======================================== Sat, 23 Feb 2013 - Debian 6.0.7 released ======================================== ========================================================================= [Date: Sat, 23 Feb 2013 10:11:28 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: elmer | 5.5.0.svn.4499.dfsg-1 | amd64, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, sparc elmer-common | 5.5.0.svn.4499.dfsg-1 | all elmerfem | 5.5.0.svn.4499.dfsg-1 | source libelmer-dev | 5.5.0.svn.4499.dfsg-1 | amd64, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, sparc libelmersolver-6.0 | 5.5.0.svn.4499.dfsg-1 | amd64, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, sparc Closed bugs: 699235 ------------------- Reason ------------------- RoM; licensing problems ---------------------------------------------- ========================================================================= apache2 (2.2.16-6+squeeze10) squeeze-security; urgency=low . [ Arno Töll ] * Backport disable-ssl-compression.patch from Wheezy. This patch disabled SSL compression upon request by introducing a "Compression on|off" directive to mod_ssl. This is to mitigate impact of CRIME attacks to SSL - which is a browser issue, however. See also Debian bug #674142 and #689936. . [ Stefan Fritsch ] * CVE-2012-4557: mod_proxy_ajp: Remote denial of service (temporary, until mod_proxy_ajp's retry timeout expired). apt-show-versions (0.16+squeeze1) stable; urgency=low . * Non-maintainer upload. * Fix bug which caused squeeze-updates and squeeze to mask each other. Thanks to Dominic Hargreaves. (Closes: #623252) * Update the list of official suites. asterisk (1:1.6.2.9-2+squeeze10) stable-security; urgency=high . * Fix typo in patch AST-2012-015 (Closes: #698112, #698118). * Fix an error in patch AST-2012-014 (Javier Serrano Polo). asterisk (1:1.6.2.9-2+squeeze9) stable-security; urgency=high . * Patches backported from Asterisk 1.8.19.1 (Closes: #697230): - Patch AST-2012-014 (CVE-2012-5976) - Crashes due to large memory allocations when using TCP. - Patch AST-2012-015 (CVE-2012-5977) - Denial of Service Through Exploitation of Device State Caching. asterisk (1:1.6.2.9-2+squeeze8) stable-security; urgency=high . * Fix AST-2012-010 backported patch (Closes: #688053) asterisk (1:1.6.2.9-2+squeeze7) stable-security; urgency=low . [ Victor Seva ] * Patch AST-2012-010 : Possible resource leak on uncompleted re-invite transactions. . [ Tzafrir Cohen ] * Patch AST-2012-004-MixMonitor: Accidentally left out of patch AST-2012-004 * Patch AST-2012-012 (CVE-2012-2186): AMI User Shell Access with ExternalIVR * Patch AST-2012-012 (CVE-2012-4737): ACL rules ignored during calls by some IAX2 peers. bacula (5.0.2-2.2+squeeze1) stable-security; urgency=high . * debian/patches/fix_dump_resources_acl.patch, debian/rules: + Fix console ACL's bypass with dump_resource, SA CVE-2012-4430 (Closes: #687923). base-files (6.0squeeze7) stable; urgency=low . * Changed /etc/debian_version to 6.0.7, for Debian 6.0.7 point release. bcron (0.09-11+squeeze1) stable; urgency=high . * debian/diff/0008-bcron-exec-Mark-all-temporary-files-close-...diff: new; from upstream git; bcron-exec: Mark all temporary files close-on-exec and close selfpipe; this fixes a security bug in bcron where cron jobs get access to the temporary output files from all other jobs that are still running (CVE-2012-6110, closes: #686650). bind9 (1:9.7.3.dfsg-1~squeeze9) squeeze-proposed-updates; urgency=low . * Update db.root with new IP for D.root-servers.net. Closes: #697352 bind9 (1:9.7.3.dfsg-1~squeeze8) squeeze-security; urgency=high . * Apply patch extracted from 9.7.6-P4 to fix CVE-2012-5166 bogofilter (1.2.2-2+squeeze1) stable-security; urgency=high . * Cherry-pick fix and test for CVE-2012-5468 (aka bogofilter-SA-2012-01) from upstream release 1.2.3. Setting urgency to high. closes: #695139. bugzilla (3.6.2.0-4.6) stable; urgency=low . * Non-maintainer upload. * bugzilla3: Add Depends: liburi-perl. URI.pm is used during package configuration. (Closes: #646837) choose-mirror (2.37+squeeze1) squeeze; urgency=low . [ Tollef Fog Heen ] * Update URL for master mirror list. . [ Cyril Brulebois ] * Backport the above change from 2.39 to fix FTBFS. Closes: #695851 clamav (0.97.6+dfsg-1~squeeze1) stable; urgency=low . * New upstream release (Closes: #689487) * Update libclamav6 lintian override to match updated soversion clamav (0.97.5+dfsg-6) unstable; urgency=medium . * Urgency medium for RC bug fix the addressess regression from 0.97.3 * Add changes from upstream commit 6a879ad98460303b23a6fc119769a3b463a902f8 to fix unpack errors for various compressed files including some .bz2, .xls, .doc, and PDF (Closes: #684697) claws-mail (3.7.6-4+squeeze1) stable; urgency=low . * patches/99_fix_CVE-2012-4507.patch - Added fix for CVE-2012-4507 from 3.8.1-2 (Closes: #690151) clive (2.2.13-5+squeeze5) squeeze; urgency=low . * Adapt for youtube.com changes. + new patch: 688972-youtube.diff cups (1.4.4-7+squeeze3) stable; urgency=low . [ Didier Raboud ] * Ship cups-files.conf's manpage in cups (Closes: #697543) - Update the configuration files split patch to also build the manpage; - Install the english manpage. * Generate translated cups-files.conf's manpage in the po4a infrastructure. * Minimally update French manpage translation . [ Helge Kreutzmann ] * Update German manpage translation. (Closes: #697860) cups (1.4.4-7+squeeze2) stable-security; urgency=high . * Backport upstream configuration files split: - Add split-configuration-files-STR4223.dpatch - Install the new cups-files.conf Fixes: CVE-2012-5519 (Closes: #692791) * Make cupsd.conf a non-conffile, as it is managed by cups itself. - On new installs, set it up from cupsd.conf.default. - On upgrades, move it away in preinst and move it back in postinst. - On aborted upgrades, move the file back in place. - On purge, delete it too. * Document changes in cups.NEWS. cups-pk-helper (0.1.0-3) stable-security; urgency=high . * [4e1319f] Honor file permissions when uploading/downloading files. This fixes CVE-2012-4510. dbus (1.2.24-4+squeeze2) stable; urgency=low . * CVE-2012-3524: apply patches from upstream 1.6.6 to avoid arbitrary code execution in setuid/setgid binaries that incorrectly use libdbus without first sanitizing the environment variables inherited from their less-privileged caller (Closes: #689070). - As per upstream 1.6.8, do not check filesystem capabilities for now, only setuid/setgid, fixing regressions in certain configurations of gnome-keyring dbus-glib (0.88-2.1+squeeze1) stable; urgency=low . * Apply patch from upstream 0.100.1 to fix insufficient checking leading to authentication bypass in pam_fprintd (CVE-2013-0292) (Closes: #700638) debian-installer-netboot-images (20110106.squeeze4.b3) squeeze; urgency=low . * Rebuild against squeeze-proposed-updates dtach (0.8-2+squeeze1) stable; urgency=low . * Fix CVE-2012-3368: properly handle close request (Closes: #625302). elinks (0.12~pre5-2+squeeze1) stable-security; urgency=low . * Disable Javascript support. It breaks with current Xulrunner and it was mostly unusable anyway. Patches welcome to reinstate it. * Fix CVE-2012-4545 emacs23 (23.2+1-7+squeeze1) stable-security; urgency=high . * Mention the fullscreen "maximized" value in the emacs man page. Thanks to Peter Eisentraut for the report and Sven Joachim for the patch. (closes: #594320) . * Add hack-local-variables-filter-fix-for-bug-12155.diff. Don't eval code when enable-local-variables is :safe. Previously, Emacs might eval forms in file-local variable sections even when the Emacs user option `enable-local-variables' was set to :safe (CVE-2012-3479). Please see the patch for additional details. Thanks to Henri Salo for the report. (Closes: #684695) ettercap (1:0.7.3-2.1+squeeze1) stable; urgency=high . * Quilt patch for CVE-2013-0722, a stack-based buffer overflow when parsing hosts list (closes: #697987) exim4 (4.72-6+squeeze3) stable-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2012-5671: Fix heap-based buffer overflow in DKIM handling. ffmpeg (4:0.5.10-1) stable-security; urgency=low . * New upstream release. New release fixes: (Closes: #688849) - mpeg12: do not decode extradata more than once (CVE-2012-2803) - vp6: properly fail on unsupported feature (CVE-2012-2783) - vp56: release frames on error (CVE-2012-2783) - shorten: Use separate pointers for the allocated memory for decoded samples (CVE-2012-0858) - cavsdec: check for changing w/h (CVE-2012-2777 and CVE-2012-2784) - avidec: use actually read size instead of requested size CVE-2012-2788 - avsdec: Set dimensions instead of relying on the demuxer (CVE-2012-2801) fglrx-driver (1:10-9-3squeeze1) stable; urgency=low . * Fix upgrades from lenny: (Closes: #696155) * fglrx-glx{,-ia32}.preinst: Create diversions on upgrades, too. * fglrx-driver.preinst: Move removal of old libdri.so diversion to postinst. The fglrx-driver package in lenny shipped the diverted file, so on upgrades from lenny this still exists at the time the preinst is run. * fglrx-glx-ia32.postinst: Remove obsolete diversions in /emul/ia32-linux created by the packages in lenny. flashplugin-nonfree (1:2.8.2+squeeze1) stable; urgency=low . * update-flashplugin-nonfree: Added use of "gpg --verify" to notice files without signature. Thanks to Ansgar Burchardt for reporting the security issue (via private e-mail on 13 Dec 2012). fusionforge (5.0.2-5+squeeze1) stable; urgency=low . * Non-maintainer upload with maintainer approval. * gforge-web-apache2: Add Breaks/Replaces: gforge-common (<< 4.8). Avoid a file conflict during upgrades from lenny due to files being moved around between packages. (Closes: #696369) ganglia (3.1.7-1+squeeze1) stable-security; urgency=high . * Non-maintainer upload. * Fix for path traversal issue when supplying name of a graph web/graph.php: Check for path traversal issues by making sure real path is actually in graphdir. Fixes CVE-2012-3448. Fix backported from ganglia 3.1.8. (Closes: #683584) ghostscript (8.71~dfsg2-9+squeeze1) stable-security; urgency=low . * CVE-2012-4405 gmime2.2 (2.2.25-2+squeeze1) stable; urgency=low . * Non-maintainer upload. * libgmime-2.0-2a: Add Conflicts: libgmime2.2-cil to ensure the obsolete package from lenny that is incompatible with mono-gac/squeeze gets removed on upgrades. (Closes: #696375) gnupg (1.4.10-4+squeeze1) stable-security; urgency=high . * Apply upstream patch to fix memory and key database corruption when importing with invalid keys (CVE-2012-6085, closes: #697108). gnupg2 (2.0.14-2+squeeze1) stable-security; urgency=high . * debian/patches/04-cve-2012-6085.diff: Patch from upstream to fix CVE-2012-6085, "gnupg key import memory corruption". (Closes: #697251) * debian/rules: Remove linking of config.{guess,sub} and creation of the version file on clean that breaks newer dpkg-source. gzip (1.3.12-9+squeeze1) stable; urgency=low . * Non-maintainer upload to stable. * Backport upstream patch to avoid using memcpy on overlapping memory regions. (Closes: #627121) hostapd (1:0.6.10-2+squeeze1) stable-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix DoS via specially crafted EAP-TLS messages with longer message length than TLS data length. ia32-libs (20130215) stable; urgency=low . * Packages updated . [ cups (1.4.4-7+squeeze2) stable-security; urgency=high ] . * Backport upstream configuration files split: - Add split-configuration-files-STR4223.dpatch - Install the new cups-files.conf Fixes: CVE-2012-5519 (#692791) * Make cupsd.conf a non-conffile, as it is managed by cups itself. - On new installs, set it up from cupsd.conf.default. - On upgrades, move it away in preinst and move it back in postinst. - On aborted upgrades, move the file back in place. - On purge, delete it too. * Document changes in cups.NEWS. . [ libexif (0.6.19-1+squeeze1) stable-security; urgency=high ] . * Non-maintainer upload by the Security Team. * Cherry pick changes for CVE-2012-2814, CVE-2012-2840, CVE-2012-2813, CVE-2012-2812, CVE-2012-2841, CVE-2012-2836, CVE-2012-2837. (backport patches for fix-CVE-2012-2814, fix-CVE-2012-2836, fix-CVE-2012-2837) . [ libxml2 (2.7.8.dfsg-2+squeeze6) stable-security; urgency=high ] . [ Daniel Veillard ] * Fix potential out of bound access CVE-2012-5134, #694521. . [ libxslt (1.1.26-6+squeeze2) stable-security; urgency=high ] . * Patch to fix three CVEs (#689422): - CVE-2012-2870 by Daniel Veillard and Chris Evans - CVE-2012-2871 by Daniel Veillard - CVE-2012-2893 by Chris Evans . [ libxslt (1.1.26-6+squeeze1) stable; urgency=low ] . [ Daniel Veillard ] * Fix generate-id() to not expose object addresses CVE-2011-1202, #617413. . [ Abhishek Arya ] * Fix some case of pattern parsing errors CVE-2011-3970, #660650. . [ Chris Evans ] * [PATCH] Fix crash with unexpected DTD nodes in XSLT. CVE-2012-2825, #679283. . [ nss (3.12.8-1+squeeze6) stable-security; urgency=low ] . * Explicitly distrust two intermediate CA certificates mis-issued by TURKTRUST. . [ openssl (0.9.8o-4squeeze14) squeeze-security; urgency=low ] . * Fix CVE-2013-0166 and CVE-2013-0169 . [ tiff (3.9.4-5+squeeze8) stable-security; urgency=high ] . * Add fix for CVE-2012-5581, reimplementing DOTRANGE handling to make it safer. Thanks to Red Hat security team for backporting the fix. . [ tiff (3.9.4-5+squeeze7) stable-security; urgency=high ] . * Add fix for CVE-2012-4564, a heap-buffer overflow. Thanks Adrian La Duca for doing all the work to prepare this upload. (#692345) . [ tiff (3.9.4-5+squeeze6) stable-security; urgency=high ] . * Add fix for CVE-2012-4447, a buffer overrun. (#688944) * CVE-2012-2088 was actually included in previous version but not listed in the change log. . [ tiff (3.9.4-5+squeeze5) stable-security; urgency=high ] . * Added several additional security patches taken from the Ubuntu Natty (11.04) tiff package. (#678140) . CVE-2010-2482 CVE-2010-2595 CVE-2010-2597 CVE-2010-2630 CVE-2010-4665 CVE-2012-2113 CVE-2012-3401 ia32-libs-core (20130211) stable; urgency=low . * Packages updated . [ bzip2 (1.0.5-6+squeeze1) stable; urgency=low ] . * Non-maintainer upload by the Security Team * Fix CVE-2011-4089, thanks to vladz (#632862) . [ eglibc (2.11.3-4) stable; urgency=low ] . * Enable patches/any/cvs-dlopen-tls.diff, not enabled by mistake. #637239. * patches/any/cvs-FORTIFY_SOURCE-format-strings.diff: new patch from upstream to fix FORTIFY_SOURCE format string protection bypass. #660611. * patches/any/local-sunrpc-dos.diff: fix a DoS in RPC implementation (CVE-2011-4609). #671478. . [ eglibc (2.11.3-3) stable; urgency=low ] . * patches/any/cvs-tzfile.diff: fix integer overflow in timezone code. (CVE-2009-5029). #650790. * patches/any/submitted-resolv-first-query-failure.diff: new patch to fix resolving issues with broken servers returning NOTIMP or FORMERR to AAAA queries. #658171. * local/manpages/gai.conf.5: update from latest RedHat version. #659504. . [ eglibc (2.11.3-2) stable; urgency=low ] . * Add patches/arm/cvs-tls-unallocated.diff and patches/mips/cvs-tls-unallocated.diff to fix FTBFS on armel, mips and mipsel. . [ eglibc (2.11.3-1) stable; urgency=low ] . * Update from stable upstream version, and update from the upstream stable branch: - fix wrong memmove/bcopy optimization with gcc-4.6. #619963. - fix an integer overflow in fnmatch() (CVE-2011-1659). #626370. - fix spurious warning in bswap_16() with -Wconversion. #561249. - fix auxiliary cache file creation. #588218. - fix memory corruption in fnmatch() that can lead to code execution (CVE-2011-1071). #615120 - fix strchr() on x86-64 CPU with SSE4.2. #635885 * Update patches: - patches/locale/locale-print-LANGUAGE.diff - patches/hppa/local-stack-grows-up.diff - patches/m68k/cvs-tls-support.patch - patches/any/local-disable-test-tgmath2.diff - patches/any/submitted-longdouble.diff - patches/any/submitted-bits-fcntl_h-at.diff - patches/kfreebsd/local-readdir_r.diff * Drop obsolete patches: - patches/any/cvs-redirect-throw.diff - patches/any/cvs-flush-cache-textrels.diff - patches/hurd-i386/cvs-linkat.diff - patches/hurd-i386/cvs-select.diff - patches/sparc/submitted-epoll.diff - patches/any/cvs-dont-expand-dst-twice.diff - patches/amd64/cvs-avx-tcb-alignment.diff - patches/any/submitted-etc-resolv.conf.diff - patches/any/cvs-audit-suid.diff * kfreebsd/local-sysdeps.diff, update to r3763 (from squeeze glibc-bsd). - fixes LD_PRELOAD with a kfreebsd-9 kernel. #630695. - uses upstream RFTSIGZMB for exit signal selection when available. - fixes a crash in if_nameindex() with more than 3 interfaces. - alter faccessat() X_OK tests similarly as access(). See #640334. - fix __libc_sa_len() for AF_LOCAL. See #645527. * Fix preinst script wrt 3.0 kernel. Patch by Colin Watson. #630077. * Update submitted-resolv.conf-thread.diff from upstream to fix a deadlock in some rare cases. * Add patches/any/cvs-resolv-different-nameserver.diff and patches/any/submitted-resolv-assert.diff to try a different nameserver if the first one returns REFUSED. #535504. * Add patches/any/cvs-getaddrinfo-single-lookup.diff to fix fallback to single lookup dns requests. #541167. * Add patches/any/cvs-pthread-setgroups.diff to fix setgroups() with multiple threads. * Add debian/patches/cvs-dl_close-scope-handling.diff from upstream to fix issues with dl_close() when resolving locally-defined symbols. #625250. * patches/i386/local-cpuid-level2.diff: fix a typo. #609389. * patches/any/cvs-nptl-pthread-race.diff: fix a race in NPTL code that sometimes causes a deadlock when calling fork() from a thread. * patches/amd64/cvs-avx-detection.diff: do not use AVX if hardware support is present, but not enabled in the kernel. #646549. * patches/any/cvs-statvfs-mount-flags.diff: get the mount flags directly from the kernel when possible instead of parsing /proc/mounts. #639897. * patches/any/cvs-dlopen-tls.diff: fix handling of static TLS in dlopen'ed objects. #637239. . [ icu (4.4.1-8) stable-security; urgency=high ] . * Add patch to address CVE-2011-4599, a potential buffer overflow. iceape (2.0.11-17) stable-security; urgency=low . * Fixes for mfsa2012-{91,93,101,105}, also known as CVE-2012-5842, CVE-2012-4201, CVE-2012-4207, CVE-2012-5829, CVE-2012-4216. * Added hard-blocklist for https://addons.mozilla.org/en-US/firefox/blocked/i162 iceape (2.0.11-16) stable-security; urgency=low . * Fixes for mfsa2012-{74,77,81,85-87}, also known as CVE-2012-3982, CVE-2012-3986, CVE-2012-3991, CVE-2012-4179, CVE-2012-4180, CVE-2012-4182, CVE-2012-4186, CVE-2012-4188, CVE-2012-3990. * Fixes a regression crash from the fix for CVE-2012-3959. iceape (2.0.11-15) stable-security; urgency=low . * Fixes for mfsa2012-{57-58,63,65,70}, also known as CVE-2012-1970, CVE-2012-1972, CVE-2012-1973, CVE-2012-1974, CVE-2012-1975, CVE-2012-1976, CVE-2012-3959, CVE-2012-3962, CVE-2012-3969, CVE-2012-3972, CVE-2012-3978. icedove (3.0.11-1+squeeze15) stable-security; urgency=high . * [e3162df] backported patches from xulrunner fixes mfsa2012-{91,93,101,105} - MFSA 2012-91 aka CVE-2012-5842: Miscellaneous memory safety hazards (rv:17.0/ rv:10.0.11) - MFSA 2012-93 aka CVE-2012-4201: evalInSanbox location context incorrectly applied - MFSA 2012-101 aka CVE-2012-4207: Improper character decoding in HZ-GB-2312 charset - MFSA 2012-103 aka CVE-2012-4216, CVE-2012-5829: Frames can shadow top.location icedove (3.0.11-1+squeeze14) stable-security; urgency=low . * [db8ce96] backported patches from xulrunner fixes mfsa2012-{74,77,81,85-87} - MFSA 2012-74 aka CVE-2012-3982: Miscellaneous memory safety hazards (rv:16.0/ rv:10.0.8) - MFSA 2012-77 aka CVE-2012-3986: Some DOMWindowUtils methods bypass security checks - MFSA 2012-81 aka CVE-2012-3991: GetProperty function can bypass security checks - MFSA 2012-85 aka CVE-2012-4179, CVE-2012-4180, CVE-2012-4182: Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer - MFSA 2012-86 aka CVE-2012-4186, CVE-2012-4188: Heap memory corruption issues found using Address Sanitizer - MFSA 2012-87 aka CVE-2012-3990: Use-after-free in the IME State Manager icedove (3.0.11-1+squeeze13) stable-security; urgency=high . * [9738634] backported patches from xulrunner fixes mfsa2012-{57,58,63,65,70} - MFSA 2012-57 aka CVE-2012-1970: Miscellaneous memory safety hazards (rv:15.0/ rv:10.0.7) - MFSA 2012-58 aka CVE-2012-1972, CVE-2012-1973, CVE-2012-1974, CVE-2012-1975, CVE-2012-1976, CVE-2012-3959, CVE-2012-3962: Use-after-free issues found using Address Sanitizer - MFSA 2012-63 aka CVE-2012-3969: SVG buffer overflow and use-after-free issues - MFSA 2012-65 aka CVE-2012-3972: Out-of-bounds read in format-number in XSLT - MFSA 2012-70 aka CVE-2012-3978: Location object security checks bypassed by chrome code iceweasel (3.5.16-20) stable-security; urgency=low . * Fixes for mfsa2012-{91,93,101,105}, also known as CVE-2012-5842, CVE-2012-4201, CVE-2012-4207, CVE-2012-5829, CVE-2012-4216. * Added hard-blocklist for https://addons.mozilla.org/en-US/firefox/blocked/i162 iceweasel (3.5.16-19) stable-security; urgency=low . * Fixes for mfsa2012-{74,77,81,85-87}, also known as CVE-2012-3982, CVE-2012-3986, CVE-2012-3991, CVE-2012-4179, CVE-2012-4180, CVE-2012-4182, CVE-2012-4186, CVE-2012-4188, CVE-2012-3990. * Fixes a regression crash from the fix for CVE-2012-3959. iceweasel (3.5.16-18) stable-security; urgency=low . * Fixes for mfsa2012-{57-58,63,65,70}, also known as CVE-2012-1970, CVE-2012-1972, CVE-2012-1973, CVE-2012-1974, CVE-2012-1975, CVE-2012-1976, CVE-2012-3959, CVE-2012-3962, CVE-2012-3969, CVE-2012-3972, CVE-2012-3978. ircd-hybrid (1:7.2.2.dfsg.2-6.2+squeeze1) stable-security; urgency=high . * [CVE-2013-0238] fix DoS in hostmask.c:try_parse_v4_netmask() (Closes: #699267) ircd-ratbox (3.0.6.dfsg-2+squeeze1) stable-security; urgency=high . * Applied security fix for CVE-2012-6084 using r27411 in upstream SVN (Closes: #697093). isc-dhcp (4.1.1-P1-15+squeeze8) squeeze-security; urgency=high . * Non-maintainer upload. * Fix DoS in some situations via changing IPv6 lease expiration times (CVE-2012-3955). kfreebsd-8 (8.1+dfsg-8+squeeze4) stable-proposed-updates; urgency=low . [ Steven Chamberlain ] * Apply patch for SA-12:08 / CVE-2012-4576: memory access without proper validation in linux compat system (Closes: #694096) libbusiness-onlinepayment-ippay-perl (0.05~02-2+squeeze1) stable-proposed-updates; urgency=low . * Team upload. * Backport changes to IPPay gateway's server name and path. Thanks to Ivan Kohler for preparing the backport. (Closes: #691723) libcgi-pm-perl (3.49-1squeeze2) stable-security; urgency=high . * Team upload. * Add 0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch [SECURITY] CVE-2012-5526: Newline injection due to improper CRLF escaping in Set-Cookie and P3P headers. Thanks to Niko Tyni (Closes: #693421) libexif (0.6.19-1+squeeze1) stable-security; urgency=high . * Non-maintainer upload by the Security Team. * Cherry pick changes for CVE-2012-2814, CVE-2012-2840, CVE-2012-2813, CVE-2012-2812, CVE-2012-2841, CVE-2012-2836, CVE-2012-2837. (backport patches for fix-CVE-2012-2814, fix-CVE-2012-2836, fix-CVE-2012-2837) libproc-processtable-perl (0.45-1+squeeze1) stable; urgency=low . * Team upload. * [SECURITY] CVE-2011-4363: Fix unsafe temporary file usage (Closes: #650500) libproxy (0.3.1-2+squeeze1) stable-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix cve-2012-4505: buffer overflo in lib/pac.c. libssh (0.4.5-3+squeeze1) stable-security; urgency=high . * Stable security update: Fix possible denial of service and code execution via buffer overflows and double frees (CVE-2012-4559, CVE-2012-4561, CVE-2012-4562) libupnp (1:1.6.6-5+squeeze1) stable-security; urgency=high . * Non-maintainer upload by the Security Team. * debian/patches/0001-Security-fix-for-CERT-issue-VU-922681 added, fix various stack-based buffer overflows in service_unique_name() function. This fix CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961, CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965. closes: #699316 libupnp4 (1.8.0~svn20100507-1+squeeze1) stable-security; urgency=high . * Non-maintainer upload by the Security Team. * debian/patches/0001-Security-fix-for-CERT-issue-VU-922681 added, fix various stack-based buffer overflows in service_unique_name() function. This fix CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961, CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965. closes: #699459 libxml2 (2.7.8.dfsg-2+squeeze6) stable-security; urgency=high . [ Daniel Veillard ] * Fix potential out of bound access CVE-2012-5134, Closes: #694521. libxslt (1.1.26-6+squeeze2) stable-security; urgency=high . * Patch to fix three CVEs (Closes: #689422): - CVE-2012-2870 by Daniel Veillard and Chris Evans - CVE-2012-2871 by Daniel Veillard - CVE-2012-2893 by Chris Evans libzorpll (3.3.0.12-4+squeeze1) stable; urgency=low . * Non-maintainer upload. * libzorpll-dev: Add (unversioned) Breaks/Replaces: libzorp2-dev due to a file conflict. libzorp2-dev was removed after lenny and now libzorpll-dev ships /usr/include/zorp/streamblob.h. (Closes: #693984) lighttpd (1.4.28-2+squeeze1.2) stable-security; urgency=high . * Fix numbering issue with the newly added configuration option. Thanks Wessel Dankers. lighttpd (1.4.28-2+squeeze1.1) stable-security; urgency=high . * Non-maintainer upload by the security team. * Backport upstream fixes for SSL attacks: + Disable client triggered renegotiation by default (CVE-2009-3555). Can be re-enabled with ssl.disable-client-renegotiation = "disable". + Disable SSL compression at build time (CVE-2012-4929, 'CRIME'). (closes: #700399) linux-2.6 (2.6.32-48) stable; urgency=low . * [s390] s390/time: fix sched_clock() overflow (Closes: #698382) * Revert "time: Avoid making adjustments if we haven't accumulated anything" (Closes: #699112, regression in 2.6.32.60) * exec: Fix accounting of execv*() memory after vfork() (Closes: #700486) * r8169: Fix bugs that can cause an interface to hang (possible fix for: #617220, #642025) - r8169: missing barriers. - r8169: fix unsigned int wraparound with TSO - r8169: remove the obsolete and incorrect AMD workaround linux-2.6 (2.6.32-47) stable; urgency=low . [ Ben Hutchings ] * [x86] ALSA: hda_intel: Add device/class IDs for Intel Patsburg, Vortex86MX, VMware, Intel Panther Point and other Intel chips (Closes: #689928) * header: fix broken headers for user space (Closes: #692133) * nfsv4: Fix kernel panic when mounting NFSv4 (Closes: #695872) * hpsa: Backport changes up to Linux 3.2.35 (Closes: #690100) * net: fix route cache rebuilds (Closes: #646063) * Add longterm release 2.6.32.60, including: - netxen: support for GbE port settings (Closes: #638921) - futex: Fix uninterruptible loop due to gate_area - time: Improve sanity checking of timekeeping inputs - eCryptfs: Copy up lower inode attrs after setting lower xattr - eCryptfs: Clear ECRYPTFS_NEW_FILE flag during truncate - bonding: 802.3ad - fix agg_device_up - usbnet: increase URB reference count before usb_unlink_urb - usbnet: don't clear urb->dev in tx_complete - xfs: Fix missing xfs_iunlock() on error recovery path in xfs_readlink() - nilfs2: fix NULL pointer dereference in nilfs_load_super_block() - ntp: Fix integer overflow when setting time - ext4: check for zero length extent - Bluetooth: add NULL pointer check in HCI - Bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close - phonet: Check input from user before allocating - netlink: fix races after skb queueing - net: fix a race in sock_queue_err_skb() - net/ethernet: ks8851_mll fix rx frame buffer overflow - NFSv4: Revalidate uid/gid after open (Closes: #659111) - ext3: Fix error handling on inode bitmap corruption - ext4: fix error handling on inode bitmap corruption - SCSI: fix scsi_wait_scan - fuse: fix stat call on 32 bit platforms - udf: Improve table length check to avoid possible overflow - eCryptfs: Properly check for O_RDONLY flag before doing privileged open - mm: Hold a file reference in madvise_remove (CVE-2012-3511) - SCSI: Avoid dangling pointer in scsi_requeue_command() - usbdevfs: Correct amount of data copied to user in processcompl_compat - ext4: don't let i_reserved_meta_blocks go negative - sctp: Fix list corruption resulting from freeing an association on a list - cipso: don't follow a NULL pointer when setsockopt() is called - net/tun: fix ioctl() based info leaks - futex: Test for pi_mutex on fault in futex_wait_requeue_pi() - futex: Fix bug in WARN_ON for NULL q.pi_state - futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi() - mm: mmu_notifier: fix freed page still mapped in secondary MMU - fuse: verify all ioctl retry iov elements - vfs: missed source of ->f_pos races - compat_sys_{read,write}v() - NFSv3: Ensure that do_proc_get_root() reports errors correctly - Remove user-triggerable BUG from mpol_to_str - udf: Fix data corruption for files in ICB - ext3: Fix fdatasync() for files with only i_size changes - dccp: check ccid before dereferencing - [ia64] Add accept4() syscall (Closes: #647825) - tcp: drop SYN+FIN messages - [x86] amd, xen: Avoid NULL pointer paravirt references - [x86] tls: Off by one limit check - sparc64: Eliminate obsolete __handle_softirq() function - udf: fix retun value on error path in udf_load_logicalvol - epoll: introduce POLLFREE to flush ->signalfd_wqh before kfree() - epoll: ep_unregister_pollwait() can use the freed pwq->whead - Don't limit non-nested epoll paths - epoll: limit paths (CVE-2011-1083) - epoll: clear the tfile_check_list on -ELOOP (CVE-2012-3375) - random: Improve random number generation on non-interactive systems + random: Use arch_get_random_int instead of cycle counter if avail + random: Use arch-specific RNG to initialize the entropy store + random: make 'add_interrupt_randomness()' do something sane + usb: feed USB device information to the /dev/random driver + net: feed /dev/random with the MAC address when registering a device + rtc: wm831x: Feed the write counter into device_add_randomness() + mfd: wm831x: Feed the device UUID into device_add_randomness() + dmi: Feed DMI table to /dev/random driver For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.60 and the bug report which this closes: #698022. - [ia64] Revert "pcdp: use early_ioremap/early_iounmap to access pcdp table", which breaks compilation of this driver * [x86] Don't use the EFI reboot method by default (Closes: #626022) * [x86] drm/i915: Attempt to fix watermark setup on 85x (v2) (Closes: #661696) * [x86] isci: Backport changes up to Linux 3.2.35 (Closes: #698094) * [amd64] rtl8192e: Fix transmit on 64-bit architectures (Closes: #698473) * [x86] usbip: Fix loss of isochronous packets that require padding (Closes: #698474) * staging: Fix various log messages that were broken on 64-bit architectures (Closes: #698475) * [x86] xen/x86: don't corrupt %eip when returning from a signal handler * [i386] xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests. (CVE-2013-0190) . [ Jonathan Nieder ] * megaraid_sas: Backport changes up to Linux 3.0.56 (Closes: #666108) linux-kernel-di-amd64-2.6 (1.76+squeeze9) stable; urgency=low . * Built against version 2.6.32-48 of linux-2.6. linux-kernel-di-armel-2.6 (1.56+squeeze9) stable; urgency=low . * Built against version 2.6.32-48 of linux-2.6. linux-kernel-di-i386-2.6 (1.99+squeeze9) stable; urgency=low . * Built against version 2.6.32-48 of linux-2.6. linux-kernel-di-ia64-2.6 (1.63+squeeze9) stable; urgency=low . * Built against version 2.6.32-48 of linux-2.6. linux-kernel-di-mips-2.6 (1.31+squeeze9) stable; urgency=low . * Built against version 2.6.32-48 of linux-2.6. linux-kernel-di-mipsel-2.6 (1.31+squeeze9) stable; urgency=low . * Built against version 2.6.32-48 of linux-2.6. linux-kernel-di-powerpc-2.6 (1.76+squeeze9) stable; urgency=low . * Built against version 2.6.32-48 of linux-2.6. linux-kernel-di-s390-2.6 (0.59+squeeze9) stable; urgency=low . * Built against version 2.6.32-48 of linux-2.6. linux-kernel-di-sparc-2.6 (1.64+squeeze9) stable; urgency=low . * Built against version 2.6.32-48 of linux-2.6. magpierss (0.72-8+squeeze2) stable-proposed-updates; urgency=high . * Fails to upgrade from 'lenny' (Closes: #694052) mahara (1.2.6-2+squeeze6) stable-security; urgency=low . * SECURITY UPDATE: Fix XSS in pagination URL - debian/patches/CVE-2012-2253.patch: upstream patch . * SECURITY UPDATE: Disable XML entity parsing to prevent XEE - debian/patches/CVE-2012-2239.patch: upstream patch . * SECURITY UPDATE: Multiple cross-site scripting vulnerabilities - Content passed to the error message was not escaped - Escape pieform errors displayed to users - debian/patches/CVE-2012-2243-0001.patch: upstream patch - XHTML files prone to embedded javascript - Prevent uploaded xhtml files from displaying verbatim - debian/patches/CVE-2012-2243-0002.patch: upstream patch . * SECURITY UPDATE: Arbitrary file execution via clam path - Remove executable bit from existing uploaded files - debian/patches/CVE-2012-2244-0001.patch: upstream patch - Ensure future files will not be executable - debian/patches/CVE-2012-2244-0002.patch: upstream patch - Remove direct path option from web configuration - debian/patches/CVE-2012-2244-0003.patch: upstream patch . * SECURITY UPDATE: Prevent click-jacking attacks - Add a HTTP header of X-Frame-Options to every page - debian/patches/CVE-2012-2246.patch: upstream patch . * SECURITY UPDATE: Prevent SVG images being displayed - SVG images displayed inline - Adds SVG files to the list of files to not display by default - debian/patches/CVE-2012-2247.patch: upstream patch maradns (1.4.03-1.1+squeeze1) stable; urgency=low . * Non-maintainer upload. * Backport fix from upstream for CVE-2012-1570 (deleted domain record cache persistence flaw). Closes: #665012 mediawiki (1:1.15.5-2squeeze5) stable; urgency=low . [ Dominik George ] * Security fixes from upstream (Closes: #694998): - CVE-2012-5391 - Prevent session fixation in Special:UserLogin - Prevent linker regex from exceeding backtrack limit mediawiki-extensions (2.3squeeze2) stable-security; urgency=high . * RSSReader: Protect against an injection attack by malicious feeds (CLoses: #696179) moin (1.9.3-1+squeeze4) stable-security; urgency=high . * Another security fix from upstream: + fix path traversal vulnerability in AttachFile action (CVE-2012-XXXX). moodle (1.9.9.dfsg2-2.1+squeeze4) stable; urgency=low . * Minor security updates. * Backporting security fixes from MOODLE_19_STABLE: - CVE-2012-1155 - MSA-12-0013: database activity module entries exporting does not respect separate groups (Closes: #668411). - CVE-2012-2362 - MSA-12-0033: XSS bug in blog/index.php in IE. - CVE-2012-2363 - MSA-12-0034: Stored SQL Injection in calendar. - CVE-2012-2367 - MSA-12-0038: Calendar New Entry still shows and works for roles preventing calendar entry. (Closes: #674163) movabletype-opensource (4.3.8+dfsg-0+squeeze3) stable-security; urgency=low . * Include patch fixing remote execution and SQL injection vulnerability in mt-upgrade.cgi (closes: #697666) nagios3 (3.2.1-2+squeeze1) squeeze-security; urgency=low . * Non-maintainer upload. * Backport 99_security_cve_2012_6096.dpatch for Squeeze, fixes a buffer overflow crasher (Closes: #697930) CVE-2012-6096 nautilus (2.30.1-2squeeze2) stable; urgency=low . * Non-maintainer upload. * libnautilus-extension1: Add Breaks: samba-common (<< 2:3.5) to fix an upgrade path from lenny involving nautilus-share where lenny's apt would fail with "Error, pkgProblemResolver::Resolve generated breaks, this may be caused by held packages.". (Closes: #698775) nginx (0.7.67-3+squeeze3) stable-security; urgency=high . * debian/patches/CVE-2012-4929.diff: + Fixes the vulnerability to CRIME SSL attack. See: CVE-2012-4929 for more details.(Closes: #700426). nss (3.12.8-1+squeeze6) stable-security; urgency=low . * Explicitly distrust two intermediate CA certificates mis-issued by TURKTRUST. openconnect (2.25-0.1+squeeze2) stable-security; urgency=high . * debian/patches/02_CVE-2012-6128.patch: Backport patch from upstream to fix buffer overflow (CVE-2012-6128). openldap (2.4.23-7.3) stable; urgency=low . * Non-maintainer upload targeted at stable * Dump the database in prerm if we're upgrading. Closes: #665199 openoffice.org (1:3.2.1-11+squeeze8) stable-security; urgency=high . * debian/patches/CVE-2012-4233.diff: fix CVE-2012-4233 / HTB23106 openssh (1:5.5p1-6+squeeze3) stable; urgency=low . * CVE-2010-5107: Improve DoS resistance by changing default of MaxStartups to 10:30:100 (closes: #700102). openssl (0.9.8o-4squeeze14) squeeze-security; urgency=low . * Fix CVE-2013-0166 and CVE-2013-0169 pam-pgsql (0.7.1-4+squeeze2) stable-proposed-updates; urgency=low . * Fix "CVE-2013-0191: NULL password query result permits login with any password" by adding patch debian/patches/fix-698241-null-passwort-result-permits-login.patch from upstream bug tracker (Closes: #698241) pam-shield (0.9.2-3.3~squeeze1) stable; urgency=low . * Upload to stable; no other changes. perl (5.10.1-17squeeze5) stable; urgency=low . * [SECURITY] CVE-2012-6329: Fix misparsing of maketext strings which could allow arbitrary code execution from untrusted maketext templates (Closes: #695224) perl (5.10.1-17squeeze4) stable-security; urgency=low . * [SECURITY] CVE-2012-5195: fix a heap buffer overrun with the 'x' string repeat operator. (Closes: #689314) * [SECURITY] CVE-2012-5526: CGI.pm improper cookie and p3p CRLF escaping (Closes: #693420) * [SECURITY] add warning to Storable documentation that Storable documents should not be accepted from untrusted sources (Closes: #695223) polarssl (0.12.1-1squeeze1) stable-security; urgency=low . * Security fix for CVE-2013-0169: Lucky 13 TLS protocol timing flaw including CVE-2013-1621 and CVE-2013-1622, backported from upstream diff from 1.2.4 to 1.2.5. (Closes: #699887) poppler (0.12.4-1.2+squeeze1) stable; urgency=low . * Add myself as uploader. * Fix CVE-2010-0206. * Fix CVE-2010-0207; patch adapted to be API-/ABI-compatible. * Fix CVE-2010-4653; patch adapted to include object.h instead of goo/GooLikely.h (non-existent in poppler 0.12.x). * Backport upstream commits 7ba15d11e56175601104d125d5e4a47619c224bf and 55940e989701eb9118015e30f4f48eb654fa34c4 to fix GooString::insert; patch upstream_fix-GooString-insert.diff. (Closes: #693817) * Correctly initialize PSOutputDev::fontFileNameLen and PSOutputDev::psFileNames; patch psoutputdev-initialize-vars.diff. (Closes: #699421) portmidi (1:184-2+squeeze1) stable; urgency=low . * Non-maintainer upload. * debian/patches/11-pmlinuxalsa.patch: - Avoid SIGSEGV when it receives data for devices which might have already been closed. (Closes: #695842) - Fix some other pointer issues: + alsa_in_close() didn't clear midi-descriptor. + Some other uses of midi->descriptor didn't do NULL-check of the pointer. postgresql-8.4 (8.4.15-0squeeze1) stable; urgency=low . * New upstream bug fix release: - Fix multiple bugs associated with "CREATE INDEX CONCURRENTLY" Fix "CREATE INDEX CONCURRENTLY" to use in-place updates when changing the state of an index's pg_index row. This prevents race conditions that could cause concurrent sessions to miss updating the target index, thus resulting in corrupt concurrently-created indexes. Also, fix various other operations to ensure that they ignore invalid indexes resulting from a failed "CREATE INDEX CONCURRENTLY" command. The most important of these is "VACUUM", because an auto-vacuum could easily be launched on the table before corrective action can be taken to fix or remove the invalid index. - See HISTORY/changelog.gz for details about other bug fixes. postgresql-8.4 (8.4.14-1) unstable; urgency=low . * debian/watch: Update so that this actually works again. Adjusted from current -9.2 watch file. * New upstream bug fix release: - Fix handling of SIGFPE when PL/Perl is in use. Perl resets the process's SIGFPE handler to SIG_IGN, which could result in crashes later on. Restore the normal Postgres signal handler after initializing PL/Perl. - Prevent PL/Perl from crashing if a recursive PL/Perl function is redefined while being executed. - Work around possible misoptimization in PL/Perl. Some Linux distributions contain an incorrect version of "pthread.h" that results in incorrect compiled code in PL/Perl, leading to crashes if a PL/Perl function calls another one that throws an error. postgresql-8.4 (8.4.13-1) unstable; urgency=low . * New upstream release. There are no effective changes for PL/Perl, but we need a version in unstable/wheezy which is larger than the version in squeeze, otherwise the upgrade will fail. proftpd-dfsg (1.3.3a-6squeeze6) stable-security; urgency=low . * Fixed patch 3841 to include the new pr_fsio_lchown() function to correctly backport changes. qemu (0.12.5+dfsg-3squeeze3) stable-security; urgency=low . * CVE-2012-6075 fix (Closes: #696051): e1000-discard-packets-that-are-too-long-if-not-SBP-and-not-LPE.patch e1000-discard-oversized-packets-based-on-SBP_LPE.patch qemu-kvm (0.12.5+dfsg-5+squeeze10) stable-security; urgency=low . * CVE-2012-6075 fix (Closes: #696051): e1000-discard-packets-that-are-too-long-if-not-SBP-and-not-LPE.patch e1000-discard-oversized-packets-based-on-SBP_LPE.patch radsecproxy (1.4-1+squeeze1) stable-security; urgency=high . * Backport two security fixes from 1.6.1/1.6.2: - When verifying clients, don't consider config blocks with CA settings ('tls') which differ from the one used for verifying the certificate chain (RADSECPROXY-43, CVE-2012-4523). Reported by Ralf Paffrath. - Fix the issue with verification of clients when using multiple 'tls' config blocks for DTLS too (RADSECPROXY-43, CVE-2012-4566). Reported by Raphael Geissert. rails (2.3.5-1.2+squeeze7) stable-security; urgency=high . * Team upload. * Add debian/patches/CVE-2013-0276.patch to avoid circumvention of attr_protected. * Add debian/patches/CVE-2013-0277.patch to fix DoS/arbitrary code execution vulnerability with YAML serialized attributes. rails (2.3.5-1.2+squeeze6) stable-security; urgency=high . * Team upload. * debian/patches/CVE-2013-0333.patch: fix vulnerability in JSON Parser that would allow attackers to do very nasty things (Closes: #699226). rails (2.3.5-1.2+squeeze5) stable-security; urgency=high . * Team upload. * debian/patches/CVE-2013-0155.patch: fix for Unsafe Query Generation Risk. It turns out that the 2.3 series is also vulnerable. rails (2.3.5-1.2+squeeze4.1) stable-security; urgency=high . * Non-maintainer upload. * debian/patches/CVE-2013-0156.patch: fix remote execution (Closes: #697722) rails (2.3.5-1.2+squeeze4) stable-security; urgency=high . * Team upload. * debian/patches/2-3-dynamic_finder_injection.patch: add upstream patch for SQL injection vulnerability [CVE-2012-5664]. request-tracker3.8 (3.8.8-7+squeeze6) stable-security; urgency=low . * Multiple security fixes for: - Email header injection attack (CVE-2012-4730) - CSRF protection allows attack on bookmarks (CVE-2012-4732) - Confused deputy attack for non-logged-in users (CVE-2012-4734) - Multiple message signing/encryption attacks related to GnuPG (CVE-2012-4735) - Arbitrary command-line argument injection to GnuPG (CVE-2012-4884) rssh (2.3.2-13squeeze3) stable-security; urgency=high . * Reject the rsync --rsh option even if it does not contain a trailing equal sign. (CVE-2012-2252) rtfm (2.4.2-4+squeeze2) stable-security; urgency=low . * [CVE-2012-4731] Fix missing rights checking samba (2:3.5.6~dfsg-3squeeze9) stable-security; urgency=high . * Security update * CVE-2013-0213: Clickjacking issue in SWAT * CVE-2013-0214: Potential XSRF in SWAT sdic (2.1.3-19+squeeze1) stable; urgency=low . * Non-maintainer upload. * sdic-gene95: Move bzip2 suggestion to Depends. (closes: #675321) snack (2.2.10-dfsg1-9+squeeze1) stable; urgency=low . * Included patch by Michael Karcher to fix CVE-2012-6303 (closes: #695614). sphinx (0.6.6-3+squeeze1) stable; urgency=low . [ Stefano Rivera ] * Improve language and clarify options in manpages. . [ Jakub Wilk ] * Backport upstream patch to fix incompatibility with jQuery >= 1.4 (closes: #628642). Thanks to Yaroslav Halchenko for the bug report. * Apply patches (except move_static_files_outside_site-packages) before building documentation. * Fix a typo in the package description. swath (0.4.0-4+squeeze1) stable; urgency=high . * debian/patches/01_buffer-overflow.patch: backport patch from upstream to fix potential buffer overflow in Mule mode. Thanks Dominik Maier for the report. (Closes: #698189) swi-prolog (5.10.1-1+squeeze1) stable; urgency=low . * Update Maintainer field in debian/control * New patches (taken from RedHat bugzilla, closes: #697416): - CVE-2012-6089.diff - fix for CVE-2012-6089 - possible buffer overrun in path canonisation code - CVE-2012-6090.diff - fix for CVE-2012-6090 - Possible buffer overflows when expanding file-names with long paths tiff (3.9.4-5+squeeze8) stable-security; urgency=high . * Add fix for CVE-2012-5581, reimplementing DOTRANGE handling to make it safer. Thanks to Red Hat security team for backporting the fix. tiff (3.9.4-5+squeeze7) stable-security; urgency=high . * Add fix for CVE-2012-4564, a heap-buffer overflow. Thanks Adrian La Duca for doing all the work to prepare this upload. (Closes: #692345) tiff (3.9.4-5+squeeze6) stable-security; urgency=high . * Add fix for CVE-2012-4447, a buffer overrun. (Closes: #688944) * CVE-2012-2088 was actually included in previous version but not listed in the change log. tiff (3.9.4-5+squeeze5) stable-security; urgency=high . * Added several additional security patches taken from the Ubuntu Natty (11.04) tiff package. (Closes: #678140) . CVE-2010-2482 CVE-2010-2595 CVE-2010-2597 CVE-2010-2630 CVE-2010-4665 CVE-2012-2113 CVE-2012-3401 tinyproxy (1.8.2-1squeeze3) stable-security; urgency=high . * Add patches for CVE-2012-3505 (closes: #685281): - CVE-2012-3505-tinyproxy-limit-headers.patch: Limit the number of headers to prevent DoS attacks. - CVE-2012-3505-tinyproxy-randomized-hashmaps.patch: Randomize hashmaps in order to avoid fake headers getting included in the same bucket, allowing for DoS attacks. Bug reported and patches contributed by gpernot. trousers (0.3.5-2+squeeze1) stable-security; urgency=high . * Fix crash when malformed packet is received (CVE-2012-0698) Closes: #692649 ttf-ipafont (00203-16+squeeze1) stable; urgency=low . * Non-maintainer upload. * ttf-ipafont.prerm: Move removal of the current alternatives to ttf-ipafont-{gothic,mincho}.prerm as their postinst creates them. (Closes: #700722) typo3-src (4.3.9+dfsg1-1+squeeze7) squeeze-security; urgency=medium . * Security patch backported from new upstream release 4.5.21 and 4.5.22: - fixes: "TYPO3 Security Bulletin TYPO3-CORE-SA-2012-005: Several Vulnerabilities in TYPO3 Core" (Closes: 692775) typo3-src (4.3.9+dfsg1-1+squeeze6) squeeze-security; urgency=medium . * Security patch backported from new upstream release 4.5.21: - fixes: "TYPO3 Security Bulletin TYPO3-CORE-SA-2012-005: Several Vulnerabilities in TYPO3 Core" (Closes: 692775) tzdata (2012g-0squeeze1) stable; urgency=low . * New upstream version. * Add brazil-dst-2012-changes.diff from Antonio Terceiro to add DST 2012 rule for the America/Bahia zone. Closes: #690606. tzdata (2012f-1) unstable; urgency=low . * New upstream version. tzdata (2012e-1) unstable; urgency=low . * New upstream version. tzdata (2012d-1) unstable; urgency=low [ Debconf translations ] * Thai (Theppitak Karoonboonyanan). Closes: #672213 * Really add Polish translation. Really Closes: #658403 * Slovak (Ivan Masár). Closes: #677910 [ Clint Adams ] * New upstream version. tzdata (2012c-1) unstable; urgency=low * New upstream release. unbound (1.4.6-1+squeeze3) stable; urgency=low . * Update IP address hints for D.ROOT-SERVERS.NET. viewvc (1.1.5-1.1+squeeze2) stable-security; urgency=high . * Non-maintainer upload. * CVE-2012-4533: Fix XSS in commit message view. Found and patch provided by Nicolás Alvarez (closes: #691062). viewvc (1.1.5-1.1+squeeze1) stable-security; urgency=high . * Non-maintainer upload. . [ gregor herrmann ] * [SECURITY] Fix "CVE-2012-3356 / CVE-2012-3357": - CVE-2012-3356: * security fix: complete authz support for remote SVN views - CVE-2012-3357: * security fix: log msg leak in SVN revision view with unreadable copy source Add patches "CVE-2012-3356" and "CVE-2012-3357", taken from upstream svn. (Closes: #679069) * Fix "viewvc runs extremely slowly (~15s per page)": backport upstream commit r2471 as new patch compression-content-length: don't set Content-Length when compression is used. (Closes: #636805) . [ Ben Hutchings ] * view_query: No longer allow an undocumented URL parameter to override the admin-declared SQL row limit, which could result in excessive CPU usage and memory consumption (CVE-2009-5024) (Closes: #671482) virtualbox-ose (3.2.10-dfsg-1+squeeze1) stable-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix cve-2012-3221: missing privilege check for task gate switches. weechat (0.3.2-1+squeeze1) stable-security; urgency=high . * Switch source format to '3.0 (quilt)' in order to easily add security patches * Add a patch to properly verify that the server hostname matches the domain name of the subject of an X.509 certificate, see CVE-2011-1428. * Add a patch to fix a bug in the process handling API used by scripts. A remote attacker could exploit it to execute arbitrary commands, see CVE-2012-5534. wireshark (1.2.11-6+squeeze9) stable-security; urgency=high . * security fixes from Wireshark 1.8.5: - The CLNP dissector could crash. Discovered independently by Laurent Butti and the Wireshark development team (CVE-2013-1582) - The DTLS dissector could crash. Discovered by Laurent Butti. (CVE-2013-1586) - The DCP-ETSI dissector could corrupt memory. Discovered by Laurent Butti. (CVE-2013-1588) - The Wireshark dissection engine could crash. Discovered by Laurent Butti. - The NTLMSSP dissector could overflow a buffer. Discovered by Ulf Härnhammar. (CVE-2013-1590) wireshark (1.2.11-6+squeeze8) stable-security; urgency=high . * security fixes from Wireshark 1.6.9 and 1.6.10: - The PPP dissector could crash (CVE-2012-4048) (Closes: #680056) - The RTPS2 dissector could overflow a buffer. Reported by Laurent Butti. (CVE-2012-4296) * drop obsolete patches: - debian-changes-1.2.11-6+squeeze3 - 03_preferences.dpatch xen (4.0.1-5.6) stable-proposed-updates; urgency=low . * Non-maintainer upload, previously discussed with Guido. * Fixes Xen clock long standing issue, eg: fix scale_delta() inline assembly, causing domU offset and possibly leading to crashes (Closes: #599161). Thanks to Ian Campbell for forwarding the patch to the Debian BTS, and Jan Beulich for working on an upstream patch. xen (4.0.1-5.5) stable-security; urgency=high . * Apply fix for Xen Security Advisory 5 (CVE-2011-3131) * Apply fix for Xen Security Advisory 20 (CVE-2012-4535) * Apply fix for Xen Security Advisory 22 (CVE-2012-4537) * Apply fix for Xen Security Advisory 23 (CVE-2012-4538) * Apply fix for Xen Security Advisory 24 (CVE-2012-4539) * Apply fix for Xen Security Advisory 26 (CVE-2012-5510) * Apply fix for Xen Security Advisory 29 (CVE-2012-5513) * Apply fix for Xen Security Advisory 30 (CVE-2012-5514) * Apply fix for Xen Security Advisory 31 (CVE-2012-5515) xen-qemu-dm-4.0 (4.0.1-2+squeeze3) stable-security; urgency=low . * Security upload * Fix for Xen Security Advisory 41 (CVE-2012-6075) xnecview (1.35-5.2) stable; urgency=low . * Non-maintainer upload. * Take my own patch from 1.35-7.1. * R0 is already taken as a register name on armel, rename xnecview's constant to DEFFAULTR0. Closes: #621392 zendframework (1.10.6-1squeeze2) squeeze-security; urgency=high . * Fix for CVE-2012-5657: remove the XXE vector by calling libxml_disable_entity_loader() before attempting to parse the feed via DOMDocument::loadXML() (Closes: #696483). ======================================== Sat, 29 Sep 2012 - Debian 6.0.6 released ======================================== ========================================================================= [Date: Sat, 29 Sep 2012 10:23:21 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: libtrash | 2.4-2 | source, amd64, armel, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, sparc Closed bugs: 678178 ------------------- Reason ------------------- RoM; unmaintained; broken ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 29 Sep 2012 10:23:59 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: kcheckgmail | 0.6.0-1 | source kcheckgmail | 0.6.0-1+b1 | amd64, armel, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, sparc Closed bugs: 682103 ------------------- Reason ------------------- RoQA; unmaintained; broken by Google changes ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 29 Sep 2012 10:24:56 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: blockade | 20041028-9 | source, amd64, armel, i386, ia64, mips, mipsel, powerpc, s390, sparc Closed bugs: 687766 ------------------- Reason ------------------- RoQA; non-distributable ---------------------------------------------- ========================================================================= alpine (2.00+dfsg-6+squeeze1) squeeze; urgency=low . * Fix a crash in the embedded copy of UW-IMAP, CVE-2008-5514. (Closes: #653238) apache2 (2.2.16-6+squeeze8) squeeze; urgency=low . * CVE-2012-2687: mod_negotiation: Escape filenames in variant list to prevent a possible XSS vulnerability for a site where untrusted users can upload files to a location with MultiViews enabled. * Send 408 status instead of 400 if reading of a request fails with a timeout. This allows browsers to retry. Closes: #677086 * mod_cache: Prevent Partial Content responses from being cached and served as normal response. Closes: #671204 * mpm_itk: Fix an issue where users can sometimes get spurious 403s on persistent connections. Closes: #672333 arpwatch (2.1a15-1.1+squeeze1) stable-security; urgency=high * Non-maintainer upload by the Security Team. * Fix initgroups() adding the gid 0 group to the list. Instead of dropping privileges it was in fact adding it. This is CVE-2012-2653. closes: #674715 asterisk (1:1.6.2.9-2+squeeze6) stable-security; urgency=high * Patch AST-2012-007 (CVE-2012-2947): Fix IAX receiving HOLD without suggested MOH class crash (Closes: #675204). * Patch AST-2012-008 (CVE-2012-2948): remote crash issue in chan_skinny (Closes: #675210). - Patch skinny_fix_16040: A minor bugfix required to cleanly apply it. automake1.10 (1:1.10.3-1+squeeze1) stable; urgency=low * lib/am/distdir.am: Backport fix for CVE-2012-3386 "Temporary worldwide write permissions during make distcheck". (Closes: #681117) automake1.11 (1:1.11.1-1+squeeze1) stable; urgency=low * lib/am/distdir.am: Fixes CVE-2012-3386 "Temporary worldwide write permissions during make distcheck". (Closes: #681097) base-files (6.0squeeze6) stable; urgency=low . * Changed /etc/debian_version to 6.0.6, for Debian 6.0.6 point release. bcfg2 (1.0.1-3+squeeze2) stable-security; urgency=high * Backport upstream patch to fix unescaped shell command issues in the Trigger plugin (Closes: #679272) beaker (1.5.4-4+squeeze1) squeeze-security; urgency=high . * Non-maintainer upload. * Fix security issue, with PyCrypto not securing data such that an attacker could possibly determine parts of the encrypted payload. Patch by Miloslav Trmac of Redhat. [CVE-2012-3458] Closes: #684890 bind9 (1:9.7.3.dfsg-1~squeeze7) squeeze-security; urgency=high . * Apply patch extracted from 9.7.6-P3 to fix CVE-2012-4244 bind9 (1:9.7.3.dfsg-1~squeeze6) squeeze-security; urgency=high * Non-maintainer upload by the Security Team. * Fi denial of service through assert because of using bad cache data before initialization (CVE-2012-3817). bind9 (1:9.7.3.dfsg-1~squeeze5) squeeze-security; urgency=high * Apply patch from ISC to fix zero-length RDATA handling (CVE-2012-1667) checkgmail (1.13+svn43-2+squeeze0.1) stable; urgency=low . * Non-maintainer upload * debian/patches/60_bts650454_send_galx_as_cookie.dpatch - fix auth problem with GMail by passing GALX in the cookie; thanks to Johan Sandblom for the report; Closes: #650454 clamav (0.97.5+dfsg-5) unstable; urgency=low * Drop /var/run/clamav from the directories shipped in clamav-base (policy 9.1.4) and trust it will get cleaned up on boot - Thanks to Andreas Beckmann for the cluebat clamav (0.97.5+dfsg-4) unstable; urgency=low * Drop postrm snippets from clamav-base, clamav-freshclam, clamav-daemon, and clamav-milter that remove /var/log/clamav, /var/lib/clamav, /var/run/clamav, and /etc/clamav and and let dpkg remove the directories once they are empty in order to fix problems with directory removal by a package that did not own the directory (Closes: #681960) * Add /var/run/clamav to directories shipped by clamav-base so dpkg cleanup will work for it too. clamav (0.97.5+dfsg-3) unstable; urgency=low * Fix proxy port configuration handling in clamav-freshclam.postinst so that failure to specify port does not result in an invalid configuration (Closes: #678247), (LP: #784797) clamav (0.97.5+dfsg-3~squeeze1) stable; urgency=low [ Scott Kitterman ] * New upstream release (Closes: #668273, #669370, #678744) - Addresses possible evasion cases in some archive formats (CVE-2012-1419, CVE-2012-1457, CVE-2012-1458, CVE-2012-1459) (Closes: #668273) - Repack tarball to remove non-free unrar code and win32 directory - Add contrib/split-tarball.sh and docs/man/clambc.1 in the diff.gz (these used to be added to the Debian specific upstream tarball, but aren't upstream so are better in the diff) - Change etc/clamav-milter.conf to Debian defaults * Fix proxy port configuration handling in clamav-freshclam.postinst so that failure to specify port does not result in an invalid configuration (Closes: #678247), (LP: #784797) * Remove /var/run/clamav on purge (LP: #829945) - Thanks to Imre Gergely for the patch * Add call to /sbin/restorecon, if present, in debian/common_functions make_directory to to label the /run directory for SE Linux (Closes: #677686) - Thanks to Russell Coker for the patch * Remove obsolete reference to clamav-data package in clamav-daemon init log failure message * Enabled hardened build flags (Closes: #653958) - Thanks to Moritz Muehlenhoff for the patch * Remove var/lib/clamav/daily.cvd and main.cvd from clamav-base.examples because they aren't installed by the build system anymore (and are provided only as empty files in the upstream tarball) * Fix typos in README.Debian (Closes: #667831) * Update libclamav6 binary lintian override to match current filename * Bump standards version to 3.9.3 without further change * Add myself to uploaders [ Stephen Gran ] * Add a note about RAR functionality to README.Debian (Closes: #652009) * Add VERBOSE=1 to make check [ Christian Perrier ] * Fix spelling error in debconf templates. Closes: #660966 * Fix pending l10n issues. Debconf translations: - Dutch; (Jeroen Schot). Closes: #651405 - German (Thomas Müller). Closes: #653409 - Polish (Michał Kułach). Closes: #659369 - Japanese (Kenshi Muto). Closes: #659980 - Czech (Miroslav Kure). Closes: #660319 - Italian (Luca Monducci). Closes: #660475 [ Loïc Minier ] * Pass --without-included-ltdl to configure instead of hardcoding --with-ltdl-include= and --with-ltdl-lib= pathnames, the pathnames wouldn't work with multiarch anymore. * rules: let clamav-dbg depend on libclamav6 as it seems to require it and this could make rules -j safe (didn't manage to reproduce the -j2 failure I was getting with the change). clamav (0.97.5+dfsg-2) unstable; urgency=medium * Medium urgency due to security fixes * Update debian/clamav-base.postinst.in to test for the existence of the actual .cvd files before trying to install them and not just the directory they should be in (Closes: #678019) * Remove /var/run/clamav on purge (LP: #829945) - Thanks to Imre Gergely for the patch * Add call to /sbin/restorecon in debian/common_functions make_directory to to label the /run directory for SE Linux (Closes: #677686) - Thanks to Russell Coker for the patch * Remove obsolete reference to clamav-data package in clamav-daemon init log failure message clamav (0.97.5+dfsg-1) unstable; urgency=medium [ Scott Kitterman ] * Urgency medium due to security fixes * New upstream release (Closes: #669370) - Addresses possible evasion cases in some archive formats (CVE-2012-1419, CVE-2012-1457, CVE-2012-1458, CVE-2012-1459) (Closes: #668273) - Repack tarball to remove non-free unrar code and win32 directory - Add contrib/split-tarball.sh and docs/man/clambc.1 in the diff.gz (these used to be added to the Debian specific upstream tarball, but aren't upstream so are better in the diff) - Change etc/clamav-milter.conf to Debian defaults * Enabled hardened build flags (Closes: #653958) - Thanks to Moritz Muehlenhoff for the patch * Remove var/lib/clamav/daily.cvd and main.cvd from clamav-base.examples because they aren't installed by the build system anymore (and are provided only as empty files in the upstream tarball) * Fix typos in README.Debian (Closes: #667831) * Update libclamav6 binary lintian override to match current filename * Bump standards version to 3.9.3 without further change [ Stephen Gran ] - Add a note about RAR functionality to README.Debian (Closes: #652009) clamav (0.97.3+dfsg-2.2) unstable; urgency=low * Non-maintainer upload. * Fix "FTBFS: llvm/lib/ExecutionEngine/JIT/Intercept.cpp:69:67: error: 'lseek64' was not declared in this scope": add missing include. Also fixed in upstream git already [bb8ab5c]. (Closes: #674330) clamav (0.97.3+dfsg-2.1) unstable; urgency=low * Non-maintainer upload. * Fix spelling error in debconf templates. Closes: #660966 * Fix pending l10n issues. Debconf translations: - Dutch; (Jeroen Schot). Closes: #651405 - German (Thomas Müller). Closes: #653409 - Polish (Michał Kułach). Closes: #659369 - Japanese (Kenshi Muto). Closes: #659980 - Czech (Miroslav Kure). Closes: #660319 - Italian (Luca Monducci). Closes: #660475 clamav (0.97.3+dfsg-2) unstable; urgency=low [ Loïc Minier ] * Pass --without-included-ltdl to configure instead of hardcoding --with-ltdl-include= and --with-ltdl-lib= pathnames, the pathnames wouldn't work with multiarch anymore. * rules: let clamav-dbg depend on libclamav6 as it seems to require it and this could make rules -j safe (didn't manage to reproduce the -j2 failure I was getting with the change). [ Stephen Gran ] * Add VERBOSE=1 to make check [ Scott Kitterman ] * Add myself to uploaders clamav (0.97.3+dfsg-1) unstable; urgency=medium [ Michael Tautschnig ] * New upstream release: Fixes potential DoS debian-archive-keyring (2010.08.28+squeeze1) squeeze; urgency=low * Team upload. * Add Debian Archive Automatic Signing Key (7.0/wheezy) (ID: 46925553). (Closes: #671105) * Add Wheezy Stable Release Key (ID: 65FFB764). (Closes: #665380) debian-installer-netboot-images (20110106.squeeze4.b2) squeeze; urgency=low . * Rebuild against squeeze-proposed-updates devscripts (2.10.69+squeeze4) stable-security; urgency=high . * dget: + Fix CVE-2012-2241 (arbitrary file deletion) + Fix CVE-2012-2242 (arbitrary code execution) * dscverify: Fix CVE-2012-2240 (arbitrary code execution) * debdiff: Fix regression in exit code, introduced in 2.10.69+squeeze2 (Closes: 686247) devscripts (2.10.69+squeeze3) stable-security; urgency=high . * annotate-output: Fix to prevent symlink attack: don't delete safely-created file and reuse its name. Instead, create temporary directory and create FIFOs therein. Also, be sure to remove temporaries upon catchable signal. Thanks to Jim Meyering for the patch. Fixes CVE-2012-3500. dhcpcd (1:3.2.3-5+squeeze1) stable-security; urgency=high * Security fix, remote stack overflow: CVE-2012-2152. dpkg (1.15.8.13) stable; urgency=low . [ Guillem Jover ] * Do not translate SE Linux context to human readable form while unpacking, as that might cause the operation to fail if the mcstransd daemon stopped running during the transaction. Closes: #679641 Thanks to Russell Coker . . [ Updated man page translations ] * German (Helge Kreutzmann). Fix sub optimal translation of package states LP: #368783, a fix by Chris Leick and other fixes. eglibc (2.11.3-4) stable; urgency=low * Enable patches/any/cvs-dlopen-tls.diff, not enabled by mistake. Closes: #637239. * patches/any/cvs-FORTIFY_SOURCE-format-strings.diff: new patch from upstream to fix FORTIFY_SOURCE format string protection bypass. Closes: #660611. * patches/any/local-sunrpc-dos.diff: fix a DoS in RPC implementation (CVE-2011-4609). Closes: #671478. emesene (1.6.3-1.1) stable; urgency=low * Non-maintainer upload. * Update contact end-point to local-bay.contacts.msn.com (Closes: #648399) extplorer (2.1.0b6+dfsg.2-1+squeeze1) stable-security; urgency=low * CVE-2012-3362: fixes a CSRF (Closes: #678737). fckeditor (1:2.6.6-1squeeze1) squeeze-security; urgency=high * fixed XSS vulnerability in spellchecker (Closes: #683418) [CVE-2012-4000] ffmpeg (4:0.5.9-1) stable-security; urgency=low * New upstream release. New release fixes: - dpcm: ignore extra unpaired bytes in stereo streams (CVE-2011-3951) - h264: Add check for invalid chroma_format_idc (CVE-2012-0851) - adpcm: ADPCM Electronic Arts has always two channels (CVE-2012-0852) - kmvc: Check palsize (CVE-2011-3952) - qdm2: clip array indices returned by qdm2_get_vlc() - configure: properly check for mingw-w64 through installed headers - Replace every usage of -lvfw32 with what is particularly necessary for that case - mingw32: properly check if vfw capture is supported by the system headers - mingw32: merge checks for mingw-w64 and mingw32-runtime >= 3.15 into one - vfwcap: Include windows.h before vfw.h since the latter requires defines from the former - ea: check chunk_size for validity - eatqi: move "block" variable into context to ensure sufficient alignment for idct_put - tqi: Pass errors from the MB decoder - png: check bit depth for PAL8/Y400A pixel formats. ffmpeg (4:0.5.8-1) stable-security; urgency=low * New upstream release. New release fixes: - In 0.5.8: - id3v2: fix skipping extended header in id3v2.4 - nsvdec: Several bugfixes related to CVE-2011-3940 - dv: check stype - dv: Fix null pointer dereference due to ach=0 - dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936. - atrac3: Fix crash in tonal component decoding, fixes CVE-2012-0853 - mjpegbdec: Fix overflow in SOS, fixes CVE-2011-3947 - motionpixels: Clip YUV values after applying a gradient. - vqavideo: return error if image size is not a multiple of block size, fixes CVE-2012-0947. - In 0.5.7: - vorbis: An additional defense in the Vorbis codec. (CVE-2011-3895) - vorbisdec: Fix decoding bug with channel handling. - matroskadec: Fix a bug where a pointer was cached to an array that might later move due to a realloc(). (CVE-2011-3893) - vorbis: Avoid some out-of-bounds reads. (CVE-2011-3893) - vp3: fix oob read for negative tokens and memleaks on error, (CVE-2011-3892) - vp3: fix streams with non-zero last coefficient. freeradius (2.1.10+dfsg-2+squeeze1) stable-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix pre-authentication buffer overflow in EAP TLS handling (CVE-2012-3547; Closes: #687175). geshi (1.0.8.4-1+squeeze1) stable; urgency=low . * Team upload. * Fix "Local File Inclusion Vulnerability in contrib script" use debian/rules to remove contrib/cssgen.php from bundled examples (Closes: #685324) globus-gridftp-server (3.23-1+squeeze1) stable-security; urgency=high . * SECURITY UPDATE: Wrong user mapping on badly configured server - debian/patches/globus-gridftp-server-pw195.patch: backported from upstream - CVE-2012-3292 globus-gridftp-server-control (0.43-1+squeeze1) stable-security; urgency=high . * SECURITY UPDATE: Wrong user mapping on badly configured server - debian/patches/globus-gridftp-server-control-pw195.patch: backported from upstream - CVE-2012-3292 gosa (2.6.11-3+squeeze2) stable; urgency=low * Backport shellvar escaping code. Closes: #665950. gridengine (6.2u5-1squeeze1) squeeze-security; urgency=high * Fix remote root exploit due to trusted user environment (CVE-2012-0208). ia32-libs (20120926) stable; urgency=low . * Packages updated . [ curl (7.21.0-2.1+squeeze2) stable-security; urgency=low ] . * Non-maintainer upload * Add --ssl-allow-beast and CURLOPT_SSL_OPTIONS (#658276) . [ curl (7.21.0-2.1+squeeze1) stable-security; urgency=high ] . * Non-maintainer upload * Fix URL sanitization vulnerability as per CVE-2012-0036 http://curl.haxx.se/docs/adv_20120124.html * Fix SSL CBC IV vulnerability as per CVE-2011-3389 http://curl.haxx.se/docs/adv_20120124B.html * Set urgency=high accordingly . [ expat (2.0.1-7+squeeze1) stable-security; urgency=low ] . * CVE-2012-0876 CVE-2012-1148 . [ freetype (2.4.2-2.1+squeeze4) stable-security; urgency=low ] . * CVE-2012-11[33|34|36|42|44] . [ gnutls26 (2.8.6-1+squeeze2) stable-security; urgency=high ] . * Apply patch to fix crashes in record parsing (CVE-2012-1573) . [ gnutls26 (2.8.6-1+squeeze1) stable; urgency=low ] . * Pull fixes for buffer overflow in gnutls_session_get_data() from upstream git. (CVE-2011-4128: GNUTLS-SA-2011-2) #648441 20_CVE-2011-4128.part1.diff 20_CVE-2011-4128.part2.diff . [ krb5 (1.8.3+dfsg-4squeeze6) stable-security; urgency=high ] . * MITKRB5-SA-2012-001 CVE-2012-1015: KDC frees uninitialized pointer . [ krb5 (1.8.3+dfsg-4squeeze5) squeeze-security; urgency=high ] . * CVE-2011-1529: null pointer dereference in KDC LDAP back end, #629558 * CVE-2011-1528: assertion failure in multiple KDC back ends regarding account lockout . [ libpng (1.2.44-1+squeeze4) stable-security; urgency=low ] . * CVE-2011-3048 . [ libpng (1.2.44-1+squeeze3) stable-security; urgency=high ] . * CVE-2011-3045 . [ libpng (1.2.44-1+squeeze2) stable-security; urgency=high ] . * Fix integer overflow (chromium #112822) . [ libtasn1-3 (2.7-1+squeeze+1) stable-security; urgency=low ] . * ASN.1 length decoding vulnerability. CVE-2012-1569. . [ libvorbis (1.3.1-1+squeeze1) stable-security; urgency=low ] . * CVE-2012-0444 . [ libxi (2:1.3-7) squeeze; urgency=low ] . * Cherry-pick patches from upstream: - Fix passive grabs - Fill in mods/group->effective in XIQueryPointer - Handle unknown device classes (#661021, #660411) . [ libxml2 (2.7.8.dfsg-2+squeeze5) stable-security; urgency=low ] . [ Daniel Veillard ] * Fix parser local buffers size problems * Fix entities local buffers size problems CVE-2012-2807, #679280. . [ libxml2 (2.7.8.dfsg-2+squeeze4) stable-security; urgency=high ] . * CVE-2011-3102 . [ libxml2 (2.7.8.dfsg-2+squeeze3) stable-security; urgency=high ] . * Non-maintainer upload by the Security Team. * Apply upstream patch to add randomization to hashing with large dictionaries to mitigate hash DoS (CVE-2012-0841; #660846). . [ libxml2 (2.7.8.dfsg-2+squeeze2) stable-security; urgency=high ] . * Security update. * parser.c: Fix an allocation error when copying entities. CVE-2011-3919. #656377. * parser.c: Make sure parser returns when getting a Stop order. CVE-2011-3905. * encoding.c: Fix off by one error. CVE-2011-0216. 