Chapter 5. Issues to be aware of for wheezy

A feature in the cryptography libraries used in the LDAP libraries causes programs that use LDAP and attempt to change their effective privileges to fail when connecting to an LDAP server using TLS or SSL. This can cause problems for setuid programs on systems using libnss-ldap like sudo, su or schroot and for setuid programs that perform LDAP searches like sudo-ldap.

It is recommended to replace the libnss-ldap package with libnss-ldapd, a newer library which uses a separate daemon (nslcd) for all LDAP lookups. The replacement for libpam-ldap is libpam-ldapd.

Note that libnss-ldapd recommends the NSS caching daemon (nscd) which you should evaluate for suitability in your environment before installing. As an alternative to nscd you can consider unscd.

Further information is available in bugs #566351 and #545414.

Debian 7.0 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and partial lack of upstream support in the form of long term branches make it very difficult to support these browsers with backported security fixes. Additionally, library interdependencies make it impossible to update to newer upstream releases. Therefore, browsers built upon the webkit, qtwebkit and khtml engines are included in Wheezy, but not covered by security support. These browsers should not be used against untrusted websites.

For general web browser use we recommend browsers building on the Mozilla xulrunner engine (Iceweasel and Iceape) or Chromium.

Xulrunner has had a history of good backportability for older releases over the previous release cycles. Chromium - while built upon the Webkit codebase - is a leaf package, which will be kept up-to-date by rebuilding the current Chromium releases for stable.

ConsoleKit in Debian 7.0 does not consider sessions started using startx or display managers lacking consolekit integration (e.g. xdm or slim) as local, which might prevent access to some devices.

We recommend using one of gdm3, kdm or lightdm instead.

By default, some accessibility tools are not enabled in the GNOME display manager (gdm3). The simplest way to enable zooming or a visual keyboard is to activate the “shell” greeter.

To do that, edit the /etc/gdm3/greeter.gsettings file, and uncomment the following:

session-name='gdm-shell'

while commenting

session-name='gdm-fallback'

Note that it requires a compatible 3D graphics card — which is the reason why it is not enabled by default.

The knetworkmanager package has been deprecated, and replaced by plasma-widget-networkmanagement in the new KDE Plasma Workspace.

If you are using the deprecated knetworkmanager standalone application, you should be prepared to do some manual configuration after the upgrade. You might need to manually add plasma-widget-networkmanagement to your panel or desktop.

Also, if the network connection shouldn't depend on having a network-manager widget running, you might want to set it as a “system connection”.

NetworkManager can detect if a network interface is managed by ifupdown in order to avoid conflicts, but is not able to do so with other network management programs such as wicd-daemon. Problems and unexpected behavior can result if two such daemons are managing the same interface when attempting to make a network connection.

For instance, if wicd-daemon and NetworkManager are both running, attempting to use a wicd client to make a connection will fail with the error message:

Connection Failed: bad password

Attempting to use a NetworkManager client may likewise fail with the message:

NetworkManager is not running.  Please start it.

It is recommended that users of GNOME consider installing and trying NetworkManager, but the NetworkManager daemon may be permanently disabled if desired using the following command:

# update-rc.d network-manager disable

After disabling the daemon, it is recommended to examine the contents of /etc/resolv.conf. This file is used to specify DNS servers for name resolution and the contents of this file may have been replaced by NetworkManager.

suidperl was removed upstream with 5.12, so the perl-suid package which used to be distributed in Debian has been removed too. Possible alternatives include using a simple setuid C wrapper to execute a Perl script from a hard-coded location, or using a more general tool like sudo.

If you have request-tracker3.8 installed on your squeeze system, note that this package has been removed from wheezy, to be replaced by request-tracker4. Some manual steps are required to upgrade between request-tracker3.8 and request-tracker4: please install request-tracker4 alongside your existing request-tracker3.8 installation and consult the installation/upgrade notes in /usr/share/doc/request-tracker4/README.Debian.gz (section: “Upgrading from request-tracker3.8 to request-tracker4”).

