Updated Debian 7: 7.5 released

April 26th, 2014

The Debian project is pleased to announce the fifth update of its stable distribution Debian 7 (codename wheezy). This update mainly adds corrections for security problems to the stable release, along with a few adjustments for serious problems. Security advisories were already published separately and are referenced where available.

Please note that this update does not constitute a new version of Debian 7 but only updates some of the packages included. There is no need to throw away old wheezy CDs or DVDs but only to update via an up-to-date Debian mirror after an installation, to cause any out of date packages to be updated.

Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.

New installation media and CD and DVD images containing updated packages will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package Reason
advi Explicitly pass latexdir to make, avoiding files ending up in non-FHS directories
base-files Update for the point release
calendarserver Update zoneinfo to tzdata 2014a
catfish Fix untrusted search path vulnerability [CVE-2014-2093, CVE-2014-2094, CVE-2014-2095, CVE-2014-2096]
certificatepatrol Declare compatibility with Iceweasel 24
clamav New upstream release
conkeror Add patches for compatibility with Iceweasel 24
debian-installer Add support for QNAP HS-210
debian-installer-netboot-images Rebuild against the latest debian-installer
docx2txt Add missing dependency on unzip
erlang Fix command injection via CR or LF in user, file or directory names in the FTP module [CVE-2014-1693]
evolution-ews Fix free/busy indicators with Exchange 2013 servers
firebug New upstream release; compatible with Iceweasel 24
flashblock New upstream release; compatible with Iceweasel 24
freeciv Fix denial of service [CVE-2012-5645, CVE-2012-6083]
freerdp Fix libfreerdp-dev so that it can be compiled against
glark Force use of Ruby 1.8, as glark doesn't work with newer versions
gorm.app Fix build failure
greasemonkey New upstream release; compatible with Iceweasel 24
gst-plugins-bad0.10 Fix build failure due to the libmodplug upgrade in DSA 2751
intel-microcode Include updated microcode
ktp-filetransfer-handler Fix broken kde-telepathy-filetransfer-handler-dbg on mips
lcms2 Security fixes
libdatetime-timezone-perl Update to tzdata 2014a
libfinance-quote-perl Update URLs of Yahoo! Finance services
libpdf-api2-perl Fix build failure
libquvi-scripts New upstream release
libsoup2.4 Fix issues with NTLM authentication against Windows 2012
libxml2 Fix memory corruption when re-using the library from threaded applications
linux Update to stable 3.2.57, 3.2.55-rt81, drm/agp 3.4.86; several security fixes; e1000e, igb: backport changes up to Linux 3.13
ltsp Fix remote audio on thin clients
meep Stop building with -march=native
meep-openmpi Stop building with -march=native
mozilla-noscript New upstream release; compatible with Iceweasel 24
mp3gain Fix denial of service and buffer overflow issues [CVE-2003-0577, CVE-2004-0805, CVE-2004-0991, CVE-2006-1655]
net-snmp Fix agentx subagent issues with multiple-object requests and increasing object length [CVE-2014-2310]
newsbeuter Fix build failure due to json's switch from boolean to json_bool
nvidia-graphics-drivers New upstream release
nvidia-graphics-modules Build against nvidia-kernel-source 304.117
openblas Fix hang when called from an OpenMP-using program
php-getid3 Fix potential XXE security issue [CVE-2014-2053]
php5 Many fixes backported from upstream
polarssl Fix build failure due to expired certificates
postgresql-8.4 New upstream micro-release
postgresql-9.1 New upstream micro-release
qemu Fix entry pointer for ELF kernels loaded with -kernel option; only allow real mode to access 32-bit addresses unless in long mode
qemu-kvm Fix entry pointer for ELF kernels loaded with -kernel option; only allow real mode to access 32-bit addresses unless in long mode
quassel Restrict clients from accessing backlogs belonging to other users [CVE-2013-6404]
resource-agents Fix HTTPS service checking by IP address
ruby-passenger Fix insecure use of /tmp [CVE-2014-1831, CVE-2014-1832]
sage-extension New upstream release; compatible with Iceweasel 24
samba Fix authentication bypass and insufficient protection against brute-force password guessing [CVE-2012-6150, CVE-2013-4496]
samba4 Remove insecure and broken samba4 and winbind4 binary packages
spamassassin Remove xxx from the list of common fake TLDs, since it is not fake any more; remove rules referring to rfc-ignorant.org and NJABL, which have been shut down
spip Fix missing escaping; update security screen
subversion Fix mod_dav_svn crash when handling certain requests [CVE-2014-0032] and removal of libsvnjavahl-1.a/.la/.so from libsvn-dev
sympa Fix CAS authentication issues; fix SQLite upgrade patch to avoid errors with perl <= 5.14; raise a warning instead of an error when the CA bundle file is not readable; provide the missing template help_suspend.tt2
tweepy Use Twitter API 1.1 and SSL
tzdata New upstream release
wml Remove temporary directories (ipp.*)
xine-lib Fix build failure due to the libmodplug upgrade in DSA 2751
xine-lib-1.2 Fix build failure due to the libmodplug upgrade in DSA 2751

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-2848 mysql-5.5
DSA-2850 libyaml
DSA-2852 libgadu
DSA-2854 mumble
DSA-2855 libav
DSA-2856 libcommons-fileupload-java
DSA-2857 libspring-java
DSA-2858 iceweasel
DSA-2859 pidgin
DSA-2860 parcimonie
DSA-2861 file
DSA-2862 chromium-browser
DSA-2863 libtar
DSA-2865 postgresql-9.1
DSA-2866 gnutls26
DSA-2867 otrs2
DSA-2868 php5
DSA-2869 gnutls26
DSA-2870 libyaml-libyaml-perl
DSA-2871 wireshark
DSA-2872 udisks
DSA-2873 file
DSA-2874 mutt
DSA-2875 cups-filters
DSA-2877 lighttpd
DSA-2878 virtualbox
DSA-2879 libssh
DSA-2880 python2.7
DSA-2881 iceweasel
DSA-2882 extplorer
DSA-2883 chromium-browser
DSA-2884 libyaml
DSA-2885 libyaml-libyaml-perl
DSA-2886 libxalan2-java
DSA-2887 ruby-actionmailer-3.2
DSA-2888 ruby-activesupport-3.2
DSA-2888 ruby-actionpack-3.2
DSA-2889 postfixadmin
DSA-2890 libspring-java
DSA-2891 mediawiki-extensions
DSA-2891 mediawiki
DSA-2892 a2ps
DSA-2894 openssh
DSA-2895 prosody
DSA-2895 lua-expat
DSA-2896 openssl
DSA-2897 tomcat7
DSA-2898 imagemagick
DSA-2899 openafs
DSA-2900 jbigkit
DSA-2901 wordpress
DSA-2902 curl
DSA-2903 strongswan
DSA-2904 virtualbox
DSA-2905 chromium-browser
DSA-2908 openssl
DSA-2909 qemu
DSA-2910 qemu-kvm

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
hlbr Broken
hlbrw Depends on to-be-removed hlbr

Debian Installer

The installer has been updated to add support for QNAP HS-210 devices and to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/wheezy/ChangeLog

The current stable distribution:

http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/

Security announcements and information:

http://security.debian.org/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.