Updated Debian 6.0: 6.0.9 released

February 15th, 2014

The Debian project is pleased to announce the ninth update of its oldstable distribution Debian 6.0 (codename squeeze). This update mainly adds corrections for security problems to the oldstable release, along with a few adjustments for serious problems. Security advisories were already published separately and are referenced where available.

Please note that this update does not constitute a new version of Debian 6.0 but only updates some of the packages included. There is no need to throw away old squeeze CDs or DVDs but only to update via an up-to-date Debian mirror after an installation, to cause any out of date packages to be updated.

Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.

New installation media and CD and DVD images containing updated packages will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:

http://www.debian.org/mirror/list

Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following packages:

Package Reason
apache2 Fix CVE-2013-1862 (RewriteLog escaping), CVE-2013-1896 (mod_dav: denial of service via MERGE request), segfaults in certain error conditions
base-files Update for the point release
chrony Rebuild in a clean environment
debian-installer Rebuild for the point release
debian-installer-netboot-images Rebuild for the point release
ia32-libs Update included packages from oldstable / security.d.o
ia32-libs-gtk Update included packages from oldstable / security.d.o
librsvg Fix new policy check for non-URIs; fix CVE-2013-1881: disable loading of external entities
localepurge Fix CVE-2014-1638 (insecure tempfile usage)
mapserver Fix CVE-2013-7262, an SQL injection vulnerability in the msPostGISLayerSetTimeFilter function
openttd Fix CVE-2013-6411 (DoS)
postgresql-8.4 New upstream micro-release
spip Fix XSS on signature from author [CVE-2013-7303]
suds Fix CVE-2013-2217
tzdata New upstream release
usemod-wiki Update hardcoded cookie expiration date from 2013 to 2025
xfce4-weather-plugin Update weather.com API URI

Security Updates

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package Correction(s)
DSA-2496 mysql-5.1Multiple issues
DSA-2581 mysql-5.1Multiple issues
DSA-2757 wordpressMultiple issues
DSA-2771 nasMultiple issues
DSA-2774 gnupg2Multiple issues
DSA-2779 libxml2Denial of service
DSA-2780 mysql-5.1Multiple issues
DSA-2781 python-cryptoPRNG not correctly reseeded in some situations
DSA-2783 librack-rubyMultiple issues
DSA-2784 xorg-serverUse-after-free
DSA-2786 icuMultiple issues
DSA-2789 strongswanDenial of service and authorization bypass
DSA-2791 tryton-clientMissing input sanitization
DSA-2792 wiresharkMultiple issues
DSA-2794 spipMultiple issues
DSA-2795 lighttpdMultiple issues
DSA-2796 torqueArbitrary code execution
DSA-2798 curlUnchecked ssl certificate host name
DSA-2800 nssBuffer overflow
DSA-2803 quaggaMultiple issues
DSA-2805 sup-mailRemote command injection
DSA-2806 nbdPrivilege escalation
DSA-2807 links2Integer overflow
DSA-2808 openjpegMultiple issues
DSA-2812 sambaMultiple issues
DSA-2813 gimpMultiple issues
DSA-2814 varnishDenial of service
DSA-2817 libtarMultiple integer overflows
DSA-2820 nsprInteger overflow
DSA-2821 gnupgSide channel attack
DSA-2822 xorg-serverInteger underflow
DSA-2823 pixmanInteger underflow
DSA-2826 denyhostsRemote denial of ssh service
DSA-2827 libcommons-fileupload-javaArbitrary file upload via deserialization
DSA-2828 drupal6Multiple issues
DSA-2829 hplipMultiple issues
DSA-2831 puppetInsecure temporary files
DSA-2832 memcachedMultiple issues
DSA-2834 typo3-srcMultiple issues
DSA-2835 asteriskBuffer overflow
DSA-2838 libxfontBuffer overflow
DSA-2840 srtpBuffer overflow
DSA-2841 movabletype-opensourceCross-site scripting
DSA-2843 graphvizBuffer overflow
DSA-2844 djvulibreArbitrary code execution
DSA-2845 mysql-5.1Multiple issues
DSA-2849 curlInformation disclosure
DSA-2851 drupal6Impersonation
DSA-2852 libgaduHeap-based buffer overflow
DSA-2853 horde3Remote code execution
DSA-2856 libcommons-fileupload-javaCVE-2014-0050

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
iceape Security support removed

Debian Installer

The installer has been rebuilt to include the fixes incorporated into oldstable by the point release.

URLs

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/squeeze/ChangeLog

The current oldstable distribution:

http://ftp.debian.org/debian/dists/oldstable/

Proposed updates to the oldstable distribution:

http://ftp.debian.org/debian/dists/oldstable-proposed-updates

oldstable distribution information (release notes, errata etc.):

http://www.debian.org/releases/oldstable/

Security announcements and information:

http://security.debian.org/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at http://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.