The same advice applies if you have request-tracker3.6 or older packages from previous Debian releases still in use; if this is the case it is recommended to upgrade step by step, following the appropriate upgrade documents.

bootlogd has moved from sysvinit-utils to a separate bootlogd package. If you wish to continue using bootlogd, you need to install the bootlogd package. Note that the configuration file /etc/default/bootlogd and its option BOOTLOGD_ENABLE no longer exist; if you do not wish to run bootlogd, remove the bootlogd package.

The file /etc/mtab, used to store the list of currently mounted filesystems, has been changed to be a symbolic link to /proc/mounts. For almost every case, this change will result in a more robust system since the list can never become inconsistent with reality. However, if you use the _netdev option in /etc/fstab to indicate that a filesystem is a network filesystem requiring special handling, this will no longer be set in /proc/mounts after rebooting. This will not cause problems for standard network filesystems such as NFS, which do not rely on the _netdev option. Filesystems which are unaffected by this issue are ceph, cifs, coda, gfs, ncp, ncpfs, nfs, nfs4, ocfs2 and smbfs. For filesystems which do rely on _netdev for correct unmounting at shutdown, for example when using an NBD, a static mtab will be the only way to use _netdev in wheezy. If you have such a setup, then after completing the upgrade to wheezy restore a static /etc/mtab by doing the following:

The Public Domain Korn Shell (pdksh) package is being retired for the release after wheezy, since pdksh is no longer maintained (it has not been actively developed since 1999).

The MirBSD Korn Shell (mksh) package contains its successor; it has evolved from the Public Domain Korn Shell and has been kept up to date with the POSIX standard on the shell. In Debian wheezy, pdksh is a transitional package using lksh, a variant of mksh built with special compatibility options to provide a pdksh binary symlink. This compatibility binary behaves more like the traditional Public Domain Korn Shell than the current mksh. However as it contains behavior-changing bugfixes it is not a pure drop-in replacement. So, you're advised to change your

#!/bin/pdksh

scripts to

#!/bin/mksh

and test them. If the test fails, you're advised to fix your scripts. If, for some reason, this is not possible, you can change them to

#!/bin/lksh

scripts, and test them again. This test has more chances of succeeding without changing a lot of your code. However, be aware at some point in the future the transitional package will get dropped from Debian.

The compatibility binary is not suitable for interactive use, so as system administrator, adjust the login shell of your Korn Shell users. For minimal service interruption, do this before the upgrade of the O.S.: manually install the mksh package and change the login and/or interactive shells of users that use pdksh to mksh. Furthermore, you're encouraged to copy /etc/skel/.mkshrc into their home directories: this provides some shell functions like pushd, popd and dirs and a nice

PS1

(shell prompt).

When upgrading a Puppet managed system from squeeze to wheezy, you must ensure that the corresponding puppetmaster runs at least Puppet version 2.7. If the master is running squeeze's puppetmaster, the managed wheezy system will not be able to connect to it.

Such a combination will lead to the following error message during a puppet agent run:

Could not retrieve catalog from remote server: Error 400 on SERVER: No support for http method POST

In order to resolve this issue the puppetmaster must be upgraded. A 2.7 master is able to manage a 2.6 client system.

The introduction of multiarch (as described in Section 2.2.2, “Multiarch”) changes the paths for some files, which may break assumptions made by toolchain components. Debian's toolchain has been updated, but users trying to build or use external compilers might need to be aware of this.

Some hints to work around these issues can be found in /usr/share/doc/libc6/NEWS.Debian.gz and in bugreport #637232.

Configuration of SQL engine backends for Cyrus SASL, as provided in the libsasl2-modules-sql package, has changed from database specific configuration (e.g. mysql) to the generic sql auxprop plugin.

Configuration files for applications using SASL have to be updated, for example:

auxprop_plugin: mysql

should be replaced by:

auxprop_plugin: sql
sql_engine: mysql

In addition, the SQL query (if used) needs to have %u replaced with %u@%r, because user and realm are now provided separately.

Some hardware drivers, including drivers for (wired or wireless) network cards, as well as the driver for ATI/AMD graphics chipsets, require loadable firmware in order to operate properly.

That firmware is often not free software, and as such only available from the non-free archive, in the firmware-linux and other packages.