-------- Original Message --------
Subject: Updated Debian 7: 7.5 released
Resent-Date: Sat, 26 Apr 2014 14:24:42 +0000 (UTC)
Resent-From: debian-announce@???
------------------------------------------------------------------------
The Debian Project http://www.debian.org/
Updated Debian 7: 7.5 released press@???
April 26th, 2014 http://www.debian.org/News/2014/20140426
------------------------------------------------------------------------
The Debian project is pleased to announce the fifth update of its stable
distribution Debian 7 (codename "wheezy"). This update mainly adds
corrections for security problems to the stable release, along with a
few adjustments for serious problems. Security advisories were already
published separately and are referenced where available.
Please note that this update does not constitute a new version of Debian
7 but only updates some of the packages included. There is no need to
throw away old "wheezy" CDs or DVDs but only to update via an up-to-date
Debian mirror after an installation, to cause any out of date packages
to be updated.
Those who frequently install updates from security.debian.org won't have
to update many packages and most updates from security.debian.org are
included in this update.
New installation media and CD and DVD images containing updated packages
will be available soon at the regular locations.
Upgrading to this revision online is usually done by pointing the
aptitude (or apt) package tool (see the sources.list(5) manual page) to
one of Debian's many FTP or HTTP mirrors. A comprehensive list of
mirrors is available at:
http://www.debian.org/mirror/list
Miscellaneous Bugfixes
----------------------
This stable update adds a few important corrections to the following
packages:
+---------------------------+-----------------------------------------+
| Package | Reason |
+---------------------------+-----------------------------------------+
| advi | Explicitly pass latexdir to make, |
| | avoiding files ending up in non-FHS |
| | directories |
| base-files | Update for the point release |
| calendarserver | Update zoneinfo to tzdata 2014a |
| catfish | Fix untrusted search path vulnerability |
| | [CVE-2014-2093, CVE-2014-2094, |
| | CVE-2014-2095, CVE-2014-2096] |
| certificatepatrol | Declare compatibility with Iceweasel 24 |
| clamav | New upstream release |
| conkeror | Add patches for compatibility with |
| | Iceweasel 24 |
| debian-installer | Add support for QNAP HS-210 |
| debian-installer-netboot- | Rebuild against the latest debian- |
| images | installer |
| docx2txt | Add missing dependency on unzip |
| erlang | Fix command injection via CR or LF in |
| | user, file or directory names in the |
| | FTP module [CVE-2014-1693] |
| evolution-ews | Fix free/busy indicators with Exchange |
| | 2013 servers |
| firebug | New upstream release; compatible with |
| | Iceweasel 24 |
| flashblock | New upstream release; compatible with |
| | Iceweasel 24 |
| freeciv | Fix denial of service [CVE-2012-5645, |
| | CVE-2012-6083] |
| freerdp | Fix libfreerdp-dev so that it can be |
| | compiled against |
| glark | Force use of Ruby 1.8, as glark doesn't |
| | work with newer versions |
| gorm.app | Fix build failure |
| greasemonkey | New upstream release; compatible with |
| | Iceweasel 24 |
| gst-plugins-bad0.10 | Fix build failure due to the libmodplug |
| | upgrade in DSA 2751 |
| intel-microcode | Include updated microcode |
| ktp-filetransfer- | Fix broken kde-telepathy-filetransfer- |
| handler | handler-dbg on mips |
| lcms2 | Security fixes |
| libdatetime-timezone- | Update to tzdata 2014a |
| perl | |
| libfinance-quote- | Update URLs of Yahoo! Finance services |
| perl | |
| libpdf-api2-perl | Fix build failure |
| libquvi-scripts | New upstream release |
| libsoup2.4 | Fix issues with NTLM authentication |
| | against Windows 2012 |
| libxml2 | Fix memory corruption when re-using the |
| | library from threaded applications |
| linux | Update to stable 3.2.57, 3.2.55-rt81, |
| | drm/agp 3.4.86; several security fixes; |
| | e1000e, igb: backport changes up to |
| | Linux 3.13 |
| ltsp | Fix remote audio on thin clients |
| meep | Stop building with -march=native |
| meep-openmpi | Stop building with -march=native |
| mozilla-noscript | New upstream release; compatible with |
| | Icweasel 24 |
| mp3gain | Fix denial of service and buffer |
| | overflow issues [CVE-2003-0577, |
| | CVE-2004-0805, CVE-2004-0991, CVE-2006- |
| | 1655] |
| net-snmp | Fix agentx subagent issues with |
| | multiple-object requests and increasing |
| | object length [CVE-2014-2310] |
| newsbeuter | Fix build failure due to json's switch |
| | from boolean to json_bool |
| nvidia-graphics- | New upstream release |
| drivers | |
| nvidia-graphics- | Build against nvidia-kernel-source |
| modules | 304.117 |
| openblas | Fix hang when called from an OpenMP- |
| | using program |
| php-getid3 | Fix potential XXE security issue |
| | [CVE-2014-2053] |
| php5 | Many fixes backported from upstream |
| polarssl | Fix build failure due to expired |
