======================================= Sat, 04 Jun 2016 - Debian 7.11 released ======================================= ========================================================================= [Date: Sat, 04 Jun 2016 11:16:12 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: kfreebsd-headers-9.0-2 | 9.0-10+deb70.7 | armel, armhf, ia64, mips, powerpc, s390, s390x, sparc Closed bugs: 825860 ------------------- Reason ------------------- RoQA; ANAIS ---------------------------------------------- ========================================================================= base-files (7.1wheezy11) oldstable; urgency=low . * Changed /etc/debian_version to 7.11, for Debian 7.11 point release. debian-installer-netboot-images (20130613+deb7u3.b2) wheezy; urgency=medium . [ Didier Raboud ] * Swap the d-i Built-Using with the installer fetching, to fail on version mismatches earlier (Closes: #819586). . [ Cyril Brulebois ] * Update to 20130613+deb7u3+b2 images, from proposed-updates. dhcpcd (1:3.2.3-11+deb7u1) oldstable-security; urgency=high . * Fix CVE-2012-6698, CVE-2012-6699, CVE-2012-6700, out-of-bound reads/writes and use-after-free issues with specially crafted DHCP messages. This is a forward port of the patch applied to squeeze-lts since wheezy uses the same upstream version. (LP: #1517226) didiwiki (0.5-11+deb7u2) wheezy-security; urgency=high . * debian/patches: - 91_check_page_path.patch: updated patch to correct restrictive behavior, rendering pages beginning with non alpha-numeric UTF-8 characters, such as "à", inaccessible. Thank you Sergio Gelato for your report and help! (Closes: #818708) dpkg (1.16.18) wheezy; urgency=medium . * Remove trailing space before handling blank line dot-separator in Dpkg::Control::Hash. Regression introduced in dpkg 1.16.16. Reported by Jakub Wilk . Closes: #789580 * Only use the SHELL environment variable for interactive shells. Closes: #788819 * Move tar option --no-recursion before -T in dpkg-deb. With tar > 1.28 the --no-recursion option is now positional, and needs to be passed before the -T option, otherwise the tarball will end up with duplicated entries. Thanks to Richard Purdie . Closes: #807940 * Initialize Config-Version also for packages previously in triggers-pending state, otherwise we end up not passing the previously configured version to «postinst configure», which might consider this a first install instead of an upgrade. Closes: #801156 * Fix memory leaks in dpkg infodb format upgrade logic. * Fix physical file offset comparison in dpkg. Closes: #808912 Thanks to Yuri Gribov . * Do not accept empty field names in dpkg. Closes: #769111 * When sys_siglist is defined in the system, try to use NSIG as we cannot compute the array size with sizeof(). If NSIG is missing fallback to 32 items. Prompted by Igor Pashev . eglibc (2.13-38+deb7u10) wheezy-security; urgency=medium . [ Aurelien Jarno ] * patches/any/cvs-strftime.diff: new patch from upstream to fix segmentation fault caused by passing out-of-range data to strftime() (CVE-2015-8776). Closes: #812445. * patches/any/cvs-hcreate.diff: new patch from upstream to fix an integer overflow in hcreate() and hcreate_r() (CVE-2015-8778). Closes: #812441. * patches/any/cvs-catopen.diff: new patch from upstream to fix multiple unbounded stack allocations in catopen() (CVE-2015-8779). Closes: #812455. * patches/any/cvs-gethostbyname4-memory-leak.diff: new patch from upstream to fix a memory leak in _nss_dns_gethostbyname4_r with big DNS answers. * patches/any/local-CVE-2015-7547.diff: new patch to fix glibc getaddrinfo stack-based buffer overflow (CVE-2015-7547). enigmail (2:1.8.2-4~deb7u1) wheezy-security; urgency=high . * Upload requested by security team. enigmail (2:1.8.2-3) unstable; urgency=medium . * Reproducibility: - make build date use $SOURCE_DATE_EPOCH when available - sort keys for perl-generated .dtd files enigmail (2:1.8.2-2) unstable; urgency=medium . * upload to unstable. enigmail (2:1.8.2-1) experimental; urgency=medium . * New upstream release. * More strongly encourage the use of gnupg2 in Depends and Recommends; enigmail 1.9 will make gnupg 2.x a requirement. enigmail (2:1.8.2~beta3-1) experimental; urgency=medium . * New upstream beta release. enigmail (2:1.8.1-1) experimental; urgency=medium . * New upstream release. enigmail (2:1.8-1) experimental; urgency=medium . * New Upstream Release. * move from autotools-dev to dh-autoreconf enigmail (2:1.7.2-3) unstable; urgency=medium . * d/rules - clean: Fake config/autoconf.mk if it doesn't exist, don't call configure. Fixes FTBFS on ppc64el. closes: #760845 * Make enigmail use the right XPCOM_TARGET name on ppc64 archs. enigmail (2:1.7.2-2) unstable; urgency=medium . * Update config.* files by using autotools-dev. closes: #760845 * Update Standards-Version 3.9.5 -> 3.9.6 * Make enigmail use the right XPCOM_TARGET name on arm{el,hf}, powerpc, and mipsel. Closes: #765937 (hopefully) enigmail (2:1.7.2-1) unstable; urgency=medium . * Imported Upstream version 1.7.2 - Fixes CVE-2014-5369 "an email with only Bcc recipients is sent in plain text" * Drop configure versioning patch fuseiso (20070708-3+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Wheezy LTS Team. * debian/patches (Closes: #779047): (patches copied from the Squeeze version) + CVE-2015-8837 Add 02-prevent-buffer-overflow.patch. Prevent stack-based buffer overflow when concatenating strings to an absolute path name. Prevention is done by checking that the result will stay under the maximum path length as given by the platforms PATH_MAX constant. + CVE-2015-8836 Add 03-prevent-integer-overflow.patch. Prevent integer overflow in ZISO code. Bail out if a ZF block size > 2^17 is to be read. graphite2 (1.3.6-1~deb7u1) oldstable-security; urgency=high . * rebuild for oldstable-security * revert ddeb-migration * revert package rename to -3 and go back to -2.0.0 to avoid changing the package name (ABI compatibility is there). Also dd patch to revert back to .so.2.0.0 as SONAME. graphite2 (1.3.5-1) unstable; urgency=medium . * New upstream release graphite2 (1.3.5-1~deb8u1) stable-security; urgency=high . * rebuild for stable-security * revert ddeb-migration groovy (1.8.6-1+deb7u1) oldstable; urgency=high . * Fix remote execution of untrusted code and possible DoS vulnerability. (CVE-2015-3253) (Closes: #793397). gtk+3.0 (3.4.2-7+deb7u1) oldstable-proposed-updates; urgency=medium . * Non-maintainer upload. * CVE-2013-7447.patch: Avoid integer overflow when allocating a large block of memory in gdk_cairo_set_source_pixbuf (Closes: #818090) highlight (3.9-1+deb7u1) oldstable; urgency=medium . * Backport fix for segfault with undefined syntax and --force (Closes: #698718) icecast2 (2.3.2-9+deb7u3) wheezy; urgency=medium . * CVE-2014-9018 * Add generated Makefile.in to debian/clean to allow building twice icedove (38.7.0-1~deb7u1) oldstable-security; urgency=medium . * [cb9c003] Imported Upstream version 38.7.0 - MFSA 2016-16 aka CVE-2016-1952 - MFSA 2016-17 aka CVE-2016-1954 - MFSA 2016-20 aka CVE-2016-1957 - MFSA 2016-23 aka CVE-2016-1960 - MFSA 2016-24 aka CVE-2016-1961 - MFSA 2016-27 aka CVE-2016-1964 - MFSA 2016-31 aka CVE-2016-1966 - MFSA 2016-34 aka CVE-2016-1974 - MFSA 2016-35 aka CVE-2016-1950 - MFSA 2016-37 aka CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802 icedove (38.6.0-1) unstable; urgency=medium . [ Guido Günther ] * [195730d] Clarify relation between icedove and the calendar extensions (Closes: #809017) . [ Christoph Goehre ] * [988ce5b] Imported Upstream version 38.6.0 * [6763f6f] debian/source.filter: remove evil-licensed jshint.js (Closes: #813053) icedove (38.6.0-1~deb8u1) stable-security; urgency=medium . * [988ce5b] Imported Upstream version 38.6.0 - MFSA 2015-150 aka CVE-2015-7575 - MFSA 2016-01 aka CVE-2016-1930 - MFSA 2016-03 aka CVE-2016-1935 - MFSA 2016-14 aka CVE-2016-1523 icedove (38.6.0-1~deb7u1) oldstable-security; urgency=medium . * [988ce5b] Imported Upstream version 38.6.0 - MFSA 2015-150 aka CVE-2015-7575 - MFSA 2016-01 aka CVE-2016-1930 - MFSA 2016-03 aka CVE-2016-1935 - MFSA 2016-14 aka CVE-2016-1523 icedove (38.5.0-1) unstable; urgency=medium . [ Christoph Goehre ] * [6d45b0b] Imported Upstream version 38.5.0 * [316798f] debian/rules: split override_dh_install into arch and indep section (Closes: #806047) . [ Carsten Schoenert ] * [5b3cb7a] add myself to the uploaders icedove (38.5.0-1~deb8u1) stable-security; urgency=medium . * [6d45b0b] Imported Upstream version 38.5.0 - MFSA 2015-134 aka CVE-2015-7201 - MFSA 2015-139 aka CVE-2015-7212 - MFSA 2015-145 aka CVE-2015-7205 - MFSA 2015-146 aka CVE-2015-7213 - MFSA 2015-149 aka CVE-2015-7214 icedove (38.5.0-1~deb7u1) oldstable-security; urgency=medium . * [6d45b0b] Imported Upstream version 38.5.0 - MFSA 2015-134 aka CVE-2015-7201 - MFSA 2015-139 aka CVE-2015-7212 - MFSA 2015-145 aka CVE-2015-7205 - MFSA 2015-146 aka CVE-2015-7213 - MFSA 2015-149 aka CVE-2015-7214 icedove (38.4.0-1) unstable; urgency=medium . [ Christoph Goehre ] * [754392e] Imported Upstream version 38.4.0 * [ef4b733] debian/watch: adjust download url . [ Carsten Schoenert ] * [f3f5455] lintian: remove icedove.menu file due CTTE#741573 icedove (38.4.0-1~deb8u1) stable-security; urgency=medium . * [754392e] Imported Upstream version 38.4.0 - MFSA 2015-116 aka CVE-2015-4513 - MFSA 2015-122 aka CVE-2015-7188 - MFSA 2015-123 aka CVE-2015-7189 - MFSA 2015-127 aka CVE-2015-7193 - MFSA 2015-128 aka CVE-2015-7194 - MFSA 2015-131 aka CVE-2015-7198, CVE-2015-7199, CVE-2015-7200 - MFSA 2015-132 aka CVE-2015-7197 - MFSA 2015-133 aka CVE-2015-7181, CVE-2015-7182, CVE-2015-7183 icedove (38.4.0-1~deb7u1) oldstable-security; urgency=medium . * [754392e] Imported Upstream version 38.4.0 - MFSA 2015-116 aka CVE-2015-4513 - MFSA 2015-122 aka CVE-2015-7188 - MFSA 2015-123 aka CVE-2015-7189 - MFSA 2015-127 aka CVE-2015-7193 - MFSA 2015-128 aka CVE-2015-7194 - MFSA 2015-131 aka CVE-2015-7198, CVE-2015-7199, CVE-2015-7200 - MFSA 2015-132 aka CVE-2015-7197 - MFSA 2015-133 aka CVE-2015-7181, CVE-2015-7182, CVE-2015-7183 * [2a139f9] debian/rules: build with gcc 4.7 icedove (38.3.0-2) unstable; urgency=medium . * [c988747] Add unminified jquery and jquery-ui files with the exact version as used by upstream thunderbird. We don't want to use the minified versions mozilla ships and can't use what is currently packaged in Jessie or Stretch since these are too recent. (Closes: #802281) icedove (38.3.0-1) unstable; urgency=medium . [ Carsten Schoenert ] * [0f8b6a4] Imported Upstream version 38.3.0 * [566273a] debian/copyright: fixup's and update icedove (38.3.0-1~deb8u1) stable-security; urgency=medium . [ Carsten Schoenert ] * [0f8b6a4] Imported Upstream version 38.3.0 * [1c01f2a] rebuild patch queue from patch-queue branch added patches: - debian-hacks/changing-the-default-search-engine.patch - debian-hacks/fix-identification-of-ObjdirMismatchException.patch - fixes/Bug-1165654-Cleanup-how-libjpeg-turbo-assembly-build.patch - fixes/Bug-1168231-Fixup-to-keep-file-type.patch - fixes/Bug-1168231-Normalize-file-mode-in-jars.patch - porting/Remove-duplicate-SkDiscardableMemory_none.cpp-from-g.patch - reproducible/Bug-1166243-Remove-build-function-from-js-and-xpc-sh.patch - reproducible/Bug-1168316-Remove-build-machine-name-from-about-bui.patch - reproducible/Generate-sorted-libical-header-list - jessie-security/decrease-SQLVERSION-to-jessie-version.patch - porting-mips/Fix-build-error-in-MIPS-SIMD-when-compiling-with-mfp.patch removed patches: - debian-hacks/fixing-various-FTBFS-due-different-datatype-char-beh.patch - fixes/Include-cstdlib-in-gfx-angle-src-compiler-Types.h-fo.patch - iceowl/adjust-calendar-google-provider-to-Google-Calendar-A.patch - iceowl/get-rid-of-subdir-shim-in-gdata-provider.patch - porting-armel/disable-some-libopus-feature-for-ARCH-ARMv6.patch - porting-armhf/FTBFS-armhf-fixing-ARM-CPU-detection.patch * [8de7b23] Revert "debian/rules: move some gdata modules into 'shim' subdir" * [8d744ab] debian/rules: be more flexible on *.xpi files * [fbf3c49] d/icedove.install: mozilla-xremote-client was removed * [b92379b] debian/control: increase package versions * [8f37331] lintian: adding one more source override * [b52a791] lintian: adding new override for the icedove package * [cb23f5e] icedove branding: adopt upstream changes * [33712e9] debian/control: increase b-d versions * [9b536a7] debian/control: adding new package to Breaks field * [ed27ae0] mozconfig.default: adding some explicit configure options * [fabbf70] complete rewrite of copyright information * [a82b740] switching to libgstreamer1.0* * [a872e7b] debian/rules: setting MOZ_BUILD_DATE explicitly * [7f4711f] debian/copyright: more minor updates to the copyright file * [4288e0b] debian/rules: adding switch for no icedove-dbg build * [1e5040f] debian/control: icedove is now recommending iceowl-extension * [f76c02a] adding release related information * [7aae173] debian/vendor.js: adjusting WhatNew link to more dedicated URL * [08ef111] mozconfig.default: don't use icu from system * [d909565] debian/iceowl-extension.lintian-overrides: remove file * [7d730ac] debian/source.lintian-overrides: adding new entries * [8ca9fa4] debian/icedove-dev.links: adding some extra links * [18fd52b] debian/icedove.lintian-overrides: adding more overrides * [9c0a259] debian/mozconfig.default: switch to use internal libs * [5b0a7d6] debian/mozconfig.default: order arch in alphabetical order * [68b5122] debian/rules: remove more dev-libs before linking * [5e8c3d2] debian/copyright: fixup's and update * [1ae0cc6] debian/control: adjust Build-Depends due usage of internal libs * [644e9e4] debian/source.filter: adopt filter list from master . [ Christoph Goehre ] * [e6dc2df] debian/NEWS: adding notes around new security changes * [b573ec6] add missing epoch in libnss3-dev build depends * [39e5656] lintian: fix spelling error in debian/README.Debian * [ff339ce] Add unminified jquery and jquery-ui files (Closes: #802281) . [ Dominik George ] * [0515ab0] debian/control: Upgrade Breaks relation to enigmail (Closes: #782686) icedove (38.3.0-1~deb7u1) oldstable-security; urgency=medium . [ Carsten Schoenert ] * [0f8b6a4] Imported Upstream version 38.3.0 * [911052d] rebuild patch queue from patch-queue branch added patches: - debian-hacks/changing-the-default-search-engine.patch - debian-hacks/fix-identification-of-ObjdirMismatchException.patch - fixes/Bug-1165654-Cleanup-how-libjpeg-turbo-assembly-build.patch - fixes/Bug-1168231-Fixup-to-keep-file-type.patch - fixes/Bug-1168231-Normalize-file-mode-in-jars.patch - p-kfree-hurd/FTBFS-hurd-adding-the-HURD-platform-to-the-configure.patch - porting-powerpcspe/FTBFS-powerpcspe-disable-AltiVec-instructions.patch - porting/Remove-duplicate-SkDiscardableMemory_none.cpp-from-g.patch - porting/ppc-fix-divide-page-size-in-jemalloc.patch - reproducible/Bug-1166243-Remove-build-function-from-js-and-xpc-sh.patch - reproducible/Bug-1168316-Remove-build-machine-name-from-about-bui.patch - reproducible/generate-sorted-output-while-header-creation.patch - porting-mips/Fix-build-error-in-MIPS-SIMD-when-compiling-with-mfp.patch modified patches: - debian-hacks/remove-non-free-W3C-icon-valid.png.patch - p-kfree-hurd/ipc-chromium-fix-if-define-for-kFreeBSD-and-Hurd.patch - wheezy-security/sqlite-dev-revert-version-to-3.7.13.patch deleted patches: - fixes/Include-cstdlib-in-gfx-angle-src-compiler-Types.h-fo.patch - iceowl/adjust-calendar-google-provider-to-Google-Calendar-A.patch - iceowl/get-rid-of-subdir-shim-in-gdata-provider.patch - porting-armel/disable-some-libopus-feature-for-ARCH-ARMv6.patch * [590a0df] Revert "debian/rules: move some gdata modules into 'shim' subdir" * [9b0e68b] lintian: adding one more source override * [f914904] lintian: adding new override for the icedove package * [63bd065] icedove branding: adopt upstream changes * [b2d897c] debian/control: adding new package to Breaks field * [2113754] mozconfig.default: adding some explicit configure options * [b1ae394] complete rewrite of copyright information * [98a5a00] debian/rules: setting MOZ_BUILD_DATE explicitly * [c1e3dae] debian/copyright: more minor updates to the copyright file * [bddd498] debian/rules: adding switch for no icedove-dbg build * [68981d0] debian/control: icedove is now recommending iceowl-extension * [5c9665c] adding release related information * [1e683cd] debian/vendor.js: adjusting WhatNew link to more dedicated URL * [1e449ff] mozconfig.default: don't use icu from system * [18160f3] debian/iceowl-extension.lintian-overrides: remove file * [76d32d8] debian/source.lintian-overrides: adding new entries * [48c6c84] debian/icedove-dev.links: adding some extra links * [fb1f375] debian/icedove.lintian-overrides: adding more overrides * [10d441d] debian/mozconfig.default: order arch in alphabetical order * [b600d0a] debian/copyright: fixup's and update * [e72dc60] debian/source.filter: adopt filter list from master * [96ec240] debian/rules: be more flexible on *.xpi files . [ Christoph Goehre ] * [f3764f5] debian/NEWS: adding notes around new security changes * [65d5220] debian/rules: fix icedove-dbg build switch * [27d8f5f] lintian: fix spelling error in debian/README.Debian * [64c635a] Add unminified jquery and jquery-ui files (Closes: #802281) . [ Dominik George ] * [bb837cd] debian/control: Upgrade Breaks relation to enigmail (Closes: #782686) icedove (38.2.0-2) unstable; urgency=medium . * [8bcb08b] relax optimize to -O1 on s390x (Closes: #797551) * [6aa0915] debian/rules: Disable jit on mips (Closes: #797548) icedove (38.2.0-1) unstable; urgency=medium . * [d46d5f6] rebuild patch queue from patch-queue branch added patches: - porting-mips/Fix-build-error-in-MIPS-SIMD-when-compiling-with-mfp.patch icedove (38.2.0-1~stretch) stretch; urgency=medium . [ Carsten Schoenert ] * [05b245f] Imported Upstream version 38.2.0 (Closes: #796323) - MFSA 2015-59 aka CVE-2015-2724, CVE-2015-2725, CVE-2015-2726 - MFSA 2015-63 aka CVE-2015-2731 - MFSA 2015-66 aka CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740 - MFSA 2015-70 aka CVE-2015-4000 - MFSA 2015-71 aka CVE-2015-2721 - MFSA 2015-65 aka CVE-2015-2741 - MFSA 2015-79 aka CVE-2015-4474 * [43c8195] rebuild patch queue from patch-queue branch * [c75bdad] debian/control: increase B-D on libnss3-dev * [942bcbe] debian/iceowl-extension.lintian-overrides: remove file * [7131e4d] debian/source.lintian-overrides: adding new entries * [8882360] mozconfig.default: don't use icu from system icedove (38.1.0-1) unstable; urgency=medium . [ Carsten Schoenert ] * [3d27760] Imported Upstream version 38.1.0 (Closes: #790651) * [2cb6cd7] rebuild patch queue from patch-queue branch added patches: - fixes/Bug-1165654-Cleanup-how-libjpeg-turbo-assembly-build.patch - reproducible/Generate-sorted-libical-header-list (Closes: #794456) icedove (38.0.1-1) unstable; urgency=medium . [ Carsten Schoenert ] * [5acef6a] debian/gbp.conf: adopt new upstream branch * [6f88792] Imported Upstream version 38.0.1 (Closes: #358680, #472601, #634316, #691176, #751786, #777908) * [18bba9d] debian/gbp.conf: respect new git-buildpackage behaviour * [26bbdac] rebuild patch queue from patch-queue branch added patches: - debian-hacks/changing-the-default-search-engine.patch (Closes: #780595) - fixes/Bug-1168231-Fixup-to-keep-file-type.patch - fixes/Bug-1168231-Normalize-file-mode-in-jars.patch - reproducible/Bug-1166243-Remove-build-function-from-js-and-xpc-sh.patch - reproducible/Bug-1168316-Remove-build-machine-name-from-about-bui.patc deleted patches: - debian-hacks/remove-timestamps-from-c_cpp-macros-for-reproducibil.patch * [71938b9] debian/rules: setting MOZ_BUILD_DATE explicitly * [e50d708] debian/copyright: more minor updates to the copyright file * [b232895] debian/rules: adding switch for no icedove-dbg build * [bcc15aa] debian/control: icedove is now recommending iceowl-extension * [564a19e] adding release related information * [2ec0053] debian/vendor.js: adjusting WhatNew link to more dedicated URL . [ Christoph Goehre ] * [a9c25b6] lintian: fix spelling error in debian/README.Debian * [2cc2c07] debian/rules: fix icedove-dbg build switch . icedove (38.0~b5-1) experimental; urgency=medium . [ Carsten Schoenert ] * [7e3cab4] Imported Upstream version 38.0~b5 * [3edbafc] Revert "debian/control: remove build-dep on libnotify-dev" * [5e69bab] debian/control: increase b-d versions * [6e6ae36] rebuild patch queue from patch-queue branch added patches: - debian-hacks/remove-timestamps-from-c_cpp-macros-for-reproducibil.patch obsolete patches (fixed in Debian): - adopting-SQLITE3-version.patch * [ac7b760] mozconfig.default: adding some explicit configure options * [81fd6e6] complete rewrite of copyright information * [327dd45] switching to libgstreamer1.0* . [ Christoph Goehre ] * [9877ea3] lintian: add override for libpng . icedove (38.0~b2-1) experimental; urgency=medium . [ Carsten Schoenert ] * [b08d966] debian/source.filter: modifying file list to ignore * [88fd018] Imported Upstream version 38.0~b2 * [e9da8f8] icedove branding: adopt upstream changes * [3610daa] debian/control: increase b-d versions * [950fae7] rebuild patch queue from patch-queue branch modified patches: - system-libs/Allow-to-build-against-system-libffi.patch - porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch obsolete patches (fixed upstream): - porting/Reintroduce-pixman-code-path-removed-in-bug-1097776-.patch * [1820d7c] debian/control: adding xul-ext-compactheader to Breaks field . [ Dominik George ] * [4181126] debian/control: Upgrade Breaks relation to enigmail (Closes: #782686) . icedove (36.0~b1-2) experimental; urgency=medium . * [26c0027] rebuild patch queue from patch-queue branch added patches: - porting/Reintroduce-pixman-code-path-removed-in-bug-1097776-.patch - porting/Remove-duplicate-SkDiscardableMemory_none.cpp-from-g.patch - porting/ppc-fix-divide-page-size-in-jemalloc.patch (Closes: #780404) . icedove (36.0~b1-1) experimental; urgency=medium . [ Carsten Schoenert ] * [68112a3] Imported Upstream version 36.0~b1 * [3120361] rebuild patch queue from patch-queue branch obsolete patches (fixed upstream): - debian-hacks/fixing-various-FTBFS-due-different-datatype-char-beh.patch - porting-arm/FTBFS-armhf-fixing-ARM-CPU-detection.patch modified patches: - debian-hacks/Strip-version-number.patch - p-kfree-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch - p-kfree-hurd/correcting-file-inclusion-for-kfreebsd.patch - p-kfree-hurd/ipc-chromium-fix-if-define-for-kFreeBSD-and-Hurd.patch * [ee185a2] d/icedove.install: mozilla-xremote-client was removed * [64adc44] debian/source.filter: modifying file list to ignore * [dbdd152] debian/control: increase package versions * [fb3307c] lintian: adding one more source override * [2a07495] lintian: adding new override for the icedove package * [38c21ad] debian/README.Debian: adding note around HTTPS Everythere (Closes: #774790) . [ Christoph Goehre ] * [3dce89c] debian/icedove.desktop: correct StartupWMClass to 'Icedove' (Closes: #773876) * [deb3f58] debian/icedove.desktop: add MimeType text/calendar (Closes: #762190) * [4dd96fe] rebuild patch queue from patch-queue branch added patches: - p-kfree-hurd/FTBFS-hurd-adding-the-HURD-platform-to-the-configure.patch - p-powerpcspe/FTBFS-powerpcspe-disable-AltiVec-instructions.patch (Closes: #772933) modified patches: - p-kfree-hurd/FTBFS-hurd-adding-GNU-Hurd-to-the-list-of-OS-systems.patch - p-kfree-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch - p-kfree-hurd/LDAP-support-building-on-GNU-kFreeBSD-and-GNU-Hurd.patch - p-kfree-hurd/ipc-chromium-fix-if-define-for-kFreeBSD-and-Hurd.patch * [373ed05] add missing epoch in libnss3-dev build depends . icedove (34.0~b1-2) experimental; urgency=low . [ Carsten Schoenert ] * [7a4edc4] rebuild patch queue from patch-queue branch added patches: - debian-hacks/fixing-various-FTBFS-due-different-datatype-char-beh.patch - porting-arm/FTBFS-armhf-fixing-ARM-CPU-detection.patch . icedove (34.0~b1-1) experimental; urgency=low . [ Carsten Schoenert ] * [1be8ab1] debian/source.filter: more files to ignore * [66e6488] debian/README.source: adjust description for beta versions * [e63d375] Imported Upstream version 34.0~b1 (Closes: #770180) * [1cb54d2] rebuild patch queue from patch-queue branch obsolete patches (fixed upstream): - porting-armel/disable-some-libopus-feature-for-ARCH-ARMv6.patch * [ad29bb1] debian/rules: be more flexible on *.xpi files * [b055e78] debian/NEWS: fixing default SSL/TLS behavior description * [d64a847] debian/NEWS: adding notes around new security changes . icedove (33.0~b1-1) experimental; urgency=low . [ Carsten Schoenert ] * [5029c8b] debian/source.filter: more files to ignore * [d4b03d9] README.source: let's use xz while creating the orig.tar.xz * [ebd442f] debian/gbp.conf: some instructions for git-dch * [cc594ea] Imported Upstream version 33.0~b1 * [23b57cf] rebuild patch queue from patch-queue branch added patches: - debian-hacks/fix-identification-of-ObjdirMismatchException.patch - debian-hacks/pass-OS_LDFLAGS-to-all-ldap-libraries.patch modified patches: - debian-hacks/Strip-version-number.patch - icedove/fix-branding-in-migration-wizard-and-the-addon-manag.patch - porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch - obsolete patches (fixed upstream): - fixes/Include-cstdlib-in-gfx-angle-src-compiler-Types.h-fo.patch - porting-alpha/fix-FTBFS-on-alpha.patch * [a5a2a1b] adding additional config options for hppa and ppc64 Both platforms failing on running xpcshell. . [ Christoph Goehre ] * [5a0ba43] linitan: bump up standards version to 3.9.6 * [aaca6a7] debian/NEWS: adding note around increased default TLS version 1.2 (Closes: #761245) . icedove (32.0~b1-1) experimental; urgency=low . [ Christoph Goehre ] * [65ad797] icedove.postinst: remove obsolete symlink handling . [ Carsten Schoenert ] * [baef95a] debian/gbp.conf: adopting experimental branch * [8384eee] Imported Upstream version 32.0~b1 * [75145f3] rebuild patch queue from patch-queue branch modified patches: - icedove/fix-branding-in-migration-wizard-and-the-addon-manag.patch - debian-hacks/remove-non-free-W3C-icon-valid.png.patch obsolete patches (fixed upstream): - porting-armel/fix-skia-for-ARMv4.patch . [ Christoph Goehre ] * [51c3cee] cleanup branding patch icedove (38.0~b5-1) experimental; urgency=medium . [ Carsten Schoenert ] * [7e3cab4] Imported Upstream version 38.0~b5 * [3edbafc] Revert "debian/control: remove build-dep on libnotify-dev" * [5e69bab] debian/control: increase b-d versions * [6e6ae36] rebuild patch queue from patch-queue branch added patches: - debian-hacks/remove-timestamps-from-c_cpp-macros-for-reproducibil.patch obsolete patches (fixed in Debian): - adopting-SQLITE3-version.patch * [ac7b760] mozconfig.default: adding some explicit configure options * [81fd6e6] complete rewrite of copyright information * [327dd45] switching to libgstreamer1.0* . [ Christoph Goehre ] * [9877ea3] lintian: add override for libpng icedove (38.0~b2-1) experimental; urgency=medium . [ Carsten Schoenert ] * [b08d966] debian/source.filter: modifying file list to ignore * [88fd018] Imported Upstream version 38.0~b2 * [e9da8f8] icedove branding: adopt upstream changes * [3610daa] debian/control: increase b-d versions * [950fae7] rebuild patch queue from patch-queue branch modified patches: - system-libs/Allow-to-build-against-system-libffi.patch - porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch obsolete patches (fixed upstream): - porting/Reintroduce-pixman-code-path-removed-in-bug-1097776-.patch * [1820d7c] debian/control: adding xul-ext-compactheader to Breaks field . [ Dominik George ] * [4181126] debian/control: Upgrade Breaks relation to enigmail (Closes: #782686) icedove (36.0~b1-2) experimental; urgency=medium . * [26c0027] rebuild patch queue from patch-queue branch added patches: - porting/Reintroduce-pixman-code-path-removed-in-bug-1097776-.patch - porting/Remove-duplicate-SkDiscardableMemory_none.cpp-from-g.patch - porting/ppc-fix-divide-page-size-in-jemalloc.patch (Closes: #780404) icedove (36.0~b1-1) experimental; urgency=medium . [ Carsten Schoenert ] * [68112a3] Imported Upstream version 36.0~b1 * [3120361] rebuild patch queue from patch-queue branch obsolete patches (fixed upstream): - debian-hacks/fixing-various-FTBFS-due-different-datatype-char-beh.patch - porting-arm/FTBFS-armhf-fixing-ARM-CPU-detection.patch modified patches: - debian-hacks/Strip-version-number.patch - p-kfree-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch - p-kfree-hurd/correcting-file-inclusion-for-kfreebsd.patch - p-kfree-hurd/ipc-chromium-fix-if-define-for-kFreeBSD-and-Hurd.patch * [ee185a2] d/icedove.install: mozilla-xremote-client was removed * [64adc44] debian/source.filter: modifying file list to ignore * [dbdd152] debian/control: increase package versions * [fb3307c] lintian: adding one more source override * [2a07495] lintian: adding new override for the icedove package * [38c21ad] debian/README.Debian: adding note around HTTPS Everythere (Closes: #774790) . [ Christoph Goehre ] * [3dce89c] debian/icedove.desktop: correct StartupWMClass to 'Icedove' (Closes: #773876) * [deb3f58] debian/icedove.desktop: add MimeType text/calendar (Closes: #762190) * [4dd96fe] rebuild patch queue from patch-queue branch added patches: - p-kfree-hurd/FTBFS-hurd-adding-the-HURD-platform-to-the-configure.patch - p-powerpcspe/FTBFS-powerpcspe-disable-AltiVec-instructions.patch (Closes: #772933) modified patches: - p-kfree-hurd/FTBFS-hurd-adding-GNU-Hurd-to-the-list-of-OS-systems.patch - p-kfree-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch - p-kfree-hurd/LDAP-support-building-on-GNU-kFreeBSD-and-GNU-Hurd.patch - p-kfree-hurd/ipc-chromium-fix-if-define-for-kFreeBSD-and-Hurd.patch * [373ed05] add missing epoch in libnss3-dev build depends icedove (34.0~b1-2) experimental; urgency=low . [ Carsten Schoenert ] * [7a4edc4] rebuild patch queue from patch-queue branch added patches: - debian-hacks/fixing-various-FTBFS-due-different-datatype-char-beh.patch - porting-arm/FTBFS-armhf-fixing-ARM-CPU-detection.patch icedove (34.0~b1-1) experimental; urgency=low . [ Carsten Schoenert ] * [1be8ab1] debian/source.filter: more files to ignore * [66e6488] debian/README.source: adjust description for beta versions * [e63d375] Imported Upstream version 34.0~b1 (Closes: #770180) * [1cb54d2] rebuild patch queue from patch-queue branch obsolete patches (fixed upstream): - porting-armel/disable-some-libopus-feature-for-ARCH-ARMv6.patch * [ad29bb1] debian/rules: be more flexible on *.xpi files * [b055e78] debian/NEWS: fixing default SSL/TLS behavior description * [d64a847] debian/NEWS: adding notes around new security changes icedove (33.0~b1-1) experimental; urgency=low . [ Carsten Schoenert ] * [5029c8b] debian/source.filter: more files to ignore * [d4b03d9] README.source: let's use xz while creating the orig.tar.xz * [ebd442f] debian/gbp.conf: some instructions for git-dch * [cc594ea] Imported Upstream version 33.0~b1 * [23b57cf] rebuild patch queue from patch-queue branch added patches: - debian-hacks/fix-identification-of-ObjdirMismatchException.patch - debian-hacks/pass-OS_LDFLAGS-to-all-ldap-libraries.patch modified patches: - debian-hacks/Strip-version-number.patch - icedove/fix-branding-in-migration-wizard-and-the-addon-manag.patch - porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch - obsolete patches (fixed upstream): - fixes/Include-cstdlib-in-gfx-angle-src-compiler-Types.h-fo.patch - porting-alpha/fix-FTBFS-on-alpha.patch * [a5a2a1b] adding additional config options for hppa and ppc64 Both platforms failing on running xpcshell. . [ Christoph Goehre ] * [5a0ba43] linitan: bump up standards version to 3.9.6 * [aaca6a7] debian/NEWS: adding note around increased default TLS version 1.2 (Closes: #761245) icedove (32.0~b1-1) experimental; urgency=low . [ Christoph Goehre ] * [65ad797] icedove.postinst: remove obsolete symlink handling . [ Carsten Schoenert ] * [baef95a] debian/gbp.conf: adopting experimental branch * [8384eee] Imported Upstream version 32.0~b1 * [75145f3] rebuild patch queue from patch-queue branch modified patches: - icedove/fix-branding-in-migration-wizard-and-the-addon-manag.patch - debian-hacks/remove-non-free-W3C-icon-valid.png.patch obsolete patches (fixed upstream): - porting-armel/fix-skia-for-ARMv4.patch . [ Christoph Goehre ] * [51c3cee] cleanup branding patch icedove (31.8.0-1~deb8u1+kbsd11) jessie-kfreebsd; urgency=medium . * Import nss/kbsd patch from nss package icedove (31.8.0-1~deb8u1) stable-security; urgency=medium . * [d427fea] Imported Upstream version 31.8.0 - MFSA 2015-59 aka CVE-2015-2724 - MFSA 2015-66 aka CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740 - MFSA 2015-70 aka CVE-2015-4000 - MFSA 2015-71 aka CVE-2015-2721 * [6516780] lintian: add override for libpng * [1c33ec2] build against internal libnss3 icedove-l10n (1:38.0.1-1~deb7u1) oldstable-security; urgency=medium . [ Carsten Schoenert ] * [fef2b1f] Imported Upstream version 38.0.1 * [c3d1a0b] icedove-l10n-fi: replace myspell-fi with xul-ext-mozvoikko (Closes: #792367) . [ Christoph Goehre ] * [31a9a5b] adjust icedove depends >= 38.0~ and icedove << 39 icedove-l10n (1:38.0~b2-1) experimental; urgency=medium . * [3978e11] debian/gbp.conf: correct upstream-branch assignment * [3f3a36e] Imported Upstream version 38.0~b2 * [c06cb1f] rebuild patch queue from patch-queue branch * [4693943] adjust icedove depends >= 38.0~ and icedove << 39 icedove-l10n (1:36.0~b1-1) experimental; urgency=low . [ Carsten Schoenert ] * [ae1ec3e] debian/c-u-t: adding new helper script (cherry-picked from master) * [97c472d] Imported Upstream version 36.0~b1 * [c5d70b5] rebuild patch queue from patch-queue branch * [fd71069] adjust icedove depends >= 36.0~ and icedove << 37 icedove-l10n (1:34.0~b1-1) experimental; urgency=low . [ Carsten Schoenert ] * [dba229d] Imported Upstream version 34.0~b1 * [17f58e7] rebuild patch queue from patch-queue branch * [b66c03a] adjust icedove depends >= 34.0~ and icedove << 35 * [312f280] debian/control: fix recommends for icedove-l10n-sr (Closes: #767635) icedove-l10n (1:33.0~b1-1) experimental; urgency=low . * [90dac17] Imported Upstream version 33.0~b1 * [4aa4a4c] rebuild patch queue from patch-queue branch * [3cdac77] adjust icedove depends >= 33.0~ and icedove << 34 * [313729d] linitan: bump up standards version to 3.9.6 icedove-l10n (1:32.0~b1-1) experimental; urgency=low . [ Carsten Schoenert ] * [32b4f8e] Imported Upstream version 32.0~b1 * [8bc4841] rebuild patch queue from patch-queue branch * [920724e] adjust icedove depends >= 32.0~ and icedove << 33 icedove-l10n (1:31.4.0-1) unstable; urgency=medium . * [ba9e08f] debian/control: fix recommends for icedove-l10n-sr (Closes: #767635) * [f36a6c4] debian/c-u-t: adding new helper script * [f5e62c4] Imported Upstream version 31.4.0 * [e854a2b] gbp.conf: we want numbered patches * [2d5a8a3] rebuild patch queue from patch-queue branch * [4857382] adjust icedove depends to >= 31.4.0 and << 32 icedove-l10n (1:31.2.0-1) unstable; urgency=low . [ Christoph Goehre ] * [27cf05e] Imported Upstream version 31.2.0 . [ Carsten Schoenert ] * [d5cb699] adjust icedove depends to >= 31.2.0 and << 32 * [b68ab88] linitan: bump up standards version to 3.9.6 icedtea-web (1.4-3~deb7u2) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2013-4349.diff patch. CVE-2013-4349: Fix IcedTeaScriptableJavaObject::invoke off-by-one heap-based buffer overflow after triggering event attached to applets. (Closes: #723118) icedtea-web (1.4-3~deb7u1) stable-security; urgency=low . * Build for stable icedtea-web (1.4-2) unstable; urgency=low . * Fix icedtea-web for use with OpenJDK 7u25. icedtea-web (1.4-1) unstable; urgency=low . * IcedTea-Web 1.4 release. * Stop building the icedtea6-plugin transitional package. iceweasel (38.8.0esr-1~deb7u1) oldstable-security; urgency=medium . * New upstream release. * Fixes for mfsa2016-{39,44,47}, also known as: CVE-2016-2807, CVE-2016-2805, CVE-2016-2814, CVE-2016-2808. iceweasel (38.7.1esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. - Disables Graphite font shaping library. iceweasel (38.7.1esr-1~deb7u1) oldstable-security; urgency=medium . * New upstream release. - Disables Graphite font shaping library. iceweasel (38.7.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2016-{16-17,20-21,23-25,27-28,31,34-35,37}, also known as: CVE-2016-1952, CVE-2016-1954, CVE-2016-1957, CVE-2016-1958, CVE-2016-1960, CVE-2016-1961, CVE-2016-1962, CVE-2016-1964, CVE-2016-1965, CVE-2016-1966, CVE-2016-1974, CVE-2016-1950, CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802. iceweasel (38.6.1esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2016-14, also known as CVE-2016-1523. iceweasel (38.6.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2016-{01,03}, also known as: CVE-2016-1930, CVE-2016-1935. iceweasel (38.5.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2015-{134,138-139,145-147,149}, also known as: CVE-2015-7201, CVE-2015-7210, CVE-2015-7212, CVE-2015-7205, CVE-2015-7213, CVE-2015-7222, CVE-2015-7214. . * debian/rules: Follow upstream default for Gtk+2 vs. Gtk+3 automatically. * debian/watch: Update file to use https://archive.mozilla.org/. iceweasel (38.5.0esr-1~deb8u2) stable-security; urgency=medium . * security/nss/lib/ckfw/builtins/certdata.txt: Remove the SPI Inc. and CAcert.org CA certificates. The former was removed in NSS 3.21-1 and the latter in 3.16-1, and remained here largely overlooked. . iceweasel (38.5.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2015-{134,138-139,145-147,149}, also known as: CVE-2015-7201, CVE-2015-7210, CVE-2015-7212, CVE-2015-7205, CVE-2015-7213, CVE-2015-7222, CVE-2015-7214. . * debian/rules: Follow upstream default for Gtk+2 vs. Gtk+3 automatically. * debian/watch: Update file to use https://archive.mozilla.org/. iceweasel (38.5.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2015-{134,138-139,145-147,149}, also known as: CVE-2015-7201, CVE-2015-7210, CVE-2015-7212, CVE-2015-7205, CVE-2015-7213, CVE-2015-7222, CVE-2015-7214. . * debian/rules: Follow upstream default for Gtk+2 vs. Gtk+3 automatically. * debian/watch: Update file to use https://archive.mozilla.org/. imagemagick (8:6.7.7.10-5+deb7u4) wheezy-security; urgency=high . * Null pointer access in magick/constitute.c (closes: #811308) https://github.com/ImageMagick/ImageMagick/pull/34 0071-Prevent-null-pointer-access-in-magick-constitute.c.patch * IM 6.9.2 crash with some PNG (closes: #811308, LP: #1492881) http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28466 0072-Fixed-out-of-bounds-error-in-SpliceImage.patch * Add fix-overflow-in-icon-parsing.patch to fix an integer overflow that can lead to a buffer overrun in the icon parsing code. * Add fix-overflow-in-pict-parsing.patch to fix an integer overflow that can lead to a double free. imlib2 (1.4.5-1+deb7u2) wheezy-security; urgency=high . * Fix divide-by-zero on 2x1 ellipse as per CVE-2011-5326 (Closes: #639414) * Fix integer overflow as per CVE-2014-9771 (Closes: #820206) * Fix off-by-one OOB read as per CVE-2016-3993 (Closes: #819818) * Fix out-of-bounds read in the GIF loader as per CVE-2016-3994 (Closes: #785369) * Fix integer overflow as per CVE-2016-4024 (Closes: #821732) imlib2 (1.4.5-1+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload. * CVE-2014-9762: Fix segmentation fault on images without colormap. * CVE-2014-9763: Prevent division-by-zero crashes. * CVE-2014-9764: Fix segfault when opening specially crafted input with feh. isc-dhcp (4.2.2.dfsg.1-5+deb70u8) wheezy-security; urgency=high . * Fix CVE-2015-8605: maliciously crafted IPv4 packet can cause any of the running DHCP applications (server, client, or relay) to crash. kfreebsd-9 (9.0-10+deb70.10) wheezy-security; urgency=high . * Pick SVN r281231 from FreeBSD 9-STABLE to fix: - SA-15:04: integer overflow in IGMP protocol (CVE-2015-1414) updated patch from advisory revision 1.1 (Closes: #779201) - SA-15:09: Denial of Service with IPv6 Router Advertisements (CVE-2015-2923) (Closes: #782735) kfreebsd-9 (9.0-10+deb70.9) wheezy-security; urgency=medium . * Upstream patch for FreeBSD-SA-15:04.igmp / CVE-2015-1414 (Closes: #779201) kfreebsd-9 (9.0-10+deb70.8) wheezy-security; urgency=high . * Team upload. * Disable SCTP due to CVE-2014-3953 and other potential issues; it was anyway unsupported yet by userland tools. * Pick SVN r268432 from FreeBSD 9-STABLE to fix SA-14:17 / CVE-2014-3952: kernel memory disclosure in sockbuf control message (Closes: #754236) * Pick SVN r273412 from FreeBSD 9-STABLE to fix SA-14:22 / CVE-2014-3711: Memory leak in sandboxed namei lookup (Closes: #766275) * Pick SVN r274112 from FreeBSD 9.1-RELEASE to fix SA-14:25 / CVE-2014-8476: Kernel stack disclosure in setlogin(2) / getlogin(2) (Closes: #768104) lhasa (0.0.7-2+deb7u1) wheezy-security; urgency=high . * Backport a patch from 0.3.1 to fix an integer underflow vulnerability in the code for doing LZH level 3 header decodes (TALOS-CAN-0095). Thanks go to Marcin Noga and Regina Wilson of Cisco TALOS for reporting this vulnerability. libcrypto++ (5.6.1-6+deb7u2) wheezy; urgency=medium . * Fix CVE-2016-3995, Rijndael timing attack counter measure. libdatetime-timezone-perl (1:1.58-1+2016d) wheezy; urgency=medium . * Update to Olson database version 2016d. libdbd-firebird-perl (0.91-2+deb7u1) wheezy-security; urgency=high . * Fix potential buffer overflow as per CVE-2015-2788 (Closes: #780925) libebml (1.2.2-2+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload. * Add CVE-2015-8789.patch. Fix use-after-free vulnerability in the EbmlMaster::Read function. * Add CVE-2015-8790.patch. Fix EbmlUnicodeString::UpdateFromUTF8 function that allowed context-dependent attackers to obtain sensitive information from process heap memory via a crafted UTF-8 string. * Add CVE-2015-8791.patch. Fix EbmlElement::ReadCodedSizeValue function that allowed context-dependent attackers to obtain sensitive information from process heap memory via a crafted length value in an EBML id. libgd2 (2.0.36~rc1~dfsg-6.1+deb7u2) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-3074: Signedness vulnerability causing heap overflow (Closes: #822242) libreoffice (1:3.5.4+dfsg2-0+deb7u6) wheezy-security; urgency=high . * debian/patches/V-1lp8t84lh4.diff: fix "LibreOffice Writer Lotus Word Pro TabRack Buffer Overflow Vulnerability" * debian/patches/V-pxk0pgyk9d.diff: fix "LibreOffice Writer Lotus Word Pro 'ReadRootData' Buffer Overflow Vulnerability" * debian/patches/V-mgylorku1q.diff: fix "LibreOffice Writer Lotus Word Pro Bullet Buffer Overflow Vulnerability" (CVE-2016-0794) * debian/patches/V-a7vjdei7l7.diff: fix "LibreOffice Writer Lotus Word Pro 'TocSuperLayout' Buffer Overflow Vulnerability" (CVE-2016-0795) libreoffice (1:3.5.4+dfsg2-0+deb7u5) wheezy-security; urgency=high . * debian/patches/CVE-2015-4551.diff: backport fix for Arbritary file disclosure vulnerabbility (CVE-2014-4551) * debian/patches/ww8dontwrap.diff: fix 'LibreOffice "Piece Table Counter" Invalid Check Design Error Vulnerability' (CVE-2015-5213) * debian/patches/coverity-1266485.diff: fix 'LibreOffice "PrinterSetup Length" Integer Underflow Vulnerability' (CVE-2015-5212) . (thanks to Björn Michaelsen for preparing the patches) . * debian/patches/pStatus-vector-offsets.diff: fix 'LibreOffice Bookmark Status Memory Corruption Vulnerability' (CVE-2015-5214) libreoffice (1:3.5.4+dfsg2-0+deb7u4) wheezy-security; urgency=high . * debian/patches/CVE-2015-1774-hwpreader-check-reads.patch: fix "out of bounds write in hwp file filter" (CVE-2015-1774), backported from libreoffice-4-3 branch libreoffice (1:3.5.4+dfsg2-0+deb7u4~bpo60+1) squeeze-backports; urgency=high . * Rebuild for squeeze-backports. . * debian/patches/remove-poppler-cpp-dev-need.diff: remove need for cpp/poppler-version.h. Doesn't exist on squeezes old poppler... . * debian/rules - use internal sampleicc - disable gtk3 stuff - hack around to not add bogus << 1.1.1-9 builddep for libservlet2.5-java - do enable pdfimport as we have patched poppler-version.h need out - use python3.pc instead of version-specific one which is in pythonX.Y-dev (and misses the "mu" in 3.1) - revert build-dep bump to >= 3.2 * debian/control.in: build-conflict against openoffice.org-java-common to prevent bogus openoffice.org-java-common dependency * debian/control.in: make -core conflict against non-squeeze librdf0 . libreoffice (1:3.5.4+dfsg2-0+deb7u4) wheezy-security; urgency=high . * debian/patches/CVE-2015-1774-hwpreader-check-reads.patch: fix "out of bounds write in hwp file filter" (CVE-2015-1774), backported from libreoffice-4-3 branch . libreoffice (1:3.5.4+dfsg2-0+deb7u3) wheezy-security; urgency=high . * Fix invalid memory writes when importing malformed RTF files as per CVE-2014-9093 (Closes: #771163) * Set urgency=high accordingly . libreoffice (1:3.5.4+dfsg2-0+deb7u2) stable; urgency=low . * debian/rules: - work around possible failure install-common target with missing ca-XV .dirs/.install... (closes: #685723) - hack around broken "*" directory in debian/tmp/pkg on kfreebsd-* extremely slowing down the install target... . libreoffice (1:3.5.4+dfsg2-0+deb7u1) stable; urgency=low . * src/17410483b5b5f267aa18b7e00b65e6e0-hsqldb_1_8_0.zip: remove lib/servlet.jar.. . * debian/patches/fix-view-option.diff: backport fix to fix --view from libreoffice-3-6 (closes: #697723) * debian/patches/odk-link-to-jdk-1.5-docs.diff: link to http://java.sun.com/j2se/1.5/docs/api instead of /1.4.1/ as the former doesn't exist anymore * debian/patches/oosplash-wait-for-ProcessingDone.diff: backport from 3.6; make oosplash wait for InternalIPC::ProcessingDone (closes: #681185) . * debian/control.in: - remove bogus | python3-uno dependency alternatives. Will properly be back with LO 4.0 which supports python3 . libreoffice (1:3.5.4+dfsg-4) unstable; urgency=medium . * debian/control.in: - remove obsolete Pre-Depends on ure (>= 1.5.1+OOo3.1.1-15) (by the way closes: #693626) * debian/libreoffice-core.bug-control: - report-with: fonts-opensymbol instead of transitional ttf-opensymbol libreoffice (1:3.5.4+dfsg2-0+deb7u3) wheezy-security; urgency=high . * Fix invalid memory writes when importing malformed RTF files as per CVE-2014-9093 (Closes: #771163) * Set urgency=high accordingly libstruts1.2-java (1.2.9-5+deb7u2) wheezy-security; urgency=high . * Non-maintainer upload by the Wheezy LTS Team. * add struts-1.2.9-CVE-2015-0899.patch from Red Hat (same patch as in the Squeeze version) mercurial (2.2.2-4+deb7u2) wheezy-security; urgency=high . * CVE-2016-3630: + mpatch: rewrite pointer overflow checks (prerequisite for the following) + parsers: fix list sizing rounding error + parsers: detect short records * CVE-2016-3068: + subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols * CVE-2016-3069: + convert: add new, non-clowny interface for shelling out to git + convert: rewrite calls to Git to use the new shelling mechanism + convert: dead code removal - old git calling functions + convert: rewrite gitpipe to use common.commandline + convert: test for shell injection in git calls Closes: #819504 oar (2.5.2-3+deb7u1) wheezy-security; urgency=high . [ Pierre Neyron ] * Add patch: fix a vulnerability in the oarsh command (CVE-2016-1235; Closes: #819952) openjdk-6 (6b38-1.13.10-1~deb7u1) wheezy-security; urgency=low . * Rebuild for wheezy-security openjdk-6 (6b38-1.13.10-1~deb6u1) squeeze-lts; urgency=high . * Non-maintainer upload by the Squeeze LTS Team. * Rebuild for squeeze-lts. . [ Tiago Stürmer Daitx ] * IcedTea 1.13.10 release. * Security fixes: - S8059054, CVE-2016-0402: Better URL processing - S8130710, CVE-2016-0448: Better attributes processing - S8133962, CVE-2016-0466: More general limits - S8137060: JMX memory management improvements - S8139012: Better font substitutions - S8139017, CVE-2016-0483: More stable image decoding - S8140543, CVE-2016-0494: Arrange font actions - S8143185: Cleanup for handling proxies - S8143941, CVE-2015-8126, CVE-2015-8472: Update splashscreen displays - CVE-2015-7575: Very difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. * Other fixes: - S7169111, PR2757: Unreadable menu bar with Ambiance theme in GTK L&F (LP: #932274) * debian/rules: removed old @op@, @pkg_version@, and @pkg_sversion@ openjdk-6 (6b37-1.13.9-1) experimental; urgency=medium . [ Tiago Stürmer Daitx ] * IcedTea 1.13.9 release. * Security fixes: - S8048030, CVE-2015-4734: Expectations should be consistent - S8068842, CVE-2015-4803: Better JAXP data handling - S8076339, CVE-2015-4903: Better handling of remote object invocation - S8076383, CVE-2015-4835: Better CORBA exception handling - S8076387, CVE-2015-4882: Better CORBA value handling - S8076392, CVE-2015-4881: Improve IIOPInputStream consistency - S8076413, CVE-2015-4883: Better JRMP message handling - S8078427, CVE-2015-4842: More supportive home environment - S8078440: Safer managed types - S8080541: More direct property handling - S8080688, CVE-2015-4860: Service for DGC services - S8081760: Better group dynamics - S8086733, CVE-2015-4893: Improve namespace handling - S8087350: Improve array conversions - S8103671, CVE-2015-4805: More objective stream classes - S8103675: Better Binary searches - S8130078, CVE-2015-4911: Document better processing - S8130193, CVE-2015-4806: Improve HTTP connections - S8130864: Better server identity handling - S8130891, CVE-2015-4843: (bf) More direct buffering - S8131291, CVE-2015-4872: Perfect parameter patterning - S8132042, CVE-2015-4844: Preserve layout presentation openjdk-6 (6b37-1.13.9-1~deb6u1) squeeze-lts; urgency=high . * Non-maintainer upload by the Squeeze LTS Team. * Rebuild from experimental. [ Tiago Stürmer Daitx ] * IcedTea 1.13.9 release. * Security fixes: - S8048030, CVE-2015-4734: Expectations should be consistent - S8068842, CVE-2015-4803: Better JAXP data handling - S8076339, CVE-2015-4903: Better handling of remote object invocation - S8076383, CVE-2015-4835: Better CORBA exception handling - S8076387, CVE-2015-4882: Better CORBA value handling - S8076392, CVE-2015-4881: Improve IIOPInputStream consistency - S8076413, CVE-2015-4883: Better JRMP message handling - S8078427, CVE-2015-4842: More supportive home environment - S8078440: Safer managed types - S8080541: More direct property handling - S8080688, CVE-2015-4860: Service for DGC services - S8081760: Better group dynamics - S8086733, CVE-2015-4893: Improve namespace handling - S8087350: Improve array conversions - S8103671, CVE-2015-4805: More objective stream classes - S8103675: Better Binary searches - S8130078, CVE-2015-4911: Document better processing - S8130193, CVE-2015-4806: Improve HTTP connections - S8130864: Better server identity handling - S8130891, CVE-2015-4843: (bf) More direct buffering - S8131291, CVE-2015-4872: Perfect parameter patterning - S8132042, CVE-2015-4844: Preserve layout presentation openjdk-6 (6b36-1.13.8-1) experimental; urgency=medium . * IcedTea 1.13.8 release. * Security fixes: - S8043202, CVE-2015-2808: Prohibit RC4 cipher suites. - S8067694, CVE-2015-2625: Improved certification checking. - S8071715, CVE-2015-4760: Tune font layout engine. - S8071731: Better scaling for C1. - S8072490: Better font morphing redux. - S8072887: Better font handling improvements. - S8073334: Improved font substitutions. - S8073773: Presume path preparedness. - S8073894: Getting to the root of certificate chains. - S8074330: Set font anchors more solidly. - S8074335: Substitute for substitution formats. - S8074865, CVE-2015-2601: General crypto resilience changes. - S8074871: Adjust device table handling. - S8075374, CVE-2015-4748: Responding to OCSP responses. - S8075378, CVE-2015-4749: JNDI DnsClient Exception Handling. - S8075738: Better multi-JVM sharing. - S8075838: Method for typing MethodTypes. - S8075853, CVE-2015-2621: Proxy for MBean proxies. - S8076328, CVE-2015-4000: Enforce key exchange constraints. - S8076376, CVE-2015-2628: Enhance IIOP operations. - S8076397, CVE-2015-4731: Better MBean connections. - S8076401, CVE-2015-2590: Serialize OIS data. - S8076405, CVE-2015-4732: Improve serial serialization. - S8076409, CVE-2015-4733: Reinforce RMI framework. - S8077520, CVE-2015-2632: Morph tables into improved form. - PR2488, CVE-2015-4000: Make jdk8 mode the default for jdk.tls.ephemeralDHKeySize. * Refresh patches. openjdk-6 (6b36-1.13.8-1~deb7u1) wheezy-security; urgency=low . * Rebuild for wheezy openjdk-6 (6b36-1.13.8-1~deb6u1) squeeze-lts; urgency=high . * Non-maintainer upload by the Debian LTS team. * Rebuild package from experimental * IcedTea 1.13.8 release. * Security fixes: - S8043202, CVE-2015-2808: Prohibit RC4 cipher suites. - S8067694, CVE-2015-2625: Improved certification checking. - S8071715, CVE-2015-4760: Tune font layout engine. - S8071731: Better scaling for C1. - S8072490: Better font morphing redux. - S8072887: Better font handling improvements. - S8073334: Improved font substitutions. - S8073773: Presume path preparedness. - S8073894: Getting to the root of certificate chains. - S8074330: Set font anchors more solidly. - S8074335: Substitute for substitution formats. - S8074865, CVE-2015-2601: General crypto resilience changes. - S8074871: Adjust device table handling. - S8075374, CVE-2015-4748: Responding to OCSP responses. - S8075378, CVE-2015-4749: JNDI DnsClient Exception Handling. - S8075738: Better multi-JVM sharing. - S8075838: Method for typing MethodTypes. - S8075853, CVE-2015-2621: Proxy for MBean proxies. - S8076328, CVE-2015-4000: Enforce key exchange constraints. - S8076376, CVE-2015-2628: Enhance IIOP operations. - S8076397, CVE-2015-4731: Better MBean connections. - S8076401, CVE-2015-2590: Serialize OIS data. - S8076405, CVE-2015-4732: Improve serial serialization. - S8076409, CVE-2015-4733: Reinforce RMI framework. - S8077520, CVE-2015-2632: Morph tables into improved form. - PR2488, CVE-2015-4000: Make jdk8 mode the default for jdk.tls.ephemeralDHKeySize. * Refresh patches. openjdk-6 (6b35-1.13.7-1) unstable; urgency=medium . * IcedTea 1.13.7 release. * Security fixes: - S8059064: Better G1 log caching. - S8060461: Fix for JDK-8042609 uncovers additional issue. - S8064601, CVE-2015-0480: Improve jar file handling. - S8065286: Fewer subtable substitutions. - S8065291: Improved font lookups. - S8066479: Better certificate chain validation. - S8067050: Better font consistency checking. - S8067684: Better font substitutions. - S8067699, CVE-2015-0469: Better glyph storage. - S8068320, CVE-2015-0477: Limit applet requests. - S8068720, CVE-2015-0488: Better certificate options checking. - S8069198: Upgrade image library. - S8071726, CVE-2015-0478: Better RSA optimizations. - S8071818: Better vectorization on SPARC. - S8071931, CVE-2015-0460: Return of the phantom menace. openjdk-6 (6b35-1.13.7-1~deb7u1) wheezy-security; urgency=low . * Rebuild for stable openjdk-6 (6b35-1.13.7-1~deb6u1) squeeeze-lts; urgency=medium . * Non-maintainer upload by the Debian LTS team. * Rebuild for squeeze. openjdk-6 (6b34-1.13.6-1) unstable; urgency=high . * IcedTea 1.13.6 release. * Security fixes: - S8046656: Update protocol support. - S8047125, CVE-2015-0395: (ref) More phantom object references. - S8047130: Fewer escapes from escape analysis. - S8048035, CVE-2015-0400: Ensure proper proxy protocols. - S8049253: Better GC validation. - S8050807, CVE-2015-0383: Better performing performance data handling. - S8054367, CVE-2015-0412: More references for endpoints. - S8055304, CVE-2015-0407: More boxing for DirectoryComboBoxModel. - S8055309, CVE-2015-0408: RMI needs better transportation considerations. - S8055479: TLAB stability. - S8055489, CVE-2014-6585: Better substitution formats. - S8056264, CVE-2014-6587: Multicast support improvements. - S8056276, CVE-2014-6591: Fontmanager feature improvements. - S8057555, CVE-2014-6593: Less cryptic cipher suite management. - S8058982, CVE-2014-6601: Better verification of an exceptional invokespecial. - S8059485, CVE-2015-0410: Resolve parsing ambiguity. - S8061210, CVE-2014-3566: Issues in TLS. * Fix applying the fontconfig-dejavu patch for older releases. * Fix build on mips64 and mips64el. Addresses #776295. openjdk-6 (6b34-1.13.6-1~deb7u1) wheezy-security; urgency=low . * Rebuild for stable openjdk-6 (6b34-1.13.6-1~deb6u1) squeeze-lts; urgency=low . * Rebuild for squeeze-lts openjdk-6 (6b33-1.13.5-2) unstable; urgency=medium . * Fix libjpeg runtime dependency. * Fix regression running JamVM after the 2.5.3 security update. * Fix regression running CACAO after the 2.5.3 security update. * Fix typo in package description. Closes: #706341. openjdk-6 (6b33-1.13.5-2~deb7u1) wheezy-security; urgency=low . * Rebuild for stable openjdk-6 (6b33-1.13.5-2~deb6u1) squeeze-lts; urgency=medium . * Backport new upstream release to Squeeze in order to fix many security issues: CVE-2014-2490, CVE-2014-4209, CVE-2014-4216, CVE-2014-4218, CVE-2014-4219, CVE-2014-4244, CVE-2014-4252, CVE-2014-4262, CVE-2014-4263, CVE-2014-4266, CVE-2014-4268, CVE-2014-6457, CVE-2014-6502, CVE-2014-6504, CVE-2014-6506, CVE-2014-6511, CVE-2014-6512, CVE-2014-6517, CVE-2014-6519, CVE-2014-6531, CVE-2014-6558 openjdk-6 (6b33-1.13.5-1) unstable; urgency=medium . * IcedTea 1.13.5 release. * Security fixes: - S8015256: Better class accessibility. - S8022783, CVE-2014-6504: Optimize C2 optimizations. - S8035162: Service printing service. - S8035781: Improve equality for annotations. - S8036805: Correct linker method lookup. - S8036810: Correct linker field lookup. - S8037066, CVE-2014-6457: Secure transport layer. - S8037846, CVE-2014-6558: Ensure streaming of input cipher streams. - S8038899: Safer safepoints. - S8038903: More native monitor monitoring. - S8038908: Make Signature more robust. - S8038913: Bolster XML support. - S8039509, CVE-2014-6512: Wrap sockets more thoroughly. - S8039533, CVE-2014-6517: Higher resolution resolvers. - S8041540, CVE-2014-6511: Better use of pages in font processing. - S8041545: Better validation of generated rasters. - S8041564, CVE-2014-6506: Improved management of logger resources. - S8041717, CVE-2014-6519: Issue with class file parser. - S8042609, CVE-2014-6513: Limit splashiness of splash images. - S8042797, CVE-2014-6502: Avoid strawberries in LogRecord. - S8044274, CVE-2014-6531: Proper property processing. * Update to JamVM-2.0.0. * Change B-D to libjpeg-dev to finish the transition to libjpeg-turbo (Ondřej Surý). Closes: #763488. * Depend on libnss3 instead of libnss3-1d for recent releases. Closes: #760122. openjdk-6 (6b32-1.13.4-4.1) unstable; urgency=medium . * Non-maintainer upload * Change B-D to libjpeg-dev to finish the transition to libjpeg-turbo (Closes: #763488) openjdk-6 (6b32-1.13.4-4) unstable; urgency=medium . * Adjust patches for upstream renaming build flags. Adds the jni paths again to the default search path. Closes: #747506. openjdk-6 (6b32-1.13.4-3) unstable; urgency=medium . * Set AM_MAINTAINER_MODE. openjdk-6 (6b32-1.13.4-2) unstable; urgency=medium . * Build using GCC 4.9. Closes: #751328. * Suggest fonts-indic instead of ttf-indic-fonts. Closes: #747693. * Disable the lcms2 version check and assume that system lcms2 packages are kept working for existing releases. Closes: #745616. openjdk-6 (6b32-1.13.4-1) unstable; urgency=high . * IcedTea 1.13.4 release. * Security fixes: - S8029755, CVE-2014-4209: Enhance subject class. - S8030763: Validate global memory allocation. - S8031346, CVE-2014-4244: Enhance RSA key handling. - S8031540: Introduce document horizon. - S8032536: JVM resolves wrong method in some unusual cases. - S8033055: Issues in 2d. - S8033301, CVE-2014-4266: Build more informative InfoBuilder. - S8034267: Probabilistic native crash. - S8034272: Do not cram data into CRAM arrays. - S8035004, CVE-2014-4252: Provider provides less service. - S8035009, CVE-2014-4218: Make Proxy representations consistent. - S8035119, CVE-2014-4219: Fix exceptions to bytecode verification. - S8035699, CVE-2014-4268: File choosers should be choosier. - S8036571: (process) Process process arguments carefully. - S8036800: Attribute OOM to correct part of code. - S8037046: Validate libraries to be loaded. - S8037157: Verify call. - S8037076, CVE-2014-2490: Check constant pool constants. - S8037162, CVE-2014-4263: More robust DH exchanges. - S8037167, CVE-2014-4216: Better method signature resolution. - S8039520, CVE-2014-4262: More atomicity of atomic updates. openjdk-6 (6b32-1.13.4-1~deb7u1) wheezy-security; urgency=low . * Rebuld for wheezy openjdk-6 (6b31-1.13.3-1) unstable; urgency=high . * IcedTea 1.13.3 release. * Security fixes: - S8023046: Enhance splashscreen support. - S8025005: Enhance CORBA initializations. - S8025010, CVE-2014-2412: Enhance AWT contexts. - S8025030, CVE-2014-2414: Enhance stream handling. - S8025152, CVE-2014-0458: Enhance activation set up. - S8026067: Enhance signed jar verification. - S8026163, CVE-2014-2427: Enhance media provisioning. - S8026188, CVE-2014-2423: Enhance envelope factory. - S8026200: Enhance RowSet Factory. - S8026736, CVE-2014-2398: Enhance Javadoc pages. - S8026797, CVE-2014-0451: Enhance data transfers. - S8026801, CVE-2014-0452: Enhance endpoint addressing. - S8027766, CVE-2014-0453: Enhance RSA processing. - S8027775: Enhance ICU code. - S8027841, CVE-2014-0429: Enhance pixel manipulations. - S8028385: Enhance RowSet Factory. - S8029282, CVE-2014-2403: Enhance CharInfo set up. - S8029286: Enhance subject delegation. - S8029699: Update Poller demo. - S8029730: Improve audio device additions. - S8029735: Enhance service mgmt natives. - S8029740, CVE-2014-0446: Enhance handling of loggers. - S8029750: Enhance LCMS color processing. - S8029760, CVE-2014-0462: Enhance AWT image libraries. - S8029854, CVE-2014-2421: Enhance JPEG decodings. - S8029858, CVE-2014-0456: Enhance array copies. - S8030731, CVE-2014-0460: Improve name service robustness. - S8031330: Refactor ObjectFactory. - S8031335, CVE-2014-0459: Better color profiling (LCMS 2 only). - S8031352, CVE-2014-2405: Enhance PNG handling. - S8031394, CVE-2014-0457: (sl) Fix exception handling in ServiceLoader. - S8031395: Enhance LDAP processing. - S8033618, CVE-2014-1876: Correct logging output. - S8034926, CVE-2014-2397: Attribute classes properly. - S8036794, CVE-2014-0461: Manage JavaScript instances. openjdk-6 (6b31-1.13.3-1~deb7u1) stable-security; urgency=low . * Build for stable openjdk-6 (6b30-1.13.2-2) unstable; urgency=medium . * Explicitly build-depend on libkrb5-dev. openjdk-6 (6b30-1.13.2-1) unstable; urgency=medium . * IcedTea 1.13.2 release. . [ Jamie Strandboge ] * debian/rules: disable system lcms2 for releases that don't have lcms2 2.5 or higher. * debian/patches/8017173.diff: XMLCipher with RSA_OAEP Key Transport algorithm can't be instantiated (LP: #1283828) * debian/patches/java-access-bridge-security.patch: fix malformed patch . [ Matthias Klose ] * Re-enable the system lcms2 on releases which have an earlier lcms2 with the security fixes included in 2.5. * Explicitly use AC_MAINTAINER_MODE and automake-1.11 to create the debian .orig tarball. Closes: #740289. openjdk-6 (6b30-1.13.1-1) unstable; urgency=medium . * IcedTea 1.13.1 release. * Security fixes - S6727821: Enhance JAAS Configuration. - S7068126, CVE-2014-0373: Enhance SNMP statuses. - S8010935: Better XML handling. - S8011786, CVE-2014-0368: Better applet networking. - S8021257, CVE-2013-5896: com.sun.corba.se.** should be on restricted package list. - S8021271: Better buffering in ObjC code. - S8022904: Enhance JDBC Parsers. - S8022927: Input validation for byte/endian conversions. - S8022935: Enhance Apache resolver classes. - S8022945: Enhance JNDI implementation classes. - S8023057: Enhance start up image display. - S8023069, CVE-2014-0411: Enhance TLS connections. - S8023245, CVE-2014-0423: Enhance Beans decoding. - S8023301: Enhance generic classes. - S8023672: Enhance jar file validation. - S8024306, CVE-2014-0416: Enhance Subject consistency. - S8024530: Enhance font process resilience. - S8024867: Enhance logging start up. - S8025014: Enhance Security Policy. - S8025018, CVE-2014-0376: Enhance JAX-P set up. - S8025026, CVE-2013-5878: Enhance canonicalization. - S8025034, CVE-2013-5907: Improve layout lookups. - S8025448: Enhance listening events. - S8025758, CVE-2014-0422: Enhance Naming management. - S8025767, CVE-2014-0428: Enhance IIOP Streams. - S8026172: Enhance UI Management. - S8026176: Enhance document printing. - S8026193, CVE-2013-5884: Enhance CORBA stub factories. - S8026204: Enhance auth login contexts. - S8026417, CVE-2013-5910: Enhance XML canonicalization. - S8027201, CVE-2014-0376: Enhance JAX-P set up. openjdk-6 (6b29-1.13.0-2) unstable; urgency=medium . * Fix the sparc builds. openjdk-6 (6b29-1.13.0-1) unstable; urgency=medium . * IcedTea 1.13.0 release. openjdk-6 (6b27-1.12.7-2) unstable; urgency=low . * Fix build failure on arm*. * Re-enable running the testsuite. openjdk-6 (6b27-1.12.7-1) unstable; urgency=medium . * IcedTea 1.12.7 release. * Security fixes: - S8006900, CVE-2013-3829: Add new date/time capability. - S8008589: Better MBean permission validation. - S8011071, CVE-2013-5780: Better crypto provider handling. - S8011081, CVE-2013-5772: Improve jhat. - S8011157, CVE-2013-5814: Improve CORBA portablility. - S8012071, CVE-2013-5790: Better Building of Beans. - S8012147: Improve tool support. - S8012277: CVE-2013-5849: Improve AWT DataFlavor. - S8012425, CVE-2013-5802: Transform TransformerFactory. - S8013503, CVE-2013-5851: Improve stream factories. - S8013506: Better Pack200 data handling. - S8013510, CVE-2013-5809: Augment image writing code. - S8013514: Improve stability of cmap class. - S8013739, CVE-2013-5817: Better LDAP resource management. - S8013744, CVE-2013-5783: Better tabling for AWT. - S8014085: Better serialization support in JMX classes. - S8014093, CVE-2013-5782: Improve parsing of images. - S8014102, CVE-2013-5778: Improve image conversion. - S8014341, CVE-2013-5803: Better service from Kerberos servers. - S8014349, CVE-2013-5840: (cl) Class.getDeclaredClass problematic in some class loader configurations. - S8014530, CVE-2013-5825: Better digital signature processing. - S8014534: Better profiling support. - S8014987, CVE-2013-5842: Augment serialization handling. - S8015614: Update build settings. - S8015731: Subject java.security.auth.subject to improvements. - S8015743, CVE-2013-5774: Address internet addresses. - S8016256: Make finalization final. - S8016653, CVE-2013-5804: javadoc should ignore ignoreable characters in names. - S8016675, CVE-2013-5797: Make Javadoc pages more robust. - S8017196, CVE-2013-5850: Ensure Proxies are handled appropriately. - S8017287, CVE-2013-5829: Better resource disposal. - S8017291, CVE-2013-5830: Cast Proxies Aside. - S8017298, CVE-2013-4002: Better XML support. - S8017300, CVE-2013-5784: Improve Interface Implementation. - S8017505, CVE-2013-5820: Better Client Service. - S8019292: Better Attribute Value Exceptions. - S8019617: Better view of objects. - S8020293: JVM crash. - S8021290, CVE-2013-5823: Better signature validation. - S8022940: Enhance CORBA translations. - S8023683: Enhance class file parsing. openjdk-6 (6b27-1.12.6-1) unstable; urgency=high . * IcedTea 1.12.6 release. * Security fixes: - S6741606, CVE-2013-2407: Integrate Apache Santuario. - S7158805, CVE-2013-2445: Better rewriting of nested subroutine calls. - S7170730, CVE-2013-2451: Improve Windows network stack support. - S8000638, CVE-2013-2450: Improve deserialization. - S8000642, CVE-2013-2446: Better handling of objects for transportation. - S8001032: Restrict object access. - S8001033, CVE-2013-2452: Refactor network address handling in virtual machine identifiers. - S8001034, CVE-2013-1500: Memory management improvements. - S8001038, CVE-2013-2444: Resourcefully handle resources. - S8001043: Clarify definition restrictions. - S8001309: Better handling of annotation interfaces. - S8001318, CVE-2013-2447: Socket.getLocalAddress not consistent with InetAddress.getLocalHost. - S8001330, CVE-2013-2443: Improve on checking order. - S8003703, CVE-2013-2412: Update RMI connection dialog box. - S8004584: Augment applet contextualization. - S8005007: Better glyph processing. - S8006328, CVE-2013-2448: Improve robustness of sound classes. - S8006611: Improve scripting. - S8007467: Improve robustness of JMX internal APIs. - S8007471: Improve MBean notifications. - S8007812, CVE-2013-2455: (reflect) Class.getEnclosingMethod problematic for some classes. - S8008120, CVE-2013-2457: Improve JMX class checking. - S8008124, CVE-2013-2453: Better compliance testing. - S8008128: Better API coherence for JMX. - S8008132, CVE-2013-2456: Better serialization support. - S8008585: Better JMX data handling. - S8008593: Better URLClassLoader resource management. - S8008603: Improve provision of JMX providers. - S8008611: Better handling of annotations in JMX. - S8008615: Improve robustness of JMX internal APIs. - S8008623: Better handling of MBeanServers. - S8008744, CVE-2013-2407: Rework part of fix for JDK-6741606. - S8008982: Adjust JMX for underlying interface changes. - S8009004: Better implementation of RMI connections. - S8009013: Better handling of T2K glyphs. - S8009034: Improve resulting notifications in JMX. - S8009038: Improve JMX notification support. - S8009067: Improve storing keys in KeyStore. - S8009071, CVE-2013-2459: Improve shape handling. - S8009235: Improve handling of TSA data. - S8011243, CVE-2013-2470: Improve ImagingLib. - S8011248, CVE-2013-2471: Better Component Rasters. - S8011253, CVE-2013-2472: Better Short Component Rasters. - S8011257, CVE-2013-2473: Better Byte Component Rasters. - S8012375, CVE-2013-1571: Improve Javadoc framing. - S8012421: Better positioning of PairPositioning. - S8012438, CVE-2013-2463: Better image validation. - S8012597, CVE-2013-2465: Better image channel verification. - S8012601, CVE-2013-2469: Better validation of image layouts. - S8014281, CVE-2013-2461: Better checking of XML signature. - S8015997: Additional improvement in Javadoc framing. * Backports: - See the NEWS file for a complete list of the backports. openjdk-6 (6b27-1.12.6-1~deb7u1) stable-security; urgency=low . * Build for stable-security openjdk-6 (6b27-1.12.6-1~deb6u1) oldstable-security; urgency=low . * Build for oldstable openjdk-6 (6b27-1.12.5-2) unstable; urgency=low . * Fix -source dependency on -jre to be binNMU safe. openjdk-7 (7u95-2.6.4-1~deb7u1) wheezy-security; urgency=low . * Rebuild for wheezy-security openjdk-7 (7u91-2.6.3-3) unstable; urgency=medium . * Fix stripping packages (use bash instead of expr substring). * openjdk-jre-headless: Add dependency on the package containing the mountpoint binary. Closes: #803717. * openjdk-7-jdk: Fix typo in sdk provides. Closes: #803150. * Build using giflib 5. openjdk-7 (7u91-2.6.3-2) unstable; urgency=medium . * Enable sparc64 for hotspot (John Paul Adrian Glaubitz). * Add debian/patches/sparc-libproc-fix.diff to include missing headers on sparc64 (David Matthew Mattli). Closes: #805846. openjdk-7 (7u91-2.6.3-1) unstable; urgency=medium . [ Tiago Stürmer Daitx ] * Icedtea release 2.6.3 (based on 7u91): * Security fixes - S8142882, CVE-2015-4871: rebinding of the receiver of a DirectMethodHandle may allow a protected method to be accessed openjdk-7 (7u91-2.6.3-1~deb8u1) jessie-security; urgency=medium . * Rebuild for jessie-security openldap (2.4.31-2+deb7u2) wheezy; urgency=medium . * Disable the back-mdb test suite on powerpc to work around back-mdb tests failing on buildds running the jessie ppc64 kernel, which uses 64KB pages. (ITS#7713) openldap (2.4.31-2+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add ITS8240-remove-obsolete-assert.patch patch. Import upstream patch to remove an unnecessary assert(0) that could be triggered remotely by an unauthenticated user by sending a malformed BER element. (CVE-2015-6908, Closes: #798622) openssh (1:6.0p1-4+deb7u4) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2015-8325: Ignore PAM environment vars when UseLogin=yes openswan (1:2.6.37-3+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * debian/patches: - CVE-2013-2053 added, fix pre-authentication buffer overflow in atodn() / atoid() (CVE-2013-2053). closes: #709144 - CVE-2013-6466 added, fix pre-authentication remote denial of service in IKEv2 daemon (CVE-2013-6466) closes: #737406 optipng (0.6.4-1+deb7u2) wheezy-security; urgency=low . * CVE-2016-2191.patch optipng (0.6.4-1+deb7u1) wheezy; urgency=high . * Non-maintainer upload. * Fix CVE-2015-7801: Use-after-free vulnerability in optipng 0.6.4 is causing an invalid/double free. optipng (0.6.4-1+deb6u11) squeeze-lts; urgency=high . * CVE-2015-7801: Fix Use-after-free discovered by Gustavo Grieco. postgresql-9.1 (9.1.21-0+deb7u1) wheezy; urgency=medium . * New upstream bugfix release. postgresql-9.1 (9.1.20-0+deb8u1) jessie; urgency=medium . * New upstream release: No effective changes for PL/Perl, the version must just be higher than the one in wheezy. postgresql-9.1 (9.1.20-0+deb7u1) wheezy-security; urgency=medium . * New upstream version. + Fix infinite loops and buffer-overrun problems in regular expressions. Very large character ranges in bracket expressions could cause infinite loops in some cases, and memory overwrites in other cases. (CVE-2016-0773) + Fix privilege escalation issue for users of PL/Java. Certain custom configuration settings (GUCs) for PL/Java will now be modifiable only by the database superuser. (CVE-2016-0766) postgresql-9.1 (9.1.19-0+deb8u1) jessie; urgency=medium . * New upstream version, relevant PL/Perl change: + Fix plperl to handle non-ASCII error message texts correctly. python-django (1.4.5-1+deb7u16) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add missing harden_runtime method for BCryptPasswordHasher python-django (1.4.5-1+deb7u15) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-2512: Prevented spoofing is_safe_url() with basic auth. Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth. (Closes: #816434) * is_safe_url() crashes with a byestring URL on Python 2. Fixes a regression introduced by the original fix for CVE-2016-2512. * CVE-2016-2513: Fixed user enumeration timing attack during login (Closes: #816434) roundcube (0.7.2-9+deb7u2) wheezy-security; urgency=high . * Non-maintainer upload. * Add CVE-2015-8770.patch. Fix directory traversal vulnerability in the set_skin function in program/include/rcube_template.php that allowed remote authenticated users with certain permissions to read arbitrary files or possibly execute arbitrary code. ruby1.9.1 (1.9.3.194-8.1+deb7u5) wheezy-security; urgency=high . * Fix OpenSSL Hostname Verification [CVE-2015-1855] ruby1.9.1 (1.9.3.194-8.1+deb7u3) wheezy-security; urgency=high . * Fix off-by-one error in the encodes function as per CVE-2014-4975 * Fix unrestricted entity expansion in the REXML parser as per CVE-2014-8080 and CVE-2014-8090 * Set urgency=high accordingly srtp (1.4.4+20100615~dfsg-2+deb7u2) wheezy-security; urgency=high . * Non-maintainer upload. * Add CVE-2015-6360.patch. Prevent potential DoS attack due to lack of bounds checking on RTP header CSRC count and extension header length. (Closes: #807698) tiff (4.0.2-6+deb7u5) wheezy-security; urgency=high . * Backport upstream fixes for: - CVE-2015-8665 an out-of-bound read in TIFFRGBAImage interface (closes: #808968), - CVE-2015-8683 an out-of-bounds read in CIE Lab image format (closes: #809021), - CVE-2015-8781 out of bounds write at tif_luv.c:208, - CVE-2015-8782 potential out-of-bound writes in decode, - CVE-2015-8783 potential out-of-bound reads in case of short input data, - CVE-2015-8784 potential out-of-bound write in NeXTDecode(). tomcat6 (6.0.45+dfsg-1~deb7u1) wheezy-security; urgency=high . * Team upload. * The full list of changes between 6.0.35 (the version previously available in Wheezy) and 6.0.45 can be seen in the upstream changelog, which is available online at http://tomcat.apache.org/tomcat-6.0-doc/changelog.html * This update fixes the following security issues: - CVE-2014-0033: prevent remote attackers from conducting session fixation attacks via crafted URLs. - CVE-2014-0119: Fix not properly constraining class loader that accesses the XML parser used with an XSLT stylesheet which allowed remote attackers to read arbitrary files via crafted web applications. - CVE-2014-0099: Fix integer overflow in java/org/apache/tomcat/util/buf/Ascii.java. - CVE-2014-0096: Properly restrict XSLT stylesheets that allowed remote attackers to bypass security-manager restrictions. - CVE-2014-0075: Fix integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java. - CVE-2013-4590: prevent "Tomcat internals" information leaks. - CVE-2013-4322: prevent remote attackers from doing denial of service attacks. - CVE-2013-4286: reject requests with multiple content-length headers or with a content-length header when chunked encoding is being used. - Avoid CVE-2013-1571 when generating Javadoc. * CVE-2014-0227.patch: - Add error flag to allow subsequent attempts at reading after an error to fail fast. * CVE-2014-0230: Add support for maxSwallowSize. * CVE-2014-7810: - Fix potential BeanELResolver issue when running under a security manager. Some classes may not be accessible but may have accessible interfaces. * CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java. * CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45 processes redirects before considering security constraints and Filters. * CVE-2016-0706: Apache Tomcat before 6.0.45 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list which allows remote authenticated users to bypass intended SecurityManager restrictions. * CVE-2016-0714: The session-persistence implementation in Apache Tomcat before 6.0.45 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions. * CVE-2016-0763: The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context. * CVE-2015-5351: The Manager and Host Manager applications in Apache Tomcat establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token. * Drop the following patches. Applied upstream. - 0011-CVE-2012-0022-regression-fix.patch - 0012-CVE-2012-3544.patch - 0014-CVE-2012-4534.patch - 0015-CVE-2012-4431.patch - 0016-CVE-2012-3546.patch - 0017-CVE-2013-2067.patch - cve-2012-2733.patch - cve-2012-3439.patch - CVE-2014-0227.patch - CVE-2014-0230.patch - CVE-2014-7810-1.patch - CVE-2014-7810-2.patch - 0011-Fix-for-NoSuchElementException-when-an-attribute-has.patch tomcat6 (6.0.45-1~deb6u1) squeeze-lts; urgency=high . * Non-maintainer upload by the Debian LTS team. * Backport version 6.0.45 to Squeeze-LTS. The full list of changes between 6.0.41 (the version previously available in Squeeze-LTS) and 6.0.45 can be seen in the upstream changelog, which is available online at http://tomcat.apache.org/tomcat-6.0-doc/changelog.html * This update fixes the following security vulnerabilities: - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java. - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45 processes redirects before considering security constraints and Filters. - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list which allows remote authenticated users to bypass intended SecurityManager restrictions. - CVE-2016-0714: The session-persistence implementation in Apache Tomcat before 6.0.45 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions. - CVE-2016-0763: The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context. - CVE-2015-5351: The Manager and Host Manager applications in Apache Tomcat establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token. * Drop the following patches. They were applied upstream. - 0011-Fix-for-NoSuchElementException-when-an-attribute-has.patch. - CVE-2014-0227.patch. - CVE-2014-0230.patch. - CVE-2014-7810-1.patch. - CVE-2014-7810-2.patch. tomcat6 (6.0.41-4) unstable; urgency=medium . * Removed the timstamp from the Javadoc of the Servlet API to make the build reproducible tomcat6 (6.0.41-3) unstable; urgency=medium . * Build only the libservlet2.5-java and libservlet2.5-java-doc packages. Tomcat 6 will not be supported in Jessie, but the Servlet API is still useful as a build dependency for other packages. * Standards-Version updated to 3.9.6 (no changes) tomcat6 (6.0.41-2+squeeze7) squeeze-lts; urgency=medium . * Security upload by the Debian LTS team. * This upload fixes the following issues: - CVE-2014-0227: HTTP request smuggling or DoS by streaming malformed data. - CVE-2014-0230: non-persistent DoS attack by feeding data aborting an upload. - CVE-2014-7810: security manager bypass by using expression language. tomcat6 (6.0.41-2+squeeze6) squeeze-lts; urgency=medium . * Security upload by the Debian LTS team. * This update fixes a regression: - Fix for "NoSuchElementException when an attribute has empty string as value." Reported upstream as https://issues.apache.org/bugzilla/show_bug.cgi?id=56561 tomcat6 (6.0.41-2+squeeze5) squeeze-lts; urgency=medium . * Security upload by the Debian LTS team. * The full list of changes between 6.0.35 (the version previously available in squeeze) and 6.0.41 can be see in the upstream changelog, which is available online at http://tomcat.apache.org/tomcat-6.0-doc/changelog.html * This update fixes the following security issues: - CVE-2014-0033: prevent remote attackers from conducting session fixation attacks via crafted URLs. - CVE-2013-4590: prevent "Tomcat internals" information leaks. - CVE-2013-4322: prevent remote attackers from doing denial of service attacks. - CVE-2013-4286: reject requests with multiple content-length headers or with a content-length header when chunked encoding is being used. - Avoid CVE-2013-1571 when generating Javadoc. - CVE-2012-3439: various improvements to the DIGEST authenticator. * Thanks to Tony Mancill for doing the vast amount of the work for this update! * Downgrade debian/compat to 8 and reduce build-dependency do debhelper 8 to match the squeeze squeeze version . tomcat6 (6.0.41-2) unstable; urgency=medium . [ Emmanuel Bourg ] * Updated the version required for libtcnative-1 (>= 1.1.30) . [ tony mancill ] * Add patch for logfile compression. (Closes: #682955) - Thank you to Thijs Kinkhorst. . tomcat6 (6.0.41-1) unstable; urgency=medium . * New upstream release. - Refreshed the patches . tomcat6 (6.0.39-1) unstable; urgency=medium . * Team upload. * New upstream release. - Refreshed the patches * Standards-Version updated to 3.9.5 (no changes) * Switch to debhelper level 9 * Use XZ compression for the upstream tarball * Use canonical URL for the Vcs-Git field . tomcat6 (6.0.37-1) unstable; urgency=low . * New upstream release. - Drop patches for CVE-2012-4534, CVE-2012-4431, CVE-2012-3546, CVE-2012-2733, CVE-2012-3439 - Drop 0011-CVE-02012-0022-regression-fix.patch - Drop 0017-eclipse-compiler-update.patch * Freshened remaining patches. . tomcat6 (6.0.35-7) unstable; urgency=low . * Team upload. * Fixed the watch file * Fix FTBFS with ecj 3.8 (closes: #717279, #713796) * Updated the standards version to 3.9.4 - no changes * Updated the Vcs-Git field to the canonical url . tomcat6 (6.0.35-6) unstable; urgency=high . * Acknowledge NMU: 6.0.35-5+nmu1 (Closes: #692440) - Thank you to Michael Gilbert. * Add patches for the following security issues: (Closes: #695250) - CVE-2012-4534, CVE-2012-4431, CVE-2012-3546 . tomcat6 (6.0.35-5+nmu1) unstable; urgency=high . * Non-maintainer upload. * Fix multiple security issues (closes: #692440) - cve-2012-2733: denial-of-service by triggering out of memory error. - cve-2012-3439: multiple replay attack issues in digest authentication. . tomcat6 (6.0.35-5) unstable; urgency=low . * Apply patch to README.Debian to explain setting the HTTPOnly flag in cookies by default; CVE-2010-4312. (Closes: #608286) - Thank you to Thijs Kinkhorst for the patch. * Use ucf and a template for /etc/logrotate.d/tomcat6 file to avoid updating the shipped conffile. (Closes: #687818) . tomcat6 (6.0.35-4) unstable; urgency=low . [ tony mancill ] * Team upload. * Apply patch from James Page (Closes: #671373) - d/tomcat6-instance-create: Quote access to files and directories so that spaces can be used when creating user instances. - d/tomcat6.init: Make NAME dynamic, to allow starting multiple instances. (Closes: #299635) . [ Miguel Landaeta ] * Add Slovak debconf translation (Closes: #677912). - Thanks to Ivan Masár. . tomcat6 (6.0.35-3) unstable; urgency=low . [ Miguel Landaeta ] * Add Replaces and Conflicts for libservlet2.5-java to overwrite files in libservlet2.4-java. (Closes: #666256). . [ tony mancill ] * Add libservlet2.4-java transitional package. * Remove /etc/authbind/byuid, /etc/authbind in postrm. (Closes: #668761) * Add 0011-CVE-2012-0022-regression-fix.patch. (Closes: #659748) - Thank you to Marc Deslauriers . tomcat6 (6.0.35-2) unstable; urgency=low . [ tony mancill ] * Remove Michael Koch from Uploaders. (Closes: #654136) * Add Turkish debconf translation (Closes: #664072) - Thanks to Atila KOÇ * Remove libservlet2.5-doc dependency on libservlet2.5. . [ Miguel Landaeta ] * Bump Standards-Version to 3.9.3. No changes were required. * Provide 'debian' version symlink for Maven artifacts. (Closes: #665393). tomcat6 (6.0.41-2) unstable; urgency=medium . [ Emmanuel Bourg ] * Updated the version required for libtcnative-1 (>= 1.1.30) . [ tony mancill ] * Add patch for logfile compression. (Closes: #682955) - Thank you to Thijs Kinkhorst. tomcat6 (6.0.41-1) unstable; urgency=medium . * New upstream release. - Refreshed the patches tomcat6 (6.0.39-1) unstable; urgency=medium . * Team upload. * New upstream release. - Refreshed the patches * Standards-Version updated to 3.9.5 (no changes) * Switch to debhelper level 9 * Use XZ compression for the upstream tarball * Use canonical URL for the Vcs-Git field tomcat6 (6.0.37-1) unstable; urgency=low . * New upstream release. - Drop patches for CVE-2012-4534, CVE-2012-4431, CVE-2012-3546, CVE-2012-2733, CVE-2012-3439 - Drop 0011-CVE-02012-0022-regression-fix.patch - Drop 0017-eclipse-compiler-update.patch * Freshened remaining patches. tomcat6 (6.0.35-7) unstable; urgency=low . * Team upload. * Fixed the watch file * Fix FTBFS with ecj 3.8 (closes: #717279, #713796) * Updated the standards version to 3.9.4 - no changes * Updated the Vcs-Git field to the canonical url tomcat7 (7.0.28-4+deb7u4) wheezy-security; urgency=high . * Team upload. * Fix CVE-2014-0096: java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. * Fix CVE-2014-0119: It was found that in limited circumstances it was possible for a malicious web application to replace the XML parsers used by Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs) and tag plugin configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or have visibility of the XML files processed for other web applications deployed on the same Tomcat instance. * Fix CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. * Fix CVE-2015-5345: The Mapper component in Apache Tomcat processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character. * Fix CVE-2015-5346: Session fixation vulnerability in Apache Tomcat when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java. * Fix CVE-2015-5351: The Manager and Host Manager applications in Apache Tomcat establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token. * Fix CVE-2016-0706: Apache Tomcat does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application. * Fix CVE-2016-0714: The session-persistence implementation in Apache Tomcat mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. * Fix CVE-2016-0763: The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context. tzdata (2016d-0+deb7u1) oldstable; urgency=medium . * New upstream version, affecting the following future time stamps: - America/Caracas. Closes: #821147. - Asia/Magadan - Asia/Tomsk (new timezone). * Update translations from the sid package. tzdata (2016c-1) unstable; urgency=medium . * New upstream version, affecting the following future time stamps: - America/Santiago - Asia/Baku tzdata (2016c-0+deb8u1) stable; urgency=medium . * New upstream version, affecting the following future time stamps: - America/Santiago - Asia/Baku varnish (3.0.2-2+deb7u2) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team * Fix HTTP Smuggling issues (CVE-2015-8852, Closes: #783510) xapian-core (1.2.12-2+deb7u1) oldstable; urgency=medium . * New patch increment-cursor-version-on-cancel-or-reopen.patch fixing possible database corruption, especially with recoll. (Closes: #808610) zendframework (1.11.13-1.1+deb7u6) wheezy; urgency=medium . * Fix regression from ZF2015-08: binary data corruption * Backport security fix from 1.12.18: - ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1 http://framework.zend.com/security/advisory/ZF2016-01 ======================================= Sat, 02 Apr 2016 - Debian 7.10 released ======================================= ========================================================================= [Date: Sat, 02 Apr 2016 10:33:21 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: iceweasel-vimperator | 3.3-2 | all vimperator | 3.3-2 | source Closed bugs: 801642 ------------------- Reason ------------------- RoM; incompatible with newer iceweasel versions ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 02 Apr 2016 10:35:21 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: gnome-gmail | 1.8.2-1 | source, all Closed bugs: 806176 ------------------- Reason ------------------- RoM; broken ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 02 Apr 2016 10:36:45 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: libnsgif | 0.0.1-1.1 | source libnsgif0 | 0.0.1-1.1 | amd64, armel, armhf, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, s390x, sparc libnsgif0-dbg | 0.0.1-1.1 | amd64, armel, armhf, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, s390x, sparc libnsgif0-dev | 0.0.1-1.1 | amd64, armel, armhf, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, s390x, sparc Closed bugs: 808437 ------------------- Reason ------------------- RoST; security issues, unmaintained ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 02 Apr 2016 10:39:33 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: libnsbmp | 0.0.1-1.1 | source libnsbmp0 | 0.0.1-1.1 | amd64, armel, armhf, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, s390x, sparc libnsbmp0-dbg | 0.0.1-1.1 | amd64, armel, armhf, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, s390x, sparc libnsbmp0-dev | 0.0.1-1.1 | amd64, armel, armhf, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, s390x, sparc Closed bugs: 808438 ------------------- Reason ------------------- RoST; security issues, unmaintained ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 02 Apr 2016 10:40:36 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: python-tlslite | 0.3.8-2 | all tlslite | 0.3.8-2 | source Closed bugs: 816049 ------------------- Reason ------------------- RoQA; unmaintained, outdated ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 02 Apr 2016 11:24:34 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: libclamunrar6 | 0.98.5-0+deb7u1 | amd64, armel, armhf, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, s390x, sparc ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by libclamunrar) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 02 Apr 2016 11:24:59 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: libclamav6 | 0.98.7+dfsg-0+deb7u1 | amd64, armel, armhf, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, s390x, sparc ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by clamav) ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 02 Apr 2016 11:25:28 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: libmozjs17d | 17.0.10esr-1~deb7u1 | mips, mipsel libmozjs17d-dbg | 17.0.10esr-1~deb7u1 | mips, mipsel xulrunner-17.0 | 17.0.10esr-1~deb7u1 | mips, mipsel xulrunner-17.0-dbg | 17.0.10esr-1~deb7u1 | mips, mipsel ------------------- Reason ------------------- [auto-cruft] NBS (no longer built by iceweasel) ---------------------------------------------- ========================================================================= activemq (5.6.0+dfsg-1+deb7u2) wheezy-security; urgency=high . * Team upload. * Fix CVE-2015-5254: Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object. amd64-microcode (1.20160316.1) oldstable; urgency=critical . * Upstream release 20160316 built from linux-firmware: + Updated Microcodes: sig 0x00600f20, patch id 0x0600084f, 2016-01-25 + This microcode updates fixes a critical erratum on NMI handling introduced by microcode patch id 0x6000832 from the 20141028 update. The erratum is also present on microcode patch id 0x6000836. + THIS IS A CRITICAL STABILITY AND SECURITY UPDATE FOR THE EARLIER AMD PILEDRIVER PROCESSORS, including: + AMD Opteron 3300, 4300, 6300 + AMD FX "Vishera" (43xx, 63xx, 83xx, 93xx, 95xx) + AMD processors with family 21, model 2, stepping 0 * Robert Święcki, while fuzzing the kernel using the syzkaller tool, uncovered very strange behavior on an AMD FX-8320, later reproduced on other AMD Piledriver model 2, stepping 0 processors including the Opteron 6300. Robert discovered, using his proof-of-concept exploit code, that the incorrect behavior allows an unpriviledged attacker on an unpriviledged VM to corrupt the return stack of the host kernel's NMI handler. At best, this results in unpredictable host behavior. At worst, it allows for an unpriviledged user on unpriviledged VM to carry a sucessful host-kernel ring 0 code injection attack. * The erratum is timing-dependant, easily triggered by workloads that cause a high number of NMIs, such as running the "perf" tool. aptdaemon (0.45-2+deb7u1) oldstable-proposed-updates; urgency=medium . * Non maintainer upload * Add CVE-2015-1323.patch to address CVE-2015-1323 - taken from 0.43+bzr805-0ubuntu10 (Closes: #789162) base-files (7.1wheezy10) oldstable; urgency=low . * Changed /etc/debian_version to 7.10, for Debian 7.10 point release. bind9 (1:9.8.4.dfsg.P1-6+nmu2+deb7u10) wheezy-security; urgency=high . * Fix CVE-2016-1285: error parsing control channel input. * Fix CVE-2016-1286: error parsing DNAME resource records. bind9 (1:9.8.4.dfsg.P1-6+nmu2+deb7u8) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add patch to fix CVE-2015-8000. CVE-2015-8000: Insufficient testing when parsing a message allowed records with an incorrect class to be be accepted, triggering a REQUIRE failure when those records were subsequently cached. bind9 (1:9.8.4.dfsg.P1-6+nmu2+deb7u7) wheezy-security; urgency=high . * CVE-2015-5722: maliciously crafted DNSSEC key can cause named to crash. blueman (1.23-1+deb7u1) wheezy-security; urgency=low . * Fix local privilege escalation bouncycastle (1.44+dfsg-3.1+deb7u1) wheezy-security; urgency=high . * Team upload. * CVE-2015-7940: fix invalid curve attack as described in http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html Thanks to Peter Dettman and Raphaël Hertzog for the patches. (Closes: #802671) bsh (2.0b4-12+deb7u1) wheezy-security; urgency=high . * Team upload. * Fix CVE-2016-2510. An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to deserialize data from an untrusted source. A vulnerable application could be exploited for remote code execution, including executing arbitrary shell commands. bsh (2.0b4-12+deb6u1) squeeze-lts; urgency=high . * Non-maintainer upload by the Debian LTS Team. * Fix CVE-2016-2510. An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to deserialize data from an untrusted source. A vulnerable application could be exploited for remote code execution, including executing arbitrary shell commands. c-icap (1:0.1.6-1.1+deb7u2) oldstable; urgency=medium . * Non-maintainer upload. * Add 0008-Rename-CONF-to-C_ICAP_CONF.patch Rename the CONF symbol which is also declared by openssl in order to fix FTBFS of c-icap-modules (Closes: #768684). cacti (0.8.8a+dfsg-5+deb7u8) wheezy-security; urgency=high . * CVE-2015-8377: Fix SQL Injection vulnerability in graphs_new.php * CVE-2015-8604: Fix SQL Injection vulnerability in graphs_new.php cacti (0.8.8a+dfsg-5+deb7u7) wheezy-security; urgency=high . * Add upstream patch to fix (Closes: #807599) - CVE-2015-8369 SQL Injection vulnerability in graph.php calendarserver (3.2+dfsg-4+deb7u3) wheezy; urgency=low . * Updated zoneinfo to tzdata 2015g clamav (0.99+dfsg-0+deb7u2) oldstable; urgency=medium . * Add libclamav-yara-avoid-unaliged-access-to-64bit-variab.patch to get the testsuite passed on sparc. It also seem avoid invalid loads on ARMv5 cpus. clamav (0.99+dfsg-0+deb7u1) oldstable; urgency=medium . [ Andreas Cadhalpun ] * Import final release of 0.99 * Drop patches included upstream: - bb-10731-Allow-to-specificy-a-group-for-the-socket.patch - clamav-milter-add-additinal-SMFIF_-flags.patch - remove-unnecessary-harmful-flags-from-libclamav.pc.patch - hardcode-LLVM-linker-flag.patch * Print all new options in one build attempt. * Preserve new OnAccessMountPath, OnAccessDisableDDD and OnAccessPrevention options in clamd.conf. * Rename libclamav6 to libclamav7 and update symbols file. * Add -Wl,--as-needed to LDFLAGS to avoid useless dependencies. * Remove unused lintian overrides. * Update debian/copyright. * Drop patch numbers, because they cause too much diff noise. * Add patch to support LLVM 3.6. * Add patch to support system tomsfastmath. * debian/clamav-milter.postinst.in: Update to reflect the change from examples/clamav-milter.conf to examples/clamav-milter.conf.sample. Thanks to Christian Schrötter. (Closes: #795190) * Use 'grep -a' instead of grep in maintainer scripts. (Closes: #799808) * Restore the SE Linux context when creating /var/lib/ucf/cache. Thanks to Russell Coker for the patch. (Closes: #802311) * Adapt debian/watch to new download location www.clamav.net/download.html. * Prevent the logrotate scripts from aborting if reloading/restarting fails. Thanks to John Zaitseff. (Closes: #788652) * Increase MaxRecursion to the upstream default of 16. (Closes: #787249) * Move the PidFile variable from the clamd/freshclam configuration files to the init scripts. This makes the init scripts more robust against misconfiguration and avoids error messages with systemd. (Closes: #767353) * Bump the version for the PidFile removal check in the clamav-daemon and clamav-freshclam postinst scripts (Closes: #767353) * Rename DEBCONFILE to DEBCONFFILE in clamav-freshclam.postinst making it * Use pathfind to avoid hardcoding paths. This fixes command-with-path-in-maintainer-script lintian warnings. consistent with the other postinst scripts. . [ Sebastian Andrzej Siewior ] * suggest libclamunrar7 instead of libclamunrar6 * use T= so we can drop unit_tests-increment-test-timeout-from-40secs-to-5mi from the patch queue. * depend on libpcre3-dev, required for YARA support * add new PCRE related options postinst script for clamd * record new symbols in libclamav6.symbols * also remove debian/clamav-freshclam.prerm clean * Remove Fix-compiling-on-Hurd.patch included upstream. * Add patch to allow M suffix for PCREMaxFileSize as the config file suggests that this should be possible. * Cherry pick tfm-fix-compile-errors.patch from tfm upstream. * add a LFS safe fts() implementation from glibc * Drop __DATE__ from tfm to make the package build reproducible with -Werror=date-time. With this change faketime is no longer required. clamav (0.99+dfsg-0+deb6u1) squeeze-lts; urgency=medium . [ Andreas Cadhalpun ] * Import final release of 0.99 * Drop patches included upstream: - bb-10731-Allow-to-specificy-a-group-for-the-socket.patch - clamav-milter-add-additinal-SMFIF_-flags.patch - remove-unnecessary-harmful-flags-from-libclamav.pc.patch - hardcode-LLVM-linker-flag.patch * Print all new options in one build attempt. * Preserve new OnAccessMountPath, OnAccessDisableDDD and OnAccessPrevention options in clamd.conf. * Rename libclamav6 to libclamav7 and update symbols file. * Add -Wl,--as-needed to LDFLAGS to avoid useless dependencies. * Remove unused lintian overrides. * Update debian/copyright. * Drop patch numbers, because they cause too much diff noise. * Add patch to support LLVM 3.6. * Add patch to support system tomsfastmath. * debian/clamav-milter.postinst.in: Update to reflect the change from examples/clamav-milter.conf to examples/clamav-milter.conf.sample. Thanks to Christian Schrötter. (Closes: #795190) * Use 'grep -a' instead of grep in maintainer scripts. (Closes: #799808) * Restore the SE Linux context when creating /var/lib/ucf/cache. Thanks to Russell Coker for the patch. (Closes: #802311) * Adapt debian/watch to new download location www.clamav.net/download.html. * Prevent the logrotate scripts from aborting if reloading/restarting fails. Thanks to John Zaitseff. (Closes: #788652) * Increase MaxRecursion to the upstream default of 16. (Closes: #787249) * Rename DEBCONFILE to DEBCONFFILE in clamav-freshclam.postinst making it * Use pathfind to avoid hardcoding paths. This fixes command-with-path-in-maintainer-script lintian warnings. consistent with the other postinst scripts. . [ Sebastian Andrzej Siewior ] * suggest libclamunrar7 instead of libclamunrar6 * use T= so we can drop unit_tests-increment-test-timeout-from-40secs-to-5mi from the patch queue. * depend on libpcre3-dev, required for YARA support * add new PCRE related options postinst script for clamd * record new symbols in libclamav6.symbols * also remove debian/clamav-freshclam.prerm clean * Remove Fix-compiling-on-Hurd.patch included upstream. * Add patch to allow M suffix for PCREMaxFileSize as the config file suggests that this should be possible. * Cherry pick tfm-fix-compile-errors.patch from tfm upstream. * add a LFS safe fts() implementation from glibc * Drop __DATE__ from tfm to make the package build reproducible with -Werror=date-time. With this change faketime is no longer required. . [ Scott Kitterman ] * Drop build-dep on llvm-dev since squeeze version is too old to use * Manually autoreconf since squeeze tools are too old for dh-autoreconf to be reliable clamav (0.99~rc2+dfsg-2) experimental; urgency=medium . * Drop LLVM usage on powerpc (it is broken since the v3.6 switch). clamav (0.99~rc2+dfsg-1) experimental; urgency=medium . [ Andreas Cadhalpun ] * Import first upstream release candidate for 0.99. * Drop patches included upstream: - Avoid-emitting-incremental-progress-messages.patch - bb-10731-Allow-to-specificy-a-group-for-the-socket.patch - clamav-milter-add-additinal-SMFIF_-flags.patch - remove-unnecessary-harmful-flags-from-libclamav.pc.patch - hardcode-LLVM-linker-flag.patch * Disable Large File Support because it is incompatible with fts.h, which is required by the new upstream release. * Drop patches needing LFS: - libclamav-use-libmspack.patch - fix-ssize_t-size_t-off_t-printf-modifier.patch * Disable valgrind in the test suite again. It is too flaky. * Print all new options in one build attempt. * Preserve new OnAccessMountPath, OnAccessDisableDDD and OnAccessPrevention options in clamd.conf. * Rename libclamav6 to libclamav7 and update symbols file. * Add -Wl,--as-needed to LDFLAGS to avoid useless dependencies. * Remove unused lintian overrides. * Update debian/copyright. . [ Sebastian Andrzej Siewior ] * add a LFS safe fts() implementation from glibc * bring back libmspack related patches (libclamav-use-libmspack.patch + fix-ssize_t-size_t-off_t-printf-modifier.patch) and -D_FILE_OFFSET_BITS=64 * fix a crash in clamdscan if file is passed via fd * Import second upstream release candidate for 0.99. clamav (0.99~beta1+dfsg-1) experimental; urgency=medium . * use T= so we can drop unit_tests-increment-test-timeout-from-40secs-to-5mi from the patch queue. * import new beta from upstream * depend on libpcre3-dev, required for YARA support * add new PCRE related options postist script for clamd * record new symbols in libclamav6.symbols * enable valgrind in the test suite and see how well it works across all architecures. clamav (0.98.7+dfsg-5) unstable; urgency=medium . [ Andreas Cadhalpun ] * Drop patch numbers, because they cause too much diff noise. * Fix use-pkg-config-to-determine-CHECK_LIBS.patch so that the tests actually get run again. . [ Sebastian Andrzej Siewior ] * Drop LLVM usage on powerpc (it is broken since the v3.6 switch). clamav (0.98.7+dfsg-4) unstable; urgency=medium . * Add patch to support LLVM 3.6. * debian/clamav-milter.postinst.in: Update to reflect the change from examples/clamav-milter.conf to examples/clamav-milter.conf.sample. Thanks to Christian Schrötter. (Closes: #795190) * Use 'grep -a' instead of grep in maintainer scripts. (Closes: #799808) * Restore the SE Linux context when creating /var/lib/ucf/cache. Thanks to Russell Coker for the patch. (Closes: #802311) * Adapt debian/watch to new download location www.clamav.net/download.html. * Add patch to use pkg-config to determine CHECK_LIBS. The linker flags for check changed making the hardcoded flags useless. clamav (0.98.7+dfsg-3) unstable; urgency=medium . [ Sebastian Andrzej Siewior ] * use T= so we can drop unit_tests-increment-test-timeout-from-40secs-to-5mi from the patch queue. * add 0013-tfm-fix-compile-errors.patch and 0014-tfm-duct-tape-misscompile-on-armhf.patch to get it built on armhf with gcc-5. . [ Andreas Cadhalpun ] * Prevent the logrotate scripts from aborting if reloading/restarting fails. Thanks to John Zaitseff. (Closes: #788652) clamav (0.98.7+dfsg-2) unstable; urgency=medium . [ Andreas Cadhalpun ] * Increase MaxRecursion to the upstream default of 16. (Closes: #787249) * Bump the version for the PidFile removal check in the clamav-daemon and clamav-freshclam postinst scripts (Closes: #767353) * Add database existence check also to clamav-daemon.socket. This works around systemd bug #775458. (Closes: #775112) . [ Sebastian Andrzej Siewior ] * also remove debian/clamav-freshclam.prerm clean clamav (0.98.7+dfsg-1) unstable; urgency=high . [ Andreas Cadhalpun ] * Use SocketUser, SocketGroup and RemoveOnStop systemd socket options instead of using ExecStartPost and ExecStopPost for that. * Respect clamav-daemon's LocalSocket* options with the systemd unit by extending the clamav-daemon.socket file appropriately, when running dpkg-reconfigure clamav-daemon. (Closes: #783720) * Disable this extendend configuration, when handling the configuration file with debconf is disabled. * Disable clamav-daemon.socket in prerm script. . [ Sebastian Andrzej Siewior ] * Import new upstream: - Improvements to PDF processing: decryption, escape sequence handling, and file property collection. - Scanning/analysis of additional Microsoft Office 2003 XML format. - Fix infinite loop condition on crafted y0da cryptor file. Identified and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221. - Fix crash on crafted petite packed file. Reported and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2222. - Fix false negatives on files within iso9660 containers. This issue was reported by Minzhuan Gong. - Fix a couple crashes on crafted upack packed file. Identified and patches supplied by Sebastian Andrzej Siewior. - Fix a crash during algorithmic detection on crafted PE file. Identified and patch supplied by Sebastian Andrzej Siewior. - Fix an infinite loop condition on a crafted "xz" archive file. This was reported by Dimitri Kirchner and Goulven Guiheux. CVE-2015-2668. - Fix compilation error after ./configure --disable-pthreads. Reported and fix suggested by John E. Krokes. - Apply upstream patch for possible heap overflow in Henry Spencer's regex library. CVE-2015-2305 (Closes: #778406). - Fix crash in upx decoder with crafted file. Discovered and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2170. - Fix segfault scanning certain HTML files. Reported with sample by Kai Risku. - Improve detections within xar/pkg files. * update GPG key used to verify releases to get uscan/get_orig.sh working again. * update symbol version for cl_retflevel due to CL_FLEVEL change. clamav (0.98.7+dfsg-0+deb8u1) stable; urgency=high . [ Andreas Cadhalpun ] * Fix variable name mismatch in clamav-milter.postinst in order to make preseeding work correctly. (Closes: #778445) * Rename DEBCONFILE to DEBCONFFILE in clamav-freshclam.postinst making it consistent with the other postinst scripts. * Build against libsystemd-dev. (Closes: #779758) * Drop 'XS-Testsuite: autopkgtest' from debian/control. Debhelper automatically adds the Testsuite field. This fixes the lintian warning xs-testsuite-header-in-debian-control. * Shorten debian/copyright. This fixes some lintian warnings: - dep5-copyright-license-name-not-unique - wildcard-matches-nothing-in-dep5-copyright - unused-file-paragraph-in-dep5-copyright * Use pathfind to avoid hardcoding paths. This fixes command-with-path-in-maintainer-script lintian warnings. * Fix syntax errors in clamav-freshclam.postinst. Thanks piuparts! * Fix cleanup on purge in clamav-base.postrm. * Use SocketUser, SocketGroup and RemoveOnStop systemd socket options instead of using ExecStartPost and ExecStopPost for that. * Respect clamav-daemon's LocalSocket* options with the systemd unit by extending the clamav-daemon.socket file appropriately, when running dpkg-reconfigure clamav-daemon. (Closes: #783720) * Disable this extendend configuration, when handling the configuration file with debconf is disabled. * Disable clamav-daemon.socket in prerm script. . [ Sebastian Andrzej Siewior ] * Replace ” with " in debian/common_functions (Closes: #781088) * Drop __DATE__ from tfm to make the package build reproducible with -Werror=date-time. With this change faketime is no longer required. * Import new upstream: - Improvements to PDF processing: decryption, escape sequence handling, and file property collection. - Scanning/analysis of additional Microsoft Office 2003 XML format. - Fix infinite loop condition on crafted y0da cryptor file. Identified and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221. - Fix crash on crafted petite packed file. Reported and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2222. - Fix false negatives on files within iso9660 containers. This issue was reported by Minzhuan Gong. - Fix a couple crashes on crafted upack packed file. Identified and patches supplied by Sebastian Andrzej Siewior. - Fix a crash during algorithmic detection on crafted PE file. Identified and patch supplied by Sebastian Andrzej Siewior. - Fix an infinite loop condition on a crafted "xz" archive file. This was reported by Dimitri Kirchner and Goulven Guiheux. CVE-2015-2668. - Fix compilation error after ./configure --disable-pthreads. Reported and fix suggested by John E. Krokes. - Apply upstream patch for possible heap overflow in Henry Spencer's regex library. CVE-2015-2305 (Closes: #778406). - Fix crash in upx decoder with crafted file. Discovered and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2170. - Fix segfault scanning certain HTML files. Reported with sample by Kai Risku. - Improve detections within xar/pkg files. * update GPG key used to verify releases to get uscan/get_orig.sh working again. * update symbol version for cl_retflevel due to CL_FLEVEL change. claws-mail (3.8.1-2+deb7u1) wheezy-security; urgency=medium . * Non-maintainer upload (with maintainer approval) * Add range checks to functions converting between Japanese text encodings (CVE-2015-8614, CVE-2015-8708) commons-httpclient (3.1-10.2+deb7u2) wheezy; urgency=high . * Team upload. * Add CVE-2015-5262.patch. Fix CVE-2015-5262 jakarta-commons-httpclient: https calls ignore http.socket.timeout during SSL Handshake. (Closes: #798650) cpio (2.11+dfsg-0.1+deb7u2) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-2037: 1-byte out-of-bounds write (Closes: #812401) ctdb (1.12+git20120201-5) wheezy-security; urgency=high . * Fix CTDB behavior since CVE-2015-8543 (Closes: #813406) dbconfig-common (1.8.47+nmu1+deb7u1) wheezy; urgency=medium . * Fix permission of PostgreSQL backup files, thanks Simon Ruderich (Closes: #805638) * Repair permissions of already created backups, but only when upgrading from versions before this one (but not from versions after squeeze's lts update). debian-installer-netboot-images (20130613+deb7u3.b1) wheezy; urgency=medium . * Update to 20130613+deb7u3+b1 images, from proposed-updates. didiwiki (0.5-11+deb7u1) wheezy-security; urgency=high . * NMU by the Security Team; thanks to Ignace Mouzannar and Alexander Izmailov for providing the patch for CVE-2013-7448, correcting a major security issue allowing didiwiki to display any file on the filesystem. (Closes: #815111) dpkg (1.16.17) wheezy-security; urgency=high . [ Guillem Jover ] * Fix an off-by-one write access in dpkg-deb when parsing the .deb magic. Reported by Jacek Wielemborek . Closes: #798324 * Fix an off-by-one write access in dpkg-deb when parsing the old format .deb control member size. Thanks to Hanno Böck . Fixes CVE-2015-0860. * Fix an off-by-one read access in dpkg-deb when parsing ar member names. Thanks to Hanno Böck . . [ Updated programs translations ] * Catalan (Jordi Mallach). . [ Updated man page translations ] * Fix incorrect translation in German (Helge Kreutzmann) drupal7 (7.14-2+deb7u12) wheezy-security; urgency=high . * Backported from 7.43 (plus minor needed bits from 7.36 and 7.30 in modules/file/file.module): SA-CORE-2016-001: Fixes several security vulnerabilities: File upload access bypass and DoS, brute force amplification attack via XML-RPC, open redirect via path manipulation, reflected file download, wrong modes set on some user accounts setting saves, information disclosure of email addresses. CVE IDs not yet assigned drupal7 (7.14-2+deb7u11) wheezy-security; urgency=high . * Backported from 7.39: SA-CORE-2015-003 (cross site scripting, access bypass, SQL injection, open redirect). CVE IDs not yet assigned. drupal7 (7.14-2+deb7u11~bpo60+1) squeeze-backports; urgency=high . * Backported from 7.39: SA-CORE-2015-003 (cross site scripting, access bypass, SQL injection, open redirect). CVE IDs not yet assigned. ecryptfs-utils (99-1+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-1572: privilege escalation by mounting over /proc/$pid. eglibc (2.13-38+deb7u9) wheezy; urgency=medium . [ Aurelien Jarno ] * patches/any/cvs-CVE-2015-1781.diff: new patch from upstream to fix a buffer overflow in getanswer_r (CVE-2015-1781). Closes: #796105. * patches/any/cvs-fnmatch-overflow.diff: new patch from upstream to fix a buffer overflow (read past end of buffer) in internal_fnmatch. * patches/any/cvs-_IO_wstr_overflow.diff: new patch from upstream to fix an integer overlow in IO_wstr_overflow. * patches/any/cvs-CVE-2014-8121.diff: new patch from upstream to fix an unexpected closing of nss_files databases after lookups, causing denial of service (CVE-2014-8121). Closes: #779587. * patches/any/cvs-ld_pointer_guard.diff: new patch from upstream to unconditionally disable LD_POINTER_GUARD. Closes: #798316, #801691. . [ Raphaël Hertzog ] * debian/patches/any/cvs-strxfrm-buffer-overflows.diff: new patch from upstream to fix memory allocations issues that can lead to buffer overflows on the stack. Closes: #803927. exfat-utils (0.9.7-2+deb7u1) wheezy; urgency=medium . * Add d/patches/check-sector-and-cluster-size. Fix for https://github.com/relan/exfat/issues/5 found and reported by The Fuzzing Project. * Add d/patches/detect-infinite-loop. Fix for https://github.com/relan/exfat/issues/6 found and reported by The Fuzzing Project. exim4 (4.80-7+deb7u3) wheezy; urgency=medium . * Non-maintainer upload. * Fix defect in 89_02_Store-the-initial-working-directory.diff patch. Thanks to Marc Deslauriers exim4 (4.80-7+deb7u2) wheezy-security; urgency=high . * 88_CVE-2016-1531.diff: + Fix CVE-2016-1531, a local privilege escalation issue when perl_startup is used. + New options keep_environment/add_environment which are empty by default, i.e. any subprocesses start in a clean (empty) environment. + -C requires an absolute path. + Exim changes it's working directory to / right after startup. * Add macros MAIN_KEEP_ENVIRONMENT and MAIN_ADD_ENVIRONMENT to set the new options. Set "keep_environment =" by default to avoid a runtime warning. Bump exim4-config Breaks to exim4-daemon-* (<< 4.80-7+deb7u2). * 89_01_only_warn_on_nonempty_environment.diff, 89_02_Store-the-initial-working-directory.diff: Upstream followups on the CVE fix (Thanks, Heiko Schlittermann!): + Runtime warning is only generated if (and only if) keep_environment is unset and environment is nonempty. + Store the initial working directory and make it available in the new expansion variable $initial_cwd. * Add NEWS entry to warn of potential breakage. firebug (2.0.4-1~deb7u1) wheezy; urgency=medium . * Upload compatible version with recent Iceweasel in Wheezy firebug (2.0.3-1) unstable; urgency=medium . * Team upload . [ Jan Odvarko ] * [firebug-2.0.3] firebug (2.0.2-1) unstable; urgency=medium . * Team upload . [ Jan Odvarko ] * [firebug-2.0.2] firebug (2.0.1-1) unstable; urgency=medium . * Team upload . [ Jan Odvarko ] * [firebug-2.0.1] . [ David Prévot ] * Provide xul-ext-firecookie (Closes: #747606, #751951) firebug (2.0-1) unstable; urgency=medium . * Team upload, to unstable . [ Jan Odvarko ] * [firebug-2.0] firebug (2.0~b8-1) experimental; urgency=medium . * Team upload . [ Jan Odvarko ] * [firebug-2.0b8] . [ David Prévot ] * Use debian/clean instead of override * Define get-orig-source instead of using xpi-repack firebug (2.0~b7-1) experimental; urgency=medium . * Team upload . [ Sebastian Zartner ] * Removed obsolete panel toolbar background images (related to https://github.com/firebug/firebug/pull/140) . [ Jan Odvarko ] * [firebug-2.0b7] . [ David Prévot ] * Revert "Document repack" firebug (2.0~b6+dfsg-1) experimental; urgency=medium . * Team upload . [ Jan Odvarko ] * [firebug-2.0b6] . [ David Prévot ] * Strip away copyrighted ICC profile * Document repack * Update lintian-overrides firebug (1.13.0~a10-1) experimental; urgency=medium . * Team upload * Imported Upstream version 1.13.0~a10 firebug (1.13.0~a9-1) experimental; urgency=medium . * Team upload * Imported Upstream version 1.13.0~a9 firebug (1.13.0~a8-1) experimental; urgency=medium . * Team upload * Track alpha releases, and upload to experimental * Imported Upstream version 1.13.0~a8 * Update copyright * Update upstream changelog foomatic-filters (4.0.17-1+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2015-8327.patch patch. CVE-2015-8327: foomatic-rip did not consider the back tick as an illegal shell escape character allowing arbitrary code execution. (Closes: #806886) * Add CVE-2015-8560.patch patch. CVE-2015-8560: code execution via improper escaping of ; (semicolon). (Closes: #807993) freeimage (3.15.1-1.1) wheezy-security; urgency=high . * Non-maintainer upload. * Fix integer overflow CVE-2015-0852. (Closes: #797165) freetype (2.4.9-1.1+deb7u3) wheezy-security; urgency=high . * Non-maintainer upload by LTS team. * CVE-2014-9674: integer overflow and heap-based buffer overflow in Mac_Read_POST_Resource. The added patch also includes the fixes for CVE-2014-9673 since they overlap. Closes: #777656 freetype (2.4.9-1.1+deb7u2) wheezy-security; urgency=high . * Non-maintainer upload. * CVE-2014-9745: Fix Savannah bug #41590. Protect against invalid number in t1load.c parse_encoding(). * CVE-2014-9746, CVE-2014-9747: Fix Savannah bug #41309. Correct use of uninitialized data in t1load.c, cidload.c, t42parse.c and psobjs.c. freexl (1.0.0b-1+deb7u3) wheezy-security; urgency=high . * Add patch to fix regression introduced by afl-vulnerabilitities.patch. fuse-exfat (0.9.7-2+deb7u1) wheezy; urgency=medium . * Add d/patches/check-sector-and-cluster-size. Fix for https://github.com/relan/exfat/issues/5 found and reported by The Fuzzing Project. * Add d/patches/detect-infinite-loop. Fix for https://github.com/relan/exfat/issues/6 found and reported by The Fuzzing Project. gajim (0.15.1-4.1+deb7u2) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * No-changes rebuild to fix broken dependency on python (Closes: #816158) gajim (0.15.1-4.1+deb7u1) wheezy-security; urgency=high . * debian/patches/05_fix-cve-2015-8688.diff: backport a fix for CVE-2015-8688. ganeti (2.5.2-1+deb7u2) wheezy-security; urgency=high . * Fix gnt-instance info regression after CVE-2015-7945 (Closes: #810850) ganeti (2.5.2-1+deb7u1) wheezy-security; urgency=medium . * Redact the DRBD secret in instance queries (CVE-2015-7945). * RAPI hardening (CVE-2015-7944): bind to lo by default. * Add NEWS entry about RAPI hardening. gdk-pixbuf (2.26.1-1+deb7u3) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add additional patch for CVE-2015-4491. The n_x variable could be made large enough to overflow, which was missed in the initial commit upstream. gdk-pixbuf (2.26.1-1+deb7u2) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add patches to fix CVE-2015-7673. CVE-2015-7673: Heap overflow and DoS vulnerability when scaling a TGA file. * Add patch to fix CVE-2015-7674. CVE-2015-7674: Heap overflow when scaling a GIF file. giflib (4.1.6-10+deb7u1) wheezy; urgency=medium . * Non-maintainer upload by the LTS Team. * CVE-2015-7555: bail out if Width > SWidth. Cherry-picked upstream commit 179510be300bf11115e37528d79619b53c884a63 (Closes: #808704) git (1:1.7.10.4-1+wheezy3) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix remote code execution via buffer overflows (CVE-2016-2315, CVE-2016-2324) (Closes: #818318) git (1:1.7.10.4-1+wheezy2) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix CVE-2015-7545, arbitrary code execution issues via URLs with: - 0016-CVE-2015-7545-backport1.patch: add function string_list_append_nodup() - 0017-CVE-2015-7545-backport2.patch: add two new functions for splitting strings - 0018-CVE-2015-7545-1.patch: add a protocol-whitelist environment variable - 0019-CVE-2015-7545-2.patch: allow only certain protocols for submodule fetches - 0020-CVE-2015-7545-3.patch: refactor protocol whitelist code - 0021-CVE-2015-7545-4.patch: limit redirection to protocol-whitelist - 0022-CVE-2015-7545-5.patch: limit redirection depth * Make new tests executable. gnutls26 (2.12.20-8+deb7u5) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add 43_CVE-2015-7575.diff patch. CVE-2015-7575: MD5-based ServerKeyExchange signature accepted by default. gnutls26 (2.12.20-8+deb7u4) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add 42_CVE-2015-8313.diff patch. CVE-2015-8313: Fixes off by one issue in padding check. graphite2 (1.3.5-1~deb7u1) oldstable-security; urgency=high . * rebuild for oldstable-security * revert ddeb-migration * revert package rename to -3 and go back to -2.0.0 to avoid changing the package name (ABI compatibility is there). Also dd patch to revert back to .so.2.0.0 as SONAME. graphite2 (1.3.4-2) unstable; urgency=medium . * debian/patches/revert-collision-info-refactoring-to-fix-alignment.diff: add from upstream git, thanks Tim Eves (closes: #805323) * debian/patches/reproducible-build.diff: tell dblatex to use a static path to make build reproduceable, thanks Reiner Herrmann (closes: #807838) * use -DGRAPHITE2_NTRACING:BOOL=ON (instead of :bool=1) * fix Maintainer: * migrate from manual -dbg to ddeb graphite2 (1.3.4-1) unstable; urgency=medium . * New upstream release graphite2 (1.3.3-1) unstable; urgency=medium . * New upstream release graphite2 (1.3.2-4) unstable; urgency=medium . * upload to unstable . * add graphviz to B-D-I... graphite2 (1.3.2-3) experimental; urgency=medium . * don't run dh_auto_install when ./build/src/libgraphite2.so.3 doesn't exist (as for dh_auto_test) so that we don't run a graphite build after building the docs (as make install of course requires that). Install the docs manually using .install graphite2 (1.3.2-2) experimental; urgency=medium . * check for existence of ./build/src/libgraphite2.so.3 before running dh_auto_test to skip the tests on "all" builds where we don't build graphite at all. graphite2 (1.3.2-1) experimental; urgency=medium . * New upstream release . * use --parallel in dh_auto_build (not in docs build and tests; the former doesn't build with parallelism) * Standards-Versions: 3.9.1 -> 3.9.6, no changes needed graphite2 (1.3.0-2) experimental; urgency=medium . * backport fixes from http://hg.palaso.org/graphitedev/raw-rev/cfab7499b46b: - fix tests on !linux (closes: #79499) - increase test timeout from 10s to 120s to make them succeed on mips(el) graphite2 (1.3.0-1) experimental; urgency=medium . * New upstream release graphite2 (1.2.4-3) unstable; urgency=medium . * run a2x without --icons to avoid FTBFS (closes: #741845) graphite2 (1.2.4-2) unstable; urgency=low . * add patch from Pino Toscano to also avoid linking to libstdc++ on kFreeBSD and Hurd (closes: #738353) graphite2 (1.2.4-1) unstable; urgency=low . * New upstream release * some tests need apparently need python, build-dep on python (>= 2.6) graphite2 (1.2.3-1) unstable; urgency=low . * New upstream release graphite2 (1.2.2-2) unstable; urgency=low . * add patch from Michael Cree to fix misaligned memory access - thanks (closes: #710336) graphite2 (1.2.2-1) unstable; urgency=low . * New upstream release * stop building with gotten from somewhere and overriding dpkg-buildflags' value, just remove via sed * converto multiarch again... (closes: #689813) graphite2 (1.2.1-2) unstable; urgency=low . * upload to unstable graphite2 (1.2.1-1) experimental; urgency=low . * New upstream release graphite2 (1.2.0-4) experimental; urgency=low . * revert multiarch stuff as harfbuzz now doesn't need us anymore... (reopens: #699714) graphite2 (1.2.0-3) experimental; urgency=low . * apply patch from Daniel Schaal to convert to multiarch as already multiarchified pango now needs us via harfbuzz... (closes: #699714) * clean up (not packaged) perl module packaging * add (not used yet) stuff to build mono binding * split arch-dep and arch-indep (docs...) build * disable the compare renderer stuff - enough compared ;-) graphite2 (1.2.0-2) experimental; urgency=low . * break libgraphite2-2.0.0 (<< 1.2.0) (closes: #689813) graphite2 (1.2.0-1) experimental; urgency=low . * New upstream release grub2 (1.99-27+deb7u3) wheezy-security; urgency=high . * Non-maintainer upload. * Fix CVE-2015-8370: buffer overflow when checking password entered during bootup (Closes: #807614). gummi (0.6.3-1.2+deb7u2) oldstable; urgency=medium . * no-predictable-tmpfiles.patch: use upstream fix (Closes: #812577). gummi (0.6.3-1.2+deb7u1) oldstable; urgency=medium . * Added no-predictable-tmpfiles.patch, fix of CVE 2015-7758 (Closes: #756432). icedove (31.8.0-1~deb7u1) oldstable-security; urgency=medium . * [d427fea] Imported Upstream version 31.8.0 - MFSA 2015-59 aka CVE-2015-2724 - MFSA 2015-66 aka CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740 - MFSA 2015-70 aka CVE-2015-4000 - MFSA 2015-71 aka CVE-2015-2721 * [a906439] lintian: add override for libpng icedove (31.7.0-1) unstable; urgency=medium . * [c3c81df] Imported Upstream version 31.7.0 * [471ec7c] rebuild patch queue from patch-queue branch added patches: - fixes/vp8_impl.cc-backporting-naming-for-const.patch (Closes: #785429) * [137ee51] lintian: add override for libpng icedove (31.7.0-1~deb8u1) stable-security; urgency=medium . * [c3c81df] Imported Upstream version 31.7.0 - MFSA 2015-46 aka CVE-2015-2708 - MFSA 2015-47 aka CVE-2015-0797 - MFSA 2015-48 aka CVE-2015-2710 - MFSA 2015-51 aka CVE-2015-2713 - MFSA 2015-54 aka CVE-2015-2716 * [eb8cb5a] adjust gbp.conf for jessie-security branch icedove (31.7.0-1~deb7u1) oldstable-security; urgency=medium . * [c3c81df] Imported Upstream version 31.7.0 - MFSA 2015-46 aka CVE-2015-2708 - MFSA 2015-47 aka CVE-2015-0797 - MFSA 2015-48 aka CVE-2015-2710 - MFSA 2015-51 aka CVE-2015-2713 - MFSA 2015-54 aka CVE-2015-2716 icedove (31.6.0-1) unstable; urgency=medium . * [c71fc00] Imported Upstream version 31.6.0 * [e13a5a1] rebuild patch queue from patch-queue branch added patches: - porting/ppc-fix-divide-page-size-in-jemalloc.patch (Closes: #780404) icedove (31.6.0-1~deb7u1) stable-security; urgency=medium . * [c71fc00] Imported Upstream version 31.6.0 - MFSA 2015-30 aka CVE-2015-0815 - MFSA 2015-31 aka CVE-2015-0813 - MFSA 2015-33 aka CVE-2015-0816 - MFSA 2015-37 aka CVE-2015-0807 - MFSA 2015-40 aka CVE-2015-0801 icedove (31.5.0-1) unstable; urgency=low . * [f0e7673] Imported Upstream version 31.5.0 * [4bf64fa] rebuild patch queue from patch-queue branch modified patches: - p-kfree-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch icedove (31.5.0-1~deb7u1) stable-security; urgency=medium . * [f0e7673] Imported Upstream version 31.5.0 - MFSA 2015-11 aka CVE-2015-0836 - MFSA 2015-16 aka CVE-2015-0831 - MFSA 2015-19 aka CVE-2015-0827 - MFSA 2015-24 aka CVE-2015-0822 * [d2941e9] rebuild patch queue from patch-queue branch added patches: - iceowl/adjust-calendar-google-provider-to-Google-Calendar-A.patch (Closes: #770008) - iceowl/get-rid-of-subdir-shim-in-gdata-provider.patch * [738a72d] debian/rules: move some gdata modules into 'shim' subdir icedove (31.4.0-2) unstable; urgency=low . [ Christoph Goehre ] * [305b0fb] debian/icedove.desktop: correct StartupWMClass to 'Icedove' (Closes: #773876) * [8b4871a] rebuild patch queue from patch-queue branch added patches: - iceowl/adjust-calendar-google-provider-to-Google-Calendar-A.patch (Closes: #770008) - iceowl/get-rid-of-subdir-shim-in-gdata-provider.patch modified patches: - p-kfree-hurd/FTBFS-hurd-adding-GNU-Hurd-to-the-list-of-OS-systems.patch - p-kfree-hurd/FTBFS-hurd-adding-the-HURD-platform-to-the-configure.patch - p-kfree-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch - p-kfree-hurd/LDAP-support-building-on-GNU-kFreeBSD-and-GNU-Hurd.patch - p-kfree-hurd/correcting-file-inclusion-for-kfreebsd-and-hurd.patch * [573c8bb] debian/rules: move some gdata modules into 'shim' subdir * [acf83d3] debian/icedove.desktop: add MimeType text/calendar (Closes: #762190) . [ Carsten Schoenert ] * [cf73d7e] debian/README.Debian: adding note around HTTPS Everythere (Closes: #774790) icedove (31.4.0-1) unstable; urgency=low . [ Carsten Schoenert ] * [c993970] rebuild patch queue from patch-queue branch added patches: - porting-kfreebsd-hurd/FTBFS-hurd-adding-the-HURD-platform-to-the-c.patch - porting-powerpcspe/FTBFS-powerpcspe-disable-AltiVec-instructions.patch (Closes: #772933) modified patches: - porting-kfreebsd-hurd/FTBFS-hurd-adding-GNU-Hurd-to-the-list-of-OS.patch . [ Christoph Goehre ] * [e93b49c] Imported Upstream version 31.4.0 icedove (31.4.0-1~deb7u1) stable-security; urgency=low . * [e93b49c] Imported Upstream version 31.4.0 - MFSA 2015-01 aka CVE-2014-8634 - MFSA 2015-03 aka CVE-2014-8638 - MFSA 2015-04 aka CVE-2014-8639 icedove (31.3.0-1) unstable; urgency=low . [ Carsten Schoenert ] * [679d70d] debian/source.filter: more files to ignore * [054b68a] debian/NEWS: fixing default SSL/TLS behavior description. * [b5acb03] debian/NEWS: adding notes around new security changes. . [ Christoph Goehre ] * [e2572a7] Imported Upstream version 31.3.0 * [10ce820] rebuild patch queue from patch-queue branch added patches: - debian/patches/FTBFS-armhf-fixing-ARM-CPU-detection.patch - debian/patches/fixing-various-FTBFS-due-different-datatype-char-beh.patch iceweasel (38.5.0esr-1~deb7u2) oldstable-security; urgency=medium . * security/nss/lib/ckfw/builtins/certdata.txt: Remove the SPI Inc. and CAcert.org CA certificates. The former was removed in NSS 3.21-1 and the latter in 3.16-1, and remained here largely overlooked. . iceweasel (38.5.0esr-1~deb7u1) oldstable-security; urgency=medium . * New upstream release. * Fixes for mfsa2015-{134,138-139,145-147,149}, also known as: CVE-2015-7201, CVE-2015-7210, CVE-2015-7212, CVE-2015-7205, CVE-2015-7213, CVE-2015-7222, CVE-2015-7214. . * debian/rules: Follow upstream default for Gtk+2 vs. Gtk+3 automatically. * debian/watch: Update file to use https://archive.mozilla.org/. iceweasel (38.4.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2015-{116,122-123,127-128,130-132}, also known as: CVE-2015-4513, CVE-2015-7188, CVE-2015-7189, CVE-2015-7193, CVE-2015-7194, CVE-2015-7196, CVE-2015-7198, CVE-2015-7199, CVE-2015-7200, CVE-2015-7197. iceweasel (38.4.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2015-{116,122-123,127-128,130-133}, also known as: CVE-2015-4513, CVE-2015-7188, CVE-2015-7189, CVE-2015-7193, CVE-2015-7194, CVE-2015-7196, CVE-2015-7198, CVE-2015-7199, CVE-2015-7200, CVE-2015-7197, CVE-2015-7181, CVE-2015-7182, CVE-2015-7183. . * debian/control*: Bump nspr and nss build dependencies. iceweasel (38.4.0esr-1~deb7u1) oldstable-security; urgency=medium . * New upstream release. * Fixes for mfsa2015-{116,122-123,127-128,130-133}, also known as: CVE-2015-4513, CVE-2015-7188, CVE-2015-7189, CVE-2015-7193, CVE-2015-7194, CVE-2015-7196, CVE-2015-7198, CVE-2015-7199, CVE-2015-7200, CVE-2015-7197, CVE-2015-7181, CVE-2015-7182, CVE-2015-7183. . * debian/control*: Bump nspr and nss build dependencies. iceweasel (38.3.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2015-{96,105-106,110-112}, also known as: CVE-2015-4500, CVE-2015-4511, CVE-2015-4509, CVE-2015-4519, CVE-2015-4520, CVE-2015-7174. . * debian/rules, debian/removed_conffiles, debian/browser.postinst.in, debian/browser.postrm.in, debian/browser.preinst.in: Remove past conffiles. Closes: #795353. . * config/system-headers: Fix build against latest freetype code. bz#1143411, bz#1194520. iceweasel (38.3.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2015-{96,101,105-106,110-112}, also known as: CVE-2015-4500, CVE-2015-4506, CVE-2015-4511, CVE-2015-4509, CVE-2015-4519, CVE-2015-4520, CVE-2015-7174. . * debian/rules, debian/removed_conffiles, debian/browser.postinst.in, debian/browser.postrm.in, debian/browser.preinst.in: Remove past conffiles. Closes: #795353. . * config/system-headers: Fix build against latest freetype code. bz#1143411, bz#1194520. iceweasel (38.3.0esr-1~deb7u1) oldstable-security; urgency=medium . * New upstream release. * Fixes for mfsa2015-{96,101,105-106,110-112}, also known as: CVE-2015-4500, CVE-2015-4506, CVE-2015-4511, CVE-2015-4509, CVE-2015-4519, CVE-2015-4520, CVE-2015-7174. . * debian/rules, debian/removed_conffiles, debian/browser.postinst.in, debian/browser.postrm.in, debian/browser.preinst.in: Remove past conffiles. Closes: #795353. . * config/system-headers: Fix build against latest freetype code. bz#1143411, bz#1194520. iceweasel (38.2.1esr-1) unstable; urgency=high . * New upstream release. * Fixes for mfsa2015-{94-95}, also known as: CVE-2015-4497, CVE-2015-4498. . * configure.in: Build libvpx neon code with -mfloat-abi=softfp on armel. * media/libjpeg/simd/jsimd_mips_dspr2.S: Fix build error in MIPS SIMD when compiling with -mfpxx. . iceweasel (38.2.0esr-2) UNRELEASED; urgency=medium . * debian/rules, debian/upstream.mk: Don't set LESS_SYSTEM_LIBS when building a backport for stretch. Closes: #795331. * debian/rules, debian/control.in: Force build with GCC 4.7 when backporting to wheezy. . * media/libvpx/moz.build: Build libvpx neon code without -mthumb and -mfloat-abi=softfp. Closes: #795337. . iceweasel (38.2.1esr-1~deb8u1) stable-security; urgency=high . * New upstream release. * Fixes for mfsa2015-{94-95}, also known as: CVE-2015-4497, CVE-2015-4498. . * configure.in: Build libvpx neon code with -mfloat-abi=softfp on armel. * media/libjpeg/simd/jsimd_mips_dspr2.S: Fix build error in MIPS SIMD when compiling with -mfpxx. . iceweasel (38.2.0esr-2~deb8u1) stable-security; urgency=medium . * debian/rules, debian/upstream.mk: Don't set LESS_SYSTEM_LIBS when building a backport for stretch. Closes: #795331. * debian/rules, debian/control.in: Force build with GCC 4.7 when backporting to wheezy. . * media/libvpx/moz.build: Build libvpx neon code without -mthumb and -mfloat-abi=softfp. Closes: #795337. inspircd (2.0.5-1+deb7u2) wheezy-security; urgency=high . * Non-maintainer upload by the Wheezy LTS Team. * Reject replies to DNS PTR requests that contain invalid characters (CVE-2015-8702) iptables-persistent (0.5.7+deb7u1) wheezy; urgency=medium . * [062648] Stop rules files being world-readable. Thanks to Bernhard Thaler (Closes: #764645) isc-dhcp (4.2.2.dfsg.1-5+deb70u7) wheezy; urgency=low . [ Michael Gilbert ] * Fix error when max lease time is used on 64-bit systems (closes: #795227). jasper (1.900.1-13+deb7u4) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-1577: Prevent double-free in jas_iccattrval_destroy() (Closes: #816625) * CVE-2016-2089: matrix rows_ NULL pointer dereference in jas_matrix_clip() (Closes: #812978) * CVE-2016-2116: Prevent jas_stream_t memory leak in jas_iccprof_createfrombuf() (Closes: #816626) krb5 (1.10.1+dfsg-5+deb7u7) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Verify decoded kadmin C strings [CVE-2015-8629] CVE-2015-8629: An authenticated attacker can cause kadmind to read beyond the end of allocated memory by sending a string without a terminating zero byte. Information leakage may be possible for an attacker with permission to modify the database. (Closes: #813296) * Fix leaks in kadmin server stubs [CVE-2015-8631] CVE-2015-8631: An authenticated attacker can cause kadmind to leak memory by supplying a null principal name in a request which uses one. Repeating these requests will eventually cause kadmind to exhaust all available memory. (Closes: #813126) krb5 (1.10.1+dfsg-5+deb7u6) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Update 0036-Fix-build_principal-memory-bug-CVE-2015-2697.patch. Add check on rlen before doing memcpy. krb5 (1.10.1+dfsg-5+deb7u5) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add missing 0036-Fix-build_principal-memory-bug-CVE-2015-2697.patch. CVE-2015-2697: unsafe string handling in TGS processing. The previous wheezy-security upload mentioned the fix, but did not include the patch in the upload. Thanks to Marc Deslauriers (Closes: #803088) krb5 (1.10.1+dfsg-5+deb7u4) wheezy-security; urgency=high . * Import upstream patches for four CVEs: - CVE-2015-2695: SPNEGO context aliasing during establishment, Closes: #803083 - CVE-2015-2696: IAKERB context aliasing during establishment, Closes: #803084 - CVE-2015-2697: unsafe string handling in TGS processing, Closes: #803088 - CVE-2015-2698: regression (memory corruption) in patch for CVE-2015-2696 * In addition to CVE-2015-2698, the upstream patches for CVE-2015-2695 and CVE-2015-2696 introduced regressions preventing the use of gss_import_sec_context() with contexts established using IAKERB or SPNEGO; the fixes for those regressions are included here. libav (6:0.8.17-2) wheezy-security; urgency=medium . * debian/confflags: Build with --disable-protocol=concat as this is the only real fix for CVE-2016-1897 and CVE-2016-1898. * debian/patches/CVE-2016-2326.patch: avformat/asfenc: Check pts (CVE-2016-2326). libclamunrar (0.99-0+deb7u1) oldstable; urgency=medium . [ Scott Kitterman ] * Correct debian/copyright to add missing copyright declarations/dates . [ Sebastian Andrzej Siewior ] * Bumped standards version to 3.9.6 (no changes required). * Import new upstream. This is required because clamav's major .so version changed. * switch from libclamunrar6 to libclamunrar7 * copy clamav's watch file * add pkg-config to dependencies so autoreconf does not break * don't link against libpcre if available. libclamunrar (0.99-0+deb6u1) squeeze-lts; urgency=medium . [ Scott Kitterman ] * Correct debian/copyright to add missing copyright declarations/dates * Manually autreconf and add as patch since dh-autoreconf in squeeze is too old. . [ Sebastian Andrzej Siewior ] * Bumped standards version to 3.9.6 (no changes required). * Import new upstream. This is required because clamav's major .so version changed. * switch from libclamunrar6 to libclamunrar7 * copy clamav's watch file * add pkg-config to dependencies so autoreconf does not break * don't link against libpcre if available. libclamunrar (0.98.5-1) unstable; urgency=medium . [ Sebastian Andrzej Siewior ] * Update to new upstream version. - Finaly address "double-free error exists within the unrar_extract_next_prepare()" (Closes: #770647) * Drop automake workaround, the bug was fixed. * Fix LFS support using the same approach as clamav for compatibility and correctness . [ Scott Kitterman ] * Add build-dep on libssl-dev, needed for configure even if not used in libclamunrar * Update debian/copyright to add openssl exception per COPYING libcommons-collections3-java (3.2.1-5+deb7u1) wheezy-security; urgency=medium . * Backported a modification from commons-collections 3.2.2 disabling the deserialization of the functors classes unless the system property org.apache.commons.collections.enableUnsafeSerialization is set to true. This fixes a vulnerability in unsafe applications deserializing objects from untrusted sources without sanitizing the input data. libdatetime-timezone-perl (1:1.58-1+2016c) wheezy; urgency=medium . * Update to Olson database version 2016c. libdatetime-timezone-perl (1:1.58-1+2016b) wheezy; urgency=medium . * Update to Olson database version 2016b. libdatetime-timezone-perl (1:1.58-1+2016a) wheezy; urgency=medium . * Update to Olson database version 2016a. libdatetime-timezone-perl (1:1.58-1+2015g) wheezy; urgency=medium . * Update to Olson database version 2015g. libgcrypt11 (1.5.0-5+deb7u4) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix addition of EC points * Fix multiply by zero in gcry_mpi_ec_mul * ecc: Fix for chosen cipher text attacks (CVE-2015-7511) libgtk2-perl (2:1.244-1+deb7u1) wheezy-security; urgency=high . * Fix-incorrect-memory-management-in-Gtk2-Gdk-Display-list_devices.patch: new patch, cherry-picked from upstream, that fixes a security issue. libhtml-scrubber-perl (0.09-1+deb7u1) wheezy; urgency=medium . * [SECURITY] CVE-2015-5667: Backport upstream patch fixing a cross-site scripting vulnerability in comments. (Closes: #803943) libiptables-parse-perl (1.1-1+deb7u1) wheezy; urgency=medium . * Team upload. * Add CVE-2015-8326.patch patch. CVE-2015-8326: Use of predictable names for temporary files. libmatroska (1.3.0-2+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Wheezy LTS Team. * CVE-2015-8792: Fix invalid memory access issue. (patch taken from the Squeeze LTS version) libotr (3.2.1-1+deb7u2) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-2851: Integer overflow on 64-bit architectures when receiving 4GB messages libphp-phpmailer (5.1-1.1) oldstable-security; urgency=high . * CVE-2015-8476: Reject line breaks in to, from, and HELO calls to avoid command injection. (Closes: #807265) libphp-phpmailer (5.1-1+deb6u11) squeeze-lts; urgency=high . * CVE-2015-8476: Reject line breaks in to, from, and HELO calls to avoid command injection. (Closes: #807265) libpng (1.2.49-1+deb7u2) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add patches to address CVE-2015-8472. CVE-2015-8472: Incomplete fix for callers on png_set_PLTE. (Closes: #807112) * Add CVE-2015-8540.patch patch. CVE-2015-8540: underflow read in png_check_keyword(). (Closes: #807694) libpng (1.2.49-1+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2015-7981.patch patch. CVE-2015-7981: Out-of-bounds read in png_convert_to_rfc1123. (Closes: #803078) * Add Prevent-writing-over-length-PLTE-chunk-Cosm.patch patch. CVE-2015-8126: Multiple buffer overflows in the png_set_PLTE and png_get_PLTE functions. (Closes: #805113) * Add Fixed-new-bug-with-CRC-error-after-reading-.patch patch. Fixed new bug with CRC error after reading an over-length palette. librsvg (2.36.1-2+deb7u1) wheezy; urgency=medium . * Non-maintainer upload. * Fix CVE-2015-7557: Out-of-bounds heap read when parsing SVG file. libssh (0.5.4-1+deb7u3) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-0739: Truncated Diffie-Hellman secret length (Closes: #815663) libssh (0.5.4-1+deb7u2) wheezy; urgency=medium . * Non-maintainer upload. * debian/patches: - Add 0005-security-fix-for-vulnerability-CVE-2014-8132.patch Fix "Double free on dangling pointers in initial key exchange packet" (Closes: #773577, CVE-2014-8132) - Add 0006-security-fix-for-vulnerability-CVE-2015-3146.patch Fix "null pointer dereference due to a logical error in the handling of a SSH_MSG_NEWKEYS and KEXDH_REPLY packets" (Closes: #784404, CVE-2015-3146) libssh2 (1.4.2-1.1+deb7u2) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-0787: Truncated Difffie-Hellman secret length libvdpau (0.4.1-7+deb7u1) wheezy-security; urgency=high . * Patch for CVE 2015-5198, 2015-5199, 2015-5200 - Use secure_getenv(3) to improve security (CVE-2015-5198, CVE-2015-5199, CVE-2015-5200). Closes: #797895. * Add myself and Vincent Cheng to Uploaders libxml2 (2.8.0+dfsg1-7+wheezy5) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add patches to address CVE-2015-7941. CVE-2015-7941: Denial of service via out-of-bounds read. (Closes: #783010) * Add CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch. CVE-2015-1819: Enforce the reader to run in constant memory. Thanks to Mike Gabriel for the patch backport. (Closes: #782782) * Add patches to address CVE-2015-8317. CVE-2015-8317: Out-of-bounds heap read when parsing file with unfinished xml declaration. * Add patches to address CVE-2015-7942. CVE-2015-7942: heap-based buffer overflow in xmlParseConditionalSections(). (Closes: #802827) * Add Fix-parsing-short-unclosed-comment-uninitialized-acc.patch patch. Parsing an unclosed comment can result in `Conditional jump or move depends on uninitialised value(s)` and unsafe memory access. (Closes: #782985) * Add CVE-2015-8035-Fix-XZ-compression-support-loop.patch patch. CVE-2015-8035: DoS when parsing specially crafted XML document if XZ support is enabled. (Closes: #803942) * Add Avoid-extra-processing-of-MarkupDecl-when-EOF.patch patch. CVE-2015-8241: Buffer overread with XML parser in xmlNextChar. (Closes: #806384) * Add Avoid-processing-entities-after-encoding-conversion-.patch patch. CVE-2015-7498: Heap-based buffer overflow in xmlParseXmlDecl. * Add CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch patch. CVE-2015-7497: Heap-based buffer overflow in xmlDictComputeFastQKey. * Add CVE-2015-5312-Another-entity-expansion-issue.patch patch. CVE-2015-5312: CPU exhaustion when processing specially crafted XML input. * Add patches to address CVE-2015-7499. CVE-2015-7499: Heap-based buffer overflow in xmlGROW. Add a specific parser error (XML_ERR_USER_STOP), backported from e50ba8164eee06461c73cd8abb9b46aa0be81869 upstream (commit to address CVE-2013-2877, the "Try to stop parsing as quickly as possible" was not backported). * Add CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch patch. CVE-2015-7500: Heap buffer overflow in xmlParseMisc. lighttpd (1.4.31-4+deb7u4) wheezy-security; urgency=high . * Non-maintainer upload. * Fix CVE-2014-3566. (Closes: #765702) Disable SSLv3 by default and prevent the "POODLE" issue. Administrators are advised to refrain from using SSLv3 in lighttpd.conf and related configuration files. linux (3.2.78-1) wheezy; urgency=medium . * New upstream stable update: http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.74 - PCI: Fix devfn for VPD access through function 0 - PCI: Use function 0 VPD for identical functions, regular VPD for others - mac80211: fix driver RSSI event calculations - HID: core: Avoid uninitialized buffer access - wm831x_power: Use IRQF_ONESHOT to request threaded IRQs - mwifiex: fix mwifiex_rdeeprom_read() - mtd: mtdpart: fix add_mtd_partitions error path - devres: fix a for loop bounds check - packet: fix match_fanout_group() - Btrfs: added helper btrfs_next_item() - Btrfs: fix file corruption and data loss after cloning inline extents - [x86] iommu/vt-d: Fix ATSR handling for Root-Complex integrated endpoints - Btrfs: don't use ram_bytes for uncompressed inline items - Btrfs: fix truncation of compressed and inlined extents - ext4, jbd2: ensure entering into panic after recording an error in superblock - ACPI: Use correct IRQ when uninstalling ACPI interrupt handler - ALSA: hda - Disable 64bit address for Creative HDA controllers - megaraid_sas: Do not use PAGE_SIZE for max_sectors - can: Use correct type in sizeof() in nla_put() - mtd: blkdevs: fix potential deadlock + lockdep warnings - crypto: algif_hash - Only export and import on sockets with data - megaraid_sas : do not access user memory from IOCTL code - ipv6: fix tunnel error handling - ALSA: hda - Apply pin fixup for HP ProBook 6550b - firewire: ohci: fix JMicron JMB38x IT context discovery - scsi: restart list search after unlock in scsi_remove_target - [amd64] cpu: Call verify_cpu() after having entered long mode too - Btrfs: fix race leading to incorrect item deletion when dropping extents - Btrfs: fix race leading to BUG_ON when running delalloc for nodatacow - perf: Fix inherited events vs. tracepoint filters - scsi_sysfs: Fix queue_ramp_up_period return code - Btrfs: fix race when listing an inode's xattrs - net: fix a race in dst_release() - FS-Cache: Increase reference of parent after registering, netfs success - FS-Cache: Don't override netfs's primary_index if registering failed - FS-Cache: Handle a write to the page immediately beyond the EOF marker - binfmt_elf: Don't clobber passed executable's file header - fs: make dumpable=2 require fully qualified path - fs: if a coredump already exists, unlink and recreate with O_EXCL - irda: precedence bug in irlmp_seq_hb_idx() - RDS-TCP: Recover correctly from pskb_pull()/pksb_trim() failure in rds_tcp_data_recv - ipmr: fix possible race resulting from improper usage of IP_INC_STATS_BH() in preemptible context. - net: avoid NULL deref in inet_ctl_sock_destroy() http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.75 - fuse: break infinite loop in fuse_fill_write_pages() - sctp: translate host order to network order when setting a hmacid - ALSA: usb-audio: add packet size quirk for the Medeli DD305 - ALSA: usb-audio: prevent CH345 multiport output SysEx corruption - ALSA: usb-audio: work around CH345 input SysEx corruption - usb: musb: core: fix order of arguments to ulpi write callback - ASoC: wm8962: correct addresses for HPF_C_0/1 - net: fix __netdev_update_features return on ndo_set_features failure - FS-Cache: Add missing initialization of ret in cachefiles_write_page() - mac80211: mesh: fix call_rcu() usage - macvlan: fix leak in macvlan_handle_frame - xhci: Add XHCI_INTEL_HOST quirk - xhci: Workaround to get Intel xHCI reset working more reliably - usblp: do not set TASK_INTERRUPTIBLE before lock - mac: validate mac_partition is within sector - ip6mr: call del_timer_sync() in ip6mr_free_table() - net: ip6mr: fix static mfc/dev leaks on table destruction - can: sja1000: clear interrupts on start - USB: cp210x: Remove CP2110 ID from compatibility list - USB: cdc-acm - Add IGNORE_DEVICE quirk - USB: cdc_acm: Ignore Infineon Flash Loader utility - fix sysvfs symlinks - vfs: Make sendfile(2) killable even better - vfs: Avoid softlockups with sendfile(2) - broadcom: fix PHY_ID_BCM5481 entry in the id table - ring-buffer: Update read stamp with first real commit on page - ext4: Fix handling of extended tv_sec - jbd2: Fix unreclaimed pages after truncate in data=journal mode - nfs: if we have no valid attrs, then don't declare the attribute cache valid - AHCI: Fix softreset failed issue of Port Multiplier - sata_sil: disable trim - wan/x25: Fix use-after-free in x25_asy_open_tty() - USB: whci-hcd: add check for dma mapping error - usb: Use the USB_SS_MULT() macro to decode burst multiplier for log message - dm btree: fix leak of bufio-backed block in btree_split_sibling error path - ipv4: igmp: Allow removing groups from a removed interface - locking: Add WARN_ON_ONCE lock assertion - sched/core: Remove false-positive warning from wake_up_process() - sched/core: Clear the root_domain cpumasks in init_rootdomain() - usb: xhci: fix config fail of FS hub behind a HS hub with MTT - ALSA: rme96: Fix unexpected volume reset after rate changes - 9p: ->evict_inode() should kick out ->i_data, not ->i_mapping - ipmi: move timer init to before irq is setup - dm btree: fix bufio buffer leaks in dm_btree_del() error path - vgaarb: fix signal handling in vga_get() - mm, vmstat: allow WQ concurrency to discover memory reclaim doesn't make any progress - mm: hugetlb: call huge_pte_alloc() only if ptep is null - snmp: Remove duplicate OUTMCAST stat increment - tcp: initialize tp->copied_seq in case of cross SYN connection - net, scm: fix PaX detected msg_controllen overflow in scm_detach_fds - net: ipmr: fix static mfc/dev leaks on table destruction - ipv6: distinguish frag queues by device for multicast and link-local packets - dccp: remove unnecessary codes in ipv6.c - ipv6: add complete rcu protection around np->opt - ipv6: sctp: implement sctp_v6_destroy_sock() - atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation - sctp: update the netstamp_needed counter when copying sockets - ipv6: sctp: clone options to avoid use after free - af_unix: Revert 'lock_interruptible' in stream receive code - af_unix: fix a fatal race with bit fields http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.76 - sctp: start t5 timer only when peer rwnd is 0 and local state is SHUTDOWN_PENDING - ipv6: sctp: fix lockdep splat in sctp_v6_get_dst() - video: fbdev: fsl: Fix kernel crash when diu_ops is not implemented - crypto: skcipher - Copy iv from desc even for 0-len walks - rfkill: copy the name into the rfkill struct - ses: Fix problems with simple enclosures - ses: fix additional element traversal bug - tty: Fix GPF in flush_to_ldisc() - ALSA: tlv: compute TLV_*_ITEM lengths automatically - ALSA: tlv: add DECLARE_TLV_DB_RANGE() - ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest DragonFly - sh_eth: fix TX buffer byte-swapping - mISDN: fix a loop count - ser_gigaset: fix deallocation of platform device structure - spi: fix parent-device reference leak - [s390*] dis: Fix handling of format specifiers - USB: ipaq.c: fix a timeout loop - USB: fix invalid memory access in hub_activate() - ipv6/addrlabel: fix ip6addrlbl_get() - ocfs2: fix BUG when calculate new backup super - mm/memory_hotplug.c: check for missing sections in test_pages_in_a_zone() - [mips*] Fix restart of indirect syscalls - net/core: revert "net: fix __netdev_update_features return.." and add comment - genirq: Prevent chip buslock deadlock - net: possible use after free in dst_release - [x86] kvm: only channel 0 of the i8254 is linked to the HPET - vmstat: allocate vmstat_wq before it is used - cdrom: Random writing support for BD-RE media http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.77 - gspca: ov534/topro: prevent a division by 0 - media: dvb-core: Don't force CAN_INVERSION_AUTO in oneshot mode - rc: allow rc modules to be loaded if rc-main is not a module - SCSI: initio: remove duplicate module device table - [x86] KVM: expose MSR_TSC_AUX to userspace - [x86] KVM: correctly print #AC in traces - ath9k_htc: check for underflow in ath9k_htc_rx_msg() - mtd: nand: fix ONFI parameter page layout - drm/radeon: call hpd_irq_event on resume - xhci: refuse loading if nousb is used - rtlwifi: fix memory leak for USB device - wlcore: SPI - fix spi transfer_list - wlcore/wl12xx: spi: fix oops on firmware load - EDAC: Robustify workqueues destruction - powerpc: Make value-returning atomics fully ordered - powerpc: Make {cmp}xchg* and their atomic_ versions fully ordered - asix: silence log message from oversize packet - futex: Drop refcount if requeue_pi() acquired the rtmutex - ALSA: fm801: propagate TUNER_ONLY bit when autodetected - drm/radeon: clean up fujitsu quirks - udf: limit the maximum number of indirect extents in a row - USB: cp210x: add ID for ELV Marble Sound Board 1 - posix-clock: Fix return code on the poll method's error path - [x86] LDT: Print the real LDT base address - rtlwifi: rtl8192de: Fix incorrect module parameter descriptions - rtlwifi: rtl8192se: Fix module parameter initialization - rtlwifi: rtl8192ce: Fix handling of module parameters - rtlwifi: rtl8192cu: Add missing parameter setup - NFS: Fix attribute cache revalidation - Input: i8042 - add Fujitsu Lifebook U745 to the nomux list - [x86] xen: don't reset vcpu_info on a cancelled suspend - udf: Prevent buffer overrun with multi-byte characters - udf: Check output buffer length when converting name to CS0 - power: test_power: correctly handle empty writes - locks: fix unlock when fcntl_setlk races with a close - dm snapshot: fix hung bios when copy error occurs - ipv6: tcp: add rcu locking in tcp_v6_send_synack() - [x86] mm: Add barriers and document switch_mm()-vs-flush synchronization - [x86] boot: Double BOOT_HEAP_SIZE to 64KB - [x86] reboot/quirks: Add iMac10,1 to pci_reboot_dmi_table[] - ALSA: seq: Fix missing NULL check at remove_events ioctl - ALSA: seq: Fix race at timer setup and close - [hppa] Fix __ARCH_SI_PREAMBLE_SIZE - [x86] mm: Improve switch_mm() barrier comments - ALSA: timer: Fix double unlink of active_list - ALSA: timer: Fix race among timer ioctls - [sparc64] fix incorrect sign extension in sys_sparc64_personality - cifs: Ratelimit kernel log messages - cifs: fix race between call_async() and reconnect() - cifs_dbg() outputs an uninitialized buffer in cifs_readdir() - dma-debug: switch check from _text to _stext - ocfs2/dlm: ignore cleaning the migration mle that is inuse - ALSA: timer: Harden slave timer list handling - memcg: only free spare array when readers are done - printk: help pr_debug and pr_devel to optimize out arguments - crypto: af_alg - Fix socket double-free when accept fails - ALSA: hrtimer: Fix stall by hrtimer_cancel() - ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode - ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode - ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0 - IB/qib: fix mcast detach when qp not attached - IB/mlx4: Initialize hop_limit when creating address handle - ocfs2: NFS hangs in __ocfs2_cluster_lock due to race with ocfs2_unblock_lock - crypto: algif_skcipher - Require setkey before accept(2) - crypto: af_alg - Disallow bind/setkey/... after accept(2) - crypto: af_alg - Add nokey compatibility path - crypto: algif_skcipher - Add nokey compatibility path - crypto: hash - Add crypto_ahash_has_setkey - crypto: algif_hash - Require setkey before accept(2) - crypto: skcipher - Add crypto_skcipher_has_setkey - crypto: algif_skcipher - Add key check exception for cipher_null - crypto: af_alg - Allow af_af_alg_release_parent to be called on nokey path - crypto: algif_hash - Remove custom release parent function - crypto: algif_skcipher - Remove custom release parent function - crypto: af_alg - Forbid bind(2) when nokey child sockets are present - crypto: algif_hash - Fix race condition in hash_check_key - crypto: algif_skcipher - Fix race condition in skcipher_check_key - crypto: algif_skcipher - Load TX SG list after waiting - sctp: Prevent soft lockup when sctp_accept() is called during a timeout event - usbvision-video: fix memory leak of alt_max_pkt_size - usbvision: fix leak of usb_dev on failure paths in usbvision_probe() - usbvision fix overflow of interfaces array - usbvision: fix crash on detecting device with invalid configuration http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.78 - [x86] KVM: vmx: fix MPX detection - hrtimer: Handle remaining time proper for TIME_LOW_RES - timerfd: Handle relative timers with CONFIG_TIME_LOW_RES proper - posix-timers: Handle relative timers with CONFIG_TIME_LOW_RES proper - itimers: Handle relative timers with CONFIG_TIME_LOW_RES proper - usb: cdc-acm: send zero packet for intel 7260 modem - cdc-acm:exclude Samsung phone 04e8:685d - af_unix: fix struct pid memory leak - pptp: fix illegal memory access caused by multiple bind()s - sctp: allow setting SCTP_SACK_IMMEDIATELY by the application - USB: cp210x: add ID for IAI USB to RS485 adaptor - USB: visor: fix null-deref at probe - USB: serial: visor: fix crash on detecting device without write_urbs - USB: serial: option: Adding support for Telit LE922 - ALSA: seq: Fix incorrect sanity check at snd_seq_oss_synth_cleanup() - ALSA: seq: Degrade the error message for too many opens - USB: serial: ftdi_sio: add support for Yaesu SCU-18 cable - PCI/AER: Flush workqueue on device remove to avoid use-after-free - libata: disable forced PORTS_IMPL for >= AHCI 1.3 - virtio_pci: fix use after free on release - rfkill: fix rfkill_fop_read wait_event usage - SCSI: fix crashes in sd and sr runtime PM - tty: Fix unsafe ldisc reference via ioctl(TIOCGETD) - crypto: shash - Fix has_key setting - ALSA: dummy: Disable switching timer backend via sysfs - [x86] drm/vmwgfx: respect 'nomodeset' - [x86] mm/pat: Avoid truncation when converting cpa->numpages to address - crypto: algif_hash - wait for crypto_ahash_init() to complete - [x86] intel_scu_ipcutil: underflow in scu_reg_access() - ALSA: seq: Fix race at closing in virmidi driver - ALSA: rawmidi: Remove kernel WARNING for NULL user-space buffer check - ALSA: pcm: Fix potential deadlock in OSS emulation - ALSA: seq: Fix yet another races among ALSA timer accesses - ALSA: timer: Fix link corruption due to double start or stop - libata: fix sff host state machine locking while polling - ALSA: rawmidi: Make snd_rawmidi_transmit() race-free - ALSA: rawmidi: Fix race at copying & updating the position - ALSA: seq: Fix lockdep warnings due to double mutex locks - Revert "xhci: don't finish a TD if we get a short-transfer event mid TD" - [x86] usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Broxton-M platforms - xhci: Fix list corruption in urb dequeue at host removal - tda1004x: only update the frontend properties if locked - ALSA: timer: Fix leftover link at closing - saa7134-alsa: Only frees registered sound cards - scsi_dh_rdac: always retry MODE SELECT on command lock violation - mm, vmstat: fix wrong WQ sleep when memory reclaim doesn't make any progress - ocfs2/dlm: clear refmap bit of recovery lock while doing local recovery cleanup - crypto: user - lock crypto_alg_list on alg dump - klist: fix starting point removed bug in klist iterators - ALSA: dummy: Implement timer backend switching more safely - ALSA: timer: Fix wrong instance passed to slave callbacks - [arm*] 8517/1: ICST: avoid arithmetic overflow in icst_hz() - sctp: translate network order to host order when users get a hmacid - ALSA: timer: Fix race between stop and interrupt - ALSA: timer: Fix race at concurrent reads - [x86] ahci: Intel DNV device IDs SATA - [arm*] 8519/1: ICST: try other dividends than 1 - btrfs: properly set the termination value of ctx->pos in readdir - ALSA: usb-audio: avoid freeing umidi object twice - unix: properly account for FDs passed over unix sockets - unix: correctly track in-flight fds in sending process user_struct - pipe: limit the per-user amount of pages allocated in pipes - iw_cxgb3: Fix incorrectly returning error on success - pipe: Fix buffer offset after partially failed read - sched: fix __sched_setscheduler() vs load balancing race . [ Ben Hutchings ] * net: Ignore ABI changes due to "ipv6: add complete rcu protection around np->opt", which don't appear to affect out-of-tree modules * [rt] Update to 3.2.77-rt111: - rtmutex: Handle non enqueued waiters gracefully - rtmutex: Use chainwalking control enum - dump stack: don't disable preemption during trace - net: Make synchronize_rcu_expedited() conditional on - sched: Introduce the trace_sched_waking tracepoint - rtmutex: Have slowfn of rt_mutex_timed_fastlock() use * Revert "crypto: algif_skcipher - Do not dereference ctx without socket lock" (regression in 3.2.78) * crypto: {blk,giv}cipher: Set has_setkey (avoids regressing cryptsetup; see #815480) * [rt] Fix trace function type mismatch introduced in 3.2.77-rt111 linux (3.2.73-2+deb7u3) wheezy-security; urgency=high . [ Ben Hutchings ] * usb: serial: visor: fix crash on detecting device without write_urbs (CVE-2015-7566) * sctp: Prevent soft lockup when sctp_accept() is called during a timeout event (CVE-2015-8767) * tty: Fix unsafe ldisc reference via ioctl(TIOCGETD) (CVE-2016-0723) * fuse: break infinite loop in fuse_fill_write_pages() (CVE-2015-8785) * [x86] mm: Add barriers and document switch_mm()-vs-flush synchronization (CVE-2016-2069) * [x86] mm: Improve switch_mm() barrier comments * pipe: limit the per-user amount of pages allocated in pipes (CVE-2013-4312) * iw_cxgb3: Fix incorrectly returning error on success (CVE-2015-8812) * aufs: Fix regression due to "mm: make sendfile(2) killable" (Closes: #812207) - tiny, extract a new func xino_fwrite_wkq() - XINO handles EINTR from the dying process * af_unix: Guard against other == sk in unix_dgram_sendmsg (regression in 3.2.73-2+deb7u1) * pipe: Fix buffer offset after partially failed read (CVE-2016-0774) * ALSA: usb-audio: avoid freeing umidi object twice (CVE-2016-2384) * unix: correctly track in-flight fds in sending process user_struct (CVE-2016-2550) * USB: fix invalid memory access in hub_activate() (CVE-2015-8816) * ALSA: seq: Fix missing NULL check at remove_events ioctl (CVE-2016-2543) * ALSA: seq: Fix race at timer setup and close (CVE-2016-2544) * ALSA: timer: Fix double unlink of active_list (CVE-2016-2545) * ALSA: timer: Fix race among timer ioctls (CVE-2016-2546) * ALSA: timer: Harden slave timer list handling (CVE-2016-2547, CVE-2016-2548) * ALSA: hrtimer: Fix stall by hrtimer_cancel() (CVE-2016-2549) . [ Salvatore Bonaccorso ] * unix: properly account for FDs passed over unix sockets (CVE-2013-4312) linux (3.2.73-2+deb7u2) wheezy-security; urgency=medium . * net: add validation for the socket syscall protocol argument (CVE-2015-8543) * [xen] Fix race conditions in back-end drivers (CVE-2015-8550, XSA-155) * [xen] pciback: Fix state validation in MSI control operations (CVE-2015-8551, CVE-2015-8852, XSA-157) * pptp: verify sockaddr_len in pptp_bind() and pptp_connect() (CVE-2015-8569) * bluetooth: Validate socket address length in sco_sock_bind() (CVE-2015-8575) * KEYS: Fix race between read and revoke (CVE-2015-7550) * [x86] KVM: Reload pit counters for all channels when restoring state (CVE-2015-7513) * udp: properly support MSG_PEEK with truncated buffers (Closes: #808293, regression in 3.2.72) * drm/radeon: fix hotplug race at startup (Closes: #808973, regression in 3.4.110) * Revert "xhci: don't finish a TD if we get a short transfer event mid TD" (Closes: #808602, #808953, regression in 3.2.73) linux (3.2.73-2+deb7u2~bpo60+1) squeeze-backports; urgency=medium . * Rebuild for squeeze: - Use gcc-4.4 for all architectures - Disable building of udebs - Change ABI number to 0.bpo.4 - Monkey-patch Python collections module to add OrderedDict if necessary - [armel] Disable CRYPTO_FIPS, VGA_ARB, FTRACE on iop32x and ixp4xx to reduce kernel size (as suggested by Arnaud Patard) - Use QUILT_PATCH_OPTS instead of missing quilt patch --fuzz option - Make build target depend on build-arch only, so we don't redundantly build documentation on each architecture . linux (3.2.73-2+deb7u2) wheezy-security; urgency=medium . * net: add validation for the socket syscall protocol argument (CVE-2015-8543) * [xen] Fix race conditions in back-end drivers (CVE-2015-8550, XSA-155) * [xen] pciback: Fix state validation in MSI control operations (CVE-2015-8551, CVE-2015-8852, XSA-157) * pptp: verify sockaddr_len in pptp_bind() and pptp_connect() (CVE-2015-8569) * bluetooth: Validate socket address length in sco_sock_bind() (CVE-2015-8575) * KEYS: Fix race between read and revoke (CVE-2015-7550) * [x86] KVM: Reload pit counters for all channels when restoring state (CVE-2015-7513) * udp: properly support MSG_PEEK with truncated buffers (Closes: #808293, regression in 3.2.72) * drm/radeon: fix hotplug race at startup (Closes: #808973, regression in 3.4.110) * Revert "xhci: don't finish a TD if we get a short transfer event mid TD" (Closes: #808602, #808953, regression in 3.2.73) . linux (3.2.73-2+deb7u1) wheezy-security; urgency=medium . * media: usbvision-video: fix memory leak of alt_max_pkt_size * media: usbvision: fix leak of usb_dev on failure paths in usbvision_probe() * media: usbvision: fix crash on detecting device with invalid configuration (CVE-2015-7833, partly fixed in 3.2.68-1+deb7u6) * [x86] KVM: svm: Restore #BP handler, mistakenly removed in 3.2.73-1 * unix: avoid use-after-free in ep_remove_wait_queue (CVE-2013-7446) . linux (3.2.73-2) wheezy; urgency=medium . * splice: sendfile() at once fails for big files (Closes: #785189) * drm, agp: Update to 3.4.110: - drm/radeon: take the mode_config mutex when dealing with hpds (v2) - [x86] agp/intel: Fix typo in needs_ilk_vtd_wa() - [x86] Revert "drm/i915: Don't skip request retirement if the active list is empty" (regression in 3.4.109) (Closes: #805880) - Revert "drm/radeon: Use drm_calloc_ab for CS relocs" (regression in 3.4.109) - drm/radeon: partially revert "fix VM_CONTEXT*_PAGE_TABLE_END_ADDR handling" (regression in 3.4.109) . linux (3.2.73-1) wheezy; urgency=medium . * New upstream stable update: http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.72 - xen/gntdevt: Fix race condition in gntdev_release() - [armel/ixp4xx] crypto: Remove bogus BUG_ON on scattered dst buffer - target/iscsi: Fix double free of a TUR followed by a solicited NOPOUT - md/raid1: extend spinlock to protect raid1_end_read_request against inconsistencies - target: REPORT LUNS should return LUN 0 even for dynamic ACLs - [mips*] Fix sched_getaffinity with MT FPAFF enabled - xhci: fix off by one error in TRB DMA address boundary check - rds: fix an integer overflow test in rds_info_getsockopt() - perf: Fix fasync handling on inherited events - [mips*] Make set_pte() SMP safe. - ocfs2: fix BUG in ocfs2_downconvert_thread_do_work() - net: Clone skb before setting peeked flag - net: Fix skb_set_peeked use-after-free bug - [x86] ldt: Make modify_ldt synchronous - [x86] ldt: Correct LDT access in single stepping logic - [x86] ldt: Correct FPU emulation access to LDT - dm btree: add ref counting ops for the leaves of top level btrees - libiscsi: Fix host busy blocking during connection teardown - libfc: Fix fc_fcp_cleanup_each_cmd() - ipc,sem: fix use after free on IPC_RMID after a task using same semaphore set exits - [x86] ldt: Further fix FPU emulation - net: Fix RCU splat in af_key - sctp: donot reset the overall_error_count in SHUTDOWN_RECEIVE state - [sparc] Fix userspace FPU register corruptions. (Closes: #789180) - rc-core: fix remove uevent generation - PCI: Fix TI816X class code quirk - mac80211: enable assoc check for mesh interfaces - PCI: Add VPD function 0 quirk for Intel Ethernet devices - usb: gadget: m66592-udc: forever loop in set_feature() - auxdisplay: ks0108: fix refcount - devres: fix devres_get() - [powerpc] windfarm: decrement client count when unregistering - NFSv4: don't set SETATTR for O_RDONLY|O_EXCL - usb: host: ehci-sys: delete useless bus_to_hcd conversion - eCryptfs: Invalidate dcache entries when lower i_nlink is zero - xfs: Fix xfs_attr_leafblock definition - of/address: Don't loop forever in of_find_matching_node_by_address(). - drivercore: Fix unregistration path of platform devices - xfs: return errors from partial I/O failures to files - IB/qib: Change lkey table allocation to support more MRs - SUNRPC: xs_reset_transport must mark the connection as disconnected - IB/mlx4: Use correct SL on AH query under RoCE - IB/uverbs: Fix race between ib_uverbs_open and remove_one - IB/uverbs: reject invalid or unknown opcodes - Input: evdev - do not report errors form flush() - [x86] crypto: ghash-clmulni: specify context size for ghash async algorithm - fs: create and use seq_show_option for escaping - ARM: 8429/1: disable GCC SRA optimization - pagemap: hide physical addresses from non-privileged users - [powerpc] MSI: Fix race condition in tearing down MSI interrupts - hfs,hfsplus: cache pages correctly between bnode_create and bnode_free - hfs: fix B-tree corruption after insertion at position 0 - perf header: Fixup reading of HEADER_NRCPUS feature - USB: option: add ZTE PIDs - Btrfs: fix read corruption of compressed and shared extents - btrfs: skip waiting on ordered range for special files - [armhf] 7880/1: Clear the IT state independent of the Thumb-2 mode - [i386] platform: Fix Geode LX timekeeping in the generic x86 build - [s390*] compat: correct uc_sigmask of the compat signal frame - [x86] KVM: trap AMD MSRs for the TSeg base and mask - usb: Use the USB_SS_MULT() macro to get the burst multiplier. - xhci: give command abortion one more chance before killing xhci - usb: xhci: Clear XHCI_STATE_DYING on start - xhci: change xhci 1.0 only restrictions to support xhci 1.1 - cifs: use server timestamp for ntlmv2 authentication - [x86] paravirt: Replace the paravirt nop with a bona fide empty function - ocfs2/dlm: fix deadlock when dispatch assert master - net/tipc: initialize security state for new connection socket - net: pktgen: fix race between pktgen_thread_worker() and kthread_stop() - net: Fix skb csum races when peeking - ipv6: lock socket in ip6_datagram_connect() - bonding: correct the MAC address for "follow" fail_over_mac policy - net/ipv6: Correct PIM6 mrt_lock handling - fib_rules: fix fib rule dumps across multiple skbs - ipv6: prevent fib6_run_gc() contention - ipv6: update ip6_rt_last_gc every time GC is run - jbd2: avoid infinite loop when destroying aborted journal http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.73 - module: Fix locking in symbol_put_addr() - regmap: debugfs: Ensure we don't underflow when printing access masks - regmap: debugfs: Don't bother actually printing when calculating max length - ath9k: declare required extra tx headroom - [x86] xen: Do not clip xen_e820_map to xen_e820_map_entries when sanitizing map - UBI: Validate data_size - UBI: return ENOSPC if no enough space available - [mips*] dma-default: Fix 32-bit fall back to GFP_DMA - [amd64] process: Add proper bound checks in 64bit get_wchan() - genirq: Fix race in register_irq_proc() - mm: hugetlbfs: skip shared VMAs when unmapping private pages to satisfy a fault - cifs: Do not fall back to SMBWriteX in set_file_size error cases - md/raid0: update queue parameter in a safer location. - md/raid0: apply base queue limits *before* disk_stack_limits - clocksource: Fix abs() usage w/ 64bit values - iio: accel: sca3000: memory corruption in sca3000_read_first_n_hw_rb() - USB: Add reset-resume quirk for two Plantronics usb headphones. - usb: Add device quirk for Logitech PTZ cameras - tty: fix stall caused by missing memory barrier in drivers/tty/n_tty.c - drivers/tty: require read access for controlling terminal - ppp: don't override sk->sk_state in pppoe_flush_dev() - iwlwifi: dvm: fix D3 firmware PN programming - ALSA: synth: Fix conflicting OSS device registration on AWE32 - sched/core: Fix TASK_DEAD race in finish_task_switch() - 3w-9xxx: don't unmap bounce buffered commands (regression in 3.2.70) - xen-blkfront: check for null drvdata in blkback_changed (XenbusStateClosing) - ALSA: hda - Fix inverted internal mic on Lenovo G50-80 - crypto: ahash - ensure statesize is non-zero - [x86] iommu/vt-d: fix range computation when making room for large pages - xhci: don't finish a TD if we get a short transfer event mid TD - xhci: handle no ping response error properly - xhci: Switch Intel Lynx Point LP ports to EHCI on shutdown. - xhci: Add spurious wakeup quirk for LynxPoint-LP controllers - crypto: api - Only abort operations on fatal signal - IB/cm: Fix rb-tree duplicate free and use-after-free - drm/nouveau/gem: return only valid domain when there's only one - [powerpc*] rtas: Validate rtas.entry before calling enter_rtas() - mm: make sendfile(2) killable - ppp: fix pppoe_dev deletion condition in pppoe_release() - dm btree remove: fix a bug when rebalancing nodes after removal - dm btree: fix leak of bufio-backed block in btree_split_beneath error path - md/raid1: ensure device failure recorded before write request returns. - md/raid1: don't clear bitmap bit when bad-block-list write fails. - md/raid10: ensure device failure recorded before write request returns. - md/raid10: don't clear bitmap bit when bad-block-list write fails. - mvsas: Fix NULL pointer dereference in mvs_slot_task_free - sched: declare pid_alive as inline - net: add length argument to skb_copy_and_csum_datagram_iovec (regression in 3.2.72) (CVE-2015-8019) - skbuff: Fix skb checksum flag on skb pull - skbuff: Fix skb checksum partial check. - ethtool: Use kcalloc instead of kmalloc for ethtool_get_strings - asix: Don't reset PHY on if_up for ASIX 88772 - asix: Do full reset during ax88772_bind - nfs: Failing to send a CLOSE if file is opened WRONLY and server reboots on a 4.x mount (regression in 3.2.71) . [ Ben Hutchings ] * [rt] Update to 3.2.72-rt105 (no functional change) * isdn_ppp: Add checks for allocation failure in isdn_ppp_open() * ppp, slip: Validate VJ compression slot parameters completely (CVE-2015-7799) * [x86] KVM: svm: unconditionally intercept #DB (CVE-2015-8104) . linux (3.2.71-2) wheezy; urgency=medium . * Ignore ABI changes in drivers/net/wireless/* (fixes FTBFS on i386) * jbd2: protect all log tail updates with j_checkpoint_mutex (regression in 3.2.71) . linux (3.2.71-1) wheezy; urgency=medium . * New upstream stable update: http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.69 - usb: core: buffer: smallest buffer should start at ARCH_DMA_MINALIGN - TPM: Add new TPMs to the tail of the list to prevent inadvertent change of dev - [x86] staging: comedi: comedi_compat32.c: fix COMEDI_CMD copy back - cdc-acm: add sanity checks - USB: fix use-after-free bug in usb_hcd_unlink_urb() - tty: Prevent untrappable signals from malicious program - rtnetlink: ifla_vf_policy: fix misuses of NLA_BINARY - fsnotify: fix handling of renames in audit - NFSv4.1: Fix a kfree() of uninitialised pointers in decode_cb_sequence_args - mm/hugetlb: fix getting refcount 0 page in hugetlb_fault() - mm/hugetlb: add migration/hwpoisoned entry check in hugetlb_change_protection - mm/hugetlb: add migration entry check in __unmap_hugepage_range - mm/mmap.c: fix arithmetic overflow in __vm_enough_memory() - iscsi-target: Drop problematic active_ts_list usage - mm/memory.c: actually remap enough memory - jffs2: fix handling of corrupted summary length - dm mirror: do not degrade the mirror on discard error - dm io: reject unsupported DISCARD requests with EOPNOTSUPP - sg: fix read() error reporting - netfilter: xt_socket: fix a stack corruption bug - IB/qib: Do not write EEPROM - dm: fix a race condition in dm_get_md - dm snapshot: fix a possible invalid memory access on unload - libceph: fix double __remove_osd() problem - ipv4: ip_check_defrag should correctly check return value of skb_copy_bits (regression in 3.2.36) - debugfs: leave freeing a symlink body until inode eviction - autofs4: check dev ioctl size before allocating - autofs4 copy_dev_ioctl(): keep the value of ->size we'd used for allocation - xfs: ensure truncate forces zeroed blocks to disk - net: compat: Ignore MSG_CMSG_COMPAT in compat_sys_{send, recv}msg (regression in 3.2.48) - xhci: Allocate correct amount of scratchpad buffers - USB: usbfs: don't leak kernel data in siginfo - USB: serial: fix potential use-after-free after failed probe - USB: serial: fix tty-device error handling at probe - nilfs2: fix potential memory overrun on inode - eCryptfs: don't pass fs-specific ioctl commands through - TTY: fix tty_wait_until_sent on 64-bit machines - gadgetfs: use-after-free in ->aio_read() - gadgetfs: Fix leak on error in aio_read() - fuse: notify: don't move pages - fuse: set stolen page uptodate - dm: hold suspend_lock while suspending device during device deletion - dm io: deal with wandering queue limits when handling REQ_DISCARD and REQ_WRITE_SAME - mac80211: drop unencrypted frames in mesh fwding - mac80211: disable u-APSD queues by default - libsas: Fix Kernel Crash in smp_execute_task - Input: synaptics - handle spurious release of trackstick buttons - can: add missing initialisations in CAN related skbuffs - ALSA: control: Add sanity checks for user ctl id name string - nilfs2: fix deadlock of segment constructor during recovery (regression in 3.2.68) - pagemap: do not leak physical addresses to non-privileged userspace (mitigation of the DRAM 'rowhammer' defect) - iio: core: Fix double free. - net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() behaviour (regression in 3.2.54) - cifs: fix use-after-free bug in find_writable_file - mm: fix anon_vma->degree underflow in anon_vma endless growing prevention (regression in 3.2.67) - hfsplus: fix B-tree corruption after insertion at position 0 - mac80211: fix RX A-MPDU session reorder timer deletion - ocfs2: _really_ sync the right range - net:socket: set msg_namelen to 0 if msg_name is passed as NULL in msghdr struct from userland. (fixes regression in 3.2.53-1) - jfs: fix readdir regression (regression in 3.2.51) - ip: zero sockaddr returned on error queue - net: rps: fix cpu unplug - ipv6: stop sending PTB packets for MTU < 1280 - ping: Fix race in free in receive path - ppp: deflate: never return len larger than output buffer - net: gen_stats.c: Duplicate xstats buffer for later use - ipv4: ip_check_defrag should not assume that skb_network_offset is zero - ematch: Fix auto-loading of ematch modules. - net: reject creation of netdev names with colons - macvtap: limit head length of skb allocated - macvtap: make sure neighbour code can push ethernet header - udp: only allow UFO for packets from SOCK_DGRAM sockets - rds: avoid potential stack overflow - tcp: make connect() mem charging friendly - 8139cp,8139too,r8169,tg3,ixgb,benet,gianfar: Call dev_kfree_skb_any instead of kfree_skb - tcp: avoid looping in tcp_send_fin() - net: make skb_gso_segment error handling more robust - spi: spidev: fix possible arithmetic overflow for multi-transfer message - IB/core: Avoid leakage from kernel to user space - ipvs: uninitialized data with IP_VS_IPV6 - [s390*] Revert "KVM: s390: flush CPU on load control" (regression in 3.2.67) http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.70 - [x86] Drivers: hv: vmbus: Fix a bug in the error path in vmbus_open() - e1000: add dummy allocator to fix race condition between mtu change and netpoll - [s390*] KVM: Zero out current VMDB of STSI before including level3 data. - [armhf/omap] usb: musb: core: fix TX/RX endpoint order - UBI: account for bitflips in both the VID header and data - UBI: fix out of bounds write - UBI: initialize LEB number variable - UBI: fix check for "too many bytes" - Btrfs: fix log tree corruption when fs mounted with -o discard - btrfs: don't accept bare namespace as a valid xattr - [arm*] 8320/1: fix integer overflow in ELF_ET_DYN_BASE - [mips*] Hibernate: flush TLB entries earlier - ext4: make fsync to sync parent dir in no-journal for real this time - jhash: Update jhash_[321]words functions to use correct initval - scsi: storvsc: Fix a bug in copy_from_bounce_buffer() - ALSA: emu10k1: don't deadlock in proc-functions - [s390*] hibernate: fix save and restore of kernel text section - Btrfs: fix inode eviction infinite loop after cloning into it - [powerpc] perf: Cap 64bit userspace backtraces to PERF_MAX_STACK_DEPTH - fs/binfmt_elf.c: fix bug in loading of PIE binaries - IB/core: disallow registering 0-sized memory region - ptrace: fix race between ptrace_resume() and wait_task_stopped() - memstick: mspro_block: add missing curly braces - [x86] KVM: VMX: Preserve host CR4.MCE value while in guest mode. - ALSA: emu10k1: Fix card shortname string buffer overflow - 3w-sas,3w-xxxx,3w-9xxx: fix command completion race - cdc-acm: prevent infinite loop when parsing CDC headers. - ALSA: emux: Fix mutex deadlock in OSS emulation - gpio: sysfs: fix memory leaks and device hotplug - ext4: move check under lock scope to close a race. - nfsd: fix the check for confirmed openowner in nfs4_preprocess_stateid_op - nilfs2: fix sanity check of btree level in nilfs_btree_root_broken() - ocfs2: dlm: fix race between purge and get lock resource - ACPI / init: Fix the ordering of acpi_reserve_resources() - md/raid5: don't record new size if resize_stripes fails. - ipvs: fix memory leak in ip_vs_ctl.c - mac80211: move WEP tailroom size check - [x86] KVM: MMU: fix CR4.SMEP=1, CR0.WP=0 with shadow pages - firmware: dmi_scan: Fix ordering of product_uuid (regression in 3.2.38) - ext4: check for zero length extent explicitly (regression in 3.2.55) - jbd2: fix r_count overflows leading to buffer overflow in journal recovery - sd: Disable support for 256 byte/sector disks - xen/events: don't bind non-percpu VIRQs with percpu chip - [s390*] crypto: ghash - Fix incorrect ghash icv buffer handling. - fs/binfmt_elf.c:load_elf_binary(): return -EINVAL on zero-length mappings - vfs: d_walk() might skip too much (regression in 3.2.66) - [amd64] Fix strnlen_user() to not touch memory after specified maximum - ipvs: kernel oops - do_ip_vs_get_ctl - [powerpc] Don't skip ePAPR spin-table CPUs (regression in 3.2.61) - net: dp83640: fix broken calibration routine. - unix/caif: sk_socket can disappear when state is unlocked - bridge: fix br_stp_set_bridge_priority race conditions - packet: read num_members once in packet_rcv_fanout() - packet: avoid out of bounds read in round robin fanout - neigh: do not modify unlinked entries - debugfs: Fix statfs() regression in 3.2.69 - net: socket: Fix the wrong returns for recvmsg and sendmsg - [x86] config: Enable NEED_DMA_MAP_STATE by default when SWIOTLB is selected (Closes: #786551) - softirq: reduce latencies - softirq: Fix lockup related to stop_machine being stuck in __do_softirq. - [mips*] Fix race condition in lazy cache flushing. - [mips/octeon] Remove udelay() causing huge IRQ latency http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.71 - hrtimer: Allow concurrent hrtimer_start() for self restarting timers - s5h1420: fix a buffer overflow when checking userspace params - cx24116: fix a buffer overflow when checking userspace params - mtd: fix: avoid race condition when accessing mtd->usecount - rcu: Correctly handle non-empty Tiny RCU callback list with none ready - [x86] staging: rtl8712: prevent buffer overrun in recvbuf2recvframe - SUNRPC: Fix a memory leak in the backchannel code - regulator: core: fix constraints output buffer - [armel] dmaengine: mv_xor: bug fix for racing condition in descriptors cleanup - ext4: fix race between truncate and __ext4_journalled_writepage() - [x86] pcmcia: Disable write buffering on Toshiba ToPIC95 - jbd2: issue cache flush after checkpointing even with internal journal - jbd2: fix ocfs2 corrupt when updating journal superblock fails - mmc: card: Fixup request missing in mmc_blk_issue_rw_rq - ext4: call sync_blockdev() before invalidate_bdev() in put_super() - iio: DAC: ad5624r_spi: fix bit shift of output data value - ext4: don't retry file block mapping on bigalloc fs with non-extent file - NET: ROSE: Don't dereference NULL neighbour pointer. - fs: Fix S_NOSEC handling - Btrfs: use kmem_cache_free when freeing entry in inode cache - Btrfs: fix race between caching kthread and returning inode to inode cache - fuse: initialize fc->release before calling it - ext4: avoid deadlocks in the writeback path by using sb_getblk_gfp - netfilter: bridge: don't leak skb in error paths - [x86] KVM: make vapics_in_nmi_mode atomic - 9p: forgetting to cancel request on interrupted zero-copy RPC - dm btree remove: fix bug in redistribute3 - rtnetlink: verify IFLA_VF_INFO attributes before passing them to driver - mm: avoid setting up anonymous pages into file mapping - net: do not process device backlog during unregistration - net: call rcu_read_lock early in process_backlog - 9p: don't leave a half-initialized inode sitting around - Btrfs: fix file corruption after cloning inline extents - rds: rds_ib_device.refcount overflow - libata: force disable trim for SuperSSpeed S238 - inet: frags: fix defragmented packet's IP header for af_packet - netfilter: nf_conntrack: Support expectations in different zones - usb-storage: ignore ZTE MF 823 card reader in mode 0x1225 - md/raid1: fix test for 'was read error from last working device'. - iscsi-target: Fix use-after-free during TPG session shutdown - [x86] xen: Probe target addresses in set_aliased_prot() before the hypercall . [ Ben Hutchings ] * drm, agp: Update to 3.4.109: - [x86] drm/i915: Unlock panel even when LVDS is disabled - drm/radeon: kernel panic in drm_calc_vbltimestamp_from_scanoutpos with 3.18.0-rc6 - [x86] drm/vmwgfx: Don't use memory accounting for kernel-side fence objects - [x86] drm/vmwgfx: Fix fence event code - drm/radeon: check the right ring in radeon_evict_flags() - [x86] drm/i915: Only fence tiled region of object. - drm/radeon/dp: Set EDP_CONFIGURATION_SET for bridge chips if necessary - drm/radeon: do a posting read in r100_set_irq - drm/radeon: do a posting read in rs600_set_irq - drm/radeon: do a posting read in r600_set_irq - drm/radeon: do a posting read in evergreen_set_irq - drm/radeon: do a posting read in si_set_irq - drm/radeon: fix DRM_IOCTL_RADEON_CS oops - [x86] drm/vmwgfx: Reorder device takedown somewhat - radeon: Do not directly dereference pointers to BIOS area. - drm/radeon: fix doublescan modes (v2) - drm/radeon: Use drm_calloc_ab for CS relocs - drm/radeon: fix VM_CONTEXT*_PAGE_TABLE_END_ADDR handling - [x86] drm/i915: Don't skip request retirement if the active list is empty * Revert "ACPICA: Utilities: split IO address types from data type models." to avoid ABI change on i386 * Adjust for migration to git: - Update .gitignore files - debian/control: Update Vcs-* fields - README.Debian, README.source: Update references to svn * [rt] Update to 3.2.70-rt103: - KVM: lapic: mark LAPIC timer handler as irqsafe - mm/slub: move slab initialization into irq enabled region - xfs: Disable percpu SB on PREEMPT_RT_FULL linux (3.2.73-2+deb7u1) wheezy-security; urgency=medium . * media: usbvision-video: fix memory leak of alt_max_pkt_size * media: usbvision: fix leak of usb_dev on failure paths in usbvision_probe() * media: usbvision: fix crash on detecting device with invalid configuration (CVE-2015-7833, partly fixed in 3.2.68-1+deb7u6) * [x86] KVM: svm: Restore #BP handler, mistakenly removed in 3.2.73-1 * unix: avoid use-after-free in ep_remove_wait_queue (CVE-2013-7446) linux (3.2.73-2) wheezy; urgency=medium . * splice: sendfile() at once fails for big files (Closes: #785189) * drm, agp: Update to 3.4.110: - drm/radeon: take the mode_config mutex when dealing with hpds (v2) - [x86] agp/intel: Fix typo in needs_ilk_vtd_wa() - [x86] Revert "drm/i915: Don't skip request retirement if the active list is empty" (regression in 3.4.109) (Closes: #805880) - Revert "drm/radeon: Use drm_calloc_ab for CS relocs" (regression in 3.4.109) - drm/radeon: partially revert "fix VM_CONTEXT*_PAGE_TABLE_END_ADDR handling" (regression in 3.4.109) linux (3.2.73-1) wheezy; urgency=medium . * New upstream stable update: http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.72 - xen/gntdevt: Fix race condition in gntdev_release() - [armel/ixp4xx] crypto: Remove bogus BUG_ON on scattered dst buffer - target/iscsi: Fix double free of a TUR followed by a solicited NOPOUT - md/raid1: extend spinlock to protect raid1_end_read_request against inconsistencies - target: REPORT LUNS should return LUN 0 even for dynamic ACLs - [mips*] Fix sched_getaffinity with MT FPAFF enabled - xhci: fix off by one error in TRB DMA address boundary check - rds: fix an integer overflow test in rds_info_getsockopt() - perf: Fix fasync handling on inherited events - [mips*] Make set_pte() SMP safe. - ocfs2: fix BUG in ocfs2_downconvert_thread_do_work() - net: Clone skb before setting peeked flag - net: Fix skb_set_peeked use-after-free bug - [x86] ldt: Make modify_ldt synchronous - [x86] ldt: Correct LDT access in single stepping logic - [x86] ldt: Correct FPU emulation access to LDT - dm btree: add ref counting ops for the leaves of top level btrees - libiscsi: Fix host busy blocking during connection teardown - libfc: Fix fc_fcp_cleanup_each_cmd() - ipc,sem: fix use after free on IPC_RMID after a task using same semaphore set exits - [x86] ldt: Further fix FPU emulation - net: Fix RCU splat in af_key - sctp: donot reset the overall_error_count in SHUTDOWN_RECEIVE state - [sparc] Fix userspace FPU register corruptions. (Closes: #789180) - rc-core: fix remove uevent generation - PCI: Fix TI816X class code quirk - mac80211: enable assoc check for mesh interfaces - PCI: Add VPD function 0 quirk for Intel Ethernet devices - usb: gadget: m66592-udc: forever loop in set_feature() - auxdisplay: ks0108: fix refcount - devres: fix devres_get() - [powerpc] windfarm: decrement client count when unregistering - NFSv4: don't set SETATTR for O_RDONLY|O_EXCL - usb: host: ehci-sys: delete useless bus_to_hcd conversion - eCryptfs: Invalidate dcache entries when lower i_nlink is zero - xfs: Fix xfs_attr_leafblock definition - of/address: Don't loop forever in of_find_matching_node_by_address(). - drivercore: Fix unregistration path of platform devices - xfs: return errors from partial I/O failures to files - IB/qib: Change lkey table allocation to support more MRs - SUNRPC: xs_reset_transport must mark the connection as disconnected - IB/mlx4: Use correct SL on AH query under RoCE - IB/uverbs: Fix race between ib_uverbs_open and remove_one - IB/uverbs: reject invalid or unknown opcodes - Input: evdev - do not report errors form flush() - [x86] crypto: ghash-clmulni: specify context size for ghash async algorithm - fs: create and use seq_show_option for escaping - ARM: 8429/1: disable GCC SRA optimization - pagemap: hide physical addresses from non-privileged users - [powerpc] MSI: Fix race condition in tearing down MSI interrupts - hfs,hfsplus: cache pages correctly between bnode_create and bnode_free - hfs: fix B-tree corruption after insertion at position 0 - perf header: Fixup reading of HEADER_NRCPUS feature - USB: option: add ZTE PIDs - Btrfs: fix read corruption of compressed and shared extents - btrfs: skip waiting on ordered range for special files - [armhf] 7880/1: Clear the IT state independent of the Thumb-2 mode - [i386] platform: Fix Geode LX timekeeping in the generic x86 build - [s390*] compat: correct uc_sigmask of the compat signal frame - [x86] KVM: trap AMD MSRs for the TSeg base and mask - usb: Use the USB_SS_MULT() macro to get the burst multiplier. - xhci: give command abortion one more chance before killing xhci - usb: xhci: Clear XHCI_STATE_DYING on start - xhci: change xhci 1.0 only restrictions to support xhci 1.1 - cifs: use server timestamp for ntlmv2 authentication - [x86] paravirt: Replace the paravirt nop with a bona fide empty function - ocfs2/dlm: fix deadlock when dispatch assert master - net/tipc: initialize security state for new connection socket - net: pktgen: fix race between pktgen_thread_worker() and kthread_stop() - net: Fix skb csum races when peeking - ipv6: lock socket in ip6_datagram_connect() - bonding: correct the MAC address for "follow" fail_over_mac policy - net/ipv6: Correct PIM6 mrt_lock handling - fib_rules: fix fib rule dumps across multiple skbs - ipv6: prevent fib6_run_gc() contention - ipv6: update ip6_rt_last_gc every time GC is run - jbd2: avoid infinite loop when destroying aborted journal http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.73 - module: Fix locking in symbol_put_addr() - regmap: debugfs: Ensure we don't underflow when printing access masks - regmap: debugfs: Don't bother actually printing when calculating max length - ath9k: declare required extra tx headroom - [x86] xen: Do not clip xen_e820_map to xen_e820_map_entries when sanitizing map - UBI: Validate data_size - UBI: return ENOSPC if no enough space available - [mips*] dma-default: Fix 32-bit fall back to GFP_DMA - [amd64] process: Add proper bound checks in 64bit get_wchan() - genirq: Fix race in register_irq_proc() - mm: hugetlbfs: skip shared VMAs when unmapping private pages to satisfy a fault - cifs: Do not fall back to SMBWriteX in set_file_size error cases - md/raid0: update queue parameter in a safer location. - md/raid0: apply base queue limits *before* disk_stack_limits - clocksource: Fix abs() usage w/ 64bit values - iio: accel: sca3000: memory corruption in sca3000_read_first_n_hw_rb() - USB: Add reset-resume quirk for two Plantronics usb headphones. - usb: Add device quirk for Logitech PTZ cameras - tty: fix stall caused by missing memory barrier in drivers/tty/n_tty.c - drivers/tty: require read access for controlling terminal - ppp: don't override sk->sk_state in pppoe_flush_dev() - iwlwifi: dvm: fix D3 firmware PN programming - ALSA: synth: Fix conflicting OSS device registration on AWE32 - sched/core: Fix TASK_DEAD race in finish_task_switch() - 3w-9xxx: don't unmap bounce buffered commands (regression in 3.2.70) - xen-blkfront: check for null drvdata in blkback_changed (XenbusStateClosing) - ALSA: hda - Fix inverted internal mic on Lenovo G50-80 - crypto: ahash - ensure statesize is non-zero - [x86] iommu/vt-d: fix range computation when making room for large pages - xhci: don't finish a TD if we get a short transfer event mid TD - xhci: handle no ping response error properly - xhci: Switch Intel Lynx Point LP ports to EHCI on shutdown. - xhci: Add spurious wakeup quirk for LynxPoint-LP controllers - crypto: api - Only abort operations on fatal signal - IB/cm: Fix rb-tree duplicate free and use-after-free - drm/nouveau/gem: return only valid domain when there's only one - [powerpc*] rtas: Validate rtas.entry before calling enter_rtas() - mm: make sendfile(2) killable - ppp: fix pppoe_dev deletion condition in pppoe_release() - dm btree remove: fix a bug when rebalancing nodes after removal - dm btree: fix leak of bufio-backed block in btree_split_beneath error path - md/raid1: ensure device failure recorded before write request returns. - md/raid1: don't clear bitmap bit when bad-block-list write fails. - md/raid10: ensure device failure recorded before write request returns. - md/raid10: don't clear bitmap bit when bad-block-list write fails. - mvsas: Fix NULL pointer dereference in mvs_slot_task_free - sched: declare pid_alive as inline - net: add length argument to skb_copy_and_csum_datagram_iovec (regression in 3.2.72) (CVE-2015-8019) - skbuff: Fix skb checksum flag on skb pull - skbuff: Fix skb checksum partial check. - ethtool: Use kcalloc instead of kmalloc for ethtool_get_strings - asix: Don't reset PHY on if_up for ASIX 88772 - asix: Do full reset during ax88772_bind - nfs: Failing to send a CLOSE if file is opened WRONLY and server reboots on a 4.x mount (regression in 3.2.71) . [ Ben Hutchings ] * [rt] Update to 3.2.72-rt105 (no functional change) * isdn_ppp: Add checks for allocation failure in isdn_ppp_open() * ppp, slip: Validate VJ compression slot parameters completely (CVE-2015-7799) * [x86] KVM: svm: unconditionally intercept #DB (CVE-2015-8104) linux (3.2.71-2) wheezy; urgency=medium . * Ignore ABI changes in drivers/net/wireless/* (fixes FTBFS on i386) * jbd2: protect all log tail updates with j_checkpoint_mutex (regression in 3.2.71) linux (3.2.71-1) wheezy; urgency=medium . * New upstream stable update: http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.69 - usb: core: buffer: smallest buffer should start at ARCH_DMA_MINALIGN - TPM: Add new TPMs to the tail of the list to prevent inadvertent change of dev - [x86] staging: comedi: comedi_compat32.c: fix COMEDI_CMD copy back - cdc-acm: add sanity checks - USB: fix use-after-free bug in usb_hcd_unlink_urb() - tty: Prevent untrappable signals from malicious program - rtnetlink: ifla_vf_policy: fix misuses of NLA_BINARY - fsnotify: fix handling of renames in audit - NFSv4.1: Fix a kfree() of uninitialised pointers in decode_cb_sequence_args - mm/hugetlb: fix getting refcount 0 page in hugetlb_fault() - mm/hugetlb: add migration/hwpoisoned entry check in hugetlb_change_protection - mm/hugetlb: add migration entry check in __unmap_hugepage_range - mm/mmap.c: fix arithmetic overflow in __vm_enough_memory() - iscsi-target: Drop problematic active_ts_list usage - mm/memory.c: actually remap enough memory - jffs2: fix handling of corrupted summary length - dm mirror: do not degrade the mirror on discard error - dm io: reject unsupported DISCARD requests with EOPNOTSUPP - sg: fix read() error reporting - netfilter: xt_socket: fix a stack corruption bug - IB/qib: Do not write EEPROM - dm: fix a race condition in dm_get_md - dm snapshot: fix a possible invalid memory access on unload - libceph: fix double __remove_osd() problem - ipv4: ip_check_defrag should correctly check return value of skb_copy_bits (regression in 3.2.36) - debugfs: leave freeing a symlink body until inode eviction - autofs4: check dev ioctl size before allocating - autofs4 copy_dev_ioctl(): keep the value of ->size we'd used for allocation - xfs: ensure truncate forces zeroed blocks to disk - net: compat: Ignore MSG_CMSG_COMPAT in compat_sys_{send, recv}msg (regression in 3.2.48) - xhci: Allocate correct amount of scratchpad buffers - USB: usbfs: don't leak kernel data in siginfo - USB: serial: fix potential use-after-free after failed probe - USB: serial: fix tty-device error handling at probe - nilfs2: fix potential memory overrun on inode - eCryptfs: don't pass fs-specific ioctl commands through - TTY: fix tty_wait_until_sent on 64-bit machines - gadgetfs: use-after-free in ->aio_read() - gadgetfs: Fix leak on error in aio_read() - fuse: notify: don't move pages - fuse: set stolen page uptodate - dm: hold suspend_lock while suspending device during device deletion - dm io: deal with wandering queue limits when handling REQ_DISCARD and REQ_WRITE_SAME - mac80211: drop unencrypted frames in mesh fwding - mac80211: disable u-APSD queues by default - libsas: Fix Kernel Crash in smp_execute_task - Input: synaptics - handle spurious release of trackstick buttons - can: add missing initialisations in CAN related skbuffs - ALSA: control: Add sanity checks for user ctl id name string - nilfs2: fix deadlock of segment constructor during recovery (regression in 3.2.68) - pagemap: do not leak physical addresses to non-privileged userspace (mitigation of the DRAM 'rowhammer' defect) - iio: core: Fix double free. - net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() behaviour (regression in 3.2.54) - cifs: fix use-after-free bug in find_writable_file - mm: fix anon_vma->degree underflow in anon_vma endless growing prevention (regression in 3.2.67) - hfsplus: fix B-tree corruption after insertion at position 0 - mac80211: fix RX A-MPDU session reorder timer deletion - ocfs2: _really_ sync the right range - net:socket: set msg_namelen to 0 if msg_name is passed as NULL in msghdr struct from userland. (fixes regression in 3.2.53-1) - jfs: fix readdir regression (regression in 3.2.51) - ip: zero sockaddr returned on error queue - net: rps: fix cpu unplug - ipv6: stop sending PTB packets for MTU < 1280 - ping: Fix race in free in receive path - ppp: deflate: never return len larger than output buffer - net: gen_stats.c: Duplicate xstats buffer for later use - ipv4: ip_check_defrag should not assume that skb_network_offset is zero - ematch: Fix auto-loading of ematch modules. - net: reject creation of netdev names with colons - macvtap: limit head length of skb allocated - macvtap: make sure neighbour code can push ethernet header - udp: only allow UFO for packets from SOCK_DGRAM sockets - rds: avoid potential stack overflow - tcp: make connect() mem charging friendly - 8139cp,8139too,r8169,tg3,ixgb,benet,gianfar: Call dev_kfree_skb_any instead of kfree_skb - tcp: avoid looping in tcp_send_fin() - net: make skb_gso_segment error handling more robust - spi: spidev: fix possible arithmetic overflow for multi-transfer message - IB/core: Avoid leakage from kernel to user space - ipvs: uninitialized data with IP_VS_IPV6 - [s390*] Revert "KVM: s390: flush CPU on load control" (regression in 3.2.67) http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.70 - [x86] Drivers: hv: vmbus: Fix a bug in the error path in vmbus_open() - e1000: add dummy allocator to fix race condition between mtu change and netpoll - [s390*] KVM: Zero out current VMDB of STSI before including level3 data. - [armhf/omap] usb: musb: core: fix TX/RX endpoint order - UBI: account for bitflips in both the VID header and data - UBI: fix out of bounds write - UBI: initialize LEB number variable - UBI: fix check for "too many bytes" - Btrfs: fix log tree corruption when fs mounted with -o discard - btrfs: don't accept bare namespace as a valid xattr - [arm*] 8320/1: fix integer overflow in ELF_ET_DYN_BASE - [mips*] Hibernate: flush TLB entries earlier - ext4: make fsync to sync parent dir in no-journal for real this time - jhash: Update jhash_[321]words functions to use correct initval - scsi: storvsc: Fix a bug in copy_from_bounce_buffer() - ALSA: emu10k1: don't deadlock in proc-functions - [s390*] hibernate: fix save and restore of kernel text section - Btrfs: fix inode eviction infinite loop after cloning into it - [powerpc] perf: Cap 64bit userspace backtraces to PERF_MAX_STACK_DEPTH - fs/binfmt_elf.c: fix bug in loading of PIE binaries - IB/core: disallow registering 0-sized memory region - ptrace: fix race between ptrace_resume() and wait_task_stopped() - memstick: mspro_block: add missing curly braces - [x86] KVM: VMX: Preserve host CR4.MCE value while in guest mode. - ALSA: emu10k1: Fix card shortname string buffer overflow - 3w-sas,3w-xxxx,3w-9xxx: fix command completion race - cdc-acm: prevent infinite loop when parsing CDC headers. - ALSA: emux: Fix mutex deadlock in OSS emulation - gpio: sysfs: fix memory leaks and device hotplug - ext4: move check under lock scope to close a race. - nfsd: fix the check for confirmed openowner in nfs4_preprocess_stateid_op - nilfs2: fix sanity check of btree level in nilfs_btree_root_broken() - ocfs2: dlm: fix race between purge and get lock resource - ACPI / init: Fix the ordering of acpi_reserve_resources() - md/raid5: don't record new size if resize_stripes fails. - ipvs: fix memory leak in ip_vs_ctl.c - mac80211: move WEP tailroom size check - [x86] KVM: MMU: fix CR4.SMEP=1, CR0.WP=0 with shadow pages - firmware: dmi_scan: Fix ordering of product_uuid (regression in 3.2.38) - ext4: check for zero length extent explicitly (regression in 3.2.55) - jbd2: fix r_count overflows leading to buffer overflow in journal recovery - sd: Disable support for 256 byte/sector disks - xen/events: don't bind non-percpu VIRQs with percpu chip - [s390*] crypto: ghash - Fix incorrect ghash icv buffer handling. - fs/binfmt_elf.c:load_elf_binary(): return -EINVAL on zero-length mappings - vfs: d_walk() might skip too much (regression in 3.2.66) - [amd64] Fix strnlen_user() to not touch memory after specified maximum - ipvs: kernel oops - do_ip_vs_get_ctl - [powerpc] Don't skip ePAPR spin-table CPUs (regression in 3.2.61) - net: dp83640: fix broken calibration routine. - unix/caif: sk_socket can disappear when state is unlocked - bridge: fix br_stp_set_bridge_priority race conditions - packet: read num_members once in packet_rcv_fanout() - packet: avoid out of bounds read in round robin fanout - neigh: do not modify unlinked entries - debugfs: Fix statfs() regression in 3.2.69 - net: socket: Fix the wrong returns for recvmsg and sendmsg - [x86] config: Enable NEED_DMA_MAP_STATE by default when SWIOTLB is selected (Closes: #786551) - softirq: reduce latencies - softirq: Fix lockup related to stop_machine being stuck in __do_softirq. - [mips*] Fix race condition in lazy cache flushing. - [mips/octeon] Remove udelay() causing huge IRQ latency http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.71 - hrtimer: Allow concurrent hrtimer_start() for self restarting timers - s5h1420: fix a buffer overflow when checking userspace params - cx24116: fix a buffer overflow when checking userspace params - mtd: fix: avoid race condition when accessing mtd->usecount - rcu: Correctly handle non-empty Tiny RCU callback list with none ready - [x86] staging: rtl8712: prevent buffer overrun in recvbuf2recvframe - SUNRPC: Fix a memory leak in the backchannel code - regulator: core: fix constraints output buffer - [armel] dmaengine: mv_xor: bug fix for racing condition in descriptors cleanup - ext4: fix race between truncate and __ext4_journalled_writepage() - [x86] pcmcia: Disable write buffering on Toshiba ToPIC95 - jbd2: issue cache flush after checkpointing even with internal journal - jbd2: fix ocfs2 corrupt when updating journal superblock fails - mmc: card: Fixup request missing in mmc_blk_issue_rw_rq - ext4: call sync_blockdev() before invalidate_bdev() in put_super() - iio: DAC: ad5624r_spi: fix bit shift of output data value - ext4: don't retry file block mapping on bigalloc fs with non-extent file - NET: ROSE: Don't dereference NULL neighbour pointer. - fs: Fix S_NOSEC handling - Btrfs: use kmem_cache_free when freeing entry in inode cache - Btrfs: fix race between caching kthread and returning inode to inode cache - fuse: initialize fc->release before calling it - ext4: avoid deadlocks in the writeback path by using sb_getblk_gfp - netfilter: bridge: don't leak skb in error paths - [x86] KVM: make vapics_in_nmi_mode atomic - 9p: forgetting to cancel request on interrupted zero-copy RPC - dm btree remove: fix bug in redistribute3 - rtnetlink: verify IFLA_VF_INFO attributes before passing them to driver - mm: avoid setting up anonymous pages into file mapping - net: do not process device backlog during unregistration - net: call rcu_read_lock early in process_backlog - 9p: don't leave a half-initialized inode sitting around - Btrfs: fix file corruption after cloning inline extents - rds: rds_ib_device.refcount overflow - libata: force disable trim for SuperSSpeed S238 - inet: frags: fix defragmented packet's IP header for af_packet - netfilter: nf_conntrack: Support expectations in different zones - usb-storage: ignore ZTE MF 823 card reader in mode 0x1225 - md/raid1: fix test for 'was read error from last working device'. - iscsi-target: Fix use-after-free during TPG session shutdown - [x86] xen: Probe target addresses in set_aliased_prot() before the hypercall . [ Ben Hutchings ] * drm, agp: Update to 3.4.109: - [x86] drm/i915: Unlock panel even when LVDS is disabled - drm/radeon: kernel panic in drm_calc_vbltimestamp_from_scanoutpos with 3.18.0-rc6 - [x86] drm/vmwgfx: Don't use memory accounting for kernel-side fence objects - [x86] drm/vmwgfx: Fix fence event code - drm/radeon: check the right ring in radeon_evict_flags() - [x86] drm/i915: Only fence tiled region of object. - drm/radeon/dp: Set EDP_CONFIGURATION_SET for bridge chips if necessary - drm/radeon: do a posting read in r100_set_irq - drm/radeon: do a posting read in rs600_set_irq - drm/radeon: do a posting read in r600_set_irq - drm/radeon: do a posting read in evergreen_set_irq - drm/radeon: do a posting read in si_set_irq - drm/radeon: fix DRM_IOCTL_RADEON_CS oops - [x86] drm/vmwgfx: Reorder device takedown somewhat - radeon: Do not directly dereference pointers to BIOS area. - drm/radeon: fix doublescan modes (v2) - drm/radeon: Use drm_calloc_ab for CS relocs - drm/radeon: fix VM_CONTEXT*_PAGE_TABLE_END_ADDR handling - [x86] drm/i915: Don't skip request retirement if the active list is empty * Revert "ACPICA: Utilities: split IO address types from data type models." to avoid ABI change on i386 * Adjust for migration to git: - Update .gitignore files - debian/control: Update Vcs-* fields - README.Debian, README.source: Update references to svn * [rt] Update to 3.2.70-rt103: - KVM: lapic: mark LAPIC timer handler as irqsafe - mm/slub: move slab initialization into irq enabled region - xfs: Disable percpu SB on PREEMPT_RT_FULL linux (3.2.68-1+deb7u6~bpo60+1) squeeze-backports; urgency=medium . * Rebuild for squeeze: - Use gcc-4.4 for all architectures - Disable building of udebs - Change ABI number to 0.bpo.4 - Monkey-patch Python collections module to add OrderedDict if necessary - [armel] Disable CRYPTO_FIPS, VGA_ARB, FTRACE on iop32x and ixp4xx to reduce kernel size (as suggested by Arnaud Patard) - Use QUILT_PATCH_OPTS instead of missing quilt patch --fuzz option - Make build target depend on build-arch only, so we don't redundantly build documentation on each architecture . linux (3.2.68-1+deb7u6) wheezy-security; urgency=medium . [ Salvatore Bonaccorso ] * KEYS: Fix race between key destruction and finding a keyring by name * KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring (CVE-2015-7872) * KEYS: Don't permit request_key() to construct a new keyring . [ Ben Hutchings ] * usbvision: fix overflow of interfaces array (CVE-2015-7833) * RDS: fix race condition when sending a message on unbound socket (CVE-2015-7990) * [x86] KVM: Intercept #AC to avoid guest->host denial-of-service (CVE-2015-5307) . linux (3.2.68-1+deb7u5) wheezy-security; urgency=medium . * USB: whiteheat: fix potential null-deref at probe (CVE-2015-5257) * ipc/sem.c: fully initialize sem_array before making it visible * ipc: Initialize msg/shm IPC objects before doing ipc_addid() (CVE-2015-7613) * vfs: Fix possible escape from mount namespace or chroot (CVE-2015-2925): - dcache: Handle escaped paths in prepend_path - vfs: Test for and handle paths that are unreachable from their mnt_root linux (3.2.68-1+deb7u4) wheezy-security; urgency=medium . * ipv6: addrconf: validate new MTU before applying it (CVE-2015-0272) * virtio-net: drop NETIF_F_FRAGLIST (CVE-2015-5156) * vhost: actually track log eventfd file (CVE-2015-6252) * RDS: verify the underlying transport exists before creating a connection (CVE-2015-6937) linux (3.2.68-1+deb7u4~bpo60+1) squeeze-backports; urgency=medium . * Rebuild for squeeze: - Use gcc-4.4 for all architectures - Disable building of udebs - Change ABI number to 0.bpo.4 - Monkey-patch Python collections module to add OrderedDict if necessary - [armel] Disable CRYPTO_FIPS, VGA_ARB, FTRACE on iop32x and ixp4xx to reduce kernel size (as suggested by Arnaud Patard) - Use QUILT_PATCH_OPTS instead of missing quilt patch --fuzz option - Make build target depend on build-arch only, so we don't redundantly build documentation on each architecture . linux (3.2.68-1+deb7u4) wheezy-security; urgency=medium . * ipv6: addrconf: validate new MTU before applying it (CVE-2015-0272) * virtio-net: drop NETIF_F_FRAGLIST (CVE-2015-5156) * vhost: actually track log eventfd file (CVE-2015-6252) * RDS: verify the underlying transport exists before creating a connection (CVE-2015-6937) live-tools (3.0.20-1+deb7u1) wheezy; urgency=medium . * Non-maintainer upload. * Depend on initramfs-tools. (Closes: #779888) maven2 (2.2.1-12+deb7u1) wheezy-proposed-updates; urgency=high . * Rebuild with libmaven2-core-java 2.2.1-8+deb7u1: Use a secure connection by default to download artifacts from the Maven Central repository (Closes: #779337) maven2-core (2.2.1-8+deb7u1) wheezy-proposed-updates; urgency=high . * Team upload. * Use a secure connection by default to download artifacts from the Maven Central repository (Closes: #779338) miniupnpc (1.5-2+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2015-6031: Buffer overflow vulnerability in XML parser functionality (Closes: #802650) mysql-5.5 (5.5.47-0+deb7u1) wheezy-security; urgency=high . * Imported Upstream version 5.5.47 to fix security issues: - http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html - CVE-2016-0546 CVE-2016-0505 CVE-2016-0596 CVE-2016-0597 CVE-2016-0616 CVE-2016-0598 CVE-2016-0600 CVE-2016-0606 CVE-2016-0608 CVE-2016-0609 (Closes: #811428) * fix-test-suite-failure-caused-by-arbitrary-date-in-the-future-patch is no longer needed, as bug is fixed in new Upstream version mysql-5.5 (5.5.47-0+deb6u1) squeeze-lts; urgency=high . * Non-maintainer upload by the Squeeze LTS Team. * Merged from package proposed for wheezy by Lars Tangvald * New upstream version that fixes the following issues: - http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html - CVE-2016-0546 CVE-2016-0505 CVE-2016-0596 CVE-2016-0597 CVE-2016-0616 CVE-2016-0598 CVE-2016-0600 CVE-2016-0606 CVE-2016-0608 CVE-2016-0609 (Closes: #811428) * fix-test-suite-failure-caused-by-arbitrary-date-in-the-future-patch is no longer needed, as bug is fixed in new Upstream version mysql-5.5 (5.5.46-0+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Imported Upstream version 5.5.46 to fix security issues: - http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html - CVE-2015-4792 CVE-2015-4802 CVE-2015-4815 CVE-2015-4816 CVE-2015-4819 CVE-2015-4826 CVE-2015-4830 CVE-2015-4836 CVE-2015-4858 CVE-2015-4861 CVE-2015-4870 CVE-2015-4879 CVE-2015-4913 (Closes: #802564) * Add fix-test-suite-failure-caused-by-arbitrary-date-in-the-future.patch. Fix test suite failure caused by arbitrary date in the future. Thanks to Marc Deslauriers mysql-5.5 (5.5.46-0+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Imported Upstream version 5.5.46 to fix security issues: - http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html - CVE-2015-4792 CVE-2015-4802 CVE-2015-4815 CVE-2015-4816 CVE-2015-4819 CVE-2015-4826 CVE-2015-4830 CVE-2015-4836 CVE-2015-4858 CVE-2015-4861 CVE-2015-4870 CVE-2015-4879 CVE-2015-4913 (Closes: #802564) * Add fix-test-suite-failure-caused-by-arbitrary-date-in-the-future.patch. Fix test suite failure caused by arbitrary date in the future. Thanks to Marc Deslauriers * Add revert-to-_sync_lock_test_and_set.patch. Fixes FTBFS on arm and powerpw by reverting to __sync_lock_test_and_set. The gcc version in wheezy is too old to have __atomic_*. Thanks to Marc Deslauriers for the patch. mysql-5.5 (5.5.46-0+deb6u1) squeeze-lts; urgency=high . * Non-maintainer upload by the Squeeze LTS Team. * Backport mysql-5.5 to squeeze from wheezy (Thanks to Salvatore Bonaccorso ). * Drop unversioned packages: libmysqld-pic, libmysqld-dev, libmysqlclient-dev: - Remove debian/install,dir files: libmysqlclient-dev.* libmysqld-dev.* libmysqld-pic.* * debian/control: - Remove Build-Depends on doxygen-latex - mysql-server-5.5: * Remove Replaces and Breaks: libmysqlclient-dev ( << 5.5.17~) * Remove versioned dependency on initscripts. 2.88dsf-13.3 not available on squeeze. * Provides: mysql-server - Move mysql-common to mysql-common-5.5: * Create a new mysql-common-5.5 package to avoid dist-upgrade to upgrade mysql-common (5.1). * Conflicts: mysql-common (>> ${source:Version}) for a clean upgrade to wheezy. * Remove Breaks: mysql-common - mysql-server and mysql-client include Depends: on mysql-server-5.1 and mysql-client-5.1. * debian/compat: Move from 9 to 8 * debian/patches: - 71_disable_rpl_tests.patch: * Add rpl_innodb_bug28430 to disabled tests. * Really disable fix +rpl_heartbeat_basic. * debian/rules: - Remove multiarch support - Remove specific override_dh_command-arch targets (supported by debhelper >= 8.9.7). mysql-5.5 (5.5.44-0+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Imported Upstream version 5.5.44 to fix security issues: - http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html - CVE-2015-4752 CVE-2015-4737 CVE-2015-2648 CVE-2015-2643 CVE-2015-2620 CVE-2015-2582 (Closes: #792445) nginx (1.2.1-2.2+wheezy4) wheezy-security; urgency=high . [ Christos Trochalakis ] * Fixes multiple resolver CVEs, CVE-2016-0742, CVE-2016-0746, CVE-2016-0747 Closes: #812806 nspr (2:4.9.2-1+deb7u3) wheezy-security; urgency=high . * Non-maintainer upload. * Fix CVE-2015-7183, MFSA-2015-133: heap-buffer overflow in PL_ARENA_ALLOCATE ntp (1:4.2.6.p5+dfsg-2+deb7u6) wheezy-security; urgency=medium . * Fix errors in previous changelog entry ntp (1:4.2.6.p5+dfsg-2+deb7u5) wheezy-security; urgency=medium . * Fix CVE-2015-7850 * Fix CVE-2015-7704 * Fix CVE-2015-7701 * Fix CVE-2015-7852 * Fix CVE-2015-7853 * Fix CVE-2015-7851 * Fix CVE-2015-7705 * Fix CVE-2015-7855 * Fix CVE-2015-7871 * Rename CVE-2014-9297.patch to CVE-2014-9750.patch and add missing patch. * Rename CVE-2014-9298.patch to CVE-2014-9751.patch * Rename bug-2797.patch to CVE-2015-3405.patch * FIX CVE-2015-5146 * FIX CVE-2015-5194 * FIX CVE-2015-5195 * FIX CVE-2015-5196 * FIX CVE-2015-5219 * FIX CVE-2015-5300 * FIX CVE-2015-7691, CVE-2015-7962, CVE-2015-7702 * Add build-depends on bison since one of the patches update the .y file. nvidia-graphics-drivers (304.131-1) wheezy; urgency=medium . * New upstream legacy 304xx branch release 304.131 (2015-11-16). * Fixed CVE-2015-7869: Unsanitized User Mode Input. (Closes: #805917) - Fixed a bug that could cause texture corruption in some OpenGL applications when video memory is exhausted by a combination of simultaneously running graphical and compute workloads. - Added support for X.Org xserver ABI 20 (xorg-server 1.18). * Improved compatibility with recent Linux kernels. * Add xorg-video-abi-20 as alternative dependency. * conftest.h: - Implement new conftest.sh functions hlist_for_each_entry, of_parse_phandle, for_each_online_node, node_end_pfn (358.09). - Update conftest.sh function scatterlist for logic reversal in 304.131/340.96/352.63, support both ways. * debian/control: Add Breaks between mismatching upstream versions of libcuda1 and nvidia-alternative to prevent partial upgrades. * Upload to wheezy. nvidia-graphics-drivers (304.128-1) wheezy; urgency=medium . * New upstream legacy 304xx branch release 304.128 (2015-08-31). * Fixed CVE-2015-5950: Memory corruption due to an unsanitized pointer. (Closes: #800566) * Improved compatibility with recent Linux kernels. * libgl1-nvidia-glx: Add Provides+Conflicts: libgl1-nvidia-glx-${nvidia:Version} to forbid co-installation of libgl1-nvidia-legacy-304xx-glx from the same upstream version due to file conflicts on versioned files that are not handled via alternatives. * conftest.h: - Implement new conftest.sh functions file_inode, drm_pci_set_busid (340.76). - Implement check for linux/log2.h (346.16). - Implement check for xen/ioemu.h (346.59). - Implement new conftest.sh functions write_cr4, xen_ioemu_inject_msi (346.59), list_cut_position (349.12). - Implement new conftest.sh functions backing_dev_info (346.82), phys_to_dma, dma_ops, get_dma_ops, noncoherent_swiotlb_dma_ops (352.09). - Implement new conftest.sh function dma_map_ops (352.30). - Reorder conftest.h to match conftest.sh. - Implement new conftest.sh function nvidia_grid_build (352.41). * bug-script: Synchronize with unstable (340.93-4). * Update lintian overrides. nvidia-graphics-modules (304.131+3.2.0+1) wheezy; urgency=medium . * Use nvidia-kernel-source 304.131. * Upload to wheezy. nvidia-graphics-modules (304.128+3.2.0+1) wheezy; urgency=medium . * Use nvidia-kernel-source 304.128. * Upload to wheezy. openafs (1.6.1-3+deb7u5) wheezy-security; urgency=high . * Apply upstream security patches corresponding to the 1.6.15 release: - OPENAFS-SA-2015-007 (CVE-2015-7762, CVE-2015-7763): rx ACK packets reveal plaintext of previously encrypted data packets. openjdk-7 (7u91-2.6.3-1~deb7u1) wheezy-security; urgency=low . * Rebuild for wheezy-security openjdk-7 (7u91-2.6.2-1) unstable; urgency=medium . [ Tiago Stürmer Daitx ] * IcedTea release 2.6.2 (based on 7u91): * Security fixes - S8048030, CVE-2015-4734: Expectations should be consistent - S8068842, CVE-2015-4803: Better JAXP data handling - S8076339, CVE-2015-4903: Better handling of remote object invocation - S8076383, CVE-2015-4835: Better CORBA exception handling - S8076387, CVE-2015-4882: Better CORBA value handling - S8076392, CVE-2015-4881: Improve IIOPInputStream consistency - S8076413, CVE-2015-4883: Better JRMP message handling - S8078427, CVE-2015-4842: More supportive home environment - S8078440: Safer managed types - S8080541: More direct property handling - S8080688, CVE-2015-4860: Service for DGC services - S8081760: Better group dynamics - S8086092, CVE-2015-4840: More palette improvements - S8086733, CVE-2015-4893: Improve namespace handling - S8087350: Improve array conversions - S8103671, CVE-2015-4805: More objective stream classes - S8103675: Better Binary searches - S8130078, CVE-2015-4911: Document better processing - S8130193, CVE-2015-4806: Improve HTTP connections - S8130864: Better server identity handling - S8130891, CVE-2015-4843: (bf) More direct buffering - S8131291, CVE-2015-4872: Perfect parameter patterning - S8132042, CVE-2015-4844: Preserve layout presentation * d/patches/it-debian-build-flags.diff: refreshed * d/patches/it-set-compiler.diff: refreshed * d/patches/it-use-quilt.diff: refreshed and updated * d/patches/it-jamvm-2.0.diff: refreshed * d/patches/xrender: removed as it was applied upstream openjdk-7 (7u85-2.6.1-6+deb8u1) jessie-security; urgency=medium . * Rebuild for jessie-security openjdk-7 (7u85-2.6.1-6) unstable; urgency=high . [ Tiago Stürmer Daitx ] * Security fixes - S8048030, CVE-2015-4734: Expectations should be consistent - S8068842, CVE-2015-4803: Better JAXP data handling - S8076339, CVE-2015-4903: Better handling of remote object invocation - S8076383, CVE-2015-4835: Better CORBA exception handling - S8076387, CVE-2015-4882: Better CORBA value handling - S8076392, CVE-2015-4881: Improve IIOPInputStream consistency - S8076413, CVE-2015-4883: Better JRMP message handling - S8078427, CVE-2015-4842: More supportive home environment - S8078440: Safer managed types - S8080541: More direct property handling - S8080688, CVE-2015-4860: Service for DGC services - S8081744, CVE-2015-4868: Clear out list corner case - S8081760: Better group dynamics - S8086092. CVE-2015-4840: More palette improvements - S8086733, CVE-2015-4893: Improve namespace handling - S8087350: Improve array conversions - S8103671, CVE-2015-4805: More objective stream classes - S8103675: Better Binary searches - S8129611: Accessbridge error handling improvement - S8130078, CVE-2015-4911: Document better processing - S8130185: More accessible access switch - S8130193, CVE-2015-4806: Improve HTTP connections - S8130864: Better server identity handling - S8130891, CVE-2015-4843: (bf) More direct buffering - S8131291, CVE-2015-4872: Perfect parameter patterning - S8132042, CVE-2015-4844: Preserve layout presentation * S6966259: Make PrincipalName and Realm immutable, required for S8048030 * S8078822: 8068842 fix missed one new file PrimeNumberSequenceGenerator.java . [ Matthias Klose ] * Re-enable the atk bridge for releases with a fixed atk bridge. Again closes: #797595. openjdk-7 (7u85-2.6.1-6~deb7u1) wheezy-security; urgency=low . * Rebuild for wheezy-security openjdk-7 (7u85-2.6.1-5) unstable; urgency=medium . * Fix passing --disable-system-sctp for non-linux targets. openjdk-7 (7u85-2.6.1-5~deb8u1) jessie-security; urgency=medium . * Rebuild for jessie-security openjdk-7 (7u85-2.6.1-4) unstable; urgency=medium . * Build again with pulseaudio on alpha. * Update the kfreebsd support patches (Steven Chamberlain). Closes: #798123. * Fix parallel build. Closes: #798124. * Disable again the atk bridge, too many regressions. Reopens: #797595. openjdk-7 (7u85-2.6.1-3) unstable; urgency=medium . * Configure with --disable-system-sctp on KFreeBSD. * Stop building jamvm on mips and mipsel, fails to build. openjdk-7 (7u85-2.6.1-2) unstable; urgency=medium . * Stop building zero on AArch64, broken on the merged IcedTea Hotspot. * Only build-depend on libsctp-dev on linux architectures. * Configure for zero on sparc64, Hotspot build fails too. openjdk-7 (7u85-2.6.1-1) unstable; urgency=medium . * IcedTea7 2.6.1 release (based on OpenJDK 7u85). * Configure for Hotspot on sparc64. * Add mips to the openjdk stage1 architectures. * Sort the enums and the annotations in the package-tree.html files (Emmanuel Bourg). Closes: #787159. * Re-enable the atk bridge for releases with a fixed atk bridge. Closes: #797595. * Make derivatives builds the same as the parent distro. Closes: #797662. openjdk-7 (7u79-2.5.6-1) unstable; urgency=medium . * IcedTea7 2.5.6 release (based on OpenJDK 7u79). * Security fixes - S8043202, CVE-2015-2808: Prohibit RC4 cipher suites. - S8067694, CVE-2015-2625: Improved certification checking. - S8071715, CVE-2015-4760: Tune font layout engine. - S8071731: Better scaling for C1. - S8072490: Better font morphing redux. - S8072887: Better font handling improvements. - S8073334: Improved font substitutions. - S8073773: Presume path preparedness. - S8073894: Getting to the root of certificate chains. - S8074330: Set font anchors more solidly. - S8074335: Substitute for substitution formats. - S8074865, CVE-2015-2601: General crypto resilience changes. - S8074871: Adjust device table handling. - S8075374, CVE-2015-4748: Responding to OCSP responses. - S8075378, CVE-2015-4749: JNDI DnsClient Exception Handling. - S8075738: Better multi-JVM sharing. - S8075833, CVE-2015-2613: Straighter Elliptic Curves. - S8075838: Method for typing MethodTypes. - S8075853, CVE-2015-2621: Proxy for MBean proxies. - S8076328, CVE-2015-4000: Enforce key exchange constraints. - S8076376, CVE-2015-2628: Enhance IIOP operations. - S8076397, CVE-2015-4731: Better MBean connections. - S8076401, CVE-2015-2590: Serialize OIS data. - S8076405, CVE-2015-4732: Improve serial serialization. - S8076409, CVE-2015-4733: Reinforce RMI framework. - S8077520, CVE-2015-2632: Morph tables into improved form. - PR2487, CVE-2015-4000: Make jdk8 mode the default for jdk.tls.ephemeralDHKeySize. * Update the kfreebsd hotspot support patch (Steven Chamberlain). Closes: #788982. * openjdk-7-jre: Recommend the real libgconf2-4 and libgnome2-0 packages. Closes: #786594. openjdk-7 (7u79-2.5.6-1~deb8u1) jessie-security; urgency=medium . * Rebuild for stable openjdk-7 (7u79-2.5.6-1~deb7u1) wheezy-security; urgency=low . * Rebuild for oldstable openjdk-7 (7u79-2.5.5-1) unstable; urgency=high . * IcedTea7 2.5.5 release (based on OpenJDK 7u79). * Security fixes - S8059064: Better G1 log caching. - S8060461: Fix for JDK-8042609 uncovers additional issue. - S8064601, CVE-2015-0480: Improve jar file handling. - S8065286: Fewer subtable substitutions. - S8065291: Improved font lookups. - S8066479: Better certificate chain validation. - S8067050: Better font consistency checking. - S8067684: Better font substitutions. - S8067699, CVE-2015-0469: Better glyph storage. - S8068320, CVE-2015-0477: Limit applet requests. - S8068720, CVE-2015-0488: Better certificate options checking. - S8069198: Upgrade image library. - S8071726, CVE-2015-0478: Better RSA optimizations. - S8071818: Better vectorization on SPARC. - S8071931, CVE-2015-0460: Return of the phantom menace. * Build the documentation when building with a Hotspot VM. Closes: #781577. * openjdk-7-jre.preinst: Fix version for alternatives cleanup. Closes: #775072. * Re-enable HotSpot on SPARC; zero doesn't workm and there seems to be some work ongoing upstream. * Refresh patches. * Only install the openjdk-java.desktop file when using cautious-launcher. openjdk-7 (7u79-2.5.5-1~deb8u1) jessie-security; urgency=medium . * Rebuild for jessie, the upload didn' reach jessie in time due to a failing mips build openjdk-7 (7u79-2.5.5-1~deb7u1) wheezy-security; urgency=low . * Rebuild for stable openjdk-7 (7u75-2.5.4-3) unstable; urgency=medium . * Replace the ARM32 Thumb JIT with the ARM32 JIT. * Fix 8059327: XML parser returns corrupt attribute value. Closes: #780166. * openjdk-7-jre.preinst: Cleanup obsolete alternatives (javaws, pluginappletviewer) left by openjdk-6-jre/squeeze (Andreas Beckmann). Closes: #775072. openjdk-7 (7u75-2.5.4-2) unstable; urgency=medium . * Fix build on mips64 and mips64el. Addresses #776295. * Fix the build using the updated patch not following symlinks. openjdk-7 (7u75-2.5.4-1) unstable; urgency=high . * IcedTea7 2.5.4 release (based on OpenJDK 7u75). * Security fixes - S8046656: Update protocol support. - S8047125, CVE-2015-0395: (ref) More phantom object references. - S8047130: Fewer escapes from escape analysis. - S8048035, CVE-2015-0400: Ensure proper proxy protocols. - S8049253: Better GC validation. - S8050807, CVE-2015-0383: Better performing performance data handling. - S8054367, CVE-2015-0412: More references for endpoints. - S8055304, CVE-2015-0407: More boxing for DirectoryComboBoxModel. - S8055309, CVE-2015-0408: RMI needs better transportation considerations. - S8055479: TLAB stability. - S8055489, CVE-2014-6585: Better substitution formats. - S8056264, CVE-2014-6587: Multicast support improvements. - S8056276, CVE-2014-6591: Fontmanager feature improvements. - S8057555, CVE-2014-6593: Less cryptic cipher suite management. - S8058982, CVE-2014-6601: Better verification of an exceptional invokespecial. - S8059485, CVE-2015-0410: Resolve parsing ambiguity. - S8061210, CVE-2014-3566: Issues in TLS. openjdk-7 (7u75-2.5.4-1~deb7u1) wheezy-security; urgency=low . * Rebuild for stable openjdk-7 (7u71-2.5.3-2) unstable; urgency=medium . * Regenerate the .orig.tar to omit a third hotspot tarball. * Really fix the libjpeg runtime dependency for sid and jessie. Closes: #766601. * Fix regression running JamVM after the 2.5.3 security update. Closes: #767771. LP: #1382205. * Fix regression running CACAO after the 2.5.3 security update. * Backport S8000897, VM crash in CompileBroker. Closes: #768747. * Fix building icedtea-sound on x32 (patch dropped in 7u71-2.5.3-1). Closes: #766610. * Don't use the compatibility path names from the ttf-dejavu packages for recent releases. LP: #1362099. openjdk-7 (7u71-2.5.3-2~deb7u1) wheezy-security; urgency=low . * Build for stable openjdk-7 (7u71-2.5.3-1) unstable; urgency=high . * IcedTea7 2.5.1 release (based on OpenJDK 7u65). * Security fixes: - S8015256: Better class accessibility. - S8022783, CVE-2014-6504: Optimize C2 optimizations. - S8035162: Service printing service. - S8035781: Improve equality for annotations. - S8036805: Correct linker method lookup. - S8036810: Correct linker field lookup. - S8036936: Use local locales. - S8037066, CVE-2014-6457: Secure transport layer. - S8037846, CVE-2014-6558: Ensure streaming of input cipher streams. - S8038364: Use certificate exceptions correctly. - S8038899: Safer safepoints. - S8038903: More native monitor monitoring. - S8038908: Make Signature more robust. - S8038913: Bolster XML support. - S8039509, CVE-2014-6512: Wrap sockets more thoroughly. - S8039533, CVE-2014-6517: Higher resolution resolvers. - S8041540, CVE-2014-6511: Better use of pages in font processing. - S8041529: Better parameterization of parameter lists. - S8041545: Better validation of generated rasters. - S8041564, CVE-2014-6506: Improved management of logger resources. - S8041717, CVE-2014-6519: Issue with class file parser. - S8042609, CVE-2014-6513: Limit splashiness of splash images. - S8042797, CVE-2014-6502: Avoid strawberries in LogRecord. - S8044274, CVE-2014-6531: Proper property processing. . [ Matthias Klose ] * Change B-D to libjpeg-dev to finish the transition to libjpeg-turbo (Ondřej Surý). Closes: #763489. * Depend on libnss3 instead of libnss3-1d for recent releases. Addresses: #760122. * Ship the apt binary and man page again. Closes: #765037. . [ Bill Huey ] * Icedtea 2.5.3, jamvm-2.0.0 and icetea-sound-1.0.1 packaging updates. openjdk-7 (7u65-2.5.2-4.1) unstable; urgency=medium . * Non-maintainer upload * Change B-D to libjpeg-dev to finish the transition to libjpeg-turbo (Closes: #763489) openjdk-7 (7u65-2.5.2-4) unstable; urgency=medium . * Update the hotspot for AArch64, rev 9580ebccfdc3. * Don't install tapset files. Not yet ready. Closes: #761043. openjdk-7 (7u65-2.5.2-3) unstable; urgency=medium . * Enable systemtap for development versions. * Fix the icedtea-sound build on x32. Closes: #760436. * Enable the template interpreter for ppc64 and ppc64el. openjdk-7 (7u65-2.5.2-2) unstable; urgency=medium . * Update JamVM patch for kfreebsd (Steven Chamberlain). Closes: #760160. openjdk-7 (7u65-2.5.2-1) unstable; urgency=medium . * IcedTea7 2.5.1 release (based on OpenJDK 7u65). * Update JamVM to 2.0.0. * Update the hotspot for AArch64, rev 778cb4032983. openjdk-7 (7u65-2.5.1-5) unstable; urgency=medium . * Fix quoting of configure args for the zero build. * Fix a stack verifier regression in the latest security updates. http://hg.openjdk.java.net/jdk7u/jdk7u/hotspot/rev/bad107a5d096 (Bill Huey) LP: #1360392. * Don't ship the apt binary anymore for new releases (deprecated upstream). * Let openjdk-7-source replace openjdk-7-jdk, widening the version range. * Update the hotspot for AArch64, rev 778cb4032983. openjdk-7 (7u65-2.5.1-5~deb7u1) wheezy-security; urgency=low . * Upload to wheezy-security. openjdk-7 (7u65-2.5.1-4) unstable; urgency=medium . * Let the file system check for the libpcsclite library succeed again, although we are not using it. Closes: #755893. openjdk-7 (7u65-2.5.1-3) unstable; urgency=medium . * Use the system libpcsclite library. Closes: #754952. * Let openjdk-7-source replace openjdk-7-jdk. Closes: #755126. openjdk-7 (7u65-2.5.1-2) unstable; urgency=medium . * openjdk-7-jdk: Fix src.zip symlink. Closes: #755126. openjdk-7 (7u65-2.5.1-2~deb7u1) wheezy-security; urgency=low . * Rebuild for wheezy openjdk-7 (7u65-2.5.1-1) unstable; urgency=high . * IcedTea7 2.5.1 release (based on OpenJDK 7u65). * Security fixes: - S8029755, CVE-2014-4209: Enhance subject class. - S8030763: Validate global memory allocation. - S8031340, CVE-2014-4264: Better TLS/EC management. - S8031346, CVE-2014-4244: Enhance RSA key handling. - S8031540: Introduce document horizon. - S8032536: JVM resolves wrong method in some unusual cases. - S8033055: Issues in 2d. - S8033301, CVE-2014-4266: Build more informative InfoBuilder. - S8034267: Probabilistic native crash. - S8034272: Do not cram data into CRAM arrays. - S8034985, CVE-2014-2483: Better form for Lambda Forms. - S8035004, CVE-2014-4252: Provider provides less service. - S8035009, CVE-2014-4218: Make Proxy representations consistent. - S8035119, CVE-2014-4219: Fix exceptions to bytecode verification. - S8035699, CVE-2014-4268: File choosers should be choosier. - S8035788. CVE-2014-4221: Provide more consistency for lookups. - S8035793, CVE-2014-4223: Maximum arity maxed out. - S8036571: (process) Process process arguments carefully. - S8036800: Attribute OOM to correct part of code. - S8037046: Validate libraries to be loaded. - S8037076, CVE-2014-2490: Check constant pool constants. - S8037157: Verify call. - S8037162, CVE-2014-4263: More robust DH exchanges. - S8037167, CVE-2014-4216: Better method signature resolution. - S8039520, CVE-2014-4262: More atomicity of atomic updates. * Build libjsig and libsaproc with hardening defaults. * Fix some lintian warnings. * Move libjavagtk into the -jre package. Closes: #754770. * Recognize -dcevm as a jvm. Closes: #748625. * Install the src.zip into an architecture independent path. Closes: #749648. openjdk-7 (7u60-2.5.0-2) unstable; urgency=high . * Refresh KFreeBSD patches (Steven Chamberlain). Closes: #754214. * Backport S7179339, xrender pipeline creates graphics corruption. (Matthias Bläsing). LP: #1101348. * Configure with --disable-infinality. Closes: #754343. LP: #1338897. openjdk-7 (7u60-2.5.0-1) unstable; urgency=medium . * IcedTea7 2.5.0 release (based on OpenJDK 7u60). * Convert to package format 3.0 (quilt). * Add the IcedTea Sound tarball. * Build the hotspot VM for ppc64 and ppc64el. * Replace the IcedTea patch system with quilt. * Re-enable the ARM assembler interpreter. openjdk-7 (7u55-2.4.7-2) unstable; urgency=medium . * Fix the quoting of configure flags for the zero build. * Update the java-access-bridge-security patch (Raphael Geissert). * Don't hard code the compiler names in the AArch64 hotspot build. * Build using GCC 4.9 where available. * Add MIPS64(el) support (Yunqiang Su). Closes: #746207. * Suggest fonts-indic instead of ttf-indic-fonts. Closes: #747694. openjdk-7 (7u55-2.4.7-1) unstable; urgency=high . * IcedTea7 2.4.7 release. * Security fixes - S8023046: Enhance splashscreen support. - S8025005: Enhance CORBA initializations. - S8025010, CVE-2014-2412: Enhance AWT contexts. - S8025030, CVE-2014-2414: Enhance stream handling. - S8025152, CVE-2014-0458: Enhance activation set up. - S8026067: Enhance signed jar verification. - S8026163, CVE-2014-2427: Enhance media provisioning. - S8026188, CVE-2014-2423: Enhance envelope factory. - S8026200: Enhance RowSet Factory. - S8026716, CVE-2014-2402: (aio) Enhance asynchronous channel handling. - S8026736, CVE-2014-2398: Enhance Javadoc pages. - S8026797, CVE-2014-0451: Enhance data transfers. - S8026801, CVE-2014-0452: Enhance endpoint addressing. - S8027766, CVE-2014-0453: Enhance RSA processing. - S8027775: Enhance ICU code. - S8027841, CVE-2014-0429: Enhance pixel manipulations. - S8028385: Enhance RowSet Factory. - S8029282, CVE-2014-2403: Enhance CharInfo set up. - S8029286: Enhance subject delegation. - S8029699: Update Poller demo. - S8029730: Improve audio device additions. - S8029735: Enhance service mgmt natives. - S8029740, CVE-2014-0446: Enhance handling of loggers. - S8029745, CVE-2014-0454: Enhance algorithm checking. - S8029750: Enhance LCMS color processing (LCMS 2 only). - S8029760, CVE-2013-6629: Enhance AWT image libraries (in-tree libjpeg). - S8029844, CVE-2014-0455: Enhance argument validation. - S8029854, CVE-2014-2421: Enhance JPEG decodings. - S8029858, CVE-2014-0456: Enhance array copies. - S8030731, CVE-2014-0460: Improve name service robustness. - S8031330: Refactor ObjectFactory. - S8031335, CVE-2014-0459: Better color profiling. - S8031352, CVE-2013-6954: Enhance PNG handling (in-tree libpng). - S8031394, CVE-2014-0457: (sl) Fix exception handling in ServiceLoader. - S8031395: Enhance LDAP processing. - S8032686, CVE-2014-2413: Issues with method invoke. - S8033618, CVE-2014-1876: Correct logging output. - S8034926, CVE-2014-2397: Attribute classes properly. - S8036794, CVE-2014-0461: Manage JavaScript instances. * AArch64 fixes. openjdk-7 (7u55-2.4.7-1~deb7u1) stable-security; urgency=low . * Build for stable openjdk-7 (7u51-2.4.6-1) unstable; urgency=medium . * IcedTea7 2.4.6 release. * Explicitly use AC_MAINTAINER_MODE and automake-1.11 to create the debian .orig tarball. Addresses: #740289. * Apply patch from upstream to fix bold fonts in Swing applications using GTK L&F (Ryan Tandy). LP: #937200. * Explicitly build-depend on libkrb5-dev. * On AArch64 don't use the hotsport backport for the zero build. openjdk-7 (7u51-2.4.6~pre1-1) unstable; urgency=medium . * IcedTea7 2.4.6 prerelease. * Fix icedtea-web build failure on kfreebsd-* (unable to find sun.security.util.SecurityConstants). Steven Chamberlain. Closes: #739032. * Update the AArch64 Hotspot. openjdk-7 (7u51-2.4.5-2) unstable; urgency=medium . * Update the KFreeBSD patch (Steven Chamberlain). Closes: #736291. openjdk-7 (7u51-2.4.5-1) unstable; urgency=medium . * IcedTea7 2.4.5 release. * Build Hotspot client and server vms for AArch64. openjdk-7 (7u51-2.4.4-1) unstable; urgency=medium . * IcedTea7 2.4.4 release. * Security fixes - S6727821: Enhance JAAS Configuration. - S7068126, CVE-2014-0373: Enhance SNMP statuses. - S8010935: Better XML handling. - S8011786, CVE-2014-0368: Better applet networking. - S8021257, S8025022, CVE-2013-5896 : com.sun.corba.se.