652352. * xpath.c: Fix for undefined namespaces. CVE-2011-2834. * xpath.c, xpointer.c, include/libxml/xpath.h: Hardening of XPath evaluation. CVE-2011-2821. 643648. . [ nss (3.12.8-1+squeeze5) stable-security; urgency=low ] . * Address CVE-2012-0441 (Insufficient length checking in QuickDER decoder) * debian/rules: Work around NSS not building on Linux 3.x kernels. . [ openssl (0.9.8o-4squeeze13) squeeze-security; urgency=high ] . * Non-maintainer upload by the Security Team. * Fix CVE-2012-2333: DoS via explicit IV in DTLS . [ openssl (0.9.8o-4squeeze12) squeeze-security; urgency=high ] . * Non-maintainer upload by the Security Team. * Fix CVE-2012-2131: incomplete fix of CVE-2012-2110 . [ openssl (0.9.8o-4squeeze11) squeeze-security; urgency=low ] . * Really apply CVE-2012-2110 . [ openssl (0.9.8o-4squeeze10) squeeze-security; urgency=low ] . * Fix CVE-2012-2110 * update CVE-2012-0884 patch to include detecting symmetric crypto errors in PKCS7_decrypt . [ openssl (0.9.8o-4squeeze9) squeeze-security; urgency=low ] . * Fix CVE-2012-1165 . [ openssl (0.9.8o-4squeeze8) squeeze-security; urgency=low ] . * Fix CVE-2012-0884 * Updated patch for CVE-2011-4619 . [ openssl (0.9.8o-4squeeze7) squeeze-security; urgency=low ] . * Re-upload with new version number. . [ openssl (0.9.8o-4squeeze6) squeeze-security; urgency=low ] . * Fix CVE-2012-0050 . [ openssl (0.9.8o-4squeeze5) squeeze-security; urgency=low ] . * Fix CVE-2011-4108, CVE-2011-4109, CVE-2011-4576, CVE-2011-4619 and CVE-2011-4577 * Send alert instead of assertion failure for incorrectly formatted DTLS fragments. (#645805) . [ tiff (3.9.4-5+squeeze4) stable-security; urgency=high ] . * CVE-2012-1173 ia32-libs (20120701) unstable; urgency=low * Drop dependency on removed libdb4.8 [ROM] (Closes: #679671) ia32-libs (20120616) unstable; urgency=low * Transition ia32-libs to multiarch. + ia32-libs:amd64 becomes transitional package depending on ia32-libs-i386. + New transitional package ia32-libs-i386:i386 that depends on all libraries previously in ia32-libs. * Drop libhal1 dependency since it is to be removed from wheezy. * Drop libcapi20-3 dependency since isdnutils is dead and not multiarch. * Removed ia32-libs-dev + building complex 32bit packages on amd64 is no longer supported + build i386 packages and install via multiarch instead * Removed support for ia64, kernel no longer supports 32bit. iceape (2.0.11-14) stable-security; urgency=low * Fixes for mfsa2012-{42-44,46}, also known as CVE-2012-1948, CVE-2012-1950, CVE-2012-1954, CVE-2012-1967. iceape (2.0.11-13) stable-security; urgency=low * Fixes for mfsa2012-{34,40}, also known as CVE-2012-1937, CVE-2012-1939, CVE-2012-1940. iceape (2.0.11-12) stable-security; urgency=low * Revert one of the patches for CVE-2012-0467 because of regression crash. It turns out the issue that patch addresses isn't dangerous in 2.0. icedove (3.0.11-1+squeeze12) stable-security; urgency=high . * [23f20f9] backported patches from xulrunner fixes mfsa2012-{42-44,56} - MFSA 2012-42 aka CVE-2012-1948: Miscellaneous memory safety hazards (rv:14.0/ rv:10.0.6) - MFSA 2012-43 aka CVE-2012-1950: Incorrect URL displayed in addressbar through drag and drop - MFSA 2012-44 aka CVE-2012-1954: Gecko memory corruption - MFSA 2012-56 aka CVE-2012-1967: Code execution through javascript: URLs icedove (3.0.11-1+squeeze11) stable-security; urgency=high * [ee0d82e] backported patches from xulrunner fixes mfsa2012-{34,40} - MFSA 2012-34 aka CVE-2012-1937, CVE-2012-1939: Miscellaneous memory safety hazards - MFSA 2012-40 aka CVE-2012-1940: Buffer overflow and use-after-free issues found using Address Sanitizer iceweasel (3.5.16-17) stable-security; urgency=low . * Fixes for mfsa2012-{42-44,46}, also known as CVE-2012-1948, CVE-2012-1950, CVE-2012-1954, CVE-2012-1966, CVE-2012-1967. iceweasel (3.5.16-16) stable-security; urgency=low * Fixes for mfsa2012-{34,40}, also known as CVE-2012-1937, CVE-2012-1939, CVE-2012-1940. iceweasel (3.5.16-15) stable-security; urgency=low * Revert one of the patches for CVE-2012-0467 because of regression crash. It turns out the issue that patch addresses isn't dangerous in 3.5. Closes: #670586. ikiwiki (3.20100815.9) stable-security; urgency=high * meta: Security fix; add missing sanitization of author and authorurl. CVE-2012-0220 Thanks, Raúl Benencia imp4 (4.3.7+debian0-2.2) stable-security; urgency=high * Non-maintainer upload. * Fix XSS (CVE-2012-0791, Closes: #659392) isc-dhcp (4.1.1-P1-15+squeeze6) squeeze-security; urgency=high * Non-maintainer upload by the Security Team. * Reorder patches in 00list as it seems some are deapplied during the build process. Thanks Mark Deslauriers for spotting this. isc-dhcp (4.1.1-P1-15+squeeze5) squeeze-security; urgency=high * Non-maintainer upload by the Security Team. * Make sure patches for 4.1.1-P1-15+squeeze4 are correctly applied * Fix CVE-2011-4539: DoS when processing evaluated regular expressions. isc-dhcp (4.1.1-P1-15+squeeze4) squeeze-security; urgency=high * Non-maintainer upload by the Security Team. * Backport upstream changes for the following security issues: - CVE-2012-3954: memory leaks in dhcpv6 mode - CVE-2012-3571: DoS via malformed client ids kfreebsd-8 (8.1+dfsg-8+squeeze3) stable-security; urgency=medium [ Steven Chamberlain ] * Apply upstream SA-12:04.sysret patch (CVE-2012-0217) (Closes: #677297) - Include correction from upstream (r237241) * Apply upstream EN-12:02.ipv6refcount patch (Closes: #677738) krb5 (1.8.3+dfsg-4squeeze6) stable-security; urgency=high * MITKRB5-SA-2012-001 CVE-2012-1015: KDC frees uninitialized pointer libapache-mod-security (2.5.12-1+squeeze1) stable-security; urgency=high * CVE-2012-2751: Fix multi-part bypass due to wrong quoting. Applied backported patch from 2.6.6. (Closes: #678529) libapache2-mod-rpaf (0.5-3+squeeze1) stable-security; urgency=high . * New maintainer (See: #636732) * Edit 030_ipv6.patch to fix DOS via crafted X-Forwarded-For header (Closes: #683984, thanks to Sébastien Bocahu) libconfig-inifiles-perl (2.52-1+squeeze1) stable-proposed-updates; urgency=low * Team upload. * SECURITY BUG FIX: Config::IniFiles used to write to a temporary filename with a predictable name ("${filename}-new") which opens the door for potential exploits. -- CVE-2012-2451, CWE-377 (Closes: #671255) libgc (1:6.8-2) stable; urgency=low . * Change maintainer to myself for stable as well . * Use patch from Steve Beattie / Ubuntu to fix CVE-2012-2673 (Closes: #677195): malloc.c, mallocx.c: check for integer overflow in internal malloc and calloc routines. libgdata (0.6.4-2+squeeze1) stable-security; urgency=high * Non-maintainer upload by the Security Team. * debian/patches: - 01_validate-ssl-certificates added, backported from upstream. Enforce validation of SSL certificates against the system root CAs This is CVE-2012-1177. closes: #664032 libjakarta-poi-java (3.6+dfsg-1+squeeze1) squeeze-security; urgency=high * Fix CVE-2012-0213 (OOM on malformed documents) libmtp (1.0.3-1+squeeze2) stable; urgency=low * Support new devices: - Apple iPhone, iPhone 3G, iPhone 3GS, iPod Touch (1st, 2nd and 3rd generations), iPad. - COBY MP705 - Conceptronic CMTD2 - Cowon iAudio J3, iAudio X7, iAudio C2, iAudio 10 - Curitel Communications Verizon Wireless Device - Medion MD99000 (P9514)/Olivetti Olipad 110 - Motorola Droid X/MB525 (Defy) - NEC FOMA N01A - Nextar MA715A-8R - Nokia 5800 XpressMusic (new, previously unknown, ID) N79, E52, 2710, 5230, N7 (a couple of IDs), N8 (a couple of IDs), N9, C7 (a couple of IDs), N950 - Pantech Crux - SonyEricsson U5, U8i, j10i (Elm), j10i2 (Elm), j108i (Cedar), LT15i (Xperia arc S), Xperia Neo, Xperia MK16i, ST18a Xperia Ray ST18i Xperia Ray, ST15i Xperia Mini, Xperia Arc LT15i - SonyEricsson K550i - Wyplay Wyplayer * Fix device flags: - Set DEVICE_FLAG_BROKEN_BATTERY_LEVEL for Nokia 5200 - Set DEVICE_FLAG_{FLAC,OGG}_IS_UNKNOWN for a number of Cowon players to make them properly recognize OGG/FLAC files. - Set DEVICE_FLAG_BROKEN_MTPGETOBJPROPLIST for LG Electronics KM900, LG8575, V909 G-Slate. libspring-2.5-java (2.5.6.SEC02-2+squeeze1) stable-security; urgency=high * Backport fix for CVE-2011-2730: Spring Framework information disclosure from 2.5.6.SEC03 on upstream maintainance repository (Closes: #677814): - d/patches/CVE-2011-2730.diff: A new context parameter has been added called springJspExpressionSupport. When true (the default) the existing behaviour of evaluating EL within the tag will be performed. When running in an environment where EL support is provided by the container, it is strongly recommended that this is set to false libxml2 (2.7.8.dfsg-2+squeeze5) stable-security; urgency=low . [ Daniel Veillard ] * Fix parser local buffers size problems * Fix entities local buffers size problems CVE-2012-2807, Closes: #679280. libxml2 (2.7.8.dfsg-2+squeeze4) stable-security; urgency=high * CVE-2011-3102 libxslt (1.1.26-6+squeeze1) stable; urgency=low [ Daniel Veillard ] * Fix generate-id() to not expose object addresses CVE-2011-1202, Closes: #617413. [ Abhishek Arya ] * Fix some case of pattern parsing errors CVE-2011-3970, Closes: #660650. [ Chris Evans ] * [PATCH] Fix crash with unexpected DTD nodes in XSLT. CVE-2012-2825, Closes: #679283. links2 (2.3~pre1-1+squeeze1) stable-proposed-updates; urgency=low * Fix several security issues reported by upstream (Closes: #668227) linux-2.6 (2.6.32-46) stable; urgency=high . [ Bastian Blank ] * [s390] Enable IUCV special message support. (closes: #671238) . [ Ben Hutchings ] * linux-image: Relax version dependency on linux-base, to simplify testing of bug fixes * [x86] linux-image: Fix minimum version of lilo (Closes: #680467) * [openvz] proc: Fix extreme memory use for /proc/self/mountinfo in container, thanks to Andrew Vagin, Christoph Lechleitner (Closes: #655385) * usb: Fix deadlock in hid_reset when Dell iDRAC is reset (Closes: #670398) * drm: Apply changes deferred from 2.6.32.42+drm33.19: - drm: implement helper functions for scanning lru list - drm/i915: Implement fair lru eviction across both rings. (v2) - drm/i915: Maintain LRU order of inactive objects upon access by CPU (v2) - drm/i915/evict: Ensure we completely cleanup on failure * Add drm changes from 2.6.32.46+drm33.20, 2.6.32.48+drm33.21, 2.6.32.56+drm33.22, 2.6.32.57+drm33.23, 2.6.32.58+drm33.24 (Closes: #681632) including: - drm/radeon/kms: prefer high post dividers in legacy pll algo (Closes: #575893) - drm: mm: fix range restricted allocations (regression in 2.6.32-36) - drm/i915: no lvds quirk for AOpen MP45 * [armel/kirkwood] ahci: Add JMicron 362 device IDs (Closes: #634180) * tcp: Don't change unlocked socket state in tcp_v4_err(). (Closes: #685087) * locks: fix checking of fcntl_setlease argument * sfc: Fix maximum number of TSO segments and minimum TX queue size (CVE-2012-3412) . [ Jonathan Nieder ] * ath5k: initialize default noise floor * ath5k: use noise calibration from madwifi hal (Closes: #611107) * sky2: Add 'legacy_pme' option for PCI legacy power management (Closes: #647560; works around regression introduced in 2.6.32-22) . [ dann frazier ] * Avoid leap second deadlock and early hrtimer/futex expiration issue (Closes: #679882) * net: sock: validate data_len before allocating skb in sock_alloc_send_pskb() (CVE-2012-2136) * dl2k: Clean up rio_ioctl, add missing CAP_NET_ADMIN checks (CVE-2012-2313) * hfsplus: Fix potential buffer overflows (CVE-2012-2319) * hugetlb: fix resv_map leak in error path (CVE-2012-2390) * mm: fix vma_resv_map() NULL pointer (CVE-2012-2390) * cred: copy_process() should clear child->replacement_session_keyring (CVE-2012-2745) * udf: Fix buffer overflow when parsing sparing table (CVE-2012-3400) * rds: set correct msg_namelen (CVE-2012-3430) linux-kernel-di-amd64-2.6 (1.76+squeeze8) stable; urgency=low . * Built against version 2.6.32-46 of linux-2.6. linux-kernel-di-armel-2.6 (1.56+squeeze8) stable; urgency=low . * Built against version 2.6.32-46 of linux-2.6. linux-kernel-di-i386-2.6 (1.99+squeeze8) stable; urgency=low . * Built against version 2.6.32-46 of linux-2.6. linux-kernel-di-ia64-2.6 (1.63+squeeze8) stable; urgency=low . * Built against version 2.6.32-46 of linux-2.6. linux-kernel-di-mips-2.6 (1.31+squeeze8) stable; urgency=low . * Built against version 2.6.32-46 of linux-2.6. linux-kernel-di-mipsel-2.6 (1.31+squeeze8) stable; urgency=low . * Built against version 2.6.32-46 of linux-2.6. linux-kernel-di-powerpc-2.6 (1.76+squeeze8) stable; urgency=low . * Built against version 2.6.32-46 of linux-2.6. linux-kernel-di-s390-2.6 (0.59+squeeze8) stable; urgency=low . * Built against version 2.6.32-46 of linux-2.6. linux-kernel-di-sparc-2.6 (1.64+squeeze8) stable; urgency=low . * Built against version 2.6.32-46 of linux-2.6. lockfile-progs (0.1.15+squeeze1) stable; urgency=low [ Niels Thykier ] * Non-maintainer upload. * Backport fix for #626752 [ Rob Browning ] * Use L_PID rather than L_PPID when appropriate. In cases where lockfile_create() and lockfile_check() were being called with L_PID, use L_PPID to capture the parent's PID. Capturing the PID of the lockfile-create or lockfile-check process made no sense. Thanks to Zrin Žiborski for the report, Larry Diegel for the patch, and Sebastian Siewior for the suggestion to update the documentation. (Closes: #626752) mahara (1.2.6-2+squeeze5) stable-security; urgency=high . * SECURITY UPDATE: Fix multiple cross-site scripting vulnerabilities - Json-encode login form when injected by js - Sanitize links in links and resources menu - debian/patches/CVE-2012-2237-0001.patch: upstream patch - debian/patches/CVE-2012-2237-0002.patch: upstream patch mahara (1.2.6-2+squeeze4) stable-security; urgency=high * SECURITY UPDATE: Fix default config for sites with multiple SAML instances - Default configuration changed to prevent impersonation - debian/patches/saml_multi_default_config.patch: upstream patch mantis (1.1.8+dfsg-10squeeze2) stable-security; urgency=high * Urgency high: Fixes some CVE's - CVE-2011-3578: Added this note as history update. This issue was really fixed in '1.1.8+dfsg-10squeeze1' upload (via 12-Fix-640297-LFI-XSS-injection-bug-action-group-1.diff patch) but there were no CVE ID assigned in that moment, so there are no references to in the changelog. The issue on the Security Tracker was manually updated thanks to Thijs Kinkhorst . - CVE-2012-1118: Array value for $g_private_bug_threshold configuration option allows bypass of access. (Closes: #669924) - CVE-2012-1119: copy/clone bug report action failed to leave an audit trail. (Closes: #669928) - CVE-2012-1120: Delete_bug_threshold/bugnote_allow_user_edit_delete access check bypass. (Closes: #669925) - CVE-2012-1121: mantis 1.1.8 is not affected by this issue. (Closes: #669926) - CVE-2012-1122: Incorrect access checks performed when moving bugs between projects. (Closes: #669927) - CVE-2012-1123: SOAP API null password authentication bypass (Closes: #669930) - CVE-2012-2691: Reporters can update notes of other users by using SOAP API. This bug does not affect mantis package in squeeze. Affected function 'mc_issue_note_update' is not implemented in mantis 1.1.8 version. - CVE-2012-2692: delete_attachments_threshold not checked on attachment deletion. Thanks to David Hicks moin (1.9.3-1+squeeze2) stable-security; urgency=high . * Add patch from upstream to fix a virtual group bug in ACL evaluation (CVE-2012-XXXX). * Add me to uploaders. mono (2.6.7-5.1) stable-security; urgency=high [ Gonzalo Paniagua Javier ] * [29cd322] HtmlEncode the path. Fixes Novell bug #769799. [ Jo Shields ] * Security upload to fix potential XSS issue in System.Web's error page handling (Closes: #681095, CVE-2012-3382) mysql-mmm (2.2.1-1+squeeze1) stable-proposed-updates; urgency=low . * debian/control - introduce RC bug fix (lack of Dependency) as 2.2.1-1.1 for stable network-manager (0.8.1-6+squeeze2) stable; urgency=low . * debian/patches/84-CVE-2012-2736.patch - Disable Ad-Hoc WPA connections as the kernel is broken for Ad-Hoc WPA, and creates the connections as open connections instead. - Fixes CVE-2012-2736. (Closes: #655972) nsd3 (3.2.5-1.squeeze2) stable; urgency=low * CVE-2012-2978: Fix remote crash in TSIG processing code discovered by Marek Vavrusa and Lubos Slovak from CZ.NIC Labs nss (3.12.8-1+squeeze5) stable-security; urgency=low * Address CVE-2012-0441 (Insufficient length checking in QuickDER decoder) * debian/rules: Work around NSS not building on Linux 3.x kernels. nss-pam-ldapd (0.7.15+squeeze2) stable; urgency=low . * support larger gecos values (closes: #640781) (backported from 0.7.17) * fix two possible NULL pointer dereferences (backported from 0.7.17) * increase buffer used for pam_authz_search as suggested by Chris J Arges (backported from 0.7.16) * fix logging of invalid pam_authz_search value (LP: #951343) (backported from 0.7.16) * implement proper range checking of numeric values returned from LDAP (thanks Jakub Hrozek) (backported from 0.7.16) nut (2.4.3-1.1squeeze2) stable-security; urgency=high * debian/control, debian/rules, debian/patches/*: enable dpatch again * debian/patches/0001-fix_CVE-2012-2944.patch: Fix CVE-2012-2944, which expose upsd to remote crashes. (Closes: #675203) nvidia-graphics-drivers (195.36.31-6squeeze2) stable; urgency=low . * CVE-2012-4225. (Closes: #684781) Add upstream patch nvidia-blacklist-vga-pmu-registers-195.diff: Fix exploitable local privilege escalation through VGA window manipulation via the device nodes that allows access to arbitrary physical memory. nvidia-graphics-drivers (195.36.31-6squeeze1) stable-proposed-updates; urgency=medium * Security fix (backported from 195.36.31-7). (Closes: #609338) Apply upstream patch NVIDIA_kernel-260.19.34-778465.diff to fix information leak in the kernel module: kernel memory was returned uninitialized to user space. * CVE-2012-0946 (backported from 295.40-1): Add upstream patch nvidia-blacklist-register-mapping-195.diff: Closed a security vulnerability which made it possible for attackers to reconfigure GPUs to gain access to arbitrary system memory. For further details, see: http://nvidia.custhelp.com/app/answers/detail/a_id/3109 * Let the bug-script collect detailed information about OpenGL and NVIDIA libraries and their symlinks, diversions and alternatives currently found on the system. Also list files remaining from using the nvidia-installer. Report status of more related packages. nvidia-graphics-modules (195.36.31+4) stable; urgency=low . * Rebuild to fix CVE-2012-4225 (see #684781). * Bump B-D to the fixed nvidia-kernel-source (>= 195.36.31-6squeeze2). nvidia-graphics-modules (195.36.31+3) proposed-updates; urgency=low [ Andreas Beckmann ] * Rebuild for security fixes. See #609338, CVE-2012-0946. * Bump B-D to the fixed nvidia-kernel-source (>= 195.36.31-6squeeze1). * Move VCS from SVN to GIT: git://git.debian.org/git/pkg-nvidia/nvidia-graphics-modules.git openconnect (2.25-0.1+squeeze1) stable-security; urgency=high * Apply patch from upstream to fix buffer overflow (CVE-2012-3291) openjdk-6 (6b18-1.8.13-0+squeeze2) stable-security; urgency=low * CVE-2012-1711 CVE-2012-1713 CVE-2012-1716 CVE-2012-1717 CVE-2012-1718 CVE-2012-1719 CVE-2012-1723 CVE-2012-1724 CVE-2012-1725 openoffice.org (1:3.2.1-11+squeeze7) stable-security; urgency=high . * debian/patches/CVE-2012-2665.backport.OOO320m12.diff: fix CVE-2012-2665 ("Multiple heap-based buffer overflows in the XML manifest encryption handling code") openoffice.org (1:3.2.1-11+squeeze6) stable-security; urgency=high . * debian/patches/fail-earlier-on-oversized-images.diff: add additional fixes for SA47244/CVE-2012-1149 for png * debian/patches/RHEL5.CVE-2012-2334.patch: backport fix for CVE-2012-2334, thanks Florian Weimer openoffice.org (1:3.2.1-11+squeeze5) stable-security; urgency=high . * debian/patches/cleanup-jpeg-bitmap-creation-loading-code.diff fix SA47244 ("LibreOffice Integer Overflow" when allocation memory for images) openssl (0.9.8o-4squeeze13) squeeze-security; urgency=high * Non-maintainer upload by the Security Team. * Fix CVE-2012-2333: DoS via explicit IV in DTLS otrs2 (2.4.9+dfsg1-3+squeeze3) stable-security; urgency=high . * Add upstream patch 17-security-osa-2012-01 from OSA-2012-01, which fixes a XSS vulnerability described in CVE-2012-2582 when using the Internet Explorer on viewing e-mails. * Add upstream patch 18-security-tag-nesting to improve HTML security to detect tag nasting. pcp (3.3.3-squeeze2) squeeze-security; urgency=high . * Fix build on 64-bit architectures pcp (3.3.3-squeeze1) squeeze-security; urgency=high . * Fixes for security advisory CVE-2012-3418 (PDU decoding errors) * Workaround for security advisory CVE-2012-3419 (proc disclosure) * Fixes for security advisory CVE-2012-3420 (libpcp/pmcd memleaks) * Fixes for security advisory CVE-2012-3421 (pmcd slow-client DoS) php-memcached (1.0.2-1+squeeze2) stable; urgency=low * Apply patch from upstream to fix broken session.gc_maxlifetime handling (sessions never expire). Closes: #664856. php5 (5.3.3-7+squeeze13) squeeze-security; urgency=high * Rebuild to work around against dak troubles. php5 (5.3.3-7+squeeze9) squeeze-security; urgency=high * Add more return value checks for CVE-2011-4153 (pulled from OpenSUSE) * CVE-2012-1172: Fix insufficient validation of upload name leading to corrupted $_FILES indices * CVE-2012-1823,CVE-2012-2311: Fix PHP-CGI query string parameter vulnerability pidgin (2.7.3-1+squeeze3) stable-security; urgency=high * CVE-2012-3374.patch: - Fix remote crash/overflow in MXit protocol pidgin-otr (3.2.0-5+squeeze1) stable-security; urgency=high * Non-maintainer upload by the Security Team. * CVE-2012-2369: Fix format vulnerability in log messages (Closes: #673154) plymouth (0.8.3-9.2) squeeze; urgency=low * Fix the init script to not do anything if the plymouth package is removed (closes: #617857). policyd-weight (0.1.15.1-2+squeeze1) squeeze; urgency=low . * Add 04_del_rfc-ignorant.org.dpatch which removes rfc-ignorant.org lists due to service shut down on 2012-11-30 * Add 03_del_non_func_ipv6_dnsbl.dpatch which removes non-functional DNSBL rbl.ipv6-world.net postgresql-8.4 (8.4.13-0squeeze1) stable-security; urgency=low . * New upstream security/bug fix release: - Prevent access to external files/URLs via XML entity references. xml_parse() would attempt to fetch external files or URLs as needed to resolve DTD and entity references in an XML value, thus allowing unprivileged database users to attempt to fetch data with the privileges of the database server. While the external data wouldn't get returned directly to the user, portions of it could be exposed in error messages if the data didn't parse as valid XML; and in any case the mere ability to check existence of a file might be useful to an attacker. (CVE-2012-3489) - Prevent access to external files/URLs via "contrib/xml2"'s xslt_process(). libxslt offers the ability to read and write both files and URLs through stylesheet commands, thus allowing unprivileged database users to both read and write data with the privileges of the database server. Disable that through proper use of libxslt's security options. (CVE-2012-3488) Also, remove xslt_process()'s ability to fetch documents and stylesheets from external files/URLs. While this was a documented "feature", it was long regarded as a bad idea. The fix for CVE-2012-3489 broke that capability, and rather than expend effort on trying to fix it, we're just going to summarily remove it. - Prevent too-early recycling of btree index pages. When we allowed read-only transactions to skip assigning XIDs, we introduced the possibility that a deleted btree page could be recycled while a read-only transaction was still in flight to it. This would result in incorrect index search results. The probability of such an error occurring in the field seems very low because of the timing requirements, but nonetheless it should be fixed. - Fix crash-safety bug with newly-created-or-reset sequences. If "ALTER SEQUENCE" was executed on a freshly created or reset sequence, and then precisely one nextval() call was made on it, and then the server crashed, WAL replay would restore the sequence to a state in which it appeared that no nextval() had been done, thus allowing the first sequence value to be returned again by the next nextval() call. In particular this could manifest for serial columns, since creation of a serial column's sequence includes an "ALTER SEQUENCE OWNED BY" step. - Ensure the "backup_label" file is fsync'd after pg_start_backup(). - Back-patch 9.1 improvement to compress the fsync request queue. This improves performance during checkpoints. The 9.1 change has now seen enough field testing to seem safe to back-patch. - Only allow autovacuum to be auto-canceled by a directly blocked process. The original coding could allow inconsistent behavior in some cases; in particular, an autovacuum could get canceled after less than deadlock_timeout grace period. - Improve logging of autovacuum cancels. - Fix log collector so that log_truncate_on_rotation works during the very first log rotation after server start. - Fix WITH attached to a nested set operation (UNION/INTERSECT/EXCEPT). - Ensure that a whole-row reference to a subquery doesn't include any extra GROUP BY or ORDER BY columns. - Disallow copying whole-row references in CHECK constraints and index definitions during "CREATE TABLE". This situation can arise in "CREATE TABLE" with LIKE or INHERITS. The copied whole-row variable was incorrectly labeled with the row type of the original table not the new one. Rejecting the case seems reasonable for LIKE, since the row types might well diverge later. For INHERITS we should ideally allow it, with an implicit coercion to the parent table's row type; but that will require more work than seems safe to back-patch. - Fix memory leak in ARRAY(SELECT ...) subqueries. - Fix extraction of common prefixes from regular expressions. The code could get confused by quantified parenthesized subexpressions, such as ^(foo)?bar. This would lead to incorrect index optimization of searches for such patterns. - Fix bugs with parsing signed "hh":"mm" and "hh":"mm":"ss" fields in interval constants. - Report errors properly in "contrib/xml2"'s xslt_process(). postgresql-8.4 (8.4.12-3) unstable; urgency=medium * Urgency medium; the current version in testing (with the full server) is unsupportable in a stable release. * debian/control: Drop dependency to postgresql-8.4. While it is technically correct (it needs Squeeze's postgresql-8.4 package) it makes britney refuse to get this into testing, as the package is uninstallable in Wheezy. postgresql-8.4 (8.4.12-2) unstable; urgency=low * Drop all binary packages except for postgresql-plperl-8.4. Version 8.4 is obsolete and not supported in Wheezy any more, and there are no remaining reverse dependencies any more. However, postgresql-plperl-8.4 from Squeeze is not installable in Wheezy any more due to the different Perl version, so we need a postgresql-plperl-8.4 built against libperl5.14 so that you can upgrade your existing 8.4 clusters to 9.1. Drop unnecessary build dependencies and disable the optional features to speed up the build. postgresql-8.4 (8.4.12-1) unstable; urgency=medium * Urgency medium due to security fixes. * New upstream security/bug fix release: - Fix incorrect password transformation in "contrib/pgcrypto"'s DES crypt() function. If a password string contained the byte value 0x80, the remainder of the password was ignored, causing the password to be much weaker than it appeared. With this fix, the rest of the string is properly included in the DES hash. Any stored password values that are affected by this bug will thus no longer match, so the stored values may need to be updated. (CVE-2012-2143) - Ignore SECURITY DEFINER and SET attributes for a procedural language's call handler. Applying such attributes to a call handler could crash the server. (CVE-2012-2655) - Allow numeric timezone offsets in timestamp input to be up to 16 hours away from UTC. Some historical time zones have offsets larger than 15 hours, the previous limit. This could result in dumped data values being rejected during reload. - Fix timestamp conversion to cope when the given time is exactly the last DST transition time for the current timezone. This oversight has been there a long time, but was not noticed previously because most DST-using zones are presumed to have an indefinite sequence of future DST transitions. - Fix text to name and char to name casts to perform string truncation correctly in multibyte encodings. - Fix memory copying bug in to_tsquery(). - Fix planner's handling of outer PlaceHolderVars within subqueries. This bug concerns sub-SELECTs that reference variables coming from the nullable side of an outer join of the surrounding query. In 9.1, queries affected by this bug would fail with "ERROR: Upper-level PlaceHolderVar found where not expected". But in 9.0 and 8.4, you'd silently get possibly-wrong answers, since the value transmitted into the subquery wouldn't go to null when it should. - Fix slow session startup when pg_attribute is very large. If pg_attribute exceeds one-fourth of shared_buffers, cache rebuilding code that is sometimes needed during session start would trigger the synchronized-scan logic, causing it to take many times longer than normal. The problem was particularly acute if many new sessions were starting at once. - Ensure sequential scans check for query cancel reasonably often. A scan encountering many consecutive pages that contain no live tuples would not respond to interrupts meanwhile. - Ensure the Windows implementation of PGSemaphoreLock() clears ImmediateInterruptOK before returning. This oversight meant that a query-cancel interrupt received later in the same query could be accepted at an unsafe time, with unpredictable but not good consequences. - Show whole-row variables safely when printing views or rules. Corner cases involving ambiguous names (that is, the name could be either a table or column name of the query) were printed in an ambiguous way, risking that the view or rule would be interpreted differently after dump and reload. Avoid the ambiguous case by attaching a no-op cast. - Fix "COPY FROM" to properly handle null marker strings that correspond to invalid encoding. A null marker string such as E'\\0' should work, and did work in the past, but the case got broken in 8.4. - Ensure autovacuum worker processes perform stack depth checking properly. Previously, infinite recursion in a function invoked by auto-"ANALYZE" could crash worker processes. - Fix logging collector to not lose log coherency under high load. The collector previously could fail to reassemble large messages if it got too busy. - Fix logging collector to ensure it will restart file rotation after receiving SIGHUP. - Fix WAL replay logic for GIN indexes to not fail if the index was subsequently dropped> - Fix memory leak in PL/pgSQL's "RETURN NEXT" command. - Fix PL/pgSQL's "GET DIAGNOSTICS" command when the target is the function's first variable. - Fix potential access off the end of memory in psql's expanded display ("\x") mode. - Fix several performance problems in pg_dump when the database contains many objects. pg_dump could get very slow if the database contained many schemas, or if many objects are in dependency loops, or if there are many owned sequences. - Fix "contrib/dblink"'s dblink_exec() to not leak temporary database connections upon error. - Fix "contrib/dblink" to report the correct connection name in error messages. * debian/control: Move bzr branches to alioth, so that other members of pkg-postgresql can commit. Update Vcs-* tags. * debian/control: Set Maintainer: to pkg-postgresql group, and move myself to Uploaders:. postgresql-8.4 (8.4.12-0squeeze1) stable-security; urgency=low * New upstream security/bug fix release: - Fix incorrect password transformation in "contrib/pgcrypto"'s DES crypt() function. If a password string contained the byte value 0x80, the remainder of the password was ignored, causing the password to be much weaker than it appeared. With this fix, the rest of the string is properly included in the DES hash. Any stored password values that are affected by this bug will thus no longer match, so the stored values may need to be updated. (CVE-2012-2143) - Ignore SECURITY DEFINER and SET attributes for a procedural language's call handler. Applying such attributes to a call handler could crash the server. (CVE-2012-2655) - Allow numeric timezone offsets in timestamp input to be up to 16 hours away from UTC. Some historical time zones have offsets larger than 15 hours, the previous limit. This could result in dumped data values being rejected during reload. - Fix timestamp conversion to cope when the given time is exactly the last DST transition time for the current timezone. This oversight has been there a long time, but was not noticed previously because most DST-using zones are presumed to have an indefinite sequence of future DST transitions. - Fix text to name and char to name casts to perform string truncation correctly in multibyte encodings. - Fix memory copying bug in to_tsquery(). - Fix planner's handling of outer PlaceHolderVars within subqueries. This bug concerns sub-SELECTs that reference variables coming from the nullable side of an outer join of the surrounding query. In 9.1, queries affected by this bug would fail with "ERROR: Upper-level PlaceHolderVar found where not expected". But in 9.0 and 8.4, you'd silently get possibly-wrong answers, since the value transmitted into the subquery wouldn't go to null when it should. - Fix slow session startup when pg_attribute is very large. If pg_attribute exceeds one-fourth of shared_buffers, cache rebuilding code that is sometimes needed during session start would trigger the synchronized-scan logic, causing it to take many times longer than normal. The problem was particularly acute if many new sessions were starting at once. - Ensure sequential scans check for query cancel reasonably often. A scan encountering many consecutive pages that contain no live tuples would not respond to interrupts meanwhile. - Ensure the Windows implementation of PGSemaphoreLock() clears ImmediateInterruptOK before returning. This oversight meant that a query-cancel interrupt received later in the same query could be accepted at an unsafe time, with unpredictable but not good consequences. - Show whole-row variables safely when printing views or rules. Corner cases involving ambiguous names (that is, the name could be either a table or column name of the query) were printed in an ambiguous way, risking that the view or rule would be interpreted differently after dump and reload. Avoid the ambiguous case by attaching a no-op cast. - Fix "COPY FROM" to properly handle null marker strings that correspond to invalid encoding. A null marker string such as E'\\0' should work, and did work in the past, but the case got broken in 8.4. - Ensure autovacuum worker processes perform stack depth checking properly. Previously, infinite recursion in a function invoked by auto-"ANALYZE" could crash worker processes. - Fix logging collector to not lose log coherency under high load. The collector previously could fail to reassemble large messages if it got too busy. - Fix logging collector to ensure it will restart file rotation after receiving SIGHUP. - Fix WAL replay logic for GIN indexes to not fail if the index was subsequently dropped> - Fix memory leak in PL/pgSQL's "RETURN NEXT" command. - Fix PL/pgSQL's "GET DIAGNOSTICS" command when the target is the function's first variable. - Fix potential access off the end of memory in psql's expanded display ("\x") mode. - Fix several performance problems in pg_dump when the database contains many objects. pg_dump could get very slow if the database contained many schemas, or if many objects are in dependency loops, or if there are many owned sequences. - Fix "contrib/dblink"'s dblink_exec() to not leak temporary database connections upon error. - Fix "contrib/dblink" to report the correct connection name in error messages. * debian/patches/15-revert-typmod-check.patch: Unfuzz to apply to new version. * debian/control: Move bzr branches to alioth, so that other members of pkg-postgresql can commit. Update Vcs-* tags. postgresql-8.4 (8.4.11-1) unstable; urgency=medium * Urgency medium due to security fixes. * New upstream bug fix/security release: - Require execute permission on the trigger function for "CREATE TRIGGER". This missing check could allow another user to execute a trigger function with forged input data, by installing it on a table he owns. This is only of significance for trigger functions marked SECURITY DEFINER, since otherwise trigger functions run as the table owner anyway. (CVE-2012-0866) - Remove arbitrary limitation on length of common name in SSL certificates. Both libpq and the server truncated the common name extracted from an SSL certificate at 32 bytes. Normally this would cause nothing worse than an unexpected verification failure, but there are some rather-implausible scenarios in which it might allow one certificate holder to impersonate another. The victim would have to have a common name exactly 32 bytes long, and the attacker would have to persuade a trusted CA to issue a certificate in which the common name has that string as a prefix. Impersonating a server would also require some additional exploit to redirect client connections. (CVE-2012-0867) - Convert newlines to spaces in names written in pg_dump comments. pg_dump was incautious about sanitizing object names that are emitted within SQL comments in its output script. A name containing a newline would at least render the script syntactically incorrect. Maliciously crafted object names could present a SQL injection risk when the script is reloaded. (CVE-2012-0868) - Fix btree index corruption from insertions concurrent with vacuuming. An index page split caused by an insertion could sometimes cause a concurrently-running "VACUUM" to miss removing index entries that it should remove. After the corresponding table rows are removed, the dangling index entries would cause errors (such as "could not read block N in file ...") or worse, silently wrong query results after unrelated rows are re-inserted at the now-free table locations. This bug has been present since release 8.2, but occurs so infrequently that it was not diagnosed until now. If you have reason to suspect that it has happened in your database, reindexing the affected index will fix things. - Update per-column permissions, not only per-table permissions, when changing table owner. Failure to do this meant that any previously granted column permissions were still shown as having been granted by the old owner. This meant that neither the new owner nor a superuser could revoke the now-untraceable-to-table-owner permissions. - Allow non-existent values for some settings in "ALTER USER/DATABASE SET". Allow default_text_search_config, default_tablespace, and temp_tablespaces to be set to names that are not known. This is because they might be known in another database where the setting is intended to be used, or for the tablespace cases because the tablespace might not be created yet. The same issue was previously recognized for search_path, and these settings now act like that one. - Avoid crashing when we have problems deleting table files post-commit. Dropping a table should lead to deleting the underlying disk files only after the transaction commits. In event of failure then (for instance, because of wrong file permissions) the code is supposed to just emit a warning message and go on, since it's too late to abort the transaction. This logic got broken as of release 8.4, causing such situations to result in a PANIC and an unrestartable database. - Track the OID counter correctly during WAL replay, even when it wraps around. Previously the OID counter would remain stuck at a high value until the system exited replay mode. The practical consequences of that are usually nil, but there are scenarios wherein a standby server that's been promoted to master might take a long time to advance the OID counter to a reasonable value once values are needed. - Fix regular expression back-references with - attached. Rather than enforcing an exact string match, the code would effectively accept any string that satisfies the pattern sub-expression referenced by the back-reference symbol. A similar problem still afflicts back-references that are embedded in a larger quantified expression, rather than being the immediate subject of the quantifier. This will be addressed in a future PostgreSQL release. - Fix recently-introduced memory leak in processing of inet/cidr values. - Fix dangling pointer after "CREATE TABLE AS"/"SELECT INTO" in a SQL-language function. In most cases this only led to an assertion failure in assert-enabled builds, but worse consequences seem possible. - Fix I/O-conversion-related memory leaks in plpgsql. - Improve pg_dump's handling of inherited table columns. pg_dump mishandled situations where a child column has a different default expression than its parent column. If the default is textually identical to the parent's default, but not actually the same (for instance, because of schema search path differences) it would not be recognized as different, so that after dump and restore the child would be allowed to inherit the parent's default. Child columns that are NOT NULL where their parent is not could also be restored subtly incorrectly. - Fix pg_restore's direct-to-database mode for INSERT-style table data. Direct-to-database restores from archive files made with "--inserts" or "--column-inserts" options fail when using pg_restore from a release dated September or December 2011, as a result of an oversight in a fix for another problem. The archive file itself is not at fault, and text-mode output is okay. - Allow AT option in ecpg DEALLOCATE statements. The infrastructure to support this has been there for awhile, but through an oversight there was still an error check rejecting the case. - Fix error in "contrib/intarray"'s int[] & int[] operator. If the smallest integer the two input arrays have in common is 1, and there are smaller values in either array, then 1 would be incorrectly omitted from the result. - Fix error detection in "contrib/pgcrypto"'s encrypt_iv() and decrypt_iv(). These functions failed to report certain types of invalid-input errors, and would instead return random garbage values for incorrect input. - Fix one-byte buffer overrun in "contrib/test_parser". The code would try to read one more byte than it should, which would crash in corner cases. Since "contrib/test_parser" is only example code, this is not a security issue in itself, but bad example code is still bad. - Use __sync_lock_test_and_set() for spinlocks on ARM, if available. This function replaces our previous use of the SWPB instruction, which is deprecated and not available on ARMv6 and later. Reports suggest that the old code doesn't fail in an obvious way on recent ARM boards, but simply doesn't interlock concurrent accesses, leading to bizarre failures in multiprocess operation. - Use "-fexcess-precision=standard" option when building with gcc versions that accept it. This prevents assorted scenarios wherein recent versions of gcc will produce creative results. - Allow use of threaded Python on FreeBSD. Our configure script previously believed that this combination wouldn't work; but FreeBSD fixed the problem, so remove that error check. * Drop 04-armel-tas.patch, applied upstream. postgresql-common (113+squeeze1) stable; urgency=high . [ Martin Pitt ] * pg_ctlcluster: Do not remove the PID file after SIGKILLing the postmaster in the "last-ditch effort to shut down" in --force mode. This is a potentially dangerous thing to do when trying to start a second postmaster in parallel while the first one is still being shut down. (see http://archives.postgresql.org/pgsql-general/2012-07/msg00475.php) Cherry-picked from version 133 (bzr r1181). (Closes: #686060) . [ Christoph Berg ] * Update Vcs URLs and Maintainer fields for group maintenance. powertop (1.11-1+squeeze1) stable; urgency=low * Non-maintainer upload. * Fix segfault on newer kernels with large config files. Thanks to Mel Gorman (Closes: #610101) NMU upload prepared with debdiff created by Patrick Winnertz and found on debian-release mailing list. http://lists.debian.org/debian-release/2011/03/msg00292.html publican (2.1-2+squeeze1) stable; urgency=low * Add a missing dependency and build-dependency on libio-string-perl. Closes: #607272 puppet (2.6.2-5+squeeze6) stable-security; urgency=high * Add patch to fix puppet master vulnerabilities (CVE-2012-3864, CVE-2012-3865, CVE-2012-3866, CVE-2012-3867) - CVE-2012-3864: Arbitrary file read on the puppet master from authenticated clients (high) - CVE-2012-3865: Arbitrary file delete/D.O.S on Puppet Master from authenticated clients (high) - CVE-2012-3866: last_run_report.yaml is world readable (medium) - CVE-2012-3867: Insufficient input validation for agent hostnames (low) python-crypto (2.1.0-2+squeeze1) stable-security; urgency=high * Non-maintainer upload. * debian/patches/elgamal-keygen.patch: Backport patch from upstream to fix CVE-2012-2417. python-django (1.2.3-3+squeeze3) stable-security; urgency=high . * Stable security upload: https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/ Fixes: CVE-2012-3442 CVE-2012-3443 CVE-2012-3444 * Apply/backport the 3 security patches: - debian/patches/16_fix_cross_site_scripting_in_authentication.diff - debian/patches/17_fix_dos_in_image_validation.diff - debian/patches/18_fix_dos_via_get_image_dimensions.diff Closes: #683364 qemu (0.12.5+dfsg-3squeeze2) squeeze-security; urgency=low . * block-prevent-snapshot-mode-TMPDIR-symlink-attack-CVE-2012-2652.patch upstream fix for CVE-2012-2652, symlink attacks in snapshot mode. (Closes: #678280) * console-bounds-check-whenever-changing-the-cursor-CVE-2012-3515.patch upstream fix for CVE-2012-3515, VT100 emulation vulnerability. (Closes: #686973) qemu-kvm (0.12.5+dfsg-5+squeeze9) stable-security; urgency=low . * console-bounds-check-whenever-changing-the-cursor-CVE-2012-3515.patch upstream fix for CVE-2012-3515, VT100 emulation vulnerability. (Closes: #686974) * block-prevent-snapshot-mode-TMPDIR-symlink-attack-CVE-2012-2652.patch upstream fix for CVE-2012-2652, symlink attacks in snapshot mode. (Closes: #686977) quagga (0.99.20.1-0+squeeze3) stable-security; urgency=high * SECURITY: CVE-2012-1820 - Quagga contained a bug in BGP OPEN message handling. A denial-of-service condition could be caused by an attacker controlling one of the pre-configured BGP peers. In most cases this means, that the attack must be originated from an adjacent network. Closes: #676510 rails (2.3.5-1.2+squeeze3) stable-security; urgency=low * Fix vulnerability for users that generate their own options tags for use with the select helper in Ruby On Rails [CVE-2012-1099] (Closes: #668607) request-tracker3.8 (3.8.8-7+squeeze5) stable-security; urgency=low . * Apply upstream patch fixing regression in rt-email-dashboards, and whitelist search results and calendar helper from CSRF protection (Closes: #686392) request-tracker3.8 (3.8.8-7+squeeze4) stable-security; urgency=low * Apply second fix for regression introduced by previous security fix when sending email with mod_perl (Closes: #674924) request-tracker3.8 (3.8.8-7+squeeze3) stable-security; urgency=high * Apply fix for regression introduced by previous security fix when sending email with mod_perl (Closes: #674522) * Provide specific instructions for restarting a mod_perl based Apache server (Closes: #674558) rssh (2.3.2-13squeeze1) stable-security; urgency=high . * Apply upstream patch to close security vulnerability that permitted clever manipulation of environment variables on the ssh command line to bypass rssh checking. (CVE-2012-3478) rstatd (4.0.1-4+squeeze1) stable; urgency=low * Non-maintainer upload. * Patch getdata.c. Work with 3.x Linux kernels. A machine running kernel 3.x and the rpc.rstatd does not reply to any rup request from remote or even from local host. This renders the package unusable. Thanks to Thomas Lange (Closes: #654276) rtfm (2.4.2-4+squeeze1) stable-security; urgency=high . * [CVE-2012-2768] Fix multiple XSS vulnerabilities (Closes: #682765, #683290) spip (2.1.1-3squeeze5) stable; urgency=low . * Fix base name disclosure. Closes: #683667 spip (2.1.1-3squeeze4) stable; urgency=low * Updated security screen to 1.1.3. Prevent cross site scripting on referer (addresses missing bits of [CVE-2012-2151]), cross site scripting and PHP injections in internal functions. Closes: #680118 * Backport patch from 2.1.14: - fix XSS on password. Closes: #672961 * Backport patch from 2.1.15: - fix XSS injection in variable name. Closes: #677290 strongswan (4.4.1-5.2) stable-security; urgency=high * Non-maintainer upload by the Security Team. * debian/patches: - 0001-Fix-boolean-return-value-if-an-empty-RSA-signature-i added, backported from upstream. Fix CVE-2012-2388 (when using gmp plugin, zero length RSA signatures are considered valid). sudo (1.7.4p4-2.squeeze.3) stable-security; urgency=high * CVE-2012-2337 sympa (6.0.1+dfsg-4+squeeze1) stable-security; urgency=high * Fix CVE-2012-2352: Possibility to bypass the authorization mechanisms in the archive management page of wwsympa (Closes: #672893) tor (0.2.2.39-1) stable-security; urgency=high . * New upstream version: - Fix an assertion failure in tor_timegm() that could be triggered by a badly formatted directory object. Bug found by fuzzing with Radamsa. Fixes bug 6811; bugfix on 0.2.0.20-rc. - Do not crash when comparing an address with port value 0 to an address policy. This bug could have been used to cause a remote assertion failure by or against directory authorities, or to allow some applications to crash clients. Fixes bug 6690; bugfix on 0.2.1.10-alpha. . tor (0.2.2.38-1) stable; urgency=low . * New upstream version, fixing three security issues, as discussed in #684763: - Avoid an uninitialized memory read when reading a vote or consensus document that has an unrecognized flavor name. This read could lead to a remote crash bug. Fixes bug 6530; bugfix on 0.2.2.6-alpha. [CVE-2012-3518] - Try to leak less information about what relays a client is choosing to a side-channel attacker. Previously, a Tor client would stop iterating through the list of available relays as soon as it had chosen one, thus finishing a little earlier when it picked a router earlier in the list. If an attacker can recover this timing information (nontrivial but not proven to be impossible), they could learn some coarse-grained information about which relays a client was picking (middle nodes in particular are likelier to be affected than exits). The timing attack might be mitigated by other factors (see bug 6537 for some discussion), but it's best not to take chances. Fixes bug 6537; bugfix on 0.0.8rc1. [CVE-2012-3519] * Note that contrary to the upstream release notes and changelog the folloiwng issue is not fixed by this release. Discussion in the upstream bug tracker suggests it is not triggerable in practice. - Avoid read-from-freed-memory and double-free bugs that could occur when a DNS request fails while launching it. Fixes bug 6480; bugfix on 0.2.0.1-alpha. [CVE-2012-3517; https://bugs.torproject.org/6480] . tor (0.2.2.37-1~squeeze+1) stable; urgency=low . * Update tor in stable to 0.2.2.37 as per discussion in #679224: - This version fixes a couple of minor security issues, like no longer leaking uninitialized memory, properly rejecting inputs where the number exceeds valid values for its storage types, or not adding more bytes to input buffers while renegotiating. - Furthermore, a few issues are resolved that might affect a user's anonymity. These include things such as only building circuits when a client knows a sufficient number of "exit" nodes, never using a bridge as an exit, or reusing circuits in an unsafe manner. - Additionaly it updates the list of directory authorities, makes building with newer and older openssl libraries safer (probably not important for us) and makes building on a few other platforms more robust. - For details please consult the upstream changelog entries. . tor (0.2.2.37-1) unstable; urgency=medium . * New upstream version, including: - Work around a bug in OpenSSL that broke renegotiation with TLS 1.1 and TLS 1.2. Without this workaround, all attempts to speak the v2 Tor connection protocol when both sides were using OpenSSL 1.0.1 would fail. Resolves ticket 6033. - When waiting for a client to renegotiate, don't allow it to add any bytes to the input buffer. This fixes a potential DoS issue. Fixes bugs 5934 and 6007; bugfix on 0.2.0.20-rc. - and more. See upstream's changelog. . tor (0.2.2.36-1) unstable; urgency=low . * New upstream version, including updates to authority addresses, and a couple minor security issues, see upstream's changelog. tor (0.2.2.38-1) stable; urgency=low . * New upstream version, fixing three security issues, as discussed in #684763: - Avoid an uninitialized memory read when reading a vote or consensus document that has an unrecognized flavor name. This read could lead to a remote crash bug. Fixes bug 6530; bugfix on 0.2.2.6-alpha. [CVE-2012-3518] - Try to leak less information about what relays a client is choosing to a side-channel attacker. Previously, a Tor client would stop iterating through the list of available relays as soon as it had chosen one, thus finishing a little earlier when it picked a router earlier in the list. If an attacker can recover this timing information (nontrivial but not proven to be impossible), they could learn some coarse-grained information about which relays a client was picking (middle nodes in particular are likelier to be affected than exits). The timing attack might be mitigated by other factors (see bug 6537 for some discussion), but it's best not to take chances. Fixes bug 6537; bugfix on 0.0.8rc1. [CVE-2012-3519] * Note that contrary to the upstream release notes and changelog the folloiwng issue is not fixed by this release. Discussion in the upstream bug tracker suggests it is not triggerable in practice. - Avoid read-from-freed-memory and double-free bugs that could occur when a DNS request fails while launching it. Fixes bug 6480; bugfix on 0.2.0.1-alpha. [CVE-2012-3517; https://bugs.torproject.org/6480] tor (0.2.2.37-1) unstable; urgency=medium * New upstream version, including: - Work around a bug in OpenSSL that broke renegotiation with TLS 1.1 and TLS 1.2. Without this workaround, all attempts to speak the v2 Tor connection protocol when both sides were using OpenSSL 1.0.1 would fail. Resolves ticket 6033. - When waiting for a client to renegotiate, don't allow it to add any bytes to the input buffer. This fixes a potential DoS issue. Fixes bugs 5934 and 6007; bugfix on 0.2.0.20-rc. - and more. See upstream's changelog. tor (0.2.2.37-1~squeeze+1) stable; urgency=low * Update tor in stable to 0.2.2.37 as per discussion in #679224: - This version fixes a couple of minor security issues, like no longer leaking uninitialized memory, properly rejecting inputs where the number exceeds valid values for its storage types, or not adding more bytes to input buffers while renegotiating. - Furthermore, a few issues are resolved that might affect a user's anonymity. These include things such as only building circuits when a client knows a sufficient number of "exit" nodes, never using a bridge as an exit, or reusing circuits in an unsafe manner. - Additionaly it updates the list of directory authorities, makes building with newer and older openssl libraries safer (probably not important for us) and makes building on a few other platforms more robust. - For details please consult the upstream changelog entries. tor (0.2.2.37-1) unstable; urgency=medium * New upstream version, including: - Work around a bug in OpenSSL that broke renegotiation with TLS 1.1 and TLS 1.2. Without this workaround, all attempts to speak the v2 Tor connection protocol when both sides were using OpenSSL 1.0.1 would fail. Resolves ticket 6033. - When waiting for a client to renegotiate, don't allow it to add any bytes to the input buffer. This fixes a potential DoS issue. Fixes bugs 5934 and 6007; bugfix on 0.2.0.20-rc. - and more. See upstream's changelog. tor (0.2.2.36-1) unstable; urgency=low * New upstream version, including updates to authority addresses, and a couple minor security issues, see upstream's changelog. tor (0.2.2.36-1) unstable; urgency=low * New upstream version, including updates to authority addresses, and a coulpe minor security issues, see upstream's changelog. tor (0.2.2.35-1) unstable; urgency=high * New upstream version, fixing a heap overflow bug related to Tor's SOCKS code (CVE-2011-2778). * There no longer is a document called INSTALL to copy to usr/share/docs/tor, so get rid of the lintian override. Since that was the only one in the tor package get rid of installing overrides for the tor package entirely - there's still one override in tor-geoipdb (closes Tor #4576). ttb (1.0.1-3+squeeze1) stable; urgency=low * Depends on python-glade2 (Closes: #616325). typo3-src (4.3.9+dfsg1-1+squeeze5) squeeze-security; urgency=medium . * Security patch backported from new upstream release 4.5.19: - fixes: "TYPO3 Security Bulletin TYPO3-CORE-SA-2012-004: Several Vulnerabilities in TYPO3 Core" (Closes: 685011) vte (1:0.24.3-4) stable; urgency=low * 03_CVE-2012-2738.patch, 04_CVE-2012-2738.patch: backport upstream patches to fix a memory exhaustion vulnerability. Closes: #677717. wims (4.00-4+squeeze1) stable-proposed-updates; urgency=low [ Andreas Beckmann ] * wims.postinst: Move mktexlsr call to the start of the configure sequence s.t. the font sources shipped with wims can be used in the following configuration steps. Depending on the installation/configuration order wims could fail to configure because the Euler fonts were not yet found by the latex tools. (Closes: #574235) [ Georges Khaznadar ] * checked the compilation and installation in a fresh squeeze chroot wireshark (1.2.11-6+squeeze7) stable-proposed-updates; urgency=low * security fixes from Wireshark 1.4.12: - The ANSI A dissector could dereference a NULL pointer and crash (CVE-2012-1593) - The pcap and pcap-ng file parsers could crash trying to read ERF data (CVE-2012-1595) wordpress (3.3.2+dfsg-1~squeeze1) stable-security; urgency=low . * Import wordpress from Wheezy to fix all the security issues present in Squeeze. This fixes: - CVE-2011-3122, CVE-2011-3125, CVE-2011-3126, CVE-2011-3127, CVE-2011-3128, CVE-2011-3129, CVE-2011-3130 (multiple unspecified vulnerabilities) which were allocated from the Wordpress 3.1.3 / 3.2 beta2 release announcement - CVE-2011-4956 (missing input sanitization) and CVE-2011-4957 (missing URL length check in make_clickable() function) allocated from Wordpress 3.1.1 release announcement. - CVE-2012-2399 (unspecified vulnerability in wp-includes/js/swfupload/swfupload.swf), CVE-2012-2400 (unspecified vulnerability in wp-includes/js/swfobject.js), CVE-2012-2401 (Same-Origin Policy bypass in Plupload plugin), CVE-2012-2402 (access restriction bypass by authenticated site administrators), CVE-2012-2403 (Wordpress supports clickable links inside attributes, making it easier to conduct XSS attacks) CVE-2012-2404 (Wordpress supports offsite redirects, making it easier to conduct XSS attacks), which were allocated from the 3.3.2 release announcement. closes: #670124 * debian/wordpress.linktrees: - don't symlink TinyMCE, it's too old in Squeeze. - don't deduplicate jquery, same thing. - don't deduplicate jquery-form, doesn't exist in Squeeze. * debian/control: - drop build-dep on tinymce, libjs-jquery and libjs-jquery-form, we'll use the embedded versions. wordpress (3.3.1+dfsg-1) unstable; urgency=low * New upstream security release. Fixes CVE-2012-0287. wordpress (3.3+dfsg-1) unstable; urgency=low * New upstream release. Closes: #652041 * [4deb832] Add all the missing sources in debian/missing-sources/. (Closes: #646729) * [913eba5] Refresh all patches. * [ae61778] Use xz compression for the debian tarball to save some space. wordpress (3.2.1+dfsg-3) unstable; urgency=medium * Upload with urgency medium to speed up a bit the transition to testing since the testing version is broken. * [72d01a3] Improve dh_linktree. It is now able to generate dependencies and to have different behaviour for each file to replace. Modify wordpress.linktrees to ensure we have the very same JQuery files but blindly replaces all the other files. Drop the explicit dependencies in favor of the autogenerated dependencies. As a side-effect this fixes installation of widgets which was broken by the mismatch of some JQuery ui files. * [bbce711] Add lintian overrides for warnings about the embedded copy of JQuery. We do a reasonable effort to replace it if it matches. wordpress (3.2.1+dfsg-2) unstable; urgency=low * [af74ce2] Add a preinst to drop symlinks to directories for tinymce and cropper. The new dh_linktree only symlinks files and hierarchies are duplicated. So we have to drop symlinks to directories in the preinst, otherwise dpkg installs the new symlinks in the tinymce/cropper directories instead of in the wordpress ones. Also drop the upgrade code in the postinst converting the same directories into symlinks... (Closes: #639733) * [0b51c4f] Invite users affected by #639733 to reinstall tinymce/libjs-cropper. * [55af033] Fix invalid test in postinst (upgrade → configure) "upgrade" is not a valid parameter in the postinst. Instead we get "configure". wordpress (3.2.1+dfsg-1) unstable; urgency=low [ Paul Tagliamonte ] * [c5e4b2c] Added a get-orig-source target to recreate the DFSG-clean tarball. It drops all the sourceless flash files. Closes: #625773 [ Raphaël Hertzog ] * [d1035bd] Imported Upstream version 3.2.1+dfsg * [b968405] Update and refresh all patches. * [10ab97c] Drop manifest.patch because the description in its header doesn't make any sense. * [87537db] Update dependencies as per new upstream requirements. * [0c534ec] Update packaging to avoid using even more embedded PHP/JS libraries. * [ec5c11e] Use a new dh_linktree to replace embedded PHP/JS libraries. * [8690719] Add lintian override for embedded-php-library streams.php since it's a false positive. * [83c15bc] Upgrade Standards-Version to 3.9.2 (no changes needed). * [938fb15] Update internationalization files. * [6ac0357] Install class-smtp.php and class-phpmailer.php so that they can be replaced by dh_linktree. wordpress (3.0.5+dfsg-1) unstable; urgency=medium * [077b77b] Imported Upstream version 3.0.5+dfsg * [8d1ce17] Refreshed patches xen (4.0.1-5.4) stable-security; urgency=high . * Apply fix for Xen Security Advisory 12 (CVE-2012-3494) * Apply fix for Xen Security Advisory 14 (CVE-2012-3496) xen (4.0.1-5.2) stable-security; urgency=high * Apply patch from SuSE to boot even if the hardware is affected by CVE-2012-2934. xen (4.0.1-5.1) squeeze-security; urgency=high * Revert workaround for CVE-2012-2934. xen (4.0.1-5) stable-security; urgency=low * Fix privilege escalation and syscall/sysenter DoS while using non-canonical addresses by untrusted PV guests. CVE-2012-0217 CVE-2012-0218 * Disable Xen on CPUs affected by AMD Erratum #121. PV guests can cause a DoS of the host. CVE-2012-2934 xen-qemu-dm-4.0 (4.0.1-2+squeeze2) stable-security; urgency=low . * Security upload * Fix for Xen Security Advisory 17 (CVE-2012-3515) * Fix for Xen Security Advisory 19 (CVE-2012-4411) (closes: #686848) xserver-xorg-video-intel (2:2.13.0-7) squeeze; urgency=low * Cherry-pick from upstream: - uxa/glyphs: Fallback instead of crashing on large strings Thanks to Simon McVittie for tracking this down (closes: #678565) yaws (1.88-2+squeeze1) stable; urgency=low * Added a patch which fixes insufficient random numbers generator strength. * Fixed a grave bug with config loading in YAWS mail application. zabbix (1:1.8.2-1squeeze4) squeeze-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2012-3435: SQL injection in popup_bitem.php (Closes: #683273) zendframework (1.10.6-1squeeze1) squeeze-security; urgency=high * fixes Local file disclosure via XXE injection (Closes: #679215) ======================================== Sat, 12 May 2012 - Debian 6.0.5 released ======================================== acpid (1:2.0.7-1squeeze4) stable-proposed-updates; urgency=low * Really fix CVE-2011-1159 (Closes: #663249) apache2 (2.2.16-6+squeeze7) squeeze-security; urgency=high * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual hosts' config files. If scripting modules like mod_php or mod_rivet are enabled on systems where either 1) some frontend server forwards connections to an apache2 backend server on the localhost address, or 2) the machine running apache2 is also used for web browsing, this could allow a remote attacker to execute example scripts stored under /usr/share/doc. Depending on the installed packages, this could lead to issues like cross site scripting, code execution, or leakage of sensitive data. apache2 (2.2.16-6+squeeze6) squeeze-security; urgency=high * Rebuild with distribution set to squeeze-security. apr (1.4.2-6+squeeze4) stable; urgency=low * Fix apr_file_trunc() bug which could lead to subversion repository corruption in some rare cases. Closes: #664451 asterisk (1:1.6.2.9-2+squeeze5) stable-security; urgency=high * Do include patch AST-2011-014. * Quote pathes in postinst script: Closes: #656208 (Pocos). * Patch AST-2012-002 Stack overflow in Milliwatt (CVE-2012-1183): Closes: #664411. * Two extra patches: Closes: #670180: - Patch AST-2012-004 - further Manager permission fixes (CVE-2012-2414). - Patch AST-2012-005 - Heap overflow in chan_skinny (CVE-2012-2415). at (3.1.12-1+squeeze1) squeeze; urgency=low * Create hardlink as priviledged user. (Closes: #597130) Patch backported from at/3.1.13. base-files (6.0squeeze5) stable; urgency=low * Changed /etc/debian_version to 6.0.5, for Debian 6.0.5 point release. brltty (4.2-7+squeeze2) squeeze; urgency=low * debian/patches/40-esys-64.patch: New patch from upstream to fix support for large esys/iris displays. clive (2.2.13-5+squeeze4) stable; urgency=low * Adapt for youtube.com changes. (Closes: #645025) Thanks to Ingo Saitz for the patch. + new patch: 645025-youtube.diff curl (7.21.0-2.1+squeeze2) stable-security; urgency=low * Non-maintainer upload * Add --ssl-allow-beast and CURLOPT_SSL_OPTIONS (Closes: #658276) curl (7.21.0-2.1+squeeze1) stable-security; urgency=high * Non-maintainer upload * Fix URL sanitization vulnerability as per CVE-2012-0036 http://curl.haxx.se/docs/adv_20120124.html * Fix SSL CBC IV vulnerability as per CVE-2011-3389 http://curl.haxx.se/docs/adv_20120124B.html * Set urgency=high accordingly cvs (1:1.12.13-12+squeeze1) stable-security; urgency=high * Security update of the squeeze package. Update Maintainer (keep Steve in Uploaders, though); add Vcs-* information in d/control to point to the development location of the new package for the curious. * Apply suggested patch for CVE-2012-0804 from Petr Pisar debian-installer-netboot-images (20110106.squeeze4.b1) squeeze; urgency=low * Rebuild against squeeze-proposed-updates devscripts (2.10.69+squeeze2) squeeze-security; urgency=high [ Adam D. Barratt ] * debdiff: Fix CVE-2012-0211 and CVE-2012-0212 (argument injection / modification) [ Raphael Geissert ] * debdiff: + Fix CVE-2012-0210 (insufficient input sanitising reading .dsc and .changes files) + Remove undocumented feature treating extensionless files as if they were packages (Closes: #659559) dropbear (0.52-5+squeeze1) stable-security; urgency=high * debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff: new: Fix use-after-free bug (CVE-2012-0920) (closes: #661150). ecl (9.6.1-1squeeze2) stable; urgency=low * Team upload for stable release update. * debian/postrm: removed. We introduced this scripted when using clc, but since it's gone since Squeeze, the script will remove /usr/bin/ecl during upgrade, renders the package not usable for any user upgrading from older version. (Closes: #613484). eglibc (2.11.3-3) stable; urgency=low * patches/any/cvs-tzfile.diff: fix integer overflow in timezone code. (CVE-2009-5029). Closes: #650790. * patches/any/submitted-resolv-first-query-failure.diff: new patch to fix resolving issues with broken servers returning NOTIMP or FORMERR to AAAA queries. Closes: #658171. * local/manpages/gai.conf.5: update from latest RedHat version. Closes: #659504. evolution-data-server (2.30.3-2+squeeze1) stable; urgency=low * Add 02_data_book_respond_get_changes_missing_array_add.patch, to fix e_book_get_changes() not returning any changes. Bug reported and patch fished in upstream Git by Chris Frey. Thanks a lot! (closes: #641898, #658445) fail2ban (0.8.4-3+squeeze1) stable; urgency=low [ Jonathan Wiltshire ] * [e2232fc] Backport patch to fix CVE-2009-5023: Insecure creation of tempfile (Closes: #544232, #635746) [ Yaroslav Halchenko ] * [6fc6c7b] Backport patch: Lock server's executeCmd to prevent racing among iptables calls (Closes: #650678) fex (20100208+debian1-1+squeeze3) stable-security; urgency=high * Fixup for last upload. (Missing initialization, Closes: #660828) fex (20100208+debian1-1+squeeze2) stable-security; urgency=high * Add debian/patches/08_xss.patch (backported from and by upstream) to fix XSS (Closes: #660621) - CVE-2012-0869 file (5.04-5+squeeze2) squeeze-security; urgency=high * Fix overeager detection of CDF file as Word documents file (5.04-5+squeeze1) squeeze-security; urgency=high * Switch to the CDF parser from file 5.11. Fixes crashes detected by CERT/CC BFF fuzzer. * Keep old prefix "CDF V2" in file types. foomatic-filters (4.0.5-6+squeeze2) stable; urgency=low * Fix CVE-2011-2924 "foomatic-rip (debug mode) insecure temporary file use in renderer command line by processing PostScript data" - Backport debian/patches/CVE-2011-2924.patch from upstream, add DEP-3 headers. freetype (2.4.2-2.1+squeeze4) stable-security; urgency=low * CVE-2012-11[33|34|36|42|44] gajim (0.13.4-3+squeeze3) stable-security; urgency=high * Non-maintainer upload by the Security Team. * Fix regression introduced by last update if latx conversion utilities are not installed, check_latex("test") fails. (Closes: #668710, #669100, #669105, #669106) gajim (0.13.4-3+squeeze2) stable-security; urgency=high * Non-maintainer upload by the Security Team. * This update fixes the following security issues: - CVE-2012-2086: SQL injections via jids in logging code - CVE-2012-2085: assisted code execution via crafted messages due to insecurely processing input with popen. - CVE-2012-2093: insecure use of temporary files when convering LaTeX IM messages to png images. (Closes: #668710, #668038) gimp (2.6.10-1+squeeze3) stable-security; urgency=high * Non-maintainer upload by the Security Team. * Fix multiple vulnerabilities: CVE-2010-4540 CVE-2010-4541 CVE-2010-4542 CVE-2010-4543 CVE-2011-1782 CVE-2011-2896 Closes: #608497, #629830, #643753. * Add xsltproc to Build-Depends to make it don't FTBFS. giplet (0.2.3-3+squeeze1) stable; urgency=low * Add change-checkip-remoteurl-preference.patch patch. Change preferences on where to check the IP. www.whatismyip.org does not work anymore, change the setting to use checkip.dyndns.org. Thanks to Axel Stammler for the report. (Closes: #670692) gnash (0.8.8-5+squeeze1) stable-security; urgency=high * Fix CVE-2012-1175 (Closes: #664023). * Fix CVE-2010-4337 (Closes: #605419). * Fix CVE-2011-4328 (Closes: #649384). + Add libboost-iostreams-dev as B-D. gnash (0.8.8-5squeeze2) testing; urgency=low * "Following changes have been done in the previous release but we also like useless releases" release. * Removed useless patches. * Add "DM-Upload-Allowed: yes". gnash (0.8.8-5squeeze1) testing; urgency=low * Added patches + 06_ytfix: youtube videos start immediately. + 07_jemalloc: kfreebsd-* ports treated like *bsd oses. + 08_sectempfiles: create configure temporary files in a secure way (CVE-2010-4337). gnusound (0.7.5-3+squeeze1) stable; urgency=low * Added patch 'format-security' from Hilko Bengen to solve a format string security issue (Closes: #654270). gnutls26 (2.8.6-1+squeeze2) stable-security; urgency=high * Apply patch to fix crashes in record parsing (CVE-2012-1573) gosa (2.6.11-3+squeeze1) stable; urgency=low * Fix DHCP host removal. Closes: #650258 * Backport user generator unicode character transliteration. Closes: #657086 highlight (2.16-1+squeeze1) squeeze; urgency=low * remove faulty postrm; this script caused a file owned by highlight-common to be removed when highlight is removed. (Closes: #662748). iceape (2.0.11-11) stable-security; urgency=low * Fixes for mfsa2012-{13-14,16,19-20,23-24,29,33}, also known as CVE-2012-0455, CVE-2012-0456, CVE-2012-0458, CVE-2012-0461, CVE-2012-0467, CVE-2012-0470, CVE-2012-0471, CVE-2012-0477, CVE-2012-0479. iceape (2.0.11-10) stable-security; urgency=low * Fixes for mfsa-2012-{01,02,07,08}, also known as CVE-2012-0442, CVE-2011-3670, CVE-2012-0444, CVE-2012-0449. icedove (3.0.11-1+squeeze10) stable-security; urgency=low * [b3c6c90] Reimplement UTF-7 in mailnews (Closes: #671408, #671410) icedove (3.0.11-1+squeeze9) stable-security; urgency=high * [54a660a] backported patches from xulrunner fixes mfsa2012-{20,23,24,29,33} - MFSA 2012-20 aka CVE-2012-0467: Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4) - MFSA 2012-23 aka CVE-2012-0470: Invalid frees causes heap corruption in gfxImageSurface - MFSA 2012-24 aka CVE-2012-0471: Potential XSS via multibyte content processing errors - MFSA 2012-29 aka CVE-2012-0477: Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues - MFSA 2012-33 aka CVE-2012-0479: Potential site identity spoofing when loading RSS and Atom feeds icedove (3.0.11-1+squeeze8) stable-security; urgency=high * [ee15c08] backported patches from xulrunner fixes mfsa2012-{13,14,16,19} - MFSA 2012-13 aka CVE-2012-0455: XSS with Drag and Drop and Javascript: URL - MFSA 2012-14 aka CVE-2012-0456: SVG issues found with Address Sanitizer - MFSA 2012-16 aka CVE-2012-0458: Escalation of privilege with Javascript: URL as home page - MFSA 2012-19 aka CVE-2012-0461: Miscellaneous memory safety hazards (rv:11.0/ rv:10.0.3 / rv:1.9.2.28) icedove (3.0.11-1+squeeze7) stable-security; urgency=low * [d8a8858] backported patches from xulrunner fixes mfsa2012-{01,02,07,08} - MFSA 2012-01 aka CVE-2012-0442: Miscellaneous memory safety hazards (rv:10.0/ rv:1.9.2.26) - MFSA 2012-02 aka CVE-2011-3670: Overly permissive IPv6 literal syntax - MFSA 2012-07 aka CVE-2012-0444: Potential Memory Corruption When Decoding Ogg Vorbis files - MFSA 2012-08 aka CVE-2012-0449: Crash with malformed embedded XSLT stylesheets iceweasel (3.5.16-14) stable-security; urgency=low * Fixes for mfsa2012-{20,23-24,29,33}, also known as CVE-2012-0467, CVE-2012-0470, CVE-2012-0471, CVE-2012-0477, CVE-2012-0479. iceweasel (3.5.16-13) stable-security; urgency=low * Fixes for mfsa2012-{13-14,16,19}, also known as CVE-2012-0455, CVE-2012-0456, CVE-2012-0458, CVE-2012-0461. iceweasel (3.5.16-12) stable-security; urgency=low * Fixes for mfsa-2012-{01,02,07,08}, also known as CVE-2012-0442, CVE-2011-3670, CVE-2012-0444, CVE-2012-0449. icu (4.4.1-8) stable-security; urgency=high * Add patch to address CVE-2011-4599, a potential buffer overflow. imagemagick (8:6.6.0.4-3+squeeze3) stable-security; urgency=high * Fix my blunder in the previous patch (closes: #670980, #671002). All credit for patches of +squeeeze2 and the current fix go to Bastien Roucaries. imagemagick (8:6.6.0.4-3+squeeze2) stable-security; urgency=high * Fix "Invalid validation DoS CVE-2012-1185 / CVE-2012-1186 (incomplete fix)" (Closes: #665007) * Fix CVE-2012-0259 / CVE-2012-0260 / CVE-2012-1798 / CVE-2012-1610 (Closes: #667635) - Vulnerability CVE-2012-0259 can cause a DoS in a system via handing JPEG files with invalid EXIF XResolution tag. - Vulnerability CVE-2012-0260 can lead to excessive use of memory in target system, when processing a malicious JPEG file. Excessive use of memory can lead to denial of service. - Vulnerability CVE-2012-1798 can cause program to crash when reading invalid memory, while parsing EXIF IFD in a TIFF file. - Vulnerability CVE-2012-1610 Fix a Potential EXIF Integer Overflow imagemagick (8:6.6.0.4-3+squeeze1) stable-security; urgency=high * Security bug fix: "Invalid validation DoS CVE-2012-0247/CVE-2012-02478", thanks to Henri Salo (Closes: #659339). inspircd (1.1.22+dfsg-4+squeeze1) stable-security; urgency=low * Non-maintainer upload. * Protect against a buffer overflow in src/dns.cpp Closes: #667914 CVE-2012-1836 json-glib (0.10.2-2squeeze1) stable; urgency=low * debian/patches/01_use_g_format_for_g_ascii_formatd.patch: - Add upstream patch to fix serialization of doubles kdeutils (4:4.4.5-1+squeeze1) stable; urgency=low * Non-maintainer upload. * CVE-2011-2725: Backport patch for upstream directory traversal in Ark Closes: #635541 (thanks to Moritz Muehlenhoff) keepalived (1:1.1.20-1+squeeze1) stable; urgency=low * Set correct permissions on pid file. This is a fix for CVE-2011-1784. (Closes: #626281) laptop-mode-tools (1.55-2) stable-proposed-updates; urgency=low * Fix compatibility with 3.x kernels (Closes: #647563) libapache2-mod-fcgid (1:2.3.6-1+squeeze1) stable-security; urgency=high * Non-maintainer upload. * import r1037727 from upstream to fix vhost-specific process controls (Closes: #615814, CVE-2012-1181) libarchive (2.8.4.forreal-1+squeeze2) stable-security; urgency=low * Rebuild to correct orig tarball mismatch. libarchive (2.8.4-2) unstable; urgency=low * update-patch-series: + replace local patch with upstream commit. (Rebase patches branch to drop commit/patch "0007-Ignore-ENOSYS-error-when-sett...", in favor of upstream revision 2537 added as "0007-Patch-from-upstream-rev-2537.patch") + add 0008-Patch-from-upstream-rev-2888.patch (Closes: #610079) + add 0009-Patch-from-upstream-rev-2940.patch (Closes: #610783) libcgicc (3.2.9-1+squeeze1) stable; urgency=low * Install pkg-config file to the correct location (closes: #600943) libdbd-pg-perl (2.17.1-2+squeeze1) stable-security; urgency=high * Add format-error.patch patch [SECURITY] CVE-2012-1151. Explicitly warn and croak with controlled format strings. Thanks to Niko Tyni for the patch (Closes: #661536) libmodplug (1:0.8.8.1-1+squeeze2) stable-security; urgency=low * CVE-2011-1761 buffer overflow in load_abc * CVE-2011-2911 integer overflow in CSoundFile::ReadWav() * CVE-2011-2912 boundary error in CSoundFile::ReadS3M() * CVE-2011-2913 off-by-one in CSoundFile::ReadAMS() * CVE-2011-2914 off-by-one in CSoundFile::ReadDSM() * CVE-2011-2915 off-by-one in CSoundFile::ReadAMS2() * Note: 2911-2915 were also reported as SA45131 libpng (1.2.44-1+squeeze4) stable-security; urgency=low * CVE-2011-3048 libpng (1.2.44-1+squeeze3) stable-security; urgency=high * CVE-2011-3045 libpng (1.2.44-1+squeeze2) stable-security; urgency=high * Fix integer overflow (chromium #112822) libtasn1-3 (2.7-1+squeeze+1) stable-security; urgency=low * ASN.1 length decoding vulnerability. CVE-2012-1569. libvorbis (1.3.1-1+squeeze1) stable-security; urgency=low * CVE-2012-0444 libxi (2:1.3-7) squeeze; urgency=low * Cherry-pick patches from upstream: - Fix passive grabs - Fill in mods/group->effective in XIQueryPointer - Handle unknown device classes (closes: #661021, #660411) libxml-atom-perl (0.37-1+squeeze1) stable-security; urgency=low * Switch to dpkg-source 3.0 (quilt) format * Security fix: disable external entities (Closes: #661949) libxml2 (2.7.8.dfsg-2+squeeze3) stable-security; urgency=high * Non-maintainer upload by the Security Team. * Apply upstream patch to add randomization to hashing with large dictionaries to mitigate hash DoS (CVE-2012-0841; Closes: #660846). libxml2 (2.7.8.dfsg-2+squeeze2) stable-security; urgency=high * Security update. * parser.c: Fix an allocation error when copying entities. CVE-2011-3919. Closes: #656377. * parser.c: Make sure parser returns when getting a Stop order. CVE-2011-3905. * encoding.c: Fix off by one error. CVE-2011-0216. Closes: 652352. * xpath.c: Fix for undefined namespaces. CVE-2011-2834. * xpath.c, xpointer.c, include/libxml/xpath.h: Hardening of XPath evaluation. CVE-2011-2821. Closes: 643648. libyaml-libyaml-perl (0.33-1+squeeze1) stable-security; urgency=high * [SECURITY] CVE-2012-1152: Fix format string vulnerabilities in YAML parsing. (Closes: #661548) linux-2.6 (2.6.32-45) stable; urgency=high * Avoid ABI change on some archs due to a new #include in the fix for CVE-2012-2123. linux-2.6 (2.6.32-43) stable; urgency=high * Ignore arch_pick_mmap_layout ABI change on s390 linux-2.6 (2.6.32-42) stable; urgency=high [ Uwe Kleine-König ] * cherry pick commit from 2.6.35-rc6 fixing detection of HP 8560w's touchpad (Closes: #655481). [ Ben Hutchings ] * Add longterm release 2.6.32.55, including: - x86: Fix mmap random address range For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.55 and the bug report which this closes: #657574. * Add longterm release 2.6.32.56, including: - crypto: sha512 - make it work, undo percpu message schedule - crypto: sha512 - reduce stack usage to safe number - USB: cdc-wdm: updating desc->length must be protected by spin_lock - USB: ftdi_sio: fix initial baud rate (Closes: #658164) For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.56 and the bug report which this closes: #659562. * Add longterm release 2.6.32.57, including: - net: fix sk_forward_alloc corruptions - net: sock_queue_err_skb() dont mess with sk_forward_alloc For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.57 and the bug report which this closes: #659629. * appletalk: da.s_net not copied but assigned to itself in aarp_rcv() (Closes: #660902) * Add longterm release 2.6.32.58, including: - hwmon: (f75375s) Fix bit shifting in f75375_write16 - hwmon: (f75375s) Fix automatic pwm mode setting for F75373 & F75375 - lib: proportion: lower PROP_MAX_SHIFT to 32 on 64-bit kernel - crypto: sha512 - Use binary and instead of modulus - crypto: sha512 - Avoid stack bloat on i386 - crypto: sha512 - use standard ror64() - Ban ecryptfs over ecryptfs - autofs: work around unhappy compat problem on x86-64 (Closes: #633423) For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.58 and the bug report which this closes: #662573. * ia64: Define is_compat_task(), now needed by autofs * e1000e: workaround for packet drop on 82579 at 100Mbps (Closes: #644906) * Add longterm release 2.6.32.59, including: - eCryptfs: Handle failed metadata read in lookup - [i386] watchdog: hpwdt: clean up set_memory_x call for 32 bit For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.59 and the bug report which this closes: #663534. linux-2.6 (2.6.32-41squeeze2) stable-security; urgency=low * Ignore symbol version changes in s390/kvm linux-kernel-di-amd64-2.6 (1.76+squeeze7) stable; urgency=low * Built against version 2.6.32-45 of linux-2.6. linux-kernel-di-armel-2.6 (1.56+squeeze7) stable; urgency=low * Built against version 2.6.32-45 of linux-2.6. linux-kernel-di-i386-2.6 (1.99+squeeze7) stable; urgency=low * Built against version 2.6.32-45 of linux-2.6. linux-kernel-di-ia64-2.6 (1.63+squeeze7) stable; urgency=low * Built against version 2.6.32-45 of linux-2.6. linux-kernel-di-mips-2.6 (1.31+squeeze7) stable; urgency=low * Built against version 2.6.32-45 of linux-2.6. linux-kernel-di-mipsel-2.6 (1.31+squeeze7) stable; urgency=low * Built against version 2.6.32-45 of linux-2.6. linux-kernel-di-powerpc-2.6 (1.76+squeeze7) stable; urgency=low * Built against version 2.6.32-45 of linux-2.6. linux-kernel-di-s390-2.6 (0.59+squeeze7) stable; urgency=low * Built against version 2.6.32-45 of linux-2.6. linux-kernel-di-sparc-2.6 (1.64+squeeze7) stable; urgency=low * Built against version 2.6.32-45 of linux-2.6. moin (1.9.3-1+squeeze1) stable-security; urgency=high * Non-maintainer upload. * Add patch from upstream to fix a cross-site scripting vulnerability in the rst parser (CVE-2011-1058). Closes: #643904 mojarra (2.0.3-1+squeeze1) stable-security; urgency=high * Fixed critical bug by not allowing the value of UIViewParam to be an EL Expression: CVE-2011-4358. (Closes: #650430). moodle (1.9.9.dfsg2-2.1+squeeze3) stable-security; urgency=low * Security update based on unstable: * CVE-2011-4308 CVE-2011-4584 CVE-2011-4585 CVE-2011-4586 CVE-2011-4587 * CVE-2011-4588 CVE-2012-0792 CVE-2012-0793 CVE-2012-0794 CVE-2012-0795 * CVE-2012-0796 movabletype-opensource (4.3.8+dfsg-0+squeeze2) stable-security; urgency=low * Include patch to add AllowFileInclude which can be used to re-enable unsafe behaviour for compatibility with some plugins. See movabletype-opensource (4.3.7+dfsg-1) unstable; urgency=high * New upstream release - fixes information disclosure vulnerability (closes: #631437) movabletype-opensource (4.3.6.1+dfsg-1) unstable; urgency=high * New upstream release - fixes unspecified security vulnerabilities (closes: #629937) * Update Standards-Version (no changes) movabletype-opensource (4.3.6+dfsg-1) unstable; urgency=high * New upstream release - fixes unspecified security vulnerabilities (closes: #627936) * Update versioned dependency on libdata-objectdriver-perl to 0.08 following bundled version number movabletype-opensource (4.3.5+dfsg-3) unstable; urgency=low * Check for existence of dbconfig-common in debian/config before using it (closes: #499598) * Update Standards-Version (no changes) * Update to debhelper compatibility level 7 * Update source format version to 3.0 (quilt) mumble (1.2.2-6+squeeze1) stable-security; urgency=high * Add patch 0005-set-file-permissions from Marc Deslauriers, which fixes the word readable file permissions of the Mumble SQLite database, as described in CVE-2012-0863. Closes: #659039 netselect (0.3.ds1-14+squeeze1) stable; urgency=medium * Backport fixes and documentation to Squeeze to fix grave bugs. * netselect-apt: - modify regular expression to parse newest mirrors list with rel="nofollow" in href links. Thanks to "Nameless" for the patch (Closes: #667985, #665876) - Make the script more robust by having it check and detect some common issues when running netselect: * No hosts are found to use with netselect, due to an incorrect file being provided or an error when downloading the mirror list Now the script will at least abort with a (hopefully useful) error message instead of writing a useless sources.list (Closes: #238888) - More verbose output when netselect-apt fails indicating possible causes of errors * netselect-apt.1: Update documentation: - List known limitations of the program - Reference the mirror pages for Debian for more information - Add the Debian maintainers to the author's list * debian/control: Update Homepage address nginx (0.7.67-3+squeeze2) stable-security; urgency=high * debian/patches/CVE-2012-1180.diff: + Fixed the memory issue found on March 15th 2012. See: CVE-2012-1180 for more details. * debian/control: + Added myself as uploader. notmuch (0.3.1+squeeze1) stable-security; urgency=high * Backport MML quoting patch from notmuch 0.11.1. This fixes a vulnerability that allowed arbitrary files to leak when replying in emacs to a malicious message. openarena (0.8.5-5+squeeze3) stable-security; urgency=low * Add CVE reference to changelog and patch for previous version, now that one has been allocated * Incorporate ioquake3 r1763 into the patch for rate-limiting, to fix potential use of uninitialized variables if the network address family is unexpected * Apply ioquake3 r1898 to fix a regression caused by rate-limiting, in which the server would stop responding to getstatus after an uptime of 2**32 milliseconds (approximately 50 days) (Closes: #665945) openarena (0.8.5-5+squeeze2) stable-security; urgency=low * Apply ioquake3 r1762 to rate-limit getstatus and rcon connectionless packets, to avoid their use for traffic amplification. (Closes: #665656) openjdk-6 (6b18-1.8.13-0+squeeze1) unstable; urgency=low * New IcedTea6 1.18.13 security release. openssh (1:5.5p1-6+squeeze2) stable; urgency=high * CVE-2012-0814: Don't send the actual forced command in a debug message, which allowed remote authenticated users to obtain potentially sensitive information by reading these messages (closes: #657445). openssl (0.9.8o-4squeeze12) squeeze-security; urgency=high * Non-maintainer upload by the Security Team. * Fix CVE-2012-2131: incomplete fix of CVE-2012-2110 openssl (0.9.8o-4squeeze11) squeeze-security; urgency=low * Really apply CVE-2012-2110 openssl (0.9.8o-4squeeze9) squeeze-security; urgency=low * Fix CVE-2012-1165 openssl (0.9.8o-4squeeze8) squeeze-security; urgency=low * Fix CVE-2012-0884 * Updated patch for CVE-2011-4619 openvpn (2.1.3-2+squeeze1) stable; urgency=low * Applied Robert Millan's patch to fix /sbin/route calls on kfreebsd. (Closes: #646221) php-memcache (3.0.4-4+squeeze1) stable; urgency=low * Fix cache delete bug, when deleting objects from memcached 1.4.4+ (Closes: #620258) * Maintainer change (See #620029) php-memcached (1.0.2-1+squeeze1) stable; urgency=low * Apply patch from upstream to fix double free in getServerByKey(). Closes: #662662. * New maintainer (See: #620030) php5 (5.3.3-7+squeeze8) squeeze-security; urgency=low * Deprecated error should use E_DEPRECATED and not E_WARNING (Closes: #632838) * CVE-2012-0781: Fix for Tidy::diagnose() NULL pointer dereference * CVE-2011-4153: Fix PHP 5 does not always check the return value of the zend_strndup function * CVE-2010-4697: use-after-free vulnerability * CVE-2011-1092: denial of service and possible data disclosure through integer overflow * CVE-2011-1148: improve reference counting * CVE-2011-1464: limit amount of precision to ensure fitting within MAX_BUF_SIZE * CVE-2011-1467: check for invalid attribute symbols in NumberFormatter::setSymbol() * CVE-2011-1468: fix memory leak of openssl contexts * CVE-2011-1469: improve pointer handling to fix denial of service through application crash when using HTTP proxy with the FTP wrapper * CVE-2011-1470: denial of service through application crash when handling ziparchive streams * CVE-2011-1657: DoS in zip handling due to addGlob() crashing on invalid flags * CVE-2011-3182: DoS due to failure to check for memory allocation errors * CVE-2011-3267: DoS in errorlog() when passed NULL * CVE-2012-0788: PDORow session denial of service * CVE-2012-0831: magic_quotes_gpc remote disable vulnerability (NOTE: magic_quotes_gpc is DEPRECATED and will be removed from PHP 5.4, e.g. you should not use them in any case!) * CVE-2011-1072,CVE-2011-1144: symlink tmp races in pear install php5 (5.3.3-7+squeeze7) squeeze-security; urgency=low * Fix UMR in php_register_variable_ex (pull from upstream SVN) php5 (5.3.3-7+squeeze6) squeeze-security; urgency=low * CVE-2012-0057: Pull complete fix including setting the default php5 (5.3.3-7+squeeze5) squeeze-security; urgency=high * Add Conflicts/Provides: php5-idn to php5-intl (Closes: #637057) * Refresh patches to apply cleanly on current source tree * CVE-2011-4566: integer overflow in exif_process_IFD_TAG() may lead to DoS or arbitrary memory disclosure * CVE-2011-4885: hash table collisions CPU usage DoS (oCERT-2011-003) * CVE-2012-0057: XSLT file writing vulnerability (Closes: #656308) phppgadmin (4.2.3-1.1squeeze2) stable-security; urgency=low * Cherry-pick from 5.0.4: Fix XSS in function.php, reported by Mateusz Goik. plib (1.8.5-5+squeeze1) stable-security; urgency=high * Non-maintainer upload by the Security Team. * Use vsnprintf to fix buffer overflow CVE-2011-4620 (Closes: #654785). policykit-1 (0.96-4+squeeze2) stable; urgency=low * Upload 0.96-4+squeeze1 to stable without further changes. The 0.96-4+squeeze1 upload to stable-security was mistakenly made with an orig tarball which didn't match the one from ftp-master so the security fix was not automatically included in the next stable point release. (Closes: #657758) postgresql-8.4 (8.4.11-0squeeze1) stable-security; urgency=high * New upstream bug fix/security release: - Require execute permission on the trigger function for "CREATE TRIGGER". This missing check could allow another user to execute a trigger function with forged input data, by installing it on a table he owns. This is only of significance for trigger functions marked SECURITY DEFINER, since otherwise trigger functions run as the table owner anyway. (CVE-2012-0866) - Remove arbitrary limitation on length of common name in SSL certificates. Both libpq and the server truncated the common name extracted from an SSL certificate at 32 bytes. Normally this would cause nothing worse than an unexpected verification failure, but there are some rather-implausible scenarios in which it might allow one certificate holder to impersonate another. The victim would have to have a common name exactly 32 bytes long, and the attacker would have to persuade a trusted CA to issue a certificate in which the common name has that string as a prefix. Impersonating a server would also require some additional exploit to redirect client connections. (CVE-2012-0867) - Convert newlines to spaces in names written in pg_dump comments. pg_dump was incautious about sanitizing object names that are emitted within SQL comments in its output script. A name containing a newline would at least render the script syntactically incorrect. Maliciously crafted object names could present a SQL injection risk when the script is reloaded. (CVE-2012-0868) - Fix btree index corruption from insertions concurrent with vacuuming. An index page split caused by an insertion could sometimes cause a concurrently-running "VACUUM" to miss removing index entries that it should remove. After the corresponding table rows are removed, the dangling index entries would cause errors (such as "could not read block N in file ...") or worse, silently wrong query results after unrelated rows are re-inserted at the now-free table locations. This bug has been present since release 8.2, but occurs so infrequently that it was not diagnosed until now. If you have reason to suspect that it has happened in your database, reindexing the affected index will fix things. - Update per-column permissions, not only per-table permissions, when changing table owner. Failure to do this meant that any previously granted column permissions were still shown as having been granted by the old owner. This meant that neither the new owner nor a superuser could revoke the now-untraceable-to-table-owner permissions. - Allow non-existent values for some settings in "ALTER USER/DATABASE SET". Allow default_text_search_config, default_tablespace, and temp_tablespaces to be set to names that are not known. This is because they might be known in another database where the setting is intended to be used, or for the tablespace cases because the tablespace might not be created yet. The same issue was previously recognized for search_path, and these settings now act like that one. - Avoid crashing when we have problems deleting table files post-commit. Dropping a table should lead to deleting the underlying disk files only after the transaction commits. In event of failure then (for instance, because of wrong file permissions) the code is supposed to just emit a warning message and go on, since it's too late to abort the transaction. This logic got broken as of release 8.4, causing such situations to result in a PANIC and an unrestartable database. - Track the OID counter correctly during WAL replay, even when it wraps around. Previously the OID counter would remain stuck at a high value until the system exited replay mode. The practical consequences of that are usually nil, but there are scenarios wherein a standby server that's been promoted to master might take a long time to advance the OID counter to a reasonable value once values are needed. - Fix regular expression back-references with - attached. Rather than enforcing an exact string match, the code would effectively accept any string that satisfies the pattern sub-expression referenced by the back-reference symbol. A similar problem still afflicts back-references that are embedded in a larger quantified expression, rather than being the immediate subject of the quantifier. This will be addressed in a future PostgreSQL release. - Fix recently-introduced memory leak in processing of inet/cidr values. - Fix dangling pointer after "CREATE TABLE AS"/"SELECT INTO" in a SQL-language function. In most cases this only led to an assertion failure in assert-enabled builds, but worse consequences seem possible. - Fix I/O-conversion-related memory leaks in plpgsql. - Improve pg_dump's handling of inherited table columns. pg_dump mishandled situations where a child column has a different default expression than its parent column. If the default is textually identical to the parent's default, but not actually the same (for instance, because of schema search path differences) it would not be recognized as different, so that after dump and restore the child would be allowed to inherit the parent's default. Child columns that are NOT NULL where their parent is not could also be restored subtly incorrectly. - Fix pg_restore's direct-to-database mode for INSERT-style table data. Direct-to-database restores from archive files made with "--inserts" or "--column-inserts" options fail when using pg_restore from a release dated September or December 2011, as a result of an oversight in a fix for another problem. The archive file itself is not at fault, and text-mode output is okay. - Allow AT option in ecpg DEALLOCATE statements. The infrastructure to support this has been there for awhile, but through an oversight there was still an error check rejecting the case. - Fix error in "contrib/intarray"'s int[] & int[] operator. If the smallest integer the two input arrays have in common is 1, and there are smaller values in either array, then 1 would be incorrectly omitted from the result. - Fix error detection in "contrib/pgcrypto"'s encrypt_iv() and decrypt_iv(). These functions failed to report certain types of invalid-input errors, and would instead return random garbage values for incorrect input. - Fix one-byte buffer overrun in "contrib/test_parser". The code would try to read one more byte than it should, which would crash in corner cases. Since "contrib/test_parser" is only example code, this is not a security issue in itself, but bad example code is still bad. - Use __sync_lock_test_and_set() for spinlocks on ARM, if available. This function replaces our previous use of the SWPB instruction, which is deprecated and not available on ARMv6 and later. Reports suggest that the old code doesn't fail in an obvious way on recent ARM boards, but simply doesn't interlock concurrent accesses, leading to bizarre failures in multiprocess operation. - Use "-fexcess-precision=standard" option when building with gcc versions that accept it. This prevents assorted scenarios wherein recent versions of gcc will produce creative results. - Allow use of threaded Python on FreeBSD. Our configure script previously believed that this combination wouldn't work; but FreeBSD fixed the problem, so remove that error check. * Drop 04-armel-tas.patch, applied upstream. postgresql-8.4 (8.4.10-1) unstable; urgency=low * New upstream bug fix release: - Fix bugs in information_schema.referential_constraints view. This view was being insufficiently careful about matching the foreign-key constraint to the depended-on primary or unique key constraint. That could result in failure to show a foreign key constraint at all, or showing it multiple times, or claiming that it depends on a different constraint than the one it really does. Since the view definition is installed by initdb, merely upgrading will not fix the problem. If you need to fix this in an existing installation, you can (as a superuser) drop the information_schema schema then re-create it by sourcing "SHAREDIR/information_schema.sql". (Run pg_config --sharedir if you're uncertain where "SHAREDIR" is.) This must be repeated in each database to be fixed. - Fix incorrect replay of WAL records for GIN index updates. This could result in transiently failing to find index entries after a crash, or on a hot-standby server. The problem would be repaired by the next "VACUUM" of the index, however. - Fix TOAST-related data corruption during CREATE TABLE dest AS SELECT - FROM src or INSERT INTO dest SELECT * FROM src. If a table has been modified by "ALTER TABLE ADD COLUMN", attempts to copy its data verbatim to another table could produce corrupt results in certain corner cases. The problem can only manifest in this precise form in 8.4 and later, but we patched earlier versions as well in case there are other code paths that could trigger the same bug. - Fix race condition during toast table access from stale syscache entries. - Track dependencies of functions on items used in parameter default expressions. Previously, a referenced object could be dropped without having dropped or modified the function, leading to misbehavior when the function was used. Note that merely installing this update will not fix the missing dependency entries; to do that, you'd need to "CREATE OR REPLACE" each such function afterwards. If you have functions whose defaults depend on non-built-in objects, doing so is recommended. - Allow inlining of set-returning SQL functions with multiple OUT parameters. - Make DatumGetInetP() unpack inet datums that have a 1-byte header, and add a new macro, DatumGetInetPP(), that does not. - Improve locale support in money type's input and output. Aside from not supporting all standard lc_monetary formatting options, the input and output functions were inconsistent, meaning there were locales in which dumped money values could not be re-read. - Don't let transform_null_equals affect CASE foo WHEN NULL ... constructs. transform_null_equals is only supposed to affect foo = NULL expressions written directly by the user, not equality checks generated internally by this form of CASE. - Change foreign-key trigger creation order to better support self-referential foreign keys. For a cascading foreign key that references its own table, a row update will fire both the ON UPDATE trigger and the CHECK trigger as one event. The ON UPDATE trigger must execute first, else the CHECK will check a non-final state of the row and possibly throw an inappropriate error. However, the firing order of these triggers is determined by their names, which generally sort in creation order since the triggers have auto-generated names following the convention "RI_ConstraintTrigger_NNNN". A proper fix would require modifying that convention, which we will do in 9.2, but it seems risky to change it in existing releases. So this patch just changes the creation order of the triggers. Users encountering this type of error should drop and re-create the foreign key constraint to get its triggers into the right order. - Avoid floating-point underflow while tracking buffer allocation rate. - Preserve blank lines within commands in psql's command history. The former behavior could cause problems if an empty line was removed from within a string literal, for example. - Fix pg_dump to dump user-defined casts between auto-generated types, such as table rowtypes. - Use the preferred version of xsubpp to build PL/Perl, not necessarily the operating system's main copy. - Fix incorrect coding in "contrib/dict_int" and "contrib/dict_xsyn". - Honor query cancel interrupts promptly in pgstatindex(). - Ensure VPATH builds properly install all server header files. - Shorten file names reported in verbose error messages. Regular builds have always reported just the name of the C file containing the error message call, but VPATH builds formerly reported an absolute path name. procps (1:3.2.8-9squeeze1) stable; urgency=low * Non-maintainer upload to support 3.0 kernels in stable. * Backport "No more complaints for 3.0 kernels" from unstable. Closes: #632749 puppet (2.6.2-5+squeeze5) stable-security; urgency=high * fix for appdmg and pkgdmg providers write packages to insecure location allowing for an arbitrary symlink attack (CVE-2012-1906) * a REST request could be constructed to do an arbitrary filebucket read, overriding the puppetmaster's defined location, this is fixed with upstream patch. (CVE-2012-1986) * fix filebucke denial of service which allowed arbitrary writes on the puppetmaster (CVE-2012-1987) * fix for filebucket arbitrary code execution that required access to the cert on the agent and an unprivileged account on the master (CVE-2012-1988) puppet (2.6.2-5+squeeze4) stable-security; urgency=high * Execs when run with a user specified, but no group, get the root group. Similarly unexpected privileges are given to providers and types (egid remains as root), this is fixed with a patch from upstream (CVE-2012-1053) * Fix Klogin write through symlink (CVE-2012-1054) puppet (2.6.2-5+squeeze3) stable-security; urgency=high * Fix master impersonation attack (CVE-2011-3872) pyspf (2.0.5-2+squeeze1) stable; urgency=low * Backport upstream CVS commit 1.108.2.75 to correct pyspf processing with CNAMES - already fixed in 2.0.7 in Wheezy/Sid (Closes: #663595) - Changes inline due to lack of existing patch system python-defaults (2.6.6-3+squeeze7) stable; urgency=low * debian/python.postinst.in: Correctly remove /var/lib/python/python2.6_already_installed instead of removing /var/lib/python/python2.5_already_installed twice (closes: #608934) python-pam (0.4.2-12.2+squeeze1) stable-security; urgency=low * CVE-2012-1502 python-virtualenv (1.4.9-3squeeze1) stable; urgency=high [ Piotr Ożarowski ] * Apply upstream's 8be37c509fe5 commit (to use proper temp. dir instead of /tmp) (CVE-2011-4617, Closes: #652653) [ Stefano Rivera ] * Team upload. * Backport cleanup_tmpdirs.patch from 1.7.1.2-1. Cleanup temporary working directories. (Closes: #661272) qemu-kvm (0.12.5+dfsg-5+squeeze8) stable-security; urgency=low * patch fix-vnc-memory-corruption-with-width=1440.diff from Gerd Hoffman, fixing guest-triggerable memory corruption in vnc with one of standard display sizes (1440x1050 or 1440x900 or others -- these can be set by guest if run with -vga {std|vmware}. Closes: #608756. * e1000-bounds-packet-size-against-buffer-size-CVE-2012-0029.diff patch from upstream to fix CVE-2012-0029 (Closes: #657529) quagga (0.99.20.1-0+squeeze2) stable-security; urgency=high * Applied fix for a bgpd memory leak related to extra attributes. The bug was intruduced with the upgrade to 0.99.20.1 with the latest security release. Closes: #670940 quagga (0.99.20.1-0+squeeze1) stable-security; urgency=high * SECURITY: CVE-2012-0249 - Quagga ospfd DoS on malformed LS-Update packet CVE-2012-0250 - Quagga ospfd DoS on malformed Network-LSA data CVE-2012-0255 - Quagga bgpd DoS on malformed OPEN message * New upstream release (backport was not feasible). Closes: #664033 quagga (0.99.20-4) unstable; urgency=low * Switch to dpkg-source 3.0 (quilt) format. * Switch to changelog-format-1.0. quagga (0.99.20-3) unstable; urgency=low * Added --sysconfdir back to the configure options (thanks to Sven-Haegar Koch). Closes: #645649 quagga (0.99.20-2) unstable; urgency=low * Bumped standards version to 0.9.2. * Migrated to "dh" build system. * Added quagga-dbg package. quagga (0.99.20-1) unstable; urgency=low * New upstream release: "The primary focus of this release is a fix of SEGV regression in ospfd, which was introduced in 0.99.19. It also features a series of minor improvements, including better RFC compliance in bgpd, better support of FreeBSD and some enhancements to isisd." * Fixes off-by-one bug (removed 20_ospf6_area_argv.dpatch). Closes: #519488 quagga (0.99.19-1) unstable; urgency=high * SECURITY: "This release provides security fixes, which address assorted vulnerabilities in bgpd, ospfd and ospf6d (CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, CVE-2011-3326 and CVE-2011-3327). * New upstream release. * Removed incorporated debian/patches/92_opaque_lsa_enable.dpatch. * Removed incorporated debian/patches/93_opaque_lsa_fix.dpatch. * Removed obsolete debian/README.Debian.Woody and README.Debian.MD5. quagga (0.99.18-1) unstable; urgency=low * SECURITY: "This release fixes 2 denial of services in bgpd, which can be remotely triggered by malformed AS-Pathlimit or Extended-Community attributes. These issues have been assigned CVE-2010-1674 and CVE-2010-1675. Support for AS-Pathlimit has been removed with this release." * Added Brazilian Portuguese debconf translation. Closes: #617735 * Changed section for quagga-doc from "doc" to "net". * Added patch to fix FTBFS with latest GCC. Closes: #614459 quagga (0.99.17-4) unstable; urgency=low * Added comment to init script (thanks to Marc Haber). Closes: #599524 quagga (0.99.17-3) unstable; urgency=low * Fix FTBFS with ld --as-needed (thanks to Matthias Klose at Ubuntu). Closes: #609555 quagga (0.99.17-2) unstable; urgency=low * Added Danisch Debconf translation (thanks to Joe Dalton). Closes: #596259 quagga (0.99.17-1) unstable; urgency=high * SECURITY: "This release provides two important bugfixes, which address remote crash possibility in bgpd discovered by CROSS team.": 1. Stack buffer overflow by processing certain Route-Refresh messages CVE-2010-2948 2. DoS (crash) while processing certain BGP update AS path messages CVE-2010-2949 Closes: #594262 quagga (0.99.16-1) unstable; urgency=low * New upstream release. Closes: #574527 * Added chrpath to debian/rules to fix rpath problems that lintian spottet. quagga (0.99.15-2) unstable; urgency=low * Applied patch for off-by-one bug in ospf6d that caused a segmentation fault when using the "area a.b.c.d filter-list prefix" command (thanks to Steinar H. Gunderson). Closes: 519488 quagga (0.99.15-1) unstable; urgency=low * New upstream release "This fixes some annoying little ospfd and ospf6d regressions, which made 0.99.14 a bit of a problem release (...) This release still contains a regression in the "no ip address ..." command, at least on Linux. See bug #486, which contains a workaround patch. This release should be considered a 1.0.0 release candidate. Please test this release as widely as possible." * Fixed wrong port number in zebra.8 (thanks to Thijs Kinkhorst). Closes: #517860 * Added Russian Debconf tanslation (thanks to Yuri Kozlov). Closes: #539464 * Removed so-version in build-dep to libreadline-dev on request of Matthias Klose. * Added README.source with reference to dpatch as suggested by lintian. * Bumped standards versionto 3.8.3. quagga (0.99.14-1) unstable; urgency=low * New upstream release "This release contains a regression fix for ospf6d, various small fixes and some hopefully very significant bgpd stability fixes. This release should be considered a 1.0.0 release candidate. Please test this release as widely as possible." * Fixes bug with premature LSA aging in ospf6d. Closes: #535030 * Fixes section number in zebra.8 manpage. Closes: #517860 quagga (0.99.13-2) unstable; urgency=low * Added Japanese Debconf translation (thanks to Hideki Yamane). Closes: #510714 * When checking for obsoleted config options in preinst, print filename where it occures (thanks to Michael Bussmann). Closes: #339489 quagga (0.99.13-1) unstable; urgency=low * New upstream release "This release is contains a number of small fixes, for potentially irritating issues, as well as small enhancements to vtysh and support for linking to PCRE (a much faster regex library)." * Added build-dep to gawk as configure required it for memtypes.awk * Replaced build-dep to gs-gpl with ghostscript as requested by lintian * Minor changes to copyright and control files to make lintian happy. quagga (0.99.12-1) unstable; urgency=high * New upstream release "This release fixes an urgent bug in bgpd where it could hit an assert if it received a long AS_PATH with a 4-byte ASN." Noteworthy bugfixes: + [bgpd] Fix bgp ipv4/ipv6 accept handling + [bgpd] AS4 bugfix by Chris Caputo + [bgpd] Allow accepted peers to progress even if realpeer is in Connect + [ospfd] Switch Fletcher checksum back to old ospfd version quagga (0.99.11-1) unstable; urgency=low * New upstream release "Most regressions in 0.99 over 0.98 are now believed to be fixed. This release should be considered a release-candidate for a new stable series." + bgpd: Preliminary UI and Linux-IPv4 support for TCP-MD5 merged + zebra: ignore dead routes in RIB update + [ospfd] Default route needs to be refreshed after neighbour state change + [zebra:netlink] Set proto/scope on all route update messages * Removed debian/patches/20_*bgp*md5*.dpatch due to upstream support. quagga (0.99.10-1) unstable; urgency=medium * New upstream release + bgpd: 4-Byte AS Number support + Sessions were incorrectly reset if a partial AS-Pathlimit attribute was received. + Advertisement of Multi-Protocol prefixes (i.e. non-IPv4) had been broken in the 0.99.9 release. Closes: #467656 quagga (0.99.9-6) unstable; urgency=low * Fixed FTBFS by adding a build-dep to libpcre3-dev (thanks to Luk Claes). Closes: #469891 quagga (0.99.9-5) unstable; urgency=low * C.J. Adams-Collier and Paul Jakma suggested to build against libpcre3 which is supposed to be faster. quagga (0.99.9-4) unstable; urgency=low * Added hardening-wrapper to the build-deps (thanks to Moritz Muehlenhoff). quagga (0.99.9-3) unstable; urgency=low * Replaced the BGP patch by a new one so that the package builds again with kernels above 2.6.21! * debian/control: + Moved quagga-doc to section doc to make lintian happy. * Added Spanish debconf translation (thanks to Carlos Galisteo de Cabo). Closes: #428574 * debian/control: (thanks to Marco Rodrigues) + Bump Standards-Version to 3.7.3 (no changes needed). + Add Homepage field. quagga (0.99.9-2.1) unstable; urgency=low * Non-maintainer upload. * debian/rules: fixed bashisms. (Closes: #459122) quagga (0.99.9-2) unstable; urgency=low * Added CVE id for the security bug to the last changelog entry. Closes: 442133 quagga (0.99.9-1) unstable; urgency=high * SECURITY: "This release fixes two potential DoS conditions in bgpd, reported by Mu Security, where a bgpd could be crashed if a peer sent a malformed OPEN message or a malformed COMMUNITY attribute. Only configured peers can do this, hence we consider these issues to be very low impact." CVE-2007-4826 quagga (0.99.8-1) unstable; urgency=low * New upstream version. quagga (0.99.7-3) unstable; urgency=medium * Applied patch for FTBFS with linux-libc-dev (thanks to Andrew J. Schorr and Lucas Nussbaum). Closes: #429003 quagga (0.99.7-2) unstable; urgency=low * Added Florian Weimar as co-maintainer. Closes: 421977 * Added Dutch debconf translation (thanks to Bart Cornelis). Closes: #420932 * Added Portuguese debconf translation (thanks to Rui Branco). Closes: #421185 * Improved package description (thanks to Reuben Thomas). Closes: #418933 * Added CVE Id to 0.99.6-5 changelog entry. quagga (0.99.7-1) unstable; urgency=low * New upstream release. Closes: #421553 quagga (0.99.6-6) unstable; urgency=medium * Fixes FTBFS with tetex-live. Closes: #420468 quagga (0.99.6-5) unstable; urgency=high * SECURITY: The bgpd daemon was vulnerable to a Denial-of-Service. Configured peers could cause a Quagga bgpd to, typically, assert() and abort. The DoS could be triggered by peers by sending an UPDATE message with a crafted, malformed Multi-Protocol reachable/unreachable NLRI attribute. This is CVE-2007-1995 and Quagga Bug#354. Closes: #418323 quagga (0.99.6-4) unstable; urgency=low * Improved note in README.Debian for SNMP self-builders (thanks to Matthias Wamser). Closes: #414788 quagga (0.99.6-3) unstable; urgency=low * Updated German Debconf translation (thanks to Matthias Julius). Closes: #409327 quagga (0.99.6-2) unstable; urgency=low * Updated config.guess/config.sub as suggested by lintian. * Corrected README.Debian text regarding the WANT_SNMP flag. quagga (0.99.6-1) unstable; urgency=low * New upstream release. Closes: #402361 quagga (0.99.5-5) unstable; urgency=high * Changed Depends on adduser to Pre-Depends to avoid uninstallability in certain cases (thanks to Steve Langasek, Lucas Nussbaum). Closes: #398562 quagga (0.99.5-4) unstable; urgency=low * Added default PAM file and some explanations regarding PAM authentication of vtysh which could prevent the start at boot-time when used wrong. Now PAM permits anybody to access the vtysh tool (a malicious user could build his own vtysh without PAM anyway) and the access is controled by the read/write permissions of the vtysh socket which are only granted to users belonging to the quaggavty group (thanks to Wakko Warner). Closes: #389496 * Added "case" to prerm script so that the Debconf question is not called a second time in e.g. "new-prerm abort-upgrade" after being NACKed in the old-prerm. quagga (0.99.5-3) unstable; urgency=medium * Backport CVS fix for an OSPF DD Exchange regression (thanks to Matt Brown). Closes: #391040 quagga (0.99.5-2) unstable; urgency=medium * Added LSB info section to initscript. * Removed unnecessary depends to libncurses5 to make checklib happy. The one to libcap should remain though as it is just temporarily unused. quagga (0.99.5-1) unstable; urgency=low * New upstream release. Closes: #38704 * Upstream fixes ospfd documentary inconsistency. Closes: #347897 * Changed debconf question in prerm to "high" (thanks to Rafal Pietrak). quagga (0.99.4-4) unstable; urgency=low * Recreate /var/run if not present because /var is e.g. on a tmpfs filesystem (thanks to Martin Pitt). Closes: #376142 * Removed nonexistant option from ospfd.8 manpage (thanks to David Medberry). Closes: 378274 quagga (0.99.4-3) unstable; urgency=low * Removed invalid semicolon from rules file (thanks to Philippe Gramoulle). quagga (0.99.4-2) unstable; urgency=high * Set urgency to high as 0.99.4-1 fixes a security problem! * Fixed building of the info file. quagga (0.99.4-1) unstable; urgency=low * New upstream release to fix a security problem in the telnet interface of the BGP daemon which could be used for DoS attacks (CVE-2006-2276). Closes: 366980 quagga (0.99.3-3) unstable; urgency=low * Added CVE numbers for the security patch in 0.99.3-2. quagga (0.99.3-2) unstable; urgency=high * SECURITY: Added security bugfix patch from upstream BTS for security problem that could lead to injected routes when using RIPv1. CVE-2006-2223 - missing configuration to disable RIPv1 or require plaintext or MD5 authentication CVE-2006-2224 - lack of enforcement of RIPv2 authentication requirements Closes: #365940 * First amd64 upload. quagga (0.99.3-1) unstable; urgency=low * New upstream release quagga (0.99.2-1) unstable; urgency=low * New upstream release Closes: #330248, #175553 quagga (0.99.1-7) unstable; urgency=low * Changed debian/rules check for mounted /proc directory to check for /proc/1 as not all systems (e.g. 2.6 arm kernels) have /proc/kcore which is a optional feature only (thanks to Lennert Buytenhek). Closes: #335695 * Added Swedish Debconf translation (thanks to Daniel Nylander). Closes: #331367 quagga (0.99.1-6) unstable; urgency=low * Fixed debconf dependency as requested by Joey Hess. quagga (0.99.1-5) unstable; urgency=low * Rebuild with libreadline5-dev as build-dep as requested by Matthias Klose. Closes: #326306 * Made initscript more fault tolerant against missing lines in /etc/quagga/daemons (thanks to Ralf Hildebrandt). Closes: #323774 * Added dependency to adduser. quagga (0.99.1-4) unstable; urgency=low * Added French Debconf translation (thanks to Mohammed Adnene Trojette). Closes: #319324 * Added Czech Debconf translation (thanks to Miroslav Kure). Closes: #318127 quagga (0.99.1-3) unstable; urgency=low * A Debconf question now asks the admin before upgrading if the daemon should really be stopped as this could lead to the loss of network connectivity or BGP flaps (thanks to Michael Horn and Achilleas Kotsis). Also added a hint about setting Quagga "on hold" to README.Debian. Closes: #315467 * Added patch to build on Linux/ARM. quagga (0.99.1-2) unstable; urgency=low * Fixed SNMP enabled command in debian/rules (thanks to Christoph Kluenter). Closes: #306840 quagga (0.99.1-1) unstable; urgency=low * New upstream version. Among others: - BGP graceful restart and "match ip route-source" added - support for interface renaming - improved threading for better responsivness under load * Switched to dpatch to make diffs cleaner. * Made autoreconf unnecessary. * Replaced quagga.dvi and quagga.ps by quagga.pdf in quagga-doc. (the PostScript would have needed Makefile corrections and PDF is more preferable anyway) * Added isisd to the list of daemons in /etc/init.d/quagga (thanks to Ernesto Elbe). * Added hint for "netlink-listen: overrun" messages (thanks to Hasso Tepper). * Added preinst check that bails out if old smux options are in use as Quagga would not start up else anyway (thanks to Bjorn Mork). Closes: #308320 quagga (0.98.3-7) unstable; urgency=high * Removed SNMP support as linking against NetSNMP introduced a dependency to OpenSSL which is not compatible to the GPL which governs this application (thanks to Faidon Liambotis). See README.Debian for more information. Closes: #306840 * Changed listening address of ospf6d and ripngd from 127.0.0.1 to "::1". * Added build-dep to groff to let drafz-zebra-00.txt build correctly. quagga (0.98.3-6) testing-proposed-updates; urgency=high * Removed "Recommends kernel-image-2.4" as aptitude then installes a kernel-image for an arbitrary architecture as long as it fullfill that recommendation which can obviously fatal at the next reboot :) Also it is a violation of the policy which mandates a reference to real packages (thanks to Holger Levsen). Closes: #307281 quagga (0.98.3-5) unstable; urgency=high * The patch which tried to remove the OpenSSL dependency, which is not only unneccessary but also a violation of the licence and thus RC, stopped working a while ago, since autoreconf is no longer run before building the binaries. So now ./configure is patched directly (thanks to Faidon Liambotis for reporting). Closes: #306840 * Raised Debhelper compatibility level from 3 to 4. Nothing changed. * Added build-dep to texinfo (>= 4.7) to ease work for www.backports.org. quagga (0.98.3-4) unstable; urgency=low * Removed Debconf upgrade note as it was considered a Debconf abuse and apart from that so obvious that it was not even worth to be put into NEWS.Debian (thanks to Steve Langasek). Closes: #306384 quagga (0.98.3-3) unstable; urgency=medium * Adding the debconf module due to a lintian suggestion is a very bad idea if no db_stop is called as the script hangs then (thanks to Tore Anderson for reporting). Closes: #306324 quagga (0.98.3-2) unstable; urgency=low * Added debconf confmodule to postinst as lintian suggested. quagga (0.98.3-1) unstable; urgency=low * New upstream release. Mmost notably fixes last regression in bgpd (reannounce of prefixes with changed attributes works again), race condition in netlink handling while using IPv6, MTU changes handling in ospfd and several crashes in ospfd, bgpd and ospf6d. quagga (0.98.2-2) unstable; urgency=low * Added patch to let Quagga compile with gcc-4.0 (thanks to Andreas Jochens). Closes: #300949 quagga (0.98.2-1) unstable; urgency=medium * Quoting the upstream announcement: The 0.98.1 release unfortunately was a brown paper bag release with respect to ospfd. [...] 0.98.2 has been released, with one crucial change to fix the unfortunate mistake in 0.98.1, which caused problems if ospfd became DR. * Note: the upstream tarball had a strange problem, apparently redhat.spec was twice in it? At least debuild gave a strange error message so I unpacked it by hand. No changes were made to the .orig.tar.gz! quagga (0.98.1-1) unstable; urgency=medium * New upstream version "fixing a fatal OSPF + MD5 auth regression, and a non-fatal high-load regression in bgpd which were present in the 0.98.0 release." * Upstream version fixes bug in ospfd that could lead to crash when OSPF packages had a MTU > 1500. Closes: #290566 * Added notice regarding capability kernel support to README.Debian (thanks to Florian Weimer). Closes: #291509 * Changed permission setting in postinst script (thanks to Bastian Blank). Closes: #292690 quagga (0.98.0-3) unstable; urgency=low * Fixed problem in init script. Closes: #290317 * Removed obsolete "smux peer enable" patch. quagga (0.98.0-2) unstable; urgency=low * Updated broken TCP MD5 patch for BGP (thanks to John P. Looney for telling me). quagga (0.98.0-1) unstable; urgency=low * New upstream release * Added kernel-image-2.6 as alternative to 2.4 to the recommends (thanks to Faidon Liambotis). Closes: #289530 quagga (0.97.5-1) unstable; urgency=low * New upstream version. * Added Czech debconf translation (thanks to Miroslav Kure). Closes: #287293 * Added Brazilian debconf translation (thanks to Andre Luis Lopes). Closes: #279352 quagga (0.97.4-2) unstable; urgency=low * Fixed quagga.info build problem. quagga (0.97.4-1) unstable; urgency=low * New upstream release. quagga (0.97.3-2) unstable; urgency=low * Included isisd in the daemon list. * Wrote an isisd manpage. * It is now ensured that zebra is always the last daemon to be stopped. * (Thanks to Hasso Tepper for mailing me a long list of suggestions which lead to this release) quagga (0.97.3-1) unstable; urgency=medium * New upstream version. - Fixes important OSPF bug. * Added ht-20040911-smux.patch regarding Quagga bug #112. * Updated ht-20041109-0.97.3-bgp-md5.patch for BGP with TCP MD5 (thanks to Matthias Wamser). quagga (0.97.2-4) unstable; urgency=low * Added Portuguese debconf translation (thanks to Andre Luis Lopes). Closes: #279352 * Disabled ospfapi server by default on recommendation of Paul Jakma. quagga (0.97.2-3) unstable; urgency=low * Added Andrew Schorrs VTY Buffer patch from the [quagga-dev 1729]. quagga (0.97.2-2) unstable; urgency=low * Changed file and directory permissions and ownerships according to a suggestion from Paul Jakma. Still not perfect though. * Fixed upstream vtysh.conf.sample file. * "ip ospf network broadcast" is now saved correctly. Closes: #244116 * Daemon options are now in /etc/quagga/debian.conf to be user configurable (thanks to Simon Raven and Hasso Tepper). Closes: #266715 quagga (0.97.2-1) unstable; urgency=low * New upstream version. Closes: #254541 * Fixed warning on unmodular kernels (thanks to Christoph Biedl). Closes: #277973 quagga (0.97.1-2) unstable; urgency=low * Version 0.97 introduced shared libraries. They are now included. (thanks to Raf D'Halleweyn). Closes: #277446 quagga (0.97.1-1) unstable; urgency=low * New upstream version. * Removed some obsolete files from debian/patches. * Added patch from upstream bug 113. Closes: #254541 * Added patch from upstream that fixes a compilation problem in the ospfclient code (thanks to Hasso Tepper). * Updated German debconf translation (thanks to Jens Nachtigall) Closes: #277059 quagga (0.96.5-11) unstable; urgency=low * Fixed /tmp/buildd/* paths in binaries. For some unknown reason the upstream Makefile modified a .h file at the end of the "debian/rules build" target. During the following "make install" one library got thus be re*compiled* - with /tmp/buildd paths as sysconfdir (thanks to Peder Chr. Norgaard). Closes: #274050 quagga (0.96.5-10) unstable; urgency=medium * The BGP routing daemon might freeze on network disturbances when their peer is also a Quagga/Zebra router. Applied patch from http://bugzilla.quagga.net/show_bug.cgi?id=102 which has been confirmed by the upstream author. (thanks to Gunther Stammwitz) * Changed --enable-pam to --with-libpam (thanks to Hasso Tepper). Closes: #264562 * Added patch for vtysh (thanks to Hasso Tepper). Closes: #215919 quagga (0.96.5-9) unstable; urgency=low * Rewrote the documentation chapter about SNMP support. Closes: #195653 * Added MPLS docs. quagga (0.96.5-8) unstable; urgency=low * Adjusted a grep in the initscript to also match a modprobe message from older modutils packages (thanks to Faidon Paravoid). quagga (0.96.5-7) unstable; urgency=low * Added a "cd /etc/quagga/" to the init script as quagga tries to load the config file first from the current working dir and then from the config dir which could lead to confusion (thanks to Marco d'Itri). Closes: #255078 * Removed warning regarding problems with the Debian kernels from README.Debian as they are no longer valid (thanks to Raphael Hertzog). Closes: #257580 * Added patch from Hasso Tepper that makes "terminal length 0" work in vtysh (thanks to Matthias Wamser). Closes: #252579 quagga (0.96.5-6) unstable; urgency=low * Try to load the capability module as it is needed now. quagga (0.96.5-5) unstable; urgency=low * Changed the homedir of the quagga user to /etc/quagga/ to allow admins to put ~/.ssh/authorized_keys there (thanks to Matthias Wamser). Closes: #252577 quagga (0.96.5-4) unstable; urgency=medium * Fixed rules file to use the renamed ./configure option --enable-tcp-md5 (thanks to Matthias Wamser). Closes: #252141 quagga (0.96.5-3) unstable; urgency=low * Provided default binary package name to all build depends that were virtual packages (thanks to Goswin von Brederlow). Closes: #251625 quagga (0.96.5-2) unstable; urgency=low * New upstream version. * New md5 patch version (thanks to Niklas Jakobsson and Hasso Tepper). Closes: #250985 * Fixes info file generation (thanks to Peder Chr. Norgaard). Closes: #250992 * Added catalan debconf translation (thanks to Aleix Badia i Bosch). Closes: #250118 * PATCHES: This release contains BGP4 MD5 support which requires a kernel patch to work. See /usr/share/doc/quagga/README.Debian.MD5. (The patch is ht-20040525-0.96.5-bgp-md5.patch from Hasso Tepper) quagga (0.96.5-1) unstable; urgency=low * New upstream version. * PATCHES: This release contains BGP4 MD5 support which also requires a kernel patch. See /usr/share/doc/quagga/README.Debian.MD5 and search for CAN-2004-0230. quagga (0.96.4x-10) unstable; urgency=low * SECURITY: This release contains support for MD5 for BGP which is one suggested prevention of the actually long known TCP SYN/RST attacks which got much news in the last days as ideas were revealed that made them much easier probable agains especially the BGP sessions than commonly known. There are a lot of arguments agains the MD5 approach but some ISPs started to require it. See: CAN-2004-0230, http://www.us-cert.gov/cas/techalerts/TA04-111A.html * PATCHES: This release contains the MD5 patch from Hasso Tepper. It also seems to required a kernel patch. See /usr/share/doc/quagga/README.Debian.MD5. quagga (0.96.4x-9) unstable; urgency=low * Fixed daemon loading order (thanks to Matt Kemner). * Fixed typo in init script (thanks to Charlie Brett). Closes: #238582 quagga (0.96.4x-8) unstable; urgency=low * Patched upstream source so that quagga header files end up in /usr/include/quagga/. Closes: #233792 quagga (0.96.4x-7) unstable; urgency=low * Fixed info file installation (thanks to Holger Dietze). Closes: #227579 * Added Japanese translation (thanks to Hideki Yamane). Closes: #227812 quagga (0.96.4x-6) unstable; urgency=low * Added dependency to iproute. * Initscript now checks not only for the pid file but also for the daemons presence (thanks to Phil Gregory). Closes: #224389 * Added my patch to configure file permissions. quagga (0.96.4x-5) unstable; urgency=low * Added patch which gives bgpd the CAP_NET_RAW capability to allow it to bind to special IPv6 link-local interfaces (Thanks to Bastian Blank). Closes: #222930 * Made woody backport easier by applying Colin Watsons po-debconf hack. Thanks to Marc Haber for suggesting it. Closes: #223527 * Made woody backport easier by applying a patch that removes some obscure whitespaces inside an C macro. (Thanks to Marc Haber). Closes: #223529 * Now uses /usr/bin/pager. Closes: #204070 * Added note about the "official woody backports" on my homepage. quagga (0.96.4x-4) unstable; urgency=high * SECURITY: Fixes another bug that was originally reported against Zebra. . http://rhn.redhat.com/errata/RHSA-2003-307.html Herbert Xu reported that Zebra can accept spoofed messages sent on the kernel netlink interface by other users on the local machine. This could lead to a local denial of service attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0858 to this issue. * Minor improvements to init script (thanks to Iustin Pop). Closes: #220938 quagga (0.96.4x-3) unstable; urgency=low * Changed "more" to "/usr/bin/pager" as default pager if $PAGER or $VTYSH_PAGER is not set (thanks to Bastian Blank). Closes: #204070 * Made the directory (but not the config/log files!) world accessible again on user request (thanks to Anand Kumria)). Closes: #213129 * No longer providing sample configuration in /etc/quagga/. They are now only available in /usr/share/doc/quagga/ to avoid accidently using them without changing the adresses (thanks to Marc Haber). Closes: #215918 quagga (0.96.4x-2) unstable; urgency=low * Fixed permission problem with pidfile (thanks to Kir Kostuchenko). Closes: #220938 quagga (0.96.4x-1) unstable; urgency=low * Reupload of 0.96.4. Last upload-in-a-hurry produced a totally crappy .tar.gz file. Closes: #220621 quagga (0.96.4-1) unstable; urgency=high * SECURITY: Remote DoS of protocol daemons. Fix for a remote triggerable crash in vty layer. The management ports ("telnet myrouter ospfd") should not be open to the internet! * New upstream version. - OSPF bugfixes. - Some improvements for bgp and rip. quagga (0.96.3-3) unstable; urgency=low * Fixed pid file generation by substituting the daemons "-d" by the start-stop-daemon option "--background" (thanks to Micha Gaisser). Closes: #218103 quagga (0.96.3-2) unstable; urgency=low * Readded GNOME-PRODUCT-ZEBRA-MIB. quagga (0.96.3-1) unstable; urgency=medium * New upstream version. * Removed -u and -e in postrm due to problems with debhelper and userdel (thanks to Adam Majer and Jaakko Niemi). Closes: #216770 * Removed SNMP MIBs as they are now included in libsnmp-base (thanks to David Engel and Peter Gervai). Closes: #216138, #216086 * Fixed seq command in init script (thanks to Marc Haber). Closes: #215915 * Improved /proc check (thanks to Marc Haber). Closes: #212331 quagga (0.96.2-9) unstable; urgency=medium * Removed /usr/share/info/dir.