Updated Debian 6.0: 6.0.5 released

May 12th, 2012

The Debian project is pleased to announce the fifth update of its stable distribution Debian 6.0 (codename squeeze). This update mainly adds corrections for security problems to the stable release, along with a few adjustments for serious problems. Security advisories were already published separately and are referenced where available.

Please note that this update does not constitute a new version of Debian 6.0 but only updates some of the packages included. There is no need to throw away 6.0 CDs or DVDs; after installing from them, update from an up-to-date Debian mirror so that any out-of-date packages are replaced.

Those who frequently install updates from security.debian.org won't have to update many packages, since most updates from security.debian.org are included in this update.

New installation media and CD and DVD images containing updated packages will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package                     Reason
acpid                       Really fix CVE-2011-1159
apr                         Fix apr_file_trunc() bug which could lead to Subversion repository corruption in some rare cases
at                          Create hardlink as privileged user for compatibility with later kernels
base-files                  Update /etc/debian_version for the point release
brltty                      Fix support for large esys/iris displays
clive                       Adapt for youtube.com changes
ecl                         Remove broken postrm script
eglibc                      Fix resolving issues with broken servers returning NOTIMP or FORMERR to AAAA queries; fix integer overflow in timezone code; local/manpages/gai.conf.5: update from latest RedHat version
evolution-data-server       Make e_book_get_changes() actually return changes
fail2ban                    Lock server's executeCmd to prevent racing among iptables calls; fix insecure creation of tempfiles
foomatic-filters            Fix insecure temporary file use in renderer command line
giplet                      Use checkip.dyndns.org instead of the no longer suitable www.whatismyip.org
gnusound                    Fix format string security issue
gosa                        Fix DHCP host removal and user generator Unicode character transliteration
highlight                   Remove broken postrm
json-glib                   Fix serialization of doubles
kdeutils                    Fix directory traversal in Ark
keepalived                  Set correct permissions on pid file
laptop-mode-tools           Add support for 3.x kernels
libcgicc                    Install pkg-config file to the correct location
libxi                       Fix passive grabs; handle unknown device classes; fill in mods/group->effective in XIQueryPointer
linux-2.6                   Add longterm releases 2.6.32.5[5-9]
linux-kernel-di-amd64-2.6   Rebuild against linux-2.6 2.6.32-45
linux-kernel-di-armel-2.6   Rebuild against linux-2.6 2.6.32-45
linux-kernel-di-i386-2.6    Rebuild against linux-2.6 2.6.32-45
linux-kernel-di-ia64-2.6    Rebuild against linux-2.6 2.6.32-45
linux-kernel-di-mips-2.6    Rebuild against linux-2.6 2.6.32-45
linux-kernel-di-mipsel-2.6  Rebuild against linux-2.6 2.6.32-45
linux-kernel-di-powerpc-2.6 Rebuild against linux-2.6 2.6.32-45
linux-kernel-di-s390-2.6    Rebuild against linux-2.6 2.6.32-45
linux-kernel-di-sparc-2.6   Rebuild against linux-2.6 2.6.32-45
netselect                   Robustness and documentation fixes; handle mirror lists with embedded attributes
openssh                     Fix information disclosure regarding forced commands via debug messages
openvpn                     Fix /sbin/route calls on kFreeBSD
php-memcache                Fix cache delete bug when deleting objects from memcached 1.4.4+
php-memcached               Fix double free in getServerByKey()
phppgadmin                  Fix XSS in function.php
policykit-1                 Fix race condition when reading from /proc which allows local users to gain root privileges by executing a setuid program from pkexec
procps                      Support 3.x kernels
pyspf                       Correctly process CNAMEs in SPF records
python-defaults             Correctly remove /var/lib/python/python2.6_already_installed
python-virtualenv           Fix insecure temp file handling
rott                        Fall back to downloading shareware data files from pkg-games.alioth.debian.org
sks                         Use standards-compliant POSTs
sysvinit                    Enable use of either rpcbind or portmap for NFS
texlive-base                Don't try to repair a missing pdftexconfig.tex in preinst
tremulous                   Rate-limit getstatus and rcon connectionless packets, to avoid their use for traffic amplification; fix several security bugs; disable auto-downloading
tzdata                      New upstream version
wicd                        Fix local privilege escalation, CVE-2012-2095
xfce4-weather-plugin        Update service key to restore access to server
yapra                       Add ruby1.8 build-dependency to fix broken build in clean environment

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Advisory ID Package                 Correction(s)
DSA-2321    moin                    Cross-site scripting
DSA-2352    puppet                  Programming error
DSA-2359    mojarra                 EL injection
DSA-2394    libxml2                 Multiple issues
DSA-2395    wireshark               Buffer underflow
DSA-2396    qemu-kvm                Buffer underflow
DSA-2397    icu                     Buffer underflow
DSA-2398    curl                    Multiple issues
DSA-2399    php5                    Multiple issues
DSA-2400    iceweasel               Multiple issues
DSA-2401    tomcat6                 Multiple issues
DSA-2402    iceape                  Multiple issues
DSA-2403    php5                    Code injection
DSA-2404    xen-qemu-dm-4.0         Buffer overflow
DSA-2405    apache2                 Multiple issues
DSA-2406    icedove                 Multiple issues
DSA-2407    cvs                     Heap overflow
DSA-2408    php5                    Multiple issues
DSA-2409    devscripts              Multiple issues
DSA-2410    libpng                  Integer overflow
DSA-2411    mumble                  Information disclosure
DSA-2412    libvorbis               Buffer overflow
DSA-2413    libarchive              Buffer overflows
DSA-2414    fex                     Insufficient input sanitization
DSA-2415    libmodplug              Multiple issues
DSA-2416    notmuch                 Information disclosure
DSA-2417    libxml2                 Denial of service
DSA-2418    postgresql-8.4          Multiple issues
DSA-2419    puppet                  Multiple issues
DSA-2420    openjdk-6               Multiple issues
DSA-2421    moodle                  Multiple issues
DSA-2422    file                    Missing bounds check
DSA-2423    movabletype-opensource  Multiple issues
DSA-2424    libxml-atom-perl        XML entity expansion
DSA-2425    plib                    Buffer overflow
DSA-2426    gimp                    Multiple issues
DSA-2427    imagemagick             Multiple issues
DSA-2428    freetype                Multiple issues
DSA-2430    python-pam              Double free
DSA-2431    libdbd-pg-perl          Format string vulnerabilities
DSA-2432    libyaml-libyaml-perl    Format string vulnerability
DSA-2433    iceweasel               Multiple issues
DSA-2434    nginx                   Sensitive information leak
DSA-2435    gnash                   Multiple issues
DSA-2436    libapache2-mod-fcgid    Inactive resource limits
DSA-2437    icedove                 Multiple issues
DSA-2438    raptor                  Programming error
DSA-2439    libpng                  Buffer overflow
DSA-2440    libtasn1-3              Integer overflow
DSA-2441    gnutls26                Missing bounds check
DSA-2442    openarena               UDP traffic amplification
DSA-2443    linux-2.6               Multiple issues
DSA-2443    user-mode-linux         Multiple issues
DSA-2444    tryton-server           Privilege escalation
DSA-2445    typo3-src               Multiple issues
DSA-2446    libpng                  Incorrect memory handling
DSA-2447    tiff                    Integer overflow
DSA-2448    inspircd                Buffer overflow
DSA-2449    sqlalchemy              Missing input sanitization
DSA-2450    samba                   Privilege escalation
DSA-2451    puppet                  Multiple issues
DSA-2452    apache2                 Insecure default configuration
DSA-2453    gajim                   Multiple issues
DSA-2454    openssl                 Multiple issues
DSA-2455    typo3-src               Cross site scripting
DSA-2456    dropbear                Use after free
DSA-2457    iceweasel               Multiple issues
DSA-2458    iceape                  Multiple issues
DSA-2459    quagga                  Multiple issues
DSA-2460    asterisk                Multiple issues
DSA-2461    spip                    Multiple issues
DSA-2462    imagemagick             Multiple issues
DSA-2463    samba                   Missing permission checks
DSA-2464    icedove                 Multiple issues
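The upgrade procedure described above (point apt or aptitude at a mirror, update, upgrade) gives no way to tell afterwards which of the packages in the two tables actually matter on a given host. The following script is an added example, not part of the Debian announcement or of any Debian tool: it embeds the source package names from the Security Updates table and the security-relevant entries of the Miscellaneous Bugfixes table, checks that /etc/debian_version reads 6.0.5 (which the base-files update in this point release sets), and lists which of those packages are installed so their upgrades can be verified first. The mirror hostname in the sources.list sample and the file name check-6.0.5.sh are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Debian announcement: after upgrading a
# Debian 6.0 host as described under "Upgrading" (point apt at a mirror,
# update, upgrade), report whether the point release landed and which
# packages that received a security fix in 6.0.5 are installed here, so
# their upgrades can be verified first. The mirror hostname below is an
# assumption; any mirror from the Debian mirror list will do.
#
#   /etc/apt/sources.list for Debian 6.0 (squeeze):
#     deb http://ftp.debian.org/debian squeeze main
#     deb http://security.debian.org/ squeeze/updates main
#   then, as root:
#     apt-get update && apt-get upgrade
#   (aptitude update && aptitude safe-upgrade does the same job).

# Source packages from the "Security Updates" table (DSA-2321 .. DSA-2464),
# each listed once.
DSA_SOURCES="moin puppet mojarra libxml2 wireshark qemu-kvm icu curl php5
iceweasel tomcat6 iceape xen-qemu-dm-4.0 apache2 icedove cvs devscripts libpng
mumble libvorbis libarchive fex libmodplug notmuch postgresql-8.4 openjdk-6
moodle file movabletype-opensource libxml-atom-perl plib gimp imagemagick
freetype python-pam libdbd-pg-perl libyaml-libyaml-perl nginx gnash
libapache2-mod-fcgid raptor libtasn1-3 gnutls26 openarena linux-2.6
user-mode-linux tryton-server typo3-src tiff inspircd sqlalchemy samba gajim
openssl dropbear quagga asterisk spip"

# Packages whose entry in the "Miscellaneous Bugfixes" table describes a
# security fix that shipped without a separate DSA.
BUGFIX_SECURITY="acpid fail2ban foomatic-filters gnusound kdeutils openssh
phppgadmin policykit-1 python-virtualenv tremulous wicd"

# point_release_ok CONTENTS: true when CONTENTS, the text of
# /etc/debian_version, is 6.0.5 (base-files in this point release sets it).
point_release_ok() {
    [ "$(printf '%s' "$1" | tr -d ' \t\n')" = "6.0.5" ]
}

# installed_sources LIST: reads records "binary<TAB>source<TAB>version<TAB>status"
# on stdin (see dpkg_records) and prints, once each and in order of first
# appearance, the source packages from LIST that have at least one binary in
# state "installed". dpkg's Source field is empty when it equals the binary
# name and may carry a version in parentheses, e.g. "php5 (5.3.3-7)", so only
# its first word is compared.
installed_sources() {
    awk -v list="$(printf '%s' "$1" | tr '\n' ' ')" '
        BEGIN { FS = "\t"; n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $4 ~ / installed$/ {
            split($2, s, " ")
            src = (s[1] == "") ? $1 : s[1]
            if ((src in want) && !(src in seen)) { seen[src] = 1; print src }
        }'
}

# dpkg_records: dump the package database in the format installed_sources
# expects. ${Source} is used rather than ${source:Package}, which the dpkg
# in squeeze (1.15) does not know.
dpkg_records() {
    dpkg-query -W -f='${Package}\t${Source}\t${Version}\t${Status}\n'
}

# Run as "sh check-6.0.5.sh --check" on the upgraded host (file name assumed).
if [ "${1:-}" = "--check" ]; then
    dv=$(cat /etc/debian_version)
    if point_release_ok "$dv"; then
        echo "point release 6.0.5 applied (/etc/debian_version: $dv)"
    else
        echo "warning: /etc/debian_version is '$dv', not 6.0.5; run apt-get update && apt-get upgrade"
    fi
    echo "installed source packages with a DSA in this point release:"
    dpkg_records | installed_sources "$DSA_SOURCES"
    echo "installed packages with a non-DSA security fix in this point release:"
    dpkg_records | installed_sources "$BUGFIX_SECURITY"
fi
```

The script matches on source package names because that is what the tables list; binaries such as libssl0.9.8 or linux-image-2.6.32-5-amd64 are mapped back through dpkg's Source field. It does not compare version numbers, since the announcement gives none; for each package it reports, `apt-cache policy <package>` shows whether the installed version already equals the candidate from the mirror.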

Debian Installer

The installer has been rebuilt to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

The current stable distribution:

Proposed updates to the stable distribution:

Stable distribution information (release notes, errata etc.):

Security announcements and information:

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.