Debian GNU/Linux 5.0 updated
June 27th, 2009
The Debian project is pleased to announce the second update of its stable
distribution Debian GNU/Linux 5.0 (codename "lenny"). This update mainly
adds corrections for security problems to the stable release, along with
a few adjustments to serious problems.
Please note that this update does not constitute a new version of Debian GNU/Linux 5.0 but only updates some of the packages included. There is no need to throw away 5.0 CDs or DVDs; after an installation, updating via an up-to-date Debian mirror will cause any out-of-date packages to be updated.
Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.
New CD and DVD images containing updated packages and the regular installation media accompanied with the package archive respectively will be available soon at the regular locations.
Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
apr-util | Fix information disclosure (CVE-2009-1956) |
asciidoc | Replace fop with dblatex |
backuppc | Fix permissions of CGI script and ht* files |
base-files | Bump version to 5.0.2 |
bind9 | Fix DNSSEC lookaside validation failing to handle unknown algorithms |
cdebconf | Optimize screen usage in newt frontend |
choose-mirror | Make preseeding of oldstable possible |
glib2.0 | Fix crashes in gvfs |
gnupg | Fix memory leak and cleanup terminal attributes on interrupt |
hobbit | Create /var/run/hobbit if missing |
installation-guide | New sections on accessibility support |
iodine | Fix segfault when 5.x client connects |
jd | Fix posting comments |
kfreebsd-7 | Fix several vulnerabilities |
libapache2-authcassimple-perl | Fix POST request handling |
libaqbanking | Fix segfault in qt3-wizard |
libnet-rawip-perl | Fix segmentation fault |
libxcb | Fix important performance issues |
linux-2.6 | Several fixes |
linux-kernel-di-alpha-2.6 | Rebuild against latest kernel |
linux-kernel-di-amd64-2.6 | Rebuild against latest kernel |
linux-kernel-di-arm-2.6 | Rebuild against latest kernel |
linux-kernel-di-armel-2.6 | Rebuild against latest kernel |
linux-kernel-di-hppa-2.6 | Rebuild against latest kernel |
linux-kernel-di-i386-2.6 | Rebuild against latest kernel |
linux-kernel-di-ia64-2.6 | Rebuild against latest kernel |
linux-kernel-di-mips-2.6 | Rebuild against latest kernel |
linux-kernel-di-mipsel-2.6 | Rebuild against latest kernel |
linux-kernel-di-powerpc-2.6 | Rebuild against latest kernel |
linux-kernel-di-s390-2.6 | Rebuild against latest kernel |
linux-kernel-di-sparc-2.6 | Rebuild against latest kernel |
live-initramfs | Better support for persistent mode |
live-magic | Fix handling of /etc/debian_version |
mdadm | Fix stability issues |
mt-daapd | Add musepack to transcoding list |
nagios3 | Fix nagios3-common's prerm script |
nss | Fix alignment issues on sparc and ia64 |
onak | Always open db read/write |
pango1.0 | Fix arbitrary code execution |
pidgin-otr | Sourceful upload with bumped version number to fix a collision with a binNMU |
poppler | Fix several vulnerabilities |
pygobject | Fix inconsistent use of tabs and spaces in indentation |
samba | Fix memory leak, winbind crashes and Win2000 SP4 joining issues |
screen | Fix symlink attack |
slime | Remove non-free xref.lisp |
smstools | Fix modem timeouts |
solr | Fix simultaneous installation of tomcat5.5 with solr-tomcat5.5 |
sound-juicer | Fix a crash on invocation of the preferences dialog |
system-config-printer | New Romanian translation |
system-tools-backends | Fix limiting effective password length to 8 characters (CVE-2008-6792) and handle new format of /etc/debian_version |
tzdata | New timezone information |
user-mode-linux | Several fixes |
xorg | Default to fbdev driver on sparc |
xorg-server | Fix wakeup storm in idletime xsync counter |
New version of the debian-installer
The debian-installer has been updated to allow the installation of the
previous stable release (Debian 4.0 "etch") and to include an updated
cdebconf package which resolves several issues with installation menu
rendering using the newt frontend, including:
- explanatory text overlapping with the input box due to a height miscalculation
- overlapping of the "Go Back" button and the select list on certain screens
- suboptimal screen usage, particularly affecting debian-edu installations
The installer has been rebuilt to use the updated kernel packages included in this point release, resolving issues with installation on s390 G5 systems and IBM summit-based i386 systems.
