------------------------------------------------------------------------
The Debian Project                                  http://www.debian.org/
Updated Debian 6.0: 6.0.8 released                press ( -at -) debian.org
October 20th, 2013              http://www.debian.org/News/2013/20131020
------------------------------------------------------------------------

The Debian project is pleased to announce the eighth update of its
oldstable distribution Debian 6.0 (codename `squeeze'). This update
mainly adds corrections for security problems to the oldstable release,
along with a few adjustments for serious problems. Security advisories
were already published separately and are referenced where available.

Please note that this update does not constitute a new version of
Debian 6.0 but only updates some of the packages included. There is no
need to throw away old `squeeze' CDs or DVDs but only to update via an
up-to-date Debian mirror after an installation, to cause any out of date
packages to be updated.

Those who frequently install updates from security.debian.org won't have
to update many packages and most updates from security.debian.org are
included in this update.

New installation media and CD and DVD images containing updated packages
will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the
aptitude (or apt) package tool (see the sources.list(5) manual page) to
one of Debian's many FTP or HTTP mirrors. A comprehensive list of
mirrors is available at:

  http://www.debian.org/mirror/list


Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following
packages:

Package                     Reason

base-files                  Update version for point release
clamav                      New upstream release; security fixes
dpkg-ruby                   Close files once they're parsed, preventing trouble on dist-upgrades
gdm3                        Fix potential security issue with partial upgrades to wheezy
graphviz                    Use system ltdl
grep                        Fix CVE-2012-5667
ia32-libs                   Update included packages from oldstable / security.d.o
ia32-libs-gtk               Update included packages from oldstable / security.d.o
inform                      Remove broken calls to update-alternatives
ldap2dns                    Do not unnecessarily include /usr/share/debconf/confmodule in postinst
libapache-mod-security      Fix NULL pointer dereference. CVE-2013-2765
libmodule-signature-perl    CVE-2013-2145: Fixes arbitrary code execution when verifying SIGNATURE
libopenid-ruby              Fix CVE-2013-1812
libspf2                     IPv6 fixes
lm-sensors-3                Skip probing for EDID or graphics cards, as it might cause hardware issues
moin                        Do not create empty pagedir (with empty edit-log)
net-snmp                    Fix CVE-2012-2141
openssh                     Fix potential int overflow when using gssapi-with-mac authentication (CVE-2011-5000)
openvpn                     Fix use of non-constant-time memcmp in HMAC comparison. CVE-2013-2061
pcp                         Fix insecure tempfile handling
pigz                        Use more restrictive permissions for in-progress files
policyd-weight              Remove shut-down njabl DNSBL
pyopencl                    Remove non-free file from examples
pyrad                       Use a better random number generator to prevent predictable password hashing and packet IDs (CVE-2013-0294)
python-qt4                  Fix crash in uic file with radio buttons
request-tracker3.8          Move non-cache data to /var/lib
samba                       Fix CVE-2013-4124: Denial of service - CPU loop and memory allocation
smarty                      Fix CVE-2012-4437
spamassassin                Remove shut-down njabl DNSBL; fix RCVD_ILLEGAL_IP to not consider 5.0.0.0/8 as invalid
sympa                       Fix endless loop in wwsympa while loading session data including metacharacters
texlive-extra               Fix predictable temp file names in latex2man
tntnet                      Fix insecure default tntnet.conf
tzdata                      New upstream version
wv2                         Really remove src/generator/generator_wword{6,8}.htm
xorg-server                 Link against -lbsd on kfreebsd to make MIT-SHM work with non-world-accessible segments
xview                       Fix alternatives handling
zabbix                      Fix SQL injection, zabbix_agentd DoS, possible path disclosure, field name parameter checking bypass, ability to override LDAP configuration when calling user.login via API


Security Updates
----------------

This revision adds the following security updates to the oldstable
release. The Security Team has already released an advisory for each of
these updates:

Advisory ID  Package                         Correction(s)

