Updated Debian 6.0: 6.0.2 released

June 25th, 2011

The Debian project is pleased to announce the second update of its stable distribution Debian 6.0 (codename squeeze). This update mainly adds corrections for security problems to the stable release, along with a few adjustments to serious problems. Security advisories were already published separately and are referenced where available.

Please note that this update does not constitute a new version of Debian 6.0 but only updates some of the packages included. There is no need to throw away 6.0 CDs or DVDs; after an installation, simply update via an up-to-date Debian mirror to bring any out-of-date packages up to date.

Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.

New installation media and CD and DVD images containing updated packages will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

| Package | Reason |
|---|---|
| aide | Properly support large files on 32-bit systems; fix group for bind9 log files |
| approx | Don't try caching InRelease or non-.gz compressed files |
| apr | Fix apr_ino_t changing size depending on -D_FILE_OFFSET_BITS on kfreebsd-* |
| apt | Fix file size calculation on big-endian arches; don't prompt for CD re-insertion on apt-get update; add XZ support |
| apt-listchanges | Correctly handle NEWS files containing only one entry |
| base-files | Update /etc/debian_version |
| clive | Adapt for liveleak.com changes |
| dbus | Fix local DoS for system services (CVE-2011-2200) |
| deborphan | Exclude libreoffice from --guess-section output; trap WINCH in a POSIX way; minor translation fixes |
| dokuwiki | Fix an ACL bypass issue in the XMLRPC interface |
| dpkg | Fix regression in 'dpkg-divert --rename'; dpkg-split: don't corrupt metadata on 32-bit systems; fix vsnprintf() compat declaration |
| e2fsprogs | Various bug fixes |
| fakechroot | Fix 'debootstrap --variant=fakechroot' |
| fcgiwrap | Fix init script's 'stop' target |
| gdm3 | Reset SIGPIPE handler before starting the session; execute the PostSession script even when GDM is killed or shut down |
| git | Allow remove and purge in one step by terminating the git-daemon/log service before removing the gitlog user |
| gnome-settings-daemon | Work around possible race condition when starting Xsettings manager |
| ia32-libs | Refresh packages from stable and proposed-updates |
| iceowl | Security updates |
| im-config | Avoid breaking login via GDM if im-config is removed but not purged |
| inn | Stop using 'sort +1n' in makehistory; disable outdated CHECK_INCLUDED_TEXT option by default |
| josm | Give more verbose explanation to users who haven't agreed to the new OSM license |
| kde4libs | Wildcard SSL certificate and XSS security fixes; ktar checksum and UTF-8 longlink fixes |
| kdenetwork | Improve fix for CVE-2010-1000 directory traversal issue |
| kernel-wedge | Add hpsa and pm8001 to scsi-extra-modules; add bna to nic-extra-modules |
| kerneltop | Increase line buffer size to 1024 bytes |
| klibc | ipconfig: escape DHCP options and correctly handle multiple connected network devices (CVE-2011-1930) |
| krb5 | Fix DoS; fix interoperability with w2k8r2 KDCs; fix invalid free and double free; don't make authentication fail if PAC verification fails |
| kupfer | Use correct parameter type to allow keybindings to work again |
| libapache2-mod-perl2 | Rebuild against apr 1.4.2-6+squeeze3 to pick up apr_ino_t size fix on kFreeBSD |
| libburn | Don't create images with overly-restrictive permissions |
| libfinance-quotehist-perl | Disable test suite, broken by website changes |
| libmms | Fix alignment issues on arm |
| linux-2.6 | New hardware support; add longterm 2.6.32.41; fix oops via corrupted partition tables |
| linux-kernel-di-amd64-2.6 | Rebuild against kernel-wedge 2.74+squeeze3 |
| linux-kernel-di-armel-2.6 | Rebuild against kernel-wedge 2.74+squeeze3 |
| linux-kernel-di-i386-2.6 | Rebuild against kernel-wedge 2.74+squeeze3 |
| linux-kernel-di-ia64-2.6 | Rebuild against kernel-wedge 2.74+squeeze3 |
| linux-kernel-di-mips-2.6 | Rebuild against kernel-wedge 2.74+squeeze3 |
| linux-kernel-di-mipsel-2.6 | Rebuild against kernel-wedge 2.74+squeeze3 |
| linux-kernel-di-powerpc-2.6 | Rebuild against kernel-wedge 2.74+squeeze3 |
| linux-kernel-di-s390-2.6 | Rebuild against kernel-wedge 2.74+squeeze3 |
| linux-kernel-di-sparc-2.6 | Rebuild against kernel-wedge 2.74+squeeze3 |
| lua-expat | Fix the 'billion laughs' DoS attack |
| monkeysphere | Fix monkeysphere-host revoke-key |
| nagios-plugins | Allocate a big enough buffer to handle all IPs of hosts being pinged |
| nsd3 | Remove statoverride before removing the package's user |
| openldap | Fix possible database corruption issues, several security issues and dpkg-reconfigure |
| php-svn | Rebuild against apr 1.4.2-6+squeeze3 to pick up apr_ino_t size fix on kFreeBSD |
| php5 | Rebuild against apr 1.4.2-6+squeeze3 to pick up apr_ino_t size fix on kFreeBSD |
| pianobar | Update API keys for XMLRPC v30 |
| postgresql-8.4 | New upstream bugfix release; fix pg_upgrade use with TOAST tables |
| prosody | Fix the 'billion laughs' DoS attack |
| puppet | Fix service provider to properly use update-rc.d disable API |
| python-apt | Strip multiarch by default in RealParseDepends; add XZ support |
| python-gudev | Add missing dependency on python-gobject |
| q4wine | Stop shipping the library in lib64 |
| qemu | Don't register qemu-mips(el) with binfmt on mips(el) |
| qemu-kvm | Fix division by 0 with some guests; fix vnc zlib overflow; don't abort on user hardware errors; fix migration on 32-bit |
| qt4-x11 | Blacklist some fraudulent SSL certificates; fix weakness in wildcard certificate verification |
| rapidsvn | Rebuild against apr 1.4.2-6+squeeze3 to pick up apr_ino_t size fix on kFreeBSD |
| refpolicy | Various permissions fixes |
| reprepro | Handle Release files which don't contain md5sums |
| ruby1.8 | Fix upgrades from lenny by making libruby1.8 conflict/replace irb1.8 and rdoc1.8 |
| samba | Fix undefined symbol error from tdb2.so; several printing-related bugs and a gid leak in winbind / idmap; document the new and potentially disruptive 'map untrusted to domain' |
| schroot | Fix loading of dchroot.conf |
| softhsm | Remove statoverride entries before the package's user |
| sun-java6 | New upstream security update |
| tzdata | New upstream version |
| vimperator | Resolve compatibility issues with iceweasel |
| widelands | Fix potential security issue in Internet games |
| xenomai | Adapt kernel patch to apply cleanly to squeeze's kernel |
| xserver-xorg-video-tseng | Fix driver initialisation |

