Updated Debian 6.0: 6.0.8 released

October 20th, 2013

The Debian project is pleased to announce the eighth update of its oldstable distribution Debian 6.0 (codename squeeze). This update mainly adds corrections for security problems to the oldstable release, along with a few adjustments for serious problems. Security advisories were already published separately and are referenced where available.

Please note that this update does not constitute a new version of Debian 6.0 but only updates some of the packages included. There is no need to throw away old squeeze CDs or DVDs; after an installation, simply update via an up-to-date Debian mirror so that any out-of-date packages are brought current.

Those who frequently install updates from security.debian.org won't have to update many packages, since most updates from security.debian.org are included in this update.

New installation media and CD and DVD images containing updated packages will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:

http://www.debian.org/mirror/list

Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following packages:

Package                   Reason
base-files                Update version for point release
clamav                    New upstream release; security fixes
dpkg-ruby                 Close files once they're parsed, preventing trouble on dist-upgrades
gdm3                      Fix potential security issue with partial upgrades to wheezy
graphviz                  Use system ltdl
grep                      Fix CVE-2012-5667
ia32-libs                 Update included packages from oldstable / security.d.o
ia32-libs-gtk             Update included packages from oldstable / security.d.o
inform                    Remove broken calls to update-alternatives
ldap2dns                  Do not unnecessarily include /usr/share/debconf/confmodule in postinst
libapache-mod-security    Fix NULL pointer dereference (CVE-2013-2765)
libmodule-signature-perl  Fix arbitrary code execution when verifying SIGNATURE (CVE-2013-2145)
libopenid-ruby            Fix CVE-2013-1812
libspf2                   IPv6 fixes
lm-sensors-3              Skip probing for EDID or graphics cards, as it might cause hardware issues
moin                      Do not create empty pagedir (with empty edit-log)
net-snmp                  Fix CVE-2012-2141
openssh                   Fix potential int overflow when using gssapi-with-mac authentication (CVE-2011-5000)
openvpn                   Fix use of non-constant-time memcmp in HMAC comparison (CVE-2013-2061)
pcp                       Fix insecure tempfile handling
pigz                      Use more restrictive permissions for in-progress files
policyd-weight            Remove shut-down njabl DNSBL
pyopencl                  Remove non-free file from examples
pyrad                     Use a better random number generator to prevent predictable password hashing and packet IDs (CVE-2013-0294)
python-qt4                Fix crash in uic file with radio buttons
request-tracker3.8        Move non-cache data to /var/lib
samba                     Fix CVE-2013-4124: denial of service (CPU loop and memory allocation)
smarty                    Fix CVE-2012-4437
spamassassin              Remove shut-down njabl DNSBL; fix RCVD_ILLEGAL_IP to not consider 5.0.0.0/8 as invalid
sympa                     Fix endless loop in wwsympa while loading session data including metacharacters
texlive-extra             Fix predictable temp file names in latex2man
tntnet                    Fix insecure default tntnet.conf
tzdata                    New upstream version
wv2                       Really remove src/generator/generator_wword{6,8}.htm
xorg-server               Link against -lbsd on kfreebsd to make MIT-SHM work with non-world-accessible segments
xview                     Fix alternatives handling
zabbix                    Fix SQL injection, zabbix_agentd DoS, possible path disclosure, field name parameter checking bypass, ability to override LDAP configuration when calling user.login via API

Security Updates

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:

