The Debian project is pleased to announce the second update of its stable distribution Debian GNU/Linux 5.0 (codename “lenny”).  This update mainly adds corrections for security problems to the stable release, along with a few adjustments for serious problems.
Please note that this update does not constitute a new version of Debian GNU/Linux 5.0 but only updates some of the packages included.  There is no need to throw away 5.0 CDs or DVDs but only to update via an up-to-date Debian mirror after an installation, to cause any out of date packages to be updated.
Those who frequently install updates from security.debian.org won’t have to update many packages and most updates from security.debian.org are included in this update.
New CD and DVD images containing updated packages, and the regular installation media accompanied by the package archive, will be available soon at the regular locations.
Upgrading to this revision online is usually done by pointing the aptitude (or apt) package tool (see the sources.list(5) manual page) to one of Debian’s many FTP or HTTP mirrors.  A comprehensive list of mirrors is available at:
  <http://www.debian.org/distrib/ftplist>
Miscellaneous Bugfixes
This stable update adds a few important corrections to the following packages:
  Package               Reason
  apr-util              Fix information disclosure (CVE-2009-1956)
  asciidoc              Replace fop with dblatex
  backuppc              Fix permissions of CGI script and ht* files
  base-files             Bump version to 5.0.2
  bind9                Fix DNSSEC lookaside validation failing to handle unknown algorithms
  cdebconf              Optimize screen usage in newt frontend
  choose-mirror            Make preseeding of oldstable possible
  glib2.0               Fix crashes in gvfs
  gnupg                Fix memory leak and cleanup terminal attributes on interrupt
  hobbit               Create /var/run/hobbit if missing
  installation-guide         New sections on accessibility support
  iodine               Fix segfault when 5.x client connects
  jd                 Fix posting comments
  kfreebsd-7             Fix several vulnerabilities
  libapache2-authcassimple-perl    Fix POST request handling
  libaqbanking            Fix segfault in qt3-wizard
  libnet-rawip-perl          Fix segmentation fault
  libxcb               Fix important performance issues
  linux-2.6              Several fixes
  linux-kernel-di-alpha-2.6      Rebuild against latest kernel
  linux-kernel-di-amd64-2.6      Rebuild against latest kernel
  linux-kernel-di-arm-2.6       Rebuild against latest kernel
  linux-kernel-di-armel-2.6      Rebuild against latest kernel
  linux-kernel-di-hppa-2.6      Rebuild against latest kernel
  linux-kernel-di-i386-2.6      Rebuild against latest kernel
  linux-kernel-di-ia64-2.6      Rebuild against latest kernel
  linux-kernel-di-mips-2.6      Rebuild against latest kernel
  linux-kernel-di-mipsel-2.6     Rebuild against latest kernel
  linux-kernel-di-powerpc-2.6     Rebuild against latest kernel
  linux-kernel-di-s390-2.6      Rebuild against latest kernel
  linux-kernel-di-sparc-2.6      Rebuild against latest kernel
  live-initramfs           Better support for persistent mode
  live-magic             Fix handling of /etc/debian_version
  mdadm                Fix stability issues
  mt-daapd              Add musepack to transcoding list
  nagios3               Fix nagios3-common’s prerm script
  nss                 Fix alignment issues on sparc and ia64
  onak                Always open db read/write
  pango1.0              Fix arbitrary code execution
  pidgin-otr             Sourceful upload with bumped version number to fix a collision with a binNMU
  poppler               Fix several vulnerabilities
  pygobject              Fix inconsistent use of tabs and spaces in indentation
  samba                Fix memory leak, winbind crashes and Win2000 SP4 joining issues
  screen               Fix symlink attack
  slime                Remove non-free xref.lisp
  smstools              Fix modem timeouts
  solr                Fix simultaneous installation of tomcat5.5 with solr-tomcat5.5
  sound-juicer            Fix a crash on invocation of the preferences dialog
  system-config-printer        New Romanian translation
  system-tools-backends        Fix limiting effective password length to 8 characters (CVE-2008-6792)
                   and handle new format of /etc/debian_version
  tzdata               New timezone information
  user-mode-linux           Several fixes
  xorg                Default to fbdev driver on sparc
  xorg-server             Fix wakeup storm in idletime xsync counter
New Version of the debian-installer
The debian-installer has been updated to allow the installation of the previous stable release (Debian 4.0 “etch”) and to include an updated cdebconf package which resolves several issues with installation menu rendering using the newt frontend, including:
- Explanatory text overlapping with the input box due to a height miscalculation
- Overlapping of the “Go Back” button and the select list on certain screens
- Suboptimal screen usage, particularly affecting debian-edu installations
The installer has been rebuilt to use the updated kernel packages included in this point release, resolving issues with installation on s390 G5 systems and IBM summit-based i386 systems.