** should be on restricted package list. - S8021271, S8021266, CVE-2014-0408: Better buffering in ObjC code. - S8022904: Enhance JDBC Parsers. - S8022927: Input validation for byte/endian conversions. - S8022935: Enhance Apache resolver classes. - S8022945: Enhance JNDI implementation classes. - S8023057: Enhance start up image display. - S8023069, CVE-2014-0411: Enhance TLS connections. - S8023245, CVE-2014-0423: Enhance Beans decoding. - S8023301: Enhance generic classes. - S8023338: Update jarsigner to encourage timestamping. - S8023672: Enhance jar file validation. - S8024302: Clarify jar verifications. - S8024306, CVE-2014-0416: Enhance Subject consistency. - S8024530: Enhance font process resilience. - S8024867: Enhance logging start up. - S8025014: Enhance Security Policy. - S8025018, CVE-2014-0376: Enhance JAX-P set up. - S8025026, CVE-2013-5878: Enhance canonicalization. - S8025034, CVE-2013-5907: Improve layout lookups. - S8025448: Enhance listening events. - S8025758, CVE-2014-0422: Enhance Naming management. - S8025767, CVE-2014-0428: Enhance IIOP Streams. - S8026172: Enhance UI Management. - S8026176: Enhance document printing. - S8026193, CVE-2013-5884: Enhance CORBA stub factories. - S8026204: Enhance auth login contexts. - S8026417, CVE-2013-5910: Enhance XML canonicalization. - S8026502: java/lang/invoke/MethodHandleConstants.java fails on all platforms. - S8027201, CVE-2014-0376: Enhance JAX-P set up. - S8029507, CVE-2013-5893: Enhance JVM method processing. - S8029533: REGRESSION: closed/java/lang/invoke/8008140/Test8008140.java fails agains. * Remove alpha from stage1_gcj_archs. * Use the langtools and jdk tarballs as provided by IcedTea. * Hotspot is dead on sparc. Build the zero interpreter as the default. * Blindly update the KF***BSD patches. openjdk-7 (7u45-2.4.3-5) unstable; urgency=medium . * Run the jtreg tests on powerpcspe, tested by Roland Stigge. * Fix zero builds on 64k page kernel configs. * Fix more IcedTea bits to build on x32. openjdk-7 (7u45-2.4.3-4) unstable; urgency=low . * Re-enable running the testsuite on powerpc. * Run the testsuite on AArch64. * Fix IcedTea bits to build on x32. openjdk-7 (7u45-2.4.3-3) unstable; urgency=low . * Don't build on s390 anymore. * Update hotspot-mips-align patch (Aurelien Jarno). Closes: #732528). * Build for ppc64el. * Try to build zero on x32. * Configure with --enable-zero on sparc and sparc64. openjdk-7 (7u45-2.4.3-2.3) unstable; urgency=medium . * Disable bootstrap build on alpha. Closes: #719671. * Disable running the jdk jtreg tests on the hotspot architectures. Hanging on the buildds. * Re-enable the jexec patch, program logic confused by running jexec outside the assumed java home. Closes: #731961. * Don't apply the s390 patches on s390x. s390 is successfully dead. * Fix zero builds on little endian architectures, taken from the trunk. openjdk-7 (7u45-2.4.3-1) unstable; urgency=medium . * IcedTea7 2.4.3 release. * Security fixes: - S8006900, CVE-2013-3829: Add new date/time capability. - S8008589: Better MBean permission validation. - S8011071, CVE-2013-5780: Better crypto provider handling. - S8011081, CVE-2013-5772: Improve jhat. - S8011157, CVE-2013-5814: Improve CORBA portablility. - S8012071, CVE-2013-5790: Better Building of Beans. - S8012147: Improve tool support. - S8012277: CVE-2013-5849: Improve AWT DataFlavor. - S8012425, CVE-2013-5802: Transform TransformerFactory. - S8013503, CVE-2013-5851: Improve stream factories. - S8013506: Better Pack200 data handling. - S8013510, CVE-2013-5809: Augment image writing code. - S8013514: Improve stability of cmap class. - S8013739, CVE-2013-5817: Better LDAP resource management. - S8013744, CVE-2013-5783: Better tabling for AWT. - S8014085: Better serialization support in JMX classes. - S8014093, CVE-2013-5782: Improve parsing of images. - S8014098: Better profile validation. - S8014102, CVE-2013-5778: Improve image conversion. - S8014341, CVE-2013-5803: Better service from Kerberos servers. - S8014349, CVE-2013-5840: (cl) Class.getDeclaredClass problematic in some class loader configurations. - S8014530, CVE-2013-5825: Better digital signature processing. - S8014534: Better profiling support. - S8014987, CVE-2013-5842: Augment serialization handling. - S8015614: Update build settings. - S8015731: Subject java.security.auth.subject to improvements. - S8015743, CVE-2013-5774: Address internet addresses. - S8016256: Make finalization final. - S8016653, CVE-2013-5804: javadoc should ignore ignoreable characters in names. - S8016675, CVE-2013-5797: Make Javadoc pages more robust. - S8017196, CVE-2013-5850: Ensure Proxies are handled appropriately. - S8017287, CVE-2013-5829: Better resource disposal. - S8017291, CVE-2013-5830: Cast Proxies Aside. - S8017298, CVE-2013-4002: Better XML support. - S8017300, CVE-2013-5784: Improve Interface Implementation. - S8017505, CVE-2013-5820: Better Client Service. - S8019292: Better Attribute Value Exceptions. - S8019617: Better view of objects. - S8020293: JVM crash. - S8021275, CVE-2013-5805: Better screening for ScreenMenu. - S8021282, CVE-2013-5806: Better recycling of object instances. - S8021286: Improve MacOS resourcing. - S8021290, CVE-2013-5823: Better signature validation. - S8022931, CVE-2013-5800: Enhance Kerberos exceptions. - S8022940: Enhance CORBA translations. - S8023683: Enhance class file parsing. * Fix build failure on mips* (Aurelien Jarno). Closes: #729448). * Run autoreconf. Closes: #724083. * Merge the -jre-lib package into -jre-headless. Simplifies the packaging and the savings were not as big as wanted, because the rt.jar is still architecture dependant. Closes: #641049, #722510. openjdk-7 (7u25-2.3.12-4) unstable; urgency=low . * Add the hotspot patches for AArch64, which apparently were not included in the IcedTea release by intent. * Don't interpret arm64 as an ARM architecture, but as AArch64. So much for Debian calling this port arm64 ... * Use host macros instead of build macros for corba and hotspot config. * Re-add multiarch library directories to the default library path. Closes: #712567. * Enable the two-stage build on alpha. Closes: #719671. * Build for powerpcspe (Roland Stigge). Closes: #712686. * Recommend fonts-dejavu-extra instead of ttf-dejavu-extra for current releases. Closes: #718839. openjdk-7 (7u25-2.3.12-3) unstable; urgency=low . * Fix kFreeBSD builds (Thanks to Christoph Egger for his help). openjdk-7 (7u25-2.3.12-2) unstable; urgency=low . [ Matthias Klose ] * Regenerate the hotspot-s390 patch. . [ Damien Raude-Morvan ] * Update kfreebsd patches. openjdk-7 (7u25-2.3.12-1) unstable; urgency=low . * IcedTea7 2.3.12 release. * Don't build with pulseaudio on arm64. * Disable bootstraped build on s390 and sparc. openjdk-7 (7u25-2.3.10-2) unstable; urgency=low . [ Matthias Klose ] * Fix gcj-jdk build dependency on ia64 and s390. * Build zero on arm64. . [ Gianfranco Costamagna ] * Fix build failure on kfreebsd (Closes: #714528) openjdk-7 (7u25-2.3.10-1) unstable; urgency=high . * IcedTea7 2.3.10 release. * Security fixes * S6741606, CVE-2013-2407: Integrate Apache Santuario. * S7158805, CVE-2013-2445: Better rewriting of nested subroutine calls. * S7170730, CVE-2013-2451: Improve Windows network stack support. * S8000638, CVE-2013-2450: Improve deserialization. * S8000642, CVE-2013-2446: Better handling of objects for transportation. * S8001032: Restrict object access. * S8001033, CVE-2013-2452: Refactor network address handling in virtual machine identifiers. * S8001034, CVE-2013-1500: Memory management improvements. * S8001038, CVE-2013-2444: Resourcefully handle resources. * S8001043: Clarify definition restrictions. * S8001308: Update display of applet windows. * S8001309: Better handling of annotation interfaces. * S8001318, CVE-2013-2447: Socket.getLocalAddress not consistent with InetAddress.getLocalHost. * S8001330, CVE-2013-2443: Improve on checking order (non-Zero builds only). * S8003703, CVE-2013-2412: Update RMI connection dialog box. * S8004288, CVE-2013-2449: (fs) Files.probeContentType problems. * S8004584: Augment applet contextualization. * S8005007: Better glyph processing. * S8006328, CVE-2013-2448: Improve robustness of sound classes. * S8006611: Improve scripting. * S8007467: Improve robustness of JMX internal APIs. * S8007471: Improve MBean notifications. * S8007812, CVE-2013-2455: (reflect) Class.getEnclosingMethod problematic for some classes. * S8007925: Improve cmsStageAllocLabV2ToV4curves. * S8007926: Improve cmsPipelineDup. * S8007927: Improve cmsAllocProfileSequenceDescription. * S8007929: Improve CurvesAlloc. * S8008120, CVE-2013-2457: Improve JMX class checking. * S8008124, CVE-2013-2453: Better compliance testing. * S8008128: Better API coherence for JMX. * S8008132, CVE-2013-2456: Better serialization support. * S8008585: Better JMX data handling. * S8008593: Better URLClassLoader resource management. * S8008603: Improve provision of JMX providers. * S8008607: Better input checking in JMX. * S8008611: Better handling of annotations in JMX. * S8008615: Improve robustness of JMX internal APIs. * S8008623: Better handling of MBeanServers. * S8008744, CVE-2013-2407: Rework part of fix for JDK-6741606. * S8008982: Adjust JMX for underlying interface changes. * S8009004: Better implementation of RMI connections. * S8009008: Better manage management-api. * S8009013: Better handling of T2K glyphs. * S8009034: Improve resulting notifications in JMX. * S8009038: Improve JMX notification support. * S8009057, CVE-2013-2448: Improve MIDI event handling. * S8009067: Improve storing keys in KeyStore. * S8009071, CVE-2013-2459: Improve shape handling. * S8009235: Improve handling of TSA data. * S8009424, CVE-2013-2458: Adapt Nashorn to JSR-292 implementation change. * S8009554, CVE-2013-2454: Improve SerialJavaObject.getFields. * S8009654: Improve stability of cmsnamed. * S8010209, CVE-2013-2460: Better provision of factories. * S8011243, CVE-2013-2470: Improve ImagingLib. * S8011248, CVE-2013-2471: Better Component Rasters. * S8011253, CVE-2013-2472: Better Short Component Rasters. * S8011257, CVE-2013-2473: Better Byte Component Rasters. * S8012375, CVE-2013-1571: Improve Javadoc framing. * S8012421: Better positioning of PairPositioning. * S8012438, CVE-2013-2463: Better image validation. * S8012597, CVE-2013-2465: Better image channel verification. * S8012601, CVE-2013-2469: Better validation of image layouts. * S8014281, CVE-2013-2461: Better checking of XML signature. * S8015997: Additional improvement in Javadoc framing. * Breaks icedtea-netx (<< 1.4-2). openjdk-7 (7u25-2.3.10-1~deb7u1) stable-security; urgency=low . * Build for stable openjdk-7 (7u21-2.3.9-5) unstable; urgency=low . * Update kFreeBSD support (Guido Guenther). Closes: #708818. * Stop building the transitional cacao package for sid. openjdk-7 (7u21-2.3.9-4) unstable; urgency=high . * Build the transitional cacao package for sid as well. Apparently some buildds are not updated to list wheezy as the code name for the current distribution. openjdk-7 (7u21-2.3.9-3) unstable; urgency=high . * Disable the cacao build again, causing build failures on i386 and s390. * Build a transitional cacao jre package instead. openjdk-7 (7u21-2.3.9-2) unstable; urgency=high . * On ia64, use gcj-4.7 for the bootstrap build. * Drop the cacao jre from recommends to suggests. * Re-enable cacao, was enabled in the 2.1.x series. openjdk-7 (7u21-2.3.9-1) unstable; urgency=high . * IcedTea7 2.3.9 release. * Security fixes: - S6657673, CVE-2013-1518: Issues with JAXP. - S7200507: Refactor Introspector internals. - S8000724, CVE-2013-2417: Improve networking serialization. - S8001031, CVE-2013-2419: Better font processing. - S8001040, CVE-2013-1537: Rework RMI model. - S8001322: Refactor deserialization. - S8001329, CVE-2013-1557: Augment RMI logging. - S8003335: Better handling of Finalizer thread. - S8003445: Adjust JAX-WS to focus on API. - S8003543, CVE-2013-2415: Improve processing of MTOM attachments. - S8004261: Improve input validation. - S8004336, CVE-2013-2431: Better handling of method handle intrinsic frames. - S8004986, CVE-2013-2383: Better handling of glyph table. - S8004987, CVE-2013-2384: Improve font layout. - S8004994, CVE-2013-1569: Improve checking of glyph table. - S8005432: Update access to JAX-WS. - S8005943: (process) Improved Runtime.exec. - S8006309: More reliable control panel operation. - S8006435, CVE-2013-2424: Improvements in JMX. - S8006790: Improve checking for windows. - S8006795: Improve font warning messages. - S8007406: Improve accessibility of AccessBridge. - S8007617, CVE-2013-2420: Better validation of images. - S8007667, CVE-2013-2430: Better image reading. - S8007918, CVE-2013-2429: Better image writing. - S8008140: Better method handle resolution. - S8009049, CVE-2013-2436: Better method handle binding. - S8009063, CVE-2013-2426: Improve reliability of ConcurrentHashMap. - S8009305, CVE-2013-0401: Improve AWT data transfer. - S8009677, CVE-2013-2423: Better setting of setters. - S8009699, CVE-2013-2421: Methodhandle lookup. - S8009814, CVE-2013-1488: Better driver management. - S8009857, CVE-2013-2422: Problem with plugin. * Backports: - S7130662: GTK file dialog crashes with a NPE. * Bug fixes - PR1363: Fedora 19 / rawhide FTBFS SIGILL. - PR1401: Fix Zero build on 2.3.8. - Fix offset problem in ICU LETableReference. - Change -Werror fix to preserve OpenJDK default. - PR1303: Correct #ifdef to #if. - PR1404: Failure to bootstrap with ecj 4.2. openjdk-7 (7u17-2.3.8-2) experimental; urgency=low . * Remove Torsten Werner as uploader. openjdk-7 (7u17-2.3.8-1) experimental; urgency=low . * IcedTea7 2.3.8 release. * Security fixes: - S8007014, CVE-2013-0809: Improve image handling. - S8007675, CVE-2013-1493: Improve color conversion. * Backports: - S8002344: Krb5LoginModule config class does not return proper KDC list from DNS. - S8004344: Fix a crash in ToolkitErrorHandler() in XlibWrapper.c. - S8006179: JSR292 MethodHandles lookup with interface using findVirtual(). - S8006882: Proxy generated classes in sun.proxy package breaks JMockit. * Bug fixes: - PR1303: Correct #ifdef to #if. - PR1340: Simplify the rhino class rewriter to avoid use of concurrency. - Revert 7017193 and add the missing free call, until a better fix is ready. openjdk-7 (7u15-2.3.7-1) experimental; urgency=low . * IcedTea7 2.3.7 release. * Security fixes: - S8004937, CVE-2013-1484: Improve proxy construction. - S8006439, CVE-2013-1485: Improve MethodHandles coverage. - S8006446, CVE-2013-1486: Restrict MBeanServer access. - S8006777, CVE-2013-0169: Improve TLS handling of invalid messages. - S8007688: Blacklist known bad certificate. * Backports: - S8007393: Possible race condition after JDK-6664509. - S8007611: logging behavior in applet changed. * For zero builds, use the same hotspot version as in 2.1.6. * Reenable bootstrap builds, except for alpha. * Explicitly disable building on mips/mipsel. Not supported by the Debian OpenJDK maintainers, the Debian mips porters, or the Debian Java team. openjdk-7 (7u13-2.3.6-1) experimental; urgency=low . * IcedTea7 2.3.6 release. - Disable bootstrap builds, currently broken in IcedTea. * Security fixes: - S6563318, CVE-2013-0424: RMI data sanitization. - S6664509, CVE-2013-0425: Add logging context. - S6664528, CVE-2013-0426: Find log level matching its name or value given at construction time. - S6776941: CVE-2013-0427: Improve thread pool shutdown. - S7141694, CVE-2013-0429: Improving CORBA internals. - S7173145: Improve in-memory representation of splashscreens. - S7186945: Unpack200 improvement. - S7186946: Refine unpacker resource usage. - S7186948: Improve Swing data validation. - S7186952, CVE-2013-0432: Improve clipboard access. - S7186954: Improve connection performance. - S7186957: Improve Pack200 data validation. - S7192392, CVE-2013-0443: Better validation of client keys. - S7192393, CVE-2013-0440: Better Checking of order of TLS Messages. - S7192977, CVE-2013-0442: Issue in toolkit thread. - S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies. - S7200491: Tighten up JTable layout code. - S7200500: Launcher better input validation. - S7201064: Better dialogue checking. - S7201066, CVE-2013-0441: Change modifiers on unused fields. - S7201068, CVE-2013-0435: Better handling of UI elements. - S7201070: Serialization to conform to protocol. - S7201071, CVE-2013-0433: InetSocketAddress serialization issue. - S8000210: Improve JarFile code quality. - S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class. - S8000540, CVE-2013-1475: Improve IIOP type reuse management. - S8000631, CVE-2013-1476: Restrict access to class constructor. - S8001235, CVE-2013-0434: Improve JAXP HTTP handling. - S8001242: Improve RMI HTTP conformance. - S8001307: Modify ACC_SUPER behavior. - S8001972, CVE-2013-1478: Improve image processing. - S8002325, CVE-2013-1480: Improve management of images. * Fix font suggestion for indic fonts in wheezy. * Fix fontconfig definitions for japanese and korean fonts, fixing compilation of the fontconfig file. * Add Built-Using: rhino attribute for the -lib package. * Don't use concurrent features to rewrite the rhino jar file. * Enable class data sharing for the hotspot server VM. openjdk-7 (7u9-2.3.5~pre1-1) experimental; urgency=low . * IcedTea7 2.3.5 snapshot, taken from the icedtea7-2.3 branch. - Disable bootstrap builds, currently broken in IcedTea. * Security fixes: - S6563318, CVE-2013-0424: RMI data sanitization. - S6664509, CVE-2013-0425: Add logging context. - S6664528, CVE-2013-0426: Find log level matching its name or value given at construction time. - S6776941: CVE-2013-0427: Improve thread pool shutdown. - S7141694, CVE-2013-0429: Improving CORBA internals. - S7173145: Improve in-memory representation of splashscreens. - S7186945: Unpack200 improvement. - S7186946: Refine unpacker resource usage. - S7186948: Improve Swing data validation. - S7186952, CVE-2013-0432: Improve clipboard access. - S7186954: Improve connection performance. - S7186957: Improve Pack200 data validation. - S7192392, CVE-2013-0443: Better validation of client keys. - S7192393, CVE-2013-0440: Better Checking of order of TLS Messages. - S7192977, CVE-2013-0442: Issue in toolkit thread. - S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies. - S7200491: Tighten up JTable layout code. - S7200500: Launcher better input validation. - S7201064: Better dialogue checking. - S7201066, CVE-2013-0441: Change modifiers on unused fields. - S7201068, CVE-2013-0435: Better handling of UI elements. - S7201070: Serialization to conform to protocol. - S7201071, CVE-2013-0433: InetSocketAddress serialization issue. - S8000210: Improve JarFile code quality. - S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class. - S8000540, CVE-2013-1475: Improve IIOP type reuse management. - S8000631, CVE-2013-1476: Restrict access to class constructor. - S8001235, CVE-2013-0434: Improve JAXP HTTP handling. - S8001242: Improve RMI HTTP conformance. - S8001307: Modify ACC_SUPER behavior. - S8001972, CVE-2013-1478: Improve image processing. - S8002325, CVE-2013-1480: Improve management of images. * Fix font suggestion for indic fonts in wheezy. * Fix fontconfig definitions for japanese and korean fonts, fixing compilation of the fontconfig file. * Add Built-Using: rhino attribute for the -lib package. * Don't use concurrent features to rewrite the rhino jar file. * Enable class data sharing for the hotspot server VM. openjdk-7 (7u9-2.3.4-1) experimental; urgency=low . * IcedTea7 2.3.4 release. * Security fixes - S8004933, CVE-2012-3174: Improve MethodHandle interaction with libraries. - S8006017, CVE-2013-0422: Improve lookup resolutions. - S8006125: Update MethodHandles library interactions. * Bug fixes - S7197906: BlockOffsetArray::power_to_cards_back() needs to handle > 32 bit shifts. - G422525: Fix building with PaX enabled kernels. . [ Matthias Klose ] * Loosen OpenGL dependency. Closes: #695028. * Fix error parsing drop files parameter from pcmanfm (Alberto Fernández Martínez). Closes: #695992. . [ Thorsten Glaser ] * debian/rules: Use gcj-4.6-jdk for m68k builds. * d/patches/text-relocations.patch: build with -fPIC on all archs. openjdk-7 (7u9-2.3.3-1) experimental; urgency=low . * Upload to experimental. . openjdk-7 (7u9-2.3.3-0ubuntu1) quantal-security; urgency=low . * IcedTea7 2.3.3 release. * Security fixes - S6631398, CVE-2012-3216: FilePermission improved path checking. - S7093490: adjust package access in rmiregistry. - S7143535, CVE-2012-5068: ScriptEngine corrected permissions. - S7158796, CVE-2012-5070: Tighten properties checking in EnvHelp. - S7158807: Revise stack management with volatile call sites. - S7163198, CVE-2012-5076: Tightened package accessibility. - S7167656, CVE-2012-5077: Multiple Seeders are being created. - S7169884, CVE-2012-5073: LogManager checks do not work correctly for sub-types. - S7169887, CVE-2012-5074: Tightened package accessibility. - S7169888, CVE-2012-5075: Narrowing resource definitions in JMX RMI connector. - S7172522, CVE-2012-5072: Improve DomainCombiner checking. - S7186286, CVE-2012-5081: TLS implementation to better adhere to RFC. - S7189103, CVE-2012-5069: Executors needs to maintain state. - S7189490: More improvements to DomainCombiner checking. - S7189567, CVE-2012-5085: java net obselete protocol. - S7192975, CVE-2012-5071: Issue with JMX reflection. - S7195194, CVE-2012-5084: Better data validation for Swing. - S7195549, CVE-2012-5087: Better bean object persistence. - S7195917, CVE-2012-5086: XMLDecoder parsing at close-time should be improved. - S7195919, CVE-2012-5979: (sl) ServiceLoader can throw CCE without needing to create instance. - S7196190, CVE-2012-5088: Improve method of handling MethodHandles. - S7198296, CVE-2012-5089: Refactor classloader usage. - S7158800: Improve storage of symbol tables. - S7158801: Improve VM CompileOnly option. - S7158804: Improve config file parsing. - S7198606, CVE-2012-4416: Improve VM optimization. . openjdk-7 (7u7-2.3.2a-1ubuntu1) quantal; urgency=low . * Build a transitional icedtea-7-jre-cacao package to ease upgrades. openjdk-7 (7u7-2.3.2a-1) experimental; urgency=low . * Upload to experimental. . openjdk-7 (7u7-2.3.2a-0ubuntu1) quantal; urgency=low . * Repackage the source to drop the cacao tarball (and packaging files). * Depend again on system provided tzdata-java and restore the zi symlink on upgrade. LP: #1050404. * libgnome2-0, libgnomevfs2-0, libgconf2-4 are not prepared for multiarch. Don't depend on these so that openjdk-7 can be installed as a multiarch package. . openjdk-7 (7u7-2.3.2-1ubuntu2) quantal; urgency=low . * Make the avian VM a known runtime. . openjdk-7 (7u7-2.3.2-1ubuntu1) quantal; urgency=low . * Fix 32bit hotspot build, don't set maximal heap space lower than minimal heap space for the docs build. * d/p/sane-library-paths.patch, d/p/ant-diagnostics.diff, d/p/fix-race-cond-print.diff, d/p/gcc-hotspot-opt-O[02].diff, d/p/gcc-mtune-generic.diff, d/p/openjdk-6986968.diff: Remove, not used. * Remove unused shark/llvm-3.0 patches. * d/p/zero-only-use-floating-point-if-floating-poi.patch: Remove, applied upstream. * Don't explicitly build with -march=i586 on i386 architectures. * Re-apply zero-missing-headers.diff. * Disable cacao builds, needs update for 7u7. * For Ubuntu quantal, set priorities for alternatives higher than for OpenJDK 6. * Call update-alternatives when the existing priority for the alternative is lower than the current one. * Configure with --disable-downloading. * Pass -avoid-version to libtool to create a JamVM libjvm.so without SONAME version numbers to match the Hotspot Server/Client libjvm.so. LP: #850433. * Revert the following change: Move libgnome2-0, libgnomevfs2-0, libgconf2-4 from Depends of JRE package to Recommends (#661465). The proper fix is to create a -jdk-headless package, or not depending on these gnome packages at all (e.g. using XDG libraries). openjdk-7 (7u7-2.3.2-1) experimental; urgency=low . * New upstream IcedTea7 2.3.2 release. * Security fixes: - CVE-2012-4681: Reintroduce PackageAccessible checks removed in 6788531. - S7079902, CVE-2012-1711: Refine CORBA data models. - S7143606, CVE-2012-1717: File.createTempFile should be improved for temporary files created by the platform. - S7143614, CVE-2012-1716: SynthLookAndFeel stability improvement. - S7143617, CVE-2012-1713: Improve fontmanager layout lookup operations. - S7143851, CVE-2012-1719: Improve IIOP stub and tie generation in RMIC. - S7143872, CVE-2012-1718: Improve certificate extension processing. - S7152811, CVE-2012-1723: Issues in client compiler. - S7157609, CVE-2012-1724: Issues with loop. - S7160757, CVE-2012-1725: Problem with hotspot/runtime_classfile. - S7165628, CVE-2012-1726: Issues with java.lang.invoke.MethodHandles.Lookup. * Bump version to 7u7 (OpenJDK), 2.3.2 (IcedTea). Closes: #685276. * d/p/icedtea7-forest-jdk_7104625-XEvent_wrap_logging_calls_with_if.patch, d/p/hotspot-sparc.diff: Remove, integrated upstream. * d/p/{deb-multiarch,fix_extra_flags,hotspot-no-werror}.diff: Add variants for hotspot and zero builds. * d/p/default-jvm-cfg.diff, d/p/icedtea-4953367.patch, d/p/icedtea-patch.diff, d/p/icedtea-pretend-memory.diff, d/p/libpcsclite-dlopen.diff, d/p/nonreparenting-wm.diff: Update for 2.3.2. * Remove build support for Ubuntu releases earlier than hardy. * d/update-shasum.sh: Only update the shasums of the -dfsg tarballs. * Don't apply shark patches (not built anyway). openslp-dfsg (1.2.1-9+deb7u1) wheezy-security; urgency=high . * QA upload from the Security Team * Fix double free as per CVE-2015-5177 openssh (1:6.0p1-4+deb7u3) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Disable roaming in openssh client: roaming code is vulnerable to an information leak (CVE-2016-0777) and heap-based buffer overflow (CVE-2016-0778). openssl (1.0.1e-2+deb7u20) wheezy-security; urgency=medium . * Fix CVE-2016-0797 * Fix CVE-2016-0798 * Fix CVE-2016-0799 * Fix CVE-2016-0702 * Fix CVE-2016-0705 * Disable EXPORT and LOW ciphers: The DROWN attack (CVE-2016-0800) makes use of those, and SLOTH attack (CVE-2015-7575) can make use of them too. openssl (1.0.1e-2+deb7u19) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2015-7575.patch patch. CVE-2015-7575: SLOTH: Security Losses from Obsolete and Truncated Transcript Hashes. openssl (1.0.1e-2+deb7u18) wheezy-security; urgency=medium . * Fix CVE-2015-3194 * Fix CVE-2015-3195 * Fix CVE-2015-3196 perl (5.14.2-21+deb7u3) wheezy-security; urgency=high . * Work around a t/op/stat.t failure on GNU/kFreeBSD, possibly related to softupdates. Fix by Steven Chamberlain. (Closes: #796798) * [SECURITY] CVE-2016-2381 fix duplicate environment variable taint checking issue php5 (5.4.45-0+deb7u2) wheezy-security; urgency=high . * Merge security updates from PHP 5.5.30 into PHP 5.4.45 - Phar: . Fixed bug #69720 (Null pointer dereference in phar_get_fp_offset()). . Fixed bug #70433 (Uninitialized pointer in phar_make_dirstream when zip entry filename is "/"). * Add a notice about PHP 5.4 EOL to d/NEWS php5 (5.4.45-0+deb7u1) wheezy-security; urgency=medium . * New upstream version 5.4.45 - Core: . Fixed bug #70172 (Use After Free Vulnerability in unserialize()). . Fixed bug #70219 (Use after free vulnerability in session deserializer). - EXIF: . Fixed bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes). - hash: . Fixed bug #70312 (HAVAL gives wrong hashes in specific cases). - PCRE: . Fixed bug #70345 (Multiple vulnerabilities related to PCRE functions). - SOAP: . Fixed bug #70388 (SOAP serialize_function_call() type confusion / RCE). - SPL: . Fixed bug #70365 (Use-after-free vulnerability in unserialize() with SplObjectStorage). . Fixed bug #70366 (Use-after-free vulnerability in unserialize() with SplDoublyLinkedList). - XSLT: . Fixed bug #69782 (NULL pointer dereference). - ZIP: . Fixed bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories). * Rebase patches on top of 5.4.45 release phpmyadmin (4:3.4.11.1-2+deb7u2) wheezy-security; urgency=high . * Fix security issues (closes: #774194): - CVE-2014-8958: Multiple XSS vulnerabilities. - CVE-2014-9218: DoS vulnerability with long passwords. - CVE-2015-2206: Risk of BREACH attack due to reflected parameter. - CVE-2015-3902: XSRF/CSRF vulnerability in phpMyAdmin setup. pixman (0.26.0-4+deb7u2) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2014-9766: integer overflow in create_bits function polarssl (1.2.9-1~deb7u6) wheezy-security; urgency=high . * Non-maintainer upload by the LTS Security Team. * CVE-2015-5291: Remote attack on clients using session tickets or SNI postgresql-9.1 (9.1.19-0+deb7u1) wheezy; urgency=medium . * New upstream version. . + Fix contrib/pgcrypto to detect and report too-short crypt() salts (Josh Kupershmidt) . Certain invalid salt arguments crashed the server or disclosed a few bytes of server memory. We have not ruled out the viability of attacks that arrange for presence of confidential information in the disclosed bytes, but they seem unlikely. (CVE-2015-5288) postgresql-9.1 (9.1.18-0+deb8u1) jessie; urgency=medium . * New upstream release: No effective changes for PL/Perl, the version must just be higher than the one in wheezy. privoxy (3.0.19-2+deb7u3) wheezy-security; urgency=high . * 40_CVE-2016-1982: Prevent invalid reads in case of corrupt chunk-encoded content. * 41_CVE-2016-1983: Remove empty Host headers in client requests. Previously they would result in invalid reads. prosody (0.8.2-4+deb7u4) wheezy-security; urgency=high . * CVE-2016-0756: insecure dialback key generation/validation algorithm * Fix for regression introduced in the previous CVE-2016-1232 fix: s2s doesn't work if /dev/urandom is read-only. prosody (0.8.2-4+deb7u3) wheezy-security; urgency=high . * CVE-2016-1231: path traversal in http built-in server * CVE-2016-1232: weak PRNG for dialback on S2S putty (0.62-9+deb7u3) wheezy-security; urgency=high . * More robust control sequence parameter handling, including: - CVE-2015-5309: Fix a potentially memory-corrupting integer overflow in the handling of the ECH (erase characters) control sequence in the terminal emulator. pygments (1.5+dfsg-1+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2015-8557.patch patch. CVE-2015-8557: Shell injection in FontManager._get_nix_font_path. (Closes: #802828) pykerberos (1.1+svn4895-1+deb7u1) wheezy; urgency=medium . * Add KDC authenticity verification support (CVE-2015-3206). Obtained from upstream, ignoring white-space changes, URL: https://github.com/02strich/pykerberos/commit/ 02d13860b25fab58e739f0e000bed0067b7c6f9c pykerberos (1.1+svn4895-1+deb6u2) squeeze-lts; urgency=medium . * [8afa7e6] Make checkPassword behave as advertised. Don't verify the password by default and make the verify parameter optional (and non const). pykerberos (1.1+svn4895-1+deb6u1) squeeze-lts; urgency=medium . * Non-maintainer upload by the Debian LTS Team. * Add KDC authenticity verification support (CVE-2015-3206). Obtained from upstream, ignoring white-space changes, URL: https://github.com/02strich/pykerberos/commit/ 02d13860b25fab58e739f0e000bed0067b7c6f9c * Also include bin/login, an example script allowing the user to test the functionality of the new verify flag. * debian/NEWS: + Provide detailled background information on the new verify option of the checkPassword() method. python-django (1.4.5-1+deb7u14) wheezy-security; urgency=high . * New upstream security release: - Settings leak possibility in ``date`` template filter (CVE-2015-8213) python-django (1.4.5-1+deb7u14~bpo60+1) squeeze-backports; urgency=high . * Rebuild for squeeze-backports. python-imaging (1.1.7-4+deb7u2) wheezy-security; urgency=high . * Non-maintainer upload. * CVE-2016-0775: Fix buffer overflow in FliDecode.c (Closes: #813909) * CVE-2016-2533: Fix buffer overflow in PcdDecode.c. qemu (1.1.2+dfsg-6a+deb7u12) wheezy-security; urgency=high . * applied 3 patches from upstream to fix virtio-net possible remote DoS (Closes: #799452 CVE-2015-7295) * pcnet-add-check-to-validate-receive-data-size-CVE-2015-7504.patch (Closes: #806742, CVE-2015-7504) * pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch (Closes: #806741, CVE-2015-7512) * eepro100-prevent-two-endless-loops-CVE-2015-8345.patch (Closes: #806373, CVE-2015-8345) * vnc-avoid-floating-point-exception-CVE-2015-8504.patch (Closes: #808130, CVE-2015-8504) * ehci-make-idt-processing-more-robust-CVE-2015-8558.patch (Closes: #808144, CVE-2015-8558) * net-ne2000-fix-bounds-check-in-ioport-operations-CVE-2015-8743.patch (Closes: #810519, CVE-2015-8743) * ide-ahci-reset-ncq-object-to-unused-on-error-CVE-2016-1568.patch (Closes: #810527, CVE-2016-1568) * fw_cfg-add-check-to-validate-current-entry-value-CVE-2016-1714.patch (Closes: CVE-2016-1714) * i386-avoid-null-pointer-dereference-CVE-2016-1922.patch (Closes: #811201, CVE-2016-1922) qemu (1.1.2+dfsg-6a+deb7u11) wheezy-security; urgency=high . * ne2000-add-checks-to-validate-ring-buffer-pointers-CVE-2015-5279.patch fix for Heap overflow vulnerability in ne2000_receive() function (Closes: #799074 CVE-2015-5279) * ne2000-avoid-infinite-loop-when-receiving-packets-CVE-2015-5278.patch (Closes: #799073 CVE-2015-5278) qemu (1.1.2+dfsg-6a+deb7u10) wheezy-security; urgency=high . * Acknowlege the previous update. Thank you Salvatore for the hard work you did fixing so many security issues. * rename last patches removing numeric prefixes, so that different series wont intermix with each other, add Bug-Debian: headers. * Add e1000-avoid-infinite-loop-in-transmit-CVE-2015-6815.patch. CVE-2015-6815: net: e1000 infinite loop issue in processing transmit descriptor. (Closes: #798101 CVE-2015-6815) * Add ide-fix-ATAPI-command-permissions-CVE-2015-6855.patch. CVE-2015-6855: ide: qemu allows arbitrary commands to be sent to an ATAPI device from guest, while illegal comands might have security impact, f.e. WIN_READ_NATIVE_MAX results in divide by zero error. (Closes: CVE-2015-6855) qemu (1.1.2+dfsg-6a+deb7u9) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add patches for CVE-2015-5165. CVE-2015-5165: rtl8139 uninitialized heap memory information leakage to guest. (Closes: #794610) * Add 0001-virtio-serial-fix-ANY_LAYOUT.patch patch. CVE-2015-5745: buffer overflow in virtio-serial. (Closes: #795087) qemu-kvm (1.1.2+dfsg-6+deb7u12) wheezy-security; urgency=high . * applied 3 patches from upstream to fix virtio-net possible remote DoS (Closes: #799452 CVE-2015-7295) * pcnet-add-check-to-validate-receive-data-size-CVE-2015-7504.patch (Closes: #806742, CVE-2015-7504) * pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch (Closes: #806741, CVE-2015-7512) * eepro100-prevent-two-endless-loops-CVE-2015-8345.patch (Closes: #806373, CVE-2015-8345) * vnc-avoid-floating-point-exception-CVE-2015-8504.patch (Closes: #808130, CVE-2015-8504) * ehci-make-idt-processing-more-robust-CVE-2015-8558.patch (Closes: #808144, CVE-2015-8558) * net-ne2000-fix-bounds-check-in-ioport-operations-CVE-2015-8743.patch (Closes: #810519, CVE-2015-8743) * ide-ahci-reset-ncq-object-to-unused-on-error-CVE-2016-1568.patch (Closes: #810527, CVE-2016-1568) * fw_cfg-add-check-to-validate-current-entry-value-CVE-2016-1714.patch (Closes: CVE-2016-1714) * i386-avoid-null-pointer-dereference-CVE-2016-1922.patch (Closes: #811201, CVE-2016-1922) qemu-kvm (1.1.2+dfsg-6+deb7u11) wheezy-security; urgency=high . * ne2000-add-checks-to-validate-ring-buffer-pointers-CVE-2015-5279.patch fix for Heap overflow vulnerability in ne2000_receive() function (Closes: #799074 CVE-2015-5279) * ne2000-avoid-infinite-loop-when-receiving-packets-CVE-2015-5278.patch (Closes: #799073 CVE-2015-5278) qemu-kvm (1.1.2+dfsg-6+deb7u10) wheezy-security; urgency=high . * Acknowlege the previous update. Thank you Salvatore for the hard work you did fixing so many security issues. * rename last patches removing numeric prefixes, so that different series wont intermix with each other, add Bug-Debian: headers. * Add e1000-avoid-infinite-loop-in-transmit-CVE-2015-6815.patch. CVE-2015-6815: net: e1000 infinite loop issue in processing transmit descriptor. (Closes: #798101 CVE-2015-6815) * Add ide-fix-ATAPI-command-permissions-CVE-2015-6855.patch. CVE-2015-6855: ide: qemu allows arbitrary commands to be sent to an ATAPI device from guest, while illegal comands might have security impact, f.e. WIN_READ_NATIVE_MAX results in divide by zero error. (Closes: CVE-2015-6855) qemu-kvm (1.1.2+dfsg-6+deb7u9) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add patches for CVE-2015-5165. CVE-2015-5165: rtl8139 uninitialized heap memory information leakage to guest. * Add 0001-virtio-serial-fix-ANY_LAYOUT.patch patch. CVE-2015-5745: buffer overflow in virtio-serial. quagga (0.99.22.4-1+wheezy2) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-2342: VPNv4 NLRI parses memcpys to stack on unchecked length (Closes: #819179) radicale (0.7-1.1+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload. * CVE-2015-8748 and CVE-2015-8747: Fix insecure path handling by sanitizing system paths and always making them absolute. Version 0.7 of Radicale is only partly affected by CVE-2015-8747 because the multifilesystem storage does not exist in this version. (Closes: #809920) roundup (1.4.20-1.1+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2014-6276: Disclosure of user hashed passwords rpcbind (0.2.0-8+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2015-7236.patch patch. CVE-2015-7236: Memory corruption in PMAP_CALLIT code leading to denial of service. (Closes: #799307) samba (2:3.6.6-6+deb7u7) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * s3:smbd: fix a corner case of the symlink verification. Address regression introduced by the patch for CVE-2015-5252. For the share path "/", the introduced checks deny all operations in the share. (Closes: #812429) * CVE-2015-7560: Incorrect ACL get/set allowed on symlink path samba (2:3.6.6-6+deb7u6) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Refresh waf-as-source.patch patch * Add CVE-2015-5252-v3-6-bso11395.patch patch. CVE-2015-5252: Insufficient symlink verification in smbd. * Add CVE-2015-5299-v3-6-bso11529.patch patch. CVE-2015-5299: Missing access control check in shadow copy code. * Add CVE-2015-5296-v3-6-bso11536.patch patch. CVE-2015-5296: Samba client requesting encryption vulnerable to downgrade attack. screen (4.1.0~20120320gitdb59704-7+deb7u1) wheezy-security; urgency=high . * Fix stack overflow due to too deep recursion (CVE-2015-6806). sendmail (8.14.4-4+deb7u1) wheezy; urgency=medium . * QA upload. * Set maintainer to Debian QA Group. (See: #740070) * Merge some bugfixes from sid. * close_on_exec.patch: Properly set the close-on-exec flag for file descriptors before executing mailers, cherry-picked from sendmail 8.14.9. CVE-2014-3956 (Closes: #750562) * libmilter-assert.patch: Fix an incorrect assertion in libmilter, cherry-picked from sendmail 8.14.7. (LP: #1299571) * Add support for OpenSSL options SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 (backported from 8.14.8), thanks to David F. Skoll. (Closes: #747910) * conf.c-ipv6.patch: Fix A-only MX CNAME interface binding issues when using IPv6, thanks to David F. Skoll. (Closes: #737164) (LP: #1223633) (backported from 8.14.6) * raise-max-daemons.patch: Raise MAXDAEMONS from 10 to 64, thanks to Kees Cook. (Closes: #720435) * Switch from deprecated 'find -perm +xxx' to 'find -perm /xxx'. (Closes: #724772) * Start sendmail after bind9 (or any other named) if it is installed. (Closes: #714184) * sendmailconfig: Add missing quoting, thanks to Stuart Sheldon. (Closes: #692047) * Fix infinite loop in update_db, thanks to Flo. (Closes: #717951) * Do not ship duplicate sendmail.8 manpage. (Closes: #709895, #597781) smokeping (2.6.8-2+deb7u1) oldstable-security; urgency=high . * security fix for CVE-2015-0859: code execution via CGI arguments due to Debian Apache configuration spice (0.11.0-1+deb7u2) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add series of patches for CVE-2015-5260 and CVE-2015-6261. CVE-2015-5260: insufficient validation of surface_id parameter can cause crash. (Closes: #801089) CVE-2015-5261: host memory access from guest using crafted images. (Closes: #801091) spip (2.1.17-1+deb7u5) wheezy-security; urgency=high . * Update displayed version * Backport security fixes from 2.1.29 - PHP code injection - Objects injection via unserialize * Update security screen to 1.2.4 squid3 (3.1.20-2.2+deb7u4) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-2571: better handling of huge response headers in src/http.cc stk (4.4.3-2+deb7u1) wheezy; urgency=medium . [ Hanno Zulla ] * Install missing SKINI.