Debian GNU/Linux 4.0 updated
December 27th, 2007
The Debian project is pleased to announce the second update of its stable
distribution Debian GNU/Linux 4.0 (codename etch). This update mainly
adds corrections for security problems to the stable release, along with
a few adjustments for serious problems.
Please note that this update does not constitute a new version of Debian
GNU/Linux 4.0 but only updates some of the packages included. There is
no need to throw away 4.0 CDs or DVDs but only to update against
ftp.debian.org after an installation, in order to incorporate those late
changes.
Those who frequently install updates from security.debian.org won't have
to update many packages and most updates from security.debian.org are
included in this update.
New CD and DVD images containing the updated packages, and the regular
installation media accompanied by the package archive, will be available
soon at the regular locations.
Upgrading to this revision online is usually done by pointing the
aptitude (or apt) package tool (see the sources.list(5) manual page) to
one of Debian's many FTP or HTTP mirrors. A comprehensive list of
mirrors is available at:
Debian-Installer Update
The installer has been updated to use and support the updated kernels
included in this release. This change causes old netboot and floppy images
to stop working; updated versions are available from the regular locations.
Other changes include stability improvements in specific situations,
improved serial console support when configuring grub, and added support
for SGI O2 machines with 300 MHz RM5200SC (Nevada) CPUs (mips).
Miscellaneous Bugfixes
This stable update adds several binary updates for various architectures
to packages whose version was not synchronised across all architectures.
It also adds a few important corrections to the following packages:
Package Reason
Fix of several CVEs
Rebuild for apache2 rebuilds
Rebuild against lib3ds-dev
Fix of several memory leaks
Fix possible hangs during netboot installs
Remove unused non-free code
Fix regression introduced by icedove 1.5.0.10
Recompile for Linux Kernel rebuilds
Fix locate heap buffer overflow (CVE-2007-2452)
New upstream release fixes security problems
Fix nscd crash
Added missing dependency
Fix authentication bypass
Remove roa-es-val translation and update ca package description
Bring architectures back in sync
Rebuild for Debian Kernel rebuild
Fixes nfsroot on mips(el)
Fix strict-aliasing errors
Fix potential data loss
Bring architectures back in sync
Rebuild against current ruby1.8 to fix a wrong library install directory
Rebuild for Linux Kernel rebuild
Fix to work correctly with striped lvm1 metadata
Rebuild against etch (i386 only)
Changed priority of initscript
Fix CVE-2007-4924
Bring architectures back in sync
Rebuild against liblzo2 to fix general protection errors
Fix CVE-2005-2977
Fix CVE-2007-4462
Fix regression introduced in 8.1.9
Fix CVE-2007-4897
Fix package dependency on libpq
Rebuild against lib3ds-dev
Recent timezone updates
Make program 64-bit clean
Rebuild for Debian Kernel rebuild
Fix regression
Rebuild against lib3ds-dev
Fix interoperability with etch CVS
Fix CVE-2007-6201
Security Updates
This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:
Advisory ID Package Correction(s)
Denial of service
Buffer overflow
Denial of service
Several vulnerabilities
Denial of service
Several vulnerabilities
Missing input sanitising
Arbitrary code execution
Unsafe temporary files
Unsafe temporary files
Buffer overflow
Arbitrary code execution
Arbitrary code execution
Arbitrary code execution
Certificate handling
Arbitrary code execution
Several vulnerabilities
Several vulnerabilities
Several vulnerabilities
Denial of service
DNS cache poisoning
Privilege escalation
Arbitrary code execution
Several vulnerabilities
Several vulnerabilities
Several vulnerabilities
Arbitrary code execution
Arbitrary code execution
Privilege escalation
Arbitrary code execution
Arbitrary code execution
Several vulnerabilities
Arbitrary code execution
Several vulnerabilities
Directory traversal
Arbitrary code execution
Arbitrary code execution
Several vulnerabilities
Several vulnerabilities
Several vulnerabilities
Several vulnerabilities
Arbitrary code execution
Arbitrary code execution
Several vulnerabilities
Several vulnerabilities
Privilege escalation
Directory traversal
Several vulnerabilities
Arbitrary code execution
Authentication bypass
Denial of service
Several vulnerabilities
Arbitrary code execution
Information disclosure
Several vulnerabilities
Denial of service
Cross-site scripting
Several vulnerabilities
Arbitrary code execution
Denial of service
Arbitrary code execution
Arbitrary code execution
SQL injection
Arbitrary code execution
Several vulnerabilities
Several vulnerabilities
Arbitrary command execution
Authentication bypass
Several vulnerabilities
Integer overflow
Arbitrary code execution
Arbitrary code execution
Several vulnerabilities
Several vulnerabilities
Cross-site scripting
Privilege escalation
Arbitrary code execution
Several vulnerabilities
Arbitrary code execution
Arbitrary code execution
Several vulnerabilities
Insecure SSL certificate validation
Insecure SSL certificate validation
Several vulnerabilities
Several vulnerabilities
Arbitrary code execution
Arbitrary code execution
SQL injection
Arbitrary Java code execution
Privilege escalation
Arbitrary file disclosure
Arbitrary code execution
Several vulnerabilities
Several vulnerabilities
Several vulnerabilities
Several vulnerabilities
Arbitrary code execution
Several vulnerabilities
Cross-site scripting
Arbitrary code execution
Arbitrary code execution
Arbitrary code execution
Denial of service
Several vulnerabilities
Several vulnerabilities
A complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:
URLs
The complete lists of packages that have changed with this
release:
The current stable distribution:
Proposed updates to the stable distribution:
Stable distribution information (release notes, errata, etc.):
Security announcements and information:
About Debian
The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely
free operating system Debian GNU/Linux.
Contact Information
For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to
, or contact the stable release team at
.