DSA-2622 polarsslMultiple issues
DSA-2623 openconnectBuffer overflow
DSA-2624 ffmpegMultiple issues
DSA-2625 wiresharkMultiple issues
DSA-2626 lighttpdMultiple issues
DSA-2627 nginxInformation leak

Debian Installer

The installer has been rebuilt to include the fixes incorporated into stable by the point release.

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
elmerfem License problems (GPL + non-GPL)

URLs

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/squeeze/ChangeLog

The current stable distribution:

http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates/

stable distribution information (release notes, errata etc.):

http://www.debian.org/releases/stable/

Security announcements and information:

http://security.debian.org/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at http://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.