| | certificates |
| postgresql-8.4 | New upstream micro-release |
| postgresql-9.1 | New upstream micro-release |
| qemu | Fix entry pointer for ELF kernels |
| | loaded with -kernel option; only allow |
| | real mode to access 32-bit addresses |
| | unless in long mode |
| qemu-kvm | Fix entry pointer for ELF kernels |
| | loaded with -kernel option; only allow |
| | real mode to access 32-bit addresses |
| | unless in long mode |
| quassel | Restrict clients from accessing |
| | backlogs belonging to other users |
| | [CVE-2013-6404] |
| resource-agents | Fix HTTPS service checking by IP |
| | address |
| ruby-passenger | Fix insecure use of /tmp [CVE-2014- |
| | 1831, CVE-2014-1832] |
| sage-extension | New upstream release; compatible with |
| | Icewasel 24 |
| samba | Fix authentication bypass and |
| | insufficient protection against brute- |
| | force password guessing [CVE-2012-6150, |
| | CVE-2013-4496] |
| samba4 | Remove insecure and broken samba4 and |
| | winbind4 binary packages |
| spamassassin | Remove "xxx" from the list of common |
| | fake TLDs, since it is not fake any |
| | more; remove rules referring to rfc- |
| | ignorant.org and NJABL, which have been |
| | shut down |
| spip | Fix missing escaping; update security |
| | screen |
| subversion | Fix mod_dav_svn crash when handling |
| | certain requests [CVE-2014-0032] and |
| | removal of libsvnjavahl-1.a/.la/.so |
| | from libsvn-dev |
| sympa | Fix CAS authentication issues; fix |
| | SQLite upgrade patch to avoid errors |
| | with perl <= 5.14; raise a warning |
| | instead of an error when the CA bundle |
| | file is not readable; provide the |
| | missing template help_suspend.tt2 |
| tweepy | Use Twitter API 1.1 and SSL |
| tzdata | New upstream release |
| wml | Remove temporary directories (ipp.*) |
| xine-lib | Fix build failure due to the libmodplug |
| | upgrade in DSA 2751 |
| xine-lib-1.2 | Fix build failure due to the libmodplug |
| | upgrade in DSA 2751 |
+---------------------------+-----------------------------------------+
Security Updates
----------------
This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:
+----------------+---------------------------------+
| Advisory ID | Package |
+----------------+---------------------------------+
| DSA-2848 | mysql-5.5 |
| DSA-2850 | libyaml |
| DSA-2852 | libgadu |
| DSA-2854 | mumble |
| DSA-2855 | libav |
| DSA-2856 | libcommons-fileupload-java |
| DSA-2857 | libspring-java |
| DSA-2858 | iceweasel |
| DSA-2859 | pidgin |
| DSA-2860 | parcimonie |
| DSA-2861 | file |
| DSA-2862 | chromium-browser |
| DSA-2863 | libtar |
| DSA-2865 | postgresql-9.1 |
| DSA-2866 | gnutls26 |
| DSA-2867 | otrs2 |
| DSA-2868 | php5 |
| DSA-2869 | gnutls26 |
| DSA-2870 | libyaml-libyaml-perl |
| DSA-2871 | wireshark |
| DSA-2872 | udisks |
| DSA-2873 | file |
| DSA-2874 | mutt |
| DSA-2875 | cups-filters |
| DSA-2877 | lighttpd |
| DSA-2878 | virtualbox |
| DSA-2879 | libssh |
| DSA-2880 | python2.7 |
| DSA-2881 | iceweasel |
| DSA-2882 | extplorer |
| DSA-2883 | chromium-browser |
| DSA-2884 | libyaml |
| DSA-2885 | libyaml-libyaml-perl |
| DSA-2886 | libxalan2-java |
| DSA-2887 | ruby-actionmailer-3.2 |
| DSA-2888 | ruby-activesupport-3.2 |
| DSA-2888 | ruby-actionpack-3.2 |
| DSA-2889 | postfixadmin |
| DSA-2890 | libspring-java |
| DSA-2891 | mediawiki-extensions |
| DSA-2891 | mediawiki |
| DSA-2892 | a2ps |
| DSA-2894 | openssh |
| DSA-2895 | prosody |
| DSA-2895 | lua-expat |
| DSA-2896 | openssl |
| DSA-2897 | tomcat7 |
| DSA-2898 | imagemagick |
| DSA-2899 | openafs |
| DSA-2900 | jbigkit |
| DSA-2901 | wordpress |
| DSA-2902 | curl |
| DSA-2903 | strongswan |
| DSA-2904 | virtualbox |
| DSA-2905 | chromium-browser |
| DSA-2908 | openssl |
| DSA-2909 | qemu |
| DSA-2910 | qemu-kvm |
+----------------+---------------------------------+
Removed packages
----------------
The following packages were removed due to circumstances beyond our
control:
+-------------+-------------------------------+
| Package | Reason |
+-------------+-------------------------------+
| hlbr | Broken |
| hlbrw | Depends on to-be-removed hlbr |
+-------------+-------------------------------+
Debian Installer
----------------
The Debian install media will be updated shortly with the relevent
changes.
URLs
----
The complete lists of packages that have changed with this revision:
http://ftp.debian.org/debian/dists/wheezy/ChangeLog
The current stable distribution:
http://ftp.debian.org/debian/dists/stable/
Proposed updates to the stable distribution:
http://ftp.debian.org/debian/dists/proposed-updates
stable distribution information (release notes, errata etc.):
http://www.debian.org/releases/stable/
Security announcements and information:
http://security.debian.org/
About Debian
------------
The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.
Contact Information
-------------------
For further information, please visit the Debian web pages at
http://www.debian.org/, send mail to <press@???>, or contact the
stable release team at <debian-release@???>.
