Sometimes, changes introduced in a new release have side-effects we cannot reasonably avoid, or they expose bugs somewhere else. This section documents issues we are aware of. Please also read the errata, the relevant packages' documentation, bug reports and other information mentioned in Section 6.1, “Further reading”.
A feature in the cryptography libraries used in the LDAP libraries causes programs that use LDAP and attempt to change their effective privileges to fail when connecting to an LDAP server using TLS or SSL. This can cause problems for setuid programs on systems using libnss-ldap like sudo, su or schroot and for setuid programs that perform LDAP searches like sudo-ldap.
It is recommended to replace the libnss-ldap package with libnss-ldapd, a newer library which uses a separate daemon (nslcd) for all LDAP lookups. The replacement for libpam-ldap is libpam-ldapd.
Note that libnss-ldapd recommends the NSS caching daemon (nscd) which you should evaluate for suitability in your environment before installing. As an alternative to nscd you can consider unscd.
Further information is available in bugs #566351 and #545414.
Debian 7.0 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and partial lack of upstream support in the form of long term branches make it very difficult to support these browsers with backported security fixes. Additionally, library interdependencies make it impossible to update to newer upstream releases. Therefore, browsers built upon the webkit, qtwebkit and khtml engines are included in Wheezy, but not covered by security support. These browsers should not be used against untrusted websites.
For general web browser use we recommend browsers building on the Mozilla xulrunner engine (Iceweasel and Iceape) or Chromium.
Xulrunner has had a history of good backportability for older releases over the previous release cycles. Chromium - while built upon the Webkit codebase - is a leaf package, which will be kept up-to-date by rebuilding the current Chromium releases for stable.
ConsoleKit in Debian 7.0 does not consider sessions started using startx or display managers lacking consolekit integration (e.g. xdm or slim) as local, which might prevent access to some devices.
By default, some accessibility tools are not enabled in the GNOME display manager (gdm3). The simplest way to enable zooming or a visual keyboard is to activate the “shell” greeter.
To do that, edit the /etc/gdm3/greeter.gsettings file, and uncomment the following:
session-name='gdm-shell'
while commenting
session-name='gdm-fallback'
Note that it requires a compatible 3D graphics card — which is the reason why it is not enabled by default.
The knetworkmanager package has been deprecated, and replaced by plasma-widget-networkmanagement in the new KDE Plasma Workspace.
If you are using the deprecated knetworkmanager standalone application, you should be prepared to do some manual configuration after the upgrade. You might need to manually add plasma-widget-networkmanagement to your panel or desktop.
Also, if the network connection shouldn't depend on having a network-manager widget running, you might want to set it as a “system connection”.
NetworkManager can detect if a network interface is managed by ifupdown in order to avoid conflicts, but is not able to do so with other network management programs such as wicd-daemon. Problems and unexpected behavior can result if two such daemons are managing the same interface when attempting to make a network connection.
For instance, if wicd-daemon and NetworkManager are both running, attempting to use a wicd client to make a connection will fail with the error message:
Connection Failed: bad password
Attempting to use a NetworkManager client may likewise fail with the message:
NetworkManager is not running. Please start it.
It is recommended that users of GNOME consider installing and trying NetworkManager, but the NetworkManager daemon may be permanently disabled if desired using the following command:
# update-rc.d network-manager disable
After disabling the daemon, it is recommended to examine the contents of /etc/resolv.conf. This file is used to specify DNS servers for name resolution and the contents of this file may have been replaced by NetworkManager.
suidperl was removed upstream with 5.12, so the perl-suid package which used to be distributed in Debian has been removed too. Possible alternatives include using a simple setuid C wrapper to execute a Perl script from a hard-coded location, or using a more general tool like sudo.
If you have request-tracker3.8 installed on your squeeze system, note that this package has been removed from wheezy, to be replaced by request-tracker4. Some manual steps are required to upgrade between request-tracker3.8 and request-tracker4: please install request-tracker4 alongside your existing request-tracker3.8 installation and consult the installation/upgrade notes in /usr/share/doc/request-tracker4/README.Debian.gz (section: “Upgrading from request-tracker3.8 to request-tracker4”).
The same advice applies if you have request-tracker3.6 or older packages from previous Debian releases still in use; if this is the case it is recommended to upgrade step by step, following the appropriate upgrade documents.
bootlogd has moved from sysvinit-utils to a separate bootlogd package. If you wish to continue using bootlogd, you need to install the bootlogd package. Note that the configuration file /etc/default/bootlogd and its option BOOTLOGD_ENABLE no longer exist; if you do not wish to run bootlogd, remove the bootlogd package.
The file /etc/mtab, used to store the list of currently mounted filesystems, has been changed to be a symbolic link to /proc/mounts. For almost every case, this change will result in a more robust system since the list can never become inconsistent with reality. However, if you use the _netdev option in /etc/fstab to indicate that a filesystem is a network filesystem requiring special handling, this will no longer be set in /proc/mounts after rebooting. This will not cause problems for standard network filesystems such as NFS, which do not rely on the _netdev option. Filesystems which are unaffected by this issue are ceph, cifs, coda, gfs, ncp, ncpfs, nfs, nfs4, ocfs2 and smbfs. For filesystems which do rely on _netdev for correct unmounting at shutdown, for example when using an NBD, a static mtab will be the only way to use _netdev in wheezy. If you have such a setup, then after completing the upgrade to wheezy restore a static /etc/mtab by doing the following:
Edit /etc/init.d/checkroot.sh, and comment out these lines:
if [ "$rootmode" != "ro" ]; then
        mtab_migrate
fi
If you have rebooted the system, and /etc/mtab is now a symbolic link:
# rm /etc/mtab
# cp /proc/mounts /etc/mtab
Re-add the _netdev option by remounting the affected filesystems:
# mount -o remount filesystem
/etc/mtab will be recreated fully next time you reboot the system.
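One way to find out whether a system has entries that need the static mtab described above, as an added example that is not part of the release notes: the script lists fstab entries that carry _netdev and whose type is not in the unaffected list. The function names and the sample fstab are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the release notes.
# Filesystem types the notes list as unaffected by the mtab change.
UNAFFECTED="ceph cifs coda gfs ncp ncpfs nfs nfs4 ocfs2 smbfs"

# Print the mount point of every entry in the fstab-format file $1 that
# carries _netdev and whose type is not in the unaffected list.
netdev_at_risk() {
    awk -v safe="$UNAFFECTED" '
        BEGIN { n = split(safe, s, " "); for (i = 1; i <= n; i++) ok[s[i]] = 1 }
        $1 ~ /^#/ || NF < 4 { next }      # comments, blank or short lines
        {
            m = split($4, opts, ",")
            for (i = 1; i <= m; i++)
                if (opts[i] == "_netdev" && !($3 in ok)) { print $2; break }
        }
    ' "$1"
}

# True when $1 (default /etc/mtab) is a symbolic link, as it is after the change.
mtab_is_symlink() { [ -L "${1:-/etc/mtab}" ]; }

# Constructed sample fstab (not a real system's file).
sample_fstab() {
    cat <<'EOF'
/dev/sda1     /          ext4  errors=remount-ro  0 1
/dev/nbd0     /srv/nbd0  ext3  _netdev,noatime    0 0
server:/data  /srv/nfs   nfs   rw,_netdev         0 0
# /dev/nbd9   /srv/old   ext3  _netdev            0 0
/dev/nbd1     /srv/nbd1  ext4  defaults,_netdev   0 0
EOF
}

tmp=$(mktemp)
sample_fstab > "$tmp"
echo "Entries relying on _netdev in the sample:"
netdev_at_risk "$tmp"
if mtab_is_symlink; then
    echo "/etc/mtab is a symlink on this host: such entries need a static mtab"
fi
rm -f "$tmp"
```

On a real system, call netdev_at_risk /etc/fstab; an empty result means no entry depends on _netdev in the way the notes describe.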
The Public Domain Korn Shell (pdksh) package is being retired for the release after wheezy, since pdksh is no longer maintained (it has not been actively developed since 1999).
The MirBSD Korn Shell (mksh) package contains its successor; it has evolved from the Public Domain Korn Shell and has been kept up to date with the POSIX standard on the shell.
In Debian wheezy, pdksh is a transitional package using lksh, a variant of mksh built with special compatibility options to provide a pdksh binary symlink. This compatibility binary behaves more like the traditional Public Domain Korn Shell than the current mksh. However as it contains behavior-changing bugfixes it is not a pure drop-in replacement. So, you're advised to change your #!/bin/pdksh scripts to #!/bin/mksh and test them. If the test fails, you're advised to fix your scripts. If, for some reason, this is not possible, you can change them to #!/bin/lksh scripts, and test them again. This test has more chances of succeeding without changing a lot of your code. However, be aware at some point in the future the transitional package will get dropped from Debian.
The compatibility binary is not suitable for interactive use, so as system administrator, adjust the login shell of your Korn Shell users. For minimal service interruption, do this before the upgrade of the O.S.: manually install the mksh package and change the login and/or interactive shells of users that use pdksh to mksh. Furthermore, you're encouraged to copy /etc/skel/.mkshrc into their home directories: this provides some shell functions like pushd, popd and dirs and a nice PS1 (shell prompt).
When upgrading a Puppet managed system from squeeze to wheezy, you must ensure that the corresponding puppetmaster runs at least Puppet version 2.7. If the master is running squeeze's puppetmaster, the managed wheezy system will not be able to connect to it.
Such a combination will lead to the following error message during a puppet agent run:
Could not retrieve catalog from remote server: Error 400 on SERVER: No support for http method POST
In order to resolve this issue the puppetmaster must be upgraded. A 2.7 master is able to manage a 2.6 client system.
The introduction of multiarch (as described in Section 2.2.2, “Multiarch”) changes the paths for some files, which may break assumptions made by toolchain components. Debian's toolchain has been updated, but users trying to build or use external compilers might need to be aware of this.
Some hints to work around these issues can be found in /usr/share/doc/libc6/NEWS.Debian.gz and in bugreport #637232.
Configuration of SQL engine backends for Cyrus SASL, as provided in the libsasl2-modules-sql package, has changed from database specific configuration (e.g. mysql) to the generic sql auxprop plugin.
Configuration files for applications using SASL have to be updated, for example:
auxprop_plugin: mysql
should be replaced by:
auxprop_plugin: sql
sql_engine: mysql
In addition, the SQL query (if used) needs to have %u replaced with %u@%r, because user and realm are now provided separately.
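The two changes above applied to a whole configuration file, as an added example that is not part of the release notes: sasl_migrate prints the updated form and sasl_needs_migration reports whether a file still uses the old form. The function names, the sample file and its table and column names are constructed; only the mysql case shown above is handled.

```shell
#!/bin/sh
# Added example, not from the release notes.
# Print the wheezy form of the Cyrus SASL application config in $1:
#  - "auxprop_plugin: mysql" becomes the generic sql plugin plus sql_engine
#  - %u becomes %u@%r (already-converted occurrences are left alone)
sasl_migrate() {
    awk '
        /^[ \t]*#/ { print; next }              # keep comments as they are
        /^auxprop_plugin:[ \t]*mysql[ \t]*$/ {
            print "auxprop_plugin: sql"
            print "sql_engine: mysql"
            next
        }
        /%u/ {
            gsub(/%u/, "%u@%r")                 # add the realm everywhere
            gsub(/%u@%r@%r/, "%u@%r")           # undo doubling on converted lines
        }
        { print }
    ' "$1"
}

# Succeeds (exit 0) when the file still needs the change.
sasl_needs_migration() {
    [ "$(sasl_migrate "$1")" != "$(cat "$1")" ]
}

# Constructed sample config; sql_select is the sql plugin's query option,
# the table and column names are made up.
sample_conf() {
    cat <<'EOF'
pwcheck_method: auxprop
auxprop_plugin: mysql
sql_select: SELECT password FROM users WHERE login = '%u'
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
if sasl_needs_migration "$tmp"; then
    sasl_migrate "$tmp"
fi
rm -f "$tmp"
```

Review the printed result before replacing a live file, since a failed lookup here means authentication failures for the application using SASL.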
Some hardware drivers, including drivers for (wired or wireless) network cards, as well as the driver for ATI/AMD graphics chipsets, require loadable firmware in order to operate properly.
That firmware is often not free software, and as such only available from the non-free archive, in the firmware-linux and other packages.