Debian 9844 Published by

The ninth update of the Debian 5.0 (oldstable) has been released



------------------------------------------------------------------------
The Debian Project http://www.debian.org/
Updated Debian 5.0: 5.0.9 released press@debian.org
October 1st, 2011 http://www.debian.org/News/2011/20111001
------------------------------------------------------------------------

Updated Debian 5.0: 5.0.9 released

The Debian project is pleased to announce the ninth update of its
oldstable distribution Debian GNU/Linux 5.0 (codename "lenny"). This
update mainly adds corrections for security problems to the oldstable
release, along with a few adjustment to serious problems. Security
advisories were already published separately and are referenced where
available.

Please note that this update does not constitute a new version of Debian
GNU/Linux 5.0 but only updates some of the packages included. There is
no need to throw away 5.0 CDs or DVDs but only to update via an
up-to-date Debian mirror after an installation, to cause any out of date
packages to be updated.

Those who frequently install updates from security.debian.org won't have
to update many packages and most updates from security.debian.org are
included in this update.

New installation media and CD and DVD images containing updated packages
will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the
aptitude (or apt) package tool (see the sources.list(5) manual page)
to one of Debian's many FTP or HTTP mirrors. A comprehensive list of
mirrors is available at:

http://www.debian.org/mirror/list


Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following
packages:

Package Reason

aptitude Fix symlink attack in hierarchy editor
atop Insecure use of temporary files
base-files Update /etc/debian_version for the point release
conky Fix file overwrite vulnerability
dokuwiki RSS XSS security fix
klibc Escape ipconfig's DHCP options
linux-2.6 Several security updates and select fixes from upstream 2.6.27.58/9
magpierss Fix cross-site scripting vulnerability (CVE-2011-0740)
mediawiki Protect against CSS injection vulnerability
openldap Security fixes
openssl Fix CVE-2011-3210: SSL memory handling for (EC)DH ciphersuites
pmake Fix symlink attack via temporary files
sun-java6 New upstream security update
tesseract Disable xterm-based debug windows to avoid file overwrite vulnerability
tzdata New upstream version
user-mode-linux Rebuild against linux-2.6 2.6.26-27
v86d Fix CVE-2011-1070: failure to validate netlink message sender;
do not include random kernel headers in CFLAGS
vftool Fix a buffer overflow in linetoken() in parseAFM.c
xorg-server GLX: don't crash in SwapBuffers if we don't have a context

Due to the timing of this point release relative to the next update for
the stable release (Debian 6.0 "squeeze"), the versions of atop and
tzdata included in this point release are higher than the corresponding
packages currently in stable. The next stable point release is planned
for one week's time, after which the package versions in stable will
once again be higher, as expected.

We do not expect that this situation will cause any issues with upgrades
from oldstable to the stable release during this short period of time,
but please report any such issues which do arise. (See the "Contact
Information" section below).


Security Updates
----------------

This revision adds the following security updates to the stable
release. The Security Team has already released an advisory for each of
these updates:

Advisory ID Package Correction(s)

