Updated Debian 7: 7.7 released

October 18th, 2014

The Debian project is pleased to announce the seventh update of its stable distribution Debian 7 (codename wheezy ). This update mainly adds corrections for security problems to the stable release, along with a few adjustments for serious problems. Security advisories were already published separately and are referenced where available.

Please note that this update does not constitute a new version of Debian 7 but only updates some of the packages included. There is no need to throw away old wheezy CDs or DVDs but only to update via an up-to-date Debian mirror after an installation, to cause any out of date packages to be updated.

Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.

New installation media and CD and DVD images containing updated packages will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package Reason at Only retain variables whose name consists of alphanumerics and underscores, preventing jobs from failing in case bash exports functions to the environment with the changes from DSA-3035 axis Fix MITM attack on SSL caused by incomplete fix for CVE-2012-5784 [CVE-2014-3596] base-files Update for the point release blender Fix illegal hardware instruction ca-certificates Update Mozilla certificate bundle; fix certdata2pem.py for multiple CAs using the same CKA_LABEL debian-archive-keyring Add jessie stable release key debian-installer Rebuild for the point release debian-installer-netboot-images Update to 20130613+deb7u2+b3 images debsums Suppress reporting conffiles which were moved to a new package as modified in the old package dwm Fix broken patch headers eglibc Fix invalid file descriptor reuse while sending DNS query; fix stack overflow issues [CVE-2013-4357]; fix a localplt regression introduced in version 2.13-38+deb7u3 [CVE-2014-0475]; fix a memory leak with dlopen() and thread-local storage variables; re-include all documentation, accidentally broken in earlier uploads exim4 Stop unwanted double expansion of arguments to mathematical comparison operations [CVE-2014-2972] flashplugin-nonfree Fix downgrade vulnerability, update dependencies foremost Fix invalid patch header getfem++ Fix broken patch headers gnubg Fix crash on end game when gnubg is run with the -t option hawtjni Fix /tmp race condition with arbitrary code execution [CVE-2013-2035] ipython Fix remote execution via cross origin websocket [CVE-2014-3429] iso-scan Do not error out when searching in folders with shell-special characters in their name keyutils Use the default compression level for xz for binary packages kvpm Fix invalid patch header libdatetime-timezone-perl New upstream release libplack-perl Avoid unintended file access due to incorrect stripping of trailing slashes from provided paths [CVE-2014-5269] libsnmp-session-perl Fix perl warnings with libsocket6-perl installed linux Update to upstream stable 3.2.63; update drm and agp to 3.4.103; udf: avoid infinite loop when processing indirect ICBs [CVE-2014-6410]; libceph: do not hard code max auth ticket len [CVE-2014-6416 CVE-2014-6417 CVE-2014-6418]; add pata_rdc to pata-modules udeb and virtio_scsi to virtio-modules udeb; sp5100_tco: reject SB8x0 chips live-config Disable SSH login at boot nana Rebuild with debhelper from wheezy to get rid of install-info calls in maintainer scripts; add dummy empty prerm script to allow upgrading the package after is not available net-snmp Fix snmpd: produces error if the Executables/scripts entries in snmpd.conf is over 50 ; security fixes [CVE-2014-2285 CVE-2014-3565 CVE-2012-6151] netcfg Fix support for entering an ESSID manually oss-compat Use softdep directives in the modprobe configuration; remove oss-compat.conf when removing the package perl Don't recurse infinitely in Data::Dumper [CVE-2014-4330] php-getid3 Improve fix for XXE security issue [CVE-2014-2053] postgresql-8.4 New upstream release postgresql-9.1 New upstream release proftpd-dfsg Fix overlapping buffer leading to SFTP crashes and stalls qlandkartegt Update user agent string scotch Rebuild on amd64 to correct openmpi dependency supervisor Fix restart and formatting problems with the init script tor Use correct byte order when sending the address of the chosen rendezvous point to a hidden service; update IP address for the gabelmoo v3 directory authority tzdata New upstream release unattended-upgrades Add oldstable to the list of accepted origins for security packages virtinst Unbreak virtinst with newer python-libvirt wireless-regdb New upstream release witty Fix symlink to jPlayer skin Blue Monday xdg-utils Use /bin/echo rather than echo -e in xdg-mail

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason ctn Undistributable ssdeep Undistributable dicomnifti Depends on to-be-removed ctn ctsim Depends on to-be-removed ctn

URLs

The complete lists of packages that have changed with this revision:

The current stable distribution:

Proposed updates to the stable distribution:

stable distribution information (release notes, errata etc.):

Security announcements and information:

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.