Updated Debian 7: 7.9 released
September 5th, 2015
The Debian project is pleased to announce the ninth update of its oldstable distribution Debian 7 (codename wheezy).
This update mainly adds corrections for security problems to the oldstable
release, along with a few adjustments for serious problems. Security advisories
were published separately and are referenced where applicable.
Please note that this update does not constitute a new version of Debian 7 but only updates some of the packages included. There is no need to throw away old wheezy CDs or DVDs but only to update via an up-to-date Debian mirror after an installation, to cause any out of date packages to be updated.
Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.
New installation media and CD and DVD images containing updated packages will be available soon at the regular locations.
Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:
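The upgrade procedure above is the usual apt workflow: confirm that sources.list points at the wheezy suite and the security archive, then refresh the package lists and upgrade. The following shell script is an added example, not part of the Debian announcement; the mirror hostname in the constructed sample sources.list is a placeholder assumption and should be replaced with a mirror from the Debian list, and the actual apt-get run is only triggered when RUN_UPGRADE=1 is set so the check can be exercised safely.

```shell
#!/bin/sh
# Added example (not from the Debian announcement): check that a
# sources.list references the wheezy suite and security.debian.org before
# applying the 7.9 point release with apt-get.

# Constructed sample sources.list for a wheezy system. The mirror host is
# an assumed placeholder; use one from Debian's mirror list.
SAMPLE_SOURCES='deb http://ftp.debian.org/debian wheezy main
deb-src http://ftp.debian.org/debian wheezy main
deb http://security.debian.org/ wheezy/updates main'

# wheezy_sources_ok FILE: return 0 when FILE has a "deb <mirror> wheezy ..."
# line and a "deb <security.debian.org> wheezy/updates ..." line, otherwise
# report what is missing on stderr and return 1.
wheezy_sources_ok() {
    f="$1"
    ok=0
    grep -Eq '^deb[[:space:]]+[^[:space:]]+[[:space:]]+wheezy[[:space:]]' "$f" \
        || { echo "no wheezy archive line in $f" >&2; ok=1; }
    grep -Eq '^deb[[:space:]]+https?://security\.debian\.org/?[[:space:]]+wheezy/updates[[:space:]]' "$f" \
        || { echo "no security.debian.org wheezy/updates line in $f" >&2; ok=1; }
    return $ok
}

# point_release_upgrade FILE: run the sources check, then either perform
# the upgrade (RUN_UPGRADE=1, as root) or print the commands it would run.
point_release_upgrade() {
    wheezy_sources_ok "$1" || return 1
    if [ "${RUN_UPGRADE:-0}" = "1" ] && [ "$(id -u)" -eq 0 ]; then
        apt-get update && apt-get upgrade
    else
        echo "would run: apt-get update && apt-get upgrade (as root, RUN_UPGRADE=1)"
    fi
}

# Stand-alone demo against the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SOURCES" > "$tmp"
point_release_upgrade "$tmp"
rm -f "$tmp"
```

The check rejects a sources.list that points at a different suite, which is the mistake that turns a point-release update into an unintended dist-upgrade; on a real system run `point_release_upgrade /etc/apt/sources.list` with RUN_UPGRADE=1 as root.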
Miscellaneous Bugfixes
This oldstable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
amd64-microcode | Update included microcode |
base-files | Update for the point release |
bley | Remove dnsbl.ahbl.org from the default configuration, as it's been shut down |
clamav | New upstream release; fix division by zero and pointer arithmetic overflow in the bundled libmspack |
commons-httpclient | Fix incomplete fix for CVE-2012-6153 issue with CN checking [CVE-2014-3577] |
conky | Declare Breaks+Replaces relationship against conky (<< 1.8.0-1) to fix upgrade path from lenny to squeeze and then wheezy |
debian-installer | Use the result of 'apt-config dump' to determine where to find the system's sources.list |
debian-installer-netboot-images | Rebuild against new debian-installer |
debian-security-support | Add package to Wheezy |
debmirror | Support newContents file location; support HTTPS; add --keyring, --include-field and --exclude-field options |
debootstrap | Add support for Stretch; resolve mount point symlinks relative to the target chroot before unmounting them |
didjvu | Fix insecure temp file use when calling c44 |
exactimage | Fix integer overflow in the ljpeg_start function in dcraw [CVE-2015-3885] |
frogr | Use SSL endpoints for Flickr API; fix crash in gcrypt |
gamera | Fix insecure temp file use [CVE-2014-1937] |
gnome-shell | Fix week number computation |
hp2xx | Fix crashes |
httpcomponents-client | Fix check that the server hostname matches domain name in the subject's CN field [CVE-2012-6153, CVE-2014-3577] |
ikiwiki | Fix XSS in openid selector; backport blogspam plugin from experimental, because the version in wheezy is no longer usable |
intel-microcode | Update included microcode |
ircd-hybrid | Disable SSL3 to mitigate the POODLE attack |
lame | Check for invalid input sample rate and number of channels, avoid malformed wav causing floating point exception, fix check for sample rate ratio being an integer |
lcms | Repack to remove non-free test files and colour profiles; fix DoS [CVE-2013-4160] |
libdatetime-timezone-perl | Update included data |
libdbd-pg-perl | Fix interoperability problem between Wheezy clients and newer PostgreSQL versions |
libfcgi | Avoid stack-smashing by using poll() rather than select() |
libraw | Fix integer overflow in the ljpeg_start function [CVE-2015-3885] |
linux | Update to stable release 3.2.68; drm, agp: Update to 3.4.106; [rt] Update to 3.2.68-rt99 |
linux-ftpd-ssl | Fix segfault when NLST is issued on an empty directory |
maven | Use HTTPS by default when downloading artifacts from the Maven Central repository |
mdbtools | Fix overflow in some memo fields and output of binary data |
mediatomb | Disable user interface by default |
mercurial | Fix errors in handling case-sensitive directories that allow remote code execution on pull [CVE-2014-9390] |
mozilla-noscript | Fix enumeration of scripts on Iceweasel >= 35 |
netcf | Fix ipcalc_netmask; prevent a memory leak when listing interfaces |
open-vm-tools | Handle structure changes in newer kernel releases (d_alias to d_u.d_alias) |
openafs | Fix the kernel module build when d_alias is in the d_u union; fix potential file corruption of mmapped files |
opencv | Update license information for the gpu module |
openvswitch | Fix build of openvswitch-datapath-dkms |
osc | Fix shell injection [CVE-2015-0778] |
partconf | Exclude CD/DVD drives from partition search |
pdf2djvu | Fix insecure temp file use when calling c44 |
pgbouncer | Fix remote crash - invalid packet order causes lookup of NULL pointer [CVE-2015-4054] |
phpbb3 | Fix CSRF vulnerability [CVE-2015-1432] and CSS injection [CVE-2015-1431]; fix possible redirect vulnerability [CVE-2015-3880] |
policyd-weight | Remove use of obsolete rhsbl.ahbl.org RBL; update list of default RBLs in the manpage to match reality |
postgresql-9.1 | New upstream release |
rawtherapee | Fix dcraw input sanitization errors [CVE-2015-3885] |
spamassassin | Remove references to ahbl.org DNSBL, which has ceased operation |
ssl-cert | Use SHA2 for newly generated certificates; set umask to make sure that the generated key is not world-readable for a short timespan while make-ssl-cert runs |
sudo | Recognize lenny and squeeze unmodified sudoers to avoid dpkg questions about modified conffiles on upgrades to wheezy |
tcllib | Fix XSS vulnerability in the html module for <textarea/> elements |
tomcat7 | Fix FTBFS error by making sure SSL unit tests use TLS protocols; re-generate expired test certificates |
tzdata | New upstream release |
unrar-nonfree | Fix a symlink directory traversal vulnerability |
unzip | Fix unzip treating some files as symlinks, a buffer overflow, and a crash in zipinfo |
user-mode-linux | Rebuild against current kernel |
vigor | Use libc's regex routines rather than the bundled ones, to avoid needing to apply security patches independently |
vpim | Build for ruby 1.9 (wheezy's default version) |
wesnoth-1.10 | Security fix: Disallowed inclusion of .pbl files from WML [CVE-2015-5069, CVE-2015-5070] |
wireless-regdb | Update included data |
Security Updates
This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
cia-clients | Useless as cia.vc is gone |
get-iplayer | Broken by content provider changes |
typo3-src | No longer supported |
URLs
The complete lists of packages that have changed with this revision:
The current oldstable distribution:
Proposed updates to the oldstable distribution:
oldstable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.