The fifth update of Debian GNU/Linux 5.0 has been released



-------------------------------------------------------------------------
The Debian Project                                 http://www.debian.org/
Debian GNU/Linux 5.0 updated                             press@debian.org
June 26th, 2010                  http://www.debian.org/News/2010/20100626
-------------------------------------------------------------------------

Debian GNU/Linux 5.0 updated

The Debian project is pleased to announce the fifth update of its stable distribution Debian GNU/Linux 5.0 (codename "lenny"). This update mainly adds corrections for security problems to the stable release, along with a few adjustments for serious problems.

Please note that this update does not constitute a new version of Debian GNU/Linux 5.0 but only updates some of the packages included. There is no need to throw away 5.0 CDs or DVDs; after an installation, simply update from an up-to-date Debian mirror so that any out-of-date packages are upgraded.

Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.

New CD and DVD images containing the updated packages, as well as the regular installation media accompanied by the package archive, will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:

http://www.debian.org/distrib/ftplist


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following packages:

Package                         Reason

alien-arena                     Fix a buffer overflow and a denial of service
apache2                         Add missing psmisc dependency; fix memory leak in brigade cleanup
apache2-mpm-itk                 Ensure child processes get correctly reaped on reload
apr                             Set FD_CLOEXEC on file descriptors to avoid potential leaks
apt                             Allow Files sections to contain more than 999 characters
base-files                      Update /etc/debian_version for the point release
cpio                            Fix buffer overflow in rmt_read__
dia2code                        Fix segfault parsing large files
gtk+2.0                         Fix hang when printing large documents
libapache-dbi-perl              Fix loading of module from Apache startup files
libapache2-mod-perl2            Fix XSS in Apache2::Status
libjavascript-perl              Fix segfault when calling non-existent function
libjson-ruby                    Fix parser DoS and use libjs-prototype rather than embedding the library
liblog-handler-perl             Add missing dependency on libuniversal-require-perl
libmediawiki-perl               Update to match mediawiki changes
libnamespace-clean-perl         Add missing dependency on libscope-guard-perl
libnet-smtp-server-perl         Add missing dependency on libnet-dns-perl
libxext                         Ensure display lock is held before calling XAllocID
linux-2.6                       Several fixes and driver updates
mailman                         Don't add multiple Mime-Version headers
mpg123                          Allow modules to be located again (broken by libltdl security fix)
nano                            Fix symlink attack and arbitrary file ownership change issue
nfs-utils                       Update test for NFS kernel server support in init script to support partial upgrades
nut                             Move library to /lib to allow power-down with separated /usr
open-iscsi                      Fix temporary file vulnerability
openssl                         Check return value of bn_wexpand() (CVE-2009-3245)
openttd                         Fix several DoS and crash vulnerabilities
php5                            Fix overflows, add missing sybase aliases, improve e-mail validation
poppler                         Fix remote code execution via crafted PDF files
postgresql-8.3                  Several vulnerabilities
pyftpd                          Security fixes - disable default users, anonymous access and logging to /tmp
python-support                  Use sane default umask in update-python-modules
request-tracker3.6              Fix login problem introduced in security update
samba                           Fix memory leaks with domain trust passwords; fix interdomain trust with Windows 2008 r2 servers
slim                            Make magic cookie less predictable; don't save screenshots in /tmp
sun-java5                       Update to new upstream release to fix security issues
sun-java6                       Update to new upstream release to fix security issues
tar                             Security fix in rmt
texlive-bin                     Security fixes in dvips
tla                             Fix DoS in embedded expat library
tzdata                          Update timezone data
usbutils                        Update USB ID list
user-mode-linux                 Rebuild against linux-2.6 2.6.26-24
wordpress                       Fix DoS
xerces-c2                       Fix DoS attack with nested DTDs
xmonad-contrib                  Fix installability on 64-bit architectures
xserver-xorg-input-elographics  Prevent X server hangs when using the touchscreen
xserver-xorg-video-intel        Add support for ASUS eeetop LVDS output

Note that due to problems with the package build process, updated sun-java5 and sun-java6 packages for the ia64 architecture are not included in this point release. These packages will be provided in proposed-updates as soon as they are available and included in a future point release.


Kernel Updates
--------------

The kernel images included in this point release incorporate a number of important and security-related fixes together with support for additional hardware.

On the amd64 and i386 architectures, support has been re-introduced for automatically running the lilo bootloader when a kernel image is added, updated or removed, so that the kernel is correctly registered with the bootloader.


Debian Installer
----------------

The Debian Installer has been updated in this point release to correct an issue with the display of the "BIOS boot area" partitioner option when using GPT partitions and to update the list of available mirror servers for package installation.

The kernel image used by the installer has been updated to incorporate a number of important and security-related fixes together with support for additional hardware.


Security Updates
----------------

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID     Package                   Correction(s)

DSA 1841        git-core                  Denial of service
DSA 1955        network-manager-applet    Information disclosure
DSA 1973        glibc                     Information disclosure
DSA 1977        python2.4                 Several vulnerabilities
DSA 1977        python2.5                 Several vulnerabilities
DSA 1980        ircd-ratbox               Arbitrary code execution
DSA 1981        maildrop                  Privilege escalation
DSA 1982        hybserv                   Denial of service
DSA 1983        wireshark                 Several vulnerabilities
DSA 1984        libxerces2-java           Denial of service
DSA 1985        sendmail                  Insufficient input validation
DSA 1986        moodle                    Several vulnerabilities
DSA 1987        lighttpd                  Denial of service
DSA 1988        qt4-x11                   Several vulnerabilities
DSA 1989        fuse                      Denial of service
DSA 1990        trac-git                  Code execution
DSA 1991        squid3                    Denial of service
DSA 1992        chrony                    Denial of service
DSA 1993        otrs2                     SQL injection
DSA 1994        ajaxterm                  Session hijacking
DSA 1995        openoffice.org            Several vulnerabilities
DSA 1996        linux-2.6                 Several vulnerabilities
DSA 1997        mysql-dfsg-5.0            Several vulnerabilities
DSA 1998        kdelibs                   Arbitrary code execution
DSA 1999        xulrunner                 Several vulnerabilities
DSA 2000        ffmpeg-debian             Several vulnerabilities
DSA 2001        php5                      Multiple vulnerabilities
DSA 2002        polipo                    Denial of service
DSA 2004        samba                     Several vulnerabilities
DSA 2006        sudo                      Several vulnerabilities
DSA 2007        cups                      Arbitrary code execution
DSA 2008        typo3-src                 Several vulnerabilities
DSA 2009        tdiary                    Cross-site scripting
DSA 2010        kvm                       Several vulnerabilities
DSA 2011        dpkg                      Path traversal
DSA 2012        user-mode-linux           Several vulnerabilities
DSA 2012        linux-2.6                 Several vulnerabilities
DSA 2013        egroupware                Several vulnerabilities
DSA 2014        moin                      Several vulnerabilities
DSA 2015        drbd8                     Privilege escalation
DSA 2015        linux-modules-extra-2.6   Privilege escalation
DSA 2016        drupal6                   Several vulnerabilities
DSA 2017        pulseaudio                Insecure temporary directory
DSA 2018        php5                      Null pointer dereference
DSA 2019        pango1.0                  Denial of service
DSA 2020        ikiwiki                   Cross-site scripting
DSA 2021        spamass-milter            Missing input sanitization
DSA 2022        mediawiki                 Several vulnerabilities
DSA 2023        curl                      Arbitrary code execution
DSA 2024        moin                      Cross-site scripting
DSA 2025        icedove                   Several vulnerabilities
DSA 2026        netpbm-free               Denial of service
DSA 2027        xulrunner                 Several vulnerabilities
DSA 2028        xpdf                      Several vulnerabilities
DSA 2029        imlib2                    Arbitrary code execution
DSA 2030        mahara                    SQL injection
DSA 2031        krb5                      Denial of service
DSA 2032        libpng                    Several vulnerabilities
DSA 2033        ejabberd                  Denial of service
DSA 2034        phpmyadmin                Several vulnerabilities
DSA 2035        apache2                   Several vulnerabilities
DSA 2036        jasper                    Denial of service
DSA 2037        kdebase                   Privilege escalation
DSA 2038        pidgin                    Denial of service
DSA 2039        cacti                     Missing input sanitising
DSA 2040        squidguard                Several vulnerabilities
DSA 2041        mediawiki                 Cross-site request forgery
DSA 2042        iscsitarget               Arbitrary code execution
DSA 2044        mplayer                   Arbitrary code execution
DSA 2045        libtheora                 Arbitrary code execution
DSA 2046        phpgroupware              Several vulnerabilities
DSA 2047        aria2                     Directory traversal
DSA 2048        dvipng                    Arbitrary code execution
DSA 2049        barnowl                   Arbitrary code execution
DSA 2050        postgresql-8.3            Several vulnerabilities
DSA 2052        krb5                      Denial of service
DSA 2053        linux-2.6                 Several issues
DSA 2054        bind9                     Cache poisoning
DSA 2055        openoffice.org            Arbitrary code execution
DSA 2056        zonecheck                 Cross-site scripting
DSA 2057        mysql-dfsg-5.0            Several vulnerabilities
DSA 2058        pcsc-lite                 Privilege escalation
DSA 2058        glibc                     Several vulnerabilities
DSA 2060        cacti                     SQL injection
DSA 2062        sudo                      Missing input sanitization
DSA 2063        pmount                    Denial of service
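As an added example (not part of the Debian announcement), the POSIX shell function below cross-references a constructed excerpt of the advisory table above with a constructed stand-in for `dpkg-query` output, so an administrator can see which of this point release's advisories concern packages installed on a host before applying the update. Package names are taken from the table; the version strings are sample values.

```shell
#!/bin/sh
# Added example, not part of the Debian announcement.

# Constructed excerpt of the "Security Updates" table above:
# advisory id, package, correction.
DSA_TABLE='DSA 2011 dpkg Path traversal
DSA 2023 curl Arbitrary code execution
DSA 2035 apache2 Several vulnerabilities
DSA 2054 bind9 Cache poisoning
DSA 2062 sudo Missing input sanitization'

# Constructed stand-in for the output of the real command
#   dpkg-query -W -f='${Package} ${Version}\n'
# Versions here are sample values, not real package versions.
INSTALLED='apache2 2.2.9-10
curl 7.18.2-8
sudo 1.6.9p17-2
bash 3.2-4'

# applicable_advisories TABLE
# Prints one line per advisory in TABLE whose package appears in
# $INSTALLED, in table order, with the installed version appended.
applicable_advisories() {
    # Feed both lists through one awk run, separated by a marker line:
    # part 0 = installed packages (name -> version), part 1 = advisories.
    { printf '%s\n' "$INSTALLED"; echo '---'; printf '%s\n' "$1"; } | awk '
        /^---$/          { part = 1; next }
        part == 0        { installed[$1] = $2; next }
        ($3 in installed) { print $0 " (installed " installed[$3] ")" }
    '
}

# applicable_count TABLE
# Number of advisories in TABLE that concern an installed package.
applicable_count() {
    applicable_advisories "$1" | wc -l | tr -d ' '
}

applicable_advisories "$DSA_TABLE"
```

Presence of a package only shows that an advisory is relevant to the host, not that it is still unpatched; compare the installed version against the fixed version given in the DSA, or simply upgrade from an up-to-date mirror as described above.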


Removed packages
----------------

The following packages were removed due to circumstances beyond our control:

Package           Reason

eclipse           incompatible with stable's xulrunner; not easily fixable
eclipse-cdt       depends on removed eclipse
eclipse-nls-sdk   depends on removed eclipse


URLs
----

The complete list of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/lenny/ChangeLog

The current stable distribution:

http://ftp.debian.org/debian/dists/stable

Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates

Stable distribution information (release notes, errata etc.):

http://www.debian.org/releases/stable/

Security announcements and information:

http://www.debian.org/security/


About Debian
------------

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian GNU/Linux.