Updated Debian 7: 7.3 released

December 14th, 2013

The Debian project is pleased to announce the third update of its stable distribution Debian 7 (codename wheezy). This update mainly adds corrections for security problems to the stable release, along with a few adjustments for serious problems. Security advisories were already published separately and are referenced where available.

Please note that this update does not constitute a new version of Debian 7 but only updates some of the packages included. There is no need to throw away old wheezy CDs or DVDs; after an installation, simply update via an up-to-date Debian mirror so that any out-of-date packages are updated.

Those who frequently install updates from security.debian.org won't have to update many packages, and most updates from security.debian.org are included in this update.

New installation media and CD and DVD images containing updated packages will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:

http://www.debian.org/mirror/list

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package Reason
apt Fix handling of :any in single-arch systems and processing of .debs over 2GB in size
apt-listbugs Insecure use of temporary files
base-files Update for point release
bootchart Fix upgrade path from machines which had lenny's bootchart installed
darktable Fix CVE-2013-1438; fix CVE-2013-1439
distro-info-data Add Ubuntu 14.04, Trusty Tahr
expat Do not ship pkgconfig files
fcitx-cloudpinyin Use Google by default, to replace no longer available previous default
firebird2.5 Final 2.5.2 release, bug fixes
gnome-settings-daemon Remove no longer required patch which makes syndaemon almost useless
gtk+3.0 Load the file icon via a data: URI, to work with librsvg's new origin policy
iftop Fix memory leak
intel-microcode New upstream update
kfreebsd-9 Disable 101_nullfs_vsock.diff
libdatetime-timezone-perl New upstream version
libguestfs Fix CVE-2013-4419: insecure temporary directory handling for remote guestfish
libnet-server-perl Fix use of uninitialized value in pattern match
libnet-smtp-tls-butmaintained-perl Fix misuse of IO::Socket::SSL in the SSL_version argument
librsvg Fix CVE-2013-1881: disable loading of external entities
lua-sql Restore multiarch co-installability
meep-lam4 Move /usr/include/meep-lam4 to /usr/include/meep; fixes building against the -dev package
meep-mpi-default Move /usr/include/meep-mpi-default to /usr/include/meep; fixes building against the -dev package
meep-mpich2 Move /usr/include/meep-mpich2 to /usr/include/meep; fixes building against the -dev package
meep-openmpi Move /usr/include/meep-openmpi to /usr/include/meep; fixes building against the -dev package
multipath-tools Restore dmsetup export workaround, lost in previous upload
nagios3 Stop status.cgi listing unauthorised hosts and services, miscellaneous bug fixes
nsd3 Add $network to Required-Start
openttd Fix CVE-2013-6411 (DoS)
postgresql-8.4 New upstream micro-release
postgresql-9.1 New upstream micro-release
rtkit Fix access restriction bypass via polkit race condition
ruby-passenger Fix CVE-2013-2119 and CVE-2013-4136: insecure tmp files usage
scikit-learn Move joblib from Recommends to Depends
smplayer Don't append -fontconfig to the command line options for Mplayer2 to prevent crash at startup
starpu Remove non-free example material
starpu-contrib Remove non-free example material
tzdata New upstream release
usemod-wiki Update hardcoded cookie expiration date from 2013 to 2025
xfce4-weather-plugin Update weather.com API URI

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package Correction(s)
DSA-2738 ruby1.9.1 Multiple issues
DSA-2769 kfreebsd-9 Multiple issues
DSA-2770 torque Authentication bypass
DSA-2771 nas Multiple issues
DSA-2772 typo3-src Cross-site scripting
DSA-2773 gnupg Multiple issues
DSA-2774 gnupg2 Multiple issues
DSA-2775 ejabberd Insecure SSL usage
DSA-2777 systemd Multiple issues
DSA-2778 libapache2-mod-fcgid Heap-based buffer overflow
DSA-2779 libxml2 Denial of service
DSA-2781 python-crypto PRNG not correctly reseeded in some situations
DSA-2782 polarssl Multiple issues
DSA-2784 xorg-server Use-after-free
DSA-2785 chromium-browser Multiple issues
DSA-2786 icu Multiple issues
DSA-2787 roundcube Design error
DSA-2788 iceweasel Multiple issues
DSA-2789 strongswan Denial of service and authorization bypass
DSA-2790 nss Uninitialized memory read
DSA-2791 tryton-client Missing input sanitization
DSA-2792 wireshark Multiple issues
DSA-2794 spip Multiple issues
DSA-2795 lighttpd Multiple issues
DSA-2796 torque Arbitrary code execution
DSA-2798 curl Unchecked SSL certificate host name
DSA-2799 chromium-browser Multiple issues
DSA-2800 nss Buffer overflow
DSA-2801 libhttp-body-perl Design error
DSA-2802 nginx Restriction bypass
DSA-2803 quagga Multiple issues
DSA-2804 drupal7 Multiple issues
DSA-2805 sup-mail Remote command injection
DSA-2806 nbd Privilege escalation
DSA-2807 links2 Integer overflow
DSA-2808 openjpeg Multiple issues
DSA-2809 ruby1.8 Multiple issues
DSA-2810 ruby1.9.1 Heap overflow
DSA-2811 chromium-browser Multiple issues

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
linky License problems
iceweasel-linky License problems

Debian Installer

The installer has been rebuilt to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/wheezy/ChangeLog

The current stable distribution:

http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates

Stable distribution information (release notes, errata etc.):

http://www.debian.org/releases/stable/

Security announcements and information:

http://security.debian.org/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at http://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.