* which were accidently there and prevented the installation by dpkg (thanks to Simon Raven). Closes: #212614 * Reworded package description (thanks to Anand Kumria). Closes: #213125 * Added french debconf translation (thanks to Christian Perrier). Closes: #212803 quagga (0.96.2-8) unstable; urgency=low * debian/rules now checks if /proc is mounted as ./configure needs it but just fails with an obscure error message if it is absent. (Thanks to Norbert Tretkowski). Closes: #212331 quagga (0.96.2-7) unstable; urgency=low * Last build was rejected due to a buggy dpkg-dev version. Rebuild. quagga (0.96.2-6) unstable; urgency=low * Fixed init script so that is is now possible to just start the bgpd but not the zebra daemon. Also daemons are now actually started in the order defined their priority. (Thanks to Thomas Kaehn and Jochen Friedrich) Closes: #210924 quagga (0.96.2-5) unstable; urgency=low * For using quagga as BGP route server or similar, it is not wanted to have the zebra daemon running too. For this reason it can now be disabled in /etc/quagga/daemons, too. (Thanks to Jochen Friedrich). Closes: #210924 * Attached *unapplied* patch for the ISIS protocol. I did not dare to apply it as long as upstream does not do it but this way give users the possibilities to use it if they like to. (Thanks to Remco van Mook) quagga (0.96.2-4) unstable; urgency=low * Enabled IPV6 router advertisement feature by default on user request (thanks to Jochen Friedrich and Hasso Tepper). Closes: #210732 * Updated GNU autoconf to let it build on hppa/parisc64 (thanks to lamont). Closes: #210492 quagga (0.96.2-3) unstable; urgency=medium * Removed unnecessary "-lcrypto" to avoid dependency against OpenSSL which would require further copyright addtions. quagga (0.96.2-2) unstable; urgency=low * Added note that config files of quagga are in /etc/quagga and not /etc/zebra for the zebra users that migrate to quagga. (Thanks to Roberto Suarez Soto for the idea) * Fixed setgid rights in /etc/quagga. quagga (0.96.2-1) unstable; urgency=low * This package has formally been known as "zebra-pj"! * New upstream release. Fixes "anoying OSPF problem". * Modified group ownerships so that vtysh can now be used by normal uses if they are in the quaggavty group. quagga (0.96.1-1) unstable; urgency=low * Zebra-pj, the fork of zebra has been renamed to quagga as the original upstream author asked the new project membed not to use "zebra" in the name. zebra-pj is obsolete. zebra-pj (0.94+cvs20030721-1) unstable; urgency=low * New CVS build. - OSPF changes (integration of the OSPF API?) - code cleanups (for ipv6?) * Tightened Build-Deps to gcc-2.95 as 3.x does not compile a stable ospfd. This is a known problem and has been discussed on the mailing list. No other solutions so far. zebra-pj (0.94+cvs20030701-1) unstable; urgency=low * Initial Release. quagga (0.99.20.1-0+squeeze1) stable-security; urgency=high * SECURITY: CVE-2012-0249 - Quagga ospfd DoS on malformed LS-Update packet CVE-2012-0250 - Quagga ospfd DoS on malformed Network-LSA data CVE-2012-0255 - Quagga bgpd DoS on malformed OPEN message * New upstream release (backport was not feasible). Closes: #664033 quagga (0.99.20-4) unstable; urgency=low * Switch to dpkg-source 3.0 (quilt) format. * Switch to changelog-format-1.0. quagga (0.99.20-3) unstable; urgency=low * Added --sysconfdir back to the configure options (thanks to Sven-Haegar Koch). Closes: #645649 quagga (0.99.20-2) unstable; urgency=low * Bumped standards version to 0.9.2. * Migrated to "dh" build system. * Added quagga-dbg package. quagga (0.99.20-1) unstable; urgency=low * New upstream release: "The primary focus of this release is a fix of SEGV regression in ospfd, which was introduced in 0.99.19. It also features a series of minor improvements, including better RFC compliance in bgpd, better support of FreeBSD and some enhancements to isisd." * Fixes off-by-one bug (removed 20_ospf6_area_argv.dpatch). Closes: #519488 quagga (0.99.19-1) unstable; urgency=high * SECURITY: "This release provides security fixes, which address assorted vulnerabilities in bgpd, ospfd and ospf6d (CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, CVE-2011-3326 and CVE-2011-3327). * New upstream release. * Removed incorporated debian/patches/92_opaque_lsa_enable.dpatch. * Removed incorporated debian/patches/93_opaque_lsa_fix.dpatch. * Removed obsolete debian/README.Debian.Woody and README.Debian.MD5. quagga (0.99.18-2) unstable; urgency=low * Removed 90_configure_ncurses.dpatch which does not have any visible effect to the control files dependencies nor to the ldd usr/bin/vtysh output anymore. The web site with the "checklib" tool that reported warnings for superfluous dependencies in 2006 cannot be found anymore. * Removed 10_doc__Makefiles__makeinfo-force.dpatch which was only for the 'woody' release. * Added 94_gcc45_format.dpatch which contains the patches from #614459 * Added sed snipped to debian/rules to remove dependencies from all .la files as requested in http://wiki.debian.org/ReleaseGoals/LAFileRemoval * Removed --enable-tcp-md5 from ./configure call as this option has been renamed to --enable-linux24-tcp-md5 and is thus no longer needed. * Bumped standards version to 3.9.2. quagga (0.99.18-1) unstable; urgency=low * SECURITY: "This release fixes 2 denial of services in bgpd, which can be remotely triggered by malformed AS-Pathlimit or Extended-Community attributes. These issues have been assigned CVE-2010-1674 and CVE-2010-1675. Support for AS-Pathlimit has been removed with this release." * Added Brazilian Portuguese debconf translation. Closes: #617735 * Changed section for quagga-doc from "doc" to "net". * Added patch to fix FTBFS with latest GCC. Closes: #614459 quagga (0.99.17-4) unstable; urgency=low * Added comment to init script (thanks to Marc Haber). Closes: #599524 quagga (0.99.17-3) unstable; urgency=low * Fix FTBFS with ld --as-needed (thanks to Matthias Klose at Ubuntu). Closes: #609555 raptor (1.4.21-2+squeeze1) stable-security; urgency=low * CVE-2012-0037, patch by Dave Beckett rott (1.1.1-3.1+squeeze1) squeeze; urgency=low * As a last resort, try to download the shareware data files from pkg-games.alioth.debian.org (Closes: #660266; LP: #685573, #821154, #926959). * Update Vcs-* fields in debian/control. samba (2:3.5.6~dfsg-3squeeze8) stable-security; urgency=high * Security update, fixing CVE-2012-2111: security=ads allows users to grant themselves additional privileges on the server. samba (2:3.5.6~dfsg-3squeeze7) stable-security; urgency=high * Security update, fixing CVE-2012-1182: PIDL based autogenerated code allows overwriting beyond of allocated array sks (1.1.1+dpkgv3-6+squeeze1) squeeze-proposed-updates; urgency=low * SKS recon should emit standards-compliant POSTs (Closes: #667695) spip (2.1.1-3squeeze3) stable-security; urgency=high * Non-maintainer upload by the Security Team. * Updated security screen. Prevent several cross site scripting. * Backport patches from 2.1.7: - fix absolute redirection in actions; - fix PHP injection via lang form. * Backport patch from 2.1.8: - fix XSS on action=converser. * Backport patches from 2.1.11: - fix configuration available to writers; - fix XSS injection via prive/cfg.html; - fix blocked server with action=tester_taille call. * Backport patches from 2.1.13: - fix open redirect on logout; - fix arbitrary password change; - fix XSS on referer. Closes: #670110 sqlalchemy (0.6.3-3+squeeze1) stable-security; urgency=high * Non-maintainer upload by the Security Team. * Backport upstream fix for CVE-2012-0805, sanitizing the values for limit and offset keywords in select statements. sysvinit (2.88dsf-13.1+squeeze1) squeeze-proposed-updates; urgency=low * Non-maintainer upload. * enable use of either rpcbind or portmap for NFS (Closes: #620788) texlive-base (2009-11+squeeze1) stable; urgency=low * Don't try to repair a missing pdftexconfig.tex in preinst - this is done and can only be done in postinst (Closes: #612924) tiff (3.9.4-5+squeeze4) stable-security; urgency=high * CVE-2012-1173 tomcat6 (6.0.35-1+squeeze2) stable-security; urgency=high * Upload to stable security for CVE-2011-4858, among others. * Adjust d/control to more closely match squeeze: - remove tomcat6-extras binary package (would be NEW in squeeze) - remove JRE from tomcat6-common Depends * Revert multi-arch patch in /etc/init.d/tomcat6. tomcat6 (6.0.35-1) unstable; urgency=low [ Miguel Landaeta ] * New upstream release. * Add myself to Uploaders. * Remove 0013-CVE-2011-3190.patch since it was included upstream. * Add mh_clean call in clean target. * Fix error in debian/rules that caused tomcat to report no version. Thanks to Jorge Barreiro for the patch. (Closes: #650656). [ tony mancill ] * Update Vcs-* fields in debian/control for switch to git. * Update to run with openjdk-7 and openjdk-6 when not default-jdk is not present. (Closes: #651448) * Allow java?-runtime-headless to satisfy Depends. * Add myself to Uploaders. tomcat6 (6.0.33-1) unstable; urgency=low * Team upload. * New upstream release. * Remove the following patches (included upstream): - 0011-623242.patch - 0012-CVE-2011-2204.patch - 0015-CVE-2011-2526.patch - 0014-CVE-2011-1184.patch * Add patch for multi-instance startup. CATALINA_HOME no longer depends on the instance $NAME. JVM_TMP is now $NAME-specific. - Thank you to Julien Wajsberg. (Closes: #644365) * Add dependency on JRE to tomcat6-common (Closes: #644340) * Modify init script to look for JVM in /usr/lib/jvm/default-java tomcat6 (6.0.32-7) unstable; urgency=medium [ tony mancill ] * Team upload. * Add "unset LC_ALL" to /etc/defaults/tomcat6 to prevent user environment settings from leaking into the servlet container. - Thank you to Nicolas Pichon. (Closes: #645221) * Apply patch for CVE-2011-1184 and CVE-2011-2526. - Thank you to Marc Deslauriers. (Closes: #648038) [ Niels Thykier ] * Added build-arch and build-indep targets in d/rules. tomcat6 (6.0.32-6) unstable; urgency=medium [ tony mancill ] * Team upload. * Update Korean debconf translation. (Closes: #630950, 631482) Thanks to si-cheol Ko. * Add Dutch debconf translation. (Closes: #637507) Thanks to Jeroen Schot. [ Niels Thykier ] * Removed myself from uploaders. [ James Page ] * Added patch for CVE-2011-3190 (LP: #843701). tomcat6 (6.0.32-5) unstable; urgency=low * Team upload. * Add Catalan debconf translation ca.po (Closes: #630073). * Correct Suggests for libtcnative-1 (tomcat-native) (Closes: #631919) * Add patch for CVE-2011-2204 (Closes: #632882) tomcat6 (6.0.32-4) unstable; urgency=low * Team upload. * Add Italian debconf translation. Thanks to Dario Santamaria (Closes: #624376) * Add logrotate for catalina.out (Closes: 607050) * Bump standards version to 3.9.2 (no changes needed). tomcat6 (6.0.32-3) unstable; urgency=low * Team upload. * Include upstream patch for ASF Bugzilla - Bug 50700 (Context parameters are being overridden with parameters from the web application deployment descriptor) (Closes: #623242) tomcat6 (6.0.32-2) unstable; urgency=low * Team upload. [ tony mancill ] * Patch debian/tomcat6-instance-create (LP: #707405) tomcat6-instance-create should accept -1 as the value of -c option as per http://tomcat.apache.org/tomcat-6.0-doc/config/server.html Thanks to Dave Walker. (Closes: #617553) * Move tomcat6-instance-create manpage from section 2 to section 8. Thanks to brian m. carlson (Closes: #607682) * Add tomcat6-extras package. Currently includes only catalina-jmx-remote.jar (Closes: #614333) [ Thierry Carrez ] * debian/tomcat6-instance-create: Eclipse can now be configured to use a user instance of tomcat6 using tomcat6-instance-create without any additional work. Patch from Abhinav Upadhyay (Closes: #551091, LP: #297675) tomcat6 (6.0.32-1) unstable; urgency=low * Team upload. * New upstream release * Remove following patches applied upstream: CVE-2010-4172, CVE-2011-0534, CVE-2010-3718, CVE-2011-0013, 0009-allow-empty-PID-file.patch * Adjust 0004-split-deploy-webapps-target-from-deploy-target.patch tomcat6 (6.0.28-10) unstable; urgency=medium * Team upload. * Add Portuguese/Brazilian debconf translation. Thanks to José de Figueiredo (Closes: #608527) * Add patches for CVE-2011-0534, CVE-2010-3718, CVE-2011-0013 (Closes: #612257) tremulous (1.1.0-8~squeeze1) stable; urgency=low * Stable update, incorporating a security fix from unstable tremulous (1.1.0-7) unstable; urgency=medium * Add a lintian override for embedded-library libjpeg (#589407) to avoid auto-rejection. It is a valid bug, but is not a regression, and fixing several long-standing security vulnerabilities seems more important than getting rid of an embedded library that is not known to be exploitable. tremulous (1.1.0-7~squeeze1) stable; urgency=low * Stable update (#663104), incorporating security fixes from unstable * Fix an incorrect bug number in revision -6 tremulous (1.1.0-7) unstable; urgency=medium * Add a lintian override for embedded-library libjpeg (#589407) to avoid auto-rejection. It is a valid bug, but is not a regression, and fixing several long-standing security vulnerabilities seems more important than getting rid of an embedded library that is not known to be exploitable. tremulous (1.1.0-6) unstable; urgency=medium * Backport patches from ioquake3 to fix long-standing security bugs: - CVE-2006-2082: arbitrary file download from server by a malicious client (Closes: #660831) - CVE-2006-2236 ("the remapShader exploit"): missing bounds-checking on COM_StripExtension, exploitable in clients of a malicious server (Closes: #660827) - CVE-2006-2875 ("q3cbof"): buffer overflow in CL_ParseDownload by a malicious server (Closes: #660830) - CVE-2006-3324: arbitrary file overwriting in clients of a malicious server (Closes: #660832) - CVE-2006-3325: arbitrary cvar overwriting (could lead to arbitrary code execution) in clients of a malicious server (Closes: #660834) - CVE-2011-3012, CVE-2011-2764: DLL overwriting (leading to arbitrary code execution) in clients of a malicious server if auto-downloading is enabled (Closes: #660836) * As a precaution, disable auto-downloading * Backport ioquake3 r1141 to fix a potential buffer overflow in error handling (not known to be exploitable, but it can't hurt) * Add gcc attributes to all printf- and scanf-like functions, and fix non-literal format strings (again, none are known to be exploitable) tryton-server (1.6.1-2+squeeze1) stable-security; urgency=high * Adding patch for "Missing access control on some relation model for Many2Many" (https://bugs.tryton.org/issue2476). The issue is filed under CVE-2012-0215. typo3-src (4.3.9+dfsg1-1+squeeze4) squeeze-security; urgency=medium * Security patch backported from new upstream release 4.4.15: - fixes: "TYPO3 Security Bulletin TYPO3-CORE-SA-2012-002: Cross-Site Scripting Vulnerability in TYPO3 Core" (Closes: 669158) typo3-src (4.3.9+dfsg1-1+squeeze3) squeeze-security; urgency=high * Security patch backported from new upstream release 4.4.14: - fixes: "TYPO3 Security Bulletin TYPO3-CORE-SA-2012-001: Several Vulnerabilities in TYPO3 Core" (Closes: 666074) tzdata (2012c-0squeeze1) stable; urgency=low * New upstream release. tzdata (2012b-1) unstable; urgency=low [ Debconf translations ] * Indonesian (Mahyuddin Susanto). Closes: #656706 * Italian (Francesca Ciceri). Closes: #656937 * Polish (Michał Kułach). Closes: #658403 * Basque (Iñaki Larrañaga Murgoitio). Closes: #660645 [ Clint Adams ] * New upstream version. * Fix watch file. * Bump to Standards-Version 3.9.3. * Add Homepage to debian/control. tzdata (2011n-2) unstable; urgency=low [ Debconf translations ] * Dutch (Jeroen Schot). Closes: #650647 * Russian (Yuri Kozlov). Closes: #650868 * Brazilian Portuguese (Flamarion Jorge). Closes: #651266 * German (Holger Wansing). Closes: #651328 * Slovak (Ivan Masár). Closes: #651329 * Danish (Joe Hansen). Closes: #651341 * Swedish (Martin Bagge / brother). Closes: #651350 * Thai (Theppitak Karoonboonyanan). Closes: #651360 * Gujarati (Kartik Mistry). Closes: #651366 * Japanese (Kenshi Muto). Closes: #651371 * Portuguese (Miguel Figueiredo). Closes: #651618 * Spanish; (Francisco Javier Cuadrado). Closes: #651632 * Catalan; (Agustí Grau). Closes: #652071 * Czech (Miroslav Kure). Closes: #652584 * Hebrew (Omer Zak). Closes: #653273 tzdata (2011n-1) unstable; urgency=critical * New upstream veersion, fixing DST for: - Cuba. - Fidji. - Pridnestrovian Moldavian Republic. * Set urgency to high as some of the above changes are already effective. * Update French translation. user-mode-linux (2.6.32-1um-4+45) stable-security; urgency=low * Rebuild against linux-source-2.6.32 (2.6.32-45): * Ignore arch_pick_mmap_layout ABI change on s390 * [x86] mm: Fix pgd_lock deadlock * [s390] vdso: use ntp adjusted clock multiplier * Revert "Work around unhappy compat problem on x86-64", included in stable update 2.6.32.58, due to userspace beakage. * CVE-2012-0879: - block: Fix io_context leak after clone with CLONE_IO - block: Fix io_context leak after failure of clone with CLONE_IO * KVM: Ensure all vcpus are consistent with in-kernel irqchip settings (CVE-2012-1601) * hugepages: fix use after free bug in "quota" handling (CVE-2012-2133) * fcaps: clear the same personality flags as suid when fcaps are used (CVE-2012-2123) * jbd2: clear BH_Delay & BH_Unwritten in journal_unmap_buffer (CVE-2011-4086) user-mode-linux (2.6.32-1um-4+41squeeze2) stable-security; urgency=high * Rebuild against linux-source-2.6.32 (2.6.32-41squeeze2): * ext4: fix undefined behavior in ext4_fill_flex_info() (CVE-2009-4307) * ecryptfs: Add mount option to check uid of device being mounted = expect uid (CVE-2011-1833) * KVM: Remove ability to assign devices without IOMMU support * KVM: Check permissions before permitting device assignment (CVE-2011-4347) * Fix CVE-2012-0045, with backport work from Ben Hutchings: - KVM: extend "struct x86_emulate_ops" with "get_cpuid" - KVM: syscall instruction induced guest panic * V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy() * drm: Fix authentication kernel crash * relay: prevent integer overflow in relay_open() * Further refine the fix for CVE-2011-4127: - sd_compat_ioctl: Replace ENOTTY error with ENOIOCTLCMD - kernel.h: fix wrong usage of __ratelimit() - printk_ratelimited(): fix uninitialized spinlock * cifs: fix dentry refcount leak when opening a FIFO on lookup (CVE-2012-1090) * regset: Prevent null pointer reference on readonly regsets (CVE-2012-1097) * eCryptfs: Make truncate path killable * eCryptfs: Infinite loop due to overflow in ecryptfs_write() * cdrom: use copy_to_user() without the underscores wicd (1.7.0+ds1-5+squeeze3) proposed-updates; urgency=low * One more fix to 31-fix_local_privilege_escalation.patch: wicd uses dbus.String at runtime, which inherits unicode, while the patch was tested with 'normal' strings (type 'str'). This should hopefully be the last upload concerning the CVE. wicd (1.7.0+ds1-5+squeeze2) proposed-updates; urgency=low * debian/patches/: - 31-fix_local_privilege_escalation.patch, CVE-2012-2095, improved. Really fixes the bug. (Closes: #668397) wicd (1.7.0+ds1-5+squeeze1) proposed-updates; urgency=low * debian/patches/: - fix local privilege escalation, CVE-2012-2095 (31-fix_local_privilege_escalation.patch) (Closes: #668397) wireshark (1.2.11-6+squeeze6) stable-security; urgency=low * Fix CVE-2011-3483, CVE-2011-0042, CVE-2012-0068, CVE-2012-0067, CVE-2012-0066, CVE-2011-0041 (Patches provided by Balint) xen-qemu-dm-4.0 (4.0.1-2+squeeze1) squeeze-security; urgency=low * Fixes buffer underflow (CVE-2012-0029). xfce4-weather-plugin (0.7.3-3+squeeze1) stable; urgency=low * debian/patches: - 00_license added, change the license key to get a working plugin back. closes: #647749 yapra (0.1.2-3+squeeze1) stable; urgency=low * This is the same fix as 0.1.2-4 but for squeeze * Add ruby1.8 to Build-deps (closes: #630667) - Use ruby1.8 command instead of ruby to fix version ======================================== Sat, 28 Jan 2012 - Debian 6.0.4 released ======================================== ========================================================================= [Date: Sat, 28 Jan 2012 10:18:59 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: qcad | 2.0.5.0-1+090318-8 | source, amd64, armel, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, sparc qcad-data | 2.0.5.0-1+090318-8 | all qcad-doc | 2.0.5.0-1+090318-8 | all Closed bugs: 645043 ------------------- Reason ------------------- RoSRM: documentation, examples and fonts are non-distributable ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 28 Jan 2012 10:19:51 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: partlibrary | 2.1.2.8-1-1 | source, all Closed bugs: 645131 ------------------- Reason ------------------- RoSRM: non-distributable ---------------------------------------------- ========================================================================= acpid (1:2.0.7-1squeeze3) stable-security; urgency=low * Rebuild to work around dak orig.tar.gz ugliness adolc (2.1.8+nomsvcrt-1) stable; urgency=low [ Jonathan Nieder ] * remove Visual C++ runtime from windows/ directory (closes: #641489) * document in debian/copyright how and why the source was repacked asterisk (1:1.6.2.9-2+squeeze4) stable-security; urgency=high [ Kilian Krause ] * Fix sporadic segfault in chan_sip.so (Closes: #630381). [ Tzafrir Cohen ] * Patch fix_bridging_crash: segfault in bridging API (Closes: #639821). * README.Debian: clarify datadir pathes (regarding #628415). * Patch AST-2011-014 (CVE-2011-4598) - Remote crash possibility with SIP and the “automon” feature enabled Closes: #651552. inapplicable to Lenny). * Patch AST-2011-013 (CVE-2011-4597) : potential remote information disclosure. - The patch changeges the sample sip.conf . We change the sample config files, but not the files under /etc/asterisk . backuppc (3.1.0-9.1) stable; urgency=low * Non-maintainer upload. * Fix data corruption in tarballs due to logging to stdout (closes: #654692, #558431) * Fix XSS issue (CVE-2011-3361 CVE-2011-4923, closes: #641450, #646865) base-files (6.0squeeze4) stable; urgency=low * Changed /etc/debian_version to 6.0.4, for Debian 6.0.4 point release. base-installer (1.115+squeeze1) squeeze; urgency=low * Add POWER7 to the powerpc64 family. (Closes: #637519) bind9 (1:9.7.3.dfsg-1~squeeze4) squeeze-security; urgency=high * Apply patch from ISC to fix query.c crash (CVE-2011-4313) bip (0.8.2-1squeeze4) stable-security; urgency=high * add Buffer-Overflow-check-against-the-implicit-size-of-select-arrays.patch Thanks to Julien Tinnes for reporting it. bti (028-2+squeeze1) stable; urgency=low * Backport patch identi.ca-oauth.patch from 031-2: s/http/https/ in identi.ca OAuth URIs, otherwise acquiring an access token doesn't work after the recent changes at identi.ca. Closes: #602507 bugzilla (3.6.2.0-4.5) stable; urgency=low * Non-maintainer upload. * Add security patches: - 87_cve-2011-3657.sh Tabular and graphical reports, as well as new charts have a debug mode which displays raw data as plain text. This text is not correctly escaped and a crafted URL could use this vulnerability to inject code leading to XSS. - 88_cve-2011-3667.sh The User.offer_account_by_email WebService method ignores the user_can_create_account setting of the authentication method and generates an email with a token in it which the user can use to create an account. Depending on the authentication method being active, this could allow the user to log in using this account. Installations where the createemailregexp parameter is empty are not vulnerable to this issue. bugzilla (3.6.2.0-4.4) stable-security; urgency=low * Non-maintainer upload. * Add security patches (Closes: #611176): - 79_cve-2010-4572.sh (CVE-2010-4572) - 80_cve-2010-4567_cve-2011-0048.sh (CVE-2010-4567 CVE-2011-0048) - 81_cve-2010-4568.sh (CVE-2010-4568) - 82_cve-2011-0046.sh (CVE-2011-0046) - 83_cve-2011-2978.sh (CVE-2011-2978) - 84_cve-2011-2381.sh (CVE-2011-2381) - 85_cve-2011-2380.sh (CVE-2011-2979, CVE-2011-2380) - 86_cve-2011-2379.sh (CVE-2011-2379) byobu (2.80-1+squeeze1) stable; urgency=low * Correct postinst chmod semantics. bzip2 (1.0.5-6+squeeze1) stable; urgency=low * Non-maintainer upload by the Security Team * Fix CVE-2011-4089, thanks to vladz (Closes: #632862) c-ares (1.7.3-1squeeze1) stable; urgency=low * Fix ares_expand_name bug (Closes: #607438) cacti (0.8.7g-1+squeeze1) stable-security; urgency=high * Team upload. * [SECURITY] Fixes SQL injection vulnerability in auth_login.php that allows remote attackers to execute arbitrary SQL commands via the login_username parameter. (Closes: #652371) - debian/patches/CVE-2011-4824.patch - CVE-2011-4824 chasen (2.4.4-11+squeeze2) stable-security; urgency=high * Fix buffer overflow in chasen_sparse_main (CVE-2011-4000) cherokee (1.0.8-5+squeeze1) stable; urgency=low * Avoid brute-forceable password in cherokee-admin (Closes: #647205) cifs-utils (2:4.5-2+squeeze1) stable; urgency=low * Stable update to prevent mtab corruption - CVE-2011-1678 - CVE-2011-2724 clamav (0.97.3+dfsg-1~squeeze1) stable; urgency=medium [ Michael Tautschnig ] * New upstream release: Fixes potential DoS clamav (0.97.2+dfsg-1) unstable; urgency=low [ Michael Tautschnig ] * New upstream release - Fixes off-by-one-error (closes: #635599) - Fixes opcode 20 is not implemented error (closes: #635340) - New option ExtraDatabase for freshclam * Debconf translation updates - Portuguese (closes: #630954) - French (closes: #631978) - Swedish (closes: #632144) - Danish (closes: #632558) - Spanish (closes: #633883) - Russian (closes: #635145) clamz (0.4-2+squeeze1) stable; urgency=low * Handle unencrypted AMZ files that are now distributed by Amazon. Closes: #647043. clearsilver (0.10.5-1+squeeze1) stable-security; urgency=high * CVE-2011-4357 cpufrequtils (007-1+squeeze1) stable; urgency=low * Backport changes for 007-2 to squeeze (i.e. just recompile). cups (1.4.4-7+squeeze1) stable-security; urgency=high * Non-maintainer upload by the Security Team. * debian/patches: - str3867 added, fix an infinite loop / heap-based buffer overflow in the gif_read_lzw() function (CVE-2011-2896) - str3914 added, complete the fix for the previous issue (CVE-2011-3170). cyrus-imapd-2.2 (2.2.13-19+squeeze3) stable-security; urgency=high * Non-maintainer upload by the Security Team. * Fix possible NULL pointer dereference via crafted message reference id caused by a missing sanitizing of the mail headers. This can be exploited from a client making use of the IMAP threading feature (CVE-2011-3481). cyrus-imapd-2.2 (2.2.13-19+squeeze2) stable-security; urgency=low * Update Vcs-* and Homepage * Fix stack-based buffer overflow in the split_wildmats function in nntpd.c (CVE-2011-3208) * Fix for authentication bypass in nntpd (SA46093) debian-installer (20110106+squeeze4) squeeze; urgency=low [ Joey Hess ] * Adjust syslinux menu layout to avoid it falling off the bottom of the screen. Thanks, Flavio Stanchina. Closes: #650979 [ dann frazier ] * Rebuild against updated dependencies, including: - linux-kernel-di-*-2.6: adding drivers et131x, isci, xhci-hcd - base-installer: adds POWER7 to the powerpc64 family - libdebian-installer: detect IBM pSeries platform as powerpc/chrp_ibm debian-installer-netboot-images (20110106.squeeze4) squeeze; urgency=low * Rebuild against squeeze-proposed-updates. dpkg (1.15.8.12) stable; urgency=low [ Guillem Jover ] * Do not fail to unpack shared directories missing on the file system from packages being replaced by other packages. Closes: #631808 * Defer hardlink renames so that there's never a point were the new file contents are accessible from the final path before they have been fsync()ed and cannot be executed causing ETXTBSY when trying to open the to be installed paths for writing. Thanks to Jonathan Nieder . Closes: #635683 * Add armhf support to ostable and triplettable. Closes: #594179, #639674 [ Updated man page translations ] * German (Helge Kreutzmann). Minor fixe(s), including improvement by "Flo". [ Updated scripts translations ] * German (Helge Kreutzmann). Minor fix from Sven Joachim. Typo fixes. Closes: #646496 ecryptfs-utils (83-4+squeeze1) stable-security; urgency=low * Non-maintainer upload by the security team. * Various security fixes: - debian/patches/CVE-2011-1831,1832,1834.patch: chdir into mountpoint before checking permissions in src/utils/mount.ecryptfs_private.c. (CVE-2011-1831, CVE-2011-1832) - debian/patches/CVE-2011-1831,1832,1834.patch: modify mtab via a temp file first and make sure it succeeds before replacing the real mtab in src/utils/mount.ecryptfs_private.c. (CVE-2011-1834) - debian/patches/CVE-2011-1835.patch: make sure we don't copy into a user controlled directory in src/utils/ecryptfs-setup-private. (CVE-2011-1835) - debian/patches/CVE-2011-1837.patch: verify permissions with a file descriptor, and don't follow symlinks in src/utils/mount.ecryptfs_private.c. (CVE-2011-1837) - debian/patches/CVE-2011-3145.patch: also set gid and umask before updating mtab in src/utils/mount.ecryptfs_private.c. (CVE-2011-3145) eglibc (2.11.3-2) stable; urgency=low * Add patches/arm/cvs-tls-unallocated.diff and patches/mips/cvs-tls-unallocated.diff to fix FTBFS on armel, mips and mipsel. eglibc (2.11.3-1) stable; urgency=low * Update from stable upstream version, and update from the upstream stable branch: - fix wrong memmove/bcopy optimization with gcc-4.6. Closes: #619963. - fix an integer overflow in fnmatch() (CVE-2011-1659). Closes: #626370. - fix spurious warning in bswap_16() with -Wconversion. Closes: #561249. - fix auxiliary cache file creation. Closes: #588218. - fix memory corruption in fnmatch() that can lead to code execution (CVE-2011-1071). Closes: #615120 - fix strchr() on x86-64 CPU with SSE4.2. Closes: #635885 * Update patches: - patches/locale/locale-print-LANGUAGE.diff - patches/hppa/local-stack-grows-up.diff - patches/m68k/cvs-tls-support.patch - patches/any/local-disable-test-tgmath2.diff - patches/any/submitted-longdouble.diff - patches/any/submitted-bits-fcntl_h-at.diff - patches/kfreebsd/local-readdir_r.diff * Drop obsolete patches: - patches/any/cvs-redirect-throw.diff - patches/any/cvs-flush-cache-textrels.diff - patches/hurd-i386/cvs-linkat.diff - patches/hurd-i386/cvs-select.diff - patches/sparc/submitted-epoll.diff - patches/any/cvs-dont-expand-dst-twice.diff - patches/amd64/cvs-avx-tcb-alignment.diff - patches/any/submitted-etc-resolv.conf.diff - patches/any/cvs-audit-suid.diff * kfreebsd/local-sysdeps.diff, update to r3763 (from squeeze glibc-bsd). - fixes LD_PRELOAD with a kfreebsd-9 kernel. Closes: #630695. - uses upstream RFTSIGZMB for exit signal selection when available. - fixes a crash in if_nameindex() with more than 3 interfaces. - alter faccessat() X_OK tests similarly as access(). See #640334. - fix __libc_sa_len() for AF_LOCAL. See #645527. * Fix preinst script wrt 3.0 kernel. Patch by Colin Watson. Closes: #630077. * Update submitted-resolv.conf-thread.diff from upstream to fix a deadlock in some rare cases. * Add patches/any/cvs-resolv-different-nameserver.diff and patches/any/submitted-resolv-assert.diff to try a different nameserver if the first one returns REFUSED. Closes: #535504. * Add patches/any/cvs-getaddrinfo-single-lookup.diff to fix fallback to single lookup dns requests. Closes: #541167. * Add patches/any/cvs-pthread-setgroups.diff to fix setgroups() with multiple threads. * Add debian/patches/cvs-dl_close-scope-handling.diff from upstream to fix issues with dl_close() when resolving locally-defined symbols. Closes: #625250. * patches/i386/local-cpuid-level2.diff: fix a typo. Closes: #609389. * patches/any/cvs-nptl-pthread-race.diff: fix a race in NPTL code that sometimes causes a deadlock when calling fork() from a thread. * patches/amd64/cvs-avx-detection.diff: do not use AVX if hardware support is present, but not enabled in the kernel. Closes: #646549. * patches/any/cvs-statvfs-mount-flags.diff: get the mount flags directly from the kernel when possible instead of parsing /proc/mounts. Closes: #639897. * patches/any/cvs-dlopen-tls.diff: fix handling of static TLS in dlopen'ed objects. Closes: #637239. eglibc (2.11.2-13) unstable; urgency=low * Fix a typo in debian/patches/any/local-rtld.diff. Closes: #615806. eglibc (2.11.2-12) unstable; urgency=medium [ Aurelien Jarno ] * Re-enable build failure in case of testsuite regressions. * Add patches/any/cvs-fnmatch-alloca.patch from upstream to fix a memory corruption in fnmatch() that can lead to code execution. Closes: #615120. * Add patches/any/cvs-qsort-race.diff from upstream to fix race in qsort_r(). Closes: #614892. [ Samuel Thibault ] * patches/any/submitted-sched_h.diff: Synchronize bits/sched.h with sysdeps/unix/sysv/linux/bits/sched.h (Closes: #527589), rename to cvs-sched_h.diff. * patches/hurd-i386/cvs-if_freereq.diff: Fix crash when siocgifconf actually succeeds. [ Clint Adams ] * Patch from Nobuhiro Iwamatsu to cope with the removal of patch --unified-reject-files. closes: #612540. [ Steve Langasek ] * Merge parts of multiarch patch: - Use the correct path in the ldd script as well - Set default rtlddir to /lib and override it when needed. - Install xen library in $(libdir)/xen instead of /usr/lib/xen. eglibc (2.11.2-11) unstable; urgency=low * patches/kfreebsd/local-sysdeps.diff: remove stub marks for at* syscalls as we don't support FreeBSD 7.x kernels anyway. Closes: #610749. erlang (1:14.a-dfsg-3squeeze1) stable; urgency=low * Added patch by upstream which fixed CVE-2011-0766 (cryptographic weakness) in Erlang SSH application (closes: #628456). etherape (0.9.8-1+squeeze1) stable; urgency=low * Avoid crashes on some RPC packets. (CVE-2011-3369) (closes: #645324) evince (2.30.3-2+squeeze1) stable-security; urgency=high * Non-maintainer upload by the Security Team. * debian/patches: - 02_dvi_security backported from upstream git (439c50 and efadec4f) to complete previous incomplete fix. ffmpeg (4:0.5.6-3) stable-security; urgency=low * Also disable the cavsvideo parser in addition to the CAVS decoder on arm and powerpc. ffmpeg (4:0.5.6-2) stable-security; urgency=low * Disable the CAVS decoder on arm and powerpc, avoids a build failure. ffmpeg (4:0.5.6-1) stable-security; urgency=low * New upstream release. New release fixes: - svq1 decoder (CVE-2011-4579) - DoS in the VP5/VP6 decoders (CVE-2011-4353) - QDM2 decoder (CVE-2011-4351) - Sierra VMD decoder (CVE-2011-4364) * Note while the source package name reads 'ffmpeg', this is actually the libav-0.5.6 release. ffmpeg (4:0.5.5-1) stable-security; urgency=low * New upstream release, closes: #641478. New release fixes: - Fix memory (re)allocation in matroskadec.c (MSVR11-011/CVE-2011-3504) - Fix some crashes with invalid bitstreams in the CAVS decoder (CVE-2011-3362, CVE-2011-3973, CVE-2011-3974) - Compilation fixes for gcc-4.6, testsuite now passes again - Detect and handle overreads in the MJPEG decoder. * debian/watch: update. While this source package is still named 'ffmpeg', we actually track 'http://libav.org' as upstream. ffmpeg (4:0.5.4-1) stable-security; urgency=low * New upstream release. New releases fixes: - Fix memory corruption in WMV parsing (addresses CVE-2010-3908, LP: #690169) - Fix heap corruption crashes (addresses CVE-2011-0722) - Fix crashes in Vorbis decoding found by zzuf (addresses CVE-2010-4704, Closes: #611495) - Fix another crash in Vorbis decoding (addresses CVE-2011-0480, Chrome issue 68115) - Fix invalid reads in VC-1 decoding (related to CVE-2011-0723) - Do not attempt to decode APE file with no frames (fixes DoS) * drop fix-CVE-2010-3429.patch, applied upstream ffmpeg (4:0.5.2-6) unstable; urgency=high * Fix several security issues in flicvideo.c. Fixes: CVE-2010-3429, Closes: #598590 * Raising severity to high because of security issue. ffmpeg (4:0.5.2-5) unstable; urgency=low [ Dominic Evans ] * add libxfixes-dev to build-depends to unbreak x11grab input, Closes: #596342, LP: #631103 [ Reinhard Tartler ] * fix x11grab example in e.g. the manpage so that they actually work ffmpeg (4:0.5.2-4) unstable; urgency=low [ Loïc Minier ] * Fix typo: use -march=armv7-a instead of -marmv7-a ffmpeg (4:0.5.2-3) unstable; urgency=low [ Reinhard Tartler ] * Move breaks declaration from libavformat to libavcodec to help the apt solver, Closes: #591881 [ Loïc Minier ] debian/confflags: detect whether the toolchain supports ARMv7 ("dmb") by default as the NEON pass needs at least ARMv6t2; if it's not enabled by default, pass -marmv7-a in extra-cflags for the NEON pass since NEON implies ARMv7; closes: #594417. ffmpeg (4:0.5.2-2) unstable; urgency=low * Enable some encoders: - h263, h263p, mpeg2video, mpeg4, msmpeg4v1, msmpeg4v2, msmpeg4v3 Closes: #418231, #433287, #440216, #587898, #525349 * Bump Standards Version, no changes needed ffmpeg (4:0.5.2-1) unstable; urgency=low [ Andres Mejia ] * Fix dependency problem for ffmpeg so it can use extra ffmpeg libs. [ Reinhard Tartler ] * move presets back to 'ffmpeg' package. Closes: #581748 [ Fabian Greffrath ] * Imported Upstream version 0.5.2 * Remove ffmpeg-debian_hurd.patch, applied upstream. * Remove fix-ftbfs-altivec.patch, applied upstream. ffmpeg (4:0.5.1-3) unstable; urgency=low * fix ftbfs on powerpc ffmpeg (4:0.5.1-2) unstable; urgency=low * reintroduce gnu/hurd patch * Fix compilation on powerpc with --disable-altivec ffmpeg (4:0.5.1-1) unstable; urgency=low * new upstream release: - clarifies documentation on metadata, Closes: #570050, LP: #501729 - further security backports, Closes: #570713 * adapt to new versioning scheme * use '<<' instead of '<' relationship for internal shlib file * merge changes from ubuntu packaging * drop wmapro backport again as discussed with upstream. The unrelated changes seem too risky for a stable release. ffmpeg (4:0.5+svn20090706-6) unstable; urgency=low [ Fabian Greffrath ] * debian/patches/901-fix-misc-typos.patch: New patch taken from upstream GIT (slightly modified) to fix some spelling errors. * Document our calling of debhelper programs in an odd order in debian/rules. [ Reinhard Tartler ] * document some unattributed patches * enable cpu autodetection in libswscale, Closes: #567725, LP: #386397 [ Christopher Martin ] * backport wmapro codec from ffmpeg trunk ffmpeg (4:0.5+svn20090706-5) unstable; urgency=medium * Upload to unstable * Urgency medium because of fixed RC bugs (security issues) ffmpeg (4:0.5+svn20090706-4) experimental; urgency=low [ Loïc Minier ] * Use default toolchain setup on ARM flavors for noopt and only add FPU CFLAGS in the VFP and NEON flavors; this is ok since internally, cpu will be set to "generic" but -march=generic or -mcpu=generic will NOT be added to the build flags. * Build all armel flavours with -marm since ffmpeg has a lot of hand crafted assembly which doesn't build in the new lucid default mode (Thumb 2); LP: #488267 * Build all armel flavours with -fPIC -DPIC instead of just the neon flavour as the new flags/toolchain require this in Ubuntu lucid. * Build some assembly test code -- just like configure -- to decide whether the *default* toolchain uses vfp or neon to decided whether to build the vfp and neon flavors. * Drop --disable/--enable opt flags such as --disable-neon or --enable-armvfp on ARM since the upstream configure script will do the right thing when the proper flags are set. [ Reinhard Tartler ] * build with PIC on powerpc (Closes: #561956) ffmpeg (4:0.5+svn20090706-3) experimental; urgency=low [ Loïc Minier ] * Disable more autodetecter ARM arch features * Enable neon flavour * Update NEON confflags to assume v7 and VFP * Add backported NEON patches from ffmpeg trunk * Pass proper --cpu and --extra-flags on armel * Pass -fPIC -DPIC to neon pass [ Fabian Greffrath ] * Initialize the FLAVORS variable to static instead of appending to it. Also, we do not support the internalencoders variable anymore. [ Andres Mejia ] * Remove unused patches from packaging. * Update Vcs-* entries to new location. * Bump Standards-Version to 3.8.3. [ Reinhard Tartler ] * change shlibs file to make applications depend on the -extra- packages * loosen dependencies further, so that the -dev packages remain installable even if ffmpeg-extra is 'out-of-date' * add patch for issue1245: Make arguments of av_set_pts_info() unsigned. * Support constant-quant encoding for libtheora, LP: #356322 * increase swscale compile time width (VOF/VOFW), LP: #443264 * Backports of various security patches, Closes: #550442, including: - backport fixes for vorbis_dec - backport oggparsevorbis fix - backport vp3 fixes - backport ffv1 fix - libavcodec/mpegaudiodec.c backports - h264 security backports - backported libavformat/mov.c security fixes - backported libavformat/oggdec.c security fixes - backport svn r18016 aka 'MOV-Support-stz2-Compact-Sample-Size-Box' to fix FTBFS * enable symbol versioning * bump shlibs version * add README.source describing how this source package manages patches * make sure the ${misc:Depends} substvar is used for each binary package ffmpeg (4:0.5+svn20090706-2) unstable; urgency=low [ Fabian Greffrath ] * Enable support for libdirac, now that it has entered Debian. [ Andres Mejia ] * Fix ordering of FLAVORS that are installed. (Closes: #543595) [ Reinhard Tartler ] * prepare new upload * simply debian/confflags by removing the case of renaming the source package ffmpeg (4:0.5+svn20090706-1) unstable; urgency=low * preparing new upstream version, 0.5 release branch, rev 19352 - this version is capable of compiling swscale in LGPL mode * rename source package back - The replacement package with the 'missing bits' will be called 'ffmpeg-extra' - simplify README.upstream-upgrade - rename the source package from 'ffmpeg-debian' -> 'ffmpeg' * fix aac playback regression, thanks to Matthew Wakeling for reporting (Closes: #540729) * fix seeking in DIF (DV) movies Thanks to Dan Dennedy for identifying the patch! (Closes: #540424) * debian/rules: - merge cond_enable_nf macro from master.extra branch - don't disable ffserver in various optimized variants - don't disable building of statically linked helper binaries - simply by removing the case of renaming the source package - change the shlibs file: s/-unstripped-/-extra-/ ffmpeg-debian (4:0.5+svn20090609-2) unstable; urgency=low [ Fabian Greffrath ] * Remove .install files for unstripped packages that we do not build from this branch anyway. * Remove debian/fixup-config.sh which was only a hack needed to repair the crippled config.h * Finally remove strip.sh. [ Andres Mejia ] * Add vdpau support by including vdpau headers in deb packaging. (Closes: #511544) * Don't disable encoders if internalencoders is set in DEB_BUILD_OPTIONS. * Enable yasm for i386 and amd64. [ Reinhard Tartler ] * clarifications suggested by upstream in README.Source * refresh patches [ Fabian Greffrath ] * Document the copyright notice and license for the VDPAU headers in debian/copyright. * Remove parallel make support from debian/confflags, it's overridden in debian/rules anyway. * Quote opts in debian/watch. * Bump debhelper compat to 7. * Clean up clean target in debian/rules in favour of debian/clean. * Replace "dh_clean -k" by dh_prep. [ Reinhard Tartler ] * remove duplicated libxvmc-dev build dependency * sort build dependencies alphabetically * remove section numbering from README.Debian * add note about the lintian override ffmpeg-debian (4:0.5+svn20090609-1) unstable; urgency=low [ Andres Mejia ] * Add myself to Uploaders list. * Reorder when dh_strip is done so qt-faststart is also stripped. * Update to control files. * Add new confflags for new build dependencies. * Use .docs files to add ffmpeg and ffmpeg-doc documentation. * Use .docs files for installing documentation. * Add comment to 900_doxyfile patch. * Add man page for qt-faststart. * Bump version in changelog to prepare new release * Fix FTBFS for ffmpeg source package with -dev packages (Closes: #527761) * Use dh_lintian to install lintian overrides * Update comment on fpic-* patches * Build-Depend on debhelper (>= 6.0.7~) for dh_lintian. * Add lintian overrides for remaining fpic lintian errors. * Shorten comment on lintian-overrides. * Allow passing in extra confflags, removes the need for fix-fpic DEB_BUILD_OPTIONS. * Fix FTBFS on kfreebsd. (Closes: #528591) * Include patches to allow us to use opencore-amr libraries. [ Reinhard Tartler ] * remove debian/control.* mechanism * improve patch description for debian/patches/100_kfreebsd [ Andres Mejia ] * Add lintian overrides for ffmpeg-debian source warnings. * Only use .svnrevision if it's readable. * Update source lintian-overrides for modifications to debian/rules. * Add fix for FTBFS for GNU Hurd OS. Thanks Marc Dequènes. (Closes: #530436) [ Felipe Sateler ] * Don't add -unstripped to the unstripped variant version number in debian/README.upstream-upgrade. * In the same file, pass explicit version to git-import-orig [ Fabian Greffrath ] * Cleaned up debian/watch file. * Add notes why we no longer strip the orig.tar.gz. [ Andres Mejia ] * Fix watch file to ignore daily snapshots. * Make get-orig-source.sh executable. [ Reinhard Tartler ] * add patch for qtrle encoding (Closes: #530016) * Enable xvmc support by adding libxvmc-dev to build dependencies * really add libopenjpeg-dev to build depends, actually enabling the openjpeg decoder. * reorganise README.Debian for the new plan [tm] * no longer strip the source on upstream upgrades * Imported Upstream version 0.5+svn20090609 * adjust notes in README.upstream-upgrade for the now unstripped debian source package * remove hack to build with stripped sources * bump standards version, no changes needed ffmpeg-debian (4:0.5+svn20090420-2) unstable; urgency=low * debian/control: fix dependencies for libavutil-dev and libavfilter-dev so that they can be used with the unstripped variants properly. * debian/rules: set nooptflags only for relevant architectures. * explicitly disable 'dangerous' encoders on the --configure line. * fix SHLIBS_VERSION in debian/rules (Closes: #527350). ffmpeg-debian (4:0.5+svn20090420-1) unstable; urgency=low [ Fabian Greffrath ] * Merge the contents of patents.txt into README.Debian and change some paragraphs to (hopefully) add some more clarity on the removed encoders and the package naming scheme. Based on suggestions by Xavier Douville , thank you very much for the review. (Closes: #519025) * Reorder some confflags to account for GPL licensed libraries. * Remove patents.txt * Explicitely mention that no decoders are disabled in our packages. [ Loïc Minier ] * Disable more autodetecter ARM arch features * Add neon and vfp flavors to armel disabled for now * vfp CFLAGS: add "-mfpu=vfp -mfloat-abi=softfp" [ Reinhard Tartler ] * New Upstream Version (svn revision 18630) * bump epoch as 0.5 was released. Future version will use '+' to indicate that the package is based on a release branch and '~' to indicate that the package is based on the 'trunk' branch. * update from the upstream release branch to generate a new upstream tarball. * add a git-buildpackage config file at debian/gbp.conf * beautify identification string * debian/rules: bump epoch to '4' * update section names in control file * update upstream svn server url * fixup get-orig-source rules in debian/rules * create right filenames for the orig.tar.gz files * update README.upstream-upgrate for new versioning scheme * remove debian/005_release_branch_changes.diff * remove reference to 020_visibility_patch * install the upstream license file and release notes * allow -dev packages be installed with the unstripped variants Closes: #526007, LP: #312898 * be more careful with svn:externals in debian/get-orig-source.sh. (Closes: #525348) ffmpeg-debian (3:0.svn20090303-1) unstable; urgency=low * New Upstream Version (svn revision 17737 libswscale revision 28799) - Electronic Arts TQI decoder - OpenJPEG based JPEG 2000 decoder - NC (NC4600) camera file demuxer - Gopher client support - MXF D-10 muxer - generic metadata API * debian/get-orig-source.sh: Track the version 0.5 release branch. The version number does not really reflect this, but this package is actually very close to the 0.5 release branch. * various cleanups to improve get-orig-source.sh * Remove liba52 from the suggests field in debian/control.ffmpeg, as ffmpeg does no longer use it since upload 0.svn20080206-10. * Fix the Vcs-Git urls to the correct locations. * The libavformat52 now links against libavcodec52, which breaks applications that *ALSO* link against libavcodec51. Adding a Breaks: libavcodec51 should prevent this and (hopefully) Closes: #516885. * improve parallel builds on SMP/multicores by supporting the parallel flag in DEB_BUILD_OPTIONS, and default to the number of available CPUs on i386 and amd64. * Drop unapplied patches from debian/patches. * bump shlibs version. ffmpeg-debian (3:0.svn20090204-3) unstable; urgency=low [ Fabian Greffrath ] * remove libasound2-dev from build-depends on non-Linux archs [ Reinhard Tartler ] * fix postinst generation by calling dh_installdeb after dh_makeshlibs * upload to unstable ffmpeg-debian (3:0.svn20090204-2) experimental; urgency=low * add libxvmc-dev to build-depends in the 'ffmpeg' variant * add libasound2-dev to build-depends. This means that ffplay is now able to actually play using alsa directly instead only via libsdl * add epochs for the "internal" shlibs dependencies ffmpeg-debian (3:0.svn20090204-1) experimental; urgency=low [ Reinhard Tartler ] * New Upstream Version (svn revision 16978 libswscale revision 28461) Upstream Changes: - R3D REDCODE demuxer - ALSA support for playback and record * strighten internal dependencies by using a shlibs.local file Closes: #512844, #512466 * New upstream version reintroduces a compatibility symbol ff_gcd Closes: #512946 * Bump shlibs because of changes of the Metadata API in libavformat. Actually no other package should use them yet, but let's better play safe here... * no longer install dsputil.h. It exposes lots of function that are private to ffmpeg and may change on any new upstream revision. Please get in touch with the ffmpeg maintainers if you maintain packages that rely on that ffmpeg internal headers like this. * simplify debian/confflags by doing autodetection of headers: - xvid.h - lame/lame.h - faac.h - x264.h - vdpau/vdpau.h Also remove the setting externalcodecs from DEB_BUILD_OPTIONS. The codecs will be enabled as soon as the headers are installed on the filesystem, so there is no need in enabling that separately. * install ffpresets in /usr/share/ffmpeg/. Currently only presets for x264 are avaiable, so a libx264 enabled libavcodec (like libavcodec-unstripped-52) is needed to actually use them. [ Fabian Greffrath ] * Enabled Speex decoding via libspeex. * Use an alternative approach to achieve strict internal dependencies by calling dh_makeshlibs twice in debian/rules instead of a debian/shlibs.local file. ffmpeg-debian (3:0.svn20090119-1) experimental; urgency=low * New Upstream Version (svn revision 16681 libswscale revision 28341) * update Vcs-Git tags. Packaging has now moved to git * updates to packaging that faciliate building the unstripped and ubuntu variants of this package * enable xvmc support Upstream Changes: - SVQ3 watermark decoding support - hybrid WavPack support ffmpeg-debian (3:0.svn20090110-1) experimental; urgency=low * new upstream svn snapshot (svn revision 16508, libswscale revision 28286) Upstream Changes: - RV30 and RV40 decoder - QCELP / PureVoice decoder * removed patch 050_fix_pkgconfig_files.patch. Merged upstream * disabled patch 020_visibility_patch. It needs to be adapted to the new upstream changes. Hopefully it will get merged into ffmpeg properly. * install formats.txt in the libavcodec52 package to document what formats this version of ffmpeg has enabled. ffmpeg-debian (3:0.svn20081115-1) experimental; urgency=low * new upstream svn snapshot (svn revision 15824, libswscale revision 27910) * bump standards version to version 3.8.0, no changes needed * Adjust pkg-files to no longer put unnecessary dependencies in the generated .pc files. Closes: #504220 ffmpeg-debian (3:0.svn20081108-1) experimental; urgency=low * upstream svn snapshot (svn revision 15786, libswscale revision 27900). * apply visibility patch from ffmpeg-devel mailing list. This reduces the number of symbols that are exposed to other applications. Please file bugs if applications fail to link against ffmpeg because of that. * remove 001_fixup_version.diff patch and use upstream --extra-version configure flag instead. * now really remove 015_img_convert.patch from source package. ffmpeg-debian (3:0.svn20080925-1) experimental; urgency=low [ Loic Minier ] * Tweak sed versions regexps to deal with epochs and upstream revisions with dashes and be generally stricter. * Large cleanup to rules logic: drop some cruft, rewrite some small chunks in a slightly more readable manner, whitespaces, .PHONY fixes, internalencoders handling, shlibs logic... * Rename SRC_VERSION to UPSTREAM_VERSION in rules. * Use DEB_SOURCE from the Source: field of dpkg-parsechangelog's output instead of hardcoding the name of the source. [ Reinhard Tartler ] * new svn snapshot (svn revision 15404, libswscale revision 27636). * SONAME change: libavcodec51 -> libavcodec52 * drop old scaler (imgres/imgconvert). Upstream is about to remove it completely. - reporter claims that a newer snapshot fixes a crash in the dca decoder. Thanks to "Alexander E. Patrakov" (Closes: #496612) * reenable h261 encoder (Closes: #459073) [ Fabian Greffrath ] * debian/{ffmpeg,lib*-dev}.install: + Simplified, e.g. install the whole /usr/include/ sub-directory for each particular library instead of single header files one by one. * debian/control, debian/confflags: + Enabled Dirac support via libschroedinger. (Closes: #499785) * debian/changelog: + Added an epoch needed for Ubuntu. * debian/control: + Removed Conflicts and Replaces against packages that either aren't even in Debian 4.0 "Etch" anymore or that use the deprecated naming scheme from . + Since ffmpeg-config has been removed from our packages, all inter-package Conflicts and Replaces may be removed, too. + Removed Build-Conflicts against libdc1394-13-dev, because libdc1394-22-dev already does this for us. + Updated inter-package dependencies and demoted Depends on external library packages to Suggests, since we shouldn't encourage package maintainers to link statically against libav*. * debian/confflags, debian/control, debian/rules, debian/libavfilter*: + Built libavfilter and disabled vhook in turn (Closes: #499787). [ Loic Minier ] * Remove debug echo which broke shlibs, sorry. * Fix Vcs-* control fields; thanks Gerfried Fuchs. * Mention upstream SVN in debian/copyright; thanks Gerfried Fuchs; closes: #499914. ffmpeg-debian (0.svn20080206-12) unstable; urgency=low * enable vhook in all flavors. (Closes: #490272, LP: #260296) * make ffmpeg output a proper version number. (Closes: #496133, #483923) ffmpeg-debian (0.svn20080206-11) unstable; urgency=low [ Reinhard Tartler ] * new patch: patches/010_fix_ftbfs_hppa.diff: On hppa shared objects do required object files to be build "-fPIC -DPIC". Patch taken from upstream svn. * bugfix: libraries linked with libX11 on GNU/kFreeBSD. Thanks to Aurelien Jarno for the patch. (Closes: #487252) [ Fabian Greffrath ] * debian/confflags, debian/control: + Build-Depend on libdc1394-22-dev explicitely and add Build-Conflicts on libdc1394-13-dev (Closes: #490319). ffmpeg-debian (0.svn20080206-10) unstable; urgency=high * enable mmx and sse3 in builds. These CPU features are autodetected at runtime on amd64 and i386 using the 'cpuid' instrcution. (Closes: #489732) * disable support for liba52-dev. ffmpeg has its own implementation. * don't add -fPIC -DPIC forcefully to ./configure. upstream claim that the configure script gets this right on all architectures itself. * Add patch 020_bug489965_bufferoverflow_str_demuxer.diff. Fixes a buffer overflow in the STR demuxer. Thanks to Moritz Muehlenhoff for reporting the issue. (Closes: #489965) * Raising severity to high because of security issue. * rework the shlibs file. Make applications linking against libraries produced by this source package generate an alternate dependency on the 'unstripped' variants of this package. They actually do not exist yet at this point, but this way reverse dependencies are enabled to use them when they eventually appear. ffmpeg-debian (0.svn20080206-9) unstable; urgency=low [ Reinhard Tartler ] * cleanup 010_proper_rpath.diff: remove spurious linker search paths. * debian/strip.sh: no need to remove the glue code for x264 and xvid. However, since that code is not built in debian anyway, the orig.tar.gz was not rebuilt with this change. * provide mmx-enabled shared objects on amd64. AFAIK all amd64 machines do support MMX. * Provide optimized versions of the libraries along the unoptimized ones. They are installed in machines and architecture specific directories. Optimized for further target will be added per request, please file bugs to request them. * rename the source package (again), this time on upstream's request. The former name was considered insulting by upstream, because it somewhat indicated the original source was somehow 'non-free', which is not the case. The new name now represents that we modified the package so that it becomes acceptable for debian. * Cleanups in debian/rules file. * Add verbose explanations about the renaming in README.Debian. [ Fabian Greffrath ] * debian/control: + Added Conflicts and Replaces against obsolete library packages from wearing the 'cvs' suffix in their names (Closes: #484585, #484586, #484587, #484776, #484778). + Added doxygen to Build-Depends. + Introduced new package 'ffmpeg-doc' that contains html doxygen documentation of the ffmpeg API (Closes: #438369). + Changed Build-Depends from libdc1394-13-dev to libdc1394-22-dev, which is supported upstream since r11501. * debian/ffmpeg-doc.install: + Added. * debian/rules: + Build and install html doxygen documentation. + Avoid dependency of build-stamp rule on phony targets. * debian/libavutil-dev.install, debian/rules, debian/patches/010_ffmpeg-config.diff: + Removed ffmpeg-config, use pkg-config instead (maintainers of affected packages have been informed, see #487917 to #487922). [ Darren Salt ] * Added patch 900_doxyfile: tell doxyfile to ignore debian* directories. * debian/rules: - Reworked building so that separate source & build directories are used. This makes cleanup simpler and speeds up maintenance by avoiding complete rebuilds when using "debuild binary". - Removed some file installation 'cp' commands, made unnecessary due to the build reworking. - Unpatching is now done *after* cleaning. ffmpeg-free (0.svn20080206-8) unstable; urgency=low [ Fabian Greffrath ] * debian/control: + Added Conflicts and Replaces on libavutil-dev (<< 0.svn20080206-7) to libavcodec-dev (Closes: #483548). [ Reinhard Tartler ] * remove patches from the debian package as disussed with upstream: - 005_runtime_cpudetect.diff: it is supposed to fix runtime cpu detection on i386. The code (and the define) has undergone large refactoring wrt. the define RUNTIME_CPUDETECT. It is very likely to have undisired side-effects with this version of ffmpeg. It therefore seem more safe to me to actually remove this patch for now, and reinvestigate the problems that occur, if they do. (Related to: #482717) - 005_m68k_workaround.diff: works around bugs in gcc for m68k. - 006_mips_pthreads.diff: was an workaround for (now fixed) #428741. - 020_fix_sws_scale_crash: patch has been rejected upstream: http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/2008-May/047846.html - 054_h264_mmx_chroma_mc_crash.diff. According to upstream, this has been fixed in a different way and is not reproducible. Verified that the file referenced in bug #404176 does not crash anymore even without this patch. * new patch: 015_reenable-img_convert.diff. Unlike previous version of this patch, this uses a more lightweight approach. With building imgresample, a few symbol clashes occur with libswscale. We therefore strip off symbols that are already provided by libswscale. (Closes: #483960). * remove 011_link_plugins.diff. It is completely unnecessary now. * refactor quilt usage: use /usr/share/quilt/quilt.make. * support building in paralell. make snippet taken from the qemu package. * cleanups in debian/rules. * Move ffmpeg-config back to libavutil. This way we can avoid a circular dependency between libavutil-dev and libavcodec-dev. (Closes: #484132). libavcodec uses libavutil internally, so this dependency cannot be avoided. * disable altivec, at least for now. (Closes: #482717) * always compile with --disable-strip. We strip the binaries afterwards using dh_strip anyways. * Remove depdency substitutions ${shlibs:Depends} and ${misc:Depends} from the -dev packages. ffmpeg-free (0.svn20080206-7) unstable; urgency=low * debian/control: + Removed unnecessary Conflicts and Replaces from libswscale0 (Closes: #481908), thanks Guillem Jover. + Made libavutil-dev depend on libavcodec-dev. * debian/libavcodec.install, debian/libavutil.install: + Moved ffmpeg-config (script and manpage) from libavutil-dev to libavcodec-dev (really Closes: #482213, #482214). ffmpeg-free (0.svn20080206-6) unstable; urgency=low * Bug fix: "libavg: FTBFS: ld: cannot find -ldts", thanks to Lucas Nussbaum (Closes: #482213, 482214). Fixed by removing -ldts from ffmpeg-config. ffmpeg-free (0.svn20080206-5) unstable; urgency=low [ Fabian Greffrath ] * debian/control: + Fixed dependency typo, libswscale0 conflicts with libswsacle1d but not libswscale1d (Closes: #481908). [ Reinhard Tartler ] * disable 015_build_imgresample.diff. Please port all applications needing the symbols sws_{scale,getContext}, sws_{getCachedContext,freeContext} to use libswscale instead. * downgrade debhelper depencency to level 5. We don't use any of the level 6 features, and level 5 faciliates backporting to earlier releases massively. * remove unapplied patches from source to reduce the size of the .diff.gz. The old patches can be retrieved from branches in our svn. ffmpeg-free (0.svn20080206-4) unstable; urgency=low * debian/rules: + Moved confflags, that result in GPL versions of the libraries, into a dedicated variable gpl_confflags. Add this to the common confflags. + Moved --prefix=/usr to the common confflags. + Added some comments and whitespace (nothing special). + Renamed the "risky" keyword to "internalencoders". Set this in DEB_BUILD_OPTIONS in order to create and build from an unstripped tarball in the get-orig-source and build rules (Closes: #478010). + Introduced the "externalcodecs" keyword. Set this in DEB_BUILD_OPTIONS to enable support for additional codecs via external libraries. + Commented out the amr?b codecs among the external codecs, because the resulting packages will be unredistributable. ffmpeg-free (0.svn20080206-3) experimental; urgency=low * install qt-faststart. Thanks Stefan Hermann for the patch from ubuntu. (Closes: #470484) * Reenable 020_fix_libswscale_pic_code, fixes FTBFS on amd64. * Reenable altivec, fixes FTBFS on powerpc. * Add some notes about the removed mpeg encoders (Closes: #440702) ffmpeg-free (0.svn20080206-2) experimental; urgency=low [ Reinhard Tartler ] * patches/020_fix_sws_scale_crash: if sws_scale is given an invalid context (e.g. a null pointer), the function will crash because of a null pointer dereference. Add a check for that here. * add Conflicts/Replaces for libswscale1d. * Due to the fact that we no longer build the shared version of ffmpeg with mmx optimisations, the following patches have been dropped: - 020_mmx_optims.diff - 020_mmx_pic_code.diff - 020_disable_snow_mmx_in_pic.diff - 020_fix_libswscale_pic_code [ Fabian Greffrath ] * debian/control: + Added libx11-dev and libxext-dev to Build-Depends. * debian/rules: + Build with --enable-x11grab (Closes: #441983). + Build ffmpeg and shared libraries with --extra-cflags="-fPIC -DPIC" (feeling confident that this closes: #472613) and "drop the surgery regarding Makefile.pic and config.mak.pic". + In this context, cleaned up build rule: Run '$(MAKE)' and '$(MAKE) clean' from the top source directory instead of diving into the library directories; force move during backup and recovery of the static libraries; let the build rule itself depend on config-extra-includes.h (instead of build-stamp) to avoid being run again from the binary rule; some more minor changes of cosmetic type. + Renamed config-extra-includes rule to config-extra-includes.h to reflect the file name of the created file (also changed to override it instead of appending) and to avoid the rule to be run twice. + Disabled all architecture-specific optimizations for the time being. ffmpeg-free (0.svn20080206-1) experimental; urgency=low [ Reinhard Tartler ] * new upstream release (Closes: #471136) * refreshed patches * libogg was dropped upstream * no longer install integer.h, as it is not part of the public API (see upstream r11642). * no longer install rtp.h, as it is not part of the public API (see upstream r11505). * install crc.h and sha1.h to libavutil-dev, since it is part of the public API now. * introduce new package: libavdevice52 and libavdevice-dev. * Implemented debian/get-orig-source.sh and adjusted the get-orig-source target in debian/rules to use that. * fix invocation of the testsuite. * bump standards version to 3.7.3 (no changes needed). * add script recordshow.sh (Closes: 461434). Thanks to Daniel Dickinson * Introdcue binary package ffmpeg-dbg, which contains debugging symbols of the shared library packages. [ Fabian Greffrath ] * debian/changelog: + Source is exported from SVN, not CVS. Reflect this in the versioning scheme (Closes: #468319). * debian/control: + Changed Build-Depends to liba52-0.7.4-dev | liba52-dev. + Improved descriptions and dependencies for libavdevice packages. * debian/control, debian/compat: + Bumped debhelper Build-Depends to (>= 6.0.0). * debian/control, debian/*.install: + Adopted shared library package names to upstream SONAMEs. * debian/README.Debian: + Updated, since AAC decoding (through FAAD) is now enabled. + Updated URL for unofficial ffmpeg packages. * debian/rules: + Reordered confflags to optionally build LGPL versions of the libraries. + Removed trailing whitespace. + Removed unused strip rule. + Added libxvidcore4-dev to weak-build-deps and fixed confflags in DEB_BUILD_OPTIONS=risky accordingly. + Added a get-orig-source rule to reproduce the source tarball. Produce an unstripped tarball if DEB_BUILD_OPTIONS=risky. + Do not run debian/fixup-config.sh if DEB_BUILD_OPTIONS=risky. * debian/patches/011_link_plugins.diff: + Updated to link all plugins against libavutil since they all use symbols from this library. Resolves "symbols found in none of the libraries" warnings from dpkg-shlibdeps. ffmpeg-free (0.cvs20071007-4) experimental; urgency=low [ Fabian Greffrath ] * debian/control: + Wrapped Uploaders, Build-Depends and Depends, Conflicts and Replaces fields. + Added libfaad-dev to Build-Depends. + Added Homepage field. + Added ${misc:Depends} to all Depends. * debian/rules: + Enabled faad support via libfaad (Closes: #400094, #418230, #447089, #448068, #449387). + Added libmp3lame-dev to weak-build-deps in DEB_BUILD_OPTIONS=risky. + Added support for amrnb, amrwb and x264 (Closes: #432170) in DEB_BUILD_OPTIONS=risky. [ Reinhard Tartler ] * added Fabian Greffrath to Uploaders ffmpeg-free (0.cvs20071007-3) experimental; urgency=low * disable armv6 code generation. Thanks to Joey Hess for the patch (Closes: #438923). ffmpeg-free (0.cvs20071007-2) experimental; urgency=low * restore soname on libavutil. got dropped on previous upload. * Bug fix: "needs libavutil-dev headers but doesn't depend on it", thanks to rmh@aybabtu.com (Closes: #434494). This was actually already fixed in a previous upload. * build dependencies in debian/control are now multiline. * Drop the XS- from the Vcs-Browser and Vcs-Svn field. ffmpeg-free (0.cvs20071007-1) experimental; urgency=low * new upstream snapshot, using the same day as the mplayer release * Refreshing patches: -005_altivec_flags.diff: dropped, merged upstream -005_m68k_workaround.diff: refreshed -005_runtime_cpudetect.diff: refreshed -006_mips_pthreads.diff: refreshed -010_proper_rpath.diff: refreshed -010_shared_library_versioning.diff: refreshed -011_link_plugins.diff: refreshed (moved to top level makefile) -015_build_imgresample.diff: refreshed -020_disable_snow_mmx_in_pic.diff: refreshed -020_fix_libswscale_pic_code.diff: refreshed -020_mmx_optims.diff: refreshed -020_mmx_pic_code.diff: refreshed -040_early_altivec_detection.diff: disabled, doesn't apply anymore -040_only_use_maltivec_when_needed.diff disabled, (causes ftbfs, needs revising) -040_only_use_maltivec_when_needed.diff: refresh -051_mjpeg_gray_support.diff, removed applied upstream -053_rm_demux_crash.diff removed, applied upstream. -060_fix_avi_skip.diff removed, does not apply anymore * remove --enable-libdts. ffmpeg now has an internal dts decoder since r9051 (2007-05-17). It seems that at least some packages link to libdts and rely on the transitive dependency via ffmpeg. Please add explicit dependencies on libdts instead! * Don't ignore errors in upstream Makefile. Bug found via lintian. ffmpeg-free (0.cvs20070307-7) UNRELEASED; urgency=low * debian/patches/051_mjpeg_gray_support.diff: + Support grayscale MJPEG streams as sent by Axis cameras. ffmpeg-free (0.cvs20070307-6) unstable; urgency=low * Rename the source package. We are (again) no longer shipping the 'real' upstream source of ffmpeg. * Add debian/strip.sh to strip ffmpeg upstream source disabling mpeg based encoders as discussed with ftp-master at debconf7 * update XS-Vcs tags in debian/control. * make ffmpeg binNMU-able by using ${binary:Version} rather than ${Source-Version} ffmpeg (0.cvs20070307-5) unstable; urgency=low * upload to unstable * remove x264 support, as it has been removed from unstable ffmpeg (0.cvs20070307-4) experimental; urgency=low * added myself to uploaders * 020_fix_libswscale_pic_code: + added, avoid some MMX code to avoid PIC code [ Sam Hocevar ] * fixed path in library installation. ffmpeg (0.cvs20070307-3) experimental; urgency=low * debian/patches/015_build_imgresample.diff: + Build imgresample functions even with swscaler activated, or legacy applications will stop working. * debian/patches/053_rm_demux_crash.diff: + New patch: fix a double free with corrupted rm files (Closes: #379922). * debian/patches/054_h264_mmx_chroma_mc_crash.diff: + New patch: workaround for a buffer overflow in the MMX H264 chroma motion compensation until upstream fixes it properly (Closes: #404176). * debian/patches/300_c++_compliant_headers.diff: + Define INT64_C() when the system headers don't provide it, for instance when building C++ code. * debian/control: + Set pkg-multimedia-maintainers as main maintainer. + Updated VCS fields. * debian/rules: + Huge cleanup. ffmpeg (0.cvs20070307-2) experimental; urgency=low * debian/rules: + Activate x264 support now that it is in unstable. * debian/control: + Build-depend on libx264-dev. ffmpeg (0.cvs20070307-1) experimental; urgency=low [ Sam Hocevar ] * New upstream snapshot (Closes: #403330, #404788). * This snapshot fixes numerous file parsing crashes (Closes: #404176, Closes: #407003, #396282, #365006, #403398). * debian/patches/010_proper_rpath.diff: + New patch. Link objects with the libraries that we generate, not the ones installed on the system. * debian/patches/010_shared_library_versioning.diff: + Strip unneeded prefix from .pc files (Closes: #404758). * debian/patches/011_link_plugins.diff: + New patch. Link vhook plugins with the appropriate libraries. * debian/patches/013_strip_unneeded_linker_flags.diff: + Remove unneeded -l flags from .pc files (Closes: #373986). * debian/patches/020_mmx_optims.diff: * debian/patches/020_disable_snow_mmx_in_pic.diff: + Sync patches. * debian/patches/020_really_use_liba52.diff: * debian/patches/050_h264-misc-security-fixes.diff: * debian/patches/051_asf-misc-security-fixes.diff: + Drop patches, applied upstream or no longer relevant. * debian/patches/040_only_use_maltivec_when_needed.diff: + Upgraded patch to cover libswscale. * debian/libavcodec-dev.install: + Ship lzo.h and random.h. * debian/rules: + Fix syntax for a few --enable flags. + Only ship ffmpeg_powerpc_performance_evaluation_howto.txt.gz on powerpc machines (Closes: #385079). + Readded --enable-libtheora, it's here again. + Activate --enable-swscaler (Closes: #399141, #398442). [ Reinhard Tartler ] * debian/rules: + Ignore libswscale.pc and rgb2rgb.h. * debian/libavcodec-dev.install: + Ship fifo.h and opt.h. * debian/patches/005_altivec_flags.diff: * debian/patches/005_m68k_workaround.diff: * debian/patches/005_runtime_cpudetect.diff: * debian/patches/006_mips_pthreads.diff: * debian/patches/020_really_use_liba52.diff: + Sync patches. * debian/patches/007_disable_ffmpeg_option.diff: * debian/patches/030_arm_cpu_detect.diff: * debian/patches/030_arm_workaround.diff: + Drop patches, applied upstream or no longer relevant. ffmpeg (0.cvs20060823-7) unstable; urgency=high * debian/patches/040_only_use_maltivec_when_needed.diff: + Fix a static function prototype that prevented programs using libpostproc from working on PowerPC (Closes: #412214). * debian/control: + Added Xs-Vcs-Browser and XS-Vcs-Svn fields. ffmpeg (0.cvs20060823-6) unstable; urgency=high * Upload to unstable. ffmpeg (0.cvs20060823-5) testing-proposed-updates; urgency=high [ Loïc Minier ] * Add myself to Uploaders. * Exclude firewire libs from ffmpeg-config under kFreeBSD; based on a patch by Petr Salinger; closes: #399701. * Fix handling of debug in DEB_BUILD_OPTIONS; thanks Andreas Henriksson; closes: #406474. * SECURITY: New patch, 050_h264-misc-security-fixes, to properly check the sps and pps ids before use and to check more bitstram values and fix potential security holes; from upstream SVN r7585, r7586, and r7591. * SECURITY: New patch, 051_asf-misc-security-fixes, to properly check packet sizes, chunk sizes, and fragment positions; from upstream SVN r7640 and r7650. [ Sam Hocevar ] * debian/copyright: + Fix typo and clarify licensing terms (Closes: #398235). * debian/README.Debian: + Removed mention of ffmpeg-config now that we ship .pc files. * debian/patches/020_mmx_optims.diff: + New patch, fix FTBFS with DEB_BUILD_OPTIONS=debug. * debian/patches/040_early_altivec_detection.diff: + New patch, detect AltiVec earlier on and only once so that we don't risk using signal handlers in a multithreaded environment or when the caller already installed a SIGILL handler. * debian/patches/040_only_use_maltivec_when_needed.diff: + New patch, only use -maltivec with files that use AltiVec intrinsics, and make sure no codepath leads to these files on a non-AltiVec machine (Closes: #405926). * debian/patches/060_fix_avi_skip.diff: + New patch, courtesy of Ben Hutchings: do not attempt to skip the ODML if the current seek offset is already beyond it (Closes: #383734). ffmpeg (0.cvs20060823-4) unstable; urgency=high * Maintainer upload. * Acknowledging NMU (Closes: #386458). * High urgency because of FTBFS fix. * debian/patches/030_arm_workaround.diff: + New patch courtesy of Aurélien Jarno: disable the broken ARM assembly code in libavcodec/mpegaudiodec.c. * debian/patches/030_arm_cpu_detect.diff: + New patch courtesy of Aurélien Jarno: correctly detect the newer ARM CPUs. ffmpeg (0.cvs20060823-3.1) unstable; urgency=medium * Non-maintainer upload. * Fix variable substitution trick in debian/rules (Closes: #386458). ffmpeg (0.cvs20060823-3) unstable; urgency=low * debian/rules: + Take local packages into account when computing shlibs dependencies, so that ffplay/ffserver depend on the proper libraries (Closes: #386029). ffmpeg (0.cvs20060823-2) unstable; urgency=low * debian/patches/020_really_use_liba52.diff: + New patch: link with the shared liba52 instead of the built-in one. * debian/patches/006_mips_pthreads.diff: + New patch: link libraries with -lpthreads on Linux MIPS because of a known ld bug. * debian/patches/007_disable_ffmpeg_option.diff: + New patch: add a --disable-ffmpeg option. ffmpeg (0.cvs20060823-1) unstable; urgency=low * New SVN snapshot (Closes: #368904). * debian/control: + Set policy to 3.7.2. + Do not build 1394 support on GNU/kFreeBSD or Hurd. Patch courtesy of Petr Salinger (Closes: #372290). * debian/rules: + Minor cleanup. + Removed --enable-theora, upstream dropped that option. * debian/patches/020_mmx_intrinsics.diff: + Disabled intrinsics workaround because it is no longer necessary and it causes trouble with some codecs such as H264 (Closes: #373765). ffmpeg (0.cvs20060329-4) unstable; urgency=low * debian/control: + Make each -dev package depend on the corresponding shared library package (Closes: #361348). + Moved libavutil files from libavformat-dev to libavcodec-dev which is the real common dependency (Closes: #361269). ffmpeg (0.cvs20060329-3) unstable; urgency=low * debian/rules: that build system is hopeless. We now run configure and make twice, backup static libraries inbetween, then update timestamps to fool make. That should fix the FTBFS (Closes: #361215). ffmpeg (0.cvs20060329-2) unstable; urgency=low * debian/rules: fixed Makefile.pic generation. ffmpeg (0.cvs20060329-1) unstable; urgency=low * New CVS snapshot. * Upstream fixed a double free in img.c (Closes: #351455). * Upstream fixed the libvorbisenc dependency in libavcodec.pc (Closes: #357352). * debian/rules: + Activated threading support (Closes: #335677). + Manually reinstall dsputil.h. * debian/README.Debian: + Removed mention of --plugin-libs. + Added a note about the unofficial packages (Closes: #306752). * 020_disable_snow_mmx_in_pic.diff: (new patch) disable MMX acceleration in the Snow encoder in PIC mode. ffmpeg (0.cvs20060306-3) unstable; urgency=low * Switched patch system to quilt. * debian/control: + Build-depend on quilt. * 005_altivec_flags.diff: (new patch from old diff.gz) proper gcc flags to only generate AltiVec code when explicitely asked. * 005_m68k_workaround.diff: (new patch from old diff.gz) use -O2 instead of -O3 on m68k. * 005_runtime_cpudetect.diff: (new patch from old diff.gz) fix runtime CPU detection on m68k and x86. * 010_ffmpeg-config.diff: (new patch from old diff.gz) the ffmpeg-config script and associated manpage (legacy). * 010_shared_library_versioning.diff: (new patch from old diff.gz) use a Debian-specific scheme for shared library versioning to avoid spreading libraries incompatible with every other version. * 020_mmx_intrinsics.diff: (new patch from old diff.gz) use MMX intrinsics in dsputil_mmx.c because gcc is unable to compute some register constraints in PIC mode. * 020_mmx_pic_code.diff: (new patch from old diff.gz) ported some MMX code to be PIC. ffmpeg (0.cvs20060306-2) unstable; urgency=low * ffmpeg-config.in: removed references to _pic libraries. ffmpeg (0.cvs20060306-1) unstable; urgency=low * New CVS snapshot. * Upstream now properly installs dsputil.h (Closes: #354391). * debian/control: + Distribute shared versions of the libraries with a Debian-specific soname. * debian/rules: + Removed all custom PIC rules. + Moved ffmpeg-config to libavformat-dev instead of libavcodec-dev so that it is present by default (Closes: #350750). + Include apiexample.c in libavcodec-dev (Closes: #350027). ffmpeg (0.cvs20050918-6) unstable; urgency=low * Developer upload. * Acknowledge NMU. Thanks to Samuel Mimram (Closes: #342207). * configure: + Set RUNTIME_CPUDETECT (except on m68k where it ICEs and on x86 where it fails to build some asm constructs) (Closes: #337846). * debian/rules: + Make the build process aware of DEB_BUILD_OPTIONS, thanks to Timo Lindfors (Closes: #338895). ffmpeg (0.cvs20050918-5.1) unstable; urgency=low * NMU. * Fix exploitable heap overflow in libavcodec's handling of images with PIX_FMT_PAL8 pixel formats (CVE-2005-4048), closes: #342207. ffmpeg (0.cvs20050918-5) unstable; urgency=low * ffmpeg-config.1: fixed the examples and added a note that static libraries should be put after the objects that refer to them (Closes: #339803). ffmpeg (0.cvs20050918-4) unstable; urgency=low * configure: + Tell the configure script about m68k, ia64 and others. ffmpeg (0.cvs20050918-3) unstable; urgency=low * configure: + Use -O2 instead of -O3 on m68k to avoid ICEs. ffmpeg (0.cvs20050918-2) unstable; urgency=low * libavcodec/i386/dsputil_mmx.c: + Reworked the MMX intrinsics. * tests/libav.regression.ref: + Minor cosmetic fix to use double-digit numbers in test sequences. * debian/control: + PowerPC no longer needs to use gcc-3.4, since 4.x is the default. * libavcodec/Makefile: + Removed special compilation case for HPPA now that we use 4.x. ffmpeg (0.cvs20050918-1) unstable; urgency=low * New CVS snapshot. * Upstream applied most Debian patches. * configure: + Do not use -mabi=altivec (-maltivec is enough for our AltiVec code) so that our code still runs on a G3 computer (Closes: #319151). * debian/rules: + When not cross-compiling, run the regression tests (Closes: #292102). * debian/changelog: + Updated the FSF address. * ffmpeg-config.in: + Fixed avcodec linkage (Closes: #328505). * libavcodec/i386/mpegvideo_mmx_template.c: + Applied patch from Tobias Grimm to fix the PIC MMX code for MPEG encoding (Closes: #318493). * libavcodec/i386/dsputil_mmx.c: + Applied patch from Joshua Kwan to fix the AMD64 build (Closes: #324026). + Reworked that patch so that it still compiles on x86. ffmpeg (0.cvs20050811-2) unstable; urgency=low * ffmpeg-config.in: added a missing -lgsm. ffmpeg (0.cvs20050811-1) unstable; urgency=low * New CVS snapshot. * Upstream fixed an integer overflow in the MPEG encoder (Closes: #320150). * debian/rules: + Activated libgsm support. + Fixed theora support. + Switched installation method to dh_install. * Applied patch from Christian Aichinger and others to fix the clobbering of the %ebx register during build (Closes: #319563). ffmpeg (0.cvs20050626-2) unstable; urgency=low * ffmpeg-config.in: fixed the theora link that caused FTBFS. ffmpeg (0.cvs20050626-1) unstable; urgency=low * New CVS snapshot. * debian/control: + Set policy to 3.6.2.1. * debian/rules: + Fixed Vorbis support (Closes: #306023). + Patch by Jonas Smedegaard : conditionally enable these unofficial libraries if DEB_BUILD_OPTIONS includes "risky": o Mpeg2 layer 3 / MP3 (liblame-dev). o FAAD (libfaad2-dev). o FAAC (libfaac-dev). o XviD (libxvidcore-dev). + Activated theora support. + Activated IEEE 1394 support (Closes: #296737). ffmpeg (0.cvs20050313-2) unstable; urgency=low * libavcodec/libpostproc/postprocess_template.c libavcodec/i386/mpegvideo_mmx_template.c: fixed my PIC MMX code (Closes: #299700). * debian/rules: use gcc-3.4 on PowerPC (Closes: #300686). ffmpeg (0.cvs20050313-1) unstable; urgency=low * New CVS snapshot. * configure: fixed the builtin vector test (Closes: #293284), thanks to Jacob L. Anawalt. * libavcodec/libpostproc/postprocess_template.c libavcodec/i386/mpegvideo_mmx_template.c: fixed MMX code so that it can be compiled in PIC mode, and reactivated MMX (Closes: #290447, #290358). ffmpeg (0.cvs20050121-1) unstable; urgency=low * New CVS snapshot. * This snapshot fixes integer overflows that may lead to arbitrary code execution (Closes: #291566). ffmpeg (0.cvs20050108-1) unstable; urgency=low * Re-done tarball snapshot so that it does not contain binaries. * ffmpeg-config.in: + Added missing -lvorbisenc (Closes: #289030). * debian/rules: + Install missing headers that are not in the install rule: bwswap.h, dsputil.h, os_support.h (Closes: #289033). ffmpeg (0.cvs20050106-1) unstable; urgency=low * New upstream snapshot. * The extern/static declaration conflict was fixed upstream (Closes: #288906). ffmpeg (0.cvs20040716-2) unstable; urgency=low * debian/rules: + Include missing rtp.h / rtsp.h in libavformat-dev. * ffmpeg-config.in: + Added -lz to the libavcodec linking flags. + Added -ldts / -ldts_pic, -la52, -lvorbis to the libavcodec linking flags. ffmpeg (0.cvs20040716-1) unstable; urgency=low * Initial release (Closes: #199266). foomatic-filters (4.0.5-6+squeeze1) stable-security; urgency=high * Fix CVE-2011-2964 "foomaticrip.c in foomatic-rip in foomatic-filters allows remote attackers to execute arbitrary code via a crafted *FoomaticRIPCommandLine field in a .ppd file." - Import debian/patches/CVE-2011-2964.patch from Ubuntu maverick's 4.0.5-0ubuntu3.1, enhance its DEP-3 headers. freetype (2.4.2-2.1+squeeze3) stable-security; urgency=low * Non-maintainer upload by the Security Team. * Upload prepared by Michael Gilbert! * Fix CVE-2011-3439: vulnerability in CID-keyed Type 1 fonts. freetype (2.4.2-2.1+squeeze2) stable-security; urgency=low * Non-maintainer upload by the Security Team * CVE-2011-3256 gimp (2.6.10-1+squeeze1) squeeze-proposed-updates; urgency=low * Non-maintainer Upload (with permission from Ari Pollak) * Fix printing when used with libcairo version 1.10 or above (Closes: #655517) gnutls26 (2.8.6-1+squeeze1) stable; urgency=low * Pull fixes for buffer overflow in gnutls_session_get_data() from upstream git. (CVE-2011-4128: GNUTLS-SA-2011-2) Closes: #648441 20_CVE-2011-4128.part1.diff 20_CVE-2011-4128.part2.diff heimdal (1.4.0~git20100726.dfsg.1-2+squeeze1) squeeze-security; urgency=high * Apply patch from FreeBSD to fix CVE-2011-4862 hplip (3.10.6-2+squeeze1) stable; urgency=low * Fix "Insecure tempfile handling" CVE-2011-2722 by backporting from the removal of the culprit code by upstream. (Closes: #635549) - Added CVE-2011-2722.dpatch by Didier Raboud ia32-libs (20120102) stable; urgency=low * Packages updated [ cups (1.4.4-7+squeeze1) stable-security; urgency=high ] * Non-maintainer upload by the Security Team. * debian/patches: - str3867 added, fix an infinite loop / heap-based buffer overflow in the gif_read_lzw() function (CVE-2011-2896) - str3914 added, complete the fix for the previous issue (CVE-2011-3170). [ freetype (2.4.2-2.1+squeeze3) stable-security; urgency=low ] * Non-maintainer upload by the Security Team. * Upload prepared by Michael Gilbert! * Fix CVE-2011-3439: vulnerability in CID-keyed Type 1 fonts. [ freetype (2.4.2-2.1+squeeze2) stable-security; urgency=low ] * Non-maintainer upload by the Security Team * CVE-2011-3256 [ krb5 (1.8.3+dfsg-4squeeze2) stable; urgency=low ] * Upstream ticket 6852: permit gss_set_allowable_enctypes to restirct acceptor enctypes. Required in order to permit newer than squeeze clients to talk to a squeeze nfs server without degrading security for non-nfs applications on the box, #622146 [ mesa (7.7.1-5) squeeze; urgency=low ] * glx: suppress BadRequest from DRI2Connect (which is expected for non-local clients). [ nss (3.12.8-1+squeeze4) stable-security; urgency=low ] * Explicitly distrust malaysian Digicert Sdn. Bhd CA certificate. * Address CVE-2011-3640 (Untrusted search path vulnerability). #647614. [ openssl (0.9.8o-4squeeze4) squeeze-security; urgency=high ] * Non-maintainer upload by the Security Team. * Block Malaysian's Digicert Sdn. Bhd. certificates by marking them as revoked. [ openssl (0.9.8o-4squeeze3) squeeze; urgency=low ] * Non-maintainer upload by the Security Team. * Fix CVE-2011-3210: SSL memory handling for (EC)DH ciphersuites [ pam (1.1.1-6.1+squeeze1) stable-security; urgency=low ] * Non-maintainer upload by the Security Team * Fix CVE-2011-3148 and CVE-2011-3149 ia32-libs-gtk (20120102) stable; urgency=low * Packages updated [ jasper (1.900.1-7+squeeze1) stable-security; urgency=high ] * Backported patch from #652649: - CVE-2011-4516: Heap-based buffer overflow - CVE-2011-4517: Heap-based buffer overflow iceape (2.0.11-9) stable-security; urgency=low * Fixes for mfsa2011-{46-47,49}, also known as CVE-2011-3647, CVE-2011-3648, CVE-2011-3650. icedove (3.0.11-1+squeeze6) stable-security; urgency=high * [6f96c16] backported patches from xulrunner fixes mfsa2011-{46,47,49} - MFSA 2011-46 aka CVE-2011-3647: loadSubScript unwraps XPCNativeWrapper scope parameter - MFSA 2011-47 aka CVE-2011-3648: Potential XSS against sites using Shift-JIS - MFSA 2011-49 aka CVE-2011-3650: Memory corruption while profiling using Firebug iceweasel (3.5.16-11) stable-security; urgency=low * Fixes for mfsa2011-{46-47,49}, also known as CVE-2011-3647, CVE-2011-3648, CVE-2011-3650. ifupdown-extra (0.14.2) stable; urgency=low * Handle the configuration file through the use of dpkg-maintscript-helper instead of moving it directly to prevent dpkg from raising a conffile change prompt on upgrades even if the user has not made any changes. inetutils (2:1.6-3.1+squeeze1) squeeze-security; urgency=high * Apply patch from FreeBSD to fix CVE-2011-4862 iotop (0.4-2+squeeze1) stable; urgency=low * Backport patch to give a helpful error instead of crashing when Linux denies permission to read the taskstats files (Closes: #644616) ipmitool (1.8.11-2+squeeze2) stable-security; urgency=high * Don't set umask to fix CVE-2011-4339 (Closes: #651917). jabberbot (0.9-1+squeeze1) squeeze; urgency=low * Team upload. * Cherry-pick a change from upstream (included in 0.11): "Bind callbacks after the roster has been initialised. It is possible on busy servers that the callback can receive roster events before the roster is initalised, this moves the binding to later in the process." Closes: #651621 jasper (1.900.1-7+squeeze1) stable-security; urgency=high * Backported patch from #652649: - CVE-2011-4516: Heap-based buffer overflow - CVE-2011-4517: Heap-based buffer overflow kernel-wedge (2.74+squeeze4) stable-proposed-updates; urgency=low [ Joey Hess ] * Add et131x to nic-extra-modules. Closes: #651439 * Add isci to scsi-extra-modules. Closes: #653500 * Add xhci-hcd to usb-modules. Closes: #655923 kfreebsd-8 (8.1+dfsg-8+squeeze2) stable-security; urgency=low * Add 000_unix_socket_overflow.diff and 918_unix_socket_overflow.diff: Fix for FreeBSD-SA-11:05.unix / CVE-2011-4062. (Closes: #645377) killer (0.90-7+squeeze1) stable-proposed-updates; urgency=low * Backport bugfixes from unstable. * Change empty-domain.dpatch to fetch mail domain from DNS domain and not NIS domain (Closes: #656297). * Adjust cron job to return exit code 0 also when the package is removed but not purged (Closes: #586199). krb5 (1.8.3+dfsg-4squeeze5) squeeze-security; urgency=high * CVE-2011-1529: null pointer dereference in KDC LDAP back end, Closes: #629558 * CVE-2011-1528: assertion failure in multiple KDC back ends regarding account lockout krb5-appl (1:1.0.1-1.2) stable-security; urgency=high * Apply patch from FreeBSD to fix CVE-2011-4862 krb5-appl (1:1.0.1-1.1) stable-security; urgency=high * cve-2011-1526, mit-sa-2011-005: Krb5 ftpd fails to set correct group permissions. The ftp daemon always runs with the group permissions of the user it is started as, probably the root group. ldap2zone (0.1-7+squeeze1) stable-proposed-updates; urgency=low * Non-maintainer upload. * Include half the patch from #653053 to silence the cronjob on success, to avoid excessive emails and instead log this with syslog. The full patch has been accepted by the maintainer and is already in wheezy and sid in version 0.2-2. (Closes: #653053) ldns (1.6.6-2+squeeze1) stable-security; urgency=low * Fix heap overflow in ldns_rr_new_frm_str_internal [CVE-2011-3581] (Closes: #647297) libdata-formvalidator-perl (4.66-1+squeeze1) stable; urgency=low [ Damyan Ivanov ] * apply a patch fixing a possible passing of invalid data in untaint mode Closes: #629511 This is CVE-2011-2201. libdebian-installer (0.77+squeeze3) squeeze; urgency=low * Detect IBM pSeries platform as powerpc/chrp_ibm. libdigest-perl (1.16-1+squeeze1) squeeze; urgency=low * [CVE-2011-3597] Fix unsafe use of eval in Digest->new(). 7c25c67ebbddf98ee0471e99cdaf2c1f110eca2dc57b7af227776a8d2b990558 1227 libdigest-perl_1.16-1+squeeze1.dsc b9d70c1ab80e545f207941e497b2b1f9fc00b4641ae6b5494bd5308ff7932495 2828 libdigest-perl_1.16-1+squeeze1.diff.gz libfcgi-perl (0.71-1+squeeze1) stable-security; urgency=high * Team upload * Add patch from upstream bug tracker fixing CVE-2011-2766 Closes: #607479. Thaks to Ferdinand for reporting, Russ Allbery for the analysis and chansen for the patch. * control: update Vcs-* fields to point to Git libhtml-template-pro-perl (0.9502-1+squeeze1) squeeze; urgency=low * Patch XSS vulnerability. (Closes: #652587) + new patch: 652587.diff libjifty-dbi-perl (0.60-1+squeeze1) stable; urgency=high * Team upload. [ AGOSTINI Yves ] * Security fix against SQL injection (Closes: #622919) libmtp (1.0.3-1+squeeze1) stable; urgency=low * Add support for Motorola Xoom devices (Closes: #650152). libpar-packer-perl (1.006-1+squeeze1) stable; urgency=low * Team upload. * Add create-safe-temporary-directories.patch patch. Fixes CVE-2011-4114: PAR packed files are extracted to unsafe and predictable temporary directories. (Closes: #650706) * Bump (Build-)Depends on libpar-perl. Bump the dependencies to libpar-perl (>= 1.000-1+squeeze1) as this version contains the other half of the fix for CVE-2011-4114. * Add run_all_tests_using_a_nonce_PAR_TMPDIR.patch. Run all tests using a nonce PAR_TMPDIR (a leftover /tmp/par-USER directory from previous builds may now be considered "unsafe") libpar-perl (1.000-1+squeeze1) stable; urgency=low * Team upload. * Add create-safe-temporary-directories.patch patch. Fixes CVE-2011-4114: PAR packed files are extracted to unsafe and predictable temporary directories. (Closes: #650707) * Add run_all_tests_using_a_nonce_PAR_TMPDIR.patch. Run all tests using a nonce PAR_TMPDIR (a leftover /tmp/par-USER directory from previous builds may now be considered "unsafe") libsoup2.4 (2.30.2-1+squeeze1) stable-security; urgency=high * Non-maintainer upload by the Security Team. * Fix directory traversal vulnerability through crafted HTTP requests (CVE-2011-2524; Closes: #635837) lighttpd (1.4.28-2+squeeze1) stable-security; urgency=high * Backport security issues from 1.4.30: + Fix integer overflow (CVE-2011-4362) + Fix attack vector as disclosed by the SSL BEAST attack (related: CVE-2011-3389). Note: If you are upgrading from an older version you need to change your configuration to mitigate effects of the attack. See the corresponding NEWS file for details. linux-2.6 (2.6.32-41) stable; urgency=low [ Ben Hutchings ] * ipv6: make fragment identifications less predictable (CVE-2011-2699) - fix NULL dereference in udp6_ufo_fragment (see #643817) * Add longterm release 2.6.32.52: - Revert "clockevents: Set noop handler in clockevents_exchange_device()", included in stable update 2.6.32.50 (Closes: #653398) * Add longterm release 2.6.32.53, including: - cfq-iosched: fix cfq_cic_link() race confition For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.53 and the bug report which this closes: #655049. * Add longterm release 2.6.32.54, including: - drivers/usb/class/cdc-acm.c: clear dangling pointer - asix: fix infinite loop in rx_fixup() - SCSI: scsi_dh: check queuedata pointer before proceeding further - xfs: validate acl count; fix acl count validation (CVE-2012-0044) For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.54 and the bug report which this closes: #655816. * Refine the fix for CVE-2011-4127, based on mainline Linux: - Do not restrict processes that have CAP_SYS_RAWIO - Log a warning when an ioctl is forbidden (with rate-limiting, and excluding CDROM_GET_CAPABILITY) - Fix the ide-floppy and ub drivers - Fix the ub driver properly (not included in Debian configurations) [ Ian Campbell ] * xen: Set XEN_MAX_DOMAIN_MEMORY to 70G for 64 bit domains. (Closes: #645052) [ Jonathan Nieder ] * [x86] ACPI: fix corrupt DSDT by enabling acpi=copy_dsdt automatically on more known-bad Toshiba models (Closes: #598104) [ Arnaud Patard ] * [armel] Backport 88f6282 from mainline (Closes: #655316) linux-2.6 (2.6.32-40) stable; urgency=high [ Ben Hutchings ] * Add longterm releases 2.6.32.47 and 2.6.32.48, including: - atm: br2684: Fix oops due to skb->dev being NULL - md/linear: avoid corrupting structure while waiting for rcu_free to complete. - xen/smp: Warn user why they keel over - nosmp or noapic and what to use instead. (Closes: #637308) - md: Fix handling for devices from 2TB to 4TB in 0.90 metadata. - net/9p: fix client code to fail more gracefully on protocol error - fs/9p: Fid is not valid after a failed clunk. - TPM: Call tpm_transmit with correct size (CVE-2011-1161) - TPM: Zero buffer after copying to userspace (CVE-2011-1162) - libiscsi_tcp: fix LLD data allocation - cfg80211: Fix validation of AKM suites - USB: pid_ns: ensure pid is not freed during kill_pid_info_as_uid - kobj_uevent: Ignore if some listeners cannot handle message (Closes: #641661) - nfsd4: ignore WANT bits in open downgrade - [s390] KVM: check cpu_id prior to using it - cfq: merge cooperating cfq_queues - [x86] KVM: Reset tsc_timestamp on TSC writes (fixes guest performance regression introduced in 2.6.32-35) - ext4: fix BUG_ON() in ext4_ext_insert_extent() - ext2,ext3,ext4: don't inherit APPEND_FL or IMMUTABLE_FL for new inodes For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/ChangeLog-2.6.32.47 http://www.kernel.org/pub/linux/kernel/v2.6/longterm/ChangeLog-2.6.32.48 and the bug report which this closes: #647624. * tg3: Fix I/O failures after chip reset (Closes: #645308; regression in 2.6.32-36) * Add longterm release 2.6.32.49, including: - SCSI: st: fix race in st_scsi_execute_end - NFS/sunrpc: don't use a credential with extra groups. - netlink: validate NLA_MSECS length - hfs: add sanity check for file name length (CVE-2011-4330) - md/raid5: abort any pending parity operations when array fails. - mm: avoid null pointer access in vm_struct via /proc/vmallocinfo - ipv6: udp: fix the wrong headroom check (CVE-2011-4326) - USB: Fix Corruption issue in USB ftdi driver ftdi_sio.c For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/ChangeLog-2.6.32.49 and the bug report which this closes: #650160. * ipv6: Allow inet6_dump_addr() to handle more than 64 addresses (Closes: #651255) * Add longterm release 2.6.32.50, including: - PCI hotplug: shpchp: don't blindly claim non-AMD 0x7450 device IDs (see #638863) - sched, x86: Avoid unnecessary overflow in sched_clock - [x86] mpparse: Account for bus types other than ISA and PCI (Closes: #586494) For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/ChangeLog-2.6.32.50 and the bug report which this closes: #651367. * [vserver] Update patch to 2.6.32.48-vs2.3.0.36.29.8 - nfs: Fix client uid/gid caching (Closes: #633526) * [x86] Add isci driver from Linux 3.1 (Closes: #652857) - libsas: fix definition of wideport, include local sas address - [x86] Introduce pci_map_biosrom() * Add longterm release 2.6.32.51, including: - percpu: fix chunk range calculation - xfrm: Fix key lengths for rfc3686(ctr(aes)) (Closes: #650652) - jbd/jbd2: validate sb->s_first in journal_get_superblock() (CVE-2011-4132) - Make taskstats require root access (CVE-2011-2494) - hfs: fix hfs_find_init() sb->ext_tree NULL ptr oops (CVE-2011-2203) - oprofile, x86: Fix nmi-unsafe callgraph support - ext4: avoid hangs in ext4_da_should_update_i_disksize() [ Ian Campbell ] * xen: backport upstream (xen.git#xen/stable-2.6.32.y) fixes to event handling: - multiple fixes to PIRQ event channel handling (Closes: #638172) - setup IRQ before binding VIRQ to it. - correctly setup event channel mask for secondary CPUs on restore. - use locked set/clear bit when manipulating event channel masks. - ensure event channels are handled in a fair/round-robin order preventing lower numbered event channels from starving higher. * xen: blkback: don't fail empty barrier requests (Closes: #637234) linux-2.6 (2.6.32-39) stable; urgency=high [ Ian Campbell ] * xen: Revert "xen: Use IRQF_FORCE_RESUME". Fixes live migration regression in 2.6.32.42. (Closes: #644604) [ Ben Hutchings ] * Really fix bugs in IPv6 forwarding with GRO/GSO (Closes: #630730): - e1000e,igb,igbvf,ixgbe: Fix IPv6 GSO type checks - ipv6: Add GSO support on forwarding path * [powerpc] vserver: Wire up syscall (Closes: #646132) linux-kernel-di-amd64-2.6 (1.76+squeeze6) stable; urgency=low * Built against version 2.6.32-41 of linux-2.6. linux-kernel-di-armel-2.6 (1.56+squeeze6) stable; urgency=low * Built against version 2.6.32-41 of linux-2.6. linux-kernel-di-i386-2.6 (1.99+squeeze6) stable; urgency=low * Built against version 2.6.32-41 of linux-2.6. linux-kernel-di-ia64-2.6 (1.63+squeeze6) stable; urgency=low * Built against version 2.6.32-41 of linux-2.6. linux-kernel-di-mips-2.6 (1.31+squeeze6) stable; urgency=low * Built against version 2.6.32-41 of linux-2.6. linux-kernel-di-mipsel-2.6 (1.31+squeeze6) stable; urgency=low * Built against version 2.6.32-41 of linux-2.6. linux-kernel-di-powerpc-2.6 (1.76+squeeze6) stable; urgency=low * Built against version 2.6.32-41 of linux-2.6. linux-kernel-di-s390-2.6 (0.59+squeeze6) stable; urgency=low * Built against version 2.6.32-41 of linux-2.6. linux-kernel-di-sparc-2.6 (1.64+squeeze6) stable; urgency=low * Built against version 2.6.32-41 of linux-2.6. mahara (1.2.6-2+squeeze3) stable-security; urgency=high * SECURITY UPDATE: fix unsanitised URIs in external feed block (XSS) - debian/patches/CVE-2011-2771.patch: upstream patch * SECURITY UPDATE: fix DoS when large or invalid images are uploaded - debian/patches/CVE-2011-2772.patch: upstream patch * SECURITY UPDATE: fix CSRF when adding a user to an institution - debian/patches/CVE-2011-2773.patch: upstream patch * SECURITY UPDATE: prevent masquerading as another user through MNet - debian/patches/mnet_masquerading.patch: upstream patch man2html (1.6f+repack-1+squeeze1) stable-security; urgency=high * man2html.cgi.c: Validate user input and make some error messages less verbose to prevent XSS attacks (CVE-2011-2770). masqmail (0.2.27-1.1+squeeze1) stable; urgency=low * Non-maintainer upload. * Fix improper seteuid() calls in src/log.c and src/masqmail.c (Closes: #638002) mdadm (3.1.4-1+8efb9d1+squeeze1) stable; urgency=low [ martin f. krafft ] * Do not print io rescheduling info message when run by cron (closes: #598957). * Fix checkarray script so that it does not die after scheduling the first device when there is no scheduling class specified; thanks to Mario 'BitKoenig' Holbe (closes: #611627). * Schedule start/stop of mdadm-raid before/after filesystems are checked&mounted/unmounted; thanks to Mario 'BitKoenig' Holbe (closes: #611632). * Work around a shell coding bug for cases when there are zero active devices (closes: #618561). * Make mdadm-raid init script depend on hostname; thanks to Mario 'BitKoenig' Holbe (closes: #610421). [ Michael Tokarev ] * don't print W: auto-read-only in checkarray in quiet mode, thanks to Bernd Hanisch for the patch (Closes: #605722, #632797) mediawiki (1:1.15.5-2squeeze4) stable; urgency=low * Disable CVE-2011-4360.patch, it causes ugly error messages in certain situations. The CVE does not apply to this release. mediawiki (1:1.15.5-2squeeze3) stable; urgency=low * debian/patches/CVE-2012-0046.patch: security fix for unintended exposure of hidden content through cache pollution, CVE-2012-0046 (Closes: #655694) mediawiki (1:1.15.5-2squeeze2) stable-security; urgency=low * Security fixes from upstream (Closes: #650434): CVE-2011-4360 - page titles on private wikis could be exposed bypassing different page ids to index.php CVE-2011-4361 - action=ajax requests were dispatched to the relevant function without any read permission checks being done CVE-2011-1578 - XSS for IE <= 6 CVE-2011-1579 - CSS validation error in wikitext parser CVE-2011-1580 - access control checks on transwiki import feature CVE-2011-1587 - fix incomplete patch for CVE-2011-1578 module-init-tools (3.12-2) stable; urgency=low * Backported upstream commit 3328d17 to support 3.x kernels. moodle (1.9.9.dfsg2-2.1+squeeze2) stable-security; urgency=high * Update prepared by Tomasz Muras: * Backporting security fixes from Moodle 1.9.13 and 1.9.14 - MSA-11-0026 Fields in user upload CSV not being escaped (MDL-28360) - MSA-11-0025 Group names in user upload CSV not being escaped (MDL-28197) - MSA-11-0024 Recaptcha images were being authenticated from an older server (MDL-27889) (closes: #638935) - MSA-11-0020 Continue links in error messages can lead offsite (MDL-27464) - MSA-11-0038 Database injection protection strengthened (MDL-29033) - MSA-11-0037 Course section editing injection vulnerability (MDL-28722) - MSA-11-0036 Messaging refresh vulnerability (MDL-29311) - MSA-11-0032 MNET SSL validation issue (MDL-29148) - MSA-11-0031 Forms API constant issue (MDL-23872) Make sure that smarty & yui symlinks are correct (closes: 603255,614712) multipath-tools (0.4.8+git0.761c66f-10) stable-proposed-updates; urgency=low * [b5f7694] Change HP hardware hanlder to hp_sw. Thanks to Phil (Closes: 587315) * [4aae2ad] Update man pages (Closes: 644913) mutt (1.5.20-9+squeeze2) stable; urgency=low * Non-maintainer upload. * 619216-gnutls-CN-validation.patch: backport from unstable Fixes the validation of the commonname in the gnutls code (Closes: #619216) nfs-utils (1:1.2.2-4squeeze2) stable; urgency=high * Fix CVE-2011-1749: Avoid leaving a corrupt mtab file (Closes: #629420) nfs-utils (1:1.2.2-4squeeze1) stable; urgency=low * Build with patch d6c1b35c6b40243bfd6fba2591c9f8f2653078c0 from upstream (Closes: #622146) nginx (0.7.67-3+squeeze1) stable; urgency=low * debian/patches/CVE-2011-4315.diff: + Fixed compression pointer processing in DNS response greater than 255 bytes. See: CVE-2011-4315 for more details. nss (3.12.8-1+squeeze4) stable-security; urgency=low * Explicitly distrust malaysian Digicert Sdn. Bhd CA certificate. * Address CVE-2011-3640 (Untrusted search path vulnerability). Closes: #647614. nss-pam-ldapd (0.7.15+squeeze1) stable; urgency=low * fix an issue where changes in /etc/nsswitch.conf were not correctly picked up and could lead to lookups being disabled on upgrade (closes: #645599) * fix an issue with detecting the uid of the calling process * fix a problem in the disconnect logic code openjdk-6 (6b18-1.8.10-0+squeeze2) squeeze-security; urgency=high * Disable LLVM/Shark on PowerPC openjdk-6 (6b18-1.8.10-0+squeeze1) squeeze-security; urgency=high * New IcedTea6 1.18.10 security release. * Add Conflicts/Replaces for the Cacao VM on i386, amd64. openjdk-6 (6b18-1.8.9-0.1) unstable; urgency=high * Non-maintainer upload by the security team * New upstream version. Closes: #629852 openjdk-6 (6b18-1.8.9-0.1~squeeze1) squeeze-security; urgency=high * Build on stable. * netx/net/sourceforge/jnlp/runtime/CachedJarFileCallback.java: Remove @Override annotations for Java 5 compatibility * Remove Shark and Cacao support for i386 and amd64 openjdk-6 (6b18-1.8.7-5) unstable; urgency=low * Explicitly use GCC 4.4 for the builds. openjdk-6 (6b18-1.8.7-4) unstable; urgency=medium * Temporarily disable building the -zero package. Closes: #625164. * Build for ppc64. Closes: #625992. openjdk-6 (6b18-1.8.7-3) unstable; urgency=low * Stop building NetX and the plugin. * Add multiarch directories to the default library path. openjdk-6 (6b18-1.8.7-2) unstable; urgency=low * Fix FTBFS on armel. openoffice.org (1:3.2.1-11+squeeze4) stable-security; urgency=high * debian/patches/CVE-2011-2713.OpenOffice3.2.1.diff: fix CVE-2011-2713 (Out-of-bounds read in DOC sprm) opensaml2 (2.3-2+squeeze1) stable-security; urgency=high * SECURITY: Fix vulnerability to a "wrapping attack" that could allow a remote, unauthenticated attacker to craft messages that can be successfully verified but contain arbitrary content. This may allow an attacker to subvert the security of software using OpenSAML and supply an unauthenticated login identity and data under the guise of a trusted issuer. (CVE-2011-1411) openssl (0.9.8o-4squeeze7) squeeze-security; urgency=low * Re-upload with new version number. openssl (0.9.8o-4squeeze5) squeeze-security; urgency=low * Fix CVE-2011-4108, CVE-2011-4109, CVE-2011-4576, CVE-2011-4619 and CVE-2011-4577 * Send alert instead of assertion failure for incorrectly formatted DTLS fragments. (Closes: #645805) openssl (0.9.8o-4squeeze4) squeeze-security; urgency=high * Non-maintainer upload by the Security Team. * Block Malaysian's Digicert Sdn. Bhd. certificates by marking them as revoked. openswan (1:2.6.28+dfsg-5+squeeze1) stable-security; urgency=high [Harald Jenny] * Fix pluto crypto helper handler vulnerability (CVE-2011-4073). Thanks to Paul Wouters for the patch. Closes: #650674: [CVE-2011-4073] Openswan crypto helper crasher openttd (1.0.4-4) stable-security; urgency=high * [a0f8ff8] Fix several security issues, patches supplied by upstream. See http://security.debian.org for more details. - CVE-2011-3341 (Denial of service via improperly validated commands) - CVE-2011-3342 (Buffer overflows in savegame loading) - CVE-2011-3343 (Multiple buffer overflows in validation of external data) pam (1.1.1-6.1+squeeze1) stable-security; urgency=low * Non-maintainer upload by the Security Team * Fix CVE-2011-3148 and CVE-2011-3149 partman-target (72+squeeze1) stable; urgency=low * Stop treating ISO hybrid images on USB sticks as real optical drives. (Closes: #597223) pastebinit (1.1-2squeeze1) stable; urgency=low * backport upstream r81. Closes: #655179 (fix user config files support) pbuilder (0.199+nmu1squeeze1) squeeze; urgency=low * Non-maintainer upload. * Cherry-pick from 0.199+nmu4: Rename the /run script from --execute to /runscript, for compatibility with wheezy and later which have /run as a directory replacing /var/run (bug#627086) pdns (2.9.22-8+squeeze1) stable-security; urgency=high * Apply patch from Bert Hubert to stop responding to responses. perl (5.10.1-17squeeze3) stable; urgency=low * [SECURITY] CVE-2011-2939: Fix decode_xs n-byte heap-overflow security bug in Unicode.xs (Closes: #637376) * [SECURITY] CVE-2011-3597: Fix unsafe use of eval in Digest->new(); thanks to Ansgar Burchardt for the notification (Closes: #644108) * Unregister signal handler before destroying my_perl; fixes segfault (Closes: #604902) phpldapadmin (1.2.0.5-2+squeeze1) squeeze-security; urgency=high * Non-maintainer upload by the security team. * CVE-2011-4074 Fix XSS vulnerability in debug code (Closes: #646769) * CVE-2011-4075 Fix arbitrary code execution by unauthenticated users (Closes: #646754) phpmyadmin (4:3.3.7-7) stable-security; urgency=low * Upload to stable for security issues. * CVE-2011-4107: XML external entity (XXE) injection attack (closes: 656247). * CVE-2011-1940, CVE-2011-3181: XSS in tracking feature. * Properly apply fix for minor issues CVE-2011-2642, CVE-2011-2719. phppgadmin (4.2.3-1.1squeeze1) stable-security; urgency=high * Fix CVE-2011-3598 (XSS). pidgin (2.7.3-1+squeeze2) squeeze; urgency=medium * CVE-2011-3594.patch: - fix a SILC remote crash bug * CVE-2011-4601.patch: - fix an AIM/ICQ remote crash bug * CVE-2011-4602.patch: - fix an XMPP remote crash bug * CVE-2011-4603.patch: - fix a SILC remote crash bug postgresql-8.4 (8.4.10-0squeeze1) stable; urgency=low * New upstream bug fix release: - Fix bugs in information_schema.referential_constraints view. This view was being insufficiently careful about matching the foreign-key constraint to the depended-on primary or unique key constraint. That could result in failure to show a foreign key constraint at all, or showing it multiple times, or claiming that it depends on a different constraint than the one it really does. Since the view definition is installed by initdb, merely upgrading will not fix the problem. If you need to fix this in an existing installation, you can (as a superuser) drop the information_schema schema then re-create it by sourcing "SHAREDIR/information_schema.sql". (Run pg_config --sharedir if you're uncertain where "SHAREDIR" is.) This must be repeated in each database to be fixed. - Fix incorrect replay of WAL records for GIN index updates. This could result in transiently failing to find index entries after a crash, or on a hot-standby server. The problem would be repaired by the next "VACUUM" of the index, however. - Fix TOAST-related data corruption during CREATE TABLE dest AS SELECT - FROM src or INSERT INTO dest SELECT * FROM src. If a table has been modified by "ALTER TABLE ADD COLUMN", attempts to copy its data verbatim to another table could produce corrupt results in certain corner cases. The problem can only manifest in this precise form in 8.4 and later, but we patched earlier versions as well in case there are other code paths that could trigger the same bug. - Fix race condition during toast table access from stale syscache entries. - Track dependencies of functions on items used in parameter default expressions. Previously, a referenced object could be dropped without having dropped or modified the function, leading to misbehavior when the function was used. Note that merely installing this update will not fix the missing dependency entries; to do that, you'd need to "CREATE OR REPLACE" each such function afterwards. If you have functions whose defaults depend on non-built-in objects, doing so is recommended. - Allow inlining of set-returning SQL functions with multiple OUT parameters. - Make DatumGetInetP() unpack inet datums that have a 1-byte header, and add a new macro, DatumGetInetPP(), that does not. - Improve locale support in money type's input and output. Aside from not supporting all standard lc_monetary formatting options, the input and output functions were inconsistent, meaning there were locales in which dumped money values could not be re-read. - Don't let transform_null_equals affect CASE foo WHEN NULL ... constructs. transform_null_equals is only supposed to affect foo = NULL expressions written directly by the user, not equality checks generated internally by this form of CASE. - Change foreign-key trigger creation order to better support self-referential foreign keys. For a cascading foreign key that references its own table, a row update will fire both the ON UPDATE trigger and the CHECK trigger as one event. The ON UPDATE trigger must execute first, else the CHECK will check a non-final state of the row and possibly throw an inappropriate error. However, the firing order of these triggers is determined by their names, which generally sort in creation order since the triggers have auto-generated names following the convention "RI_ConstraintTrigger_NNNN". A proper fix would require modifying that convention, which we will do in 9.2, but it seems risky to change it in existing releases. So this patch just changes the creation order of the triggers. Users encountering this type of error should drop and re-create the foreign key constraint to get its triggers into the right order. - Avoid floating-point underflow while tracking buffer allocation rate. - Preserve blank lines within commands in psql's command history. The former behavior could cause problems if an empty line was removed from within a string literal, for example. - Fix pg_dump to dump user-defined casts between auto-generated types, such as table rowtypes. - Use the preferred version of xsubpp to build PL/Perl, not necessarily the operating system's main copy. - Fix incorrect coding in "contrib/dict_int" and "contrib/dict_xsyn". - Honor query cancel interrupts promptly in pgstatindex(). - Ensure VPATH builds properly install all server header files. - Shorten file names reported in verbose error messages. Regular builds have always reported just the name of the C file containing the error message call, but VPATH builds formerly reported an absolute path name. postgresql-8.4 (8.4.9-1) unstable; urgency=low * New upstream bug fix release: - Fix bugs in indexing of in-doubt HOT-updated tuples. These bugs could result in index corruption after reindexing a system catalog. They are not believed to affect user indexes. - Fix multiple bugs in GiST index page split processing. The probability of occurrence was low, but these could lead to index corruption. - Fix possible buffer overrun in tsvector_concat(). The function could underestimate the amount of memory needed for its result, leading to server crashes. - Fix crash in xml_recv when processing a "standalone" parameter. - Make pg_options_to_table return NULL for an option with no value. Previously such cases would result in a server crash. - Avoid possibly accessing off the end of memory in "ANALYZE" and in SJIS-2004 encoding conversion. This fixes some very-low-probability server crash scenarios. - Prevent intermittent hang in interactions of startup process with bgwriter process. This affected recovery in non-hot-standby cases. - Fix race condition in relcache init file invalidation. There was a window wherein a new backend process could read a stale init file but miss the inval messages that would tell it the data is stale. The result would be bizarre failures in catalog accesses, typically "could not read block 0 in file ..." later during startup. - Fix memory leak at end of a GiST index scan. Commands that perform many separate GiST index scans, such as verification of a new GiST-based exclusion constraint on a table already containing many rows, could transiently require large amounts of memory due to this leak. - Fix incorrect memory accounting (leading to possible memory bloat) in tuplestores supporting holdable cursors and plpgsql's RETURN NEXT command. - Fix performance problem when constructing a large, lossy bitmap. - Fix join selectivity estimation for unique columns. This fixes an erroneous planner heuristic that could lead to poor estimates of the result size of a join. - Fix nested PlaceHolderVar expressions that appear only in sub-select target lists. This mistake could result in outputs of an outer join incorrectly appearing as NULL. - Allow nested EXISTS queries to be optimized properly. - Fix array- and path-creating functions to ensure padding bytes are zeroes. This avoids some situations where the planner will think that semantically-equal constants are not equal, resulting in poor optimization. - Fix "EXPLAIN" to handle gating Result nodes within inner-indexscan subplans. The usual symptom of this oversight was "bogus varno" errors. - Work around gcc 4.6.0 bug that breaks WAL replay. This could lead to loss of committed transactions after a server crash. - Fix dump bug for VALUES in a view. - Disallow SELECT FOR UPDATE/SHARE on sequences. This operation doesn't work as expected and can lead to failures. - Fix "VACUUM" so that it always updates pg_class.reltuples/relpages. This fixes some scenarios where autovacuum could make increasingly poor decisions about when to vacuum tables. - Defend against integer overflow when computing size of a hash table. - Fix cases where "CLUSTER" might attempt to access already-removed TOAST data. - Fix portability bugs in use of credentials control messages for "peer" authentication. - Fix SSPI login when multiple roundtrips are required. The typical symptom of this problem was "The function requested is not supported" errors during SSPI login. - Throw an error if "pg_hba.conf" contains hostssl but SSL is disabled. This was concluded to be more user-friendly than the previous behavior of silently ignoring such lines. - Fix typo in pg_srand48 seed initialization. This led to failure to use all bits of the provided seed. This function is not used on most platforms (only those without srandom), and the potential security exposure from a less-random-than-expected seed seems minimal in any case. - Avoid integer overflow when the sum of LIMIT and OFFSET values exceeds 2^63. - Add overflow checks to int4 and int8 versions of generate_series(). - Fix trailing-zero removal in to_char(). In a format with FM and no digit positions after the decimal point, zeroes to the left of the decimal point could be removed incorrectly. - Fix pg_size_pretty() to avoid overflow for inputs close to 2^63. - Weaken plpgsql's check for typmod matching in record values. An overly enthusiastic check could lead to discarding length modifiers that should have been kept. - Fix pg_upgrade to preserve toast tables' relfrozenxids during an upgrade from 8.3. Failure to do this could lead to "pg_clog" files being removed too soon after the upgrade. - Fix psql's counting of script file line numbers during COPY from a different file. - Fix pg_restore's direct-to-database mode for standard_conforming_strings. pg_restore could emit incorrect commands when restoring directly to a database server from an archive file that had been made with standard_conforming_strings set to on. - Be more user-friendly about unsupported cases for parallel pg_restore. This change ensures that such cases are detected and reported before any restore actions have been taken. - Fix write-past-buffer-end and memory leak in libpq's LDAP service lookup code. - In libpq, avoid failures when using nonblocking I/O and an SSL connection. - Improve libpq's handling of failures during connection startup. In particular, the response to a server report of fork() failure during SSL connection startup is now saner. - Improve libpq's error reporting for SSL failures. - Fix PQsetvalue() to avoid possible crash when adding a new tuple to a PGresult originally obtained from a server query. - Make ecpglib write double values with 15 digits precision. - In ecpglib, be sure LC_NUMERIC setting is restored after an error. - Apply upstream fix for blowfish signed-character bug (CVE-2011-2483) (Closes: #631285) "contrib/pg_crypto"'s blowfish encryption code could give wrong results on platforms where char is signed (which is most), leading to encrypted passwords being weaker than they should be. - Fix memory leak in "contrib/seg". - Fix pgstatindex() to give consistent results for empty indexes. - Allow building with perl 5.14. (Closes: #628503) * Drop 16-cmsgcred-size.patch, fixed upstream in a different way. postgresql-8.4 (8.4.9-0squeeze1) stable-security; urgency=low * New upstream bug fix/security release: - Fix bugs in indexing of in-doubt HOT-updated tuples. These bugs could result in index corruption after reindexing a system catalog. They are not believed to affect user indexes. - Fix multiple bugs in GiST index page split processing. The probability of occurrence was low, but these could lead to index corruption. - Fix possible buffer overrun in tsvector_concat(). The function could underestimate the amount of memory needed for its result, leading to server crashes. - Fix crash in xml_recv when processing a "standalone" parameter. - Make pg_options_to_table return NULL for an option with no value. Previously such cases would result in a server crash. - Avoid possibly accessing off the end of memory in "ANALYZE" and in SJIS-2004 encoding conversion. This fixes some very-low-probability server crash scenarios. - Prevent intermittent hang in interactions of startup process with bgwriter process. This affected recovery in non-hot-standby cases. - Fix race condition in relcache init file invalidation. There was a window wherein a new backend process could read a stale init file but miss the inval messages that would tell it the data is stale. The result would be bizarre failures in catalog accesses, typically "could not read block 0 in file ..." later during startup. - Fix memory leak at end of a GiST index scan. Commands that perform many separate GiST index scans, such as verification of a new GiST-based exclusion constraint on a table already containing many rows, could transiently require large amounts of memory due to this leak. - Fix incorrect memory accounting (leading to possible memory bloat) in tuplestores supporting holdable cursors and plpgsql's RETURN NEXT command. - Fix performance problem when constructing a large, lossy bitmap. - Fix join selectivity estimation for unique columns. This fixes an erroneous planner heuristic that could lead to poor estimates of the result size of a join. - Fix nested PlaceHolderVar expressions that appear only in sub-select target lists. This mistake could result in outputs of an outer join incorrectly appearing as NULL. - Allow nested EXISTS queries to be optimized properly. - Fix array- and path-creating functions to ensure padding bytes are zeroes. This avoids some situations where the planner will think that semantically-equal constants are not equal, resulting in poor optimization. - Fix "EXPLAIN" to handle gating Result nodes within inner-indexscan subplans. The usual symptom of this oversight was "bogus varno" errors. - Work around gcc 4.6.0 bug that breaks WAL replay. This could lead to loss of committed transactions after a server crash. - Fix dump bug for VALUES in a view. - Disallow SELECT FOR UPDATE/SHARE on sequences. This operation doesn't work as expected and can lead to failures. - Fix "VACUUM" so that it always updates pg_class.reltuples/relpages. This fixes some scenarios where autovacuum could make increasingly poor decisions about when to vacuum tables. - Defend against integer overflow when computing size of a hash table. - Fix cases where "CLUSTER" might attempt to access already-removed TOAST data. - Fix portability bugs in use of credentials control messages for "peer" authentication. - Fix SSPI login when multiple roundtrips are required. The typical symptom of this problem was "The function requested is not supported" errors during SSPI login. - Throw an error if "pg_hba.conf" contains hostssl but SSL is disabled. This was concluded to be more user-friendly than the previous behavior of silently ignoring such lines. - Fix typo in pg_srand48 seed initialization. This led to failure to use all bits of the provided seed. This function is not used on most platforms (only those without srandom), and the potential security exposure from a less-random-than-expected seed seems minimal in any case. - Avoid integer overflow when the sum of LIMIT and OFFSET values exceeds 2^63. - Add overflow checks to int4 and int8 versions of generate_series(). - Fix trailing-zero removal in to_char(). In a format with FM and no digit positions after the decimal point, zeroes to the left of the decimal point could be removed incorrectly. - Fix pg_size_pretty() to avoid overflow for inputs close to 2^63. - Weaken plpgsql's check for typmod matching in record values. An overly enthusiastic check could lead to discarding length modifiers that should have been kept. - Fix pg_upgrade to preserve toast tables' relfrozenxids during an upgrade from 8.3. Failure to do this could lead to "pg_clog" files being removed too soon after the upgrade. - Fix psql's counting of script file line numbers during COPY from a different file. - Fix pg_restore's direct-to-database mode for standard_conforming_strings. pg_restore could emit incorrect commands when restoring directly to a database server from an archive file that had been made with standard_conforming_strings set to on. - Be more user-friendly about unsupported cases for parallel pg_restore. This change ensures that such cases are detected and reported before any restore actions have been taken. - Fix write-past-buffer-end and memory leak in libpq's LDAP service lookup code. - In libpq, avoid failures when using nonblocking I/O and an SSL connection. - Improve libpq's handling of failures during connection startup. In particular, the response to a server report of fork() failure during SSL connection startup is now saner. - Improve libpq's error reporting for SSL failures. - Fix PQsetvalue() to avoid possible crash when adding a new tuple to a PGresult originally obtained from a server query. - Make ecpglib write double values with 15 digits precision. - In ecpglib, be sure LC_NUMERIC setting is restored after an error. - Apply upstream fix for blowfish signed-character bug (CVE-2011-2483) (Closes: #631285) "contrib/pg_crypto"'s blowfish encryption code could give wrong results on platforms where char is signed (which is most), leading to encrypted passwords being weaker than they should be. - Fix memory leak in "contrib/seg". - Fix pgstatindex() to give consistent results for empty indexes. - Allow building with perl 5.14. (Closes: #628503) * 15-revert-typmod-check.patch: Update for new upstream release. postgresql-8.4 (8.4.8-2) unstable; urgency=low * debian/postgresql-8.4.postrm: Clean up pg_ctl.conf on purge. * debian/control, debian/rules: Drop usage of pycentral. We don't ship any Python extension/module, so we don't need a python helper at all. (Closes: #616948) * Add 16-cmsgcred-size.patch: Fix size of struct cmsgcred to fix ident authentication on kFreeBSD 64 bit. Thanks to Petr Salinger for the patch! (Closes: #612888) postgresql-8.4 (8.4.8-1) unstable; urgency=medium Priority medium due to data-loss pg_upgrade bug. [ Martin Pitt ] * New upstream bug fix release: - If your installation was upgraded from a previous major release by running pg_upgrade, you should take action to prevent possible data loss due to a now-fixed bug in pg_upgrade. The recommended solution is to run "VACUUM FREEZE" on all TOAST tables. More information is available at http://wiki.postgresql.org/wiki/20110408pg_upgrade_fix. - Fix pg_upgrade's handling of TOAST tables. This error poses a significant risk of data loss for installations that have been upgraded with pg_upgrade. This patch corrects the problem for future uses of pg_upgrade, but does not in itself cure the issue in installations that have been processed with a buggy version of pg_upgrade. - Suppress incorrect "PD_ALL_VISIBLE flag was incorrectly set" warning. - Disallow including a composite type in itself. - Avoid potential deadlock during catalog cache initialization. - Fix dangling-pointer problem in BEFORE ROW UPDATE trigger handling when there was a concurrent update to the target tuple. - Disallow "DROP TABLE" when there are pending deferred trigger events for the table. Formerly the "DROP" would go through, leading to "could not open relation with OID nnn" errors when the triggers were eventually fired. - Prevent crash triggered by constant-false WHERE conditions during GEQO optimization. - Improve planner's handling of semi-join and anti-join cases. - Fix selectivity estimation for text search to account for NULLs. - Improve PL/pgSQL's ability to handle row types with dropped columns. - Fix PL/Python memory leak involving array slices. - Fix pg_restore to cope with long lines (over 1KB) in TOC files. - Put in more safeguards against crashing due to division-by-zero with overly enthusiastic compiler optimization. (Closes: #616180) * debian/control: Stop building the versionless metapackages and client-side libraries, they are built by postgresql-9.0 now. Add libpq-dev build dependency. * debian/rules: Drop check for uninstalled files, since it'd now break the build due to the uninstalled libraries. [ Matthias Klose ] * Add 15-bool-altivec.patch: Fix definition of bool on __APPLE_ALTIVEC__ architecture (ppc64). proftpd-dfsg (1.3.3a-6squeeze4) stable-security; urgency=low * [SECURITY] 3711.dpatch. This patch fixes a response pool use-after-free memory corruption error. This is CVE-2011-4130. (closes: #648373) * [SECURITY] 3624.dpatch This patch fixes the issue by causing mod_tls to clear the buffers of any data received from the client, once the SSL/TLS handshake has succeded. This is similar to CVE-2011-0411. pure-ftpd (1.0.28-3+squeeze1) stable; urgency=low * Non-maintainer upload by the Security Team * Fix CVE-2011-1575 python-debian (0.1.18+squeeze1) stable; urgency=low * Allow ':' as the first character of a value. This fixes an implementation error where the paragraph Foo: : bar would be interpreted as {'Foo:': 'bar'} by the Python-native parser, while it would be correctly interpreted as {'Foo': ': bar'} by both the apt_pkg parser and the Python email library. (Closes: #597249) python-django (1.2.3-3+squeeze2) stable-security; urgency=low * Stable security upload: https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/ * Apply/backport the 3 security patches: - debian/patches/13_fix_safety_issue_with_session_data.diff - debian/patches/14_fix_dos_with_urlfield.diff - debian/patches/15_fix_spoofing_issue_with_x_forwarded_host.diff Closes: #641405 python-django-piston (0.2.2-1+squeeze1) squeeze-security; urgency=low * Fix a security issue in the YAML emitter. (CVE-2011-4103) * Disable the pickle loader due to security concerns (Closes: #646517) python3-defaults (3.1.3-12+squeeze1) stable; urgency=low * dh_python3: ignore binary files while checking shebangs (Closes: #651437) - Cherrypicked from /pkg-python/python3-defaults-debian revision 83 qemu-kvm (0.12.5+dfsg-5+squeeze7) stable; urgency=low * stash-away-SCM_RIGHTS-fd-until-a-getfd-command-arrives-e53f27b9d9.diff patch from upstream (included in 0.13 and up, and also in ubuntu) to fix NIC hotplug from libvirt (Closes: #637990) quassel (0.6.3-2+squeeze2) stable; urgency=low * Fixing missing translations in quassel-data-kde4_0.6.3-2+squeeze1_all.deb radvd (1:1.6-1.1) stable-security; urgency=high * Non-maintainer upload by the Security Team. * debian/patches: backport patches from upstream to fix various security issues: closes: #644614 - 0001-set_interface_var-doesn-t-check-interface-name-and-b fix arbitrary file overwrite (CVE-2011-3602) - 0002-main-must-fail-on-privsep_init-errors-it-must-not-ru, 0003-privsep_read_loop-should-return-on-unprivileged-daem and 0004-Really-exit-on-privsep-init-failure fix failure to check return code of privilege dropping function (CVE-2011-3603) - 0005-process_ra-has-numerous-missed-len-checks.