Debian GNU/Linux 5.0 updated
June 26th, 2010
The Debian project is pleased to announce the fifth update of its stable distribution Debian GNU/Linux 5.0 (codename "lenny"). This update mainly adds corrections for security problems to the stable release, along with a few adjustment to serious problems.
Please note that this update does not constitute a new version of Debian GNU/Linux 5.0 but only updates some of the packages included. There is no need to throw away 5.0 CDs or DVDs but only to update via an up-to-date Debian mirror after an installation, to cause any out of date packages to be updated.
Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.
New CD and DVD images containing updated packages and the regular installation media accompanied with the package archive respectively will be available soon at the regular locations.
Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
alien-arena | Fix a buffer overflow and a denial of service |
apache2 | Add missing psmisc dependency; fix memory leak in brigade cleanup |
apache2-mpm-itk | Ensure child processes get correctly reaped on reload |
apr | Set FD_CLOEXEC on file descriptors to avoid potential leaks |
apt | Allow Files sections to contain more than 999 characters |
base-files | Update /etc/debian_version for the point release |
cpio | Fix buffer overflow in rmt_read__ |
dia2code | Fix segfault parsing large files |
gtk+2.0 | Fix hang when printing large documents |
libapache-dbi-perl | Fix loading of module from Apache startup files |
libapache2-mod-perl2 | Fix XSS in Apache2::Status |
libjavascript-perl | Fix segfault when calling non-existent function |
libjson-ruby | Fix parser DoS and use libjs-prototype rather than embedding the library |
liblog-handler-perl | Add missing dependency on libuniversal-require-perl |
libmediawiki-perl | Update to match mediawiki changes |
libnamespace-clean-perl | Add missing dependency on libscope-guard-perl |
libnet-smtp-server-perl | Add missing dependency on libnet-dns-perl |
libxext | Ensure display lock is held before calling XAllocID |
linux-2.6 | Several fixes and driver updates |
mailman | Don't add multiple Mime-Version headers |
mpg123 | Allow modules to be located again (broken by libltdl security fix) |
nano | Fix symlink attack and arbitrary file ownership change issue |
nfs-utils | Update test for NFS kernel server support in init script to support partial upgrades |
nut | Move library to /lib to allow power-down with separated /usr |
open-iscsi | Fix temporary file vulnerability |
openssl | Check return value of bn_wexpand() (CVE-2009-3245) |
openttd | Fix several DoS and crash vulnerabilities |
php5 | Fix overflows, add missing sybase aliases, improve e-mail validation |
poppler | Fix remote code execution via crafted PDF files |
postgresql-8.3 | Several vulnerabilities |
pyftpd | Security fixes - disable default users, anonymous access and logging to /tmp |
python-support | Use sane default umask in update-python-modules |
request-tracker3.6 | Fix login problem introduced in security update |
samba | Fix memory leaks with domain trust passwords; fix interdomain trust with Windows 2008 r2 servers |
slim | Make magic cookie less predictable; don't save screenshots in /tmp |
sun-java5 | Update to new upstream release to fix security issues |
sun-java6 | Update to new upstream release to fix security issues |
tar | Security fix in rmt |
texlive-bin | Security fixes in dvips |
tla | Fix DoS in embedded expat library |
tzdata | Update timezone data |
usbutils | Update USB ID list |
user-mode-linux | Rebuild against linux-2.6 2.6.26-24 |
wordpress | Fix DoS |
xerces-c2 | Fix DoS attack with nested DTDs |
xmonad-contrib | Fix installability on 64-bit architectures |
xserver-xorg-input-elographics | Prevent X server hangs when using the touchscreen |
xserver-xorg-video-intel | Add support for ASUS eeetop LVDS output |
Note that due to problems with the package build process, updated sun-java5 and sun-java6 packages for the ia64 architecture are not included in this point release. These packages will be provided in proposed-updates as soon as they are available and included in a future point release.
Kernel Updates
The kernel images included in this point release incorporate a number of important and security-related fixes together with support for additional hardware.
On the amd64 and i386 architectures, support has been re-introduced for automatically running the lilo bootloader when a kernel image is added, updated or removed in order to ensure that this is correctly registered with the bootloader.
Debian Installer
The Debian Installer has been updated in this point release to correct an issue with the display of the "BIOS boot area" partitioner option when using GPT partitions and to update the list of available mirror servers for package installation.
The kernel image used by the installer has been updated to incorporate a number of important and security-related fixes together with support for additional hardware.
