Latest News / News from 2014 / News -- Updated Debian 7: 7.5 released

Updated Debian 7: 7.5 released

April 26th, 2014

The Debian project is pleased to announce the fifth update of its stable distribution Debian 7 (codename wheezy). This update mainly adds corrections for security problems to the stable release, along with a few adjustments for serious problems. Security advisories were already published separately and are referenced where available.

Please note that this update does not constitute a new version of Debian 7 but only updates some of the packages included. There is no need to throw away old wheezy CDs or DVDs but only to update via an up-to-date Debian mirror after an installation, to cause any out of date packages to be updated.

Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.

New installation media and CD and DVD images containing updated packages will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package	Reason
advi	Explicitly pass latexdir to make, avoiding files ending up in non-FHS directories
base-files	Update for the point release
calendarserver	Update zoneinfo to tzdata 2014a
catfish	Fix untrusted search path vulnerability [CVE-2014-2093, CVE-2014-2094, CVE-2014-2095, CVE-2014-2096]
certificatepatrol	Declare compatibility with Iceweasel 24
clamav	New upstream release
conkeror	Add patches for compatibility with Iceweasel 24
debian-installer	Add support for QNAP HS-210
debian-installer-netboot-images	Rebuild against the latest debian-installer
docx2txt	Add missing dependency on unzip
erlang	Fix command injection via CR or LF in user, file or directory names in the FTP module [CVE-2014-1693]
evolution-ews	Fix free/busy indicators with Exchange 2013 servers
firebug	New upstream release; compatible with Iceweasel 24
flashblock	New upstream release; compatible with Iceweasel 24
freeciv	Fix denial of service [CVE-2012-5645, CVE-2012-6083]
freerdp	Fix libfreerdp-dev so that it can be compiled against
glark	Force use of Ruby 1.8, as glark doesn't work with newer versions
gorm.app	Fix build failure
greasemonkey	New upstream release; compatible with Iceweasel 24
gst-plugins-bad0.10	Fix build failure due to the libmodplug upgrade in DSA 2751
intel-microcode	Include updated microcode
ktp-filetransfer-handler	Fix broken kde-telepathy-filetransfer-handler-dbg on mips
lcms2	Security fixes
libdatetime-timezone-perl	Update to tzdata 2014a
libfinance-quote-perl	Update URLs of Yahoo! Finance services
libpdf-api2-perl	Fix build failure
libquvi-scripts	New upstream release
libsoup2.4	Fix issues with NTLM authentication against Windows 2012
libxml2	Fix memory corruption when re-using the library from threaded applications
linux	Update to stable 3.2.57, 3.2.55-rt81, drm/agp 3.4.86; several security fixes; e1000e, igb: backport changes up to Linux 3.13
ltsp	Fix remote audio on thin clients
meep	Stop building with -march=native
meep-openmpi	Stop building with -march=native
mozilla-noscript	New upstream release; compatible with Iceweasel 24
mp3gain	Fix denial of service and buffer overflow issues [CVE-2003-0577, CVE-2004-0805, CVE-2004-0991, CVE-2006-1655]
net-snmp	Fix agentx subagent issues with multiple-object requests and increasing object length [CVE-2014-2310]
newsbeuter	Fix build failure due to json's switch from boolean to json_bool
nvidia-graphics-drivers	New upstream release
nvidia-graphics-modules	Build against nvidia-kernel-source 304.117
openblas	Fix hang when called from an OpenMP-using program
php-getid3	Fix potential XXE security issue [CVE-2014-2053]
php5	Many fixes backported from upstream
polarssl	Fix build failure due to expired certificates
postgresql-8.4	New upstream micro-release
postgresql-9.1	New upstream micro-release
qemu	Fix entry pointer for ELF kernels loaded with -kernel option; only allow real mode to access 32-bit addresses unless in long mode
qemu-kvm	Fix entry pointer for ELF kernels loaded with -kernel option; only allow real mode to access 32-bit addresses unless in long mode
quassel	Restrict clients from accessing backlogs belonging to other users [CVE-2013-6404]
resource-agents	Fix HTTPS service checking by IP address
ruby-passenger	Fix insecure use of /tmp [CVE-2014-1831, CVE-2014-1832]
sage-extension	New upstream release; compatible with Iceweasel 24
samba	Fix authentication bypass and insufficient protection against brute-force password guessing [CVE-2012-6150, CVE-2013-4496]
samba4	Remove insecure and broken samba4 and winbind4 binary packages
spamassassin	Remove xxx from the list of common fake TLDs, since it is not fake any more; remove rules referring to rfc-ignorant.org and NJABL, which have been shut down
spip	Fix missing escaping; update security screen
subversion	Fix mod_dav_svn crash when handling certain requests [CVE-2014-0032] and removal of libsvnjavahl-1.a/.la/.so from libsvn-dev
sympa	Fix CAS authentication issues; fix SQLite upgrade patch to avoid errors with perl <= 5.14; raise a warning instead of an error when the CA bundle file is not readable; provide the missing template help_suspend.tt2
tweepy	Use Twitter API 1.1 and SSL
tzdata	New upstream release
wml	Remove temporary directories (ipp.*)
xine-lib	Fix build failure due to the libmodplug upgrade in DSA 2751
xine-lib-1.2	Fix build failure due to the libmodplug upgrade in DSA 2751

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID	Package
DSA-2848	mysql-5.5
DSA-2850	libyaml
DSA-2852	libgadu
DSA-2854	mumble
DSA-2855	libav
DSA-2856	libcommons-fileupload-java
DSA-2857	libspring-java
DSA-2858	iceweasel
DSA-2859	pidgin
DSA-2860	parcimonie
DSA-2861	file
DSA-2862	chromium-browser
DSA-2863	libtar
DSA-2865	postgresql-9.1
DSA-2866	gnutls26
DSA-2867	otrs2
DSA-2868	php5
DSA-2869	gnutls26
DSA-2870	libyaml-libyaml-perl
DSA-2871	wireshark
DSA-2872	udisks
DSA-2873	file
DSA-2874	mutt
DSA-2875	cups-filters
DSA-2877	lighttpd
DSA-2878	virtualbox
DSA-2879	libssh
DSA-2880	python2.7
DSA-2881	iceweasel
DSA-2882	extplorer
DSA-2883	chromium-browser
DSA-2884	libyaml
DSA-2885	libyaml-libyaml-perl
DSA-2886	libxalan2-java
DSA-2887	ruby-actionmailer-3.2
DSA-2888	ruby-activesupport-3.2
DSA-2888	ruby-actionpack-3.2
DSA-2889	postfixadmin
DSA-2890	libspring-java
DSA-2891	mediawiki-extensions
DSA-2891	mediawiki
DSA-2892	a2ps
DSA-2894	openssh
DSA-2895	prosody
DSA-2895	lua-expat
DSA-2896	openssl
DSA-2897	tomcat7
DSA-2898	imagemagick
DSA-2899	openafs
DSA-2900	jbigkit
DSA-2901	wordpress
DSA-2902	curl
DSA-2903	strongswan
DSA-2904	virtualbox
DSA-2905	chromium-browser
DSA-2908	openssl
DSA-2909	qemu
DSA-2910	qemu-kvm

Removed packages

The following packages were removed due to circumstances beyond our control:

Package	Reason
hlbr	Broken
hlbrw	Depends on to-be-removed hlbr

Debian Installer

The installer has been updated to add support for QNAP HS-210 devices and to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

The current stable distribution:

Proposed updates to the stable distribution:

stable distribution information (release notes, errata etc.):

Security announcements and information:

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.

---

Back to: other Debian news || Debian Project homepage.

---

---