-It-leads- fix multiple buffer overreads (CVE-2011-3604) - 0006-removing-mdelay-in-unicast-only-case fix a denial of service (CVE-2011-3605) - 0007-checking-iface-name-more-carefully on top of 0001-set_interface_var-doesn-t-check-interface-name-and-b (CVE-2011-3602) rails (2.3.5-1.2+squeeze2) stable-security; urgency=low * Fix security regression caused by pulling invalid upstream fix (Closes: #629067) recoll (1.13.04-3+squeeze1) stable; urgency=low * debian/patches/03_patch-unac-icclose.diff: + plug conversion descriptor leak in unac.c::convert() error path, fixes index crash (Closes: #614760) rng-tools (2-unofficial-mt.14-1~60squeeze1) stable; urgency=low * Debian 6.0 (Squeeze) backport to fix important bugs in Debian stable (closes: #609289, #630771) + No changes from 2-unofficial-mt.14-1 rpm (4.8.1-6+squeeze1) stable; urgency=low * Non-maintainer upload by the Security Team * Fix CVE-2011-3378 (Closes: #645325) samba (2:3.5.6~dfsg-3squeeze6) stable-proposed-updates; urgency=low * Allow using unencrypted passwords with Windows clients that got KB2536276 installed. Closes: #652048 shorewall (4.4.11.6-3+squeeze1) stable-proposed-updates; urgency=low * Install missing /usr/share/shorewall/helpers (Closes: #646112) shorewall-lite (4.4.11.6-1+squeeze2) stable-proposed-updates; urgency=low * Install missing /usr/share/shorewall-lite/helpers (Closes: #646281) shorewall6 (4.4.11.6-1+squeeze1) stable-proposed-updates; urgency=low * Install missing /usr/share/shorewall6/helpers (Closes: #646280) shorewall6-lite (4.4.11.6-1+squeeze2) stable-proposed-updates; urgency=low * Install missing /usr/share/shorewall6-lite/helpers (Closes: #646282) simplesamlphp (1.6.3-3) stable-security; urgency=high * Fix user-assisted cross site scripting. simplesamlphp (1.6.3-2) stable; urgency=high * Apply upstream patch fixing security issues: - It may be possible to use an SP as a oracle to decrypt encrypted messages sent to that SP. This is the attack described in the paper "How to break XML encryption": http://dx.doi.org/10.1145/2046707.2046756 - It may be possible to use the SP as a key oracle which can be used to forge messages from that SP by issuing 300000-2000000 queries to the SP. This mainly affects SPs that use signed authentication requests. The attack is described in "Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1.": http://www.iacr.org/cryptodb/data/paper.php?pubkey=1037 slbackup (0.0.12-2+squeeze1) stable; urgency=low * Fixed typo in cron-job (path to configfile). (Closes: #626884) slbackup-php (0.3-2.2+squeeze1) stable; urgency=low * Non-maintainer upload. * Patch src/index.php. Fixes reappearing login page on every click (closes: #655832). * Patch src/index.php and templates/restore.tpl. Allows restore of files with blanks in their name. Closes: #565181. Patch provided by Cyril ETCHEVERRIA -> thanks! * Patch templates/status.tpl. For last failed backup really show the timestamp of the last failed backup and not erroneously the timestamp of the last successful backup. * Upload sponsored by Petter Reinholdtsen. spip (2.1.1-3squeeze2) stable-security; urgency=high * Non-maintainer upload by the Security Team. * Updated security screen. Prevent a cross site scripting. * Backport patches from 2.1.12. Fixes a privilege escalation and a cross site scripting. Closes: #649113 squid3 (3.1.6-1.2+squeeze2) stable-security; urgency=high * Apply upstream patches to fix a memory leak and invalid free(). revisions 10111 and 10384 from the SQUID_3_1 branch. Fixes CVE-2011-4096. subversion (1.6.12dfsg-6) stable-security; urgency=high [ Michael Diers ] * patches/cve-2011-1752: New patch for CVE-2011-1752, fixing a remotely triggered crash in mod_dav_svn, delivering baselined WebDAV resources. * patches/cve-2011-1783: New patch for CVE-2011-1783 and CVE-2011-1921, fixing remotely triggered memory exhaustion and a content leak of files that are meant to be unreadable. subversion (1.6.12dfsg-5) stable-security; urgency=high * patches/cve-2011-0715: New patch for CVE-2011-0715, fixing a remotely triggered crash in mod_dav_svn involving lock tokens. super (3.30.0-3+squeeze1) stable-security; urgency=high * Add 12-Use-vsnprintf.patch to fix buffer overflow error occurring when logging via syslog is enabled (CVE-2011-2776). * Add 13-Potential-format-string-vulnerability.patch to fix a vulnerability that might occur if the user of file name or file name used in the tag contains a '%' character. systemtap (1.2-5+squeeze1) stable-security; urgency=high * Non-maintainer upload * Backport upstream fix for CVE-2011-2503. (Closes: #635542) * Rename patch debian-changes-1.2-5 to fix-CVE-2010-4170-CVE-2010-4171.diff and fix misleading DEP-3 information (this fix was first included in 1.2-3). t1lib (5.1.2-3+squeeze1) stable-security; urgency=high * Non-maintainer upload by the Security Team. * debian/patches: - CVE-2010-2642 added, fix heap-based buffer overflow first found in evince but applicable to the embedded afmparse library found in t1lib too. Fixes CVE-2011-0433 too on the same patch. - CVE-2011-0764 added, fix arbitrary code execution by only using ppoints when it is a valid pointer. closes: #652996 This fixes CVE-2011-0764, CVE-2011-1552, CVE-2011-1553 and CVE-2011-1554 * format-string added, fix a format string error IfTrace0 macro and another in T1_SubfsetFont(). t1lib (5.1.2-3+lenny1) oldstable-security; urgency=high * Non-maintainer upload by the Security Team. * debian/patches: - CVE-2010-2642 added, fix heap-based buffer overflow first found in evince but applicable to the embedded afmparse library found in t1lib too. Fixes CVE-2011-0433 too on the same patch. - CVE-2011-0764 added, fix arbitrary code execution by only using ppoints when it is a valid pointer. closes: #652996 This fixes CVE-2011-0764, CVE-2011-1552, CVE-2011-1553 and CVE-2011-1554 * format-string added, fix a format string error IfTrace0 macro and another in T1_SubfsetFont(). tinyproxy (1.8.2-1squeeze2) stable; urgency=low * Add validate_port_number.patch: validate port number specified in Port directive, to avoid possible buffer overflows that could allow for access restriction bypasses [CVE-2011-1843] (closes: #627503). As the configuration file is under the control of the admin, this is not considered a security issue. tor (0.2.2.35-1~squeeze+1) stable-security; urgency=low * Upload tor 0.2.2.x to squeeze security as the old 0.2.1.x tree will be end-of-lifed by upstream soon. This version brings one important security fix to squeeze (CVE-2011-2778, SOCKS handling potential remote code execution), together with the numerous stability and performance improvements that the 0.2.2.x tree has over the old 0.2.1.x versions. * Revert the patch that enables Control Socket by default from Tor version 0.2.2.29-beta-1 (git commit 61bd4d4f) for the squeeze- security upload to make this package's behaviour reasonable close to how Tor 0.2.1.x behaved in squeeze. tor (0.2.2.34-1) unstable; urgency=high * New upstream version, fixing a couple of security relevant bugs such as guard enumeration (CVE-2011-2768) and bridge enumeration (CVE-2011-2769) issues. For details consult the upstream changelog. tor (0.2.2.33-1) unstable; urgency=low * New upstream version. * Make patches/06_add_compile_time_defaults build without compiler warnings: - Correctly declare functions as having no arguments instead of not telling the compiler which arguments it'll have. * Suggest tor-arm (closes: #640265). * Downgrade socat and polipo|privoxy to Suggests (closes: #640264). tor (0.2.2.32-1) unstable; urgency=low * New upstream version, upload to unstable. tor (0.2.2.31-rc-1) experimental; urgency=low * New upstream version. tor (0.2.2.30-rc-1) experimental; urgency=low * New upstream version. tor (0.2.2.29-beta-1) experimental; urgency=low * New upstream version. * Enable Control Socket by default. It lives in /var/run/tor/ (closes: #552556). * The postinst script changes /var/run/tor to mode 02750 if it exists, but the tor init script creates it with mode 02700 if it doesn't. Change the init script to also create the directory with a group writeable mode, the same as the postinst maintainer script, i.e. 02750. . This will allow users in the debian-tor group to access the control socket (re: #552556). tor (0.2.2.28-beta-1) experimental; urgency=low * New upstream version. tor (0.2.2.27-beta-1) experimental; urgency=low * New upstream version. tor (0.2.2.23-alpha-1) experimental; urgency=low * New upstream version. * The tor specification files are no longer shipped in the tarball, so /usr/share/doc/tor/spec is no more. They can be found online at . tor (0.2.2.22-alpha-1) experimental; urgency=low * New upstream version. tor (0.2.2.21-alpha-1) experimental; urgency=high * New upstream version, including several security related fixes. See upstream changelog for details. Addresses CVE-2011-0427. * Forward port patches/03_tor_manpage_in_section_8. tor (0.2.2.20-alpha-1) experimental; urgency=high * New upstream version. - Fix a remotely exploitable bug that could be used to crash instances of Tor remotely by overflowing on the heap. Remote-code execution hasn't been confirmed, but can't be ruled out (CVE-2010-1676). * Since the dawn of time (0.0.2pre19-1, January 2004, initial release of the debian package), the postinst script has changed ownership and permissions of various trees like /var/lib/tor, /var/run/tor, and /var/log/tor, sometimes recursively. . It turns out this actually is a security issue, so try to be more conservative when fixing up modes and only chown/chgrp /var/{lib,log,run}/tor directly, never recursively. * Remove /var/run/tor, recursively, on purge. We already do this for /var/lib/tor and /var/log/tor. tor (0.2.2.19-alpha-1) experimental; urgency=low * New upstream version. - remove debian/patches/15_tlsext_host_name (already included in new upstream version). tor (0.2.2.18-alpha-2) experimental; urgency=low * If we overwrite src/or/micro-revision.i in during build, clean it out in the clean target. * Add debian/patches/15_tlsext_host_name: Work around change in libssl0.9.8 (0.9.8g-15+lenny9 and 0.9.8o-3), taken from 0.2.1.27 (closes: #604198): . Do not set the tlsext_host_name extension on server SSL objects; only on client SSL objects. We set it to immitate a browser, not a vhosting server. This resolves an incompatibility with openssl 0.9.8p and openssl 1.0.0b. Fixes bug 2204; bugfix on 0.2.1.1-alpha. tor (0.2.2.18-alpha-1) experimental; urgency=low * New upstream version. tor (0.2.2.17-alpha-1) experimental; urgency=low * New upstream version. tor (0.2.2.16-alpha-1) experimental; urgency=low * New upstream version. * Downgrade torsocks/tsocks dependency to a recommends. That tool is not needed if you only run a relay, or if you access Tor only using polipo or privoxy. The torify(1) wrapper that makes use of torsocks or tsocks already handles their absense and emmits a proper message telling the user what they are missing (closes: #595898). * Remove suggests of mixminion which is no longer in the archive (closes: #594207), and also of anon-proxy which appears to not have been updated in at least two years. * Add xul-ext-torbutton to suggests. tor (0.2.2.15-alpha-1) experimental; urgency=low * New upstream version. * Forward port 06_add_compile_time_defaults. tor (0.2.2.14-alpha-1) experimental; urgency=low * New upstream version. Among many other things: - New config option "WarnUnsafeSocks 0" disables the warning that occurs whenever Tor receives only an IP address instead of a hostname. Setups that do DNS locally over Tor are fine, and we shouldn't spam the logs in that case. (Closes: #497466) tor (0.2.2.13-alpha-1) experimental; urgency=low * New upstream version. tor (0.2.2.12-alpha-1) experimental; urgency=low * New upstream version. tor (0.2.2.11-alpha-1) experimental; urgency=low * New upstream version. tor (0.2.2.10-alpha-2) experimental; urgency=low * In /etc/default/tor also source /etc/default/tor.vidalia if it exists and if vidalia is installed. We do this so that the vidalia package can override some of our settings: People who have vidalia installed might not want to run Tor as a system service. The vidalia .deb can ask them that and then set run-daemon to no. tor (0.2.2.10-alpha-1) experimental; urgency=low * New upstream version. * debian/rules: - make manpage building properly depend on patch-stamp, - Fix building in the absence of a debian/micro-revision.i file. tor (0.2.2.9-alpha-1) experimental; urgency=low * New upstream version. - We no longer need to build-depend on a recent libssl-dev because Tor now detects whether we need to explicitly turn on autonegotiation at run-time rather than compile time. Good. (This also means we no longer need to conflict with newer libssls when we built against an old one on backports.) - The manpages are now built with asciidoc. While the upstream tarball already ships with the output of asciidoc, we instead build the manpages during package build time so we can patch them. + Therefore build-depend on asciidoc (>= 8.2), docbook-xml, docbook-xsl, and xmlto. + update 03_tor_manpage_in_section_8 to patch the .txt files now. + Remove tor.1.in torify.1.in tor-gencert.1.in tor-resolve.1.in in the doc directory during clean. + And try to work around missing (and if it wasn't, broken) build-system for the manpages. + The torify.1 manpage gets installed by upstream, no longer need to do it manually in debian/rules. - The original design paper is no longer shipped with Tor. + Remove debian/hexdump-*.pdf (which we used to work around fig2dev bugs). + No longer build the paper in debian/rules, and remove it from debian/tor.docs. + No longer build-depend on texlive-base-bin, texlive-latex-base, texlive-fonts-recommended, transfig and ghostscript. - Upstream tarballs no longer ship an AUTHORS file, or the website, Removed these from debian/tor.docs. No longer shipping parts of the website also closes: #443560. - Also no longer distribute doc/TODO and doc/HACKING in the debian package. * Move from comm to section net, where it might fit slightly better (closes: #482801). * Ship contrib/tor-exit-notice.html in the tor package (put it into usr/share/doc/tor; closes: #568934). * Add stark README.polipo with the instructions from Juliusz Chroboczek. (closes: #413730) * 0.2.2.4-alpha failed to ship test.h so we had included it in the debian diff. The upstream bug has long since been fixed so we should probably stop shipping our own copy of test.h. * Finally apply Peter Eisentraut's patch for tor's init script to support status as an argument (closes: #526371). tor (0.2.2.8-alpha-1) experimental; urgency=low * New upstream version. tor (0.2.2.7-alpha-2) experimental; urgency=low * debian/rules: Minor cleanup (use a single variable for making up our configure flags, not two). * debian/rules: Remove logic that ignores the result of unit tests if localhost does not resolve (or not to 127.0.0.1). This should no longer be necessary as our build chroots have gotten a lot better. * Depend on and enable hardening-includes for building. tor (0.2.2.7-alpha-1) experimental; urgency=medium * New upstream version. - Rotate keys (both v3 identity and relay identity) for moria1 and gabelmoo. [and more] tor (0.2.2.6-alpha-1) experimental; urgency=low * New upstream version. - Drop debian/patches/0a58567c-work-with-reneg-ssl.dpatch (part of upstream). tor (0.2.2.5-alpha-1) experimental; urgency=low * New upstream version. * Pick 0a58567ce3418f410cf1dd0143dd3e56b4a4bd1f from master git tree: - work with libssl that has renegotiation disabled by default. (debian/patches/0a58567c-work-with-reneg-ssl.dpatch) * Therefore build-depend on libssl-dev >= 0.9.8k-6. If we build against earlier versions we will not work once libssl gets upgraded to a version that disabled renegotiations. * Change order of recommends from privoxy | polipo to polipo | privoxy. * Allegedly echo -e is a bashism. Remove it from debian/rules, we don't need it anyways (closes: #478631). * Change the dependency on tsocks to torsocks | tsocks (see: #554717). tor (0.2.2.4-alpha-1) experimental; urgency=low * New upstream version. * The testsuite moved from src/or/test to src/test/test, but let's call it using "make check" now. * Upstream failed to ship src/test/test.h. Ship it in debian/ and manually copy it in place during configure and clean up in clean. Let's not use the patch system as this will most likely be rectified by next release. tor (0.2.2.3-alpha-1) experimental; urgency=low * New upstream version. tor (0.2.2.2-alpha-1) experimental; urgency=low * New upstream version. * The files src/common/common_sha1.i src/or/or_sha1.i get changed during the build - they contain the checksums of the individual files that end up in the binary. Of couse changes only end up in the debian diff.gz after building a second time in the same directory. So, remove those files in clean to get both a cleaner diff.gz and idempotent builds. * If we have a debian/micro-revision.i, replace the one in src/or with our copy so that this will be the revision that ends up in the binary. This is an informational only version string, but it'd be kinda nice if it was (more) accurate nonetheless. . Of course this won't help if people manually patch around but it's still preferable to claiming we are exactly upstream's source. . If we are building directly out of a git tree, update debian/micro-revision.i in the clean target. tor (0.2.2.1-alpha-1) experimental; urgency=low * New upstream version. * Forward port patches/03_tor_manpage_in_section_8.dpatch. * Forward port patches/06_add_compile_time_defaults.dpatch. tor (0.2.1.32-1) oldstable-security; urgency=high * New upstream version, fixing a heap overflow bug related to Tor's SOCKS code (CVE-2011-2778). tor (0.2.1.31-1) stable-security; urgency=high * New upstream version, fixing a couple of security relevant bugs such as guard enumeration (CVE-2011-2768) and bridge enumeration (CVE-2011-2769) issues. For details consult the upstream changelog. tor (0.2.1.30-1) unstable; urgency=low * New upstream version. * The tor specification files are no longer shipped in the tarball, so /usr/share/doc/tor/spec is no more. They can be found online at . torque (2.4.8+dfsg-9squeeze1) stable-security; urgency=low * [CVE_2011_2193]: Fix two potential buffer overflows: jobid length and hostname length weren't properly checked, and these both allow segfaults/buffer overflow attacks within the code. * Steal an additional potential buffer overflow fix from upstream SVN: - src/resmom/checkpoint.c (mom_checkpoint_recover): Use strncpy and strncat instead of strcpy and strcat. * Update Vcs-* fields to point to the new squeeze branch. tzdata (2011n-0squeeze1) stable; urgency=low * New upstream veersion, fixing DST for: - Cuba. - Fidji. - Pridnestrovian Moldavian Republic. tzdata (2011m-1) unstable; urgency=critical * New upstream version, fix DST for: - Pridnestrovian Moldavian Republic. - Ukraine (Closes: #645783). - Bahia, Brazil. Drop debian/patches/bahia.diff. * Set urgency to critical as the above changes will be effective on the night from Saturday to Sunday. tzdata (2011m-0squeeze1) stable; urgency=low * New upstream version, fix DST for: - Pridnestrovian Moldavian Republic. - Ukraine (Closes: #645783). - Bahia, Brazil. Drop debian/patches/bahia.diff. tzdata (2011l-2) unstable; urgency=high * Upstream is now ICANN, update debian/watch and debian/copyright. tzdata (2011l-1.1) unstable; urgency=low * Non-maintainer upload. * debian/patches/bahia.diff: add DST for America/Bahia (Closes: #645638). Next upstream release should also include this change. tzdata (2011l-1) unstable; urgency=low * New upstream release. tzdata (2011l-0squeeze1) stable; urgency=low * New upstream release. * Upstream is now IANA, update debian/changes and debian/watch accordingly. * debian/patches/bahia.diff: add DST for America/Bahia (Closes: #645638). tzdata (2011k-1) unstable; urgency=low [ Aurelien Jarno ] * New upstream release: - Update DST rules for Ukraine. Closes: #642232. - Update DST rules for Belarus. Closes: #641846. [ Debconf translations ] * Spanish (Francisco Javier Cuadrado). Closes: #642071. unbound (1.4.6-1+squeeze2) squeeze-security; urgency=high * Apply patch from upstream to fix DNSSEC-related crashes (CVE-2011-4528) user-mode-linux (2.6.32-1um-4+41) stable; urgency=high * Rebuild against linux-source-2.6.32 (2.6.32-41): * Add longterm releases 2.6.32.47 and 2.6.32.48, including: - atm: br2684: Fix oops due to skb->dev being NULL - md/linear: avoid corrupting structure while waiting for rcu_free to complete. - xen/smp: Warn user why they keel over - nosmp or noapic and what to use instead. (Closes: #637308) - md: Fix handling for devices from 2TB to 4TB in 0.90 metadata. - net/9p: fix client code to fail more gracefully on protocol error - fs/9p: Fid is not valid after a failed clunk. - TPM: Call tpm_transmit with correct size (CVE-2011-1161) - TPM: Zero buffer after copying to userspace (CVE-2011-1162) - libiscsi_tcp: fix LLD data allocation - cfg80211: Fix validation of AKM suites - USB: pid_ns: ensure pid is not freed during kill_pid_info_as_uid - kobj_uevent: Ignore if some listeners cannot handle message (Closes: #641661) - nfsd4: ignore WANT bits in open downgrade - [s390] KVM: check cpu_id prior to using it - cfq: merge cooperating cfq_queues - [x86] KVM: Reset tsc_timestamp on TSC writes (fixes guest performance regression introduced in 2.6.32-35) - ext4: fix BUG_ON() in ext4_ext_insert_extent() - ext2,ext3,ext4: don't inherit APPEND_FL or IMMUTABLE_FL for new inodes For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/ChangeLog-2.6.32.47 http://www.kernel.org/pub/linux/kernel/v2.6/longterm/ChangeLog-2.6.32.48 and the bug report which this closes: #647624. * tg3: Fix I/O failures after chip reset (Closes: #645308; regression in 2.6.32-36) * Add longterm release 2.6.32.49, including: - SCSI: st: fix race in st_scsi_execute_end - NFS/sunrpc: don't use a credential with extra groups. - netlink: validate NLA_MSECS length - hfs: add sanity check for file name length (CVE-2011-4330) - md/raid5: abort any pending parity operations when array fails. - mm: avoid null pointer access in vm_struct via /proc/vmallocinfo - ipv6: udp: fix the wrong headroom check (CVE-2011-4326) - USB: Fix Corruption issue in USB ftdi driver ftdi_sio.c For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/ChangeLog-2.6.32.49 and the bug report which this closes: #650160. * ipv6: Allow inet6_dump_addr() to handle more than 64 addresses (Closes: #651255) * Add longterm release 2.6.32.50, including: - PCI hotplug: shpchp: don't blindly claim non-AMD 0x7450 device IDs (see #638863) - sched, x86: Avoid unnecessary overflow in sched_clock - [x86] mpparse: Account for bus types other than ISA and PCI (Closes: #586494) For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/ChangeLog-2.6.32.50 and the bug report which this closes: #651367. * [vserver] Update patch to 2.6.32.48-vs2.3.0.36.29.8 - nfs: Fix client uid/gid caching (Closes: #633526) * [x86] Add isci driver from Linux 3.1 (Closes: #652857) - libsas: fix definition of wideport, include local sas address - [x86] Introduce pci_map_biosrom() * Add longterm release 2.6.32.51, including: - percpu: fix chunk range calculation - xfrm: Fix key lengths for rfc3686(ctr(aes)) (Closes: #650652) - jbd/jbd2: validate sb->s_first in journal_get_superblock() (CVE-2011-4132) - Make taskstats require root access (CVE-2011-2494) - hfs: fix hfs_find_init() sb->ext_tree NULL ptr oops (CVE-2011-2203) - oprofile, x86: Fix nmi-unsafe callgraph support - ext4: avoid hangs in ext4_da_should_update_i_disksize() * xen: backport upstream (xen.git#xen/stable-2.6.32.y) fixes to event handling: - multiple fixes to PIRQ event channel handling (Closes: #638172) - setup IRQ before binding VIRQ to it. - correctly setup event channel mask for secondary CPUs on restore. - use locked set/clear bit when manipulating event channel masks. - ensure event channels are handled in a fair/round-robin order preventing lower numbered event channels from starving higher. * xen: blkback: don't fail empty barrier requests (Closes: #637234) * ipv6: make fragment identifications less predictable (CVE-2011-2699) - fix NULL dereference in udp6_ufo_fragment (see #643817) * Add longterm release 2.6.32.52: - Revert "clockevents: Set noop handler in clockevents_exchange_device()", included in stable update 2.6.32.50 (Closes: #653398) * Add longterm release 2.6.32.53, including: - cfq-iosched: fix cfq_cic_link() race confition For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/ChangeLog-2.6.32.53 and the bug report which this closes: #655049. user-mode-linux (2.6.32-1um-4+39squeeze1) stable-security; urgency=high * Rebuild against linux-source-2.6.32 (2.6.32-39squeeze1): * Revert "ipv6: make fragment identifications less predictable" (Closes: #643817). This reopens CVE-2011-2699. * xen: Revert "xen: Use IRQF_FORCE_RESUME". Fixes live migration regression in 2.6.32.42. (Closes: #644604) * Really fix bugs in IPv6 forwarding with GRO/GSO (Closes: #630730): - e1000e,igb,igbvf,ixgbe: Fix IPv6 GSO type checks - ipv6: Add GSO support on forwarding path * [powerpc] vserver: Wire up syscall (Closes: #646132) * Restrict ioctl forwarding on partitions and logical volumes (CVE-2011-4127) * xfs: Fix possible memory corruption in xfs_readlink (CVE-2011-4077) * KEYS: Fix a NULL pointer deref in the user-defined key type (CVE-2011-4110) * [x86] KVM: Prevent starting PIT timers in the absence of irqchip support (CVE-2011-4622) * rose: Add length checks to CALL_REQUEST parsing (CVE-2011-4914) webkit (1.2.7-0+squeeze2) stable; urgency=low [ Gustavo Noronha Silva ] * debian/patches/06-fix-null-dns-lookups.patch: - Avoid doing lots of needless NULL DNS lookups, thanks to Michael Gratton for the patch and Simon Paillard for the investigation (Closes: #578019) whatsnewfm (0.7.2-0+squeeze1) stable; urgency=medium * New upstream release (closes: #647079) - take the name change into account and make package work again * Update package description to refer to freecode.com wireshark (1.2.11-6+squeeze5) stable-security; urgency=high * security fixes from Wireshark 1.4.10: - Huzaifa Sidhpurwala of Red Hat Security Response Team discovered a buffer overflow in the ERF file reader. (CVE-2011-4102) wireshark (1.2.11-6+squeeze4) stable-security; urgency=low * Rebuild to bypass dak weirdness xen (4.0.1-4) stable-security; urgency=low * Fix overflows and missing error checks in PV kernel loader. CVE-2011-1583 * Protect against malicious MSIs from untrusted devices. CVE-2011-1898 xorg (1:7.5+8+squeeze1) squeeze-security; urgency=low * xserver-wrapper: when we drop privileges, don't forget to also reset effective group id, since we're installed setgid root. * xserver-wrapper: revert change to allow devices with major 5 as consoles. This includes things like /dev/tty and /dev/ptmx, which are world-readable (closes: #652249). Thanks to vladz for the report. Reference: CVE-2011-4613. xorg-server (2:1.7.7-14) squeeze; urgency=low * GLX: add missing input sanitization (CVE-2010-4818). Also fix a couple swapping issues. * File disclosure vulnerability (CVE-2011-4028). * File permission change vulnerability (CVE-2011-4029). * xf86ScaleAxis: support for high resolution devices. xpdf (3.02-12+squeeze1) stable-proposed-updates; urgency=low * Fix cve-2011-2902: insecure tempfile usage in zxpdf (closes: #635849). ======================================== Sat, 08 Oct 2011 - Debian 6.0.3 released ======================================== ace (5.7.7+dfsg-1) stable; urgency=low * Repackage to remove non-distributable .pdf files. Closes: #630897. akonadi (1.3.1-3+squeeze1) stable-proposed-updates; urgency=low * Add patch 04_socket_location.diff to allow akonadi-server to run when HOME is mounted to the network filesystem (Closes: #545139). Thanks to Ansgar Burchardt for the patch. amispammer (3.1-1+squeeze1) stable; urgency=low * Patch to fix detection of the IP address apache2 (2.2.16-6+squeeze4) squeeze; urgency=low * Fix CVE-2011-3348: Possible denial of service in mod_proxy_ajp if combined with mod_proxy_balancer. * Make exit code of '/etc/init.d/apache2 status' more LSB compatible. Closes: #613969 * Fix typo in init script. Closes: #615866 * For multiple instance setups, correctly determine the config dir in the init script if it is called via a start/stop link. Closes: #627061 * Add hint in README.Debian about 403 error with mod_dav PUT. Closes: #613438 * Add hint in README.Debian about how to increase max number of open files. Closes: #615632 * Make it clear in README.multiple-instances that the MPMs are shipped in the apache2.2-bin package. * Tweak patch header to fix "dpatch unapply" with unstable's patch/dpatch. apache2 (2.2.16-6+squeeze3) squeeze-security; urgency=high * Fix regressions related to range requests introduced by 2.2.16-6+squeeze2. Closes: #639825 apache2 (2.2.16-6+squeeze2) squeeze-security; urgency=high * Fix CVE-2011-3192: DoS by high memory usage for a large number of overlapping ranges. aptitude (0.6.3-3.2+squeeze1) stable; urgency=low * Non-maintainer upload. * Backport of 0009-fix-symlink-attack: Fix a potential symlink attack that could occur if a user with no home directory edited and saved the package hierarchy definitions. (Closes: #612034) arcboot (0.3.14+squeeze0) stable; urgency=low * This upload fixes the netinstall on IP22 and IP32 * [5e61c13] tip22: Drop .gnu.att section mapped add VMA 0 * [01c99b5] Move the tip22 image to 0x89702000 on IP22 as described in #452798. Thanks to Edwin Kwan for analyzing this. * [399eff1] Fix address substitution for IP32. It was being handled as IP22 in tip22. * [acd5d82] Cleanup all subarches asterisk (1:1.6.2.9-2+squeeze3) stable-security; urgency=high * Patch AST-2011-008 (CVE-2011-2529) - crash on a malformed SIP packet (Closes: 631446). * Patch AST-2011-010 (CVE-2011-2535): crash due to dereferencing a remote pointer (closes: #631448). * AST-2011-011 (CVE-2011-2536): Don't leak SIP username information (closes: #632029) atop (1.23-1+squeeze1) stable; urgency=high * Non-maintainer upload. * Fix CVE-2011-XXXX: Insecure use of temporary files in rawlog.c and acctproc.c (Closes: #622794) atop (1.23-1+lenny1) oldstable; urgency=high * Non-maintainer upload. * Fix CVE-2011-XXXX: Insecure use of temporary files in rawlog.c and acctproc.c (Closes: #622794) base-files (6.0squeeze3) stable; urgency=low * Changed /etc/debian_version to 6.0.3, for Debian 6.0.3 point release. bcfg2 (1.0.1-3+squeeze1) stable-security; urgency=high * Apply patch from Chris St. Pierre to fix several problems with unescaped shell commands (Closes: #640028). bind9 (1:9.7.3.dfsg-1~squeeze3) squeeze-security; urgency=high * Apply patch from ISC BIND 9.7.3-P3 to address CVE-2011-2464. brltty (4.2-7+squeeze1) squeeze; urgency=low * brltty-udeb.prebasconfig: - do not stop and not setup gconf just because no table was specified in kernel parameters. - Fix parsing brltty= when not all parameters are provided. ca-certificates (20090814+nmu3squeeze1) stable; urgency=low * Non-maintainer upload. * No-change upload with incremented version number to avoid a version number conflict with '20090814+nmu3'. ca-certificates (20090814+nmu3) squeeze-security; urgency=high * Non-maintainer upload by the Security Team. * Blacklist "DigiNotar Root CA" (Closes: #639744) ca-certificates (20090814+nmu3) unstable; urgency=low * Non-maintainer upload. * Fix pending l10n issues. Debconf translations: - French (Christian Perrier). Closes: #594231 - Danish (Joe Hansen). Closes: #601129 - Catalan (Jordi Mallach). Closes: #601089 - Brazilian Portuguese (Adriano Rafael Gomes). Closes: #618633 chromium-browser (6.0.472.63~r59945-5+squeeze6) stable-security; urgency=low * Added gbp.conf * Fixed CVE-2011-2818: Use-after-free in display box rendering. Credit to Martin Barbella. * Fixed CVE-2011-2800: Leak of client-side redirect target. Credit to Juho Nurminen * FIxed CVE-2011-2359: Stale pointer due to bad line box tracking in rendering. Credit to miaubiz and Martin Barbella. * Blacklist SSL certificates issued by DigiNotar-controlled intermediate CAs used by the Dutch PKIoverheid program clamav (0.97.2+dfsg-1~squeeze1) stable; urgency=low [ Michael Tautschnig ] * New upstream release - Fixes off-by-one-error (closes: #635599) - Fixes opcode 20 is not implemented error (closes: #635340) - New option ExtraDatabase for freshclam * Debconf translation updates - Portuguese (closes: #630954) - French (closes: #631978) - Swedish (closes: #632144) - Danish (closes: #632558) - Spanish (closes: #633883) - Russian (closes: #635145) clamav (0.97.1+dfsg-1) unstable; urgency=low [ Michael Tautschnig ] * New upstream release - New option ClamukoExcludeUID for clamd * Added debconf question for clamav-milter/LogClean (closes: #617890). * Clarified text about clamav-milter's temporary directory in debconf question (closes: #617889). * Debconf translation updates - Japanese (closes: #624802) * Remove references to other libraries from dependency_libs field (closes: #621206). Thanks Luk Claes for the patch. * Added doc-base file to clamav-docs (closes: #629357). Thanks John Vogel. * Bumped Standards-Version to 3.9.2, no changes needed. [ Stephen Gran ] * Update README.Debian to reflect reality for the milter (closes: #597048) clamav (0.97.1+dfsg-1~squeeze1) stable; urgency=low [ Michael Tautschnig ] * New upstream release - New option ClamukoExcludeUID for clamd * Added debconf question for clamav-milter/LogClean (closes: #617890). * Clarified text about clamav-milter's temporary directory in debconf question (closes: #617889). * Debconf translation updates - Japanese (closes: #624802) * Remove references to other libraries from dependency_libs field (closes: #621206). Thanks Luk Claes for the patch. * Added doc-base file to clamav-docs (closes: #629357). Thanks John Vogel. * Bumped Standards-Version to 3.9.2, no changes needed. [ Stephen Gran ] * Update README.Debian to reflect reality for the milter (closes: #597048) clamav (0.97+dfsg-2) unstable; urgency=low [ Michael Tautschnig ] * Proper suite name. * More tidy up: new upstream release also fixed problems with ExtendedDetectionInfo (upstream bb#2409, closes: #617262). clive (2.2.13-5+squeeze3) stable; urgency=low * Adapt for youtube.com changes. (Closes: #636612) + new patch: 636612-youtube.diff conky (1.8.0-1+squeeze1) stable; urgency=low * Patch TEMP-0612033-026F3E: security issue in Conky's "eve" module, which causes Conky to be vulnerable to rewriting any user file. ctdb (1.0.112-12-3) stable; urgency=low * Really fix httpd (i.e. apache2 service) activation (the previous patch was depending on commit d98f175e which was not in ctdb 1.0.112-12). ctdb (1.0.112-12-2) stable; urgency=low * Fix ethtool path in /etc/ctdb/events.d/10.interface (Closes: #635135) * Fix httpd (i.e. apache2 service) activation (Closes: #635136) curl (7.21.0-2) stable-security; urgency=high * debian/patches/curl-gssapi-delegation: Fix for GSSAPI delegation vulnerability as detailed in CVE-2011-2192. More information and the patch at . (closes: #631615) debian-installer-netboot-images (20110106.squeeze3.b1) squeeze; urgency=low * Rebuild against squeeze-proposed-updates. debian-installer-utils (1.82+squeeze1) stable; urgency=low * chroot_setup.sh: Export SUDO_FORCE_REMOVE=yes, since removing sudo is never harmful during installation and is occasionally useful, e.g. when installing sudo-ldap (closes: #586887). deja-dup (14.2-1squeeze1) stable; urgency=low * Fix problem with GPG which makes restore impossible, as it now fails with EOFError. Patch picked from upstream code, revision 728. Thanks to Jérémy Bobbio for reporting and providing the patch. (Closes: #624598) dokuwiki (0.0.20091225c-10+squeeze2) stable; urgency=low * debian/patches/rss_security.diff: Backport an upstream security fix for an XSS vulnerability in the RSS embedding mechanism. (CERTA-2011-AVI-366) dovecot (1:1.2.15-7) stable-security; urgency=high * [2ffd812] Lifted Build-Conflicts with ancient linux-kernel-headers (Closes: #622384) dovecot (1:1.2.15-6) stable-security; urgency=high * Rebuilt in a clean squeeze environment, no changes. dovecot (1:1.2.15-5) stable-security; urgency=high * [feae144] Fixed potential crashes and other problems when parsing header names that contained NUL characters. (CVE-2011-1929) (Closes: #627443) dput (0.9.6.1+squeeze1) stable; urgency=low [ Y Giridhar Appaji Nag ] * Change the default backports configuration (Closes: #595726) [ Gerfried Fuchs ] * Duplicate the backports.org upload host as backports. backports.org is left as legacy hostname for now, it shouldn't be used anymore. drupal6 (6.18-1squeeze1) stable-proposed-updates; urgency=high [ Luigi Gangitano ] * debian/patches/21_SA-CORE-2011-001 - Included upsteam security fix for XSS in color module (Ref: SA-CORE-2011-001, CVE: TBA)(Closes: #628896) ejabberd (2.1.5-3+squeeze1) stable-security; urgency=high * Non-maintainer upload by the Security Team. * Fix billion laughs attack DoS attack vector by disabling entity expansion completely (CVE-2011-1753.patch). ffmpeg (4:0.5.4-1) stable-security; urgency=low * New upstream release. New releases fixes: - Fix memory corruption in WMV parsing (addresses CVE-2010-3908, LP: #690169) - Fix heap corruption crashes (addresses CVE-2011-0722) - Fix crashes in Vorbis decoding found by zzuf (addresses CVE-2010-4704, Closes: #611495) - Fix another crash in Vorbis decoding (addresses CVE-2011-0480, Chrome issue 68115) - Fix invalid reads in VC-1 decoding (related to CVE-2011-0723) - Do not attempt to decode APE file with no frames (fixes DoS) * drop fix-CVE-2010-3429.patch, applied upstream firmware-nonfree (0.28+squeeze1) stable; urgency=low * Add VIA VT6656 firmware for use with vt6656 driver * Add Realtek RTL8105E-1 and RTL8168E-1/2/3 firmware for use with r8169 foo2zjs (20090908dfsg-5.1+squeeze0) stable-proposed-updates; urgency=low * Non-maintainer upload. * Update debian/patches/60-getweb.in.patch: Fix CVE-2011-2684 "Insecure Temporary File" (CWE-277) in /usr/bin/getweb by creating a safe temporary directory with mktemp (Closes: #633870) and running the script with -e. freebsd-libs (8.1-5+squeeze1) stable; urgency=low * Move libsbuf.so.0 to /lib (needed by /sbin/zfs and /sbin/zpool). (Closes: #637100) * Move libipx.so.2 to /lib (needed by ifconfig). freebsd-utils (8.1-5) stable; urgency=low * Provide config files and init.d script for devd. (Closes: #630614) * Enable ieee80211 (wireless) in ifconfig. (Closes: #601803) freetype (2.4.2-2.1+squeeze1) stable-security; urgency=high * Non-maintainer upload by the Security Team. * CVE-2011-0226: Vulnerability in parsing Type 1 fonts gajim (0.13.4-3+squeeze1) stable; urgency=low [ Étienne Loks ] * Fix CPU high load when connecting first. Closes: #634880 gdebi (0.6.4+squeeze1) stable; urgency=low * Try to determine correct localized value for "Y" answer by parsing first value located into square brackets instead of relying on an hardcoded value (Closes: #637653). gdm3 (2.30.5-6squeeze4) stable; urgency=low * 35_double_free.patch: stolen from 2.30.7. Fix a double free issue in the chooser code. * 36_windowpath.patch: stolen from 2.30.7. Only set the WINDOWPATH variable if not null. * 37_shutdown_buttons.patch: stolen from upstream git. Only show shutdown options when requested. Closes: #628032. * 14_pam_dialog.patch: remove the beep, since it happens after the session has been reaped and can lock the sound device. git (1:1.7.2.5-3) stable; urgency=low * debian/diff/0034..0042: new from the upstream maint-1.7.2 branch: * bisect, blame, cherry-pick, merge-recursive, revert: fix off-by-one read when searching for the end of a commit subject. * some minor documentation updates. * debian/diff/0043-upload-pack-start-pack-objects-before-...: new from upstream; upload-pack: start child that reads pack_pipe before writing to it. This prevents server-side deadlocks on shallow clone (closes: #607346). * debian/git-daemon/run: use SO_REUSEADDR when binding the listening socket so the server can restart without waiting for old connections to time out (thx Daniel Kahn Gillmor; closes: #609405). * debian/git-daemon-run.postrm purge: terminate the git-daemon/log service, even if there is an active connection using it, before deleting logs and the gitlog user (thx Daniel Kahn Gillmor; closes: #627314). grub-installer (1.60+squeeze3) stable; urgency=low * Restore the ability to choose to install GRUB Legacy by preseeding (grub-installer/grub2_instead_of_grub_legacy=false), removed in 1.60 as a side-effect of removing a warning message. This is still useful e.g. when installing inside Xen. grub2 (1.98+20100804-14+squeeze1) stable; urgency=low [ Colin Watson ] * Backport from upstream: - Handle Xen split-partition disk image devices (closes: 601974). - Ensure uniqueness of RAID array numbers even if some elements have a name (closes: #609804). [ Robert Millan ] * Fix grub-probe detection for ATA devices using `ata' driver on kFreeBSD 9. - kfreebsd-9_ada_devices.patch * Mark la_array as packed. - zfs_packed_la_array.patch heimdal (1.4.0~git20100726.dfsg.1-2) stable; urgency=low * NFS needs same dispensation to use DES as AFS (closes: #629276). httpcomponents-client (4.0.1-1squeeze1) stable; urgency=high * Fixed critical bug causing Proxy-Authorization header to be sent to the target host when tunneling requests through a proxy server that requires authentication: CVE-2011-1498. (Closes: #628727). * Set Debian Java Team as Maintainer and add myself to Uploaders. ia32-libs (20111001) stable; urgency=low * Packages updated [ curl (7.21.0-2) stable-security; urgency=high ] * debian/patches/curl-gssapi-delegation: Fix for GSSAPI delegation vulnerability as detailed in CVE-2011-2192. More information and the patch at . (#631615) [ dbus (1.2.24-4+squeeze1) stable; urgency=low ] * Update Vcs-* control fields to reflect the move to git * Apply patch to fix CVE-2011-2200 (fd.o #38120), which is a local DoS for system services (#629938) [ e2fsprogs (1.41.12-4stable1) stable; urgency=high ] * Upload to proposed-updates * Fix "mke2fs -n" so it won't issue a discard and thus trash all the data on an SSD (oops!!!) [ e2fsprogs (1.41.12-4) unstable; urgency=high ] * Clear ext4 error fields in the superblock. Otherwise users will see scary messages every 24 hours after a file system error is detected, even after e2fsck has fixed it, if they are using Linux 2.6.35 or later. * Fix usage message for logsave (#619788) [ e2fsprogs (1.41.12-3) unstable; urgency=high ] * Fix signed vs. unsigned char bug in getopt in e2fsprogs which afflicts systems with default unsigned char * Fix bug in e2fsck where it would fail to fix file systems where both the primary and backup block group descriptors are corrupted. (Addresses Ubuntu Launchpad bug: #711799) * Fix package description: fsck has been moved to util-linux (#588726) * Fix badblocks so it the progress message correctly handles UTF-8 characters for I18N systems (#583782, #587834) * Prevent e2fsck from accidentally scrambling a file system when checking a snapshot which has an external journal device (which has not been snapshotted). (#587531) * Fix inode nlink accounting that would lead to very scary PROGRAMMING BUG errors. (#555456) * Fix typos, spelling mistakes, spelling-out-the-obvious-to-clueless- sysadmins, etc. in man pages. (#589345, #594004, #580236, #591083, #505719, #599786) [ freetype (2.4.2-2.1+squeeze1) stable-security; urgency=high ] * Non-maintainer upload by the Security Team. * CVE-2011-0226: Vulnerability in parsing Type 1 fonts [ krb5 (1.8.3+dfsg-4squeeze1) stable; urgency=low ] * Fix double free with pkinit on KDC, CVE-2011-0284, #618517 * Updated Danish debconf translations, thanks Joe Dalton, #584282 * KDC/LDAP DOS (CVE-2010-4022, CVE-2011-0281, and CVE-2011-0282, #613487 * Fix delegation of credentials against Windows servers; significant interoperability issue, #611906 * Set nt-srv-inst on TGS names to work against W2K8R2 KDCs, #616429 * Don't fail authentication when PAC verification fails; support hmac- md5 checksums even for non-RC4 keys, #616728 * Port fix to upstream ticket 6899: fix invalid free in kadmind change password case, #622681 [ libpng (1.2.44-1+squeeze1) stable-security; urgency=high ] * Apply upstream patch to 1-byte uninitialized memory reference in png_format_buffer(). (#632786, CVE-2011-2501) * Apply upstream patch to buffer overwrite in png_rgb_to_gray. (#633871, CVE-2011-2690) * Apply upstream patch to crash in png_default_error due to use of NULL Pointer. (#633871, CVE-2011-2691) * Apply upstream patch to memory corruption when handling empty sCAL chunks. (#633871, CVE-2011-2692) [ libsndfile (1.0.21-3+squeeze1) stable-security; urgency=low ] * CVE-2011-2696 [ nss (3.12.8-1+squeeze3) stable-security; urgency=low ] * mozilla/security/nss/lib/ckfw/builtins/certdata.*: Explicitely distrust various DigiNotar CAs: - DigiNotar Root CA - DigiNotar Services 1024 CA - DigiNotar Cyber CA - DigiNotar Cyber CA 2nd - DigiNotar PKIoverheid - DigiNotar PKIoverheid G2 [ nss (3.12.8-1+squeeze2) stable-security; urgency=low ] * mozilla/security/nss/lib/ckfw/builtins/certdata.*: Remove DigiNotar Root CA. [ openldap (2.4.23-7.2) stable; urgency=low ] * Non-maintainer upload targeted at stable. * Fix "dpkg-reconfigure slapd". #596343 [ openldap (2.4.23-7.1) stable; urgency=low ] * Non-maintainer upload targeted at stable. * Picked the following patches from various sources: [ Matthijs Möhlmann ] * Update patch service-operational-before-detach (#616164, #598361) [ Ubuntu Security Team / Jamie Strandboge ] * SECURITY UPDATE: fix successful anonymous bind via chain overlay when using forwarded authentication failures - debian/patches/CVE-2011-1024 - CVE-2011-1024 * SECURITY UPDATE: verify password when authenticating to rootdn and using ndb backend. Note: Debian is not compiled with --enable-ndb by default - debian/patches/CVE-2011-1025 - CVE-2011-1025 * SECURITY UPDATE: fix DoS when processing unauthenticated modrdn requests and requestDN is empty - debian/patches/CVE-2011-1081 - CVE-2011-1081 - LP: #742104, 617606 [ openssl (0.9.8o-4squeeze2) squeeze-security; urgency=high ] * Non-maintainer upload by the Security Team. * Block DigiNotar certificates * Fix CVE-2011-1945: timing attacks against ECDHE_ECDSA makes it easier to determine private keys. [ tiff (3.9.4-5+squeeze3) stable-security; urgency=high ] * Redo CVE-2011-0192 to fix regression. (#630042) ia32-libs-gtk (20111001) stable; urgency=low * Packages updated [ qt4-x11 (4:4.6.3-4+squeeze1) stable; urgency=low ] [ José Manuel Santamaría Lema ] * Blacklist a set of fraudulent ssl certificates; to perform this blacklisting we need these patches: - blacklist_fraudulent_comodo_certificates.diff - ssl_certificate_large_sn.diff * Fix CVE-2010-3170 (browser wildcard cerficate validation weakness) with cve_2010_3170_ssl_certificates_wildcard.diff. This problem affects the Arora web browser. ibid (0.1.0+dfsg-2+squeeze1) stable; urgency=medium * Fix the following security issues. Fixes backported from 0.1.1 bugfix release (Closes: #618026): - perms-705860.patch: Enforce access-restriction on handlers without @match patterns. (LP: #705860) - logfile-visibility-567576.patch: Channels must be explicitly configured to have publicly readable logs. (LP: #567576) - meeting-privacy-649383.patch: Don't report private messages from the bot in meeting minutes. (LP: #649383) * http-features-fix-545168.patch: Fix the breakage of the http source (LP: #545168) iceape (2.0.11-8) stable-security; urgency=low * Fixes for mfsa2011-{36-40}, also known as CVE-2011-2995, CVE-2011-2998, CVE-2011-2999, CVE-2011-3000, CVE-2011-2372. * mozilla/security/manager/ssl/src/nsIdentityChecking.cpp, mozilla/security/manager/ssl/src/nsNSSCallbacks.*, mozilla/security/manager/ssl/src/nsNSSIOLayer.*: Mark DigiNotar root certificates as revoked instead of untrusted. iceape (2.0.11-7) stable-security; urgency=low * Fixes for mfsa2011-30, including: CVE-2011-2982, CVE-2011-2981, CVE-2011-2378, CVE-2011-2984, CVE-2011-2983. iceape (2.0.11-6) stable-security; urgency=low * Fixes for mfsa2011-{19,20,22-24}, also known as CVE-2011-2374, CVE-2011-2376, CVE-2011-2365, CVE-2011-2373, CVE-2011-2371, CVE-2011-0083, CVE-2011-2363, CVE-2011-0085, CVE-2011-2362. icedove (3.0.11-1+squeeze5) stable-security; urgency=high * [44577f9] backported patches from xulrunner fixes mfsa2011-{36-40} - MFSA 2011-36 aka CVE-2011-2995: Miscellaneous memory safety hazards (rv:7.0 / rv:1.9.2.23) - MFSA 2011-37 aka CVE-2011-2998: Integer underflow when using JavaScript RegExp - MFSA 2011-38 aka CVE-2011-2999: XSS via plugins and shadowed window.location object - MFSA 2011-39 aka CVE-2011-3000: Defense against multiple Location headers due to CRLF Injection - MFSA 2011-40 aka CVE-2011-2372, CVE-2011-3001: Code installation through holding down Enter icedove (3.0.11-1+squeeze4) stable-security; urgency=high * [afd20a1] backported patches from xulrunner fixes mfsa2011-32 - CVE-2011-0084: Crash in SVGTextElement.getCharNumAtPosition() - CVE-2011-2378: Dangling pointer vulnerability in appendChild - CVE-2011-2980: Binary planting vulnerability in ThinkPadSensor::Startup - CVE-2011-2981: Privilege escalation using event handlers - CVE-2011-2982: Miscellaneous memory safety hazards (rv:1.9.2.20) - CVE-2011-2983: Private data leakage using RegExp.input - CVE-2011-2984: Privilege escalation dropping a tab element in content area icedove (3.0.11-1+squeeze3) stable-security; urgency=high * [637d85f] backported patches from xulrunner fixes mfsa2011-{19-24} - MFSA 2011-19 aka CVE-2011-2364, CVE-2011-2365, CVE-2011-2374, CVE-2011-2376: Miscellaneous memory safety hazards (rv:3.0/1.9.2.18) - MFSA 2011-20 aka CVE-2011-2373: Use-after-free vulnerability when viewing XUL document with script disabled - MFSA 2011-21 aka CVE-2011-2377: Memory corruption due to multipart/x-mixed-replace images - MFSA 2011-22 aka CVE-2011-2371: Integer overflow and arbitrary code execution in Array.reduceRight() - MFSA 2011-23 aka CVE-2011-0083, CVE-2011-0085, CVE-2011-2363: Multiple dangling pointer vulnerabilities - MFSA 2011-24 aka CVE-2011-2362: Cookie isolation error iceweasel (3.5.16-10) stable-security; urgency=low * Fixes for mfsa2011-{36-40}, also known as CVE-2011-2995, CVE-2011-2998, CVE-2011-2999, CVE-2011-3000, CVE-2011-2372. * security/manager/ssl/src/nsIdentityChecking.cpp, security/manager/ssl/src/nsNSSCallbacks.*, security/manager/ssl/src/nsNSSIOLayer.*: Mark DigiNotar root certificates as revoked instead of untrusted. iceweasel (3.5.16-9) stable-security; urgency=low * Fixes for mfsa2011-30, including: CVE-2011-2982, CVE-2011-2981, CVE-2011-2378, CVE-2011-2984, CVE-2011-2983. iceweasel (3.5.16-8) stable-security; urgency=low * Fixes for mfsa2011-{19,20,22-24}, also known as CVE-2011-2374, CVE-2011-2376, CVE-2011-2365, CVE-2011-2373, CVE-2011-2371, CVE-2011-0083, CVE-2011-2363, CVE-2011-0085, CVE-2011-2362. * toolkit/xre/nsAppRunner.cpp: Avoid crash after connecting to an existing instance. Closes: #630589. iceweasel (3.5.16-7) stable-security; urgency=low * Fixes for mfsa2011-{12-14,16}, also known as CVE-2011-0069, CVE-2011-0070, CVE-2011-0080, CVE-2011-0077, CVE-2011-0078, CVE-2011-0072, CVE-2011-0065, CVE-2011-0066, CVE-2011-0073, CVE-2011-0067, CVE-2011-0071. * gfx/ots/include/opentype-sanitiser.h: strict alignment issues when displaying OpenType fonts. bz#643137. ipmitool (1.8.11-2+squeeze1) stable; urgency=low * debian/control: - Add myself as co-maintainer. * Only approach rsp->data when rsp is set (Closes: #637423). isc-dhcp (4.1.1-P1-15+squeeze3) squeeze-security; urgency=high * Apply patch from ISC to fix CVE-2011-2748 and CVE-2011-2749. kde4libs (4:4.4.5-2+squeeze3) stable; urgency=low [ Ansgar Burchardt ] * Apply upstream patch to prevent marked text being cut out when switching documents in kate. (Closes: #636615) + new patch: 636615-ibus.diff kernel-wedge (2.74+squeeze3.1) stable-proposed-updates; urgency=low * NMU. * Stop considering acpi.ko as part of the kernel for kFreeBSD. kfreebsd-8 (8.1+dfsg-8+squeeze1) stable; urgency=low * Fix net802.11 stack kernel memory disclosure (CVE-2011-2480). (Closes: #631160) - 000_net80211_disclosure.diff * Merge backported if_msk driver from 8-STABLE. (Closes: #628954) - 000_msk_backport.diff * Disable buggy 009_disable_duped_modules.diff. It was disabling many more modules than built into kernel (e.g. all USB modules). * Add a few missing files in header package to make it possible to build external modules. (Closes: #630509) kfreebsd-kernel-di-i386 (0.6.1) stable; urgency=low * NMU. * Rebuild with latest kernel-wedge. Bump build-dependency. kolab-cyrus-imapd (2.2.13-9.1) stable-security; urgency=low * Fix CVE-2011-1926: STARTTLS plaintext command injection vulnerability (VU#555316) krb5 (1.8.3+dfsg-4squeeze2) stable; urgency=low * Upstream ticket 6852: permit gss_set_allowable_enctypes to restirct acceptor enctypes. Required in order to permit newer than squeeze clients to talk to a squeeze nfs server without degrading security for non-nfs applications on the box, Closes: #622146 kupfer (0+v201-2+squeeze2) stable; urgency=low * debian/patches/evolution_contacts.patch: - Do not crash if Evolution address book is missing (Closes: #632933). libapache2-mod-authnz-external (3.2.4-2+squeeze1) stable-security; urgency=high * Non-maintainer upload by the security team * Fix SQL injection via $user parameter (Closes: #633637) Fixes: CVE-2011-2688 libpcap (1.1.1-2+squeeze1) stable; urgency=low * Backport changes from upstream to fix corruption of snapshot length on live captures (CVE-2011-1935) (closes: #623868). * Backport fix from upstream to fix device detection when the bonding module is loaded (closes: #612803). libpng (1.2.44-1+squeeze1) stable-security; urgency=high * Apply upstream patch to 1-byte uninitialized memory reference in png_format_buffer(). (Closes: #632786, CVE-2011-2501) * Apply upstream patch to buffer overwrite in png_rgb_to_gray. (Closes: #633871, CVE-2011-2690) * Apply upstream patch to crash in png_default_error due to use of NULL Pointer. (Closes: #633871, CVE-2011-2691) * Apply upstream patch to memory corruption when handling empty sCAL chunks. (Closes: #633871, CVE-2011-2692) libsndfile (1.0.21-3+squeeze1) stable-security; urgency=low * CVE-2011-2696 libvirt (0.8.3-5+squeeze2) stable-security; urgency=low * [ac67c93] CVE-2011-1486: Make error reporting in libvirtd thread safe (Closes: #623222) * [eafb3d8] CVE-2011-2511: Fix integer overflow in VirDomainGetVcpus (Closes: #633630) libxfont (1:1.4.1-3) squeeze-security; urgency=high * Fix LZW decompression heap corruption (CVE-2011-2895). lintian (2.4.3+squeeze1) stable; urgency=low * checks/{conffiles,etcfiles}: + [NT] Skip all checks in conffiles is a symlink. * checks/debian-source-dir: + [NT] Fixed information disclosure issue, where Lintian could be tricked into disclosing the presence of files on the host system via specially crafted source packages. * debian/source/options: + [NT] Added tar-ignore option that only excludes .git to prevent some files from being "lost" when rebuilding the package. linux-2.6 (2.6.32-38) stable; urgency=high * Revert "ipv6: make fragment identifications less predictable" (Closes: #643817). This reopens CVE-2011-2699. 2a6221ccd30f8715b56731fc872a4e42e5ff8c64e14d132baa476cbf58e32352 13621 linux-2.6_2.6.32-38.dsc b6db15e88f7ad5a61e5ca8bae5f6266fa0b9833a9e4cb88de58f647ffd89734f 15634110 linux-2.6_2.6.32-38.diff.gz linux-2.6 (2.6.32-37) stable; urgency=low * pm: Fix definition of SET_SYSTEM_SLEEP_PM_OPS used in backported drivers (fixes FTBFS on ia64) * splice: Fix write position in output file (Closes: #641419) * PCI: Add definition of pci_pcie_cap(), used in backported e1000e (fixes FTBFS on armel, mips, mipsel, sparc) * [openvz] cpt: Allow ext4 mounts (Closes: #642380) f858741442e7fe2b19ec7b15ba4754f56ce7e1e774c93b2e92aceb258e719d87 6091 linux-2.6_2.6.32-37.dsc ac09c1d662132975399ac0c5e147257845991505ffc45116f7c3465a182a05af 15634056 linux-2.6_2.6.32-37.diff.gz linux-2.6 (2.6.32-36) stable; urgency=low [ maximilian attems ] * Add drm change from 2.6.32.41+drm33.18: - drm/radeon/kms: fix bad shift in atom iio table parser * [opvenz] ptrace: Don't allow to trace a process without memory map. * Add drm change from 2.6.32.42+drm33.19, including: - drm/i915: Add a no lvds quirk for the Asus EeeBox PC EB1007 - drm/radeon/kms: fix for radeon on systems >4GB without hardware iommu * Add longterm release 2.6.32.43, including: - ksm: fix NULL pointer dereference in scan_get_next_rmap_item() (CVE-2011-2183) - TTY: ldisc, do not close until there are readers - uvcvideo: Remove buffers from the queues when freeing - inet_diag: fix inet_diag_bc_audit() (CVE-2011-2213) - net: filter: Use WARN_RATELIMIT - af_packet: prevent information leak - ipv6/udp: Use the correct variable to determine non-blocking condition - mm: prevent concurrent unmap_mapping_range() on the same inode For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.43 and the bug report which this closes: #637848. [ Ben Hutchings ] * Add longterm release 2.6.32.42, including: - ftrace: Only update the function code on write to filter files - kmemleak: Do not return a pointer to an object that kmemleak did not get - ext3: Fix fs corruption when make_indexed_dir() fails - jbd: fix fsync() tid wraparound bug - PCI: allow matching of prefetchable resources to non-prefetchable windows (Closes: #637659) - loop: handle on-demand devices correctly - xhci: Fix full speed bInterval encoding; fix interval calculation for FS isoc endpoints (regressions in 2.6.32-34) - OHCI: fix regression caused by nVidia shutdown workaround (regression in 2.6.32-31) - brd: handle on-demand devices correctly - xen mmu: fix a race window causing leave_mm BUG() - SCSI: Fix oops caused by queue refcounting failure - fat: Fix corrupt inode flags when remove ATTR_SYS flag - pata_cm64x: fix boot crash on parisc (Closes: #622745, #622997) - Revert "iwlagn: Support new 5000 microcode." (Closes: #632778) For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.42 and the bug report which this closes: #631465. * [vserver] Update patch to 2.6.32.41-vs2.3.0.36.29.7 - Apply sched changes deferred from 2.6.32.29 * e1000e: Backport changes up to Linux 2.6.38 (Closes: #627700) - Add support for i82567V-4 and i82579 - Fix support for i82577, i82578 and i82583 * e1000e: Fix selection of alternate MAC address on device id 0x1060 (regression in 2.6.34) * igb,igbvf: Backport changes up to Linux 3.0.4 (Closes: #627702) - Add support for i82576-ET2, i82580, DH89xxCC, i340 and i350 * r8169: Backport changes up to Linux 3.0.2 (Closes: #627704) - Fix support for RTL8102E and RTL8168DP - Add support for RTL8105E, RTL8168E and another variant of RTL8168DP - Add support for D-Link DGE-530T rev C1 * tg3,broadcom: Backport changes up to Linux 2.6.38 (Closes: #627705) - Add support for BCM5717, BCM5719, BCM57765 - Add support for BCM50610M and BCM5241 PHYs - Fix support for BCM5755 * Remove net device features from bug reports (Closes: #638956) * Revert "net/ipv4: Check for mistakenly passed in non-IPv4 address" included in 2.6.32.43, which might break some applications * Add longterm release 2.6.32.44, including: - NFSv4.1: update nfs4_fattr_bitmap_maxsz - hwmon: (max1111) Fix race condition causing NULL pointer exception - bridge: send proper message_age in config BPDU - USB: OHCI: fix another regression for NVIDIA controllers (Closes: #620848) - ext3: Fix oops in ext3_try_to_allocate_with_rsv() - svcrpc: fix list-corrupting race on nfsd shutdown - alpha: fix several security issues (CVE-2011-2208, CVE-2011-2209, CVE-2011-2210, CVE-2011-2211) - ALSA: sound/core/pcm_compat.c: adjust array index - atm: [br2684] allow routed mode operation again For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.44 and the bug report which this closes: #639425. * Add longterm release 2.6.32.45, including: - ALSA: timer - Fix Oops at closing slave timer For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.45 and the bug report which this closes: #639426. * sched: Work around sched_group::cpu_power == 0 (Ameliorates: #636797) * [x86] Revert "x86, hotplug: Use mwait to offline a processor, fix the legacy case" (Closes: #622259) * Fix bugs in IPv6 forwarding with GRO/GSO (Closes: #630730): - e1000e,igb,igbvf,ixgbe: Fix IPv6 GSO type checks - ipv6: Add GSO support on forwarding path * devpts: correctly check d_alloc_name() return code (Closes: #640650) * ipv6: make fragment identifications less predictable (CVE-2011-2699) * Add longterm release 2.6.32.46, including: - atm: br2864: sent packets truncated in VC routed mode (Closes: #638656) - hwmon: (ibmaem) add missing kfree - ALSA: snd-usb-caiaq: Correct offset fields of outbound iso_frame_desc - ALSA: snd_usb_caiaq: track submitted output urbs - futex: Fix regression with read only mappings - x86-32, vdso: On system call restart after SYSENTER, use int $0x80 - fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.46 and the bug report which this closes: #641232. * drm/ttm: fix ttm_bo_add_ttm(user) failure path * 3c503: fix broken IRQ autoprobing (Closes: #566522) 395e73927ce73dd4fbd97a705deaf3d438fa81a76d948376ca62f10c6728e04d 6091 linux-2.6_2.6.32-36.dsc e410c97550d8fb029e57df655d0fa5a41af49e99f294b39be2a1bbba1bf83f4b 15632102 linux-2.6_2.6.32-36.diff.gz linux-2.6 (2.6.32-35squeeze2) stable-security; urgency=high * Fix regression in /proc//maps fixes for CVE-2011-1020 (Closes: #640966) linux-2.6 (2.6.32-35squeeze1) stable-security; urgency=high [ dann frazier ] * Fix regression in fix for CVE-2011-1768 (Closes: #633738) * net: Fix memory leak/corruption on VLAN GRO_DROP (CVE-2011-1576) * taskstats: don't allow duplicate entries in listener mode (CVE-2011-2484) * NLM: Don't hang forever on NLM unlock requests (CVE-2011-2491) * Bluetooth: l2cap/rfcomm: fix 1 byte infoleak to userspace (CVE-2011-2492) * proc: restrict access to /proc/PID/io (CVE-2011-2495) * vm: fix vm_pgoff wrap in up/down stack expansions (CVE-2011-2496) * Bluetooth: Prevent buffer overflow in l2cap config request (CVE-2011-2497) * nl80211: fix check for valid SSID size in scan operations * net_sched: Fix qdisc_notify() (CVE-2011-2525) * gro: Only reset frag0 when skb can be pulled (CVE-2011-2723) * comedi: fix infoleak to userspace (CVE-2011-2909) * restrict access to /proc/pid/* after setuid exec (CVE-2011-1020) * cifs: fix possible memory corruption in CIFSFindNext (CVE-2011-3191) * befs: Validate length of long symbolic links (CVE-2011-2928) * perf overflow/perf_count_sw_cpu_clock crash (CVE-2011-2918) [ Moritz Muehlenhoff ] * si4713-i2c: avoid potential buffer overflow on si4713 (CVE-2011-2700) * Switch to MD5 for sequence number generation (CVE-2011-3188) [ Jonathan Nieder ] * perf: do not look at ./config for configuration (Closes: #632923) (CVE-2011-2905) linux-kernel-di-amd64-2.6 (1.76+squeeze5) squeeze; urgency=low * Built against version 2.6.32-38 of linux-2.6. linux-kernel-di-amd64-2.6 (1.76+squeeze4) squeeze; urgency=low * Built against version 2.6.32-37 of linux-2.6. linux-kernel-di-armel-2.6 (1.56+squeeze5) squeeze; urgency=low * Built against version 2.6.32-38 of linux-2.6. linux-kernel-di-armel-2.6 (1.56+squeeze4) squeeze; urgency=low * Built against version 2.6.32-37 of linux-2.6. linux-kernel-di-i386-2.6 (1.99+squeeze5) squeeze; urgency=low * Built against version 2.6.32-38 of linux-2.6. linux-kernel-di-i386-2.6 (1.99+squeeze4) squeeze; urgency=low * Built against version 2.6.32-37 of linux-2.6. linux-kernel-di-ia64-2.6 (1.63+squeeze5) squeeze; urgency=low * Built against version 2.6.32-38 of linux-2.6. linux-kernel-di-ia64-2.6 (1.63+squeeze4) squeeze; urgency=low * Built against version 2.6.32-37 of linux-2.6. linux-kernel-di-mips-2.6 (1.31+squeeze5) squeeze; urgency=low * Built against version 2.6.32-38 of linux-2.6. linux-kernel-di-mips-2.6 (1.31+squeeze4) squeeze; urgency=low * Built against version 2.6.32-37 of linux-2.6. linux-kernel-di-mipsel-2.6 (1.31+squeeze5) squeeze; urgency=low * Built against version 2.6.32-38 of linux-2.6. linux-kernel-di-mipsel-2.6 (1.31+squeeze4) squeeze; urgency=low * Built against version 2.6.32-37 of linux-2.6. linux-kernel-di-powerpc-2.6 (1.76+squeeze5) squeeze; urgency=low * Built against version 2.6.32-38 of linux-2.6. linux-kernel-di-powerpc-2.6 (1.76+squeeze4) squeeze; urgency=low * Built against version 2.6.32-37 of linux-2.6. linux-kernel-di-s390-2.6 (0.59+squeeze5) squeeze; urgency=low * Built against version 2.6.32-38 of linux-2.6. linux-kernel-di-s390-2.6 (0.59+squeeze4) squeeze; urgency=low * Built against version 2.6.32-37 of linux-2.6. linux-kernel-di-sparc-2.6 (1.64+squeeze5) squeeze; urgency=low * Built against version 2.6.32-38 of linux-2.6. linux-kernel-di-sparc-2.6 (1.64+squeeze4) squeeze; urgency=low * Built against version 2.6.32-37 of linux-2.6. mantis (1.1.8+dfsg-10squeeze1) stable-security; urgency=high * Urgency high: Fixes critical LFI/XSS vulnerabilites (BTS #640297) 1) XSS injection via PHP_SELF : not affected 2) LFI and XSS via bug_actiongroup pages: fixed 3) Projax XSS issues with unescaped parameters: not affected * debian/patches: + added: Multiple vulnerabilities (LFI/XSS injection) Thanks to David Hicks, MantisBT developer. 11-Fix-640297-LFI-XSS-injection-bug-action-group-0.diff 12-Fix-640297-LFI-XSS-injection-bug-action-group-1.diff mapserver (5.6.5-2+squeeze2) stable-security; urgency=high * Fix possible SQL injection in WFS (CVE-2011-2703). [http://trac.osgeo.org/mapserver/ticket/3874] * Fix stack based buffer overflows (CVE-2011-2704). mesa (7.7.1-5) squeeze; urgency=low * glx: suppress BadRequest from DRI2Connect (which is expected for non-local clients). mod-gnutls (0.5.6-1+squeeze1) stable; urgency=low * Fix segmentation faults by applying upstream patch, http://issues.outoforder.cc/file_download.php?file_id=56&type=bug (Closes: #615227) nagvis (1:1.4.6-1.1+squeeze1) stable; urgency=low * Add myself to uploaders * Actually install the documentation * Properly set "Options FollowSymLinks" in the apache configuration (Closes: #632333) * Only call ucf on purge if it's available (Closes: #620037) * Set Path to gadget files in example configuration (via patches/config.dpatch) (Closes: #611909) * Document on how to activate nagvis after installation (Partly fixes #626456) nss (3.12.8-1+squeeze3) stable-security; urgency=low * mozilla/security/nss/lib/ckfw/builtins/certdata.*: Explicitely distrust various DigiNotar CAs: - DigiNotar Root CA - DigiNotar Services 1024 CA - DigiNotar Cyber CA - DigiNotar Cyber CA 2nd - DigiNotar PKIoverheid - DigiNotar PKIoverheid G2 nss (3.12.8-1+squeeze2) stable-security; urgency=low * mozilla/security/nss/lib/ckfw/builtins/certdata.