Security Updates
This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:
  DSA 1761    moodle           File disclosure
  DSA 1762    icu             Cross-site scripting
  DSA 1763    openssl           Denial of service
  DSA 1764    tunapie           Several vulnerabilities
  DSA 1766    krb5            Several vulnerabilities
  DSA 1767    multipath-tools       Denial of service
  DSA 1768    openafs           Potential code execution
  DSA 1771    clamav           Several vulnerabilities
  DSA 1772    udev            Critical privilege escalation
  DSA 1773    cups            Arbitrary code execution
  DSA 1774    ejabberd          Cross-site scripting
  DSA 1776    slurm-llnl         Privilege escalation
  DSA 1777    git-core          Privilege escalation
  DSA 1778    mahara           Cross-site scripting
  DSA 1779    apt             Several vulnerabilities
  DSA 1781    ffmpeg-debian        Arbitrary code execution
  DSA 1783    mysql-dfsg-5.0       Several vulnerabilities
  DSA 1784    freetype          Arbitrary code execution
  DSA 1785    wireshark          Several vulnerabilities
  DSA 1786    acpid            Denial of service
  DSA 1788    quagga           Denial of service
  DSA 1789    php5            Several vulnerabilities
  DSA 1790    xpdf            Multiple vulnerabilities
  DSA 1791    moin            Cross-site scripting
  DSA 1792    drupal6           Multiple vulnerabilities
  DSA 1793    kdegraphics         Multiple vulnerabilities
  DSA 1795    ldns            Arbitrary code execution
  DSA 1797    xulrunner          Multiple vulnerabilities
  DSA 1798    pango1.0          Arbitrary code execution
  DSA 1799    qemu            Several vulnerabilities
  DSA 1800    linux-2.6,user-mode-linux  Several vulnerabilities
  DSA 1801    ntp             Several vulnerabilities
  DSA 1802    squirrelmail        Several vulnerabilities
  DSA 1803    nsd, nsd3          Denial of service
  DSA 1804    ipsec-tools         Denial of service
  DSA 1805    pidgin           Several vulnerabilities
  DSA 1806    cscope           Arbitrary code execution
  DSA 1807    cyrus-sasl2         Arbitrary code execution
  DSA 1807    cyrus-sasl2-heimdal     Arbitrary code execution
  DSA 1808    drupal6           Insufficient input sanitising
  DSA 1809    linux-2.6,user-mode-linux  Several vulnerabilities
  DSA 1810    libapache-mod-jk      Information disclosure
  DSA 1811    cups            Denial of service
  DSA 1812    apr-util          Several vulnerabilities
  DSA 1813    evolution-data-server    Several vulnerabilities
  DSA 1814    libsndfile         Arbitrary code execution
  DSA 1815    libtorrent-rasterbar    Denial of service
  DSA 1817    ctorrent          Arbitrary code execution
  DSA 1818    gforge           Insufficient input sanitising
  DSA 1820    xulrunner          Several vulnerabilities
  DSA 1821    amule            Insufficient input sanitising
  DSA 1822    mahara           Cross-site scripting
  DSA 1823    samba            Several vulnerabilities
  DSA 1824    phpmyadmin         Several vulnerabilities
URLs
 <http://ftp.debian.org/debian/dists/lenny/ChangeLog>
The current stable distribution:
 <http://ftp.debian.org/debian/dists/stable>
Proposed updates to the stable distribution:
 <http://ftp.debian.org/debian/dists/proposed-updates>
Stable distribution information (release notes, errata etc.):
 <http://www.debian.org/releases/stable/>
Security announcements and information:
 <http://www.debian.org/security/>
About Debian
The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian GNU/Linux.
Contact Information
For further information, please visit the Debian web pages at <http://www.debian.org/>, send mail to <[e-mail address protected]>, or contact the stable release team at <[e-mail address protected]>.