Advisory ID  Package                         Correction(s)
DSA-2628     nss-pam-ldapd                   Buffer overflow
DSA-2629     openjpeg                        Multiple issues
DSA-2630     postgresql-8.4                  Programming error
DSA-2631     squid3                          Denial of service
DSA-2632     user-mode-linux                 Multiple issues
DSA-2632     linux-2.6                       Multiple issues
DSA-2633     fusionforge                     Privilege escalation
DSA-2634     python-django                   Multiple issues
DSA-2635     cfingerd                        Buffer overflow
DSA-2636     xen                             Multiple issues
DSA-2637     apache2                         Multiple issues
DSA-2638     openafs                         Buffer overflow
DSA-2639     php5                            Multiple issues
DSA-2640     zoneminder                      Multiple issues
DSA-2641     perl                            Rehashing flaw
DSA-2641     libapache2-mod-perl2            FTBFS with updated perl
DSA-2642     sudo                            Multiple issues
DSA-2643     puppet                          Multiple issues
DSA-2644     wireshark                       Multiple issues
DSA-2645     inetutils                       Denial of service
DSA-2646     typo3-src                       Multiple issues
DSA-2647     firebird2.1                     Buffer overflow
DSA-2648     firebird2.5                     Multiple issues
DSA-2649     lighttpd                        Fixed socket name in world-writable directory
DSA-2650     libvirt                         Files and device nodes ownership change to kvm group
DSA-2651     smokeping                       Cross-site scripting vulnerability
DSA-2652     libxml2                         External entity expansion
DSA-2653     icinga                          Buffer overflow
DSA-2654     libxslt                         Denial of service
DSA-2655     rails                           Multiple issues
DSA-2656     bind9                           Denial of service
DSA-2657     postgresql-8.4                  Guessable random numbers
DSA-2659     libapache-mod-security          XML external entity processing vulnerability
DSA-2660     curl                            Cookie leak vulnerability
DSA-2661     xorg-server                     Information disclosure
DSA-2662     xen                             Multiple issues
DSA-2663     tinc                            Stack-based buffer overflow
DSA-2664     stunnel4                        Buffer overflow
DSA-2665     strongswan                      Authentication bypass
DSA-2666     xen                             Multiple issues
DSA-2668     linux-2.6                       Multiple issues
DSA-2668     user-mode-linux                 Multiple issues
DSA-2670     request-tracker3.8              Multiple issues
DSA-2673     libdmx                          Multiple issues
DSA-2674     libxv                           Multiple issues
DSA-2675     libxvmc                         Multiple issues
DSA-2676     libxfixes                       Multiple issues
DSA-2677     libxrender                      Multiple issues
DSA-2678     mesa                            Multiple issues
DSA-2679     xserver-xorg-video-openchrome   Multiple issues
DSA-2680     libxt                           Multiple issues
DSA-2681     libxcursor                      Multiple issues
DSA-2682     libxext                         Multiple issues
DSA-2683     libxi                           Multiple issues
DSA-2684     libxrandr                       Multiple issues
DSA-2685     libxp                           Multiple issues
DSA-2686     libxcb                          Multiple issues
DSA-2687     libfs                           Multiple issues
DSA-2688     libxres                         Multiple issues
DSA-2689     libxtst                         Multiple issues
DSA-2690     libxxf86dga                     Multiple issues
DSA-2691     libxinerama                     Multiple issues
DSA-2692     libxxf86vm                      Multiple issues
DSA-2693     libx11                          Multiple issues
DSA-2694     spip                            Privilege escalation
DSA-2698     tiff                            Buffer overflow
DSA-2701     krb5                            Denial of service
DSA-2702     telepathy-gabble                TLS verification bypass
DSA-2703     subversion                      Multiple issues
DSA-2708     fail2ban                        Denial of service
DSA-2710     xml-security-c                  Multiple issues
DSA-2711     haproxy                         Multiple issues
DSA-2713     curl                            Heap overflow
DSA-2715     puppet                          Code execution
DSA-2717     xml-security-c                  Heap overflow
DSA-2718     wordpress                       Multiple issues
DSA-2719     poppler                         Multiple issues
DSA-2723     php5                            Heap corruption
DSA-2725     tomcat6                         Multiple issues
DSA-2726     php-radius                      Buffer overflow
DSA-2727     openjdk-6                       Multiple issues
DSA-2728     bind9                           Denial of service
DSA-2729     openafs                         Multiple issues
DSA-2730     gnupg                           Information leak
DSA-2731     libgcrypt11                     Information leak
DSA-2733     otrs2                           SQL injection
DSA-2734     wireshark                       Multiple issues
DSA-2736     putty                           Multiple issues
DSA-2739     cacti                           Multiple issues
DSA-2740     python-django                   Cross-site scripting vulnerability
DSA-2742     php5                            Interpretation conflict
DSA-2744     tiff                            Multiple issues
DSA-2747     cacti                           Multiple issues
DSA-2748     exactimage                      Denial of service
DSA-2749     asterisk                        Multiple issues
DSA-2751     libmodplug                      Multiple issues
DSA-2752     phpbb3                          Too wide permissions
DSA-2753     mediawiki                       Cross-site request forgery token disclosure
DSA-2754     exactimage                      Denial of service
DSA-2755     python-django                   Directory traversal
DSA-2756     wireshark                       Multiple issues
DSA-2758     python-django                   Denial of service
DSA-2760     chrony                          Multiple issues
DSA-2763     pyopenssl                       Hostname check bypass
DSA-2766     user-mode-linux                 Multiple issues
DSA-2766     linux-2.6                       Multiple issues
DSA-2767     proftpd-dfsg                    Denial of service
DSA-2770     torque                          Authentication bypass
DSA-2773     gnupg                           Multiple issues
DSA-2775     ejabberd                        Insecure SSL usage
DSA-2776     drupal6                         Multiple issues
DSA-2778     libapache2-mod-fcgid            Heap-based buffer overflow

Removed packages

The following packages were removed due to circumstances beyond our control:

Package           Reason
irssi-plugin-otr  Security issues
libpam-rsa        Broken, causes security problems

Debian Installer

The installer has been rebuilt to include the fixes incorporated into oldstable by the point release.

URLs

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/squeeze/ChangeLog

The current oldstable distribution:

http://ftp.debian.org/debian/dists/oldstable/

Proposed updates to the oldstable distribution:

http://ftp.debian.org/debian/dists/oldstable-proposed-updates

Oldstable distribution information (release notes, errata, etc.):

http://www.debian.org/releases/oldstable/

Security announcements and information:

http://security.debian.org/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at http://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.