{msg,tbl} include files strongswan (4.5.2-1.5+deb7u8) wheezy-security; urgency=medium . * debian/patches: - CVE-2015-8023_eap_mschapv2_state added, fix authentication bypass when using EAP MSCHAPv2. sudo (1.8.5p2-1+nmu3+deb7u1) wheezy-security; urgency=medium . * Non-maintainer upload * Fix CVE-2014-9680-{1,2}.patch to edit sudoers.pod, not just the generated docs * Disable editing of files via user-controllable symlinks (Closes: #804149) (CVE-2015-5602) - sudoedit path restriction bypass using symlinks - Change warning when user tries to sudoedit a symbolic link - Open sudoedit files with O_NONBLOCK and fail if they are not regular files - Remove S_ISREG check from sudo_edit_open(), it is already done in the caller - Add directory writability checks for sudoedit - Fix directory writability checks for sudoedit - Enable sudoedit directory writability checks by default tomcat7 (7.0.28-4+deb7u3) wheezy-security; urgency=high . * Team upload. * Fixed CVE-2014-7810: Malicious web applications could use expression language to bypass the protections of a Security Manager as expressions were evaluated within a privileged code section. * Fixed CVE-2014-0099: Check for overflow when parsing the request content length header. This exposed a request smuggling vulnerability when Tomcat was located behind a reverse proxy that correctly processed the content length header. * Fixed CVE-2013-4444: Remove serialization support from FileItem to prevent a remote code execution vulnerablity in very limited circumstances. * Fixed CVE-2014-0075: Malformed chunk size as part of a chuncked request could enable the streaming of an unlimited amount of data to the server, bypassing the various size limits enforced on a request. This enabled a denial of service attack. * Fixed CVE-2014-0227: Add an error flag in ChunkedInputFilter to allow subsequent attempts at reading after an error to fail fast. This prevents remote attackers from conducting HTTP request smuggling attacks or causing a denial of service by streaming data with malformed chunked requests. * Fixed CVE-2014-0230: Add a new limit for the amount of data Tomcat will swallow for an aborted upload. This prevents remote attackers from causing a denial of service (thread consumption) via a series of aborted upload attempts. tzdata (2016c-0+deb7u1) oldstable; urgency=medium . * New upstream version, affecting the following future time stamps: - America/Santiago - Asia/Baku tzdata (2016b-1) unstable; urgency=medium . * New upstream version, affecting the following future time stamps: - America/Port-au-Prince - Asia/Gaza - Asia/Hebron * debian/rules: remove emdebian ifdefs. * debian/compat, debian/control, debian/rules: rewrite using dh and debhelper compatibility 9. * Update French debconf translation, by Christian Perrier. Closes: #814831. * Update Japanese debconf translation, by Takuma Yamada. Closes: #815386. * Drop the tzdata-java package. Closes: #814073. * debian/control: Update Standards-Version to 3.9.7, no changes. tzdata (2016b-0+deb8u1) stable; urgency=medium . * New upstream version, affecting the following future time stamps: - America/Cayman - America/Port-au-Prince - Asia/Chita - Asia/Gaza - Asia/Hebron - Asia/Tehran tzdata (2016b-0+deb7u1) oldstable; urgency=medium . * New upstream version, affecting the following future time stamps: - America/Cayman - America/Port-au-Prince - Asia/Chita - Asia/Gaza - Asia/Hebron - Asia/Tehran tzdata (2016a-1) unstable; urgency=medium . [ Aurelien Jarno ] * Add Vcs-Git and Vcs-Browser fields to debian/control. * New upstream version, affecting the following future time stamps: - America/Cayman - Asia/Chita - Asia Tehran * Change /etc/timezone into a symlink (closes: #803144) tzdata (2015g-1) unstable; urgency=medium . [ Aurelien Jarno ] * New upstream version, affecting the following future time stamps: - Fiji - Fort Nelson, British Columbia - Norfolk Island - Turkey (closes: #801172) tzdata (2015g-0+deb8u1) stable; urgency=medium . [ Aurelien Jarno ] * New upstream version, affecting the following future time stamps: - Fiji - Fort Nelson, British Columbia - Norfolk Island - Turkey (closes: #801172) tzdata (2015g-0+deb7u1) oldstable; urgency=medium . [ Aurelien Jarno ] * New upstream version, affecting the following future time stamps: - Fiji - Fort Nelson, British Columbia - Norfolk Island - Turkey (closes: #801172) tzdata (2015g-0+deb6u1) squeeze-lts; urgency=medium . * New upstream version: - Fiji - Fort Nelson, British Columbia - Norfolk Island - Turkey (closes: #801172) - North Korea switches to +0830 on 2015-08-15. - Uruguay no longer observes DST (closes: #801336). - DST suspension from 2015-06-14 03:00 through 2015-07-19 02:00 in Morroco. tzdata (2015f-1) unstable; urgency=high . [ Aurelien Jarno ] * New upstream version, affecting the following future time stamps: - North Korea switches to +0830 on 2015-08-15. - Uruguay no longer observes DST. tzdata (2015f-0+deb8u1) stable; urgency=medium . * New upstream version, affecting the following future time stamps: - North Korea switches to +0830 on 2015-08-15. - Uruguay no longer observes DST. unzip (6.0-8+deb7u5) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Update 16-fix-integer-underflow-csiz-decrypted patch. Fix regression in handling 0-byte files. (Closes: #804595) unzip (6.0-8+deb7u4) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix infinite loop when extracting password-protected archive. This is CVE-2015-7697. Closes: #802160. * Fix heap overflow when extracting password-protected archive. This is CVE-2015-7696. Closes: #802162. * Fix additional unsigned overflow on invalid input. virtualbox (4.1.42-dfsg-1+deb7u1) wheezy-security; urgency=medium . * New upstream release. - Addressed CVE-2015-4813 and CVE-2015-4896 virtualbox (4.1.42-dfsg-1+deb7u1~bpo60+1) squeeze-backports; urgency=medium . * Rebuild for squeeze-backports. virtualbox (4.1.40-dfsg-1+deb7u1) wheezy-security; urgency=medium . * New upstream release. * Remove all the CVE related patches, and refresh patches. virtualbox (4.1.18-dfsg-2.1) experimental; urgency=low . [ Stefan Lippers-Hollmann ] * Non-maintainer upload. * fix kernel module compilation against v3.6 and v3.7 (closes: #691169, #696011, #696667, #696953, #698607) websvn (2.3.3-1.1+deb7u2) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team * Properly escape user-supplied input (CVE-2016-2511) wireshark (1.8.2-5wheezy18) wheezy-security; urgency=medium . * security fixes from Wireshark 1.12.10: - DNP dissector infinite loop (CVE-2016-2523) - RSL dissector crash (CVE-2016-2530 CVE-2016-2531) - GSM A-bis OML dissector crash - ASN.1 BER dissector crashes * security fixes from Wireshark 1.12.9: - RSL dissector crash (CVE-2015-8731) - 802.11 decryption crash (CVE-2015-8723, CVE-2015-8724) - ANSI A & GSM A dissector crashes (CVE-2015-8728) - DIAMETER dissector crash (CVE-2015-8725) wireshark (1.8.2-5wheezy17) wheezy-security; urgency=high . * security fixes from Wireshark 1.12.8: - Pcapng file parser crash. Discovered by Dario Lombardo and Shannon Sabens. (CVE-2015-7830) * security fixes from Wireshark 1.12.7: - The ptvcursor implementation could crash (CVE-2015-6248) - Crash in the dissector table implementation (CVE-2015-6243) - The WaveAgent dissector could crash (CVE-2015-6246) * security fixes from Wireshark 1.12.9: - DCOM dissector crash (CVE-2015-8714) - NLM dissector crash (CVE-2015-8718) - BER dissector crash (CVE-2015-8720) - Zlib decompression crash (CVE-2015-8721) - RSVP dissector crash (CVE-2015-8727) - Ascend file parser crash (CVE-2015-8729) wordpress (3.6.1+dfsg-1~deb7u10) wheezy-security; urgency=high . * Changeset 36435 fixes SSRF for URLs CVE-2016-2222 * Changeset 36444 improved redirect checking CVE-2016-2221 * Closes: #813697 wordpress (3.6.1+dfsg-1~deb7u9) wheezy-security; urgency=high . * Apply changeset 36185 fixes XSS CVE-2016-1564 Closes: #810325 wordpress (3.6.1+dfsg-1~deb7u8) wheezy-security; urgency=high . * Backport of 4.3.1 security fixes Closes: #799140 * Changeset 34137 XSS in user list table CVE-2015-7989 * Changeset 34144 unclosed HTML elements CVE-2015-5714 * Changeset 34151 unsticky private posts CVE-2015-5715 wpa (1.0-3+deb7u3) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add patch to address CVE-2015-4141. CVE-2015-4141: WPS UPnP vulnerability with HTTP chunked transfer encoding. (Closes: #787372) * Add patch to address CVE-2015-4142. CVE-2015-4142: Integer underflow in AP mode WMM Action frame processing. (Closes: #787373) * Add patches to address CVE-2015-4143. CVE-2015-4143: EAP-pwd missing payload length validation. (Closes: #787371) * Add patch to address 2015-5 vulnerability. NFC: Fix payload length validation in NDEF record parser. Note that this issue does not affect the binary packages distributed in Debian in Wheezy as CONFIG_WPS_NFC=y is not set in the build configuration. (Closes: #795740) xdelta3 (3.0.0.dfsg-1+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2014-9765: buffer overflow in main_get_appheader (Closes: #814067) xen (4.1.4-3+deb7u9) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2015-7835-xsa148.patch patch. CVE-2015-7835: x86: Uncontrolled creation of large page mappings by PV guests. xerces-c (3.1.1-3+deb7u2) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2016-0729: Buffer overlows during processing and error reporting xscreensaver (5.15-3+deb7u1) wheezy-security; urgency=high . * Port squeeze LTS patch for "xscreensaver aborts when unplugging second monitor" security issue, CVE-2015-8025 (Closes: #802914) zendframework (1.11.13-1.1+deb7u5) wheezy; urgency=medium . * Backport security fix from 1.12.17 - ZF2015-09: Fixed entropy issue in word CAPTCHA http://framework.zend.com/security/advisory/ZF2015-09 zendframework (1.11.13-1.1+deb7u4) wheezy-security; urgency=high . * Backport security fixes from 1.12.16 - ZF2015-07: Filesystem Permissions Issues in Multiple Components http://framework.zend.com/security/advisory/ZF2015-07 [CVE-2015-5723] - ZF2015-08: Potential SQL injection vector using null byte for PDO (MsSql, SQLite) http://framework.zend.com/security/advisory/ZF2015-08 [CVE-2014-8089] ====================================== Sat, 05 Sep 2015 - Debian 7.9 released ====================================== ========================================================================= [Date: Sat, 05 Sep 2015 10:45:17 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: cia-clients | 20120903 | source, all Closed bugs: 781286 ------------------- Reason ------------------- RoM; useless as cia.vc is gone ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 05 Sep 2015 10:45:50 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: get-iplayer | 2.82-2+deb7u1 | source, all Closed bugs: 788015 ------------------- Reason ------------------- RoM; broken by content provider changes ---------------------------------------------- ========================================================================= ========================================================================= [Date: Sat, 05 Sep 2015 10:46:27 +0000] [ftpmaster: Archive Administrator] Removed the following packages from oldstable: typo3 | 4.5.19+dfsg1-5+wheezy3 | all typo3 | 4.5.19+dfsg1-5+wheezy4 | all typo3-database | 4.5.19+dfsg1-5+wheezy3 | all typo3-database | 4.5.19+dfsg1-5+wheezy4 | all typo3-dummy | 4.5.19+dfsg1-5+wheezy3 | all typo3-dummy | 4.5.19+dfsg1-5+wheezy4 | all typo3-src | 4.5.19+dfsg1-5+wheezy3 | source typo3-src | 4.5.19+dfsg1-5+wheezy4 | source typo3-src-4.5 | 4.5.19+dfsg1-5+wheezy3 | all typo3-src-4.5 | 4.5.19+dfsg1-5+wheezy4 | all Closed bugs: 793414 ------------------- Reason ------------------- RoST; no longer supported ---------------------------------------------- ========================================================================= activemq (5.6.0+dfsg-1+deb7u1) wheezy-security; urgency=high . * Team upload. * Fixed security issues (Closes: #777196, #792857) - CVE-2014-3612: JAAS LDAPLoginModule allows empty password authentication - CVE-2014-3600: XML External Entity expansion when evaluating XPath expressions - CVE-2014-3576: DoS via unauthenticated remote shutdown command - Disable JMX by default (Closes: #769887) amd64-microcode (1.20141028.1) stable; urgency=medium . * Upstream release 20141028 built from linux-firmware + Updated microcode patches for family 0x15 processors + Added microcode patches for family 0x16 processors * AMD did not update the relevant microcode documentation (errata fixed, microcode patch levels, etc) for the 20141028 release, so there is no documentation for the family 0x16 microcode patches, and the documentation for the family 0x15 microcode patches is stale. * Upstream release 20131007 built from linux-firmware + updated microcode: sig 0x00500F10, id 0x05000029: erratum (+) 784; sig 0x00500F20, id 0x05000119: erratum (+) 784; sig 0x00600F12, id 0x0600063D: errata (-) 668, (+) 759, 778; + new microcode: sig 0x00200F31, id 0x02000032: errata 311, 316; sig 0x00600F20, id 0x06000822: errata 691, 699, 704, 708, 709, 734, 740, 778; + This update fixes important processor bugs that cause data corruption or unpredictable system behaviour. It also fixes a performance issue and several issues that cause system lockup. * Switch to native package, since there is no upstream tarball * debian/copyright: update upstream URL (Closes: #753593) * debian/copyright: update with new license * debian/install: all _fam microcode files for install * docs: use glob pattern for _fam* README * control: remove homepage and update standards-version amd64-microcode (1.20120910-3) unstable; urgency=low . * control: remove homepage and update standards-version * initramfs: update copyright information * initramfs, postinst: don't do anything on non-AMD systems (Closes: #715518) * initramfs, postinst: blacklist several kernel versions (Closes: #717185) * control: add breaks: intel-microcode (<< 1.20130222.6~) * load microcode module on package install/upgrade apache2 (2.2.22-13+deb7u6) wheezy-security; urgency=medium . * Fix regression causing spurious errors when loading certificate chain. Closes: #794383 apache2 (2.2.22-13+deb7u5) wheezy-security; urgency=medium . * CVE-2015-3183: Fix request smuggling via chunked transfer encoding. Backported by Marc Deslauriers. * Don't limit default DH parameters to 1024 bits. Closes: #780398 This may cause problems with some Java based clients. A work-around is to configure these client not to use DHE key exchange but use ECDHE or RSA instead. A server-side work-around that limits the DH parameters to 1024 bits for all clients is described at http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#javadh . * Backport support for adding DH parameters to the SSLCertificateFile. arj (3.10.22-10+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team with patches from Guillem Jover * Fix buffer overflow from size under user control. This is causing free() on an invalid pointer. Fixes: CVE-2015-2782 (Closes: #774015) * Fix absolute path directory traversal. Fixes: CVE-2015-0557 (Closes: #774435) * Fix symlink directory traversal. Fixes: CVE-2015-0556 (Closes: #774434) base-files (7.1wheezy9) oldstable; urgency=low . * Changed /etc/debian_version to 7.9, for Debian 7.9 point release. * Distribution is now "oldstable" because this is for wheezy. batik (1.7+dfsg-3+deb7u1) wheezy-security; urgency=high . * Team upload. * Add debian/patches/cve_2015_0250.patch to disable external XML entity resolution (information disclosure). This addresses CVE-2015-0250. (Closes: #780897) bind9 (1:9.8.4.dfsg.P1-6+nmu2+deb7u6) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2015-5477: A failure to reset a value to NULL in tkey.c could result in an assertion failure. bind9 (1:9.8.4.dfsg.P1-6+nmu2+deb7u5) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2015-4620: Specially constructed zone data can cause a resolver to crash when validating. bind9 (1:9.8.4.dfsg.P1-6+nmu2+deb7u4) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2015-1349: avoid crash due to managed-key rollover. Revoking a managed trust anchor and supplying an untrusted replacement could cause named to crash with an assertion failure. binutils (2.22-8+deb7u2) wheezy-security; urgency=high . * FTBFS on armel, kfreebsd-i386, mips, mipsel, powerpc, and s390 fixed. binutils (2.22-8+deb7u1) wheezy-security; urgency=high . * Wheezy security upload: CVE-2014-8484 CVE-2014-8485 CVE-2014-8501 CVE-2014-8502 CVE-2014-8503 CVE-2014-8504 CVE-2014-8737 CVE-2014-8738 binutils-mingw-w64 (2+deb7u1) wheezy-security; urgency=high . * Rebuild against binutils 2.22-8+deb7u2 to fix CVE-2014-8484, CVE-2014-8485, CVE-2014-8501, CVE-2014-8502, CVE-2014-8503, CVE-2014-8504, CVE-2014-8737, CVE-2014-8738 (Closes: #775165). bley (0.1.5-2+deb7u1) stable; urgency=medium . * drop dnsbl.ahbl.org from the config, it was shut down and produces false positives. cacti (0.8.8a+dfsg-5+deb7u6) wheezy-security; urgency=high . * Security update - CVE-2015-4634 SQL injection in graphs.php - Multiple other SQL injection vulnerabilities cacti (0.8.8a+dfsg-5+deb7u5) wheezy-security; urgency=high . * Security update - CVE-2015-2665 Cross-site scripting (XSS) vulnerability in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. - CVE-2015-4342 SQL Injection and Location header injection from cdef id - CVE-2015-4454 SQL injection vulnerability in the get_hash_graph_template function in lib/functions.php in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via the graph_template_id parameter to graph_templates.php. - Unassigned CVE SQL injection VN:JVN#78187936 / TN:JPCERT#98968540 checkpw (1.02-1+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2015-0885: Fix denial of service via -- in usernames (Closes: #780139) checkpw (1.02-1+deb6u1) squeeze-lts; urgency=high . * Non-maintainer upload by the Squeeze LTS Team. * CVE-2015-0885: Fix denial of service via -- in usernames (Closes: #780139) chrony (1.24-3.1+deb7u3) wheezy-security; urgency=medium . * With the following security bugfixes (See: #782160): - Fix CVE-2015-1853: Protect authenticated symmetric NTP associations against DoS attacks. - Fix CVE-2015-1821: Fix access configuration with subnet size indivisible by 4. - Fix CVE-2015-1822: Fix initialization of reply slots for authenticated commands. clamav (0.98.7+dfsg-0+deb7u1) oldstable; urgency=high . [ Andreas Cadhalpun ] * Fix variable name mismatch in clamav-milter.postinst in order to make preseeding work correctly. (Closes: #778445) * Drop 'XS-Testsuite: autopkgtest' from debian/control. Debhelper automatically adds the Testsuite field. This fixes the lintian warning xs-testsuite-header-in-debian-control. * Fix cleanup on purge in clamav-base.postrm. . [ Sebastian Andrzej Siewior ] * Replace ” with " in debian/common_functions (Closes: #781088) * Import new upstream: - Improvements to PDF processing: decryption, escape sequence handling, and file property collection. - Scanning/analysis of additional Microsoft Office 2003 XML format. - Fix infinite loop condition on crafted y0da cryptor file. Identified and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221. - Fix crash on crafted petite packed file. Reported and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2222. - Fix false negatives on files within iso9660 containers. This issue was reported by Minzhuan Gong. - Fix a couple crashes on crafted upack packed file. Identified and patches supplied by Sebastian Andrzej Siewior. - Fix a crash during algorithmic detection on crafted PE file. Identified and patch supplied by Sebastian Andrzej Siewior. - Fix an infinite loop condition on a crafted "xz" archive file. This was reported by Dimitri Kirchner and Goulven Guiheux. CVE-2015-2668. - Fix compilation error after ./configure --disable-pthreads. Reported and fix suggested by John E. Krokes. - Apply upstream patch for possible heap overflow in Henry Spencer's regex library. CVE-2015-2305 (Closes: #778406). - Fix crash in upx decoder with crafted file. Discovered and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2170. - Fix segfault scanning certain HTML files. Reported with sample by Kai Risku. - Improve detections within xar/pkg files. * update GPG key used to verify releases to get uscan/get_orig.sh working again. * update symbol version for cl_retflevel due to CL_FLEVEL change. clamav (0.98.7+dfsg-0+deb6u2) squeeze-lts; urgency=medium . * Don't error out if rar file cat fails to work around arch/indep issues on squeeze clamav (0.98.7+dfsg-0+deb6u1) squeeze-lts; urgency=high . [ Andreas Cadhalpun ] * Fix variable name mismatch in clamav-milter.postinst in order to make preseeding work correctly. (Closes: #778445) * Drop 'XS-Testsuite: autopkgtest' from debian/control. Debhelper automatically adds the Testsuite field. This fixes the lintian warning xs-testsuite-header-in-debian-control. * Fix cleanup on purge in clamav-base.postrm. . [ Sebastian Andrzej Siewior ] * Replace ” with " in debian/common_functions (Closes: #781088) * Import new upstream: - Improvements to PDF processing: decryption, escape sequence handling, and file property collection. - Scanning/analysis of additional Microsoft Office 2003 XML format. - Fix infinite loop condition on crafted y0da cryptor file. Identified and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221. - Fix crash on crafted petite packed file. Reported and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2222. - Fix false negatives on files within iso9660 containers. This issue was reported by Minzhuan Gong. - Fix a couple crashes on crafted upack packed file. Identified and patches supplied by Sebastian Andrzej Siewior. - Fix a crash during algorithmic detection on crafted PE file. Identified and patch supplied by Sebastian Andrzej Siewior. - Fix an infinite loop condition on a crafted "xz" archive file. This was reported by Dimitri Kirchner and Goulven Guiheux. CVE-2015-2668. - Fix compilation error after ./configure --disable-pthreads. Reported and fix suggested by John E. Krokes. - Apply upstream patch for possible heap overflow in Henry Spencer's regex library. CVE-2015-2305 (Closes: #778406). - Fix crash in upx decoder with crafted file. Discovered and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2170. - Fix segfault scanning certain HTML files. Reported with sample by Kai Risku. - Improve detections within xar/pkg files. * update GPG key used to verify releases to get uscan/get_orig.sh working again. * update symbol version for cl_retflevel due to CL_FLEVEL change. . [ Scott Kitterman ] * Drop minimum debhelper version to 8 for squeeze and drop indep specific override of dh_installdocs * Manually patch in results of autoreconf since dh_autoreconf is too old and package FTBFS otherwise * Drop procps requirement and dpkg minimum version requirement since squeeze versions are too old and revert init script changes for freshclam, daemon, and milter to use the squeeze versions of the init scripts (also restore required functions to debian/common_functions) clamav (0.98.6+dfsg-3) unstable; urgency=medium . * Fix syntax errors in clamav-freshclam.postinst. Thanks piuparts! * Fix cleanup on purge in clamav-base.postrm. clamav (0.98.6+dfsg-2) unstable; urgency=medium . [ Andreas Cadhalpun ] * Fix variable name mismatch in clamav-milter.postinst in order to make preseeding work correctly. (Closes: #778445) * Fix clamav-daemon installability with custom PidFile. Thanks to Andy Dorman for the bug report and patch. (Closes: #778507) * Rename DEBCONFILE to DEBCONFFILE in clamav-freshclam.postinst making it consistent with the other postinst scripts. * Build against libsystemd-dev. (Closes: #779758) * Drop 'XS-Testsuite: autopkgtest' from debian/control. Debhelper automatically adds the Testsuite field. This fixes the lintian warning xs-testsuite-header-in-debian-control. * Shorten debian/copyright. This fixes some lintian warnings: - dep5-copyright-license-name-not-unique - wildcard-matches-nothing-in-dep5-copyright - unused-file-paragraph-in-dep5-copyright * Use pathfind to avoid hardcoding paths. This fixes command-with-path-in-maintainer-script lintian warnings. . [ Sebastian Andrzej Siewior ] * Replace ” with " in debian/common_functions (Closes: #781088) * Drop __DATE__ from tfm to make the package build reproducible with -Werror=date-time. With this change faketime is no longer required. clamav (0.98.6+dfsg-1+deb8u1) jessie; urgency=medium . [ Andreas Cadhalpun ] * Fix clamav-daemon installability with custom PidFile. Thanks to Andy Dorman for the bug report and patch. (Closes: #778507) clamav (0.98.6+dfsg-1) unstable; urgency=high . [ Sebastian Andrzej Siewior ] * update "fix-ssize_t-size_t-off_t-printf-modifier", include of misc.h was missing but was pulled in via the systemd patch. * Don't leak return codes from libmspack to clamav API. (Closes: #774686). . [ Andreas Cadhalpun ] * Add patch to avoid emitting incremental progress messages when not outputting to a terminal. (Closes: #767350) * Update lintian-overrides for unused-file-paragraph-in-dep5-copyright. * clamav-base.postinst: always chown /var/log/clamav and /var/lib/clamav to clamav:clamav, not only on fresh installations. (Closes: #775400) * Adapt the clamav-daemon and clamav-freshclam logrotate scripts, so that they correctly work under systemd. * Move the PidFile variable from the clamd/freshclam configuration files to the init scripts. This makes the init scripts more robust against misconfiguration and avoids error messages with systemd. (Closes: #767353) * debian/copyright: drop files from Files-Excluded only present in github tarballs * Drop Workaround-a-bug-in-libc-on-Hurd.patch, because hurd got fixed. (see #752237) * debian/rules: Remove useless --with-system-tommath --without-included-ltdl configure options. . [ Scott Kitterman ] * Stop stripping llvm when repacking the tarball as the system llvm on some releases is too old to use * New upstream bugfix release - Library shared object revisions. - Includes a patch from Sebastian Andrzej Siewior making ClamAV pid files compatible with systemd. - Fix a heap out of bounds condition with crafted Yoda's crypter files. This issue was discovered by Felix Groebert of the Google Security Team. - Fix a heap out of bounds condition with crafted mew packer files. This issue was discovered by Felix Groebert of the Google Security Team. - Fix a heap out of bounds condition with crafted upx packer files. This issue was discovered by Kevin Szkudlapski of Quarkslab. - Fix a heap out of bounds condition with crafted upack packer files. This issue was discovered by Sebastian Andrzej Siewior. CVE-2014-9328. - Compensate a crash due to incorrect compiler optimization when handling crafted petite packer files. This issue was discovered by Sebastian Andrzej Siewior. * Update lintian override for embedded zlib to match new so version . [ Javier Fernández-Sanguino ] * Updated Spanish Debconf template translation (Closes: #773563) clamav (0.98.6+dfsg-0+deb7u1) stable; urgency=medium . [ Sebastian Andrzej Siewior ] * New upstream bugfix release - Library shared object revisions. - Includes a patch from Sebastian Andrzej Siewior making ClamAV pid files compatible with systemd. - Fix a heap out of bounds condition with crafted Yoda's crypter files. This issue was discovered by Felix Groebert of the Google Security Team. - Fix a heap out of bounds condition with crafted mew packer files. This issue was discovered by Felix Groebert of the Google Security Team. - Fix a heap out of bounds condition with crafted upx packer files. This issue was discovered by Kevin Szkudlapski of Quarkslab. - Fix a heap out of bounds condition with crafted upack packer files. This issue was discovered by Sebastian Andrzej Siewior. CVE-2014-9328. - Compensate a crash due to incorrect compiler optimization when handling crafted petite packer files. This issue was discovered by Sebastian Andrzej Siewior. * Update embedded libmspack from 0.4alpha to 0.5alpha (security bugfix release) * Don't leak return codes from libmspack to clamav API. (Closes: #774686). . [ Andreas Cadhalpun ] * Drop Workaround-a-bug-in-libc-on-Hurd.patch, because hurd got fixed. (see #752237) * Update libclamav6: embedded-library lintian override for new libclamav6 and make it generic * Update lintian-overrides for unused-file-paragraph-in-dep5-copyright. * clamav-base.postinst: always chown /var/log/clamav and /var/lib/clamav to clamav:clamav, not only on fresh installations. (Closes: #775400) * debian/copyright: drop files from Files-Excluded only present in github tarballs * debian/rules: Remove useless --with-system-tommath --without-included-ltdl configure options. . [ Scott Kitterman ] * Stop stripping llvm when repacking the tarball as the system llvm on some releases is too old to use . [ Javier Fernández-Sanguino ] * Updated Spanish Debconf template translation (Closes: #773563) clamav (0.98.5+dfsg-3) unstable; urgency=medium . * Fix failure to purge, noticed by piuparts. (Closes: #772092) clamav (0.98.5+dfsg-2) unstable; urgency=medium . * Automatically extend the clamav-daemon.socket systemd unit to create the TCP socket, when clamd is configured to use TCP. (Closes: #771911) * Also accept AF_INET6 sockets in clamd, as they are now supported. Systemd uses AF_INET6 for TCP sockets without specified address. clamav (0.98.5+dfsg-1) unstable; urgency=medium . [ Sebastian Andrzej Siewior ] * import new upsstream version, refresh patches: dropped: - LLVM-3.5-version-check-update.patch - add-support-for-LLVM-3.5.patch - fix-test-failure-on-powerpc-again.patch updated: - hardcode-LLVM-linker-flag-because-llvm-config-return - added "bb-10731-Allow-to-specificy-a-group-for-the-socket-o" as dependecy for "clamav-milter-add-additinal-SMFIF_-flags-before-invo" (Closes: #763300) * Add "Bump-.so-version-number", likely the RPM version of 769384. * Add "llvm-don-t-use-system-libs", since we don't link against .a libs, we don't need the deps either. . [ Scott Kitterman ] * Update libclamav6: embedded-library lintian override for new libclamav6 so version clamav (0.98.5+dfsg-0+deb7u3) stable; urgency=medium . * add "mspack-fix-division-by-zero-in-chm-format-handling" to fix divide by zero in the chm unpacked. Found & patch by Jakub Wilk (Closes: #774766). * add "mspack-fix-overflow-in-pointer-arithmetic-on-32bit" to avoid overflow in pointer arithmetic causing a segfault on 32bit (Closes: #774767). commons-httpclient (3.1-10.2+deb7u1) wheezy; urgency=high . * Team upload. * Add CVE-2014-3577.patch. (Closes: #758086) It was found that the fix for CVE-2012-6153 was incomplete: the code added to check that the server hostname matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. The fix for CVE-2012-6153 was intended to address the incomplete patch for CVE-2012-5783. The issue is now completely resolved by applying this patch and the 06_fix_CVE-2012-5783.patch. * Change java.source and java.target ant properties to 1.5, otherwise commons-httpclient will not compile with this patch. condor (7.8.2~dfsg.1-1+deb7u3) wheezy-security; urgency=medium . * Non-maintainer upload by the Security Team * Add a default SENDMAIL variable to the config file, to properly fix CVE-2014-8126 condor (7.8.2~dfsg.1-1+deb7u2) wheezy-security; urgency=medium . * Non-maintainer upload by the Security Team * Fix CVE-2014-8126: mailx invocation enabled code execution as condor user conky (1.9.0-2+deb7u1) wheezy; urgency=medium . * Non-maintainer upload. * Backport fix for #739245 from 1.9.0-4 to wheezy. . [ Vincent Cheng ] * Declare Breaks+Replaces relationship against conky (<< 1.8.0-1, the version in Debian where the conky package was first split into multiple binary packages) to fix upgrade path from lenny -> squeeze -> wheezy. (Closes: #739245) conntrack (1:1.2.1-1+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2015-6496: conntrackd crash on unexpected network traffic (Closes: #796103) cups (1.5.3-5+deb7u6) wheezy-security; urgency=high . * Import 1.5 upstream fix for CERT VU#810572: Privilege escalation through dynamic linker and isolated vulnerabilities: STR: #4609, VU#810572 - CVE-2015-1158 - Improper Update of Reference Count - CVE-2015-1159 - Cross-Site Scripting cups (1.5.3-5+deb7u5) wheezy-security; urgency=high . * Backport upstream patch to fix cupsRasterReadPixels buffer overflow with invalid page header and compressed raster data (CVE-2014-9679, STR: #4551, Closes: #778387) cups-filters (1.0.18-2.1+deb7u2) wheezy-security; urgency=high . * Backport upstream fixes for buffer overflows on size allocation in texttopdf. (CVE-2015-3258, CVE-2015-3279) curl (7.26.0-1+wheezy13) wheezy-security; urgency=high . * Fix re-using authenticated connection when unauthenticated as per CVE-2015-3143 http://curl.haxx.se/docs/adv_20150422A.html * Fix Negotiate not treated as connection-oriented as per CVE-2015-3148 http://curl.haxx.se/docs/adv_20150422B.html curl (7.26.0-1+wheezy12) wheezy-security; urgency=high . * Fix URL request injection vulnerability as per CVE-2014-8150 http://curl.haxx.se/docs/adv_20150108B.html * Set urgency=high accordingly das-watchdog (0.9.0-2+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix buffer overflow in the handling of the XAUTHORITY env variable (CVE-2015-2831) (Closes: #781806) * Remove duplicate check for temp[i] == '\0' in das_watchdog.c * Fix infinite loop on platforms where char is unsigned * Add fix-memory-leak-on-realloc.patch patch. Fix potential memory leak on realloc and causing "NULL+i" (write) dereference afterwards. Thanks to Niels Thykier das-watchdog (0.9.0-2+deb6u1) squeeze-lts; urgency=high . * Non-maintainer upload. * Fix buffer overflow in the handling of the XAUTHORITY env variable (CVE-2015-2831) (Closes: #781806) * Remove duplicate check for temp[i] == '\0' in das_watchdog.c * Fix infinite loop on platforms where char is unsigned * Add fix-memory-leak-on-realloc.patch patch. Fix potential memory leak on realloc and causing "NULL+i" (write) dereference afterwards. Thanks to Niels Thykier dbus (1.6.8-1+deb7u6) wheezy-security; urgency=high . * Add patch for system.conf to fix a local denial of service when using systemd activation (CVE-2015-0245) debian-installer (20130613+deb7u3) wheezy; urgency=medium . [ Didier Raboud ] * Use APT `apt-config dump`s result to determine where to find the system's sources.list (Closes: #775136) . [ Cyril Brulebois ] * build/Makefile: Move the drop_lang definition to the top of the file to deal with incompatible changes in make 3.82 leading to the following error: “recipe commences before first target” (Closes: #720719). debian-installer-netboot-images (20130613+deb7u3) wheezy; urgency=medium . * Update to 20130613+deb7u3 images, from proposed-updates. * Replace http.debian.net with httpredir.debian.org as the default mirror (and support setting MIRROR to something else). debian-security-support (2015.04.04~deb7u1) wheezy; urgency=low . * Rebuild for wheezy debian-security-support (2015.04.04~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. . debian-security-support (2015.04.04) unstable; urgency=high . * Add wireshark to unsupported packages in Squeeze (Closes: #774312) * Remove php5 and memcached from "limited support": Debian's PHP support is not different from upstream's and is well understood by the community. The same applies to memcached (Closes: #775582) * Mark chromium-browser as unsupported in Wheezy (Closes: #776904). The same applies to rails * Mark piwigo as unsupported in Squeeze (Closes: #779104) * Mark xulrunner as unsupported . debian-security-support (2014.12.17) unstable; urgency=high . * Add to list of packages not supported in squeeze-lts: - src:qemu (Closes: #772858) - src:textpattern (Closes: #773048) . debian-security-support (2014.12.08) unstable; urgency=high . * Remove remaining bashism. Closes: #772268 * limited support: mozjs* and libv8-3.14 * postinst: Have an (empty) triggered target * Add list of packages not supported in jessie, empty for the time being . debian-security-support (2014.11.07) unstable; urgency=high . * Check hook for existence before running it. Closes: #768391 . debian-security-support (2014.11.04) unstable; urgency=high . * Closes an RC bug, urgency set to high * Add src:axis2c to list of packages not supported in squeeze-lts. Closes: #765374 * Use dpkg invoke hook instead of triggers. Thanks Guillem Jover for the detailed explanations. Closes: #762031 . debian-security-support (2014.10.26) unstable; urgency=low . * Features and Bugfixes - Add VCS information - Move manpage to man/ directory - Declare the trigger "-noawait". See: #762031 - Use dpkg-query to retrieve the dpkg version number - Override TMPDIR unless it has relaxed permissions. Closes: #763277 * limited support list - Alter text for kde4libs, change webkit to webkitgtk - Remove wireshark from list of packages with limited support * l10n - Prepare support for localized manpage, leave a note for translators - Swedish debconf template translation [Martin Bagge]. Closes: #762794 - Dutch debconf template translation [Paul Gevers]. Closes: #762927 . debian-security-support (2014.09.11) UNRELEASED; urgency=low . * Add iceweasel to list of packages not supported in squeeze-lts . debian-security-support (2014.09.07) unstable; urgency=low . * Turkish debconf template translation [Mert Dirik]. Closes: #757511 * Add flashplugin-nonfree to list of packages not supported in squeeze-lts * Packaging: Migrate templating to Template Toolkit * Handle --type without --list (Closes: #749894), fix parameter passing debian-security-support (2015.04.04~~deb6u1) squeeze-lts; urgency=low . * Rebuild for squeeze-lts. . debian-security-support (2015.04.04) unstable; urgency=high . * Add wireshark to unsupported packages in Squeeze (Closes: #774312) * Remove php5 and memcached from "limited support": Debian's PHP support is not different from upstream's and is well understood by the community. The same applies to memcached (Closes: #775582) * Mark chromium-browser as unsupported in Wheezy (Closes: #776904). The same applies to rails * Mark piwigo as unsupported in Squeeze (Closes: #779104) * Mark xulrunner as unsupported . debian-security-support (2014.12.17) unstable; urgency=high . * Add to list of packages not supported in squeeze-lts: - src:qemu (Closes: #772858) - src:textpattern (Closes: #773048) debian-security-support (2014.12.17) unstable; urgency=high . * Add to list of packages not supported in squeeze-lts: - src:qemu (Closes: #772858) - src:textpattern (Closes: #773048) debian-security-support (2014.12.17~bpo60+1) squeeze-lts; urgency=low . * Rebuild for squeeze-lts . debian-security-support (2014.12.17) unstable; urgency=high . * Add to list of packages not supported in squeeze-lts: - src:qemu (Closes: #772858) - src:textpattern (Closes: #773048) debian-security-support (2014.12.08) unstable; urgency=high . * Remove remaining bashism. Closes: #772268 * limited support: mozjs* and libv8-3.14 * postinst: Have an (empty) triggered target * Add list of packages not supported in jessie, empty for the time being debian-security-support (2014.12.08~bpo60+1) squeeze-lts; urgency=low . * Rebuild for squeeze-lts debian-security-support (2014.11.07) unstable; urgency=high . * Check hook for existence before running it. Closes: #768391 debian-security-support (2014.11.04) unstable; urgency=high . * Closes an RC bug, urgency set to high * Add src:axis2c to list of packages not supported in squeeze-lts. Closes: #765374 * Use dpkg invoke hook instead of triggers. Thanks Guillem Jover for the detailed explanations. Closes: #762031 debian-security-support (2014.10.26) unstable; urgency=low . * Features and Bugfixes - Add VCS information - Move manpage to man/ directory - Declare the trigger "-noawait". See: #762031 - Use dpkg-query to retrieve the dpkg version number - Override TMPDIR unless it has relaxed permissions. Closes: #763277 * limited support list - Alter text for kde4libs, change webkit to webkitgtk - Remove wireshark from list of packages with limited support * l10n - Prepare support for localized manpage, leave a note for translators - Swedish debconf template translation [Martin Bagge]. Closes: #762794 - Dutch debconf template translation [Paul Gevers]. Closes: #762927 debian-security-support (2014.09.11~deb6u1) squeeze-lts; urgency=low . * Rebuild for squeeze-lts debian-security-support (2014.09.07+deb6u1) unstable; urgency=low . * Rebuild for squeeze-lts debian-security-support (2014.09.07) unstable; urgency=low . * Turkish debconf template translation [Mert Dirik]. Closes: #757511 * Add flashplugin-nonfree to list of packages not supported in squeeze-lts * Packaging: Migrate templating to Template Toolkit * Handle --type without --list (Closes: #749894), fix parameter passing debian-security-support (2014.09.07~bpo70+1) wheezy-backports; urgency=medium . * Rebuild for wheezy-backports. . debian-security-support (2014.09.07) unstable; urgency=low . * Turkish debconf template translation [Mert Dirik]. Closes: #757511 * Add flashplugin-nonfree to list of packages not supported in squeeze-lts * Packaging: Migrate templating to Template Toolkit * Handle --type without --list (Closes: #749894), fix parameter passing . debian-security-support (2014.07.31) unstable; urgency=low . * Czech program translation (Michal Simunek). Closes: #752511 * Process substitution might fail in chroots, use temp files instead. Closes: #753940 . debian-security-support (2014.07.20) unstable; urgency=low . [ security-support lists ] * Unsupported in squeeze-lts: turba2, xen-qemu-dm-4.0 * Fix support-ended list: Add ffmpeg * Pretty-format security-support lists, also: Closes: #752143 . [ features ] * Run check program with specified shell * Revert accidential re-introduction of #748960 * Fix system account check, thanks gregor herrmann. Closes: #753325 * Update package descriptions and message catalogs. Closes: #747697 . [ Debconf translations ] * Danish (Joe Hansen). Closes: #750675 * Russian (Yuri Kozlov). Closes: #750744 * German (Chris Leick). Closes: #751166 * French (Julien Patriarca). Closes: #751219 * Portuguese (Américo Monteiro). Closes: #751824 * Polish (Michał Kułach). Closes: #752089 * Czech (Michal Simunek). Closes: #752155 * Italian (Beatrice Torracca). Closes: #752174 * Brazilian Portuguese (Adriano Rafael Gomes). Closes: #752200 * Spanish; (Matías Bellone). Closes: #752268 . [ Program translations ] * Danish (Joe Hansen). Closes: #750675 * Russian (Yuri Kozlov). Closes: #750820 * Portuguese (Américo Monteiro). Closes: #751824 * German (Chris Leick). Closes: #751913 * French (Julien Patriarca). Closes: #751950 * Polish (Michał Kułach). Closes: #752113 * Italian (Beatrice Torracca). Closes: #752233 * Brazilian Portuguese (Adriano Rafael Gomes). Closes: #752365 . debian-security-support (2014.05.29) unstable; urgency=low . * Update messages catalog, thanks to Justin B Rye * Ignore packages removed but not purged. Closes: #749551 * Test suite: - Do the explanation spacing testcase right - Assert check-support-status works for all awk variants (gawk, mawk, original-awk) . debian-security-support (2014.05.27) unstable; urgency=low . * Set LC_ALL=C everywhere when a program call should be l18n-agnostic. Closes: #748446 * Drop --dpkg* parameters, they are needed for tests only * Update list of unsupported packages as per discussion on debian-lts@lists.debian.org * Update manpage, thanks to Justin B Rye for review and suggestions * Rename "semaphore" to "status db" to reflect its actual function . debian-security-support (2014.05.24) unstable; urgency=low . * Update security support ended information from 2014.05.16+deb6u1 * Don't overtrim the explanative text. Closes: #748954 * Don't run the check program through a login shell. Closes: #748960 . debian-security-support (2014.05.16) unstable; urgency=low . * Fix build error with older versions of Test::Command * Add Debian Security Team to Uploaders: * Update package description to reflect limited support, too . debian-security-support (2014.04.28) unstable; urgency=low . * Initial Release debian-security-support (2014.07.31) unstable; urgency=low . * Czech program translation (Michal Simunek). Closes: #752511 * Process substitution might fail in chroots, use temp files instead. Closes: #753940 debian-security-support (2014.07.20) unstable; urgency=low . [ security-support lists ] * Unsupported in squeeze-lts: turba2, xen-qemu-dm-4.0 * Fix support-ended list: Add ffmpeg * Pretty-format security-support lists, also: Closes: #752143 . [ features ] * Run check program with specified shell * Revert accidential re-introduction of #748960 * Fix system account check, thanks gregor herrmann. Closes: #753325 * Update package descriptions and message catalogs. Closes: #747697 . [ Debconf translations ] * Danish (Joe Hansen). Closes: #750675 * Russian (Yuri Kozlov). Closes: #750744 * German (Chris Leick). Closes: #751166 * French (Julien Patriarca). Closes: #751219 * Portuguese (Américo Monteiro). Closes: #751824 * Polish (Michał Kułach). Closes: #752089 * Czech (Michal Simunek). Closes: #752155 * Italian (Beatrice Torracca). Closes: #752174 * Brazilian Portuguese (Adriano Rafael Gomes). Closes: #752200 * Spanish; (Matías Bellone). Closes: #752268 . [ Program translations ] * Danish (Joe Hansen). Closes: #750675 * Russian (Yuri Kozlov). Closes: #750820 * Portuguese (Américo Monteiro). Closes: #751824 * German (Chris Leick). Closes: #751913 * French (Julien Patriarca). Closes: #751950 * Polish (Michał Kułach). Closes: #752113 * Italian (Beatrice Torracca). Closes: #752233 * Brazilian Portuguese (Adriano Rafael Gomes). Closes: #752365 debian-security-support (2014.05.29+deb6u1) unstable; urgency=low . * Rebuild for squeeze-lts debian-security-support (2014.05.29) unstable; urgency=low . * Update messages catalog, thanks to Justin B Rye * Ignore packages removed but not purged. Closes: #749551 * Test suite: - Do the explanation spacing testcase right - Assert check-support-status works for all awk variants (gawk, mawk, original-awk) debian-security-support (2014.05.27) unstable; urgency=low . * Set LC_ALL=C everywhere when a program call should be l18n-agnostic. Closes: #748446 * Drop --dpkg* parameters, they are needed for tests only * Update list of unsupported packages as per discussion on debian-lts@lists.debian.org * Update manpage, thanks to Justin B Rye for review and suggestions * Rename "semaphore" to "status db" to reflect its actual function debian-security-support (2014.05.24+deb6u1) squeeze-lts; urgency=low . * Update list of unsupported packages as per discussion on debian-lts@lists.debian.org debian-security-support (2014.05.24) unstable; urgency=low . * Update security support ended information from 2014.05.16+deb6u1 * Don't overtrim the explanative text. Closes: #748954 * Don't run the check program through a login shell. Closes: #748960 debian-security-support (2014.05.16+deb6u1) squeeze-lts; urgency=low . * Add initial list of unsupported packages in squeeze-lts, some are still under discussion on the mailing list * Disable test suite temporarily debian-security-support (2014.05.16) unstable; urgency=low . * Fix build error with older versions of Test::Command * Add Debian Security Team to Uploaders: * Update package description to reflect limited