Updated Debian 7: 7.3 released
December 14th, 2013
The Debian project is pleased to announce the third update of its
stable distribution Debian 7 (codename wheezy).
This update mainly adds corrections for security problems to the stable
release, along with a few adjustments for serious problems. Security advisories
were already published separately and are referenced where available.
Please note that this update does not constitute a new version of Debian
7 but only updates some of the packages included. There is
no need to throw away old wheezy CDs or DVDs but only to update
via an up-to-date Debian mirror after an installation, to cause any out of
date packages to be updated.
Those who frequently install updates from security.debian.org won't have to update many packages, and most updates from security.debian.org are included in this update.
New installation media and CD and DVD images containing updated packages will be available soon at the regular locations.
Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
apt | Fix handling of :any in single-arch systems and processing of .debs over 2GB in size |
apt-listbugs | Insecure use of temporary files |
base-files | Update for point release |
bootchart | Fix upgrade path from machines which had lenny's bootchart installed |
darktable | Fix CVE-2013-1438; fix CVE-2013-1439 |
distro-info-data | Add Ubuntu 14.04, Trusty Tahr |
expat | Do not ship pkgconfig files |
fcitx-cloudpinyin | Use Google by default, to replace no longer available previous default |
firebird2.5 | Final 2.5.2 release, bug fixes |
gnome-settings-daemon | Remove no longer required patch which makes syndaemon almost useless |
gtk+3.0 | Load the file icon via a data: URI, to work with librsvg's new origin policy |
iftop | Fix memory leak |
intel-microcode | New upstream update |
kfreebsd-9 | Disable 101_nullfs_vsock.diff |
libdatetime-timezone-perl | New upstream version |
libguestfs | Fix CVE-2013-4419: insecure temporary directory handling for remote guestfish |
libnet-server-perl | Fix use of uninitialized value in pattern match |
libnet-smtp-tls-butmaintained-perl | Fix misuse of IO::Socket::SSL in the SSL_version argument |
librsvg | Fix CVE-2013-1881: disable loading of external entities |
lua-sql | Restore multiarch co-installability |
meep-lam4 | Move /usr/include/meep-lam4 to /usr/include/meep; fixes building against the -dev package |
meep-mpi-default | Move /usr/include/meep-mpi-default to /usr/include/meep; fixes building against the -dev package |
meep-mpich2 | Move /usr/include/meep-mpich2 to /usr/include/meep; fixes building against the -dev package |
meep-openmpi | Move /usr/include/meep-openmpi to /usr/include/meep; fixes building against the -dev package |
multipath-tools | Restore dmsetup export workaround, lost in previous upload |
nagios3 | Stop status.cgi listing unauthorised hosts and services, miscellaneous bug fixes |
nsd3 | Add $network to Required-Start |
openttd | Fix CVE-2013-6411 (DoS) |
postgresql-8.4 | New upstream micro-release |
postgresql-9.1 | New upstream micro-release |
rtkit | Fix access restriction bypass via polkit race condition |
ruby-passenger | Fix CVE-2013-2119 and CVE-2013-4136: insecure tmp files usage |
scikit-learn | Move joblib from Recommends to Depends |
smplayer | Don't append -fontconfig to the command line options for Mplayer2 to prevent crash at startup |
starpu | Remove non-free example material |
starpu-contrib | Remove non-free example material |
tzdata | New upstream release |
usemod-wiki | Update hardcoded cookie expiration date from 2013 to 2025 |
xfce4-weather-plugin | Update weather.com API URI |
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Advisory ID | Package | Correction(s) |
---|---|---|
DSA-2738 | ruby1.9.1 | Multiple issues |
DSA-2769 | kfreebsd-9 | Multiple issues |
DSA-2770 | torque | Authentication bypass |
DSA-2771 | nas | Multiple issues |
DSA-2772 | typo3-src | Cross-site scripting |
DSA-2773 | gnupg | Multiple issues |
DSA-2774 | gnupg2 | Multiple issues |
DSA-2775 | ejabberd | Insecure SSL usage |
DSA-2777 | systemd | Multiple issues |
DSA-2778 | libapache2-mod-fcgid | Heap-based buffer overflow |
DSA-2779 | libxml2 | Denial of service |
DSA-2781 | python-crypto | PRNG not correctly reseeded in some situations |
DSA-2782 | polarssl | Multiple issues |
DSA-2784 | xorg-server | Use-after-free |
DSA-2785 | chromium-browser | Multiple issues |
DSA-2786 | icu | Multiple issues |
DSA-2787 | roundcube | Design error |
DSA-2788 | iceweasel | Multiple issues |
DSA-2789 | strongswan | Denial of service and authorization bypass |
DSA-2790 | nss | Uninitialized memory read |
DSA-2791 | tryton-client | Missing input sanitization |
DSA-2792 | wireshark | Multiple issues |
DSA-2794 | spip | Multiple issues |
DSA-2795 | lighttpd | Multiple issues |
DSA-2796 | torque | Arbitrary code execution |
DSA-2798 | curl | Unchecked SSL certificate host name |
DSA-2799 | chromium-browser | Multiple issues |
DSA-2800 | nss | Buffer overflow |
DSA-2801 | libhttp-body-perl | Design error |
DSA-2802 | nginx | Restriction bypass |
DSA-2803 | quagga | Multiple issues |
DSA-2804 | drupal7 | Multiple issues |
DSA-2805 | sup-mail | Remote command injection |
DSA-2806 | nbd | Privilege escalation |
DSA-2807 | links2 | Integer overflow |
DSA-2808 | openjpeg | Multiple issues |
DSA-2809 | ruby1.8 | Multiple issues |
DSA-2810 | ruby1.9.1 | Heap overflow |
DSA-2811 | chromium-browser | Multiple issues |
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
linky | License problems |
iceweasel-linky | License problems |
Debian Installer
The installer has been rebuilt to include the fixes incorporated into stable by the point release.
URLs
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
stable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.