*: Remove DigiNotar Root CA. nss-pam-ldapd (0.7.15) stable; urgency=low * in debconf, treat the "hard" value for tls_reqcert as if it was "demand" (closes: #642347) nss-pam-ldapd (0.7.14) stable; urgency=low * log correct error from ldap_abandon() * fix problem with partial attribute name matches in DN (thanks Timothy White) * handle expressions where some variable would expand to NULL * make buffer sizes consistent and grow all buffers holding string representations of numbers to be able to hold 64-bit numbers * fix a problem with uninitialised memory while parsing the tls_ciphers option (closes: #638872) openarena (0.8.5-5+squeeze1) stable; urgency=medium * Apply upstream r2098 to fix arbitrary code execution by malicious QVM bytecode, which could be auto-downloaded from a malicious server if enabled. CVE-2011-2764 (Closes: #635733) openarena (0.8.5-5+exp3) experimental; urgency=low * Make the OPENARENA_BACKTRACE option work correctly openarena (0.8.5-5+exp2) experimental; urgency=low * Create a Debian-openarena user and install an init script (off by default) (Closes: #503106) * Add a README.Debian explaining alternative ways to run the server * Depend on an ioquake3-server new enough to install q3arch, and run that instead of having our own copy * Depend on debhelper 8 and convert the rules file to dh style openarena (0.8.5-5+exp1) experimental; urgency=low * Install wrapper scripts for ioquake3, instead of our own engine - therefore we no longer use a local copy of libjpeg (Closes: #495966) - remove all patches that only change the engine - adjust FreeBSD portability patch to only apply to the game code * Set up debian/rules so DEB_BUILD_OPTIONS="noopt" does a debug build * Improve the man pages * Update q3arch.sh from ioquake3 - don't warn when building on arm/armel - output the chosen architecture for the benefit of buildd logs opencv (2.1.0-3+squeeze1) stable-proposed-updates; urgency=low * Fix install path of opencv-doc (Closes: #610803). * Fix optimize of i386 (Closes: #629414). Add patches/optimize_i486.patch. openssh (1:5.5p1-6+squeeze1) stable; urgency=low * Quieten logs when multiple from= restrictions are used in different authorized_keys lines for the same key; it's still not ideal, but at least you'll only get one log entry per key (closes: #630606). openssl (0.9.8o-4squeeze3) squeeze; urgency=low * Non-maintainer upload by the Security Team. * Fix CVE-2011-3210: SSL memory handling for (EC)DH ciphersuites openssl (0.9.8o-4squeeze2) squeeze-security; urgency=high * Non-maintainer upload by the Security Team. * Block DigiNotar certificates * Fix CVE-2011-1945: timing attacks against ECDHE_ECDSA makes it easier to determine private keys. opie (2.32.dfsg.1-0.2+squeeze1) stable-security; urgency=high * Non-maintainer upload by the security team * Fix off-by-one and privilege escalation via missing check for setuid() (Closes: #631344, #631345) Fixes: CVE-2011-2489 CVE-2011-2490 oprofile (0.9.6-1.1+squeeze2) stable-security; urgency=low * Non-maintainer upload by the Security Team. * Jamie Strandboge noticed an uncomplete fix for CVE-2011-1760 Closes: #624212 perl (5.10.1-17squeeze2) stable-security; urgency=low * [SECURITY] CVE-2010-1447: further Safe.pm fixes for breaking out of safe compartment using subroutine references (Closes: #631529) php5 (5.3.3-7+squeeze3) squeeze-security; urgency=low * Fix CVE-2011-2202: File path injection vulnerability in RFC1867 File upload filename * Refresh CVE-2011-2202 patch * Update gbp.conf for debian-squeeze branch php5 (5.3.3-7+squeeze2) squeeze-security; urgency=low * Fix regression with missing CRYPT_SALT_LENGTH symbol * Fix CVE-2011-0420: a NULL pointer dereference in grapheme_extract * Fix CVE-2011-0421: _zip_name_locate function in zip_name_locate.c * Fix CVE-2011-0708: incorrect cast on 64-bit platforms in exif.c * Fix CVE-2011-1153: multiple format string vulnerabilities in phar_object.c * Fix CVE-2011-1467: Already fixed in 5.3.3-7; just rename patch * Fix CVE-2011-1466: Already fixed in 5.3.3-7; just rename patch * Fix CVE-2011-1471: for integer signedness error in zip_stream.c * Fix reject-filenames-with-null-r305507.patch to not break oci8 extension (doesn't affect any built code) pianobar (2010.11.06-1+squeeze2) stable; urgency=low * XMLRPC api version bump (v31) (LP: #807860) - Add an empty field to a URL, no other API changes pmake (1.111-2+squeeze1) stable; urgency=low * Non-maintainer upload. * Backport fix for CVE-2011-1920 (symlink attack in bsd.lib.mk (Closes: #626673) postgresql-8.4 (8.4.8-0squeeze2) stable; urgency=low * Add 15-revert-typmod-check.patch: Back out "Fix plpgsql's issues with dropped columns in rowtypes in 8.4 branch.", which introduces a regression. Thanks a lot to Philipp Kern for preparing the fix, and to Josip Rodin for testing this! (Closes: #632028) puppet (2.6.2-5+squeeze1) stable-security; urgency=high * Resist directory traversal attacks (CVE-2011-3848) * Fix SSH authorized_keys symlink attack (CVE-2011-3870) * Fix K5login content attack (CVE-2011-3869) * Fix predictable temp file using RAL (CVE-2011-3871) * Fix file indirector injection (low risk) python-recaptcha (1.0.5-1+squeeze1) stable; urgency=low * Web service has moved from recaptcha.net to google.com. Closes: #637880. qemu-kvm (0.12.5+dfsg-5+squeeze6) stable-security; urgency=low * virtio-fix-indirect-descriptor-buffer-overflow-CVE-2011-2212 fixes a guest-triggerable buffer overflow in virtio handling (closes: #632987) * os-posix-set-groups-properly-for--runas-CVE-2011-2527 clears supplementary groups for -runas (closes: #633669) qemu-kvm (0.12.5+dfsg-5+squeeze5) stable-security; urgency=low * virtio-fix-indirect-descriptor-buffer-overflow-CVE-2011-2212 fixes a guest-triggerable buffer overflow in virtio handling (closes: #632987) * os-posix-set-groups-properly-for--runas-CVE-2011-2527 clears supplementary groups for -runas (closes: #633669) qemu-kvm (0.12.5+dfsg-5+squeeze4) stable-security; urgency=high * virtio: guard against negative vq notifies -- fixes a guest-triggerable bug in virtio implementation (CVE-2011-2512) (Closes: #631975) quagga (0.99.17-2+squeeze3) stable-security; urgency=high * SECURITY: This is a backport of the security patches of Quagga 0.99.19 and 0.99.20: - The vulnerabilities CVE-2011-3324 and CVE-2011-3323 are related to the IPv6 routing protocol (OSPFv3) implemented in ospf6d daemon. Receiving modified Database Description and Link State Update messages, respectively, can result in denial of service in IPv6 routing. - The vulnerability CVE-2011-3325 is a denial of service vulnerability related to Hello message handling by the OSPF service. As Hello messages are used to initiate adjacencies, exploiting the vulnerability may be feasible from the same broadcast domain without an established adjacency. A malformed packet may result in denial of service in IPv4 routing. - The vulnerability CVE-2011-3326 results from the handling of LSA (Link State Advertisement) states in the OSPF service. Receiving a modified Link State Update message with malicious state information can result in denial of service in IPv4 routing. - The vulnerability CVE-2011-3327 is related to the extended communities handling in BGP messages. Receiving a malformed BGP update can result in a buffer overflow and disruption of IPv4 routing. quassel (0.6.3-2+squeeze1) stable; urgency=low * Fixing security issue: ctcp DoS (Closes: #640960) rails (2.3.5-1.2+squeeze1) stable-security; urgency=low * Fix SQL Injection Vulnerability in Ruby on Rails (CVE-2011-2930) * Fix parse error in strip_tags vulnerability (CVE-2011-2931) * Fix response splitting vulnerability (CVE-2011-3186) * Adopt the package under DRE red5 (0.9.1-4squeeze1) stable; urgency=low * Add Depends on glassfish-javaee Java library to fix dangling symlink and then crash at startup (Closes: #620113). sbcl (1:1.0.40.0-3) stable; urgency=low * Fix reference to undefined asdf::split in the asdf-install module (Closes: #640951) shelldap (0.2-1+squeeze1) stable; urgency=low * Add ssl-errmsg.patch to exit with a nicer error message if IO::Socket::SSL isn't installed, but the user is requesting SSL/TLS. (Closes: #614350, #638062). * Email change: Salvatore Bonaccorso -> carnil@debian.org squid3 (3.1.6-1.2+squeeze1) stable-security; urgency=high * Non-maintainer upload by the Security Team. * Fix buffer overflow on long gopher server replies (CVE-2011-3205; Closes: #639755). squirrelmail (2:1.4.21-2) stable-security; urgency=high * Upload to stable for security fixes. * CVE-2011-2023: Messages containing style tags with malicious script attributes were being displayed without being fully sanitized. * CVE-2010-4554: Clickjacking attack wherein the entire application can be loaded in a frame that could overlay other elements on top of SquirrelMail's user interface and possibly expose private user data to an attacker. * CVE-2010-4555 CVE-2011-2752 CVE-2011-2753: An attacker could use one of several small bugs in SquirrelMail to inject malicious script into various pages or alter the contents of user preferences. system-tools-backends (2.10.1-2squeeze1) stable; urgency=low [ Jérémy Bobbio ] * Properly handle the rename of /etc/dbus-1/system.d/system-tools-backends.conf to org.freedesktop.SystemToolsBackends.conf. (Closes: #553672) [ Josselin Mouette ] * Properly guard dpkg-maintscript-helper calls. tesseract (2.04-2+squeeze1) stable; urgency=low * Non-maintainer upload at the maintainer's request. * Disable xterm-based debug windows (closes: #612032, LP: #607297). tiff (3.9.4-5+squeeze3) stable-security; urgency=high * Redo CVE-2011-0192 to fix regression. (Closes: #630042) tiff (3.9.4-5+squeeze2) stable-security; urgency=high * CVE-2009-5022: Buffer overflow in OJPEG support. (Closes: #624287) tiff (3.9.4-5+squeeze1) stable-security; urgency=high * CVE-2011-0192, Buffer overflow in Fax4Decode typo3-src (4.3.9+dfsg1-1+squeeze2) stable-proposed-updates; urgency=high * Security patch from new upstream release 4.3.14: - fixes: "TYPO3 Security Bulletin TYPO3-CORE-SA-2011-003: Improper error handling could lead to cache flooding in TYPO3 Core" (Closes: 641683) typo3-src (4.3.9+dfsg1-1+squeeze1) squeeze-security; urgency=high * Security patch from new upstream release 4.3.12: - fixes: "TYPO3 Security Bulletin TYPO3-CORE-SA-2011-001: Multiple vulnerabilities in TYPO3 Core" (Closes: 635937) tzdata (2011k-0squeeze1) stable; urgency=low * New upstream release: - Update DST rules for Ukraine. Closes: #642232. - Update DST rules for Belarus. Closes: #641846. tzdata (2011k-0lenny1) oldstable; urgency=low * New upstream release: - Update DST rules for Ukraine. Closes: #642232. - Update DST rules for Belarus. Closes: #641846. tzdata (2011j-1) unstable; urgency=low [ Aurelien Jarno ] * New upstream release. [ Debconf translations ] * Swedish (Martin Bagge / brother). Closes: #640624 * Italian (David Paleino). Closes: #640772 * Catalan; (Jordà Polo). Closes: #640775 * Russian (Yuri Kozlov). Closes: #640820 * Japanese (Kenshi Muto). Closes: #641113 * German (Holger Wansing). Closes: #641220 * Danish (Joe Hansen). Closes: #640833 tzdata (2011j-0lenny1) oldstable; urgency=low * New upstream release. tzdata (2011i-2) unstable; urgency=medium [ Aurelien Jarno ] * OpenJDK-6 changed the path to the java binary without warning. Try both the old and the new path, to avoid adding a versioned dependency on openjdk-6-jre-headless that would prevent migration to testing. Closes: #640276. * Set urgency to medium to avoid delaying too much migration to testing with this upload. [ Debconf translations ] * French updated (Christian Perrier) tzdata (2011i-1) unstable; urgency=low * New upstream version. tzdata (2011h-4) unstable; urgency=low * Add build-arch and build-indep targets. * Remove hardlinks to comply with the policy, by replacing identical files with symlinks. It also reduces the package size by 38% and the installed size by 35%. * Change the source compression format to "xz", .po files in plenty of different languages compress very well. tzdata (2011h-3) unstable; urgency=low * Correctly handle empty debconf values (how is that possible for a select entry?). Closes: #545146, #631878. tzdata (2011h-2) unstable; urgency=low * Ignore debconf errors, return default values in that case. Closes: #631878. tzdata (2011h-1) unstable; urgency=low [ Aurelien Jarno ] * Fix preseeding. Closes: #510908. [ Clint Adams ] * New upstream release. * Bump to Standards-Version 3.9.2. tzdata (2011h-0squeeze1) stable; urgency=low * New upstream release. tzdata (2011h-0lenny1) oldstable; urgency=low * New upstream release. tzdata (2011g-1) unstable; urgency=high * New upstream release. closes: #624154. tzdata (2011f-1) unstable; urgency=low * New upstream release. * Update Danish translation from Joe Dalton. closes: #601231. tzdata (2011e-1) unstable; urgency=high * New upstream release. - Changes Chilean DST yet again. closes: #620288. tzdata (2011d-1) unstable; urgency=high [ Aurelien Jarno ] * debian/control: provides tzdata-wheezy instead of tzdata-squeeze. [ Clint Adams ] * New upstream release. update-inetd (4.38+nmu1+squeeze1) stable; urgency=low * Fix breakage with non-default inetd packages (Closes: #638180) * Thanks to Christian Perrier for the NMU. usbutils (0.87-5squeeze1) stable; urgency=low * Build-depends on libusb2-dev on kfreebsd. Closes: bug#612353. * Update usb.ids. user-mode-linux (2.6.32-1um-4+37) stable; urgency=high * Rebuild against linux-source-2.6.32 (2.6.32-37): * pm: Fix definition of SET_SYSTEM_SLEEP_PM_OPS used in backported drivers (fixes FTBFS on ia64) * splice: Fix write position in output file (Closes: #641419) * PCI: Add definition of pci_pcie_cap(), used in backported e1000e (fixes FTBFS on armel, mips, mipsel, sparc) * [openvz] cpt: Allow ext4 mounts (Closes: #642380) * Add drm change from 2.6.32.41+drm33.18: - drm/radeon/kms: fix bad shift in atom iio table parser * [opvenz] ptrace: Don't allow to trace a process without memory map. * Add drm change from 2.6.32.42+drm33.19, including: - drm/i915: Add a no lvds quirk for the Asus EeeBox PC EB1007 - drm/radeon/kms: fix for radeon on systems >4GB without hardware iommu * Add longterm release 2.6.32.43, including: - ksm: fix NULL pointer dereference in scan_get_next_rmap_item() (CVE-2011-2183) - TTY: ldisc, do not close until there are readers - uvcvideo: Remove buffers from the queues when freeing - inet_diag: fix inet_diag_bc_audit() (CVE-2011-2213) - net: filter: Use WARN_RATELIMIT - af_packet: prevent information leak - ipv6/udp: Use the correct variable to determine non-blocking condition - mm: prevent concurrent unmap_mapping_range() on the same inode For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.43 and the bug report which this closes: #637848. * Add longterm release 2.6.32.42, including: - ftrace: Only update the function code on write to filter files - kmemleak: Do not return a pointer to an object that kmemleak did not get - ext3: Fix fs corruption when make_indexed_dir() fails - jbd: fix fsync() tid wraparound bug - PCI: allow matching of prefetchable resources to non-prefetchable windows (Closes: #637659) - loop: handle on-demand devices correctly - xhci: Fix full speed bInterval encoding; fix interval calculation for FS isoc endpoints (regressions in 2.6.32-34) - OHCI: fix regression caused by nVidia shutdown workaround (regression in 2.6.32-31) - brd: handle on-demand devices correctly - xen mmu: fix a race window causing leave_mm BUG() - SCSI: Fix oops caused by queue refcounting failure - fat: Fix corrupt inode flags when remove ATTR_SYS flag - pata_cm64x: fix boot crash on parisc (Closes: #622745, #622997) - Revert "iwlagn: Support new 5000 microcode." (Closes: #632778) For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.42 and the bug report which this closes: #631465. * [vserver] Update patch to 2.6.32.41-vs2.3.0.36.29.7 - Apply sched changes deferred from 2.6.32.29 * e1000e: Backport changes up to Linux 2.6.38 (Closes: #627700) - Add support for i82567V-4 and i82579 - Fix support for i82577, i82578 and i82583 * e1000e: Fix selection of alternate MAC address on device id 0x1060 (regression in 2.6.34) * igb,igbvf: Backport changes up to Linux 3.0.4 (Closes: #627702) - Add support for i82576-ET2, i82580, DH89xxCC, i340 and i350 * r8169: Backport changes up to Linux 3.0.2 (Closes: #627704) - Fix support for RTL8102E and RTL8168DP - Add support for RTL8105E, RTL8168E and another variant of RTL8168DP - Add support for D-Link DGE-530T rev C1 * tg3,broadcom: Backport changes up to Linux 2.6.38 (Closes: #627705) - Add support for BCM5717, BCM5719, BCM57765 - Add support for BCM50610M and BCM5241 PHYs - Fix support for BCM5755 * Remove net device features from bug reports (Closes: #638956) * Revert "net/ipv4: Check for mistakenly passed in non-IPv4 address" included in 2.6.32.43, which might break some applications * Add longterm release 2.6.32.44, including: - NFSv4.1: update nfs4_fattr_bitmap_maxsz - hwmon: (max1111) Fix race condition causing NULL pointer exception - bridge: send proper message_age in config BPDU - USB: OHCI: fix another regression for NVIDIA controllers (Closes: #620848) - ext3: Fix oops in ext3_try_to_allocate_with_rsv() - svcrpc: fix list-corrupting race on nfsd shutdown - alpha: fix several security issues (CVE-2011-2208, CVE-2011-2209, CVE-2011-2210, CVE-2011-2211) - ALSA: sound/core/pcm_compat.c: adjust array index - atm: [br2684] allow routed mode operation again For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.44 and the bug report which this closes: #639425. * Add longterm release 2.6.32.45, including: - ALSA: timer - Fix Oops at closing slave timer For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.45 and the bug report which this closes: #639426. * sched: Work around sched_group::cpu_power == 0 (Ameliorates: #636797) * [x86] Revert "x86, hotplug: Use mwait to offline a processor, fix the legacy case" (Closes: #622259) * Fix bugs in IPv6 forwarding with GRO/GSO (Closes: #630730): - e1000e,igb,igbvf,ixgbe: Fix IPv6 GSO type checks - ipv6: Add GSO support on forwarding path * devpts: correctly check d_alloc_name() return code (Closes: #640650) * ipv6: make fragment identifications less predictable (CVE-2011-2699) * Add longterm release 2.6.32.46, including: - atm: br2864: sent packets truncated in VC routed mode (Closes: #638656) - hwmon: (ibmaem) add missing kfree - ALSA: snd-usb-caiaq: Correct offset fields of outbound iso_frame_desc - ALSA: snd_usb_caiaq: track submitted output urbs - futex: Fix regression with read only mappings - x86-32, vdso: On system call restart after SYSENTER, use int $0x80 - fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.46 and the bug report which this closes: #641232. * drm/ttm: fix ttm_bo_add_ttm(user) failure path * 3c503: fix broken IRQ autoprobing (Closes: #566522) user-mode-linux (2.6.32-1um-4+35squeeze2) stable-security; urgency=high * Rebuild against linux-source-2.6.32 (2.6.32-35squeeze2), whose changelog can be viewed at: http://packages.debian.org/changelogs/pool/main/l/linux-2.6/linux-2.6_2.6.32-35squeeze2/changelog user-mode-linux (2.6.32-1um-4+35squeeze1) stable-security; urgency=high * Rebuild against linux-source-2.6.32 (2.6.32-35squeeze1), whose changelog can be viewed at: http://packages.debian.org/changelogs/pool/main/l/linux-2.6/linux-2.6_2.6.32-35squeeze1/changelog v86d (0.1.9-1+squeeze1) stable; urgency=low * Do not include random kernel headers in CFLAGS. + Adding 04_dont-include-kernel.patch + Closes: #525415 * Fix CVE-2011-1070: failure to validate netlink message sender + Adding 05_CVE-2011-1070.patch + Closes: #619404 vftool (2.0alpha-4+squeeze1) stable; urgency=medium * Non-maintainer upload. * debian/patch-3: - fix CVE-2011-0433, a buffer overflow in linetoken() in parseAFM.c Closes: #614669 vsftpd (2.3.2-3+squeeze2) stable-security; urgency=high * Non-maintainer upload by the Security Team. * Disable network isolation due to a problem with cleaning up network namespaces fast enough in kernels < 2.6.35 (CVE-2011-2189). Thanks Ben Hutchings for the patch! * Fix possible DoS via globa expressions in STAT commands by limiting the matching loop (CVE-2011-0762; Closes: #622741). vte (1:0.24.3-3) stable; urgency=low * 01_CVE-2011-2198.patch: taken from upstream git. Fixes memory exhaustion vulnerability. Closes: #629688, CVE-2011-2198. webkit (1.2.7-0+squeeze1) stable-security; urgency=high * Import new upstream security release: - Fixes cve-2010-1783, cve-2010-2901, cve-2010-4199, cve-2010-4040, cve-2010-4492, cve-2010-4493, cve-2010-4577, cve-2010-4578, cve-2010-0474, cve-2011-0482, and cve-2011-0778. - Drop debian-specific patches for cve-2010-2901 and cve-2010-4040 (included upstream now). * Set DM-Upload-Allowed and add myself as an uploader. widelands (1:15-3squeeze2) stable; urgency=low * Fix network play on official maps (bug introduced by patches/secfix-617960) Added: patches/secfix-617960-aux (Closes: #624316) win32-loader (0.6.21+squeeze0) stable; urgency=low The "GPL compliance" release. * Add a dpkg-distaddfile byhand call to install win32-loader- standalone.exe as tools/$(SUITE)/win32-loader.exe on the mirrors. * Document which packages in which versions are embedded in the standalone flavour. * Add acknowledgement to NSIS in the companion text file. * Include version number in the companion text. * Update debian/copyright and the companion text to point to the real source locations. * Use the Built-Using field and enhance the sources documentation. wireshark (1.2.11-6+squeeze2) stable-security; urgency=high * security fixes from Wireshark 1.2.16: - The X.509if dissector could crash. (CVE-2011-1590) * security fixes from Wireshark 1.2.17 (Closes: #630159): - Huzaifa Sidhpurwala of the Red Hat Security Response Team discovered that a corrupted Visual Networks file could crash Wireshark. (CVE-2011-2175) - David Maciejak of Fortinet's FortiGuard Labs discovered that malformed compressed capture data could crash Wireshark. (CVE-2011-2174) - Huzaifa Sidhpurwala of the Red Hat Security Response Team discovered that a corrupted snoop file could crash Wireshark. (CVE-2011-1959) - Huzaifa Sidhpurwala of the Red Hat Security Response Team discovered that a corrupted Diameter dictionary file could crash Wireshark. (CVE-2011-1958) - Large/infinite loop in the DICOM dissector. (CVE-2011-1957) xapian-omega (1.2.3-1+squeeze1) stable; urgency=low * Fix escaping issues in templates: godmode, opensearch, query, xml. + Undocumented and apparently unused CGI parameter HILITECLASS is no longer supported by the xml template. xml-security-c (1.5.1-3+squeeze1) stable-security; urgency=high * Apply upstream patch to fix buffer overflow when signing or verifying files with big asymmetric keys. (Closes: #632973, CVE-2011-2516) zfsutils (8.1-4+squeeze1) stable; urgency=low * Set "X-Start-Before: checkroot" so that boot doesn't break when fstab relies on ZFS volumes. (Closes: #635627) * Set "X-Stop-After: umountfs" to ensure ZVOLs are no longer in use when "zfs volfini" is called. * Add bash_completion script (stolen from zfs-fuse). ========================================== Sun, 26 Jun 2011 - Debian 6.0.2.1 released ========================================== * No package changes. Reroll due to broken Packages files on both kfreebsd architectures ========================================= Sat, 25 Jun 2011 - Debian 6.0.2 released ========================================= ========================================================================= [Date: Sat, 25 Jun 2011 09:31:45 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: ktsuss | 1.4-1 | source, amd64, armel, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, sparc Closed bugs: 626178 ------------------- Reason ------------------- RoSRM; security issues, unmaintained ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 25 Jun 2011 09:42:32 +0000] [ftpmaster: Archive Administrator] Removed the following packages from stable: debian-installer-6.0-netboot-hppa | 20100912 | all ------------------- Reason ------------------- [auto-cruft] no longer built from source ---------------------------------------------- ========================================================================= aide (0.15.1-2+squeeze1) stable; urgency=low [ Marc Haber ] * 31_aide_bind9: - fix wrong group (closes: #612405) [ Hannes von Haugwitz ] * debian/patches/05-configure_32-bit_lfs_fix.dpatch: new - fixed lfs on 32-bit systems (closes: #615111) apache2 (2.2.16-6+squeeze1) stable-security; urgency=high * Fix CVE-2011-1176 in apache2-mpm-itk: If NiceValue was set, the default with no AssignUserID was to run as root:root instead of the default Apache user and group. Closes: #618857 approx (4.5-1+squeeze1) stable; urgency=low * Deny requests for InRelease files, forcing clients to fall back to Release and Release.gpg files. * Deny requests for all non-gzipped index files, not just bz2 versions. apr (1.4.2-6+squeeze3) stable; urgency=low * Fix apr_ino_t changing size depending on -D_FILE_OFFSET_BITS on kfreebsd-*. Closes: #616323 apr (1.4.2-6+squeeze2) stable-security; urgency=low * Fix regression introduced by fix for CVE-2011-0419: apr_fnmatch may consume 100% CPU. CVE-2011-1928 Closes: #627182 apr (1.4.2-6+squeeze1) stable-security; urgency=high * Fix DoS in apr_fnmatch (CVE-2011-0419) which can be exploited via Apache HTTPD's mod_autoindex. apt (0.8.10.3+squeeze1) stable; urgency=low [ Michael Vogt ] * debian/control: - make Vcs-Bzr point to http://bzr.debian.org/apt/apt/debian-squeeze branch * apt-pkg/acquire-item.cc: - mark pkgAcqIndexTrans as Index-File to avoid asking the user to insert the CD on each apt-get update, closes: #614300 [ Christian Perrier ] * Fix error in French translation of manpages (apt_preferences(5)). Merci, Rémi Vanicat. Closes: #613689 [ David Kalnischkies ] * apt-pkg/contrib/fileutl.cc: - reorder the loaded filesize bytes for big endian (Closes: #612986) Thanks to Jörg Sommer for the detailed analyse! * ftparchive/multicompress.cc, apt-inst/deb/debfile.cc: - support xz compressor to create xz-compressed Indexes and be able to open data.tar.xz files * ftparchive/writer.cc: - include xz-compressed Packages and Sources files in Release file * apt-pkg/deb/debsrcrecords.cc: - support xz-compressed source v3 debian.tar files apt-listchanges (2.85.7+squeeze1) stable; urgency=low [ Sandro Tosi ] * Don't skip the very first entry when the NEWS file is added; thanks to Ryo IGARASHI for the report and to Robert Luberda for the patch; Closes: #590541 [ Michael Biebl ] * Upload to stable. asterisk (1:1.6.2.9-2+squeeze2) stable-security; urgency=high * Patch AST-2011-002 (CVE-2011-1147): Multiple crash vulnerabilities in UDPTL code (Closes: #614580). * Patch AST-2011-005 (CVE-2011-1507): Resource exhaustion in Asterisk Manager Interface. * Patch AST-2011-005-p2: Resource exhaustion in chan_skinny and AJAM - second part of the above (Closes: #618790). * Patch AST-2011-006: Check for "system" privilege in the manager interface (Closes: #623775). * Patches AST-2011-003, manager_manager_bugfix_reload - its pre-requirements. * Patch AST-2011-004: Remote crash vulnerability in TCP/TLS server (Closes: #618791). base-files (6.0squeeze2) stable; urgency=low * Changed /etc/debian_version to 6.0.2, for Debian 6.0.2 point release. bind9 (1:9.7.3.dfsg-1~squeeze2) squeeze-security; urgency=high * Apply patches from 9.7.3-P1 to address crasher in negative caching (CVE-2011-1910) and resolution failures in DLV mode. bind9 (1:9.7.3.dfsg-1~squeeze1) stable-security; urgency=high * Build for squeeze-security chromium-browser (6.0.472.63~r59945-5+squeeze5) stable-security; urgency=low * Fixed CVE-2011-1292: Use-after-free in the frame loader. Credit to Sławomir Błażek. * Fixed CVE-2011-1293: Use-after-free in HTMLCollection. Credit to Sergey Glazunov. * Fixed CVE-2011-1440: Use-after-free with tag and CSS. Credit to Jose A. Vazquez. * Fixed CVE-2011-1444: Race condition in sandbox launcher. Credit to Dan Rosenberg. * Fixed CVE-2011-1797: stale pointer in table captioning (credit: wushi) * Fixed CVE-2011-1799: Bad casts in Chromium WebKit glue. Credit to Google Chrome Security Team (SkyLined). citadel (7.83-2squeeze2) stable-security; urgency=high * Non-maintainer upload by the Security Team. * Fix billion laughs DoS attack vector against xmpp component by completely disabling entity expansion (CVE-2011-1756). clive (2.2.13-5+squeeze2) stable; urgency=low * Adapt for liveleak.com changes. + new patch: liveleak-fix-from-2.2.25.patch cyrus-imapd-2.2 (2.2.13-19+squeeze1) stable-security; urgency=low * Fix infinite loop in case of corrupted index files (Closes: #627078) * Add gbp.conf to easy future updates * Fix CVE-2011-1926: STARTTLS plaintext command injection vulnerability (VU#555316) (Closes: #627081) dbus (1.2.24-4+squeeze1) stable; urgency=low * Update Vcs-* control fields to reflect the move to git * Apply patch to fix CVE-2011-2200 (fd.o #38120), which is a local DoS for system services (Closes: #629938) debian-installer (20110106+squeeze3) squeeze; urgency=high * Rebuild against updated linux-kernel-di-*-2.6, adding drivers hpsa, pm8001 and bna. debian-installer (20110106+squeeze2) squeeze; urgency=high * Add pata-modules to cdrom config for ia64. Closes: #622187 deborphan (1.7.28.3+squeeze1) stable-proposed-updates; urgency=low [ David Prévot ] * Fix typo in Polish translation of deborphan(1) (Robert Luberda) Closes: #610804 * Fix typo in French --show-size short option help. * Change maintainer address. [ Carsten Hey ] * Make trapping WINCH in orphaner POSIX compatible. Closes: #618895 * Exclude libreoffice* from being displayed if --guess-section is used. Closes: #609337 doctrine (1.2.2-2+squeeze1) stable-security; urgency=high * Applied fixes from 1.2.4 upstream version due to CVE 2011-1522 (closes: #622674) dokuwiki (0.0.20091225c-10+squeeze1) stable; urgency=low * debian/README.Debian: Correct a spelling error. * debian/patches/xmlrpc_security.diff: Backport an upstream security fix for an ACL bypass (TEMP-0000000-52FF39). dpkg (1.15.8.11) stable; urgency=high [ Guillem Jover ] * Do not segfault on “dpkg -i --no-act”. * Add missing semicolon to the vsnprintf() compat declaration. Thanks to Robert Millan. Closes: #612203 * Fix typo in «dpkg-name --overwrite» argument parsing so that it actually works at all. Thanks to Ivan Gagis . LP: #728708 * Fix dpkg-split to not corrupt binary part metadata when generating the split packages on 32-bit systems. [ Raphaël Hertzog ] * Fix a regression in dpkg-divert where using --rename led to a failure when the rename implies crossing file systems. Thanks to Durk Strooisma for spotting it. [ Updated dpkg translations ] * German (Sven Joachim). [ Updated man page translations ] * German (Helge Kreutzmann). Minor fixe(s). e2fsprogs (1.41.12-4stable1) stable; urgency=high * Upload to proposed-updates * Fix "mke2fs -n" so it won't issue a discard and thus trash all the data on an SSD (oops!!!) e2fsprogs (1.41.12-4) unstable; urgency=high * Clear ext4 error fields in the superblock. Otherwise users will see scary messages every 24 hours after a file system error is detected, even after e2fsck has fixed it, if they are using Linux 2.6.35 or later. * Fix usage message for logsave (Closes: #619788) e2fsprogs (1.41.12-3) unstable; urgency=high * Fix signed vs. unsigned char bug in getopt in e2fsprogs which afflicts systems with default unsigned char * Fix bug in e2fsck where it would fail to fix file systems where both the primary and backup block group descriptors are corrupted. (Addresses Ubuntu Launchpad bug: #711799) * Fix package description: fsck has been moved to util-linux (Closes: #588726) * Fix badblocks so it the progress message correctly handles UTF-8 characters for I18N systems (Closes: #583782, #587834) * Prevent e2fsck from accidentally scrambling a file system when checking a snapshot which has an external journal device (which has not been snapshotted). (Closes: #587531) * Fix inode nlink accounting that would lead to very scary PROGRAMMING BUG errors. (Closes: #555456) * Fix typos, spelling mistakes, spelling-out-the-obvious-to-clueless- sysadmins, etc. in man pages. (Closes: #589345, #594004, #580236, #591083, #505719, #599786) e2fsprogs (1.41.12-4) unstable; urgency=high * Clear ext4 error fields in the superblock. Otherwise users will see scary messages every 24 hours after a file system error is detected, even after e2fsck has fixed it, if they are using Linux 2.6.35 or later. * Fix usage message for logsave (Closes: #619788) e2fsprogs (1.41.12-3) unstable; urgency=high * Fix signed vs. unsigned char bug in getopt in e2fsprogs which afflicts systems with default unsigned char * Fix bug in e2fsck where it would fail to fix file systems where both the primary and backup block group descriptors are corrupted. (Addresses Ubuntu Launchpad bug: #711799) * Fix package description: fsck has been moved to util-linux (Closes: #588726) * Fix badblocks so it the progress message correctly handles UTF-8 characters for I18N systems (Closes: #583782, #587834) * Prevent e2fsck from accidentally scrambling a file system when checking a snapshot which has an external journal device (which has not been snapshotted). (Closes: #587531) * Fix inode nlink accounting that would lead to very scary PROGRAMMING BUG errors. (Closes: #555456) * Fix typos, spelling mistakes, spelling-out-the-obvious-to-clueless- sysadmins, etc. in man pages. (Closes: #589345, #594004, #580236, #591083, #505719, #599786) exim4 (4.72-6+squeeze2) stable-security; urgency=low * [83_dkimexpand.diff] Pulled from upstream git. Do not use string expansion on DKIM domain or identity. CVE-2011-1407. exim4 (4.72-6+squeeze1) stable-security; urgency=high * [82_dkimpercent.diff] Pulled from upstream git. Don't pass DKIM compound log line as format string. CVE-2011-1764. Closes: #624670 fakechroot (2.9-1.1+squeeze1) stable; urgency=low * Non-maintainer upload. * get debootstrap --variant=fakechroot working in squeeze again - fix length returned by readlink() (Closes: #561991) - add new utimensat to handle cp -dp (Closes: #588508) fcgiwrap (1.0-1+squeeze1) stable; urgency=low * Non-maintainer upload. * Unquote $pid and $DAEMON on stop_daemon() so it actually stops (closes: #602199). * Reduce the wait when just stopping (closes: #602200). fex (20100208+debian1-1+squeeze1) squeeze-security; urgency=high * Add debian/patches/07_fup.patch (backported from upstream): Security update for cgi-bin/fup to not allow everyone to upload files with empty auth-ID (fixes CVE-2011-1409) * Put myself into Uploaders gdm3 (2.30.5-6squeeze3) stable; urgency=low * 33_reset_signal_handler.patch: stolen upstream. Reset SIGPIPE handler before starting the session. * 34_postsession_shutdown.patch: stolen upstream. Execute the PostSession script even when GDM is killed or shut down. gdm3 (2.30.5-6squeeze2) stable-security; urgency=medium * Apply patch from Ray Strode to address CVE-2011-0727 git (1:1.7.2.5-2) stable; urgency=low * debian/git-daemon-run.postrm purge: terminate the git-daemon/log service before removing the gitlog user (closes: #610099). gitolite (1.5.4-2+squeeze1) squeeze-security; urgency=low * cherry-pick 4ce00a commit to fix security issue related to ACDs. gnome-settings-daemon (2.30.2-2+squeeze1) stable; urgency=low * 11_retry-startup.patch: when starting the Xsettings manager, try again several times because there is a race condition on the X side. Closes: #614682. ia32-libs (20110609) stable; urgency=low * Packages updated [ libxml2 (2.7.8.dfsg-2+squeeze1) stable-security; urgency=low ] * xpath.c: Fix some potential problems on reallocation failures. #628537. [ nss (3.12.8-1+squeeze1) stable-security; urgency=low ] * debian/rules: Fallback to DEB_BUILD_ARCH when dpkg-architecture does't support DEB_BUILD_ARCH_BITS. * debian/control: Lower build depends on dpkg-dev to (>= 1.13.19), which was the value before starting to use DEB_BUILD_ARCH_BITS. * mozilla/security/nss/lib/ckfw/builtins/certdata.*: Mark fraudulent Comodo certificates as untrusted. [ pulseaudio (0.9.21-3+squeeze1) stable; urgency=low ] * Team upload. * Fix pacmd hanging in poll() when reading from stdin very early. Patch extracted from upstream by Alexander Wuerstlein (#574589) [ tiff (3.9.4-5+squeeze2) stable-security; urgency=high ] * CVE-2009-5022: Buffer overflow in OJPEG support. (#624287) [ tiff (3.9.4-5+squeeze1) stable-security; urgency=high ] * CVE-2011-0192: Buffer overflow in Fax4Decode * CVE-2011-1167: Buffer overflow with thunder encoded files iceape (2.0.11-5) stable-security; urgency=low * Fixes for mfsa2011-{12-14,16}, also known as CVE-2011-0069, CVE-2011-0070, CVE-2011-0080, CVE-2011-0077, CVE-2011-0078, CVE-2011-0072, CVE-2011-0065, CVE-2011-0066, CVE-2011-0073, CVE-2011-0067, CVE-2011-0071. * gfx/ots/include/opentype-sanitiser.h: strict alignment issues when displaying OpenType fonts. bz#643137. iceape (2.0.11-4) stable-security; urgency=low * mfsa2011-11: Update to HTTPS certificate blacklist. icedove (3.0.11-1+squeeze2) stable-security; urgency=high * [66361e1] backported patches from xulrunner fixes mfsa2011-{12-14,16} - MFSA 2011-12 aka CVE-2011-0069, CVE-2011-0070, CVE-2011-0072, CVE-2011-0074, CVE-2011-0075, CVE-2011-0077, CVE-2011-0078, CVE-2011-0080: Miscellaneous memory safety hazards (rv:2.0.1/ 1.9.2.17/ 1.9.1.19) - MFSA 2011-13 aka CVE-2011-0065, CVE-2011-0066, CVE-2011-0073: Multiple dangling pointer vulnerabilities - MFSA 2011-14 aka CVE-2011-0067: Information stealing via form history - MFSA 2011-16 aka CVE-2011-0071: Directory traversal in resource: protocol * [8e5f78f] gfx/ots/include/opentype-sanitiser.h: strict alignment issues when displaying OpenType fonts. iceowl (1.0~b1+dfsg2-2+squeeze2) stable-proposed-updates; urgency=low * [0e4ac0a] Apply security updates from xulrunner/icedove: - MFSA 2011-12 aka CVE-2011-0069, CVE-2011-0070, CVE-2011-0072, CVE-2011-0074, CVE-2011-0075, CVE-2011-0077, CVE-2011-0078, CVE-2011-0080: Miscellaneous memory safety hazards (rv:2.0.1/ 1.9.2.17/ 1.9.1.19) - MFSA 2011-13 aka CVE-2011-0065, CVE-2011-0066, CVE-2011-0073: Multiple dangling pointer vulnerabilities - MFSA 2011-14 aka CVE-2011-0067: Information stealing via form history - MFSA 2011-16 aka CVE-2011-0071: Directory traversal in resource: protocol * [51a3ea8] gfx/ots/include/opentype-sanitiser.h: strict alignment issues when displaying OpenType font. Patch taken from icedove. iceweasel (3.5.16-6) stable-security; urgency=low * mfsa2011-11: Update to HTTPS certificate blacklist. ikiwiki (3.20100815.7) stable-security; urgency=high * meta: Security fix; don't allow alternative stylesheets to be added on pages where the htmlscrubber is enabled. CVE-2011-1401 im-config (0.3+squeeze1) stable; urgency=low * Fixed package removal side effects. Closes: #618021 inn (1:1.7.2q-39+squeeze1) proposed-updates; urgency=low * Stop using "sort +1n" in makehistory, because it is not supported anymore by the squeeze version of coreutils. (Closes: #612265) * Disable CHECK_INCLUDED_TEXT, we have perl filters to do this. (Closes: #573993) isc-dhcp (4.1.1-P1-15+squeeze2) stable-security; urgency=high * Fix cve-2011-0997: remote code execution vulnerability in dhclient. jabberd14 (1.6.1.1-5+squeeze1) stable-security; urgency=high * Non-maintainer upload by the Security Team. * Prevent entity expansion in order to prevent about the billion laughs DoS attack (CVE-2011-1754.dpatch). josm (0.0.svn3376-1+squeeze1) proposed-updates; urgency=low * Backport fixed failed authorisation dialog from 4021, gives more verbose message of why the authorisation process failed. (needed for OSM License Change Phase III) kde4libs (4:4.4.5-2+squeeze2) stable; urgency=low [ José Manuel Santamaría Lema ] * Fix CVE-2011-1168 (Konqueror partially universal XSS in error pages) by cve_2011_1168_konqueror_xss.diff. * Fix CVE-2010-3170 (browser wildcard cerficate validation weakness) for Konqueror by cve_2010_3170_cn_wildcards.diff. * Fix CVE-2011-1094 (kdelibs does not properly verify that the server hostname matches the Common Name of the Subject of an X.509 certificate if that CN is an IP address) by cve_2011_1094_ssl_verify_hostname.diff. [ Modestas Vainius ] * KTar: use unsigned arithmetic when calculating checksum of tar header record (as per ustar specification). However, when reading archive, verify checksum by calculating it both ways (unsigned and signed) and accept if either matches (partially solves #612675). Implemented in ktar_header_checksum_fix.diff patch. * Fix KTar longlink support when filenames are encoded in the UTF-8 (or other multibyte) locale. Implemented in ktar_longlink_length_in_bytes.diff patch (thanks to Ibragimov Rinat). Closes: #612675 kdenetwork (4:4.4.5-2+squeeze1) stable; urgency=low [ José Manuel Santamaría Lema ] * Add cve_2010_1000_directory_traversal.diff, note that CVE-2010-1000 was already fixed, but this patch performs a better protection against that vulnerability. kernel-wedge (2.74+squeeze3) stable-proposed-updates; urgency=low * scsi-extra-modules: hpsa * scsi-extra-modules: pm8001 * nic-extra-modules: bna kerneltop (0.8-2+squeeze1) stable; urgency=low * Non-maintainer upload. * Increase size of mapfile line buffer from 128 to 1024 (closes: #607309). Thanks to Marcin Szewczyk for the bug report. klibc (1.5.20-1+squeeze1) stable; urgency=low * ipconfig: handle multiple connected network dev. (closes: #621065) * ipconfig: Escape DHCP options. (CVE-2011-1930) krb5 (1.8.3+dfsg-4squeeze1) stable; urgency=low * Fix double free with pkinit on KDC, CVE-2011-0284, Closes: #618517 * Updated Danish debconf translations, thanks Joe Dalton, Closes: #584282 * KDC/LDAP DOS (CVE-2010-4022, CVE-2011-0281, and CVE-2011-0282, Closes: #613487 * Fix delegation of credentials against Windows servers; significant interoperability issue, Closes: #611906 * Set nt-srv-inst on TGS names to work against W2K8R2 KDCs, Closes: #616429 * Don't fail authentication when PAC verification fails; support hmac- md5 checksums even for non-RC4 keys, Closes: #616728 * Port fix to upstream ticket 6899: fix invalid free in kadmind change password case, Closes: #622681 kupfer (0+v201-2+squeeze1) stable; urgency=low * debian/patches/TYPE_UINT.patch: - Backport a fix from upstream git repository, use UINT signal parameter type to fix an issue with ui.keybindings (Closes: #615060). libburn (0.8.0.pl00-2+squeeze1) stable; urgency=low * Do not create images with overly-restrictive permissions (Closes: #623378) libcgroup (0.36.2-3+squeeze1) stable-security; urgency=low * [0cdfa74] Backport upstream fix for CVE-2011-1006 * [d5d5690] Backport upstream fix for CVE-2011-1022 libfinance-quotehist-perl (1.14-1+squeeze1) stable; urgency=low * Disable faulty unit tests. (Closts: #612914) libmms (0.6-1+squeeze1) stable; urgency=low * Apply patch by Paul Burton cherry-picked from upstream git to fix alignment issues on ARM (Closes: #611791). * Apply another patch backported from upstream git to fixup bswap.h macros. This patch does not change anything functionally, but it does make the code read correctly. libmodplug (1:0.8.8.1-1+squeeze1) stable-security; urgency=high * CVE-2011-1574 libmojolicious-perl (0.999926-1+squeeze2) stable-security; urgency=high * [SECURITY] Fix XSS vulnerability in link_to helper. Fixes CVE-2011-1841 (Closes: #626135). * [SECURITY] Add fix-CVE-2010-4803.patch. Fix not properly implemented HMAC-MD5 checksums. Fixes CVE-2010-4803. * [SECURITY] Add fix-CVE-2010-4802.patch. Fix broken CGI environment detection. Fixes CVE-2010-4802. libmojolicious-perl (0.999926-1+squeeze1) stable-security; urgency=high * [SECURITY] Add 622952-path-traversal-vulnerability.patch to fix path traversal security vulnerability. Fix CVE-2011-1589. (Closes: #622952). * Add improve-RFC3986-compliance-of-Mojo-Path.patch backported from upstream commit 748ef373291dd342c18a0811f967ea0d88df5368. This prevents FTBFS with the applied security patch. Thanks to Ansgar Burchardt (ansgar) for suggestion. libvirt (0.8.3-5+squeeze1) stable-security; urgency=low * [0ee351f] [CVE-2011-1146] Add missing checks for read only connections. Some API forgot to check the read-only status of the connection for entry point which modify the state of the system or may lead to a remote execution using user data. The entry points concerned are: - virConnectDomainXMLToNative - virNodeDeviceDettach - virNodeDeviceReAttach - virNodeDeviceReset - virDomainRevertToSnapshot - virDomainSnapshotDelete src/libvirt.c: fix the above set of entry points to error on read-only (Closes: #617773) libxml2 (2.7.8.dfsg-2+squeeze1) stable-security; urgency=low * xpath.c: Fix some potential problems on reallocation failures. Closes: #628537. linux-2.6 (2.6.32-35) stable; urgency=high [ Ben Hutchings ] * scsi: Add hpsa driver for HP Smart Array controllers - Disable binding to devices currently handled by cciss * scsi: Add pm8001 driver for PMC-Sierra SAS/SATA HBAs * bnx2i: Add support for BCM5771E * wl1251: Add support for PG11 chips * bnx2x: Add support for BCM84823 * ar9170usb: Add several additional USB device IDs * net: Add bna driver for Brocade Ethernet adapters * Add longterm release 2.6.32.40, including: - ubifs: Fix master node recovery - dasd: Correct device table (Closes: #607416) - udp: Fix bogus UFO packet generation (Closes: #626284) - pmcraid: Reject negative request size - af_unix: Only allow recv on connected seqpacket sockets. - usb: musb: core: set has_tt flag - NFS: nfs_wcc_update_inode() should set nfsi->attr_gencount (Closes: #617364) For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.40 * USB: Prevent buggy hubs from crashing the USB stack (deferred from 2.6.32.29 due to regressions which were fixed in 2.6.32.40) * [x86] cpu: Set ARAT feature on some AMD processors (deferred from 2.6.32.39 due to apparent regression which was fixed in 2.6.32.40) * [armel] Implement accept4() system call (Closes: #625752) * Add longterm release 2.6.32.41, including: - cifs: check for bytes_remaining going to zero in CIFS_SessSetup For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.41 * [x86] Do not enable ARAT feature on AMD processors below family 0x12 [ Ian Campbell ] * Remove lazy vunmap for non-Xen flavours too. (Closes: #613634) [ dann frazier ] * efi: corrupted GUID partition tables can cause kernel oops (CVE-2011-1577) * tunnels: fix netns vs proto registration ordering (CVE-2011-1768) * fs/partitions/ldm.c: fix oops caused by corrupted partition table (CVE-2011-1017) linux-2.6 (2.6.32-34squeeze1) stable-security; urgency=high * Validate size of EFI GUID partition entries (CVE-2011-1776) * [cifs] fix session reuse issue (CVE-2011-1585): - cifs: clean up cifs_find_smb_ses - cifs: fix NULL pointer dereference in cifs_find_smb_ses - cifs: check for NULL session password * gre: fix netns vs proto registration ordering (CVE-2011-1767) * dccp: handle invalid feature options length (CVE-2011-1770) * [arm] 6891/1: prevent heap corruption in OABI semtimedop (CVE-2011-1759) linux-2.6 (2.6.32-34) stable; urgency=high [ Ian Campbell ] * [xen] backport fixes to vmalloc_sync_all (Closes: #614400) [ Bastian Blank ] * [x86] Revert "x86: Cleanup highmap after brk is concluded" (closes: #621072) * [xen] Remove lazy vunmap completely. (closes: #613634) [ Ben Hutchings ] * usb-audio: Reduce packet size for some buggy USB MIDI devices (Closes: #617743) * [sparc] serial: Enable SERIAL_8250, SERIAL_8250_PCI as modules (Closes: #622779) * [amd64] Revert "Save cr4 to mmu_cr4_features at boot time", unneeded after "x86: Cleanup highmap after brk is concluded" was reverted * Add longterm releases 2.6.32.37 and 2.6.32.38, including: - ALSA: Fix yet another race in disconnection - myri10ge: Fix rmmod crash - cciss: Fix lost command issue - ses: Avoid kernel panic when lun 0 is not mapped - eCryptfs: Unlock page in write_begin error path - signal: Relax signal code checks (regression due to fix for CVE-2011-1182) - irda: Prevent heap corruption on invalid nickname - nilfs2: Fix data loss in mmap page write for hole blocks - ROSE: Prevent heap corruption with bad facilities (CVE-2011-1493) - [x86] mtrr, pat: Fix one cpu getting out of sync during resume - ath9k: Fix a chip wakeup related crash in ath9k_start - ubifs: Fix oops on error path in read_pnode - ubifs: Fix debugging failure in dbg_check_space_info - quota: Don't write quota info in dquot_commit() - mm: Avoid wrapping vm_pgoff in mremap() - b43: Allocate receive buffers big enough for max frame len + offset - ocfs2: Treat writes as new when holes span across page boundaries - tpm: Fix unitialized usage of data buffer (CVE-2011-1160) - ipt_CLUSTERIP: fix buffer overflow - ab3100, rtc-ds1511, ep93xx_pwm: Restrict write permissions on files in debugfs/sysfs - gro: Reset more skb fields on reuse (CVE-2011-1478) - [x86] microcode, AMD: Allow larger microcode for family 15h - squashfs: Handle corruption of directory structure - sctp: Calculate the INIT/INIT-ACK chunk length correctly - ext4: Fix credits computing for delalloc for indirect mapped files - nfsd: Fix auth_domain reference leak on nlm operations For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.37 http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.38 * nfsd: NFSv4: Allow opening existing files with O_CREAT flag in non-writable directories (Closes: #617508) * Add previously missed drm changes from 2.6.32.y+drm33.z: - i915_gem: Return -EFAULT if copy_to_user fails - drm/kms: Remove spaces from connector names, so they can be named in the 'video' parameter on the kernel command line * atl1c: Fix duplication of packet headers when using sendfile (Closes: #623059) * [powerpc] Apply kexec fix from 2.6.32.34, avoiding ABI change [ dann frazier ] * Add longterm release 2.6.32.39, including: - next_pidmap: fix overflow condition (CVE-2011-1593) For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.39 (Closes: #624268) * Revert AMD deep C changes from 2.6.32.39 * fs/partitions/ldm.c: fix oops caused by corrupted partition table (CVE-2011-1017) * mpt2sas: prevent heap overflows and unchecked reads (CVE-2011-1494) * can: Add missing socket check in can/bcm release (CVE-2011-1598) * can: Add missing socket check in can/raw release (CVE-2011-1748) * agp: fix arbitrary kernel memory writes (CVE-2011-1745) * agp: fix OOM and buffer overflow (CVE-2011-1746) [ Frederik Schüler ] * aacraid: Add new code for PMC-Sierra's SRC based controller family linux-2.6 (2.6.32-33) stable; urgency=high [ maximilian attems ] * Add drm changes from 2.6.32.28+drm33.13: - drm/radeon/kms: Fix retrying ttm_bo_init() after it failed once. - drm/radeon: fall back to GTT if bo creation/validation in VRAM fails. [ Ben Hutchings ] * [x86] Enable VMWARE_PVSCSI as module (Really closes: #600957) * via-ircc: Fix device list management and DMA buffer allocation (Closes: #619450) * [amd64] Save cr4 to mmu_cr4_features at boot time (Closes: #620284) [ dann frazier ] * xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1 This fixes a panic caused by a regression introduced by the fix for CVE-2011-0711. * [powerpc] Revert kdump fix from 2.6.32.34 (FTBFS) * [powerpc] Revert kexec fix from 2.6.32.34 to avoid ABI change * irda: validate peer name and attribute lengths (CVE-2011-1180) linux-2.6 (2.6.32-32) stable; urgency=low [ Ben Hutchings ] * tulip: Add support for Microsoft MN-120 PCMCIA network card (Closes: #617917) * [x86] Add vmw_pvscsi driver and enable as module, for use in VMware guests (Closes: #600957) * Add longterm release 2.6.32.33, including: - keyboard: Fix integer underflow bug - RxRPC: Fix v1 keys - mm: Fix possible cause of a page_mapped BUG - nfsd: Fix wrong index used in NFSv4 session creation - comedi/jr3_pci: Don't ioremap too much space. Check result. (Closes: #618309) - Defer netdev module loading changes For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.33 * Revert "drm/i915: Add pipe A force quirk for some laptops" (Closes: #618665; reopens: #608148) * scsi: Re-enable SCSI_PROC_FS (/proc/scsi directory) (Closes: #618258) * [vserver] Complete fix for CVE-2010-4243 (Closes: #618485) * [x86] quirk: Fix SB600 revision check (regression in 2.6.32.30) * r8169: Fix up backport of "r8169: keep firmware in memory." (Closes: #619173) * [armel,hppa] Disable XFS_FS. It did not work correctly on these architectures until Linux 2.6.34. (Closes: #423562) * btrfs, ext4: Disable FS_IOC_FIEMAP ioctl. It does not work correctly for extents that are subject to delayed allocation. (Closes: #615035) * Add longterm release 2.6.32.36, including: - signal: Prevent rt_sigqueueinfo and rt_tgsigqueueinfo from spoofing the signal code (CVE-2011-1182) - ext3: Skip orphan cleanup on rocompat fs - proc: Protect mm start_code/end_code in /proc/pid/stat - nfsd: Fix internal NFSv4.1 operation flags to be non-overlapping - nfsd: Fix wrong limit used in NFSv4 session creation - cdc-acm: Fix various bugs that can lead to a crash or memory corruption - xen-kbdfront: Advertise either absolute or relative coordinates For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.36 [ dann frazier ] * Fix corrupted OSF partition table parsing (CVE-2011-1163) * xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1 (CVE-2011-0711) * Add longterm releases 2.6.32.34 and 2.6.32.35, including: - RDMA/cma: Fix crash in request handlers (CVE-2011-0695) For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.34 http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.35 * drm/radeon/kms: check AA resolve registers on r300 (CVE-2011-1016) * Bluetooth: sco: fix information leak to userspace (CVE-2011-1078) * Bluetooth: bnep: fix buffer overflow (CVE-2010-1079) * bridge: netfilter: fix information leak (CVE-2011-1080) * nfs4: Ensure that ACL pages sent over NFS were not allocated from the slab (CVE-2011-1090) * netfilter: arp_tables: fix infoleak to userspace (CVE-2011-1170) * netfilter: ip_tables: fix infoleak to userspace (CVE-2011-1171) * ipv6: netfilter: ip6_tables: fix infoleak to userspace (CVE-2011-1172) * econet: 4 byte infoleak to the network (CVE-2011-1173) linux-kernel-di-amd64-2.6 (1.76+squeeze3) squeeze; urgency=low * Rebuild against kernel-wedge 2.74+squeeze3 linux-kernel-di-amd64-2.6 (1.76+squeeze2) squeeze; urgency=low * Built against version 2.6.32-35 of linux-2.6. linux-kernel-di-armel-2.6 (1.56+squeeze3) squeeze; urgency=low * Rebuild against kernel-wedge 2.74+squeeze3 linux-kernel-di-armel-2.6 (1.56+squeeze2) squeeze; urgency=low * Built against version 2.6.32-35 of linux-2.6. linux-kernel-di-i386-2.6 (1.99+squeeze3) squeeze; urgency=low * Rebuild against kernel-wedge 2.74+squeeze3 linux-kernel-di-i386-2.6 (1.99+squeeze2) squeeze; urgency=low * Built against version 2.6.32-35 of linux-2.6. linux-kernel-di-ia64-2.6 (1.63+squeeze3) squeeze; urgency=low * Rebuild against kernel-wedge 2.74+squeeze3 linux-kernel-di-ia64-2.6 (1.63+squeeze2) squeeze; urgency=high * pata-modules: add * Built against version 2.6.32-35 of linux-2.6. linux-kernel-di-mips-2.6 (1.31+squeeze3) squeeze; urgency=low * Rebuild against kernel-wedge 2.74+squeeze3 linux-kernel-di-mips-2.6 (1.31+squeeze2) squeeze; urgency=low * Built against version 2.6.32-35 of linux-2.6. linux-kernel-di-mipsel-2.6 (1.31+squeeze3) squeeze; urgency=low * Rebuild against kernel-wedge 2.74+squeeze3 linux-kernel-di-mipsel-2.6 (1.31+squeeze2) squeeze; urgency=low * Built against version 2.6.32-35 of linux-2.6. linux-kernel-di-powerpc-2.6 (1.76+squeeze3) squeeze; urgency=low * Rebuild against kernel-wedge 2.74+squeeze3 linux-kernel-di-powerpc-2.6 (1.76+squeeze2) squeeze; urgency=low * Built against version 2.6.32-35 of linux-2.6. linux-kernel-di-s390-2.6 (0.59+squeeze3) squeeze; urgency=low * Rebuild against kernel-wedge 2.74+squeeze3 linux-kernel-di-s390-2.6 (0.59+squeeze2) squeeze; urgency=low * Built against version 2.6.32-35 of linux-2.6. linux-kernel-di-sparc-2.6 (1.64+squeeze3) squeeze; urgency=low * Rebuild against kernel-wedge 2.74+squeeze3 linux-kernel-di-sparc-2.6 (1.64+squeeze2) squeeze; urgency=low * Built against version 2.6.32-35 of linux-2.6. lua-expat (1.2.0-0squeeze1) stable; urgency=low * new upstream release adding APIs to prevent the “billion laughs” denial-of-service attack (Closes: #629225) lua-expat (1.1.0-4) unstable; urgency=low * depend on lua5.1-policy-dev >= 27 to kill all .la files (Closes: #620600) mahara (1.2.6-2+squeeze2) stable-security; urgency=high * SECURITY UPDATE: fixes to session key validation (CSRF) - debian/patches/CVE-2011-1403.patch: upstream patch * SECURITY UPDATE: privilege escalations - debian/patches/CVE-2011-1402.patch: upstream patch * SECURITY UPDATE: information disclosure in AJAX calls - debian/patches/CVE-2011-1404.patch: upstream patch * SECURITY UPDATE: https to http downgrade - debian/patches/CVE-2011-1406.patch: upstream patch * SECURITY UPDATE: sanitisation of HTML emails - debian/patches/CVE-2011-1405.patch: upstream patch mahara (1.2.6-2+squeeze1) stable-security; urgency=high * SECURITY UPDATE: cross-site scripting vulnerability - debian/patches/CVE-2011-0439.dpatch: upstream patch - CVE-2011-0439 * SECURITY UPDATE: possible cross-site request forgery (deleting blogs) - debian/patches/CVE-2011-0440.dpatch: upstream patch - CVE-2011-0440 monkeysphere (0.31-4) stable; urgency=low * fix monkeysphere-host revoke-key (Closes: #607596) moodle (1.9.9.dfsg2-2.1+squeeze1) stable-security; urgency=high * Backporting security fixes from Moodle 1.9.11 and 1.9.12 - MSA-11-0002 Cross-site request forgery vulnerability in RSS block (MDL-18839) - MSA-11-0003 Cross-site scripting vulnerability in tag autocomplete (MDL-25754) - MSA-11-0008 IMS enterprise enrolment file may disclose sensitive information (MDL-26189) - MSA-11-0011 Multiple cross-site scripting problems in media filter (MDL-26030) - MSA-11-0015 Cross Site Scripting through URL encoding (MDL-26966) - MSA-11-0013 Group/Quiz permissions issue (MDL-25122) movabletype-opensource (4.3.5+dfsg-2+squeeze2) stable-security; urgency=low * Apply patch from 4.361 fixing various security vulnerabilities (closes: #629937) nagios-plugins (1.4.15-3squeeze1) stable-proposed-updates; urgency=low * Add 14_check_icmp_multiple_ips.dpatch (Closes: #623702), thanks Max Kosmach for spotting and Sebastian Harl for providing a fix - When specifying a host-name on the command line, each of its IPs is added to the host table (and each one is pinged). So, the buffer has to be large enough to hold all of the respective host objects. (argc - 1) only fits hosts with a single IP. nsd3 (3.2.5-1.squeeze1) stable; urgency=low * Fix statoverride file breakage (Closes: #621071) nss (3.12.8-1+squeeze1) stable-security; urgency=low * debian/rules: Fallback to DEB_BUILD_ARCH when dpkg-architecture does't support DEB_BUILD_ARCH_BITS. * debian/control: Lower build depends on dpkg-dev to (>= 1.13.19), which was the value before starting to use DEB_BUILD_ARCH_BITS. * mozilla/security/nss/lib/ckfw/builtins/certdata.*: Mark fraudulent Comodo certificates as untrusted. openjdk-6 (6b18-1.8.7-2~squeeze1) stable-security; urgency=low * Build on stable. * Switch to hs14. openjdk-6 (6b18-1.8.7-1) unstable; urgency=medium * IcedTea6 1.9.7 release. - S6878713, CVE-2010-4469: Hotspot backward jsr heap corruption. - S6907662, CVE-2010-4465: Swing timer-based security manager bypass. - S6994263, CVE-2010-4472: Untrusted code allowed to replace DSIG/C14N implementation. - S6981922, CVE-2010-4448: DNS cache poisoning by untrusted applets. - S6983554, CVE-2010-4450: Launcher incorrect processing of empty library path entries. - S6985453, CVE-2010-4471: Java2D font-related system property leak. - S6927050, CVE-2010-4470: JAXP untrusted component state manipulation. - CVE-2011-0706: Multiple signers privilege escalation. * IcedTea6 1.9.6 release. - S4421494, CVE-2010-4476: infinite loop while parsing double literal. openjdk-6 (6b18-1.8.5-1) unstable; urgency=high * IcedTea6 1.8.5 release. - CVE-2011-0025: IcedTea jarfile signature verification bypass. openjdk-6 (6b18-1.8.4-1) unstable; urgency=high * IcedTea6 1.8.4 release. - Fix CVE-2010-4351: IcedTea JNLP SecurityManager bypass. openjdk-6 (6b18-1.8.3-2+squeeze1) stable-security; urgency=high * Added floating point securityfix from OpenJDK 7. http://hg.openjdk.java.net/jdk7/tl/jdk/rev/82c8c54ac1d5 (CVE-2010-4476). Closes: #612660. openldap (2.4.23-7.2) stable; urgency=low * Non-maintainer upload targeted at stable. * Fix "dpkg-reconfigure slapd". Closes: #596343 openldap (2.4.23-7.1) stable; urgency=low * Non-maintainer upload targeted at stable. * Picked the following patches from various sources: [ Matthijs Möhlmann ] * Update patch service-operational-before-detach (Closes: #616164, #598361) [ Ubuntu Security Team / Jamie Strandboge ] * SECURITY UPDATE: fix successful anonymous bind via chain overlay when using forwarded authentication failures - debian/patches/CVE-2011-1024 - CVE-2011-1024 * SECURITY UPDATE: verify password when authenticating to rootdn and using ndb backend. Note: Debian is not compiled with --enable-ndb by default - debian/patches/CVE-2011-1025 - CVE-2011-1025 * SECURITY UPDATE: fix DoS when processing unauthenticated modrdn requests and requestDN is empty - debian/patches/CVE-2011-1081 - CVE-2011-1081 - LP: #742104, Closes: 617606 oprofile (0.9.6-1.1+squeeze1) stable-security; urgency=high * Non-maintainer upload by the Security Team. * Add patches by William Cohen to fix argument sanitation, CVE-2011-1760. This fixes the arbitrary command execution via opcontrol. (Closes: #624212) otrs2 (2.4.9+dfsg1-3+squeeze1) stable-security; urgency=high [ Thomas Mueller ] * Add security patch: - 16-security-osa-2011-01.diff * Title: Several XSS attacks possible * CVE: CVE-2011-1518 * Upstream information: http://otrs.org/advisory/OSA-2011-01-en/ [ Patrick Matthäi ] * Fix bug with upgrades from Lenny to Squeeze, because of an missing sanity check in preinst. Closes: #625605 perl (5.10.1-17squeeze1) stable-security; urgency=low * [SECURITY] CVE-2011-1487: taint laundering in lc, uc, et al. (Closes: #622817) php5 (5.3.3-7+squeeze1) squeeze-security; urgency=high * Fix CVE-2011-0441: arbitrary files removal via cronjob (Closes #618489) pianobar (2010.11.06-1+squeeze1) stable; urgency=low * XMLRPC api version bump (v30) (closes: #624326) - Include new API keys, no other API changes postfix (2.7.1-1+squeeze1) stable-security; urgency=high * Fix data injection in TLS handshaking (CVE-2011-0411) * Don't reuse the SASL handle after authentication failure (CVE-2011-1720) postgresql-8.4 (8.4.8-0squeeze1) stable; urgency=low * New upstream bug fix release: (Closes: #626559) - If your installation was upgraded from a previous major release by running pg_upgrade, you should take action to prevent possible data loss due to a now-fixed bug in pg_upgrade. The recommended solution is to run "VACUUM FREEZE" on all TOAST tables. More information is available at http://wiki.postgresql.org/wiki/20110408pg_upgrade_fix. - Fix pg_upgrade's handling of TOAST tables. This error poses a significant risk of data loss for installations that have been upgraded with pg_upgrade. This patch corrects the problem for future uses of pg_upgrade, but does not in itself cure the issue in installations that have been processed with a buggy version of pg_upgrade. - Suppress incorrect "PD_ALL_VISIBLE flag was incorrectly set" warning. - Disallow including a composite type in itself. - Avoid potential deadlock during catalog cache initialization. - Fix dangling-pointer problem in BEFORE ROW UPDATE trigger handling when there was a concurrent update to the target tuple. - Disallow "DROP TABLE" when there are pending deferred trigger events for the table. Formerly the "DROP" would go through, leading to "could not open relation with OID nnn" errors when the triggers were eventually fired. - Prevent crash triggered by constant-false WHERE conditions during GEQO optimization. - Improve planner's handling of semi-join and anti-join cases. - Fix selectivity estimation for text search to account for NULLs. - Improve PL/pgSQL's ability to handle row types with dropped columns. - Fix PL/Python memory leak involving array slices. - Fix pg_restore to cope with long lines (over 1KB) in TOC files. - Put in more safeguards against crashing due to division-by-zero with overly enthusiastic compiler optimization. (Closes: #616180) postgresql-8.4 (8.4.7-1) unstable; urgency=low * New upstream security/bug fix release: - Fix buffer overrun in "contrib/intarray"'s input function for the query_int type. This bug is a security risk since the function's return address could be overwritten. Thanks to Apple Inc's security team for reporting this issue and supplying the fix. (CVE-2010-4015) - Avoid failures when "EXPLAIN" tries to display a simple-form CASE expression. If the CASE's test expression was a constant, the planner could simplify the CASE into a form that confused the expression-display code, resulting in "unexpected CASE WHEN clause" errors. - Fix assignment to an array slice that is before the existing range of subscripts. If there was a gap between the newly added subscripts and the first pre-existing subscript, the code miscalculated how many entries needed to be copied from the old array's null bitmap, potentially leading to data corruption or crash. - Avoid unexpected conversion overflow in planner for very distant date values. The date type supports a wider range of dates than can be represented by the timestamp types, but the planner assumed it could always convert a date to timestamp with impunity. - Fix pg_restore's text output for large objects (BLOBs) when standard_conforming_strings is on. Although restoring directly to a database worked correctly, string escaping was incorrect if pg_restore was asked for SQL text output and standard_conforming_strings had been enabled in the source database. - Fix erroneous parsing of tsquery values containing ... & !