Updated Debian 7: 7.6 released

July 12th, 2014

The Debian project is pleased to announce the sixth update of its stable distribution Debian 7 (codename wheezy). This update mainly adds corrections for security problems to the stable release, along with a few adjustments for serious problems. Security advisories were already published separately and are referenced where available.

Please note that this update does not constitute a new version of Debian 7 but only updates some of the packages included. There is no need to throw away old wheezy CDs or DVDs; after an installation, updating against an up-to-date Debian mirror will cause any out-of-date packages to be updated.

Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.

New installation media and CD and DVD images containing updated packages will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:

http://www.debian.org/mirror/list

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

| Package | Reason |
|---|---|
| apache2 | Support ECC keys and ECDH ciphers; mod_proxy: fix crashes under load; mod_dav: fix potential DoS [CVE-2013-6438]; mod_log_config: fix cookie logging |
| apt-cacher-ng | Fix cross-site scripting via 403 responses [CVE-2014-4510] |
| automake1.9-nonfree | Add empty prerm to ensure a clean upgrade path in case of install-info removal |
| base-files | Update for the point release |
| catfish | Fix regression from previous security update |
| clamav | New upstream release; fix a crash while using clamscan |
| cmus | Fix build failure related to the libmodplug upgrade in DSA 2751 |
| cups | Fix XSS in the CUPS web interface; fix syntax errors in Hungarian templates |
| cyrus-imapd-2.4 | Fix missing GUID for binary appends; fix broken nntpd |
| dbus | Fix denial of service [CVE-2014-3477] |
| duo-unix | Update upstream HTTPS certificates; improve support for SHA2 in HTTPS |
| eglibc | Fix issues which could break dynamic linker on biarch systems; fix regression in IPv6 name resolution; fix February month name in de_AT locale; fix backtrace() on mips; fix nl_langinfo() when used in static binaries |
| elib | Rebuild with current debhelper |
| firebug | Take over xul-ext-firecookie, as firebug now provides all its functionality; remove copyrighted ICC profile |
| hdf5 | Rebuild against current wheezy gfortran |
| intel-microcode | Updated microcode; new upstream release |
| ldns | Fix default permissions on private DNSKEYs generated by ldns-keygen [CVE-2014-3209] |
| libdatetime-timezone-perl | New upstream release |
| libdbi-perl | Remove dependency on to-be-removed libplrpc-perl |
| libflickr-api-perl | Update URLs in line with upstream changes |
| libjpeg6b | Fix memory disclosure vulnerabilities [CVE-2013-6629 CVE-2013-6630] |
| libjpeg8 | Fix memory disclosure vulnerabilities [CVE-2013-6629 CVE-2013-6630] |
| libopenobex | Fix segfault when transferring files |
| maitreya | Replace font to avoid copyright issues |
| mobile-broadband-provider-info | Update included data |
| nostalgy | Add support for newer icedove versions |
| openchange | Remove packages which depend on previously removed samba4 packages |
| openssh | Restore patch to disable OpenSSL version check |
| openssl | Don't prefer ECDHE_ECDSA with some Safari versions; actually restart the services when restart-without-asking is set |
| policyd-weight | Fix infinite loop if resolver only reachable via IPv6 |
| proftpd-mod-geoip | Remove useless and buggy proftpd-mod-geoip.postrm script |
| py3dns | Fix timeouts associated with only one of several available nameservers being unavailable; correctly deal with source port already in use errors |
| pydap | Add dap to namespace_packages in setup.py |
| quassel | Fix certificate permissions |
| scheme48 | Fix insecure use of temporary file [CVE-2014-4150] |
| sieve-extension | Add support for newer icedove versions |
| sks | Fix cross-site scripting [CVE-2014-3207]; improve Berkeley DB upgrade handling |
| squid3 | Fix sporadic assertion failure under high load |
| suds | Fix insecure creation of cache paths |
| tor | New upstream release |
| tzdata | New upstream release |
| unbound | Fix crash when using DNSSEC and num-threads > 1 |
| win32-loader | Update embedded dependencies |
| wireless-regdb | Update data |
| xmms2 | Fix build failure related to the libmodplug upgrade in DSA 2751 |

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

| Advisory ID | Package |
|---|---|
| DSA-2808 | openjpeg |
| DSA-2913 | drupal7 |
| DSA-2915 | dpkg |
| DSA-2916 | libmms |
| DSA-2917 | super |
| DSA-2919 | mysql-5.5 |
| DSA-2920 | chromium-browser |
| DSA-2921 | xbuffy |
| DSA-2922 | strongswan |
| DSA-2925 | rxvt-unicode |
| DSA-2927 | libxfont |
| DSA-2929 | ruby-actionpack-3.2 |
| DSA-2930 | chromium-browser |
| DSA-2931 | openssl |
| DSA-2932 | qemu |
| DSA-2933 | qemu-kvm |
| DSA-2934 | python-django |
| DSA-2935 | libgadu |
| DSA-2936 | torque |
| DSA-2937 | mod-wsgi |
| DSA-2939 | chromium-browser |
| DSA-2941 | lxml |
| DSA-2942 | typo3-src |
| DSA-2943 | php5 |
| DSA-2944 | gnutls26 |
| DSA-2945 | chkrootkit |
| DSA-2946 | python-gnupg |
| DSA-2947 | libav |
| DSA-2948 | python-bottle |
| DSA-2949 | linux |
| DSA-2950 | openssl |
| DSA-2951 | mupdf |
| DSA-2952 | kfreebsd-9 |
| DSA-2953 | dpkg |
| DSA-2954 | dovecot |
| DSA-2956 | icinga |
| DSA-2957 | mediawiki |
| DSA-2958 | apt |
| DSA-2959 | chromium-browser |
| DSA-2961 | php5 |
| DSA-2962 | nspr |
| DSA-2963 | lucene-solr |
| DSA-2964 | iodine |
| DSA-2965 | tiff |
| DSA-2966 | samba |
| DSA-2967 | gnupg |
| DSA-2968 | gnupg2 |
| DSA-2969 | libemail-address-perl |
| DSA-2970 | cacti |
| DSA-2971 | dbus |
| DSA-2972 | linux |

Removed packages

The following packages were removed due to circumstances beyond our control:

| Package | Reason |
|---|---|
| whatsnewfm | Obsolete as freecode.com no longer accepting submissions |
| libplrpc-perl | Security issues |
| firecookie | Obsolete; superseded by firebug |
| freecode-submit | Obsolete as freecode.com no longer accepting submissions |

URLs

The complete list of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/wheezy/ChangeLog

The current stable distribution:

http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates

Stable distribution information (release notes, errata etc.):

http://www.debian.org/releases/stable/

Security announcements and information:

http://security.debian.org/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at http://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.