Updated Debian 7: 7.3 released

December 14th, 2013

The Debian project is pleased to announce the third update of its stable distribution Debian 7 (codename wheezy). This update mainly adds corrections for security problems to the stable release, along with a few adjustments for serious problems. Security advisories were already published separately and are referenced where available.

Please note that this update does not constitute a new version of Debian 7 but only updates some of the packages included. There is no need to throw away old wheezy CDs or DVDs but only to update via an up-to-date Debian mirror after an installation, to cause any out of date packages to be updated.

Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.

New installation media and CD and DVD images containing updated packages will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages:

| Package | Reason |
|---|---|
| apt | Fix handling of :any in single-arch systems and processing of .debs over 2GB in size |
| apt-listbugs | Insecure use of temporary files |
| base-files | Update for point release |
| bootchart | Fix upgrade path from machines which had lenny's bootchart installed |
| darktable | Fix CVE-2013-1438; fix CVE-2013-1439 |
| distro-info-data | Add Ubuntu 14.04, Trusty Tahr |
| expat | Do not ship pkgconfig files |
| fcitx-cloudpinyin | Use Google by default, to replace no longer available previous default |
| firebird2.5 | Final 2.5.2 release, bug fixes |
| gnome-settings-daemon | Remove no longer required patch which makes syndaemon almost useless |
| gtk+3.0 | Load the file icon via a data: URI, to work with librsvg's new origin policy |
| iftop | Fix memory leak |
| intel-microcode | New upstream update |
| kfreebsd-9 | Disable 101_nullfs_vsock.diff |
| libdatetime-timezone-perl | New upstream version |
| libguestfs | Fix CVE-2013-4419: insecure temporary directory handling for remote guestfish |
| libnet-server-perl | Fix use of uninitialized value in pattern match |
| libnet-smtp-tls-butmaintained-perl | Fix misuse of IO::Socket::SSL in the SSL_version argument |
| librsvg | Fix CVE-2013-1881: disable loading of external entities |
| lua-sql | Restore multiarch co-installability |
| meep-lam4 | Move /usr/include/meep-lam4 to /usr/include/meep; fixes building against the -dev package |
| meep-mpi-default | Move /usr/include/meep-mpi-default to /usr/include/meep; fixes building against the -dev package |
| meep-mpich2 | Move /usr/include/meep-mpich2 to /usr/include/meep; fixes building against the -dev package |
| meep-openmpi | Move /usr/include/meep-openmpi to /usr/include/meep; fixes building against the -dev package |
| multipath-tools | Restore dmsetup export workaround, lost in previous upload |
| nagios3 | Stop status.cgi listing unauthorised hosts and services, miscellaneous bug fixes |
| nsd3 | Add $network to Required-Start |
| openttd | Fix CVE-2013-6411 (DoS) |
| postgresql-8.4 | New upstream micro-release |
| postgresql-9.1 | New upstream micro-release |
| rtkit | Fix access restriction bypass via polkit race condition |
| ruby-passenger | Fix CVE-2013-2119 and CVE-2013-4136: insecure tmp files usage |
| scikit-learn | Move joblib from Recommends to Depends |
| smplayer | Don't append -fontconfig to the command line options for Mplayer2 to prevent crash at startup |
| starpu | Remove non-free example material |
| starpu-contrib | Remove non-free example material |
| tzdata | New upstream release |
| usemod-wiki | Update hardcoded cookie expiration date from 2013 to 2025 |
| xfce4-weather-plugin | Update weather.com API URI |

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

| Advisory ID | Package | Correction(s) |
|---|---|---|
| DSA-2738 | ruby1.9.1 | Multiple issues |
| DSA-2769 | kfreebsd-9 | Multiple issues |
| DSA-2770 | torque | Authentication bypass |
| DSA-2771 | nas | Multiple issues |
| DSA-2772 | typo3-src | Cross-site scripting |
| DSA-2773 | gnupg | Multiple issues |
| DSA-2774 | gnupg2 | Multiple issues |
| DSA-2775 | ejabberd | Insecure SSL usage |
| DSA-2777 | systemd | Multiple issues |
| DSA-2778 | libapache2-mod-fcgid | Heap-based buffer overflow |
| DSA-2779 | libxml2 | Denial of service |
| DSA-2781 | python-crypto | PRNG not correctly reseeded in some situations |
| DSA-2782 | polarssl | Multiple issues |
| DSA-2784 | xorg-server | Use-after-free |
| DSA-2785 | chromium-browser | Multiple issues |
| DSA-2786 | icu | Multiple issues |
| DSA-2787 | roundcube | Design error |
| DSA-2788 | iceweasel | Multiple issues |
| DSA-2789 | strongswan | Denial of service and authorization bypass |
| DSA-2790 | nss | Uninitialized memory read |
| DSA-2791 | tryton-client | Missing input sanitization |
| DSA-2792 | wireshark | Multiple issues |
| DSA-2794 | spip | Multiple issues |
| DSA-2795 | lighttpd | Multiple issues |
| DSA-2796 | torque | Arbitrary code execution |
| DSA-2798 | curl | Unchecked SSL certificate host name |
| DSA-2799 | chromium-browser | Multiple issues |
| DSA-2800 | nss | Buffer overflow |
| DSA-2801 | libhttp-body-perl | Design error |
| DSA-2802 | nginx | Restriction bypass |
| DSA-2803 | quagga | Multiple issues |
| DSA-2804 | drupal7 | Multiple issues |
| DSA-2805 | sup-mail | Remote command injection |
| DSA-2806 | nbd | Privilege escalation |
| DSA-2807 | links2 | Integer overflow |
| DSA-2808 | openjpeg | Multiple issues |
| DSA-2809 | ruby1.8 | Multiple issues |
| DSA-2810 | ruby1.9.1 | Heap overflow |
| DSA-2811 | chromium-browser | Multiple issues |

Removed packages

The following packages were removed due to circumstances beyond our control:

| Package | Reason |
|---|---|
| linky | License problems |
| iceweasel-linky | License problems |

Debian Installer

The installer has been rebuilt to include the fixes incorporated into stable by the point release.

URLs

The complete lists of packages that have changed with this revision:

The current stable distribution:

Proposed updates to the stable distribution:

stable distribution information (release notes, errata etc.):

Security announcements and information:

About Debian

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.