DSA-2043 vlc Arbitrary code execution
DSA-2149 dbus Denial of service
DSA-2150 request-tracker3.6 Salt password hashing
DSA-2151 openoffice.org Multiple issues
DSA-2152 hplip Buffer overflow
DSA-2153 linux-2.6 Multiple issues
DSA-2153 user-mode-linux Multiple issues
DSA-2154 exim4 Privilege escalation
DSA-2155 freetype Multiple issues
DSA-2156 pcsc-lite Buffer overflow
DSA-2157 postgresql-8.3 Buffer overflow
DSA-2158 cgiirc Cross-site scripting flaw
DSA-2165 ffmpeg-debian Buffer overflow
DSA-2167 phpmyadmin SQL injection
DSA-2168 openafs Multiple issues
DSA-2169 telepathy-gabble Missing input validation
DSA-2170 mailman Multiple issues
DSA-2171 asterisk Buffer overflow
DSA-2172 moodle Multiple issues
DSA-2173 pam-pgsql Buffer overflow
DSA-2174 avahi Denial of service
DSA-2175 samba Missing input sanitising
DSA-2176 cups Multiple issues
DSA-2179 dtc SQL injection
DSA-2181 subversion Denial of service
DSA-2182 logwatch Remote code execution
DSA-2183 nbd Arbitrary code execution
DSA-2186 xulrunner Multiple issues
DSA-2191 proftpd-dfsg Multiple issues
DSA-2195 php5 Multiple issues
DSA-2196 maradns Buffer overflow
DSA-2197 quagga Denial of service
DSA-2200 nss Compromised certificate authority
DSA-2200 xulrunner Update HTTPS certificate blacklist
DSA-2201 wireshark Multiple issues
DSA-2203 nss Update HTTPS certificate blacklist
DSA-2204 imp4 Insufficient input sanitising
DSA-2206 mahara Multiple issues
DSA-2207 tomcat5.5 Multiple issues
DSA-2208 bind9 Issue with processing of new DNSSEC DS records
DSA-2210 tiff Multiple issues
DSA-2211 vlc Missing input sanitising
DSA-2213 x11-xserver-utils Missing input sanitizing
DSA-2214 ikiwiki Missing input validation
DSA-2217 dhcp3 Missing input sanitizing
DSA-2219 xmlsec1 File overwrite
DSA-2220 request-tracker3.6 Multiple issues
DSA-2225 asterisk Multiple issues
DSA-2226 libmodplug Buffer overflow
DSA-2228 xulrunner Multiple issues
DSA-2233 postfix Multiple issues
DSA-2234 zodb Multiple issues
DSA-2242 cyrus-imapd-2.2 Implementation error
DSA-2243 unbound Design flaw
DSA-2244 bind9 Wrong boundary condition
DSA-2246 mahara Multiple issues
DSA-2247 rails Multiple issues
DSA-2248 ejabberd Denial of service
DSA-2250 citadel Denial of service
DSA-2253 fontforge Buffer overflow
DSA-2254 oprofile Command injection
DSA-2255 libxml2 Buffer overflow
DSA-2260 rails Multiple issues
DSA-2264 linux-2.6 Multiple issues
DSA-2264 user-mode-linux Multiple issues
DSA-2266 php5 Multiple issues
DSA-2268 xulrunner Multiple issues
DSA-2272 bind9 Denial of service
DSA-2274 wireshark Multiple issues
DSA-2276 asterisk Multiple issues
DSA-2277 xml-security-c Buffer overflow
DSA-2278 horde3 Multiple issues
DSA-2280 libvirt Multiple issues
DSA-2286 phpmyadmin Multiple issues
DSA-2288 libsndfile Integer overflow
DSA-2289 typo3-src Multiple issues
DSA-2290 samba Cross-side scripting
DSA-2291 squirrelmail Multiple issues
DSA-2292 dhcp3 Denial of service
DSA-2293 libxfont Buffer overflow
DSA-2294 freetype Missing input sanitization
DSA-2296 xulrunner Multiple issues
DSA-2298 apache2 Denial of service
DSA-2298 apache2-mpm-itk Denial of service
DSA-2300 nss Compromised certificate authority
DSA-2301 rails Multiple issues
DSA-2302 bcfg2 Arbitrary code execution
DSA-2304 squid3 Buffer overflow
DSA-2308 mantis Multiple issues
DSA-2309 openssl Compromised certificate authority
DSA-2310 linux-2.6 Multiple issues


Debian Installer
----------------

The Debian Installer has been updated to incorporate a new kernel
containing a number of important and security-related fixes.


Removed package
---------------

The following package was removed due to circumstances beyond our control:

Package Reason

pixelpost Unmaintained, multiple security issues


URLs
----

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/squeeze/ChangeLog

The current stable distribution:

http://ftp.debian.org/debian/dists/stable

Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates

Stable distribution information (release notes, errata etc.):

http://www.debian.org/releases/stable/

Security announcements and information:

http://www.debian.org/security/


About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian GNU/Linux.