Updated Debian 7: 7.9 released

September 5th, 2015

The Debian project is pleased to announce the ninth update of its oldstable distribution Debian 7 (codename wheezy). This update mainly adds corrections for security problems to the oldstable release, along with a few adjustments for serious problems. Security advisories were published separately and are referenced where applicable.

Please note that this update does not constitute a new version of Debian 7 but only updates some of the packages included. There is no need to throw away old wheezy CDs or DVDs but only to update via an up-to-date Debian mirror after an installation, to cause any out of date packages to be updated.

Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.

New installation media and CD and DVD images containing updated packages will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following packages:

Package Reason
amd64-microcode Update included microcode
base-files Update for the point release
bley Remove dnsbl.ahbl.org from the default configuration, as it's been shut down
clamav New upstream release; fix division by zero and pointer arithmetic overflow in the bundled libmspack
commons-httpclient Fix incomplete fix for CVE-2012-6153 issue with CN checking [CVE-2014-3577]
conky Declare Breaks+Replaces relationship against conky (<< 1.8.0-1) to fix upgrade path from lenny to squeeze and then wheezy
debian-installer Use the result of 'apt-config dump' to determine where to find the system's sources.list
debian-installer-netboot-images Rebuild against new debian-installer
debian-security-support Add package to Wheezy
debmirror Support new Contents file location; support HTTPS; add --keyring, --include-field and --exclude-field options
debootstrap Add support for Stretch; resolve mount point symlinks relative to the target chroot before unmounting them
didjvu Fix insecure temp file use when calling c44
exactimage Fix integer overflow in the ljpeg_start function in dcraw [CVE-2015-3885]
frogr Use SSL endpoints for Flickr API; fix crash in gcrypt
gamera Fix insecure temp file use [CVE-2014-1937]
gnome-shell Fix week number computation
hp2xx Fix crashes
httpcomponents-client Fix check that the server hostname matches domain name in the subject's CN field [CVE-2012-6153, CVE-2014-3577]
ikiwiki Fix XSS in openid selector; backport blogspam plugin from experimental, because the version in wheezy is no longer usable
intel-microcode Update included microcode
ircd-hybrid Disable SSL3 to mitigate against the POODLE attack
lame Check for invalid input sample rate and number of channels, avoid malformed wav causing floating point exception, fix check for sample rate ratio being an integer
lcms Repack to remove non-free test files and colour profiles; fix DoS [CVE-2013-4160]
libdatetime-timezone-perl Update included data
libdbd-pg-perl Fix interoperability problem between Wheezy clients and newer PostgreSQL versions
libfcgi Avoid stack-smashing by using poll() rather than select()
libraw Fix integer overflow in the ljpeg_start function [CVE-2015-3885]
linux Update to stable release 3.2.68; drm, agp: Update to 3.4.106; [rt] Update to 3.2.68-rt99
linux-ftpd-ssl Fix NLST of empty directory results in segfault
maven Use HTTPS by default when downloading artifacts from the Maven Central repository
mdbtools Fix overflow in some memo fields and output of binary data
mediatomb Disable user interface by default
mercurial Fix errors in handling case-sensitive directories allow for remote code execution on pull [CVE-2014-9390]
mozilla-noscript Fix enumeration of scripts on Iceweasel >= 35
netcf Fix ipcalc_netmask; prevent a memory leak when listing interfaces
open-vm-tools Handle structure changes in newer kernel releases (d_alias to d_u.d_alias)
openafs Fix the kernel module build when d_alias is in the d_u union; fix potential file corruption of mmapped files
opencv Update license information for the gpu module
openvswitch Fix build of openvswitch-datapath-dkms
osc Fix shell injection [CVE-2015-0778]
partconf Exclude CD/DVD drives from partition search
pdf2djvu Fix insecure temp file use when calling c44
pgbouncer Fix remote crash - invalid packet order causes lookup of NULL pointer [CVE-2015-4054]
phpbb3 Fix CSRF vulnerability [CVE-2015-1432] and CSS injection [CVE-2015-1431]; fix possible redirect vulnerability [CVE-2015-3880]
policyd-weight Remove use of obsolete rhsbl.ahbl.org RBL; update list of default RBLs in the manpage to match reality
postgresql-9.1 New upstream release
rawtherapee Fix dcraw imput sanitization errors [CVE-2015-3885]
spamassassin Remove references to ahbl.org DNSBL, which has ceased operation
ssl-cert Use SHA2 for newly generated certificates; set umask to make sure that the generated key is not world-readable for a short timespan while make-ssl-cert runs
sudo Recognize lenny and squeeze unmodified sudoers to avoid dpkg questions about modified conffiles on upgrades to wheezy
tcllib Fix XSS vulnerability in the html module for <textarea/> elements
tomcat7 Fix FTBFS error by making sure SSL unit tests use TLS protocols; re-generate expired test certificates
tzdata New upstream release
unrar-nonfree Fix a symlink directory traversal vulnerability
unzip Fix unzip thinks some files are symlinks, buffer overflow and crash in zipinfo
user-mode-linux Rebuild against current kernel
vigor Use libc's regex routines rather than the bundled ones, to avoid needing to apply security patches independently
vpim Build for ruby 1.9 (wheezy's default version)
wesnoth-1.10 Security fix: Disallowed inclusion of .pbl files from WML [CVE-2015-5069, CVE-2015-5070]
wireless-regdb Update included data