(subexpression) | ... . Queries containing this combination of operators were not executed correctly. The same error existed in "contrib/intarray"'s query_int type and "contrib/ltree"'s ltxtquery type. - Fix bug in "contrib/seg"'s GiST picksplit algorithm. This could result in considerable inefficiency, though not actually incorrect answers, in a GiST index on a seg column. If you have such an index, consider "REINDEX"ing it after installing this update. (This is identical to the bug that was fixed in "contrib/cube" in the previous update.) prosody (0.7.0-1squeeze1) stable; urgency=low * Secutiry fix for the “billion laughs” denial-of-service attack (Closes: #629234) puppet (2.6.2-5) stable; urgency=low [ Micah Anderson ] * Fix puppet service provider to properly use update-rc.d disable API, (Closes: #573551) python-apt (0.7.100.1+squeeze1) stable; urgency=low [ Michael Vogt ] * python/apt_pkgmodule.cc: - strip multiarch by default in RealParseDepends - add optional parameter to allow parse_depends() to keep the multiarch parameter * tests/test_deps.py: - add test forapt_pkg.parse_depends(strip_multiarch=True) * python/arfile.cc, apt/debfile.py: - add support for .xz archives * tests/test_debfile.py: - add test for xz compression [ Julian Andres Klode ] * tests/test_debfile.py: - Fix mixed tab/spaces indentation in xz test python-gudev (147.2-1+squeeze1) stable; urgency=low * Depends on python-gobject (Closes: #612214). * Update debian/gbp.conf file. q4wine (0.118-5) squeeze-proposed-updates; urgency=low * Added debian/patches/ to fix libq4wine-core.so destination from /usr/lib64/q4wine/ to /usr/lib/q4wine/ (Closes: #612027) qemu (0.12.5+dfsg-3squeeze1) squeeze-proposed-updates; urgency=low * Don't register qemu-mips(el) with binfmt on mips(el). Closes: #618369. * mips hosts: fix branch target change during code retranslation. qemu-kvm (0.12.5+dfsg-5+squeeze3) stable; urgency=low * cirrus_vga:fix-division-by-0-for-color-expansion-rop-92d675d1c1.diff (fix from upstream) - fixes division by zero with some guests like WinNT 4.0 and WinME. * fix-vnc-zlib-overflow.diff (backport from 0.14) (closes: #616159) * qdev-dont-hw_error-in-qdev_init_nofail-bd6c9a61.diff - don't abort but exit on user errors (closes: #619452) * fix transitional kvm package description (closes: #625206) * fix long-standing migration bug on 32bits (closes: #625571) qemu-kvm (0.12.5+dfsg-5+squeeze2) stable-security; urgency=high * fix CVE-2011-1751 for 0.12. The actual fix is in hotplug-4-ignore-pci-hotplug-requests-for-unpluggable-devices-CVE-2011-1751 but that change, while trivial, required 6 more changes to be backported to 0.12: o pci-cleanly-backout-of-pci_qdev_init-925fe64ae7 (moving common code to a separate function and using it from another place to fix a memory leak) o hotplug-0-acpi_piix4-qdevfy-e8ec0571e1 this qdevifies acpi_piix4 device o hotplug-1-pci-allow-devices-being-tagged-as-not-hotpluggable-180c22e18b introduce a "no_hotplug" attribute and check it in common places to ensure such devices wont be hot-(un)plugged. This needs the pci-cleanly-backout-of-pci_qdev_init patch mentioned above o hotplug-2-piix-tag-as-not-hotpluggable-0965f12da6 o hotplug-3-vga-tag-as-not-hotplugable-be92bbf73d mark certain devices as non-hotpluggable And finally the actual fix for CVE-2011-1751, which verifies the no_hotplug attribute when handling hot-unplug request from guest. (closes: #627448) qemu-kvm (0.12.5+dfsg-5+squeeze1) stable-security; urgency=high * fix CVE-2011-0011: Setting VNC password to empty string silently disables all authentication (Closes: #611134) * fix CVE-2011-1750: virtio-blk: heap buffer overflow caused by unaligned requests (Closes: #624177) * urgency is high due to #624177 qt4-x11 (4:4.6.3-4+squeeze1) stable; urgency=low [ José Manuel Santamaría Lema ] * Blacklist a set of fraudulent ssl certificates; to perform this blacklisting we need these patches: - blacklist_fraudulent_comodo_certificates.diff - ssl_certificate_large_sn.diff * Fix CVE-2010-3170 (browser wildcard cerficate validation weakness) with cve_2010_3170_ssl_certificates_wildcard.diff. This problem affects the Arora web browser. quagga (0.99.17-2+squeeze2) stable-security; urgency=high * Fix crash in Extended Communities handling (CVE-2010-1674) * Remove support for AS_PATHLIMIT (CVE-2010-1675) * Fix format string issue in vty_hello rails (2.3.5-1.2+squeeze0.1) stable-security; urgency=low * Non-maintainer upload. * Fix CVE-2011-0446: Be sure to javascript_escape the email address to prevent apostrophes inadvertently causing javascript errors. * Fix CVE-2011-0447: Change the CSRF whitelisting to only apply to get requests (Closes: #614864) redmine (1.0.1-2) stable-security; urgency=high * Security update, fixes - Infoleak in journals controller, - Persistent XSS in issue description, - Command Execution in repository. (Closes: #608397) refpolicy (2:0.2.20100524-7+squeeze1) stable; urgency=low * Like the 2:0.2.20100524-8 that was uploaded to unstable. * Add tunable user_manage_dos_files which defaults to true * Correctly label /usr/lib/xulrunner-1.9.1/xulrunner-stub * Allow mozilla to create directories under /tmp * Use correct label for /usr/lib/upower/upowerd * Dontaudit bind_t write attempts to / for lwresd calling access(".", W_OK) * Allow user domains to execute mysqld_exec_t, for KDE * Label /var/lib/fetchmail as fetchmail_uidl_cache_t and allow fetchmail_t to search /var/lib and manage fetchmail_uidl_cache_t dirs * Allow xm_t to read kernel image files, needed for DomU startup on boot * Allow gpg_agent_t to read etc_t files and sysctl_crypto_t. * Allow network manager to run wpa_cli_exec_t programs. reprepro (4.2.0-2squeeze1) stable-proposed-updates; urgency=low * handle Release files without MD5Sum (Closes: 614361) request-tracker3.8 (3.8.8-7+squeeze1) stable-security; urgency=high * Security fix: fix information leakage in scrips (Closes: 614576; CVE-2011-1008) * Multiple security fixes for: - Remote code execution in external custom fields (CVE-2011-1685) - Information disclosure via SQL injection (CVE-2011-1686) - Information disclosure via search interface (CVE-2011-1687) - Information disclosure via directory traversal (CVE-2011-1688) - User javascript execution via XSS vulnerability (CVE-2011-1689) - Authentication credentials theft (CVE-2011-1690) ruby1.8 (1.8.7.302-2squeeze1) stable; urgency=low * Add Conflicts and Replaces to libruby1.8 for irb1.8 and rdoc1.8. Closes: #608582 samba (2:3.5.6~dfsg-3squeeze4) stable-proposed-updates; urgency=low * Document the newly introduced "map untrusted to domain" parameter and its default value that can lead to disruptive behavioral changes when upgrading from pre-3.5 versions. Closes: #623190 * Fix "tdb2.so undefined symbol: dyn_get_STATEDIR" by fixing a typo in fhs-filespath.patch. Closes: #629183, LP: #789097 samba (2:3.5.6~dfsg-3squeeze3) stable-proposed-updates; urgency=low * Cherry-picked fixes from samba 3.5.8 for some important bugs: - Upstream bug 7567: printing from Windows 7 fails with 0x000003e6. Closes: #617429 - Upstream bug 6727: printer device settings not saved for normal domain users. Closes: #611177 - Upstream bug 7777: winbind leaks gids with idmap ldap backend Closes: #613624 - Upstream bug 7880: rpcclient deldriver does not remove drivers from all architectures. schroot (1.4.19-1+squeeze1) stable-proposed-updates; urgency=low * dchroot-dsa: Use current interface for loading dchroot.conf, rather than the old, which caused a fatal exception (Closes: #626503). softhsm (1.1.4-4+squeeze1) stable; urgency=low * Remove dpkg-statoverride entries first then remove group (Closes: #619810) spip (2.1.1-3squeeze1) stable-security; urgency=high * Updated security screen. Fixes a vulnerability that enabled a connected author to disconnect the website from its database. sun-java6 (6.26-0squeeze1) stable; urgency=high [ Sylvestre Ledru ] * New upstream release (Closes: #629852) * SECURITY UPDATE: multiple upstream vulnerabilities. Upstream fixes: - (CVE-2011-0862): integer overflows in JPEGImageReader and font SunLayoutEngine (2D, 7013519) - (CVE-2011-0873): unspecified vulnerability fixed in 6u26 (2D) - (CVE-2011-0815): FileDialog.show() buffer overflow (AWT, 7012520) - (CVE-2011-0817): unspecified vulnerabilities fixed in 6u26 (Deployment, JRE) - (CVE-2011-0863): unspecified vulnerability fixed in 6u26 (Deployment) - (CVE-2011-0864): JVM memory corruption via certain bytecode (HotSpot, 7020373) - (CVE-2011-0802): unspecified vulnerabilities fixed in 6u26 (Sound) - (CVE-2011-0814): unspecified vulnerabilities fixed in 6u26 (Sound) - (CVE-2011-0871): MediaTracker created Component instances with unnecessary privileges (Swing, 7020198) - (CVE-2011-0786): unspecified vulnerabilities fixed in 6u26 (Deployment, JRE) - (CVE-2011-0788): unspecified vulnerabilities fixed in 6u26 (Deployment, JRE) - (CVE-2011-0866): unspecified vulnerabilities fixed in 6u26 (Deployment, JRE) - (CVE-2011-0868): incorrect numeric type conversion in TransformHelper (2D, 7016495) - (CVE-2011-0872): non-blocking sockets incorrectly selected for reading (NIO, 6213702) - (CVE-2011-0867): NetworkInterface information leak (Networking, 7013969) - (CVE-2011-0869): unprivileged proxy settings change via SOAPConnection (SAAJ, 7013971) - (CVE-2011-0865): Deserialization allows creation of mutable SignedObject (Deserialization, 6618658) [ Torsten Werner ] * Upload to stable. sun-java6 (6.25-3) unstable; urgency=low * For now, revert changes of upload 6.25-2 due to license reasons. In touch with upstream about this issue. sun-java6 (6.25-2) unstable; urgency=low * sun-java6-fonts can be installed without installing the jre (Closes: #625617) sun-java6 (6.25-1) unstable; urgency=low * New upstream release * Standards-Version updated to version 3.9.2 * Suggests default-jdk-doc instead of openjdk-6-doc * Update of the lintian overrides about embedded-library sun-java6 (6.24-2) unstable; urgency=low * Remove Build-Depends: libxp6. (Closes: #623657) sun-java6 (6.24-1) unstable; urgency=high * New upstream release * Watch file added * Homepage updated to http://jdk-distros.java.net/ * SECURITY UPDATE: multiple upstream vulnerabilities. Upstream fixes: - (CVE-2010-4476): Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number. - (CVE-2010-4452): Oracle Java XGetSamplePtrFromSnd Remote Code Execution Vulnerability - (CVE-2010-4454): Vulnerability allows successful unauthenticated network attacks via multiple protocols. - (CVE-2010-4462): XGetSamplePtrFromSnd Remote Code Execution Vulnerability - (CVE-2010-4463): Webstart Trusted JNLP Extension Remote Code Execution Vulnerability - (CVE-2010-4465): Swing timer-based security manager bypass - (CVE-2010-4467): Vulnerability allows successful unauthenticated network attacks via multiple protocols. - (CVE-2010-4469): Hotspot backward jsr heap corruption - (CVE-2010-4473): Vulnerability allows successful unauthenticated network attacks via multiple protocols. - (CVE-2010-4422): Vulnerability allows successful unauthenticated network attacks via multiple protocols. - (CVE-2010-4451): Vulnerability allows successful unauthenticated network attacks via HTTP. - (CVE-2010-4466): Runtime NTLM Authentication Information Leakage Vulnerability - (CVE-2010-4470): JAXP untrusted component state manipulation - (CVE-2010-4471): Java2D font-related system property leak - (CVE-2010-4447): Vulnerability allows successful unauthenticated network attacks via multiple protocols. - (CVE-2010-4475): vulnerability allows successful unauthenticated network attacks via multiple protocols. - (CVE-2010-4468): DNS cache poisoning by untrusted applets - (CVE-2010-4450): Launcher incorrect processing of empty library path entries - (CVE-2010-4448): DNS cache poisoning by untrusted applets - (CVE-2010-4472): Untrusted code allowed to replace DSIG/C14N implementation - (CVE-2010-4474): Easily exploitable vulnerability requiring logon to Operating System. tex-common (2.08.1) stable-security; urgency=high * disable shell_escape completely tgt (1:1.0.4-2squeeze1) stable-security; urgency=high * iscsi: fix buffer overflow before login (CVE-2011-0001) tinyproxy (1.8.2-1squeeze1) stable-security; urgency=low * Add netmask_generation.patch: fix bug in ACL netmask generation, which could allow to use Tinyproxy as an open proxy very easily [CVE-2011-1499] (closes: #621493). tmux (1.3-2+squeeze1) stable-security; urgency=high * Fix "Incorrect dropping of privileges allows users to obtain utmp group privileges" by adjusting patch 04_drop_unnecessary_privileges.diff to drop privileges at the caller side (Closes: #620304). tzdata (2011d-0squeeze1) stable; urgency=low * New upstream release. tzdata (2011d-0lenny1) oldstable; urgency=low * New upstream release . - Contains Turkish DST change. tzdata (2011c-1) unstable; urgency=low * New upstream release. user-mode-linux (2.6.32-1um-4+34squeeze1) stable-security; urgency=high * Rebuild against linux-source-2.6.32 (2.6.32-34squeeze1), whose changelog can be viewed at: http://packages.debian.org/changelogs/pool/main/l/linux-2.6/linux-2.6_2.6.32-34squeeze1/changelog vimperator (2.3.1-0+squeeze1) stable-security; urgency=low * New upstream point release: - vimperator now works again with version of iceweasel in squeeze (closes: #617789, #600278, #560138, #603258, #534477) * Update debian/copyright with new upstream license * Update maintainer field * Move git repo to collab-maint on git.debian.org * Update homepage and download URL vino (2.28.2-2+squeeze1) stable-security; urgency=high * 05_avoid_out-of-bounds_memory_accesses.patch: from upstream fixing CVE-2011-0904 and CVE-2011-0905 vlc (1.1.3-1squeeze6) stable-security; urgency=high * Non-maintainer upload by the Security Team. * Fix integer overflow in demux/playlist/xspf.c leading to heap overflow (CVE-2011-2194). vlc (1.1.3-1squeeze5) stable-security; urgency=high * Non-maintainer upload by the Security Team. * Fix heap-based buffer overflow in mp4 decoder, VideoLAN-SA-1103. vlc (1.1.3-1squeeze4) stable-security; urgency=high * CVE-2010-3275/CVE-2010-3276 widelands (1:15-3squeeze1) stable; urgency=high * Closes a potential security issue in internet games. Added: patches/secfix-617960 (Closes: #617960) widelands (1:15-3) unstable; urgency=high * Closes a potential security issue in internet games. Added: patches/secfix-617960 (Closes: #617960) wireshark (1.2.11-6+squeeze1) stable-security; urgency=high * security fixes from Wireshark 1.2.15: - Huzaifa Sidhpurwala of the Red Hat Security Response Team discovered that Wireshark could free an uninitialized pointer while reading a malformed pcap-ng file. (CVE-2011-0538) (Closes: #613202) - Huzaifa Sidhpurwala of the Red Hat Security Response Team discovered that a large packet length in a pcap-ng file could crash Wireshark - Wireshark could overflow a buffer while reading a Nokia DCT3 trace file. (CVE-2011-0713) - joernchen of Phenoelit discovered that the LDAP and SMB dissectors could overflow the stack. - Xiaopeng Zhang of Fortinet's Fortiguard Labs discovered that large LDAP Filter strings can consume excessive amounts of memory. x11-xserver-utils (7.5+3) squeeze-security; urgency=high * xrdb: Create shell-escape-safe cpp options in the non-pathetic-cpp case. Fixes CVE-2011-0465. xenomai (2.5.4-3squeeze1) stable; urgency=low * Fixed kernel patch for Debian's 2.6.32 (Closes: #614010, #621869) xmlsec1 (1.2.14-1+squeeze1) stable-security; urgency=high * Non-maintainer upload by the Security Team. * Apply patch from upstream addressing arbitrary file overwrite (CVE-2011-1425, closes: #620560). xserver-xorg-video-tseng (1:1.2.3-2+squeeze1) squeeze; urgency=low * Cherry-pick fix from upstream git to fix a regression introduced in 1.2.0. This prevented the driver from initializing successfully. ========================================= Sat, 19 Mar 2011 - Debian 6.0.1 released ========================================= apt-dater (0.8.4-4+squeeze1) stable-proposed-updates; urgency=medium * Fix apt-dater-host.config, to not mess up with boolean values and integers. Closes: #611968 apt-setup (1:0.53+squeeze2) squeeze; urgency=low * Upload to drop .git from source tarball apt-setup (1:0.53+squeeze1) stable; urgency=low * If no network mirror was selected during install, add a (commented-out) entry pointing at ftp.debian.org, together with a comment explaining why the entry is commented out and that it should be updated to use a relevant mirror. The comment is not translated, but this is still preferable to the previous behaviour of creating clearly broken entries under such circumstances which users then re-enabled. (Closes: #613910) asterisk (1:1.6.2.9-2+squeeze1) stable-security; urgency=high * AST-2011-001/CVE-2011-0495: Stack buffer overflow in SIP channel driver (Closes: #610487) avahi (0.6.27-2+squeeze1) stable-security; urgency=high * debian/patches/03_read_null_udp_packets.patch - Read NULL UDP packets else we end up in an infinite loop using 100% CPU and DoS of Avahi. (Closes: #614785, Fixes: CVE-2011-1002) * Urgency high for the security fix. base-files (6.0squeeze1) stable; urgency=low * Changed /etc/debian_version to 6.0.1, for Debian 6.0.1 point release. cdebconf (0.153+squeeze2) squeeze; urgency=low * No-changes upload to get rid of the .git directory in the source package. cdebconf (0.153+squeeze1) squeeze; urgency=low [ Joey Hess ] * Support window managed use of the gtk frontend, by asking the WM to fullscreen d-i, thus leaving room for decorations etc. Closes: #605401 (Patch from Ben Armstrong) cgiirc (0.5.9-3squeeze1) stable-security; urgency=high * Non-maintainer upload by The Security Team. * Fixed XSS flaw in handling clients who have Javascript disabled. [CVE-2011-0050] cgiirc (0.5.9-3lenny3) oldstable-security; urgency=low * Non-maintainer upload by the security team. * Fix XSS attack for non-javascript using clients. [CVE-2011-0050]. chromium-browser (6.0.472.63~r59945-5+squeeze4) stable-security; urgency=low * Fixed CVE-2011-0779: does not properly handle a missing key in an extension, which allows remote attackers to cause a denial of service (application crash) via a crafted extension. * Fixed CVE-2011-1290: Integer overflow in style elements * Removed mips from arch to avoid flood of given-back build log chromium-browser (6.0.472.63~r59945-5+squeeze3) stable-security; urgency=low * Backported security patches from stable: - [54262] High URL bar spoof with history interaction. Credit to Jordi Chancel. - [63732] High Crash with javascript dialogs. Credit to Sergey Radchenko. - [68263] High Stylesheet node stale pointer. Credit to Sergey Glazunov. - [69640] Medium Out-of-bounds read in text searching. Credit to Kostya Serebryany of the Chromium development community - [64-bit Linux only] [70376] Medium Out-of-bounds read in pickle deserialization. Credit to Evgeniy Stepanov of the Chromium development community. - [71114] High Stale node in table child handling. Credit to Martin Barbella - [71115] High Stale pointer in table rendering. Credit to Martin Barbella. - [71855] High Integer overflow in textarea handling. Credit to miaubiz. - [71960] Medium Out-of-bounds read in WebGL. Credit to Google Chrome Security Team (Inferno). - [72134] High Memory corruption in SVG fonts. Credit to Andreas Kling. - [69628] High Memory corruption with counter nodes. Credit to Martin Barbella. - [70027] High Stale node in box layout. Credit to Martin Barbella. - [70336] Medium Cross-origin error message leak with workers. Credit to Daniel Divricean. - [72028] High Stale pointer in table painting. Credit to Martin Barbella. - [73746] High Stale pointer with SVG cursors. Credit to Sergey Glazunov. chromium-browser (6.0.472.63~r59945-5+squeeze2) stable-security; urgency=high * Backported security patches from stable: - High Stale pointer in animation event handling. Credit to Rik Cabanier. - High Stale pointer with anonymous block handling. Credit to Martin Barbella. - Medium Out-of-bounds read in plug-in handling. Credit to Bill Budge of Google. - Medium Possible failure to terminate process on out-of-memory condition. Credit to David Warren of CERT/CC. clamav (0.97+dfsg-2~squeeze1) stable; urgency=medium [ Michael Tautschnig ] * Proper suite name. * More tidy up: new upstream release also fixed problems with ExtendedDetectionInfo (upstream bb#2409, closes: #617262). * Upload intended for squeeze-updates (fixes security issues, urgency bumped to medium). clamav (0.97+dfsg-1) UNRELEASED; urgency=low [ Alberto Wu ] * New upstream release [ Stephen Gran ] * General tidy up clive (2.2.13-5+squeeze1) stable; urgency=low * Adapt for youtube.com changes. (Closes: #616575) + new patch: 0001-Youtube-Fix-video-ID-parsing-10.patch * debian/rules: Set CLIVE_CACHE when running tests to avoid build failure when $HOME is not writable. cmake (2.8.2+dfsg.1-0+squeeze1) stable-proposed-updates; urgency=low * Regenerate original tarball removing files provided under proprietary licence. (Closes: #614390) They were not actually used. Mention removed files in the debian/copyright. colo-installer (1.17+squeeze1) stable-proposed-updates; urgency=low [ Martin Michlmayr ] * Make sure to put "hda" into the CoLo config file instead of "sda" since CoLo only knows about the former. Closes: #614839 console-setup (1.68+squeeze2) squeeze; urgency=low * No-changes upload to get rid of the .git directory in the source package. console-setup (1.68+squeeze1) squeeze; urgency=low [ Samuel Thibault ] * Use bg, ch, se instead of bg(bds), ch(de), se(basic), as those are not in xorg.xml any more (closes: #610843). cryptsetup (2:1.1.3-4squeeze2) stable-proposed-updates; urgency=low * fix changelog for cryptsetup 2:1.1.3-4squeeze1. cryptsetup (2:1.1.3-4squeeze1) stable-proposed-updates; urgency=low * NOT RELEASED YET * install cryptkeyctl initramfs hook, needed for keyctl keyscript in initramfs, thanks to Maik Zumstrull (closes: #610750) * fix luksformat script to invoke usage() with --help. (closes: #612947) * luksformat: invoke udevadm settle between mkfs.vfat and luksClose, to prevent possible race conditions. This is a workaround. (closes: #601886) dajaxice (0.1.5-1squeeze1) stable-security; urgency=low * debian/patches/fix_csrf_verification: (Closes: #614787) - Fix bug related to CSRF verification on Django dbconfig-common (1.8.46+squeeze.0) stable; urgency=low * Fix version sorting logic bug on upgrade files in postinst. Thanks to Ghislain Mokolomboka (Closes: #611820) debian-installer (20110106+squeeze1) squeeze; urgency=low [ Jurij Smakov ] * Add pata-modules to cdrom config for sparc and sparc64. Closes: #610906. [ Martin Michlmayr ] * qnap-flash-debian: recognize QNAP TS-x12 devices. * lspro-config-debian: Exit if the firmware version cannot be determined. Thanks John Bytheway. Closes: #609476 debian-installer-netboot-images (20110106.squeeze1) squeeze; urgency=low [ Daniel Baumann ] * Adding tftpd-hpa to suggests, this is the tftp server that is covered in the installer manual (Closes: #597116). [ Otavio Salvador ] * Update to 20110106+squeeze1 version. [ Julien Cristau ] * Fetch images from squeeze-proposed-updates. * We need to fetch 20110106+squeeze1, but can't be versioned that way because that would be lower than 20110106.b1. So hack up debian/rules to turn . into +. * Drop debian-installer-6.0-netboot-hppa. debian-installer-netboot-images (20110106.b1) unstable; urgency=low * Update to 20110106+b1 images. * Add support to handle binNMUs. debian-installer-netboot-images (20101127) unstable; urgency=low * Update to 20101127 images. debian-installer-netboot-images (20101020) unstable; urgency=low * Update to 20101020 images. debian-reference (2.46) stable; urgency=low * Updated Portguese translation by Américo Monteiro. * Fixed s/--get-selection/--get-selections/ etc. Closes: #612435 * Reflected introduction of squeeze-updates suite which replaced Debian Volatile Service. Closes: #614224 * Fixed URL for Debian Mirror Checker site. Closes: #614253 debootstrap (1.0.26+squeeze1) stable-proposed-updates; urgency=low [ Miguel Figueiredo ] * Fix bug and typo on --private-key Patch by Jonathan Klee. * Fix for ar usage, thanks to Guillem Jover. Closes: #598729 deluge (1.2.3+git20110209.8c36830-0squeeze1) stable; urgency=low * Imported Upstream version 1.2.3+git20110209.8c36830 - Upstream commit 8c36830 backported from the 1.3.x release: "fix hang on quit". (Closes: #602613) desktop-base (6.0.5squeeze1) stable; urgency=low * debian/plymouth: - include patch by adris to fix dual screen setups. closes: #613249 devscripts (2.10.69+squeeze1) stable; urgency=low * bts: Accept the "wheezy" and "wheezy-ignore" tags. * debchange: + Set Squeeze as the default backports target. + Recognize "lenny-backports-squeeze" and "squeeze-backports" distributions. + Remove "etch-backports" and "etch-volatile" distributions. eclipse (3.5.2-6squeeze2) stable; urgency=low * Backported patch for CVE-2010-4647. (Closes: #611849) - Fixes XSS in help browser application. exuberant-ctags (1:5.8-3squeeze1) stable; urgency=low * Apply patch from Ben Spencer to use memmove rather than strcpy on overlapping strings (closes: #594185). finish-install (2.28squeeze1) stable-proposed-updates; urgency=low [ Aurelien Jarno ] * Recognize /dev/duart* as a serial console. ganeti (2.1.6-1+squeeze1) stable; urgency=low * Fix "Wrong permissions for /var/lock after 'gnt-node add'" (applied patch fixing octal mode usage) (Closes: #613648) gdm3 (2.30.5-6squeeze1) stable; urgency=low [ Josselin Mouette ] * gdm3.init: chown the configuration to Debian-gdm, to avoid umask issues. Closes: #603510. * gdm3.postrm: handle deluser/delgroup failures gracefully. Closes: #603753. * 29_grep_path.patch: new patch. Don’t hardcode grep to a wrong location. Closes: #607664. * 30_utf8_locale.patch: new patch. Pass locale.UTF-8 instead of locale.utf8. Closes: #607753. [ Emilio Pozuelo Monfort ] * debian/gdm3.8.pod: + Fix typo, thanks Yury V. Zaytsev. Closes: #610723. gedit (2.30.4-1squeeze1) stable; urgency=low * 10_pt_BR_po.patch: fix an important mistake in the Brazilian Portuguese translation. Closes: #603502. git (1:1.7.2.5-1) stable; urgency=low * new upstream point release. * support "add.ignoreErrors" synonym for the existing "add.ignore-errors" configuration variable. * bash completion: match lightweight tags in prompt. * gitweb: use esc_url to quote a few more URLs. * diff: always trim trailing space from --show-c-function lines. * some minor test suite and documentation updates. * debian/diff/0010-cache_tree_free-Fix-small-memory-leak.diff, debian/diff/0011-diff.c-call-regfree....diff, debian/diff/0034-gitweb-Introduce-esc_attr...diff: remove; applied upstream. * add myself as uploader. gnome-screensaver (2.30.0-2squeeze1) stable; urgency=low * Disable libnotify support, the function simply doesn’t work at all. Closes: #606830. gnumed-client (0.7.10-3) stable-proposed-updates; urgency=low * Fix regression of last two uploads which did not installed translations into correct place Closes: #610240 grub-installer (1.60+squeeze2) squeeze; urgency=low * Upload to drop .git from source tarball grub-installer (1.60+squeeze1) stable-proposed-updates; urgency=low * Set debconf title to avoid reusing a previous one. hw-detect (1.84+squeeze2) squeeze; urgency=low * No-changes upload to get rid of the .git directory in the source package. hw-detect (1.84+squeeze1) squeeze; urgency=low [ Jurij Smakov ] * Increase the number of attempts to detect the new disk devices in disk_found() of disk-detect.sh to 15, bringing the total waiting time to 28 seconds. Current timeout of 4 seconds is not sufficient for some SCSI subsystems with long driver/disk initialization time. Closes: #611314 [ Miguel Figueircedo ] * discover-mac-io.sh: Fix module loading for Ibook G4 (powermac). Closes: #525902, #525946, #606984. Thanks to Risto Suominen . [ Otavio Salvador ] * Blacklist snd-aoa to allow snd-powermac to work. Refs: #606984. ia32-libs (20110310) stable; urgency=low * Packages updated * Add fix for duplicate sources due to security updates. * Welcome Thijs Kinkhorst to the team. [ avahi (0.6.27-2+squeeze1) stable-security; urgency=high ] * debian/patches/03_read_null_udp_packets.patch - Read NULL UDP packets else we end up in an infinite loop using 100% CPU and DoS of Avahi. (#614785, Fixes: CVE-2011-1002) * Urgency high for the security fix. [ openssl (0.9.8o-4squeeze1) stable-security; urgency=low ] * Fix OCSP stapling parse error (CVE-2011-0014) [ util-linux (2.17.2-9) unstable; urgency=low ] * Ack NMU from Christian Perrier - Fix encoding for Danish and Slovak debconf translations [Adriano Rafael Gomes] * Brazilian Portuguese debconf templates translation. #610489 [ util-linux (2.17.2-8) unstable; urgency=low ] * fix mangled characters in debconf translations [ util-linux (2.17.2-7) unstable; urgency=low ] * dh_installdebconf is needed in binary-arch, not so much in -indep. Based on report from Adam D. Barratt . #566072 [ util-linux (2.17.2-6) unstable; urgency=low ] [Bjørn Steensrud] * nb translations. #608325 [Américo Monteiro] * Portuguese debconf translations. #608233 [Vincenzo Campanella] * Italian translations. #608307 [Yuri Kozlov] * russian debconf translations. #608302 [Martin Ågren] * Swedish debconf translations. #608483 [Joe Dalton] * Danish translations. #608330 [Christian Perrier] * French debconf translations. #608464 [Martin Eberhard Schauer] * German debconf translations. #608463 [Camaleón] * Spanish debconf translations. #608518 [Thorsten Glaser] * hwclock: [m68k] unbreak FTBFS with recent (>= 2.4.18?) kernels. #578168 [Slavko] * Slovak transtions. #608305 [Michal Simunek] * Czech debconf translations. #608495 ia32-libs-core (20110202) stable; urgency=low [ Goswin von Brederlow ] * Do not disable secure APT when downloading packages. * Add fix for duplicate sources due to security updates. * Add security repository next to the regular Debian mirror. * Welcome Thijs Kinkhorst to the team. * Packages updated [ eglibc (2.11.2-10) unstable; urgency=low ] * Add patches/amd64/cvs-avx-tcb-alignment.diff from upstream to fix alignement issues on CPU supporting the AVX instruction set. #610657. [ eglibc (2.11.2-9) unstable; urgency=low ] * Disable build failure in case of testsuite regressions, will be re-enabled after squeeze release. [ eglibc (2.11.2-8) unstable; urgency=low ] [ Clint Adams ] * Japanese debconf translation update from Nobuhiro Iwamatsu. #604752. [ Samuel Thibault ] * Add expected gettext failure on hurd-i386. [ Aurelien Jarno ] * Update patches/localedata/locale-et_EE.diff to switch Estonian currency to euro. #608803. * Revert incorrect upstream patch for CVE-2010-3847 and use the correct set of patches: - Remove patches/any/submitted-origin.diff - Add patches/any/cvs-dont-expand-dst-twice.diff - Add debian/patches/any/cvs-ignore-origin-privileged.diff - Keep debian/patches/any/cvs-audit-suid.diff [ ncurses (5.7+20100313-5) unstable; urgency=low ] * New patch 01-debian-kfreebsd-terminfo.patch, adding a cons25-debian terminfo entry to ncurses-base for the Debian GNU/kfreebsd console (#607662). ia32-libs-gtk (20110310) stable; urgency=low * Packages updated * Add fix for duplicate sources due to security updates. * Welcome Thijs Kinkhorst to the team. [ pango1.0 (1.28.3-1+squeeze2) stable-security; urgency=high ] * 02_CVE-2011-0064.patch: patch from Behdad Esfahbod and Karl Tomlinson to fix buffer overwrite on OOM realloc failure. CVE-2011-0064, Mozilla #606997. [ pango1.0 (1.28.3-1+squeeze1) unstable; urgency=low ] * 01_CVE-2011-0020.patch: patch from Behdad Esfahbod to fix heap corruption. #610792, CVE-2011-0020. LP: #696616. iceape (2.0.11-3) stable-security; urgency=low * Fixes for mfsa2011-{01-08,10}, also known as CVE-2011-0053, CVE-2011-0051, CVE-2011-0055, CVE-2011-0054, CVE-2011-0056, CVE-2011-0057, CVE-2011-0058, CVE-2010-1585, CVE-2011-0059. icedove (3.0.11-1+squeeze1) stable-security; urgency=high * [2bf1366] backported patches from xulrunner fixes mfsa2011-{01-08,10} - MFSA 2011-01 aka CVE-2011-0053: Miscellaneous memory safety hazards (rv:1.9.2.14/ 1.9.1.17) - MFSA 2011-02 aka CVE-2011-0051: Recursive eval call causes confirm dialogs to evaluate to true - MFSA 2011-03 aka CVE-2011-0055: Use-after-free error in JSON.stringify - MFSA 2011-04 aka CVE-2011-0054: Buffer overflow in JavaScript upvarMap - MFSA 2011-05 aka CVE-2011-0056: Buffer overflow in JavaScript atom map - MFSA 2011-06 aka CVE-2011-0057: Use-after-free error using Web Workers - MFSA 2011-07 aka CVE-2011-0058: Memory corruption during text run construction (Windows) - MFSA 2011-08 aka CVE-2010-1585: ParanoidFragmentSink allows javascript: URLs in chrome documents - MFSA 2011-10 aka CVE-2011-0059: CSRF risk with plugins and 307 redirects iceweasel (3.5.16-5) stable-security; urgency=low * Fixes for mfsa2011-{01-08,10}, also known as CVE-2011-0053, CVE-2011-0051, CVE-2011-0055, CVE-2011-0054, CVE-2011-0056, CVE-2011-0057, CVE-2011-0058, CVE-2010-1585, CVE-2011-0059. installation-guide (20110122~squeeze1) stable; urgency=low * Upload to Squeeze. isc-dhcp (4.1.1-P1-15+squeeze1) stable-security; urgency=high * Non-maintainer upload. * Fix cve-2011-0413: remote ipv6 denial-of-service (daemon crash). katoob (0.5.9.1-1.2+squeeze1) stable; urgency=low * Added fix_tooltip_crash.patch (Closes: #611623) kde4libs (4:4.4.5-2+squeeze1) stable-proposed-updates; urgency=low * Add a kconf_update script (migrate_from_kde3_icon_theme) to migrate away from old KDE 3 icon themes which are KDE 4 incompatible (e.g. crystalsvg). (Closes: #588374) kdebase-workspace (4:4.4.5-7+squeeze1) stable-proposed-updates; urgency=low * Backport 33_backport_krunner_crash_fix_threading.diff patch from 4.5.0 to fix random but common krunner crashes. (Closes: #607974) kernel-wedge (2.74+squeeze2) stable-proposed-updates; urgency=low [ Miguel Figueiredo ] * mmc-modules: sdhci_pci. Closes: #558036. * Add support for Cherry keyboards (hid-cherry on input-modules). Closes: #584973. [ Joey Hess ] * build-arch: Pass -I to dpkg-buildpackage without arguments to take advantage of its built-in list of all version control gunk to ignore. [ Otavio Salvador ] * Use 2.74+squeeze2 version since squeeze1 has been upload to unstable by mistake. kernel-wedge (2.74+squeeze1) unstable; urgency=low [ Miguel Figueiredo ] * mmc-modules: sdhci_pci. Closes: #558036. * Add support for Cherry keyboards (hid-cherry on input-modules). Closes: #584973. [ Joey Hess ] * build-arch: Pass -I to dpkg-buildpackage without arguments to take advantage of its built-in list of all version control gunk to ignore. kernel-wedge (2.74) unstable; urgency=low [ Miguel Figueiredo ] * usb-modules: xhci module (usb3 support). Closes #601249. * nic-wireless-modules: added ralink wireless drivers, thanks to Mike Miller. Closes: #604176. * mmc-modules: sdhci_pci. Closes: #558036. * Add support for Cherry keyboards (hid-cherry on input-modules). Closes: #584973. [ Joey Hess ] * build-arch: Pass -I to dpkg-buildpackage without arguments to take advantage of its built-in list of all version control gunk to ignore. [ Otavio Salvador ] * nic-pcmcia-modules: make netwave_cs and wavelan_cs optional * crypto-modules: replace twofish with twofish_generic * nic-wireless-modules: replace orinoco_pci with hostap_pci * pcmcia-storage-modules: make ide-cs optional * serial-modules: add synclink_cs * nic-extra-modules: add 3c359 * ppp-modules: depends on crc-modules * scsi-modules: make qla1280 optional kfreebsd-8 (8.1+dfsg-8) stable-proposed-updates; urgency=low [ Petr Salinger ] * Add 000_tcp_usrreq.diff, fixes local DoS. Closes: #611476. * Extend 108_teken_utf8_table.diff for middle-dot l/L. Closes: #609681. Thanks to Robert Millan. kgb-bot (1.05-1+squeeze1) stable; urgency=low [ gregor herrmann ] * kgb-bot: - fix typo when accessing global config - call polygen_available with full class name [ Damyan Ivanov ] * rules: fix the check whether package version matches "upstream" code version. Avoids FTBFS when the package revisiion contains non-digits (e.g. stable/security updates). Thanks to Moritz Muehlenhoff. Closes: #612922 krusader (1:2.2.0~beta1-2+squeeze1) stable-proposed-updates; urgency=low * Replace rev1154581.patch with backport_fix_krusader_not_terminating.diff backported from upstream svn. It has a proper fix for #587842. (Closes: #604196) libapache-mod-jk (1:1.2.30-1squeeze1) stable; urgency=medium * Team upload. * Fix issue with socket(2) syscall and SOCK_CLOEXEC flag affecting upgrades from 1.2.26 to 1.2.30. (Closes: #609886). libdebian-installer (0.77+squeeze2) squeeze; urgency=low * Upload to drop .git from source tarball libdebian-installer (0.77+squeeze1) squeeze; urgency=low [ Martin Michlmayr ] * Add support for Buffalo Linkstation LiveV3 (LS-CHL). Closes: #612168 * Add support for Buffalo Linkstation Mini (LS-WSGL). libemail-mime-createhtml-perl (1.029-2) stable; urgency=low * Team upload * Add libfile-policy-perl as a runtime dependency (Closes: #612003) libvirt (0.8.3-5+squeeze0) stable; urgency=low [ Laurent Léonard ] * [6f95d48] Fix exit status codes in libvirt init script to comply with LSB (Closes: #612305) linux-2.6 (2.6.32-31) stable; urgency=low [ Ian Campbell ] * xen: blkback: fix potential leak of kernel thread. (CVE-2010-3699) [ Moritz Muehlenhoff ] * rds: Fix rds_iovec page count overflow (CVE-2010-3865) [ Ben Hutchings ] * tty: Fix information leaks from SIOCGICOUNT handlers (CVE-2010-4075, CVE-2010-4076, CVE-2010-4077) * bonding: Ensure that we unshare skbs prior to calling pskb_may_pull (Closes: #610838) * r8169: Keep firmware in memory (Closes: #609538) * linux-base: Convert LILO entries for /boot/vmlinuz, /boot/vmlinuz.old (Closes: #613200) * aufs: Fix VM race leading to kernel panic (Closes: #607879) * rt2500usb: Fall back to SW encryption for TKIP+AES (Closes: #611390) * Add longterm 2.6.32.29: - SCSI: Fix medium error problems with some arrays which can cause data corruption - ptrace: Use safer wake up on ptrace_detach() - [x86] mm: Avoid possible bogus TLB entries by clearing prev mm_cpumask after switching mm - sched: Fix softirq time accounting - sched: Use group weight, idle cpu metrics to fix imbalances during idle - [openvz,vserver] Revert sched changes since they conflict * Revert "USB: Prevent buggy hubs from crashing the USB stack", included in longterm 2.6.32.29 and reported to cause a regression * virtio_net: Further fixes for out-of-memory conditions (Closes: #603835) - Fix OOM handling on TX - Add schedule check to napi_enable call * af_unix: Limit recursion level of passing sockets through sockets (variant of CVE-2010-4249) * iowarrior: Don't trust report_size for buffer size (CVE-2010-4656) * drm: Fix unsigned vs signed comparison issue in modeset ctl ioctl (CVE-2011-1013) * brcm80211: Fix suspend/resume in brcmsmac (Closes: #600769, #604802) * brcm80211: Fix race between scanning and calibration on SMP (Closes: 602444) * drm/i915: Overlay on gen2 can't address above 1G * drm/i915: Fix memory corruption with GM965 and >4GB RAM * ipv6: Silence privacy extensions initialization (Closes: #590653) * [x86] Enable VT6656, loading firmware from a separate file (requires firmware-linux-nonfree 0.28+squeeze1) (Closes: #568454) * usbfs: Show correct speed for SuperSpeed USB devices (Closes: #613531) * drm/i915: Add pipe A force quirk for some laptops (Closes: #608148) * psmouse/elantech: Fix detection and decoding for newer Elantech touchpads (Closes: #613335) [ dann frazier ] * xfs: Fix information leak using stale NFS handle (CVE-2010-2943) * CAN: Use inode instead of kernel address for /proc file (CVE-2010-4565) [ maximilian attems] * Update openvz patch to feoktistov (ipv6, checkpointing, stability, ipsec, nfs, ppp, tc, ve). (closes: #607041, #613501, #613170) * HID: add support for Acan FG-8100 barcode reader. (closes: #615888) * Add longterm 2.6.32.30: - nfsd: Memory corruption due to writing beyond the stat array - av7110: check for negative array offset (CVE-2011-0521) - cred: Fix get_task_cred() and task_state() to not resurrect dead credentials - cred: Fix kernel panic upon security_file_alloc() failure - cred: Fix BUG() upon security_cred_alloc_blank() failure - cred: Fix memory and refcount leaks upon security_prepare_creds() failure - dm/raid1: Fail writes if errors are not handled and log fails - GFS2: Fix bmap allocation corner-case bug - [s390] remove task_show_regs (CVE-2011-0710) - PM/hibernate: Return error code when alloc_image_page() fails - fs/partitions: Validate map_count in Mac partition tables (CVE-2011-1010) - ALSA: caiaq - Fix possible string-buffer overflow (CVE-2011-0712) - acer-wmi, asus_acpi, tc1100-wmi: Restrict write permissions on files in procfs/sysfs - [x86] usbip/vhci: Update reference count for usb_device - [x86] usbip/vhci: Give back URBs from in-flight unlink requests - [x86] usbip/vhci: Refuse to enqueue for dead connections - epoll: Prevent creating circular epoll structures - fs/partitions/ldm: Corrupted partition table can cause kernel oops - xhci: Avoid BUG() in interrupt context - xhci: Fix errors in the running total calculations in the TRB math - xhci: Fix an error in count_sg_trbs_needed() - x25: Do not reference freed memory * Add longterm 2.6.32.31. * Add longterm 2.6.32.32-rc1: - netxen: fix set mac addr. (closes: #616058) - [xen] do not release any memory under 1M in domain 0. (closes: #613823) - virtio: set pci bus master enable bit. (closes: #610360) - sctp: Fix oops when sending queued ASCONF chunks (CVE-2010-1173). - drm/ttm: Fix two race conditions + fix busy codepaths (closes: #591061) * Add Slovak translation by Slavko. (closes: #608684) * Add drm changes from 2.6.32.28+drm33.13: - drm/i915: Add dependency on CONFIG_TMPFS. - drm/i915/lvds: Add AOpen i915GMm-HFS to the list of false-positive LVDS. - drm/radeon/kms: add pll debugging output. - drm/radeon/kms: add quirk for Mac Radeon HD 2600 card. - drm/radeon/kms: fix s/r issues with bios scratch regs. - drm/radeon/kms: make the mac rv630 quirk generic. - drm/radeon: remove 0x4243 pci id. [ Aurelien Jarno ] * init: fix race between init and kthreadd, fixes a kernel panic on mips/5kc-malta. * mips/swarm: enable PATA drivers that have been lost during IDE -> PATA conversion. [ Martin Michlmayr ] * Orion: add support for Buffalo LS-CHL (Closes: #590105). * Kirkwood: initialize PCIE1 for QNAP TS-419P+ (Closes: #613499). [ Jurij Smakov ] * sparc: add sparc-console-handover.patch to address problems with console handover on sparc causing kernel to hang during boot on systems using atyfb driver. Thanks to Fabio M. Di Nitto for the patch. (Closes: #602853) [ Bastian Blank ] * Add supportt for AMD Family 10h/11h CPU internal temperatur sensor. (closes: #614555) linux-kernel-di-amd64-2.6 (1.76+squeeze1) squeeze; urgency=low * Built against version 2.6.32-31 of linux-2.6. linux-kernel-di-armel-2.6 (1.56+squeeze1) squeeze; urgency=low [ Martin Michlmayr ] * kirkwood: include ahci in sata-modules since it's needed on the QNAP TS-419P+. Closes: #613497 [ Otavio Salvador ] * Built against version 2.6.32-31 of linux-2.6. linux-kernel-di-i386-2.6 (1.99+squeeze1) squeeze; urgency=low * Built against version 2.6.32-31 of linux-2.6. linux-kernel-di-ia64-2.6 (1.63+squeeze1) squeeze; urgency=low * Built against version 2.6.32-31 of linux-2.6. linux-kernel-di-mips-2.6 (1.31+squeeze1) squeeze; urgency=low * Built against version 2.6.32-31 of linux-2.6. linux-kernel-di-mipsel-2.6 (1.31+squeeze1) squeeze; urgency=low * Built against version 2.6.32-31 of linux-2.6. linux-kernel-di-powerpc-2.6 (1.76+squeeze1) squeeze; urgency=low * Built against version 2.6.32-31 of linux-2.6. linux-kernel-di-s390-2.6 (0.59+squeeze1) squeeze; urgency=low * Built against version 2.6.32-31 of linux-2.6. linux-kernel-di-sparc-2.6 (1.64+squeeze1) squeeze; urgency=low [ Jurij Smakov ] [Jurij Smakov] * Add niu network driver for sparc, needed by T2+ sparc systems. Closes: #608516. [ Otavio Salvador ] * Built against version 2.6.32-31 of linux-2.6. logwatch (7.3.6.cvs20090906-1squeeze1) stable-security; urgency=high * CVE-2011-1018: Remote code execution by combination of - Logfile name by attacker's choice (e.g. samba log files) and - Missing sanitization of logfile names in system() call. - fix by encapsulating logfile names in ' and disallowing '. Taken from upstream. - closes: #615995 magpierss (0.72-8+squeeze1) stable-proposed-updates; urgency=low * Fixing CVE-2011-0740 (Closes: #611940) Cross-site scripting (XSS) vulnerability in scripts/magpie_slashbox.php and scripts/simple_smarty.php mailman (1:2.1.13-5) stable-security; urgency=high * Upload to stable to fix security issue. * CVE-2011-0707: Cross site scripting in subscriber names. mcabber (0.10.0-1+squeeze1) squeeze; urgency=medium * Pull upstream commit 3695266e16c7 to fix crash after /status invisible (closes: #612797) * Pull upstream commit e09763e16e49 to fix segfault related to url_regex (closes: #612798) * Pull upstream commit 75a0a22bbf78 to fix commandline corruption (closes: #612789) * Pull upstream commit ee8657ff9aa8 to fix two FD leaks (closes: #612799) mediawiki (1:1.15.5-2squeeze1) stable; urgency=high * CVE-2011-0047: Protect against a CSS injection vulnerability (closes: #611787) mediawiki-extensions (2.3squeeze1) stable; urgency=low * Non-maintainer upload. * php53_confirmedit.patch: PHP5.3 compatibility fixes for ConfirmEdit. (Closes: #612227) nautilus (2.30.1-2squeeze1) stable; urgency=low * 15_nautilus_file_peek_crash.patch: stolen from upstream git. Fix a crasher with lots of upstream duplicates from squeeze systems. network-manager (0.8.1-6+squeeze1) stable; urgency=low * debian/patches/82-core-handle-device-removal.patch - Cherry-pick patch from upstream to correctly handle device removal when properties are unreadable. (Closes: #605570) * debian/patches/83-dnsmasq-send-no-config-file-instead-of-a-bogus-one.patch - Newer versions of dnsmasq validate the option parameters more strictly. Instead of passing a bogus file name simply use --conf-file without additional parameters. (Closes: #615082) * debian/ifblacklist_migrate.sh - Only comment out iface lines if we have an exact match for the network interface. (Closes: #612247) * debian/patches/51-normalized-keys.patch - Normalize keys in ifupdown parser, so we accept options with either hyphens or underscores, like e.g. bridge_ports and bridge-ports. (Closes: #609831) ocrodjvu (0.4.6-3+squeeze1) stable; urgency=low * Fix of upside-down generation of hocr data [upsidedown-hocr.diff] (closes: #611460). ocsigen (1.3.3-1squeeze1) stable; urgency=low * Add missing dependencies to ocsigen: libocsigen-xhtml-ocaml-dev and liblwt-ssl-ocaml-dev (Closes: #613372) openafs (1.4.12.1+dfsg-4) stable-security; urgency=high * Apply upstream deltas: - [707a959c] update ticket5 from heimdal. Avoids a double-free (from upstream) which basically allows an arbitrary attack against any krb5-aware Rx service by exploiting when the double-free occurs in asn1 payloads which came from the wire. - [beaf1606] LINUX: Use correct type of error in flock code. This avoids dereferencing a pointer that is not a pointer due to failing to properly ERR_PTR a return value. * Add a dependency on libc6-dev to openafs-modules-dkms. dkms doesn't depend on it because most kernel modules don't need it, but openafs builds userspace helper programs. Thanks, Peter Palfrader. (Closes: #607903) openssl (0.9.8o-4squeeze1) stable-security; urgency=low * Fix OCSP stapling parse error (CVE-2011-0014) pam-pgsql (0.7.1-4+squeeze1) stable-security; urgency=high * add debian/patches/ipaddr-crash_603436.patch: fix crash on long addresses that trigger signedness in "%d", thanks to Kees Cook for the patch (LP: #722386, Closes: 603436). pango1.0 (1.28.3-1+squeeze2) stable-security; urgency=high * 02_CVE-2011-0064.patch: patch from Behdad Esfahbod and Karl Tomlinson to fix buffer overwrite on OOM realloc failure. CVE-2011-0064, Mozilla #606997. partconf (1.36squeeze1) stable-proposed-updates; urgency=low [ Aurelien Jarno ] * Don't set default debconf values, they are already set in the templates. This fixes preseeding. pdftk (1.41+dfsg-10+squeeze1) stable; urgency=low * Support PROMPT for user_pw and owner_pw simultaneously. (Closes: #614071) * Backport from 1.43: Support filenames starting with the keywords 'odd', 'even', 'end'. (Closes: #609471) phpmyadmin (4:3.3.7-5) stable-security; urgency=high * Fixes SQL injection (PMASA-2011-2, CVE-2011-0987). postgresql-8.4 (8.4.7-0squeeze2) stable-security; urgency=high * New upstream security/bug fix release: - Fix buffer overrun in "contrib/intarray"'s input function for the query_int type. This bug is a security risk since the function's return address could be overwritten. Thanks to Apple Inc's security team for reporting this issue and supplying the fix. (CVE-2010-4015) - Avoid failures when "EXPLAIN" tries to display a simple-form CASE expression. If the CASE's test expression was a constant, the planner could simplify the CASE into a form that confused the expression-display code, resulting in "unexpected CASE WHEN clause" errors. - Fix assignment to an array slice that is before the existing range of subscripts. If there was a gap between the newly added subscripts and the first pre-existing subscript, the code miscalculated how many entries needed to be copied from the old array's null bitmap, potentially leading to data corruption or crash. - Avoid unexpected conversion overflow in planner for very distant date values. The date type supports a wider range of dates than can be represented by the timestamp types, but the planner assumed it could always convert a date to timestamp with impunity. - Fix pg_restore's text output for large objects (BLOBs) when standard_conforming_strings is on. Although restoring directly to a database worked correctly, string escaping was incorrect if pg_restore was asked for SQL text output and standard_conforming_strings had been enabled in the source database. - Fix erroneous parsing of tsquery values containing ... & !(subexpression) | ... . Queries containing this combination of operators were not executed correctly. The same error existed in "contrib/intarray"'s query_int type and "contrib/ltree"'s ltxtquery type. - Fix bug in "contrib/seg"'s GiST picksplit algorithm. This could result in considerable inefficiency, though not actually incorrect answers, in a GiST index on a seg column. If you have such an index, consider "REINDEX"ing it after installing this update. (This is identical to the bug that was fixed in "contrib/cube" in the previous update.) postgresql-8.4 (8.4.6-1) unstable; urgency=low * New upstream bug fix release: - Force the default wal_sync_method to be fdatasync on Linux. The default on Linux has actually been fdatasync for many years, but recent kernel changes caused PostgreSQL to choose open_datasync instead. This choice did not result in any performance improvement, and caused outright failures on certain filesystems, notably ext4 with the data=journal mount option. - Fix assorted bugs in WAL replay logic for GIN indexes. This could result in "bad buffer id: 0" failures or corruption of index contents during replication. - Fix recovery from base backup when the starting checkpoint WAL record is not in the same WAL segment as its redo point. - Fix persistent slowdown of autovacuum workers when multiple workers remain active for a long time. The effective vacuum_cost_limit for an autovacuum worker could drop to nearly zero if it processed enough tables, causing it to run extremely slowly. - Add support for detecting register-stack overrun on IA64. The IA64 architecture has two hardware stacks. Full prevention of stack-overrun failures requires checking both. - Add a check for stack overflow in copyObject(). Certain code paths could crash due to stack overflow given a sufficiently complex query. - Fix detection of page splits in temporary GiST indexes. It is possible to have a "concurrent" page split in a temporary index, if for example there is an open cursor scanning the index when an insertion is done. GiST failed to detect this case and hence could deliver wrong results when execution of the cursor continued. - Fix error checking during early connection processing. The check for too many child processes was skipped in some cases, possibly leading to postmaster crash when attempting to add the new child process to fixed-size arrays. - Improve efficiency of window functions. Certain cases where a large number of tuples needed to be read in advance, but work_mem was large enough to allow them all to be held in memory, were unexpectedly slow. percent_rank(), cume_dist() and ntile() in particular were subject to this problem. - Avoid memory leakage while "ANALYZE"'ing complex index expressions. - Ensure an index that uses a whole-row Var still depends on its table. An index declared like create index i on t (foo(t.-)) would not automatically get dropped when its table was dropped. - Do not "inline" a SQL function with multiple OUT parameters. This avoids a possible crash due to loss of information about the expected result rowtype. - Behave correctly if ORDER BY, LIMIT, FOR UPDATE, or WITH is attached to the VALUES part of INSERT ... VALUES. - Fix constant-folding of COALESCE() expressions. The planner would sometimes attempt to evaluate sub-expressions that in fact could never be reached, possibly leading to unexpected errors. - Fix postmaster crash when connection acceptance (accept() or one of the calls made immediately after it) fails, and the postmaster was compiled with GSSAPI support. - Fix missed unlink of temporary files when log_temp_files is active. If an error occurred while attempting to emit the log message, the unlink was not done, resulting in accumulation of temp files. - Add print functionality for InhRelation nodes. This avoids a failure when debug_print_parse is enabled and certain types of query are executed. - Fix incorrect calculation of distance from a point to a horizontal line segment. This bug affected several different geometric distance-measurement operators. - Fix incorrect calculation of transaction status in ecpg. - Fix PL/pgSQL's handling of "simple" expressions to not fail in recursion or error-recovery cases. - Fix PL/Python's handling of set-returning functions. Attempts to call SPI functions within the iterator generating a set result would fail. - Fix bug in "contrib/cube"'s GiST picksplit algorithm. This could result in considerable inefficiency, though not actually incorrect answers, in a GiST index on a cube column. If you have such an index, consider "REINDEX"ing it after installing this update. - Don't emit "identifier will be truncated" notices in "contrib/dblink" except when creating new connections. - Fix potential coredump on missing public key in "contrib/pgcrypto". - Fix memory leak in "contrib/xml2"'s XPath query functions. postgresql-8.4 (8.4.5-2) unstable; urgency=low * debian/control: Build against libedit instead of libreadline. We can't simultaneously link against readline (GPL) and libssl (incompatible with GPL). (Closes: #603598) postgresql-8.4 (8.4.5-1) unstable; urgency=medium * Urgency medium, since this fixes a security bug (but also a lot of other bugs, it's not a pinpointed patch). * New upstream security/bug fix update: - Use a separate interpreter for each calling SQL userid in PL/Perl and PL/Tcl. This change prevents security problems that can be caused by subverting Perl or Tcl code that will be executed later in the same session under another SQL user identity (for example, within a SECURITY DEFINER function). Most scripting languages offer numerous ways that that might be done, such as redefining standard functions or operators called by the target function. Without this change, any SQL user with Perl or Tcl language usage rights can do essentially anything with the SQL privileges of the target function's owner. The cost of this change is that intentional communication among Perl and Tcl functions becomes more difficult. To provide an escape hatch, PL/PerlU and PL/TclU functions continue to use only one interpreter per session. This is not considered a security issue since all such functions execute at the trust level of a database superuser already. It is likely that third-party procedural languages that claim to offer trusted execution have similar security issues. We advise contacting the authors of any PL you are depending on for security-critical purposes. Our thanks to Tim Bunce for pointing out this issue (CVE-2010-3433). - Prevent possible crashes in pg_get_expr() by disallowing it from being called with an argument that is not one of the system catalog columns it's intended to be used with. - Fix incorrect placement of placeholder evaluation. This bug could result in query outputs being non-null when they should be null, in cases where the inner side of an outer join is a sub-select with non-strict expressions in its output list. - Fix possible duplicate scans of UNION ALL member relations. - Fix "cannot handle unplanned sub-select" error. This occurred when a sub-select contains a join alias reference that expands into an expression containing another sub-select. - Fix mishandling of whole-row Vars that reference a view or sub-select and appear within a nested sub-select. - Fix mishandling of cross-type IN comparisons. This could result in failures if the planner tried to implement an IN join with a sort-then-unique-then-plain-join plan. - Fix computation of "ANALYZE" statistics for tsvector columns. The original coding could produce incorrect statistics, leading to poor plan choices later. - Improve planner's estimate of memory used by array_agg(), string_agg(), and similar aggregate functions. The previous drastic underestimate could lead to out-of-memory failures due to inappropriate choice of a hash-aggregation plan. - Fix failure to mark cached plans as transient. If a plan is prepared while "CREATE INDEX CONCURRENTLY" is in progress for one of the referenced tables, it is supposed to be re-planned once the index is ready for use. This was not happening reliably. - Reduce PANIC to ERROR in some occasionally-reported btree failure cases, and provide additional detail in the resulting error messages. This should improve the system's robustness with corrupted indexes. - Fix incorrect search logic for partial-match queries with GIN indexes. Cases involving AND/OR combination of several GIN index conditions didn't always give the right answer, and were sometimes much slower than necessary. - Prevent show_session_authorization() from crashing within autovacuum processes. - Defend against functions returning setof record where not all the returned rows are actually of the same rowtype. - Fix possible corruption of pending trigger event lists during subtransaction rollback. This could lead to a crash or incorrect firing of triggers. - Fix possible failure when hashing a pass-by-reference function result. - Improve merge join's handling of NULLs in the join columns. A merge join can now stop entirely upon reaching the first NULL, if the sort order is such that NULLs sort high. - Take care to fsync the contents of lockfiles (both "postmaster.pid" and the socket lockfile) while writing them. This omission could result in corrupted lockfile contents if the machine crashes shortly after postmaster start. That could in turn prevent subsequent attempts to start the postmaster from succeeding, until the lockfile is manually removed. - Avoid recursion while assigning XIDs to heavily-nested subtransactions. The original coding could result in a crash if there was limited stack space. - Avoid holding open old WAL segments in the walwriter process. The previous coding would prevent removal of no-longer-needed segments. - Fix log_line_prefix's %i escape, which could produce junk early in backend startup. - Prevent misinterpretation of partially-specified relation options for TOAST tables. In particular, fillfactor would be read as zero if any other reloption had been set for the table, leading to serious bloat. - Fix inheritance count tracking in "ALTER TABLE ... ADD CONSTRAINT" - Fix possible data corruption in "ALTER TABLE ... SET TABLESPACE" when archiving is enabled. - Allow "CREATE DATABASE" and "ALTER DATABASE ... SET TABLESPACE" to be interrupted by query-cancel. - Improve "CREATE INDEX"'s checking of whether proposed index expressions are immutable. - Fix "REASSIGN OWNED" to handle operator classes and families. - Fix possible core dump when comparing two empty tsquery values. - Fix LIKE's handling of patterns containing % followed by _. We've fixed this before, but there were still some incorrectly-handled cases. - Re-allow input of Julian dates prior to 0001-01-01 AD. Input such as 'J100000'::date worked before 8.4, but was unintentionally broken by added error-checking. - Fix PL/pgSQL to throw an error, not crash, if a cursor is closed within a FOR loop that is iterating over that cursor. - In PL/Python, defend against null pointer results from PyCObject_AsVoidPtr and PyCObject_FromVoidPtr. - In libpq, fix full SSL certificate verification for the case where both host and hostaddr are specified. - Make psql recognize "DISCARD ALL" as a command that should not be encased in a transaction block in autocommit-off mode. - Fix some issues in pg_dump's handling of SQL/MED objects. Notably, pg_dump would always fail if run by a non-superuser, which was not intended. - Improve pg_dump and pg_restore's handling of non-seekable archive files. This is important for proper functioning of parallel restore. - Improve parallel pg_restore's ability to cope with selective restore (-L option). The original code tended to fail if the -L file commanded a non-default restore ordering. - Fix ecpg to process data from RETURNING clauses correctly. - Fix some memory leaks in ecpg. - Improve "contrib/dblink"'s handling of tables containing dropped columns. - Fix connection leak after "duplicate connection name" errors in "contrib/dblink". - Fix "contrib/dblink" to handle connection names longer than 62 bytes correctly. - Add hstore(text, text) function to "contrib/hstore". This function is the recommended substitute for the now-deprecated => operator. It was back-patched so that future-proofed code can be used with older server versions. Note that the patch will be effective only after "contrib/hstore" is installed or reinstalled in a particular database. Users might prefer to execute the "CREATE FUNCTION" command by hand, instead. - Update build infrastructure and documentation to reflect the source code repository's move from CVS to Git. * debian/postgresql-8.4.preinst: Add missing debhelper token. * debian/control: Bump Standards-Version to 3.9.1 (no changes necessary). proftpd-dfsg (1.3.3a-6squeeze1) stable-security; urgency=high * [SECURITY] CVE-2011-1137: mod_sftp behaves badly when receiving badly formed SSH messages. See http://bugs.proftpd.org/show_bug.cgi?id=3586 pulseaudio (0.9.21-3+squeeze1) stable; urgency=low * Team upload. * Fix pacmd hanging in poll() when reading from stdin very early. Patch extracted from upstream by Alexander Wuerstlein (Closes: #574589) pulseaudio (0.9.21-3squeeze1) stable; urgency=low * Team upload. * Fix pacmd hanging in poll() when reading from stdin very early. Patch extracted from upstream by Alexander Wuerstlein (Closes: #574589) python-defaults (2.6.6-3+squeeze6) stable; urgency=low * pycompile: use /usr/bin/pythonX.Y rather than pythonX.Y (to avoid /usr/local interpreters and thus fix some Lenny → Squeeze upgrades) python-django (1.2.3-3+squeeze1) stable-security; urgency=high * Resolve two vulnerabilities: - Flaw in CSRF handling Django includes a cross-site request forgery protection mechanism, which makes use of a token inserted into outgoing forms. Middleware then checks for the token's presence on form submission, and validates it. Previously, however, Django's CSRF protection made an exception for AJAX requests, on the following basis: 1. Many AJAX toolkits add an 'X-Requested-With' header when using XMLHttpRequest. 2. Browsers have strict same-origin policies regarding XMLHttpRequest. 3. In the context of a browser, the only way that a custom header of this nature can be added is with XMLHttpRequest. Therefore, for ease of use, Django did not apply CSRF checks to requests that appeared to be AJAX on the basis of the X-Requested-With header. The Ruby on Rails web framework had a similar exemption. Recently, engineers at Google made members of the Ruby on Rails development team aware of a combination of browser plugins and redirects which can allow an attacker to provide custom HTTP headers on a request to any website. This can allow a forged request to appear to be an AJAX request, thereby defeating CSRF protection which trusts the same-origin nature of AJAX requests. Michael Koziarski of the Rails team brought this to the Django developers attention, and we were able to produce a proof-of-concept demonstrating the same vulnerability in Django's CSRF handling. To remedy this, Django will now apply full CSRF validation to all requests, regardless of apparent AJAX origin. This is technically backwards-incompatible, but the security risks have been judged to outweigh the compatibility concerns in this case. Extended notes on how to accomodate this change will be added to the Django homepage in following days. - Potential XSS in file field rendering Django's form system includes form fields and widgets for performing file uploads; in many cases, the name of the file currently stored in the field is displayed. In the process of rendering, the filename is displayed without being escaped. In many cases this does not result in a cross-site-scripting vulnerability, as file-storage backends can and are encouraged to (and the default backends provided with Django do) sanitize the supplied filename according to their requirements. However, the risk of a vulnerability appearing in a backend which does not sanitize, or which performs insufficient sanitization, is such that Django will now automatically escape filenames in form rendering. Thanks to James Bennett . pywebdav (0.9.4-1+squeeze1) stable-security; urgency=high * Applying CVE-2011-0432.patch for MySQL injection possibility in MySQLAuthHandler found by Teeed filed under CVE-2011-0432 samba (2:3.5.6~dfsg-3squeeze2) stable-security; urgency=high * Security update, fixing the following issue: - CVE-2011-0719: denial of service by memory corruption samba (2:3.5.6~dfsg-3squeeze1) stable-proposed-updates; urgency=low * Fix pam_winbind file descriptor leak with a patch proposed in https://bugzilla.samba.org/show_bug.cgi?id=7265. Upstream claim is that #7265 is fixed in 3.5.6 but our bug submitter confirmed it is not while the patch applied here fixes the file descriptor leak. Closes: #574468 [ Debconf translations ] * Brazilian Portuguese (Adriano Rafael Gomes). Closes: #607402 shadow (1:4.1.4.2+svn3283-2+squeeze1) stable-security; urgency=high * The "Tomanoix" release. * debian/patches/300_CVE-2011-0721: Fix insufficient input sanitation leading to possible user or group creation in NIS environments. sobby (0.4.7-2+squeeze1) squeeze; urgency=low * The init script creates a new session file if it does not exist yet. Add a chown call to make it writeable by sobby, which is not run as root. Make sure to chown the file before sobby's stopped, in prerm, so that the write on termination has a chance to succeed. (Closes: #613085) sudo (1.7.4p4-2.squeeze.2) stable; urgency=low * patch from upstream to resolve interoperability problem between HOME in env_keep and the -H flag, originally closed #596493, applying this to to squeeze also closes: #614232 sun-java6 (6.24-1~squeeze1) stable; urgency=low * Upload to stable. (Closes: #613723) sun-java6 (6.23-1) unstable; urgency=low * New upstream release * Add 'google-chrome' as Depends of sun-java6-plugin (Closes: #607455) * Standards-Version updated to version 3.9.1 telepathy-gabble (0.9.15-1+squeeze1) stable-security; urgency=high * debian/patches/00-jingleinfo.diff: Added to ignore google:jingleinfo pushes from contacts which may theoretically allow an attacker to trick Gabble into relaying streamed media through a server of the attacker's choosing, enabling them to intercept, obstruct or modify the user's audio and video calls. tomcat6 (6.0.28-9+squeeze1) stable-security; urgency=high * Team upload. * Update Vcs-* fields in debian/control to track security branch. * Add patches for CVE-2011-0534, CVE-2010-3718, CVE-2011-0013 Thanks to Moritz Muehlenhoff (Closes: #612257) ttf-liberation (1.05.2.20091019-4squeeze1) stable-proposed-updates; urgency=low * Apply a patch by Cody Boisclair backported from upstream git that fixes the character widths in Liberation Mono so that it is correctly detected as monospaced (rhbz 620273, Closes: #567806). * Add myself to Uploaders. tzdata (2011c-0squeeze1) stable; urgency=low * New upstream release. - Contains Chilean DST change. closes: #617331. tzdata (2011b-2) unstable; urgency=low * Mark tzdata and tzdata-java as Multi-Arch: foreign. closes: #612700. tzdata (2011b-1) unstable; urgency=low * New upstream release. tzdata (2011a-1) unstable; urgency=low * New upstream release. usb-modeswitch-data (20100826-1+squeeze0) stable; urgency=low * From upstream release 20101222 * debian/patches/00_squeeze_new_devices.patch: + Add new devices [0421:0622] Nokia CS-17 [0421:0627] Nokia CS-18 [05c7:1000] Qtronix EVDO 3G Modem (for TianYi) [0e8d:7109] MediaTek Wimax USB Card [0fd1:1000] GW D301 (Advinne AMC) [1004:6190] LG AD600 [106c:3b05] Pantech / UTStarcom UMW190 (Verizon) [12d1:1553] Huawei E1553 [12d1:1c0b] Huawei E173s [16d8:6281] C-motech CHU-628S [1edf:6003] AirPlus MCD-800 [230d:0001] Linktop LW272/LW273 (BSNL Teracom) * debian/patches/00_squeeze_enlarge_detection_base.patch: × Enlarge devices detection base [1410:5010] Novatel Wireless devices [19d2:2000] ZTE devices [1bbb:f000] Alcatel X200/X200L/X060S * debian/patches/00_squeeze_huawei_updates.patch: × Correct the modeswitching lines for Huawei devices [12d1:101e] Huawei U7510 / U7517 [12d1:1446] Huawei, newer modems [12d1:14ad] Vodafone (Huawei) K3806 [12d1:14c1] Vodafone (Huawei) K4605 [12d1:1520] Huawei K3765 [12d1:1521] Huawei K4505 [12d1:1523] Huawei R201 [12d1:1557] Huawei E173 why (2.26+dfsg-2+squeeze1) stable; urgency=low * Add 0007-Squeeze-s-Coq-is-also-compatible.patch: why-config checks compatibility of provers by checking their version number. Coq versioned 8.2pl2 is also compatible (like 8.2pl1). Marking it as such so that it gets activated. wordpress (3.0.5+dfsg-0+squeeze1) stable-security; urgency=high * [077b77b] Imported Upstream version 3.0.5+dfsg - Fixed CVE-2011-0700: two XSS bug. Affects users of the Author or Contributor role. - Fixed CVE-2011-0701: potential information disclosure of posts through the media uploader. xorg-server (2:1.7.7-13) stable; urgency=low * bug script: Report KMS configuration files and their contents. * bug script: Keep only one lspci call (with proper filtering), which makes PCI IDs come back. * Merge from server-1.7-branch, fixing broken rotation with nvidia driver (Closes: #611619): - Revert "randr: check for virtual size limits before set crtc" * bug script: Report libGL-related diversions. xorg-server (2:1.7.7-12) unstable; urgency=low * Cherry-pick this to fix crashes with MCE remotes (Closes: #609750): - mi: handle DGA subtypes when determining the master device. * Add 22-stop-searching-for-xf86config-files, cherry-picking the upstream commit below (which we can't do directly since it depends on a patch kept in the quilt series: 08-config-xorg-conf-d.diff), so that XF86Config-4 is no longer considered (Closes: #610453). Thanks, Bernhard R. Link! - Stop searching for XF86Config files * Improve bug script: - Stop reporting about roster and checksum for config file and server symlink, they are no longer used. - Replace printf with echo everywhere, it's slightly more readable and all lines are newline-terminated anyway. - Also use a “pecho” (pretty echo) function to underline some strings, making the output slightly more readable. - Fix listing xorg.conf.d's contents. Previously, that was only done if xorg.conf existed. - Check for local libraries by running ldd on the server. - Check for obsolete libraries in the same way (/usr/X11R6/lib might still exist in some cases, and be referenced in /etc/ld.so.conf, so using ldd is sufficient to find out, see #546836 for an example). xserver-xorg-video-intel (2:2.13.0-6) stable; urgency=low * Cherry-pick from upstream: - uxa: Fallback if the temporary is too large * This fixes a null pointer dereference with some rendering operations involving large pictures (Closes: #613830). Thanks, Enrico! * Cherry-pick from upstream, thanks to Bjørn Mork: - Don't replace the scanout bo through PutImage - dri: Fix the use of the uninitialised bo for flink * These should fix issues with SDL (Closes: #602207). ========================================= Sat, 05 Feb 2011 - Debian 6.0 released =========================================