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Advisory ID | Package | Correction(s) |
---|---|---|
DSA-1761 | moodle | File disclosure |
DSA-1762 | icu | Cross-site scripting |
DSA-1763 | openssl | Denial of service |
DSA-1764 | tunapie | Several vulnerabilities |
DSA-1766 | krb5 | Several vulnerabilities |
DSA-1767 | multipath-tools | Denial of service |
DSA-1768 | openafs | Potential code execution |
DSA-1771 | clamav | Several vulnerabilities |
DSA-1772 | udev | Critical privilege escalation |
DSA-1773 | cups | Arbitrary code execution |
DSA-1774 | ejabberd | Cross-site scripting |
DSA-1776 | slurm-llnl | Privilege escalation |
DSA-1777 | git-core | Privilege escalation |
DSA-1778 | mahara | Cross-site scripting |
DSA-1779 | apt | Several vulnerabilities |
DSA-1781 | ffmpeg-debian | Arbitrary code execution |
DSA-1783 | mysql-dfsg-5.0 | Several vulnerabilities |
DSA-1784 | freetype | Arbitrary code execution |
DSA-1785 | wireshark | Several vulnerabilities |
DSA-1786 | acpid | Denial of service |
DSA-1788 | quagga | Denial of service |
DSA-1789 | php5 | Several vulnerabilities |
DSA-1790 | xpdf | Multiple vulnerabilities |
DSA-1791 | moin | Cross-site scripting |
DSA-1792 | drupal6 | Multiple vulnerabilities |
DSA-1793 | kdegraphics | Multiple vulnerabilities |
DSA-1795 | ldns | Arbitrary code execution |
DSA-1797 | xulrunner | Multiple vulnerabilities |
DSA-1798 | pango1.0 | Arbitrary code execution |
DSA-1799 | qemu | Several vulnerabilities |
DSA-1800 | linux-2.6 | Several vulnerabilities |
DSA-1800 | user-mode-linux | Several vulnerabilities |
DSA-1801 | ntp | Several vulnerabilities |
DSA-1802 | squirrelmail | Several vulnerabilities |
DSA-1803 | nsd | Denial of service |
DSA-1803 | nsd3 | Denial of service |
DSA-1804 | ipsec-tools | Denial of service |
DSA-1805 | pidgin | Several vulnerabilities |
DSA-1806 | cscope | Arbitrary code execution |
DSA-1807 | cyrus-sasl2 | Arbitrary code execution |
DSA-1807 | cyrus-sasl2-heimdal | Arbitrary code execution |
DSA-1808 | drupal6 | Insufficient input sanitising |
DSA-1809 | linux-2.6 | Several vulnerabilities |
DSA-1809 | user-mode-linux | Several vulnerabilities |
DSA-1810 | libapache-mod-jk | Information disclosure |
DSA-1811 | cups | Denial of service |
DSA-1812 | apr-util | Several vulnerabilities |
DSA-1813 | evolution-data-server | Several vulnerabilities |
DSA-1814 | libsndfile | Arbitrary code execution |
DSA-1815 | libtorrent-rasterbar | Denial of service |
DSA-1817 | ctorrent | Arbitrary code execution |
DSA-1818 | gforge | Insufficient input sanitising |
DSA-1820 | xulrunner | Several vulnerabilities |
DSA-1821 | amule | Insufficient input sanitising |
DSA-1822 | mahara | Cross-site scripting |
DSA-1823 | samba | Several vulnerabilities |
DSA-1824 | phpmyadmin | Several vulnerabilities |
URLs
The complete lists of packages that have changed with this release:
The current stable distribution:
Proposed updates to the stable distribution:
Stable distribution information (release notes, errata, etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian GNU/Linux.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.