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Advisory ID | Package | Correction(s) |
---|---|---|
DSA-1841 | git-core | Denial of service |
DSA-1955 | network-manager-applet | Information disclosure |
DSA-1973 | glibc | Information disclosure |
DSA-1977 | python2.4 | Several vulnerabilities |
DSA-1977 | python2.5 | Several vulnerabilities |
DSA-1980 | ircd-ratbox | Arbitrary code execution |
DSA-1981 | maildrop | Privilege escalation |
DSA-1982 | hybserv | Denial of service |
DSA-1983 | wireshark | Several vulnerabilities |
DSA-1984 | libxerces2-java | Denial of service |
DSA-1985 | sendmail | Insufficient input validation |
DSA-1986 | moodle | Several vulnerabilities |
DSA-1987 | lighttpd | Denial of service |
DSA-1988 | qt4-x11 | Several vulnerabilities |
DSA-1989 | fuse | Denial of service |
DSA-1990 | trac-git | Code execution |
DSA-1991 | squid3 | Denial of service |
DSA-1992 | chrony | Denial of service |
DSA-1993 | otrs2 | SQL injection |
DSA-1994 | ajaxterm | Session hijacking |
DSA-1995 | openoffice.org | Several vulnerabilities |
DSA-1996 | linux-2.6 | Several vulnerabilities |
DSA-1997 | mysql-dfsg-5.0 | Several vulnerabilities |
DSA-1998 | kdelibs | Arbitrary code execution |
DSA-1999 | xulrunner | Several vulnerabilities |
DSA-2000 | ffmpeg-debian | Several vulnerabilities |
DSA-2001 | php5 | Multiple vulnerabilities |
DSA-2002 | polipo | Denial of service |
DSA-2004 | samba | Several vulnerabilities |
DSA-2006 | sudo | Several vulnerabilities |
DSA-2007 | cups | Arbitrary code execution |
DSA-2008 | typo3-src | Several vulnerabilities |
DSA-2009 | tdiary | Cross-site scripting |
DSA-2010 | kvm | Several vulnerabilities |
DSA-2011 | dpkg | Path traversal |
DSA-2012 | user-mode-linux | Several vulnerabilities |
DSA-2012 | linux-2.6 | Several vulnerabilities |
DSA-2013 | egroupware | Several vulnerabilities |
DSA-2014 | moin | Several vulnerabilities |
DSA-2015 | drbd8 | Privilege escalation |
DSA-2015 | linux-modules-extra-2.6 | Privilege escalation |
DSA-2016 | drupal6 | Several vulnerabilities |
DSA-2017 | pulseaudio | Insecure temporary directory |
DSA-2018 | php5 | Null pointer dereference |
DSA-2019 | pango1.0 | Denial of service |
DSA-2020 | ikiwiki | Cross-site scripting |
DSA-2021 | spamass-milter | Missing input sanitization |
DSA-2022 | mediawiki | Several vulnerabilities |
DSA-2023 | curl | Arbitrary code execution |
DSA-2024 | moin | Cross-site scripting |
DSA-2025 | icedove | Several vulnerabilities |
DSA-2026 | netpbm-free | Denial of service |
DSA-2027 | xulrunner | Several vulnerabilities |
DSA-2028 | xpdf | Several vulnerabilities |
DSA-2029 | imlib2 | Arbitrary code execution |
DSA-2030 | mahara | SQL injection |
DSA-2031 | krb5 | Denial of service |
DSA-2032 | libpng | Several vulnerabilities |
DSA-2033 | ejabberd | Denial of service |
DSA-2034 | phpmyadmin | Several vulnerabilities |
DSA-2035 | apache2 | Several vulnerabilities |
DSA-2036 | jasper | Denial of service |
DSA-2037 | kdebase | Privilege escalation |
DSA-2038 | pidgin | Denial of service |
DSA-2039 | cacti | Missing input sanitising |
DSA-2040 | squidguard | Several vulnerabilities |
DSA-2041 | mediawiki | Cross-site request forgery |
DSA-2042 | iscsitarget | Arbitrary code execution |
DSA-2044 | mplayer | Arbitrary code execution |
DSA-2045 | libtheora | Arbitrary code execution |
DSA-2046 | phpgroupware | Several vulnerabilities |
DSA-2047 | aria2 | Directory traversal |
DSA-2048 | dvipng | Arbitrary code execution |
DSA-2049 | barnowl | Arbitrary code execution |
DSA-2050 | postgresql-8.3 | Several vulnerabilities |
DSA-2052 | krb5 | Denial of service |
DSA-2053 | linux-2.6 | Several issues |
DSA-2054 | bind9 | Cache poisoning |
DSA-2055 | openoffice.org | Arbitrary code execution |
DSA-2056 | zonecheck | Cross-site scripting |
DSA-2057 | mysql-dfsg-5.0 | Several vulnerabilities |
DSA-2058 | pcsc-lite | Privilege escalation |
DSA-2058 | glibc | Several vulnerabilities |
DSA-2060 | cacti | SQL injection |
DSA-2062 | sudo | Missing input sanitization |
DSA-2063 | pmount | Denial of service |
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
eclipse | incompatible with stable's xulrunner; not easily fixable |
eclipse-cdt | depends on removed eclipse |
eclipse-nls-sdk | depends on removed eclipse |
URLs
The complete lists of packages that have changed with this release:
The current stable distribution:
Proposed updates to the stable distribution:
Stable distribution information (release notes, errata, etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian GNU/Linux.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.