Debian Installer

The kernel image used by the installer has been updated to incorporate a number of important and security-related fixes together with support for additional hardware.

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

| Advisory ID | Package | Correction(s) |
|---|---|---|
| DSA-2161 | openjdk-6 | Denial of service |
| DSA-2193 | libcgroup | Several |
| DSA-2194 | libvirt | Privilege escalation |
| DSA-2195 | php5 | Several |
| DSA-2197 | quagga | Denial of service |
| DSA-2198 | tex-common | Insufficient input sanitizing |
| DSA-2199 | iceape | Update HTTPS certificate blacklist |
| DSA-2200 | iceweasel | Update HTTPS certificate blacklist |
| DSA-2201 | wireshark | Several |
| DSA-2202 | apache2 | Failure to drop root privileges |
| DSA-2203 | nss | Update HTTPS certificate blacklist |
| DSA-2205 | gdm3 | Privilege escalation |
| DSA-2206 | mahara | Several |
| DSA-2208 | bind9 | Denial of service |
| DSA-2209 | tgt | Double free |
| DSA-2211 | vlc | Missing input sanitising |
| DSA-2212 | tmux | Privilege escalation |
| DSA-2213 | x11-xserver-utils | Missing input sanitizing |
| DSA-2214 | ikiwiki | Missing input validation |
| DSA-2215 | gitolite | Directory traversal |
| DSA-2216 | isc-dhcp | Missing input sanitizing |
| DSA-2218 | vlc | Heap-based buffer overflow |
| DSA-2219 | xmlsec1 | File overwrite |
| DSA-2220 | request-tracker3.8 | Several |
| DSA-2221 | libmojolicious-perl | Directory traversal |
| DSA-2222 | tinyproxy | Incorrect ACL processing |
| DSA-2223 | doctrine | SQL injection |
| DSA-2224 | openjdk-6 | Several |
| DSA-2225 | asterisk | Several |
| DSA-2226 | libmodplug | Buffer overflow |
| DSA-2227 | iceape | Several |
| DSA-2229 | spip | Denial of service |
| DSA-2230 | qemu-kvm | Several |
| DSA-2231 | otrs2 | Cross-site scripting |
| DSA-2232 | exim4 | Format string vulnerability |
| DSA-2233 | postfix | Several |
| DSA-2235 | icedove | Several |
| DSA-2236 | exim4 | Command injection |
| DSA-2237 | apr | Denial of service |
| DSA-2238 | vino | Denial of service |
| DSA-2239 | libmojolicious-perl | Several |
| DSA-2240 | user-mode-linux | Several issues |
| DSA-2240 | linux-2.6 | Several issues |
| DSA-2241 | qemu-kvm | Implementation error |
| DSA-2242 | cyrus-imapd-2.2 | Implementation error |
| DSA-2244 | bind9 | Wrong boundary condition |
| DSA-2245 | chromium-browser | Several vulnerabilities |
| DSA-2246 | mahara | Several vulnerabilities |
| DSA-2247 | rails | Several vulnerabilities |
| DSA-2249 | jabberd14 | Denial of service |
| DSA-2250 | citadel | Denial of service |
| DSA-2254 | oprofile | Command injection |
| DSA-2255 | libxml2 | Buffer overflow |
| DSA-2257 | vlc | Buffer overflow |
| DSA-2259 | fex | Authentication bypass |
| DSA-2261 | redmine | Several |
| DSA-2262 | moodle | Several |
| DSA-2263 | movabletype-opensource | Several |
| DSA-2265 | perl | Missing taint check |

Removed packages

The following packages were removed due to circumstances beyond our control:

| Package | Reason |
|---|---|
| ktsuss | Security issues; unmaintained |

URLs

The complete lists of packages that have changed with this revision:

The current stable distribution:

Proposed updates to the stable distribution:

Stable distribution information (release notes, errata etc.):

Security announcements and information:

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.