Debian 10233 Published by

Debian 6.0.8 (oldstable branch) has been released



------------------------------------------------------------------------
The Debian Project http://www.debian.org/
Updated Debian 6.0: 6.0.8 released press@debian.org
October 20th, 2013 http://www.debian.org/News/2013/20131020
------------------------------------------------------------------------

The Debian project is pleased to announce the eighth update of its
oldstable distribution Debian 6.0 (codename `squeeze'). This update
mainly adds corrections for security problems to the oldstable release,
along with a few adjustments for serious problems. Security advisories
were already published separately and are referenced where available.

Please note that this update does not constitute a new version of Debian
6.0 but only updates some of the packages included. There is no need to
throw away old `squeeze' CDs or DVDs but only to update via an
up-to-date Debian mirror after an installation, to cause any out of date
packages to be updated.

Those who frequently install updates from security.debian.org won't have
to update many packages and most updates from security.debian.org are
included in this update.

New installation media and CD and DVD images containing updated packages
will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the
aptitude (or apt) package tool (see the sources.list(5) manual page) to
one of Debian's many FTP or HTTP mirrors. A comprehensive list of
mirrors is available at:

http://www.debian.org/mirror/list


Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following
packages:

Package Reason
base-files Update version for point release
clamav New upstream release; security fixes
dpkg-ruby Close files once they're parsed, preventing trouble on
dist-upgrades
gdm3 Fix potential security issue with partial upgrades to
wheezy
graphviz Use system ltdl
grep Fix CVE-2012-5667
ia32-libs Update included packages from oldstable / security.d.o
ia32-libs-gtk Update included packages from oldstable / security.d.o
inform Remove broken calls to update-alternatives
ldap2dns Do not unnecessarily include /usr/share/debconf/
confmodule in postinst
libapache-mod-security Fix NULL pointer dereference. CVE-2013-2765
libmodule-signature-perl CVE-2013-2145: Fixes arbitrary code execution when
verifying SIGNATURE
libopenid-ruby Fix CVE-2013-1812
libspf2 IPv6 fixes
lm-sensors-3 Skip probing for EDID or graphics cards, as it might
cause hardware issues
moin Do not create empty pagedir (with empty edit-log)
net-snmp Fix CVE-2012-2141
openssh Fix potential int overflow when using gssapi-with-mac
authentication (CVE-2011-5000)
openvpn Fix use of non-constant-time memcmp in HMAC
comparison. CVE-2013-2061
pcp Fix insecure tempfile handling
pigz Use more restrictive permissions for in-progress files
policyd-weight Remove shut-down njabl DNSBL
pyopencl Remove non-free file from examples
Use a better random number generator to prevent
pyrad predictable password hashing and packet IDs
(CVE-2013-0294)
python-qt4 Fix crash in uic file with radio buttons
request-tracker3.8 Move non-cache data to /var/lib
samba Fix CVE-2013-4124: Denial of service - CPU loop and
memory allocation
smarty Fix CVE-2012-4437
spamassassin Remove shut-down njabl DNSBL; fix RCVD_ILLEGAL_IP to
not consider 5.0.0.0/8 as invalid
sympa Fix endless loop in wwsympa while loading session data
including metacharacters
texlive-extra Fix predictable temp file names in latex2man
tntnet Fix insecure default tntnet.conf
tzdata New upstream version
wv2 Really remove src/generator/generator_wword{6,8}.htm
xorg-server Link against -lbsd on kfreebsd to make MIT-SHM work
with non-world-accessible segments
xview Fix alternatives handling
Fix SQL injection, zabbix_agentd DoS, possible path
zabbix disclosure, field name parameter checking bypass,
ability to override LDAP configuration when calling
user.login via API


Security Updates
----------------

This revision adds the following security updates to the oldstable release. The
Security Team has already released an advisory for each of these updates:

Advisory ID Package Correction(s)
DSA-2628 nss-pam-ldapd Buffer overflow
DSA-2629 openjpeg Multiple issues
DSA-2630 postgresql-8.4 Programming error
DSA-2631 squid3 Denial of service
DSA-2632 user-mode-linux Multiple issues
DSA-2632 linux-2.6 Multiple issues
DSA-2633 fusionforge Privilege escalation
DSA-2634 python-django Multiple issues
DSA-2635 cfingerd Buffer overflow
DSA-2636 xen Multiple issues
DSA-2637 apache2 Multiple issues
DSA-2638 openafs Buffer overflow
DSA-2639 php5 Multiple issues
DSA-2640 zoneminder Multiple issues
DSA-2641 perl Rehashing flaw
DSA-2641 libapache2-mod-perl2 FTBFS with updated perl
DSA-2642 sudo Multiple issues
DSA-2643 puppet Multiple issues
DSA-2644 wireshark Multiple issues
DSA-2645 inetutils Denial of service
DSA-2646 typo3-src Multiple issues
DSA-2647 firebird2.1 Buffer overflow
DSA-2648 firebird2.5 Multiple issues
DSA-2649 lighttpd Fixed socket name in
world-writable directory
DSA-2650 libvirt Files and device nodes ownership
change to kvm group
DSA-2651 smokeping Cross-site scripting
vulnerability
DSA-2652 libxml2 External entity expansion
DSA-2653 icinga Buffer overflow
DSA-2654 libxslt Denial of service
DSA-2655 rails Multiple issues
DSA-2656 bind9 Denial of service
DSA-2657 postgresql-8.4 Guessable random numbers
DSA-2659 libapache-mod-security XML external entity processing
vulnerability
DSA-2660 curl Cookie leak vulnerability
DSA-2661 xorg-server Information disclosure
DSA-2662 xen Multiple issues
DSA-2663 tinc Stack based buffer overflow
DSA-2664 stunnel4 Buffer overflow
DSA-2665 strongswan Authentication bypass
DSA-2666 xen Multiple issues
DSA-2668 linux-2.6 Multiple issues
DSA-2668 user-mode-linux Multiple issues
DSA-2670 request-tracker3.8 Multiple issues
DSA-2673 libdmx Multiple issues
DSA-2674 libxv Multiple issues
DSA-2675 libxvmc Multiple issues
DSA-2676 libxfixes Multiple issues
DSA-2677 libxrender Multiple issues
DSA-2678 mesa Multiple issues
DSA-2679 xserver-xorg-video-openchrome Multiple issues
DSA-2680 libxt Multiple issues
DSA-2681 libxcursor Multiple issues
DSA-2682 libxext Multiple issues
DSA-2683 libxi Multiple issues
DSA-2684 libxrandr Multiple issues
DSA-2685 libxp Multiple issues
DSA-2686 libxcb Multiple issues
DSA-2687 libfs Multiple issues
DSA-2688 libxres Multiple issues
DSA-2689 libxtst Multiple issues
DSA-2690 libxxf86dga Multiple issues
DSA-2691 libxinerama Multiple issues
DSA-2692 libxxf86vm Multiple issues
DSA-2693 libx11 Multiple issues
DSA-2694 spip Privilege escalation
DSA-2698 tiff Buffer overflow
DSA-2701 krb5 Denial of service
DSA-2702 telepathy-gabble TLS verification bypass
DSA-2703 subversion Multiple issues
DSA-2708 fail2ban Denial of service
DSA-2710 xml-security-c Multiple issues
DSA-2711 haproxy Multiple issues
DSA-2713 curl Heap overflow
DSA-2715 puppet Code execution
DSA-2717 xml-security-c Heap overflow
DSA-2718 wordpress Multiple issues
DSA-2719 poppler Multiple issues
DSA-2723 php5 Heap corruption
DSA-2725 tomcat6 Multiple issues
DSA-2726 php-radius Buffer overflow
DSA-2727 openjdk-6 Multiple issues
DSA-2728 bind9 Denial of service
DSA-2729 openafs Multiple issues
DSA-2730 gnupg Information leak
DSA-2731 libgcrypt11 Information leak
DSA-2733 otrs2 SQL injection
DSA-2734 wireshark Multiple issues
DSA-2736 putty Multiple issues
DSA-2739 cacti Multiple issues
DSA-2740 python-django Cross-site scripting
vulnerability
DSA-2742 php5 Interpretation conflict
DSA-2744 tiff Multiple issues
DSA-2747 cacti Multiple issues
DSA-2748 exactimage Denial of service
DSA-2749 asterisk Multiple issues
DSA-2751 libmodplug Multiple issues
DSA-2752 phpbb3 Too wide permissions
DSA-2753 mediawiki Cross-site request forgery token
disclosure
DSA-2754 exactimage Denial of service
DSA-2755 python-django Directory traversal
DSA-2756 wireshark Multiple issues
DSA-2758 python-django Denial of service
DSA-2760 chrony Multiple issues
DSA-2763 pyopenssl Hostname check bypassing
DSA-2766 user-mode-linux Multiple issues
DSA-2766 linux-2.6 Multiple issues
DSA-2767 proftpd-dfsg Denial of service
DSA-2770 torque Authentication bypass
DSA-2773 gnupg Multiple issues
DSA-2775 ejabberd Insecure SSL usage
DSA-2776 drupal6 Multiple issues
DSA-2778 libapache2-mod-fcgid Heap-based buffer overflow


Removed packages
----------------

The following packages were removed due to circumstances beyond our control:

Package Reason
irssi-plugin-otr Security issues
libpam-rsa Broken, causes security problems


Debian Installer
----------------

The installer has been rebuilt to include the fixes incorporated into oldstable
by the point release.

URLs

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/squeeze/ChangeLog

The current oldstable distribution:

http://ftp.debian.org/debian/dists/oldstable/

Proposed updates to the oldstable distribution:

http://ftp.debian.org/debian/dists/oldstable-proposed-updates

oldstable distribution information (release notes, errata etc.):

http://www.debian.org/releases/oldstable/

Security announcements and information:

http://security.debian.org/


About Debian
------------

The Debian Project is an association of Free Software developers who volunteer
their time and effort in order to produce the completely free operating system
Debian.
  Debian 6.0.8 released