DSA-2628     nss-pam-ldapd                   Buffer overflow
DSA-2629     openjpeg                        Multiple issues
DSA-2630     postgresql-8.4                  Programming error
DSA-2631     squid3                          Denial of service
DSA-2632     user-mode-linux                 Multiple issues
DSA-2632     linux-2.6                       Multiple issues
DSA-2633     fusionforge                     Privilege escalation
DSA-2634     python-django                   Multiple issues
DSA-2635     cfingerd                        Buffer overflow
DSA-2636     xen                             Multiple issues
DSA-2637     apache2                         Multiple issues
DSA-2638     openafs                         Buffer overflow
DSA-2639     php5                            Multiple issues
DSA-2640     zoneminder                      Multiple issues
DSA-2641     perl                            Rehashing flaw
DSA-2641     libapache2-mod-perl2            FTBFS with updated perl
DSA-2642     sudo                            Multiple issues
DSA-2643     puppet                          Multiple issues
DSA-2644     wireshark                       Multiple issues
DSA-2645     inetutils                       Denial of service
DSA-2646     typo3-src                       Multiple issues
DSA-2647     firebird2.1                     Buffer overflow
DSA-2648     firebird2.5                     Multiple issues
DSA-2649     lighttpd                        Fixed socket name in world-writable directory
DSA-2650     libvirt                         Files and device nodes ownership change to kvm group
DSA-2651     smokeping                       Cross-site scripting vulnerability
DSA-2652     libxml2                         External entity expansion
DSA-2653     icinga                          Buffer overflow
DSA-2654     libxslt                         Denial of service
DSA-2655     rails                           Multiple issues
DSA-2656     bind9                           Denial of service
DSA-2657     postgresql-8.4                  Guessable random numbers
DSA-2659     libapache-mod-security          XML external entity processing vulnerability
DSA-2660     curl                            Cookie leak vulnerability
DSA-2661     xorg-server                     Information disclosure
DSA-2662     xen                             Multiple issues
DSA-2663     tinc                            Stack based buffer overflow
DSA-2664     stunnel4                        Buffer overflow
DSA-2665     strongswan                      Authentication bypass
DSA-2666     xen                             Multiple issues
DSA-2668     linux-2.6                       Multiple issues
DSA-2668     user-mode-linux                 Multiple issues
DSA-2670     request-tracker3.8              Multiple issues
DSA-2673     libdmx                          Multiple issues
DSA-2674     libxv                           Multiple issues
DSA-2675     libxvmc                         Multiple issues
DSA-2676     libxfixes                       Multiple issues
DSA-2677     libxrender                      Multiple issues
DSA-2678     mesa                            Multiple issues
DSA-2679     xserver-xorg-video-openchrome   Multiple issues
DSA-2680     libxt                           Multiple issues
DSA-2681     libxcursor                      Multiple issues
DSA-2682     libxext                         Multiple issues
DSA-2683     libxi                           Multiple issues
DSA-2684     libxrandr                       Multiple issues
DSA-2685     libxp                           Multiple issues
DSA-2686     libxcb                          Multiple issues
DSA-2687     libfs                           Multiple issues
DSA-2688     libxres                         Multiple issues
DSA-2689     libxtst                         Multiple issues
DSA-2690     libxxf86dga                     Multiple issues
DSA-2691     libxinerama                     Multiple issues
DSA-2692     libxxf86vm                      Multiple issues
DSA-2693     libx11                          Multiple issues
DSA-2694     spip                            Privilege escalation
DSA-2698     tiff                            Buffer overflow
DSA-2701     krb5                            Denial of service
DSA-2702     telepathy-gabble                TLS verification bypass
DSA-2703     subversion                      Multiple issues
DSA-2708     fail2ban                        Denial of service
DSA-2710     xml-security-c                  Multiple issues
DSA-2711     haproxy                         Multiple issues
DSA-2713     curl                            Heap overflow
DSA-2715     puppet                          Code execution
DSA-2717     xml-security-c                  Heap overflow
DSA-2718     wordpress                       Multiple issues
DSA-2719     poppler                         Multiple issues
DSA-2723     php5                            Heap corruption
DSA-2725     tomcat6                         Multiple issues
DSA-2726     php-radius                      Buffer overflow
DSA-2727     openjdk-6                       Multiple issues
DSA-2728     bind9                           Denial of service
DSA-2729     openafs                         Multiple issues
DSA-2730     gnupg                           Information leak
DSA-2731     libgcrypt11                     Information leak
DSA-2733     otrs2                           SQL injection
DSA-2734     wireshark                       Multiple issues
DSA-2736     putty                           Multiple issues
DSA-2739     cacti                           Multiple issues
DSA-2740     python-django                   Cross-site scripting vulnerability
DSA-2742     php5                            Interpretation conflict
DSA-2744     tiff                            Multiple issues
DSA-2747     cacti                           Multiple issues
DSA-2748     exactimage                      Denial of service
DSA-2749     asterisk                        Multiple issues
DSA-2751     libmodplug                      Multiple issues
DSA-2752     phpbb3                          Too wide permissions
DSA-2753     mediawiki                       Cross-site request forgery token disclosure
DSA-2754     exactimage                      Denial of service
DSA-2755     python-django                   Directory traversal
DSA-2756     wireshark                       Multiple issues
DSA-2758     python-django                   Denial of service
DSA-2760     chrony                          Multiple issues
DSA-2763     pyopenssl                       Hostname check bypassing
DSA-2766     user-mode-linux                 Multiple issues
DSA-2766     linux-2.6                       Multiple issues
DSA-2767     proftpd-dfsg                    Denial of service
DSA-2770     torque                          Authentication bypass
DSA-2773     gnupg                           Multiple issues
DSA-2775     ejabberd                        Insecure SSL usage
DSA-2776     drupal6                         Multiple issues
DSA-2778     libapache2-mod-fcgid            Heap-based buffer overflow


Removed packages
----------------

The following packages were removed due to circumstances beyond our
control:

Package             Reason

irssi-plugin-otr    Security issues
libpam-rsa          Broken, causes security problems


Debian Installer
----------------

The installer has been rebuilt to include the fixes incorporated into
oldstable by the point release.


URLs
----

The complete lists of packages that have changed with this revision:

  http://ftp.debian.org/debian/dists/squeeze/ChangeLog

The current oldstable distribution:

  http://ftp.debian.org/debian/dists/oldstable/

Proposed updates to the oldstable distribution:

  http://ftp.debian.org/debian/dists/oldstable-proposed-updates

oldstable distribution information (release notes, errata etc.):

  http://www.debian.org/releases/oldstable/

Security announcements and information:

  http://security.debian.org/


About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.


Contact Information
-------------------

For further information, please visit the Debian web pages at
http://www.debian.org/, send mail to , or contact the stable release
team at .

--
To UNSUBSCRIBE, email to debian-announce-REQUEST ( -at -) lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster ( -at -) lists.debian.org
Archive: http://lists.debian.org/20131020184625.GI25562 ( -at -) finlandia.home.infodrom.org