Security Updates

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package
DSA-2978 libxml2
DSA-3057 libxml2
DSA-3076 wireshark
DSA-3118 strongswan
DSA-3119 libevent
DSA-3120 mantis
DSA-3121 file
DSA-3122 curl
DSA-3123 binutils
DSA-3123 binutils-mingw-w64
DSA-3124 otrs2
DSA-3125 openssl
DSA-3126 php5
DSA-3127 iceweasel
DSA-3128 linux
DSA-3129 rpm
DSA-3130 lsyncd
DSA-3131 xdg-utils
DSA-3133 privoxy
DSA-3134 sympa
DSA-3135 mysql-5.5
DSA-3136 polarssl
DSA-3137 websvn
DSA-3138 jasper
DSA-3139 squid
DSA-3140 xen
DSA-3141 wireshark
DSA-3142 eglibc
DSA-3143 virtualbox
DSA-3145 privoxy
DSA-3146 requests
DSA-3149 condor
DSA-3150 vlc
DSA-3151 python-django
DSA-3152 unzip
DSA-3153 krb5
DSA-3154 ntp
DSA-3155 postgresql-9.1
DSA-3156 vlc
DSA-3156 mplayer
DSA-3156 liblivemedia
DSA-3158 unrtf
DSA-3159 ruby1.8
DSA-3160 xorg-server
DSA-3161 dbus
DSA-3162 bind9
DSA-3164 typo3-src
DSA-3165 xdg-utils
DSA-3166 e2fsprogs
DSA-3167 sudo
DSA-3168 ruby-redcloth
DSA-3169 eglibc
DSA-3170 linux
DSA-3171 samba
DSA-3172 cups
DSA-3174 iceweasel
DSA-3176 request-tracker4
DSA-3177 mod-gnutls
DSA-3178 unace
DSA-3180 libarchive
DSA-3181 xen
DSA-3182 libssh2
DSA-3183 movabletype-opensource
DSA-3184 gnupg
DSA-3185 libgcrypt11
DSA-3186 nss
DSA-3187 icu
DSA-3188 freetype
DSA-3189 libav
DSA-3190 putty
DSA-3191 gnutls26
DSA-3192 checkpw
DSA-3193 tcpdump
DSA-3194 libxfont
DSA-3195 php5
DSA-3196 file
DSA-3197 openssl
DSA-3198 php5
DSA-3199 xerces-c
DSA-3200 drupal7
DSA-3201 iceweasel
DSA-3202 mono
DSA-3203 tor
DSA-3204 python-django
DSA-3205 batik
DSA-3206 dulwich
DSA-3207 shibboleth-sp2
DSA-3208 freexl
DSA-3209 openldap
DSA-3210 wireshark
DSA-3211 iceweasel
DSA-3213 arj
DSA-3214 mailman
DSA-3215 libgd2
DSA-3216 tor
DSA-3217 dpkg
DSA-3218 wesnoth-1.10
DSA-3220 libtasn1-3
DSA-3221 das-watchdog
DSA-3222 chrony
DSA-3223 ntp
DSA-3224 libxrender
DSA-3224 libx11
DSA-3225 gst-plugins-bad0.10
DSA-3226 inspircd
DSA-3227 movabletype-opensource
DSA-3228 ppp
DSA-3229 mysql-5.5
DSA-3230 django-markupfield
DSA-3231 subversion
DSA-3232 curl
