Updated Debian 6.0: 6.0.6 released
September 29th, 2012
The Debian project is pleased to announce the sixth update of its
stable distribution Debian 6.0 (codename squeeze).
This update mainly adds corrections for security problems to the stable
release, along with a few adjustments for serious problems. Security advisories
were already published separately and are referenced where available.
Please note that this update does not constitute a new version of Debian 6.0 but only updates some of the packages included. There is no need to throw away 6.0 CDs or DVDs but only to update via an up-to-date Debian mirror after an installation, to cause any out-of-date packages to be updated.
Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.
New installation media and CD and DVD images containing updated packages will be available soon at the regular locations.
Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
Package | Reason |
---|---|
alpine | Fix crash in embedded UW-IMAP copy |
apache2 | mod_negotiation - fix CVE-2012-2687; mod_cache - don't cache partial connections; read timeouts should result in a 408 |
automake1.10 | Fix CVE-2012-3386 |
automake1.11 | Fix CVE-2012-3386 |
automake1.7 | Fix CVE-2012-3386 |
automake1.9 | Fix CVE-2012-3386 |
base-files | Update /etc/debian_version for the point release |
checkgmail | Fix GMail authentication issues |
clamav | New upstream release |
debian-archive-keyring | Add wheezy stable and archive signing keys |
dpkg | Ensure a reliable unpack on SELinux systems |
eglibc | Really enable patches/any/cvs-dlopen-tls.diff; fix FORTIFY_SOURCE format string protection bypass; fix a DoS in RPC implementation |
emesene | Update contact end-point to local-bay.contacts.msn.com |
geshi | Fix 'Local File Inclusion Vulnerability in contrib script' |
gosa | Security fix (missing escaping) |
ia32-libs | Update packages |
libconfig-inifiles-perl | Fix insecure temporary file use |
libgc | Check for integer overflow in internal malloc and calloc routines |
libmtp | Fix device flags for some devices; add support for new devices |
libxslt | Fix CVE-2011-1202, CVE-2011-3970, CVE-2012-2825 |
links2 | Security fixes |
linux-2.6 | DRM fixes; leap second fix; security fixes; various driver fixes |
linux-kernel-di-amd64-2.6 | Rebuild against linux-2.6 2.6.32-46 |
linux-kernel-di-armel-2.6 | Rebuild against linux-2.6 2.6.32-46 |
linux-kernel-di-i386-2.6 | Rebuild against linux-2.6 2.6.32-46 |
linux-kernel-di-ia64-2.6 | Rebuild against linux-2.6 2.6.32-46 |
linux-kernel-di-mips-2.6 | Rebuild against linux-2.6 2.6.32-46 |
linux-kernel-di-mipsel-2.6 | Rebuild against linux-2.6 2.6.32-46 |
linux-kernel-di-powerpc-2.6 | Rebuild against linux-2.6 2.6.32-46 |
linux-kernel-di-s390-2.6 | Rebuild against linux-2.6 2.6.32-46 |
linux-kernel-di-sparc-2.6 | Rebuild against linux-2.6 2.6.32-46 |
lockfile-progs | Ensure the correct PID is used when creating lockfiles |
mysql-mmm | Add dependency on libpath-class-perl |
network-manager | Stop allowing ad-hoc WPA networks to be created; kernel bugs mean they get created as open networks |
nss-pam-ldapd | Support larger gecos values; reliability fixes |
nvidia-graphics-drivers | Fix information leak in the kernel module; fix arbitrary memory access vulnerability; fix local privilege escalation through VGA window manipulation |
nvidia-graphics-modules | Rebuild against 195.36.31-6squeeze1 kernel modules for security fixes; rebuild to fix CVE-2012-4225 |
php-memcached | Fix session.gc_maxlifetime handling |
plymouth | Fix the init script to not fail when the package is removed |
policyd-weight | Remove rfc-ignorant.org RBLs (due to upcoming shutdown) and rbl.ipv6-world.net |
postgresql-common | Do not remove the PID file after SIGKILLing the postmaster in the last-ditch effort to shut down in --force mode |
powertop | Fix segfault on newer kernels with large config files |
publican | Add dependency and build-dependency on libio-string-perl |
rstatd | Support Linux 3.x kernels |
spip | Fix base name disclosure; security fixes |
tor | New upstream; fix TLS 1.1/1.2 renegotiation with openssl 1.0.1; fix potential DoS; fix two crashes and an information disclosure issue |
ttb | Add dependency on python-glade2 |
vte | Fix a memory exhaustion vulnerability |
wims | Fix installation problem |
wireshark | Fix crashes in ANSI A detector and pcap / pcap-ng parsers |
xserver-xorg-video-intel | UXA/glyphs: fall back instead of crashing on large strings |
yaws | Fix RNG strength; fix mail config loading |
