Updated Debian 5.0: 5.0.10 released

March 10th, 2012

The Debian project is pleased to announce the tenth and final update of its oldstable distribution Debian 5.0 (codename lenny). This update mainly adds corrections for security problems to the oldstable release, along with a few adjustments for serious problems. Security advisories were already published separately and are referenced where available.

The alpha and ia64 packages from DSA 1769 are not included in this point release for technical reasons. All other security updates released during the lifetime of lenny that have not previously been part of a point release are included in this update.

Please note that the security support for the oldstable distribution ended in February 2012 and no updates have been released since that point.

Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.

New installation media and CD and DVD images containing updated packages will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:

Please note that the oldstable distribution will be moved from the main archive to the archive.debian.org repository after March 24th 2012. After this move, it will no longer be available from the main mirror network. More information about the distribution archive and a list of mirrors is available at:

Miscellaneous Bugfixes

This oldstable update adds a few important corrections to the following packages:

Package            Reason
apr                Disable robust pthread mutexes on alpha, arm, and armel
base-files         Update /etc/debian_version for the point release
ia32-libs          Refresh packages to include recent security updates
libdigest-perl     Fix unsafe use of eval in Digest->new()
linux-2.6          Various security fixes
phppgadmin         Fix XSS
postgresql-8.3     New upstream micro-release
typo3-src          Fix cache flooding via improper error handling
xapian-omega       Fix escaping issues in templates
xpdf               Insecure tempfile usage in zxpdf
user-mode-linux    Rebuild against linux-source-2.6.26 (2.6.26-29)

Security Updates

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates:

Advisory ID   Package                   Correction(s)
DSA-1769      openjdk-6                 Arbitrary code execution
DSA-2161      openjdk-6                 Multiple issues
DSA-2224      openjdk-6                 Multiple issues
DSA-2237      apr                       Denial of service
DSA-2251      subversion                Multiple issues
DSA-2258      kolab-cyrus-imapd         Implementation error
DSA-2263      movabletype-opensource    Multiple issues
DSA-2265      perl                      Missing taint check
DSA-2267      perl                      Restriction bypass
DSA-2271      curl                      Improper delegation of client credentials
DSA-2281      opie                      Multiple issues
DSA-2284      opensaml2                 Implementation error
DSA-2285      mapserver                 Multiple issues
DSA-2287      libpng                    Multiple issues
DSA-2301      rails                     Multiple issues
DSA-2305      vsftpd                    Denial of service
DSA-2313      xulrunner                 Multiple issues
DSA-2315      openoffice.org            Multiple issues
DSA-2316      quagga                    Multiple issues
DSA-2318      cyrus-imapd-2.2           Multiple issues
DSA-2320      dokuwiki                  Regression fix
DSA-2321      moin                      Cross-site scripting
DSA-2323      radvd                     Multiple issues
DSA-2324      wireshark                 Programming error
DSA-2328      freetype                  Missing input sanitising
DSA-2332      python-django             Multiple issues
DSA-2333      phpldapadmin              Multiple issues
DSA-2334      mahara                    Multiple issues
DSA-2335      man2html                  Missing input sanitization
DSA-2339      nss                       Multiple issues
DSA-2340      postgresql-8.3            Weak password hashing
DSA-2341      xulrunner                 Multiple issues
DSA-2343      openssl                   CA trust revocation
DSA-2346      proftpd-dfsg              Multiple issues
DSA-2347      bind9                     Improper assert
DSA-2350      freetype                  Missing input sanitising
DSA-2351      wireshark                 Buffer overflow
DSA-2352      puppet                    Programming error
DSA-2354      cups                      Multiple issues
DSA-2355      clearsilver               Format string vulnerability
DSA-2357      evince                    Multiple issues
DSA-2358      openjdk-6                 Multiple issues
DSA-2361      chasen                    Buffer overflow
DSA-2362      acpid                     Multiple issues
DSA-2363      tor                       Buffer overflow
DSA-2365      dtc                       Multiple issues
DSA-2366      mediawiki                 Multiple issues
DSA-2367      asterisk                  Multiple issues
DSA-2368      lighttpd                  Multiple issues
DSA-2369      libsoup2.4                Directory traversal
DSA-2370      unbound                   Multiple issues
DSA-2371      jasper                    Buffer overflows
DSA-2372      heimdal                   Buffer overflow
DSA-2373      inetutils                 Buffer overflow
DSA-2374      openswan                  Implementation error
DSA-2375      krb5                      Buffer overflow
DSA-2376      ipmitool                  Insecure pid file
DSA-2377      cyrus-imapd-2.2           Denial of service
DSA-2380      foomatic-filters          Shell command injection
DSA-2382      ecryptfs-utils            Multiple issues
DSA-2383      super                     Buffer overflow
DSA-2384      cacti                     Multiple issues
DSA-2385      pdns                      Packet loop
DSA-2386      openttd                   Multiple issues
DSA-2388      t1lib                     Multiple issues
DSA-2390      openssl                   Multiple issues
DSA-2392      openssl                   Out-of-bounds read
DSA-2394      libxml2                   Multiple issues
DSA-2397      icu                       Buffer underflow
DSA-2398      curl                      Multiple issues
DSA-2399      php5                      Multiple issues
DSA-2400      xulrunner                 Multiple issues
DSA-2403      php5                      Code injection
DSA-2405      apache2                   Multiple issues
DSA-2405      apache2-mpm-itk           Multiple issues

Debian Installer / kernel

The kernel included in this point release has been updated to incorporate fixes for a number of security issues. The installer has been rebuilt to use the new kernel.

Removed packages

The following packages were removed due to circumstances beyond our control:

Package        Reason
qcad           Non-distributable
partlibrary    Non-distributable

URLs

The complete lists of packages that have changed with this revision:

The current oldstable distribution:

Proposed updates to the oldstable distribution:

oldstable distribution information (release notes, errata etc.):

Security announcements and information:

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.