Please note that this update does not constitute a new version of
Debian 6.0 but only updates some of the packages included. There is no
need to throw away 6.0 CDs or DVDs but only to update via an up-to-date
Debian mirror after an installation, to cause any out of date packages
to be updated.

Those who frequently install updates from security.debian.org won’t
have to update many packages and most updates from security.debian.org
are included in this update.

New installation media and CD and DVD images containing updated
packages will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the
aptitude (or apt) package tool (see the sources.list(5) manual page) to
one of Debian’s many FTP or HTTP mirrors. A comprehensive list of
mirrors is available at:

Miscellaneous Bugfixes
======================

This stable update adds a few important corrections to the following
packages:

Package Reason
acpid Really fix CVE-2011-1159
Fix apr_file_trunc() bug which could lead
apr to Subversion repository corruption in some
rare cases
at Create hardlink as priviledged user for
compatibility with later kernels
base-files Update /etc/debian_version for the point
release
brltty Fix support for large esys/iris displays
clive Adapt for youtube.com changes
ecl Remove broken postrm script
Fix resolving issues with broken servers
returning NOTIMP or FORMERR to AAAA
eglibc queries; fix integer overflow in timezone
code; local/manpages/gai.conf.5: update
from latest RedHat version
evolution-data-server Make e_book_get_changes() actually return
changes
Lock server’s executeCmd to prevent racing
fail2ban among iptables calls; fix insecure creation
of tempfiles
foomatic-filters Fix insecure temporary file use in renderer
command line
giplet Use checkip.dyndns.org instead of the no
longer suitable www.whatismyip.org
gnusound Fix format string security issue
gosa Fix DHCP host removal and user generator
Unicode character transliteration
highlight Remove broken postrm
json-glib Fix serialization of doubles
kdeutils Fix directory traversal in Ark
keepalived Set correct permissions on pid file
laptop-mode-tools Add support for 3.x kernels
libcgicc Install pkg-config file to the correct
location
Fix passive grabs; handle unknown device
libxi classes; fill in mods/group->effective in
XIQueryPointer
linux-2.6 Add longterm releases 2.6.32.5[5-9]
linux-kernel-di-amd64-2.6 Rebuild against linux-2.6 2.6.32-45
linux-kernel-di-armel-2.6 Rebuild against linux-2.6 2.6.32-45
linux-kernel-di-i386-2.6 Rebuild against linux-2.6 2.6.32-45
linux-kernel-di-ia64-2.6 Rebuild against linux-2.6 2.6.32-45
linux-kernel-di-mips-2.6 Rebuild against linux-2.6 2.6.32-45
linux-kernel-di-mipsel-2.6 Rebuild against linux-2.6 2.6.32-45
linux-kernel-di-powerpc-2.6 Rebuild against linux-2.6 2.6.32-45
linux-kernel-di-s390-2.6 Rebuild against linux-2.6 2.6.32-45
linux-kernel-di-sparc-2.6 Rebuild against linux-2.6 2.6.32-45
netselect Robustness and documentation fixes; handle
mirror lists with embedded attributes
openssh Fix information disclosure regarding forced
commands via debug messages
openvpn Fix /sbin/route calls on kFreeBSD
php-memcache Fix cache delete bug, when deleting objects
from memcached 1.4.4+
php-memcached Fix double free in getServerByKey()
phppgadmin Fix XSS in function.php
Fix race condition when reading from /proc
policykit-1 which allows local users to gain root
privileges by executing a setuid program
from pkexec
procps Support 3.X kernels
pyspf Correctly process CNAMEs in SPF records
python-defaults Correctly remove /var/lib/python/
python2.6_already_installed
python-virtualenv Fix insecure temp file handling
rott Fallback to downloading shareware data
files from pkg-games.alioth.debian.org
sks Use standards-compliant POSTs
sysvinit Enable use of either rpcbind or portmap for
NFS
texlive-base Don’t try to repair a missing
pdftexconfig.tex in preinst
Rate-limit getstatus and rcon
tremulous connectionless packets, to avoid their use
for traffic amplification; fix several
security bugs; disable auto-downloading
tzdata New upstream version
wicd Fix local privilege escalation,
CVE-2012-2095
xfce4-weather-plugin Update service key to restore access to
server
yapra Add ruby1.8 build-dependency to fix broken
build in clean environment

Security Updates
================

This revision adds the following security updates to the stable
release. The Security Team has already released an advisory for each of
these updates:

Advisory ID Package Correction(s)
DSA-2321 moin Cross-site scripting
DSA-2352 puppet Programming error
DSA-2359 mojarra EL injection
DSA-2394 libxml2 Multiple issues
DSA-2395 wireshark Buffer underflow
DSA-2396 qemu-kvm Buffer underflow
DSA-2397 icu Buffer underflow
DSA-2398 curl Multiple issues
DSA-2399 php5 Multiple issues
DSA-2400 iceweasel Multiple issues
DSA-2401 tomcat6 Multiple issues
DSA-2402 iceape Multiple issues
DSA-2403 php5 Code injection
DSA-2404 xen-qemu-dm-4.0 Buffer overflow
DSA-2405 apache2 Multiple issues
DSA-2406 icedove Multiple issues
DSA-2407 cvs Heap overflow
DSA-2408 php5 Multiple issues
DSA-2409 devscripts Multiple issues
DSA-2410 libpng Integer overflow
DSA-2411 mumble Information disclosure
DSA-2412 libvorbis Buffer overflow
DSA-2413 libarchive Buffer overflows
DSA-2414 fex Insufficient input sanitization
DSA-2415 libmodplug Multiple issues
DSA-2416 notmuch Information disclosure
DSA-2417 libxml2 Denial of service
DSA-2418 postgresql-8.4 Multiple issues
DSA-2419 puppet Multiple issues
DSA-2420 openjdk-6 Multiple issues
DSA-2421 moodle Multiple issues
DSA-2422 file Missing bounds check
DSA-2423 movabletype-opensource Multiple issues
DSA-2424 libxml-atom-perl XML entity expansion
DSA-2425 plib Buffer overflow
DSA-2426 gimp Multiple issues
DSA-2427 imagemagick Multiple issues
DSA-2428 freetype Multiple issues
DSA-2430 python-pam Double free
DSA-2431 libdbd-pg-perl Format string vulnerabilities
DSA-2432 libyaml-libyaml-perl Format string vulnerability
DSA-2433 iceweasel Multiple issues
DSA-2434 nginx Sensitive information leak
DSA-2435 gnash Multiple issues
DSA-2436 libapache2-mod-fcgid Inactive resource limits
DSA-2437 icedove Multiple issues
DSA-2438 raptor Programming error
DSA-2439 libpng Buffer overflow
DSA-2440 libtasn1-3 Integer overflow
DSA-2441 gnutls26 Missing bounds check
DSA-2442 openarena UDP traffic amplification
DSA-2443 linux-2.6 Multiple issues
DSA-2443 user-mode-linux Multiple issues
DSA-2444 tryton-server Privilege escalation
DSA-2445 typo3-src Multiple issues
DSA-2446 libpng Incorrect memory handling
DSA-2447 tiff Integer overflow
DSA-2448 inspircd Buffer overflow
DSA-2449 sqlalchemy Missing input sanitization
DSA-2450 samba Privilege escalation
DSA-2451 puppet Multiple issues
DSA-2452 apache2 Insecure default configuration
DSA-2453 gajim Multiple issues
DSA-2454 openssl Multiple issues
DSA-2455 typo3-src Cross site scripting
DSA-2456 dropbear Use after free
DSA-2457 iceweasel Multiple issues
DSA-2458 iceape Multiple issues
DSA-2459 quagga Multiple issues
DSA-2460 asterisk Multiple issues
DSA-2461 spip Multiple issues
DSA-2462 imagemagick Multiple issues
DSA-2463 samba Missing permission checks
DSA-2464 icedove Multiple issues

Debian Installer
================

The installer has been rebuilt to include the fixes incorporated into
stable by the point release.

URLs
====

The complete lists of packages that have changed with this revision:

The current stable distribution:

Proposed updates to the stable distribution:

Stable distribution information (release notes, errata etc.):

Security announcements and information:

About Debian
============

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.

Thanks for your support – we’re also linking to the handbook here from Debian-news.net.

Read more here

Highlight: call for DPL helpers
===============================

Before the report, though, let me point out that your friendly
neighborhood DPL could use some help. As discussed during campaign,
there are some intrinsic transparency and scalability limits in the DPL
institution, when run by a single person. Before trying something new to
fix that, I’d like to give a last try to an old “tactic”: calling for
help. If you’re considering running for DPL or if you’re simply
interested in the job the DPL does and willing to help with that, please
let me know. Ideally, if I find a group of people I’m happy to work
with, I’d like to set up periodic IRC meetings with all “DPL helpers” to
publicly discuss items in the DPL agenda and share the work-load.

Ongoing discussions
===================

A big topic of last month has been the proposal [1] by Francesca Ciceri
to publish a diversity statement for the Debian Project. After a lively
discussion on -project, we reached consensus on a text [2], and I’ve
been happy to help with that. To finalize statement publication we now
need to vote on it with a GR [3]. I’ve helped drafting a corresponding
GR proposal that has already been posted to -vote by Francesca. A final
one, looking for seconds, will be posted there soon.