DSA-3233 wpa
DSA-3237 linux
DSA-3243 libxml-libxml-perl
DSA-3245 ruby1.8
DSA-3248 libphp-snoopy
DSA-3249 jqueryui
DSA-3250 wordpress
DSA-3251 dnsmasq
DSA-3252 sqlite3
DSA-3253 pound
DSA-3257 mercurial
DSA-3259 qemu
DSA-3259 qemu-kvm
DSA-3260 iceweasel
DSA-3261 libtest-signature-perl
DSA-3261 libmodule-signature-perl
DSA-3262 xen
DSA-3263 proftpd-dfsg
DSA-3265 zendframework
DSA-3266 fuse
DSA-3268 ntfs-3g
DSA-3269 postgresql-9.1
DSA-3271 nbd
DSA-3272 ipsec-tools
DSA-3273 tiff
DSA-3274 virtualbox
DSA-3277 wireshark
DSA-3278 libapache-mod-jk
DSA-3280 php5
DSA-3282 strongswan
DSA-3283 cups
DSA-3284 qemu
DSA-3285 qemu-kvm
DSA-3286 xen
DSA-3287 openssl
DSA-3289 p7zip
DSA-3290 linux
DSA-3291 drupal7
DSA-3295 cacti
DSA-3296 libcrypto++
DSA-3297 unattended-upgrades
DSA-3298 jackrabbit
DSA-3300 iceweasel
DSA-3302 libwmf
DSA-3303 cups-filters
DSA-3304 bind9
DSA-3305 python-django
DSA-3308 mysql-5.5
DSA-3309 tidy
DSA-3310 freexl
DSA-3312 cacti
DSA-3318 expat
DSA-3319 bind9
DSA-3320 openafs
DSA-3321 opensaml2
DSA-3321 xmltooling
DSA-3322 ruby-rack
DSA-3323 icu
DSA-3325 apache2
DSA-3326 ghostscript
DSA-3327 squid3
DSA-3329 linux
DSA-3330 activemq
DSA-3331 subversion
DSA-3333 iceweasel
DSA-3335 request-tracker4
DSA-3336 nss
DSA-3337 gdk-pixbuf
DSA-3338 python-django
DSA-3340 zendframework
DSA-3341 conntrack
DSA-3344 php5
DSA-3345 iceweasel

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason
cia-clients Useless as cia.vc is gone
get-iplayer Broken by content provider changes
typo3-src No longer supported

URLs

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/wheezy/ChangeLog

The current oldstable distribution:

http://ftp.debian.org/debian/dists/oldstable/

Proposed updates to the oldstable distribution:

http://ftp.debian.org/debian/dists/oldstable-proposed-updates

oldstable distribution information (release notes, errata etc.):

https://www.debian.org/releases/oldstable/

Security announcements and information:

https://www.debian.org/security/

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.