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
Advisory ID | Package | Correction(s) |
---|---|---|
DSA-2457 | iceweasel | Regression fix |
DSA-2458 | iceape | Regression fix |
DSA-2465 | php5 | Multiple issues |
DSA-2466 | rails | Cross site scripting |
DSA-2467 | mahara | Insecure defaults |
DSA-2468 | libjakarta-poi-java | Unbounded memory allocation |
DSA-2470 | wordpress | Multiple issues |
DSA-2471 | ffmpeg | Multiple issues |
DSA-2472 | gridengine | Privilege escalation |
DSA-2473 | openoffice.org | Buffer overflow |
DSA-2474 | ikiwiki | Cross-site scripting |
DSA-2475 | openssl | Integer underflow |
DSA-2476 | pidgin-otr | Format string vulnerability |
DSA-2477 | sympa | Authorization bypass |
DSA-2478 | sudo | Parsing error |
DSA-2479 | libxml2 | Off-by-one |
DSA-2480 | request-tracker3.8 | Regression |
DSA-2481 | arpwatch | Fails to drop supplementary groups |
DSA-2482 | libgdata | No verification of TLS certificates against system root CA |
DSA-2483 | strongswan | Authentication bypass |
DSA-2484 | nut | Denial of service |
DSA-2485 | imp4 | Cross site scripting |
DSA-2486 | bind9 | Denial of service |
DSA-2487 | openoffice.org | Buffer overflow |
DSA-2488 | iceweasel | Multiple issues |
DSA-2489 | iceape | Multiple issues |
DSA-2490 | nss | Denial of service |
DSA-2491 | postgresql-8.4 | Multiple issues |
DSA-2492 | php5 | Buffer overflow |
DSA-2493 | asterisk | Denial of service |
DSA-2494 | ffmpeg | Multiple issues |
DSA-2495 | openconnect | Buffer overflow |
DSA-2497 | quagga | Denial of service |
DSA-2498 | dhcpcd | Remote stack overflow |
DSA-2499 | icedove | Multiple issues |
DSA-2500 | mantis | Multiple issues |
DSA-2501 | xen | Multiple issues |
DSA-2502 | python-crypto | Programming error |
DSA-2503 | bcfg2 | Shell command injection |
DSA-2504 | libspring-2.5-java | Information disclosure |
DSA-2505 | zendframework | Information disclosure |
DSA-2506 | libapache-mod-security | Modsecurity bypass |
DSA-2507 | openjdk-6 | Multiple issues |
DSA-2508 | kfreebsd-8 | Privilege escalation |
DSA-2509 | pidgin | Remote code execution |
DSA-2510 | extplorer | Cross-site request forgery |
DSA-2511 | puppet | Multiple issues |
DSA-2512 | mono | Missing input sanitising |
DSA-2513 | iceape | Multiple issues |
DSA-2514 | iceweasel | Multiple issues |
DSA-2515 | nsd3 | Null pointer dereference |
DSA-2516 | isc-dhcp | Denial of service |
DSA-2517 | bind9 | Denial of service |
DSA-2518 | krb5 | Denial of service |
DSA-2519 | isc-dhcp | Denial of service |
DSA-2520 | openoffice.org | Multiple heap-based buffer overflows |
DSA-2521 | libxml2 | Integer overflows |
DSA-2522 | fckeditor | Cross site scripting |
DSA-2523 | globus-gridftp-server | Programming error |
DSA-2523 | globus-gridftp-server-control | Programming error |
DSA-2524 | openttd | Multiple issues |
DSA-2525 | expat | Multiple issues |
DSA-2526 | libotr | Buffer overflow |
DSA-2527 | php5 | Multiple issues |
DSA-2528 | icedove | Multiple issues |
DSA-2529 | python-django | Multiple issues |
DSA-2530 | rssh | Shell command injection |
DSA-2531 | xen | Denial of service |
DSA-2532 | libapache2-mod-rpaf | Denial of service |
DSA-2533 | pcp | Multiple issues |
DSA-2534 | postgresql-8.4 | Multiple issues |
DSA-2535 | rtfm | Cross-site scripting |
DSA-2536 | otrs2 | Cross-site scripting |
DSA-2537 | typo3-src | Multiple issues |
DSA-2538 | moin | Privilege escalation |
DSA-2539 | zabbix | SQL injection |
DSA-2540 | mahara | Cross-site scripting |
DSA-2541 | beaker | Information disclosure |
DSA-2542 | qemu-kvm | Multiple issues |
DSA-2543 | xen-qemu-dm-4.0 | Multiple issues |
DSA-2544 | xen | Denial of service |
DSA-2545 | qemu | Multiple issues |
DSA-2546 | freeradius | Code execution |
DSA-2547 | bind9 | Improper assert |
DSA-2548 | tor | Multiple issues |
DSA-2549 | devscripts | Multiple issues |
Debian Installer
The installer has been rebuilt to include the fixes incorporated into stable by the point release.
Removed packages
The following packages were removed due to circumstances beyond our control:
Package | Reason |
---|---|
blockade | Non-distributable data files |
kcheckgmail | Unmaintained; broken by Google changes |
libtrash | Unmaintained; broken |
URLs
The complete lists of packages that have changed with this revision:
The current stable distribution:
Proposed updates to the stable distribution:
stable distribution information (release notes, errata etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.
Contact Information
For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.