Updated Debian 7: 7.6 released

July 12th, 2014

The Debian project is pleased to announce the sixth update of its stable distribution Debian 7 (codename wheezy ). This update mainly adds corrections for security problems to the stable release, along with a few adjustments for serious problems. Security advisories were already published separately and are referenced where available.

Please note that this update does not constitute a new version of Debian 7 but only updates some of the packages included. There is no need to throw away old wheezy CDs or DVDs but only to update via an up-to-date Debian mirror after an installation, to cause any out of date packages to be updated.

Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.

New installation media and CD and DVD images containing updated packages will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

Package Reason apache2 Support ECC keys and ECDH ciphers; mod_proxy: fix crashes under load; mod_dav: fix potential DoS [CVE-2013-6438]; mod_log_config: fix cookie logging apt-cacher-ng Fix cross-site scripting via 403 responses [CVE-2014-4510] automake1.9-nonfree Add empty prerm to ensure a clean upgrade path in case of install-info removal base-files Update for the point release catfish Fix regression from previous security update clamav New upstream release; fix a crash while using clamscan cmus Fix build failure related to the libmodplug upgrade in DSA 2751 cups Fix XSS in the CUPS web interface; fix syntax errors in Hungarian templates cyrus-imapd-2.4 Fix missing GUID for binary appends; fix broken nntpd dbus Fix denial of service [CVE-2014-3477] duo-unix Update upstream HTTPS certificates; improve support for SHA2 in HTTPS eglibc Fix issues which could break dynamic linker on biarch systems; fix regression in IPv6 name resolution; fix February month name in de_AT locale; fix backtrace() on mips; fix nl_langinfo() when used in static binaries elib Rebuild with current debhelper firebug Take over xul-ext-firecookie, as firebug now provides all its functionality; remove copyrighted ICC profile hdf5 Rebuild against current wheezy gfortran intel-microcode Updated microcode; new upstream release ldns Fix default permissions on private DNSKEYs generated by ldns-keygen [CVE-2014-3209] libdatetime-timezone-perl New upstream release libdbi-perl Remove dependency on to-be-removed libplrpc-perl libflickr-api-perl Update URLs in line with upstream changes libjpeg6b Fix memory disclosure vulnerabilities [CVE-2013-6629 CVE-2013-6630] libjpeg8 Fix memory disclosure vulnerabilities [CVE-2013-6629 CVE-2013-6630] libopenobex Fix segfault when transferring files maitreya Replace font to avoid copyright issues mobile-broadband-provider-info Update included data nostalgy Add support for newer icedove versions openchange Remove packages which depend on previously removed samba4 packages openssh Restore patch to disable OpenSSL version check openssl Don't prefer ECDHE_ECDSA with some Safari versions; actually restart the services when restart-without-asking is set policyd-weight Fix infinite loop if resolver only reachable via IPv6 proftpd-mod-geoip Remove useless and buggy proftpd-mod-geoip.postrm script py3dns Fix timeouts associated with only one of several available nameservers being unavailable; correctly deal with source port already in use errors pydap Add dap to namespace_packages in setup.py quassel Fix certificate permissions scheme48 Fix insecure use of temporary file [CVE-2014-4150] sieve-extension Add support for newer icedove versions sks Fix cross-site scripting [CVE-2014-3207]; improve Berkeley DB upgrade handling squid3 Fix sporadic assertion failure under high load suds Fix insecure creation of cache paths tor New upstream release tzdata New upstream release unbound Fix crash when using DNSSEC and num-threads > 1 win32-loader Update embedded dependencies wireless-regdb Update data xmms2 Fix build failure related to the libmodplug upgrade in DSA 2751

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

Removed packages

The following packages were removed due to circumstances beyond our control:

Package Reason whatsnewfm Obsolete as freecode.com no longer accepting submissions libplrpc-perl Security issues firecookie Obsolete; superseded by firebug freecode-submit Obsolete as freecode.com no longer accepting submissions

URLs

The complete lists of packages that have changed with this revision:

The current stable distribution:

Proposed updates to the stable distribution:

stable distribution information (release notes, errata etc.):

Security announcements and information:

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.