[1]: https://lists.debian.org/debian-project/2012/03/msg00048.html
[2]: https://lists.debian.org/debian-project/2012/04/msg00053.html
[3]: https://lists.debian.org/debian-project/2012/04/msg00088.html

Wrapping up March discussions on a revenue sharing agreement with
DuckDuckGo, I’ve announced my intention [6] to finalize the agreement
and have done so shortly thereafter. The Iceweasel maintainer has
deployed the corresponding search engine query string and other web
browser maintainers could do the same, if they want to.

[6]: https://lists.debian.org/debian-project/2012/04/msg00101.html

In April I’ve also spent some time to move forward the long running
conflict on Python maintenance [4], reported to the tech-ctte more than
2 years ago. With the help of people on the -python mailing list, I’ve
now submitted to the tech-ctte an up to date list of potential
maintenance teams. I hope the tech-ctte now have all the information
needed to come to a decision. Speaking of which, I’m also discussing
with tech-ctte members [15] the possibility of having periodic ctte
meetings; the idea is to ensure that outstanding issues are periodically
reassessed, improving the reliability of tech-ctte decision times.

[4]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573745
[15]: https://lists.debian.org/debian-ctte/2012/04/msg00029.html

I’ve also discussed [5] at length with members of the
pkg-multimedia-maintainers team the relationships with the unofficial
debian-multimedia.org (d-m.o) repository, that have been a cause of
tension for Debian multimedia users and maintainers for quite some time.
On behalf of the team and of the Project I’ve now reached out to the
d-m.o maintainer, hoping to come to some sort of amicable agreement on
which packages belong where.

[5]: http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/2012-April/026063.html

Hardware replacement
====================

As anticipated in last report, I’ve started approving hardware purchases
to implement the yearly hardware replacement plan prepared by DSA.
During April I’ve approved requests to buy servers to replace the
machines running the bugs-master, bugs-mirror, and UDD services. The
total expected expenditure is about 15’000 USD.

Communication
=============

I’ve delivered my classic Debian “18^W 19 years” talk at UNIVPM [16], a
polytechnic university in center Italy; slides are available [10].

[16]: http://www.univpm.it/
[10]: http://upsilon.cc/~zack/talks/2012/20120416-univpm.pdf

I’ve then been contacted by people from the European Synchrotoron [17]
in Grenoble who, beside having recently migrated their infrastructure to
Debian [18], are looking into organizing a workshop on Debian usage for
large science facilities [9]. I’ve been happy to help out providing a
list of potential topics and speakers for the event.

[17]: http://www.esrf.eu/
[18]: http://www.debian.org/News/weekly/2012/09/
[9]: https://lists.debian.org/debian-science/2012/04/msg00044.html

Also as anticipated last month, the Debian Project has been present at
the OpenStack summit. Loic Dachary has represented Debian at the event
and provided a nice report [11] about his experience there. Speaking of
which, I’ve also coordinated a news release [7] about the availability
of cloud technologies in Wheezy, taking the chance to point out the
relationships between what Debian stands for and the ability to deploy
your own private cloud.

[11]: https://lists.debian.org/debian-project/2012/04/msg00096.html
[7]: http://www.debian.org/News/2012/20120425

Sprints
=======

April has been a rather calm month on the sprint front, with the notable
exception of the I18n team who is organizing a sprint for June in Paris
[13,14].

[13]: https://lists.debian.org/debian-i18n/2012/04/msg00101.html
[14]: http://wiki.debian.org/I18n/Sprint2012

Miscellanea
===========

- Google Summer of Code (GSoC) has now started and for Debian is already
quite a success. Wrt last year we doubled the number of student
applications and we jumped from 9 to 15 approved projects. More
details about Debian in GSoC have been posted by Ana [8]. I encourage
all of you to take the chance of GSoC to bond with students and show
them how nice is the Debian community to work with: that’s the prime
trait we need to exhibit to make sure we’ll always have enough
volunteers to run the Debian Project.

[8]: http://ekaia.org/blog/2012/04/27/debian-in-the-google-summer-of-code-2012/

- The one month notice before opening up LDAP dnsZoneEntry [12] has
expired and the field has now been opened by DSA. Practically, this
means that the full listing of *.debian.net entries can now be queried
publicly via LDAP. If anyone would be so kind to provide a script that
does so and produce a nice looking HTML index, we can now publish it
somewhere and replace the perennially out of date page

http://wiki.debian.org/DebianNetDomains

[12]: https://lists.debian.org/debian-devel-announce/2012/03/msg00008.html

Thanks for reading thus far,
HDH! (Happy Debian Hacking)

PS the boring day-to-day activity log for April is available at

– Stefano Zacchiroli zack@{upsilon.cc,pps.jussieu.fr,debian.org} . o .

This post is not for a beginner to Linux servers. You must have some experience with Linux servers to follow these notes.

Read more here