support, too debian-security-support (2014.04.28) unstable; urgency=low . * Initial Release debmirror (1:2.16~deb7u1) oldstable; urgency=low . * Upload for wheezy. Closes: #749734. debmirror (1:2.15) unstable; urgency=low . * Improved interface to gpgv. Thanks, Tom Jones. * Add --keyring option. Thanks, Tom Jones. * Add --exclude-field and --include-field options. Closes: #695767. Thanks, Colin Watson * Supports https. Closes: #697687 Thanks, Fernando Ike * Treat "Origin: Canonical" like "Origin: Ubuntu" Closes: #702319. Thanks, Tal Danzig debootstrap (1.0.48+deb7u4) wheezy; urgency=medium . * Add support for stretch (Closes: #783361). debootstrap (1.0.48+deb7u3) wheezy; urgency=medium . [ Colin Watson ] * Resolve mount point symlinks relative to the target chroot before unmounting them (closes: #702861, #703037, #704744, #753442). didjvu (0.2.3-2+deb7u1) oldstable; urgency=medium . * add fix-insecure-use-of-tmp-when-calling-c44.diff on security bug #784888 (closed by 0.4-1 in sid). django-markupfield (1.0.2-2+deb7u1) wheezy-security; urgency=high . * Security Upload * Include fix for remote file inclusion, CVE-2015-0846, thanks to James P. Turk for finding this bug and providing a fix. dnsmasq (2.62-3+deb7u3) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Handle case where SO_REUSEPORT may be defined but not supported by the running kernel. The update for CVE-2015-3294 caused a regression for the armel and armhf builds due to a newer linux-libc-dev package installed in the wheezy chroots used for the build. The libc headers defined SO_REUSEPORT, whereas the kernel in wheezy does not support it uncovering this problem. (Closes: #784571) * Set SO_REUSEADDR as well as SO_REUSEPORT on DHCP sockets when both are available dnsmasq (2.62-3+deb7u2) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2015-3294: denial of service and memory disclosure via malformed DNS requests (Closes: #783459) dpkg (1.16.16) wheezy-security; urgency=high . [ Guillem Jover ] * Do not leak long tar names on bogus or truncated archives. * Do not leak the filepackages iterator when a directory is used by other packages. * Do not leak color string on «dselect --color». * Fix memory leaks when parsing alternatives. * Fix memory leaks in buffer_copy() on error conditions. * Fix possible out of bounds buffer read access in the error output on bogus ar member sizes. * Fix file triggers/Unincorp descriptor leak on subprocesses. Regression introduced with the initial triggers implementation in dpkg 1.14.17. Closes: #751021 * Fix a descriptor leak on dselect subprocesses when --debug is used. * Do not run qsort() over the scandir() list in libcompat if it is NULL. * Fix off-by-one stack buffer overrun in start-stop-daemon on GNU/Linux and GNU/kFreeBSD if the executable pathname is longer than _POSIX_PATH_MAX. Although this should not have security implications as the buffer is surrounded by two arrays (so those catch accesses even if the stack grows up or down), and we are compiling with -fstack-protector anyway. * Add a workaround to start-stop-daemon for bogus OpenVZ Linux kernels that prepend, instead of appending, the " (deleted)" marker in /proc/PID/exe. Closes: #731530 * Fix off-by-one error in libdpkg command argv size calculation. Based on a patch by Bálint Réczey . Closes: #760690 * Escape package and architecture names on control file parsing warning, as those get injected into a variable that is used as a format string, and they come from the package fields, which are under user control. Regression introduced in dpkg 1.16.0. Fixes CVE-2014-8625. Closes: #768485 Reported by Joshua Rogers . * Do not match partial field names in control files. Closes: #769119 Regression introduced in dpkg 1.10. * Fix out-of-bounds buffer read accesses when parsing field and trigger names or checking package ownership of conffiles and directories. Reported by Joshua Rogers . * Add powerpcel support to cputable. Thanks to Jae Junh . * Fix OpenPGP Armor Header Line parsing in Dpkg::Control::Hash. We should only accept [\r\t ] as trailing whitespace, although RFC4880 does not clarify what whitespace really maps to, we should really match the GnuPG implementation anyway, as that's what we use to verify the signatures. Reported by Jann Horn . Fixes CVE-2015-0840. . [ Raphaël Hertzog ] * Drop myself from Uploaders. . [ Updated scripts translations ] * Fix typos in German (Helge Kreutzmann) * Swedish (Peter Krefting). . [ Updated man page translations ] * Fix typos in German (Helge Kreutzmann) * Swedish (Peter Krefting). drupal7 (7.14-2+deb7u10) oldstable-security; urgency=high . * Backported from 7.38: SA-CORE-2015-002 (Multiple vulnerabilities. CVE IDs assigned as follows: + Impersonation (OpenID module - Drupal 6 and 7): CVE-2015-3234 + Open redirect (Field UI module - Drupal 7): CVE-2015-3232 + Open redirect (Overlay module - Drupal 7: CVE-2015-3233 + Information disclosure (Render cache system - Drupal 7): CVE-2015-3231 * Refreshed patches that are applied for the build process, lowering the amount of build-noise generated. drupal7 (7.14-2+deb7u10~bpo60+1) squeeze-backports; urgency=high . * Backported from 7.38: SA-CORE-2015-002 (Multiple vulnerabilities. CVE IDs assigned as follows: + Impersonation (OpenID module - Drupal 6 and 7): CVE-2015-3234 + Open redirect (Field UI module - Drupal 7): CVE-2015-3232 + Open redirect (Overlay module - Drupal 7: CVE-2015-3233 + Information disclosure (Render cache system - Drupal 7): CVE-2015-3231 * Refreshed patches that are applied for the build process, lowering the amount of build-noise generated. drupal7 (7.14-2+deb7u9) wheezy-security; urgency=high . * Backported from version 7.35 addressing SA-CORE-2015-001 (Access bypass on password reset URLs; Open redirect) drupal7 (7.14-2+deb7u9~bpo60+1) squeeze-backports; urgency=high . * Backported from version 7.35 addressing SA-CORE-2015-001 (Access bypass on password reset URLs; Open redirect) dulwich (0.8.5-2+deb7u2) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add 03_CVE-2014-9706 patch. CVE-2014-9706: Don't allow writing to files under .git/ when checking out working trees. (Closes: #780989) dulwich (0.8.5-2+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add 02_CVE-2015-0838 patch. CVE-2015-0838: Buffer overflow in C implementation of apply_delta(). e2fsprogs (1.42.5-1.1+deb7u1) stable-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix CVE-2015-0247: buffer overflow in ext file system open/close routines. * Fix CVE-2015-1572: incomplete fix for CVE-2015-0247. eglibc (2.13-38+deb7u8) wheezy-security; urgency=medium . * debian/patches/any/cvs-wscanf.diff: new patch from upstream to fix a heap buffer overflow in wscanf (CVE-2015-1472, CVE-2015-1473). Closes: #777197. * debian/patches/any/cvs-vfprintf.diff: new patch from ustream to fix a stack overflow in vfprintf (CVE-2012-3406). Closes: #681888. * debian/patches/any/cvs-posix_spawn_file_actions_addopen.diff: new patch from upstream to fix a vulnerability in posix_spawn_file_actions_addopen (CVE-2014-4043). Closes: #751774. * debian/patches/any/cvs-getnetbyname.diff: new patch from upstream to fix an infinite loop in getnetbyname (CVE-2014-9402). Closes: #775572. * debian/patches/any/cvs-getaddrinfo-idn.diff: new patch from upstream to fix a invalid-free when using getaddrinfo with IDN (CVE-2013-7424). eglibc (2.13-38+deb7u7) wheezy-security; urgency=medium . * debian/patches/any/cvs-gethostbyname.diff: new patch from upstream to fix a buffer overflow in gethostbyname (CVE-2015-0235). * debian/patches/any/cvs-iconvdata-ibm930.diff: new patch from upstream to fix a possible crash when using the iconv function to convert IBM930 encoded data (CVE-2012-6656). * debian/patches/any/cvs-iconvdata-ibm.diff: new patch from upstream to fix fix a possible crash when using the iconv function to convert IBM933, IBM935, IBM937, IBM939, IBM1364 encoded data (CVE-2014-6040). * debian/patches/any/cvs-wordexp.diff: new patch from upstream to fix a command execution in wordexp() with WRDE_NOCMD specified (CVS-2014-7817). exactimage (0.8.5-5+deb7u4) wheezy; urgency=high . * Fix CVE-2015-3885: Integer overflow in the ljpeg_start function in dcraw * debian/patches: - Add CVE-2015-3885.patch, Avoid overflow in ljpeg_start() (Closes: #786785) - Add draw_jpeg_fix.patch, Fix execution order of ljpeg_start() and result check expat (2.1.0-1+deb7u2) wheezy-security; urgency=high . * Fix CVE-2015-1283, multiple integer overflows in the XML_GetBuffer function (closes: #793484). file (5.11-2+deb7u8) wheezy-security; urgency=high . * Fix partial reads in readelf.c [CVE-2014-9653]. Closes: #777585 file (5.11-2+deb7u7) wheezy-security; urgency=high . * Fix several security issues, Closes: #773148 freetype (2.4.9-1.1+deb7u1) wheezy-security; urgency=high . * CVE-2014-9656 CVE-2014-9657 CVE-2014-9658 CVE-2014-9660 CVE-2014-9661 CVE-2014-9663 CVE-2014-9664 CVE-2014-9666 CVE-2014-9667 CVE-2014-9669 CVE-2014-9670 CVE-2014-9671 CVE-2014-9672 CVE-2014-9673 CVE-2014-9675 freexl (1.0.0b-1+deb7u2) wheezy-security; urgency=high . * Add patch to fix 32 bit multiplication overflow. freexl (1.0.0b-1+deb7u1) wheezy-security; urgency=high . * Add myself to Uploaders. * Update Vcs-* URLs for move to pkg-grass & wheezy branch for Vcs-Git. * Add patch to fix vulnerabilities identified by American Fuzzy Lop. (closes: #781228) frogr (0.7-2+deb7u1) stable; urgency=medium . * use-ssl-api.patch: - Use the SSL endpoints for the Flickr API. The non-SSL API was disabled on June 2014. * fix-gcrypt-crash.patch: - Fix crash in gcrypt. * debian/control: - Remove obsolete DM-Upload-Allowed flag. - Update home page address. * Update my e-mail address in debian/*. fuse (2.9.0-2+deb7u2) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add 04-CVE-2015-3202.patch patch. CVE-2015-3202: Missing scrubbing of the environment before executing a mount or umount of a filesystem. gamera (3.3.3-2+deb7u1) oldstable; urgency=medium . * add avoid_mktexmp.diff to fix CVE-2014-1937 (related bug #737324 was closed in Sid by 3.4.1-1). gdk-pixbuf (2.26.1-1+deb7u1) wheezy-security; urgency=low . * CVE-2015-4491 ghostscript (9.05~dfsg-6.3+deb7u2) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2015-3228.patch patch. CVE-2015-3228: Integer overflow in gs_heap_alloc_bytes() (Closes: #793489) gnome-shell (3.4.2-7+deb7u2) wheezy; urgency=low . * 29_week_number.patch: backported patch from upstream. Fix week number computation, which is wrong in 2015. Closes: #769118. gnupg (1.4.12-7+deb7u7) wheezy-security; urgency=high . * Use ciphertext blinding for Elgamal decryption to counteract a side-channel attack as per CVE-2014-3591 * Fix data-dependent timing variations in the modular exponentiation function that could be used to mount a side-channel attack as per CVE-2015-0837 * Fix a use-after-free when importing a garbled keyring file as per CVE-2015-1606 (Closes: #778652) gnutls26 (2.12.20-8+deb7u3) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add 40_CVE-2015-0294.diff patch. CVE-2015-0294: certificate algorithm consistency checking issue. * Add 41_CVE-2015-0282.diff patch. CVE-2015-0282: RSA PKCS#1 signature verification forgery (GNUTLS-SA-2015-1). gst-plugins-bad0.10 (0.10.23-7.1+deb7u2) wheezy-security; urgency=low . * Fix buffer overflow in MP4 playback, thanks to Ralph Giles hp2xx (3.4.4-8+deb7u1) stable; urgency=high . * include patch by Martin Kroeker to fix crashes found by Jodie Cunningham httpcomponents-client (4.1.1-2+deb7u1) wheezy; urgency=high . * Team upload. * Add CVE-2012-6153.patch and CVE-2014-3577.patch. It was found that the fix for CVE-2012-5783 and CVE-2012-6153 was incomplete. The code added to check that the server hostname matches the domain name in the subject's CN field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can spoof a valid certificate using a specially crafted subject. iceweasel (38.2.1esr-1~deb7u1) oldstable-security; urgency=high . * New upstream release. * Fixes for mfsa2015-{94-95}, also known as: CVE-2015-4497, CVE-2015-4498. . * configure.in: Build libvpx neon code with -mfloat-abi=softfp on armel. * media/libjpeg/simd/jsimd_mips_dspr2.S: Fix build error in MIPS SIMD when compiling with -mfpxx. . iceweasel (38.2.0esr-2~deb7u1) oldstable-security; urgency=medium . * debian/rules, debian/upstream.mk: Don't set LESS_SYSTEM_LIBS when building a backport for stretch. Closes: #795331. * debian/rules, debian/control.in: Force build with GCC 4.7 when backporting to wheezy. . * media/libvpx/moz.build: Build libvpx neon code without -mthumb and -mfloat-abi=softfp. Closes: #795337. iceweasel (38.2.0esr-1) unstable; urgency=high . * New upstream release. * Fixes for mfsa2015-{79-80,82-83,87-88,90,92}, also known as: CVE-2015-4473, CVE-2015-4475, CVE-2015-4478, CVE-2015-4479, CVE-2015-4480, CVE-2015-4493, CVE-2015-4484, CVE-2015-4491, CVE-2015-4487, CVE-2015-4488, CVE-2015-4489, CVE-2015-4492. . * debian/latest_nightly.py, debian/upstream.mk: Modify latest_nightly.py to work without ftp now that it's gone. * debian/upstream.mk: Switch to HTTPS for all hg.mozilla.org urls. . * toolkit/components/search/nsSearchService.js: Revert change from 32.0.3-1 that bumped the search engine max icon size to 35kB because it's not needed anymore. iceweasel (38.2.0esr-1~stretch) stretch; urgency=medium . * Non-maintainer upload. * Rebuild 38.2.0esr-1 for stretch so that various security fixes can bypass the g++-5 transition. iceweasel (38.2.0esr-1~deb8u1) stable-security; urgency=high . * New upstream release. * Fixes for mfsa2015-{79-80,82-83,87-90,92}, also known as: CVE-2015-4473, CVE-2015-4475, CVE-2015-4478, CVE-2015-4479, CVE-2015-4480, CVE-2015-4493, CVE-2015-4484, CVE-2015-4491, CVE-2015-4485, CVE-2015-4486, CVE-2015-4487, CVE-2015-4488, CVE-2015-4489, CVE-2015-4492. . * debian/latest_nightly.py, debian/upstream.mk: Modify latest_nightly.py to work without ftp now that it's gone. * debian/upstream.mk: Switch to HTTPS for all hg.mozilla.org urls. . * toolkit/components/search/nsSearchService.js: Revert change from 32.0.3-1 that bumped the search engine max icon size to 35kB because it's not needed anymore. . iceweasel (38.1.1esr-1) unstable; urgency=high . * New upstream release. * Fixes for mfsa2015-78, also known as CVE-2015-4495. . * debian/source.filter: Remove the source tarball filtering of search plugin icons. See 20150715221703.GD19084@glandium.org. . iceweasel (38.1.0esr-3) unstable; urgency=medium . * debian/browser.js.in, debian/vendor.js.in: Fix localized searchplugins. Closes: #775813. . iceweasel (38.1.0esr-2) unstable; urgency=medium . * debian/control*: Bump NSS build dependency. . iceweasel (38.1.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2015-{59-67,69}, also known as: CVE-2015-2724, CVE-2015-2725, CVE-2015-2727, CVE-2015-2728, CVE-2015-2729, CVE-2015-2731, CVE-2015-2730, CVE-2015-2722, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740, CVE-2015-2741, CVE-2015-2743. . * debian/rules: Use the right --target, --host and --build arguments to configure for the Mozilla build system, which uses different meanings. * debian/branding/firefox-branding.js: Add devtools.selfxss.count pref to the iceweasel branding to match unofficial branding. Closes: #787975. * debian/browser.js.in: Use a sticky pref for browser.newtabpage.enhanced. * debian/branding/content/Makefile.in: Revert branding changes for SVG wordmark, not used on ESR . * modules/libpref/prefapi.*, modules/libpref/prefread.*, modules/libpref/test/unit/data/testPrefSticky*.js, modules/libpref/test/unit/test_stickyprefs.js, modules/libpref/test/unit/xpcshell.ini: support 'sticky' preferences, meaning a user value is retained even when it matches the default. bz#1098343. * browser/app/profile/firefox.js, browser/base/content/newtab/intro.js, browser/base/content/newtab/page.js, browser/modules/DirectoryLinksProvider.jsm: Update patch from bz#1094324 to fit what landed upstream in newer versions. . iceweasel (38.0.1-5) unstable; urgency=medium . * debian/rules: Force a timezone when extracting defaults/* files from omni.ja archives. . iceweasel (38.0.1-4) unstable; urgency=medium . * python/mozbuild/mozpack/files.py: Fixup to keep file type. * toolkit/content/Makefile.in, toolkit/content/buildconfig.html: Remove build machine name from about:buildconfig. bz#1168316. . iceweasel (38.0.1-3) unstable; urgency=medium . * debian/upstream.mk: Force a timezone when setting MOZ_BUILD_DATE. . * python/mozbuild/mozpack/files.py: Normalize file mode in jars. bz#1168231. . iceweasel (38.0.1-2) unstable; urgency=medium . * debian/upstream.mk: Set MOZ_BUILD_DATE to the date of the last debian/changelog entry for non-Aurora builds. * debian/branding/content/Makefile.in: Add a dummy conversion for about.png to remove timestamps. * debian/browser.js.in: Default to classic view for about:newtab. * debian/copyright: Update copyright file to some degree. * debian/control*: Bump Standards-Version to 3.9.6.0. - debian/rules: Add build-arch and build-indep targets to debian/rules. * debian/control*: Switch Vcs-* urls to anonscm.debian.org. . * ipc/testshell/XPCShellEnvironment.cpp, js/src/shell/js.cpp, js/xpconnect/src/XPCShellImpl.cpp: Remove build() function from js and xpc shells. bz#1166243. * toolkit/locales/l10n.mk. Use dozip.py for langpacks. bz#1166538. * browser/app/profile/firefox.js, browser/base/content/newtab/intro.js browser/modules/DirectoryLinksProvider.jsm: Set browser.newtabpage.enhanced default in prefs. bz#1094324. . iceweasel (38.0.1-1) unstable; urgency=medium . * New upstream release. . * debian/vendor.js.in: Disable auto-installing webide related addons. Closes: #785595. * debian/rules: Disable jit on mips. Only mipsel is supported by the jit code currently. . * configure.in, media/libjpeg/moz.build: Fixup libjpeg-turbo assembly cleanup. * security/manager/ssl/src/SSLServerCertVerification.cpp: Add a NULL-check for extensions on the end entity certificate when gathering EKU telemetry. Closes: #782772. . iceweasel (38.0-2) unstable; urgency=medium . * debian/repack.py: Fix to support filter patterns excluding a top-level directory. . * configure.in: Cleanup how libjpeg-turbo assembly build variables are set. bz#1165654. This should fix FTBFSes on arm64 and mips*. * memory/mozjemalloc/jemalloc.c: Make powerpc not use static page sizes. Closes: #763900. . iceweasel (38.0-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2015-{46,48-51,53-56}, also know as: CVE-2015-2708, CVE-2015-2709, CVE-2015-2710, CVE-2015-2711, CVE-2015-2712, CVE-2015-2713, CVE-2015-2715, CVE-2015-2716, CVE-2015-2717, CVE-2015-2718. . * debian/branding/Makefile.in, debian/branding/moz.build: Adapt build rules to upstream changes * debian/branding/locales/en-US/brand.*: Add brandShorterName to Iceweasel branding. * debian/branding/content/Makefile.in: Add silhouette-40.svg from the unofficial branding to iceweasel branding * debian/control*: Bump nss and sqlite build dependencies. * debian/control.in, debian/upstream.mk: Change backport rules. - Set LESS_SYSTEM_LIBS on wheezy and jessie. - Only use gstreamer 0.10 on wheezy. . iceweasel (37.0.2-1) experimental; urgency=medium . * New upstream release. * Fix for mfsa2015-45, also known as CVE-2015-2706. . iceweasel (37.0.1-1) experimental; urgency=medium . * New upstream release. * Fix for mfsa2015-44, also known as CVE-2015-0799. . * debian/browser.js.in: Change the pref used to disable openh264. Closes: #769716. . iceweasel (37.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{30-34,36-40,42}, also known as: CVE-2015-0815, CVE-2015-0814, CVE-2015-0813, CVE-2015-0812, CVE-2015-0816, CVE-2015-0811, CVE-2015-0808, CVE-2015-0807, CVE-2015-0805, CVE-2015-0806, CVE-2015-0803, CVE-2015-0804, CVE-2015-0801, CVE-2015-0802. . iceweasel (36.0.4-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{28-29}, also known as: CVE-2015-0818, CVE-2015-0817. . iceweasel (36.0.1-2) experimental; urgency=medium . * debian/browser.mozconfig.in: Don't build with --disable-eme, reverting the change from 36.0-1. . iceweasel (36.0.1-1) experimental; urgency=medium . * New upstream release. . * gfx/layers/basic/BasicCompositor.cpp, gfx/layers/basic/BasicLayerManager.cpp: Reintroduce pixman code path removed in bz#1097776 for --disable-skia builds. bz#1136958. . iceweasel (36.0-2) experimental; urgency=medium . * debian/browser.mozconfig.in: Force enable skia, to possibly fix FTBFS on non-x86/amd64/arm architectures. . * gfx/skia/moz.build: Remove duplicate SkDiscardableMemory_none.cpp. bz#1136958. . iceweasel (36.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{11,13-17,19-27}, also known as: CVE-2015-0836, CVE-2015-0835, CVE-2015-0832, CVE-2015-0830, CVE-2015-0834, CVE-2015-0831, CVE-2015-0829, CVE-2015-0827, CVE-2015-0826, CVE-2015-0825, CVE-2015-0824, CVE-2015-0823, CVE-2015-0822, CVE-2015-0821, CVE-2015-0819, CVE-2015-0820. . * debian/control*: Bump nss and sqlite build dependencies. * debian/branding/Makefile.in, debian/branding/moz.build, debian/extra-stuff/Makefile.in, debian/extra-stuff/moz.build: Update and cleanup. * debian/browser.install.in: Remove mozilla-xremote-client, it was removed upstream. * debian/browser.install.in, debian/rules: Remove libmozsandbox.so, it's not a shared library anymore. * debian/browser.mozconfig.in: Build with --disable-eme for now, . iceweasel (35.0.1-1) experimental; urgency=medium . * New upstream release. . * debian/browser.install.in, debian/rules: Only install libmozsandbox.so on i386 and amd64. * debian/control: Recommend gstreamer packages for video playing capabilities. Closes: #737092. Also change the gstreamer build dependencies not to use alternatives. . iceweasel (35.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{01-06,08-09}, also known as: CVE-2014-8634, CVE-2014-8635, CVE-2014-8637, CVE-2014-8637, CVE-2014-8639, CVE-2014-8640, CVE-2014-8641, CVE-2014-8642, CVE-2014-8636. . * debian/browser.mozconfig.in: Build with --enable-pie instead of our own patch to the build system. . * moz.build: Fix how debian/extra-stuff is added to upstream build system directory traversal after upstream changes. . iceweasel (34.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2014-{83-89,91}, also known as: CVE-2014-1587, CVE-2014-1588, CVE-2014-1589, CVE-2014-1590, CVE-2014-1591, CVE-2014-1592, CVE-2014-1593, CVE-2014-1594, CVE-2014-8631, CVE-2014-8632. . * debian/branding/firefox-branding.js: Set browser.aboutHomeSnippets.updateUrl to "data:text/html,", which resets previously downloaded snippets after a day. * debian/browser.js.in: Avoid openh264 being downloaded and disable it if it is already there. Closes: #769716. * debian/control*: Bump nss and sqlite build dependencies. * debian/rules: Remove --disable-compile-environment for l10n builds because of bz#1063880. * debian/browser.install.in: Add sandbox library. . iceweasel (33.1-1) experimental; urgency=medium . * New upstream release. . * debian/changelog: Add missing entries for 27.0.1-1. * debian/rules: Don't force to build with GCC 4.9 on armhf anymore. * debian/browser.mozconfig.in: Don't build with --enable-unified-compilation. It may be causing build problems on architectures with limited resources. * debian/browser.install.in, debian/browser.postinst.in, debian/browser.postrm.in, debian/browser.preinst.in, debian/duckduckgo.xml: Remove duckduckgo search engine, since upstream now has it included. * debian/branding/firefox-branding.js: - Set browser.startup.homepage_override.mstone to "ignore". - Set browser.aboutHomeSnippets.updateUrl to nothing. Closes: #721689. . * Import patches from the nss source package that are relevant to building iceweasel against the in-tree nss source, for backports: - security/nss/lib/freebl/unix_rand.c, security/nss/cmd/shlibsign/shlibsign.c: Fix FTBFS on Hurd because of MAXPATHLEN - security/nss/coreconf/Linux.mk, security/nss/coreconf/arch.mk, security/nss/coreconf/config.mk, security/nss/lib/freebl/unix_rand.c, security/nss/lib/softoken/softoken.h, security/nss/lib/ssl/sslmutex.*: GNU/kFreeBSD support. - security/nss/lib/ckfw/builtins/certdata.txt: Adds the SPI Inc. and CAcert.org CA certificates. Those patches were applied on the esr24 branch, but were forgotten on the release branch at the time. * media/libcubeb/tests/moz.build: Work around binutils assertion on mips. . iceweasel (33.0-2) experimental; urgency=medium . * debian/control*, debian/rules: Do not build depend on gstreamer 1.0 when building a backport. . * netwerk/base/public/security-prefs.js, security/manager/ssl/src/nsNSSComponent.cpp: Disable SSLv3 to address CVE-2014-3566. bz#1076983. . iceweasel (33.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2014-{74-76,78-82}, also known as: CVE-2014-1574, CVE-2014-1575, CVE-2014-1576, CVE-2014-1577, CVE-2014-1580, CVE-2014-1581, CVE-2014-1582, CVE-2014-1584, CVE-2014-1585, CVE-2014-1586, CVE-2014-1583. . * debian/control*: Bump nss and sqlite build dependencies. * debian/browser.install.in, debian/control.in, debian/rules, debian/upstream.mk, debian/vendor.js.in: Change how official branding is handled. * debian/rules: Disable tests on stable-security. * debian/browser.install.in, debian/browser.mozconfig.in, debian/control.in, debian/rules: Allow to build against Gtk+3 by setting the GTK3 environment variable while building. . iceweasel (32.0.3-1) experimental; urgency=medium . * New upstream release. . * toolkit/components/search/nsSearchService.js: Bump search engine max icon size to 35kB. Closes: #749084. * build/autoconf/compiler-opts.m4, config/rules.mk: Build target programs as position independent executable when supported by gcc/clang. bz#857628. . iceweasel (32.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2014-{67-70,72}, also known as: CVE-2014-1562, CVE-2014-1553, CVE-2014-1554, CVE-2014-1563, CVE-2014-1564, CVE-2014-1565, CVE-2014-1567. . * debian/browser.bug-script.in, debian/browser.install.in, debian/extra-stuff/Makefile.in, debian/extra-stuff/reportbug-helper-script, debian/installer/package-manifest.browser: Fix bug script. * debian/browser.install.in, debian/rules, debian/upstream.mk: Install libreplace_malloc.so when building a nightly. * debian/control*: Bump nss and sqlite build dependencies. iceweasel (38.2.0esr-1~deb7u1) oldstable-security; urgency=high . * New upstream release. * Fixes for mfsa2015-{79-80,82-83,87-90,92}, also known as: CVE-2015-4473, CVE-2015-4475, CVE-2015-4478, CVE-2015-4479, CVE-2015-4480, CVE-2015-4493, CVE-2015-4484, CVE-2015-4491, CVE-2015-4485, CVE-2015-4486, CVE-2015-4487, CVE-2015-4488, CVE-2015-4489, CVE-2015-4492. . * debian/latest_nightly.py, debian/upstream.mk: Modify latest_nightly.py to work without ftp now that it's gone. * debian/upstream.mk: Switch to HTTPS for all hg.mozilla.org urls. . * toolkit/components/search/nsSearchService.js: Revert change from 32.0.3-1 that bumped the search engine max icon size to 35kB because it's not needed anymore. . iceweasel (38.1.1esr-1) unstable; urgency=high . * New upstream release. * Fixes for mfsa2015-78, also known as CVE-2015-4495. . * debian/source.filter: Remove the source tarball filtering of search plugin icons. See 20150715221703.GD19084@glandium.org. . iceweasel (38.1.0esr-3) unstable; urgency=medium . * debian/browser.js.in, debian/vendor.js.in: Fix localized searchplugins. Closes: #775813. . iceweasel (38.1.0esr-2) unstable; urgency=medium . * debian/control*: Bump NSS build dependency. . iceweasel (38.1.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2015-{59-67,69}, also known as: CVE-2015-2724, CVE-2015-2725, CVE-2015-2727, CVE-2015-2728, CVE-2015-2729, CVE-2015-2731, CVE-2015-2730, CVE-2015-2722, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740, CVE-2015-2741, CVE-2015-2743. . * debian/rules: Use the right --target, --host and --build arguments to configure for the Mozilla build system, which uses different meanings. * debian/branding/firefox-branding.js: Add devtools.selfxss.count pref to the iceweasel branding to match unofficial branding. Closes: #787975. * debian/browser.js.in: Use a sticky pref for browser.newtabpage.enhanced. * debian/branding/content/Makefile.in: Revert branding changes for SVG wordmark, not used on ESR . * modules/libpref/prefapi.*, modules/libpref/prefread.*, modules/libpref/test/unit/data/testPrefSticky*.js, modules/libpref/test/unit/test_stickyprefs.js, modules/libpref/test/unit/xpcshell.ini: support 'sticky' preferences, meaning a user value is retained even when it matches the default. bz#1098343. * browser/app/profile/firefox.js, browser/base/content/newtab/intro.js, browser/base/content/newtab/page.js, browser/modules/DirectoryLinksProvider.jsm: Update patch from bz#1094324 to fit what landed upstream in newer versions. . iceweasel (38.0.1-5) unstable; urgency=medium . * debian/rules: Force a timezone when extracting defaults/* files from omni.ja archives. . iceweasel (38.0.1-4) unstable; urgency=medium . * python/mozbuild/mozpack/files.py: Fixup to keep file type. * toolkit/content/Makefile.in, toolkit/content/buildconfig.html: Remove build machine name from about:buildconfig. bz#1168316. . iceweasel (38.0.1-3) unstable; urgency=medium . * debian/upstream.mk: Force a timezone when setting MOZ_BUILD_DATE. . * python/mozbuild/mozpack/files.py: Normalize file mode in jars. bz#1168231. . iceweasel (38.0.1-2) unstable; urgency=medium . * debian/upstream.mk: Set MOZ_BUILD_DATE to the date of the last debian/changelog entry for non-Aurora builds. * debian/branding/content/Makefile.in: Add a dummy conversion for about.png to remove timestamps. * debian/browser.js.in: Default to classic view for about:newtab. * debian/copyright: Update copyright file to some degree. * debian/control*: Bump Standards-Version to 3.9.6.0. - debian/rules: Add build-arch and build-indep targets to debian/rules. * debian/control*: Switch Vcs-* urls to anonscm.debian.org. . * ipc/testshell/XPCShellEnvironment.cpp, js/src/shell/js.cpp, js/xpconnect/src/XPCShellImpl.cpp: Remove build() function from js and xpc shells. bz#1166243. * toolkit/locales/l10n.mk. Use dozip.py for langpacks. bz#1166538. * browser/app/profile/firefox.js, browser/base/content/newtab/intro.js browser/modules/DirectoryLinksProvider.jsm: Set browser.newtabpage.enhanced default in prefs. bz#1094324. . iceweasel (38.0.1-1) unstable; urgency=medium . * New upstream release. . * debian/vendor.js.in: Disable auto-installing webide related addons. Closes: #785595. * debian/rules: Disable jit on mips. Only mipsel is supported by the jit code currently. . * configure.in, media/libjpeg/moz.build: Fixup libjpeg-turbo assembly cleanup. * security/manager/ssl/src/SSLServerCertVerification.cpp: Add a NULL-check for extensions on the end entity certificate when gathering EKU telemetry. Closes: #782772. . iceweasel (38.0-2) unstable; urgency=medium . * debian/repack.py: Fix to support filter patterns excluding a top-level directory. . * configure.in: Cleanup how libjpeg-turbo assembly build variables are set. bz#1165654. This should fix FTBFSes on arm64 and mips*. * memory/mozjemalloc/jemalloc.c: Make powerpc not use static page sizes. Closes: #763900. . iceweasel (38.0-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2015-{46,48-51,53-56}, also know as: CVE-2015-2708, CVE-2015-2709, CVE-2015-2710, CVE-2015-2711, CVE-2015-2712, CVE-2015-2713, CVE-2015-2715, CVE-2015-2716, CVE-2015-2717, CVE-2015-2718. . * debian/branding/Makefile.in, debian/branding/moz.build: Adapt build rules to upstream changes * debian/branding/locales/en-US/brand.*: Add brandShorterName to Iceweasel branding. * debian/branding/content/Makefile.in: Add silhouette-40.svg from the unofficial branding to iceweasel branding * debian/control*: Bump nss and sqlite build dependencies. * debian/control.in, debian/upstream.mk: Change backport rules. - Set LESS_SYSTEM_LIBS on wheezy and jessie. - Only use gstreamer 0.10 on wheezy. . iceweasel (37.0.2-1) experimental; urgency=medium . * New upstream release. * Fix for mfsa2015-45, also known as CVE-2015-2706. . iceweasel (37.0.1-1) experimental; urgency=medium . * New upstream release. * Fix for mfsa2015-44, also known as CVE-2015-0799. . * debian/browser.js.in: Change the pref used to disable openh264. Closes: #769716. . iceweasel (37.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{30-34,36-40,42}, also known as: CVE-2015-0815, CVE-2015-0814, CVE-2015-0813, CVE-2015-0812, CVE-2015-0816, CVE-2015-0811, CVE-2015-0808, CVE-2015-0807, CVE-2015-0805, CVE-2015-0806, CVE-2015-0803, CVE-2015-0804, CVE-2015-0801, CVE-2015-0802. . iceweasel (36.0.4-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{28-29}, also known as: CVE-2015-0818, CVE-2015-0817. . iceweasel (36.0.1-2) experimental; urgency=medium . * debian/browser.mozconfig.in: Don't build with --disable-eme, reverting the change from 36.0-1. . iceweasel (36.0.1-1) experimental; urgency=medium . * New upstream release. . * gfx/layers/basic/BasicCompositor.cpp, gfx/layers/basic/BasicLayerManager.cpp: Reintroduce pixman code path removed in bz#1097776 for --disable-skia builds. bz#1136958. . iceweasel (36.0-2) experimental; urgency=medium . * debian/browser.mozconfig.in: Force enable skia, to possibly fix FTBFS on non-x86/amd64/arm architectures. . * gfx/skia/moz.build: Remove duplicate SkDiscardableMemory_none.cpp. bz#1136958. . iceweasel (36.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{11,13-17,19-27}, also known as: CVE-2015-0836, CVE-2015-0835, CVE-2015-0832, CVE-2015-0830, CVE-2015-0834, CVE-2015-0831, CVE-2015-0829, CVE-2015-0827, CVE-2015-0826, CVE-2015-0825, CVE-2015-0824, CVE-2015-0823, CVE-2015-0822, CVE-2015-0821, CVE-2015-0819, CVE-2015-0820. . * debian/control*: Bump nss and sqlite build dependencies. * debian/branding/Makefile.in, debian/branding/moz.build, debian/extra-stuff/Makefile.in, debian/extra-stuff/moz.build: Update and cleanup. * debian/browser.install.in: Remove mozilla-xremote-client, it was removed upstream. * debian/browser.install.in, debian/rules: Remove libmozsandbox.so, it's not a shared library anymore. * debian/browser.mozconfig.in: Build with --disable-eme for now, . iceweasel (35.0.1-1) experimental; urgency=medium . * New upstream release. . * debian/browser.install.in, debian/rules: Only install libmozsandbox.so on i386 and amd64. * debian/control: Recommend gstreamer packages for video playing capabilities. Closes: #737092. Also change the gstreamer build dependencies not to use alternatives. . iceweasel (35.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{01-06,08-09}, also known as: CVE-2014-8634, CVE-2014-8635, CVE-2014-8637, CVE-2014-8637, CVE-2014-8639, CVE-2014-8640, CVE-2014-8641, CVE-2014-8642, CVE-2014-8636. . * debian/browser.mozconfig.in: Build with --enable-pie instead of our own patch to the build system. . * moz.build: Fix how debian/extra-stuff is added to upstream build system directory traversal after upstream changes. . iceweasel (34.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2014-{83-89,91}, also known as: CVE-2014-1587, CVE-2014-1588, CVE-2014-1589, CVE-2014-1590, CVE-2014-1591, CVE-2014-1592, CVE-2014-1593, CVE-2014-1594, CVE-2014-8631, CVE-2014-8632. . * debian/branding/firefox-branding.js: Set browser.aboutHomeSnippets.updateUrl to "data:text/html,", which resets previously downloaded snippets after a day. * debian/browser.js.in: Avoid openh264 being downloaded and disable it if it is already there. Closes: #769716. * debian/control*: Bump nss and sqlite build dependencies. * debian/rules: Remove --disable-compile-environment for l10n builds because of bz#1063880. * debian/browser.install.in: Add sandbox library. . iceweasel (33.1-1) experimental; urgency=medium . * New upstream release. . * debian/changelog: Add missing entries for 27.0.1-1. * debian/rules: Don't force to build with GCC 4.9 on armhf anymore. * debian/browser.mozconfig.in: Don't build with --enable-unified-compilation. It may be causing build problems on architectures with limited resources. * debian/browser.install.in, debian/browser.postinst.in, debian/browser.postrm.in, debian/browser.preinst.in, debian/duckduckgo.xml: Remove duckduckgo search engine, since upstream now has it included. * debian/branding/firefox-branding.js: - Set browser.startup.homepage_override.mstone to "ignore". - Set browser.aboutHomeSnippets.updateUrl to nothing. Closes: #721689. . * Import patches from the nss source package that are relevant to building iceweasel against the in-tree nss source, for backports: - security/nss/lib/freebl/unix_rand.c, security/nss/cmd/shlibsign/shlibsign.c: Fix FTBFS on Hurd because of MAXPATHLEN - security/nss/coreconf/Linux.mk, security/nss/coreconf/arch.mk, security/nss/coreconf/config.mk, security/nss/lib/freebl/unix_rand.c, security/nss/lib/softoken/softoken.h, security/nss/lib/ssl/sslmutex.*: GNU/kFreeBSD support. - security/nss/lib/ckfw/builtins/certdata.txt: Adds the SPI Inc. and CAcert.org CA certificates. Those patches were applied on the esr24 branch, but were forgotten on the release branch at the time. * media/libcubeb/tests/moz.build: Work around binutils assertion on mips. . iceweasel (33.0-2) experimental; urgency=medium . * debian/control*, debian/rules: Do not build depend on gstreamer 1.0 when building a backport. . * netwerk/base/public/security-prefs.js, security/manager/ssl/src/nsNSSComponent.cpp: Disable SSLv3 to address CVE-2014-3566. bz#1076983. . iceweasel (33.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2014-{74-76,78-82}, also known as: CVE-2014-1574, CVE-2014-1575, CVE-2014-1576, CVE-2014-1577, CVE-2014-1580, CVE-2014-1581, CVE-2014-1582, CVE-2014-1584, CVE-2014-1585, CVE-2014-1586, CVE-2014-1583. . * debian/control*: Bump nss and sqlite build dependencies. * debian/browser.install.in, debian/control.in, debian/rules, debian/upstream.mk, debian/vendor.js.in: Change how official branding is handled. * debian/rules: Disable tests on stable-security. * debian/browser.install.in, debian/browser.mozconfig.in, debian/control.in, debian/rules: Allow to build against Gtk+3 by setting the GTK3 environment variable while building. . iceweasel (32.0.3-1) experimental; urgency=medium . * New upstream release. . * toolkit/components/search/nsSearchService.js: Bump search engine max icon size to 35kB. Closes: #749084. * build/autoconf/compiler-opts.m4, config/rules.mk: Build target programs as position independent executable when supported by gcc/clang. bz#857628. . iceweasel (32.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2014-{67-70,72}, also known as: CVE-2014-1562, CVE-2014-1553, CVE-2014-1554, CVE-2014-1563, CVE-2014-1564, CVE-2014-1565, CVE-2014-1567. . * debian/browser.bug-script.in, debian/browser.install.in, debian/extra-stuff/Makefile.in, debian/extra-stuff/reportbug-helper-script, debian/installer/package-manifest.browser: Fix bug script. * debian/browser.install.in, debian/rules, debian/upstream.mk: Install libreplace_malloc.so when building a nightly. * debian/control*: Bump nss and sqlite build dependencies. iceweasel (38.1.1esr-1) unstable; urgency=high . * New upstream release. * Fixes for mfsa2015-78, also known as CVE-2015-4495. . * debian/source.filter: Remove the source tarball filtering of search plugin icons. See 20150715221703.GD19084@glandium.org. iceweasel (38.1.1esr-1~deb9u1) stretch; urgency=high . * Non-maintainer upload. * Rebuild iceweasel/38.1.1esr-1 in stretch so CVE-2015-4495 can be fixed there before the g++-5 transition finishes. No source changes. iceweasel (38.1.0esr-3) unstable; urgency=medium . * debian/browser.js.in, debian/vendor.js.in: Fix localized searchplugins. Closes: #775813. iceweasel (38.1.0esr-2) unstable; urgency=medium . * debian/control*: Bump NSS build dependency. iceweasel (38.1.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2015-{59-67,69}, also know as: CVE-2015-2724, CVE-2015-2725, CVE-2015-2727, CVE-2015-2728, CVE-2015-2729, CVE-2015-2731, CVE-2015-2730, CVE-2015-2722, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740, CVE-2015-2741, CVE-2015-2743. . * debian/rules: Use the right --target, --host and --build arguments to configure for the Mozilla build system, which uses different meanings. * debian/branding/firefox-branding.js: Add devtools.selfxss.count pref to the iceweasel branding to match unofficial branding. Closes: #787975. * debian/browser.js.in: Use a sticky pref for browser.newtabpage.enhanced. * debian/branding/content/Makefile.in: Revert branding changes for SVG wordmark, not used on ESR . * modules/libpref/prefapi.*, modules/libpref/prefread.*, modules/libpref/test/unit/data/testPrefSticky*.js, modules/libpref/test/unit/test_stickyprefs.js, modules/libpref/test/unit/xpcshell.ini: support 'sticky' preferences, meaning a user value is retained even when it matches the default. bz#1098343. * browser/app/profile/firefox.js, browser/base/content/newtab/intro.js, browser/base/content/newtab/page.js, browser/modules/DirectoryLinksProvider.jsm: Update patch from bz#1094324 to fit what landed upstream in newer versions. iceweasel (38.0.1-5) unstable; urgency=medium . * debian/rules: Force a timezone when extracting defaults/* files from omni.ja archives. iceweasel (38.0.1-4) unstable; urgency=medium . * python/mozbuild/mozpack/files.py: Fixup to keep file type. * toolkit/content/Makefile.in, toolkit/content/buildconfig.html: Remove build machine name from about:buildconfig. bz#1168316. iceweasel (38.0.1-3) unstable; urgency=medium . * debian/upstream.mk: Force a timezone when setting MOZ_BUILD_DATE. . * python/mozbuild/mozpack/files.py: Normalize file mode in jars. bz#1168231. iceweasel (38.0.1-2) unstable; urgency=medium . * debian/upstream.mk: Set MOZ_BUILD_DATE to the date of the last debian/changelog entry for non-Aurora builds. * debian/branding/content/Makefile.in: Add a dummy conversion for about.png to remove timestamps. * debian/browser.js.in: Default to classic view for about:newtab. * debian/copyright: Update copyright file to some degree. * debian/control*: Bump Standards-Version to 3.9.6.0. - debian/rules: Add build-arch and build-indep targets to debian/rules. * debian/control*: Switch Vcs-* urls to anonscm.debian.org. . * ipc/testshell/XPCShellEnvironment.cpp, js/src/shell/js.cpp, js/xpconnect/src/XPCShellImpl.cpp: Remove build() function from js and xpc shells. bz#1166243. * toolkit/locales/l10n.mk. Use dozip.py for langpacks. bz#1166538. * browser/app/profile/firefox.js, browser/base/content/newtab/intro.js browser/modules/DirectoryLinksProvider.jsm: Set browser.newtabpage.enhanced default in prefs. bz#1094324. iceweasel (38.0.1-1) unstable; urgency=medium . * New upstream release. . * debian/vendor.js.in: Disable auto-installing webide related addons. Closes: #785595. * debian/rules: Disable jit on mips. Only mipsel is supported by the jit code currently. . * configure.in, media/libjpeg/moz.build: Fixup libjpeg-turbo assembly cleanup. * security/manager/ssl/src/SSLServerCertVerification.cpp: Add a NULL-check for extensions on the end entity certificate when gathering EKU telemetry. Closes: #782772. iceweasel (38.0-2) unstable; urgency=medium . * debian/repack.py: Fix to support filter patterns excluding a top-level directory. . * configure.in: Cleanup how libjpeg-turbo assembly build variables are set. bz#1165654. This should fix FTBFSes on arm64 and mips*. * memory/mozjemalloc/jemalloc.c: Make powerpc not use static page sizes. Closes: #763900. iceweasel (38.0-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2015-{46,48-51,53-56}, also know as: CVE-2015-2708, CVE-2015-2709, CVE-2015-2710, CVE-2015-2711, CVE-2015-2712, CVE-2015-2713, CVE-2015-2715, CVE-2015-2716, CVE-2015-2717, CVE-2015-2718. . * debian/branding/Makefile.in, debian/branding/moz.build: Adapt build rules to upstream changes * debian/branding/locales/en-US/brand.*: Add brandShorterName to Iceweasel branding. * debian/branding/content/Makefile.in: Add silhouette-40.svg from the unofficial branding to iceweasel branding * debian/control*: Bump nss and sqlite build dependencies. * debian/control.in, debian/upstream.mk: Change backport rules. - Set LESS_SYSTEM_LIBS on wheezy and jessie. - Only use gstreamer 0.10 on wheezy. iceweasel (37.0.2-1) experimental; urgency=medium . * New upstream release. * Fix for mfsa2015-45, also known as CVE-2015-2706. iceweasel (37.0.1-1) experimental; urgency=medium . * New upstream release. * Fix for mfsa2015-44, also known as CVE-2015-0799. . * debian/browser.js.in: Change the pref used to disable openh264. Closes: #769716. iceweasel (37.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{30-34,36-40,42}, also known as: CVE-2015-0815, CVE-2015-0814, CVE-2015-0813, CVE-2015-0812, CVE-2015-0816, CVE-2015-0811, CVE-2015-0808, CVE-2015-0807, CVE-2015-0805, CVE-2015-0806, CVE-2015-0803, CVE-2015-0804, CVE-2015-0801, CVE-2015-0802. iceweasel (36.0.4-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{28-29}, also known as: CVE-2015-0818, CVE-2015-0817. iceweasel (36.0.1-2) experimental; urgency=medium . * debian/browser.mozconfig.in: Don't build with --disable-eme, reverting the change from 36.0-1. iceweasel (36.0.1-1) experimental; urgency=medium . * New upstream release. . * gfx/layers/basic/BasicCompositor.cpp, gfx/layers/basic/BasicLayerManager.cpp: Reintroduce pixman code path removed in bz#1097776 for --disable-skia builds. bz#1136958. iceweasel (36.0-2) experimental; urgency=medium . * debian/browser.mozconfig.in: Force enable skia, to possibly fix FTBFS on non-x86/amd64/arm architectures. . * gfx/skia/moz.build: Remove duplicate SkDiscardableMemory_none.cpp. bz#1136958. iceweasel (36.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{11,13-17,19-27}, also known as: CVE-2015-0836, CVE-2015-0835, CVE-2015-0832, CVE-2015-0830, CVE-2015-0834, CVE-2015-0831, CVE-2015-0829, CVE-2015-0827, CVE-2015-0826, CVE-2015-0825, CVE-2015-0824, CVE-2015-0823, CVE-2015-0822, CVE-2015-0821, CVE-2015-0819, CVE-2015-0820. . * debian/control*: Bump nss and sqlite build dependencies. * debian/branding/Makefile.in, debian/branding/moz.build, debian/extra-stuff/Makefile.in, debian/extra-stuff/moz.build: Update and cleanup. * debian/browser.install.in: Remove mozilla-xremote-client, it was removed upstream. * debian/browser.install.in, debian/rules: Remove libmozsandbox.so, it's not a shared library anymore. * debian/browser.mozconfig.in: Build with --disable-eme for now, iceweasel (35.0.1-1) experimental; urgency=medium . * New upstream release. . * debian/browser.install.in, debian/rules: Only install libmozsandbox.so on i386 and amd64. * debian/control: Recommend gstreamer packages for video playing capabilities. Closes: #737092. Also change the gstreamer build dependencies not to use alternatives. iceweasel (35.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2015-{01-06,08-09}, also known as: CVE-2014-8634, CVE-2014-8635, CVE-2014-8637, CVE-2014-8637, CVE-2014-8639, CVE-2014-8640, CVE-2014-8641, CVE-2014-8642, CVE-2014-8636. . * debian/browser.mozconfig.in: Build with --enable-pie instead of our own patch to the build system. . * moz.build: Fix how debian/extra-stuff is added to upstream build system directory traversal after upstream changes. iceweasel (34.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2014-{83-89,91}, also known as: CVE-2014-1587, CVE-2014-1588, CVE-2014-1589, CVE-2014-1590, CVE-2014-1591, CVE-2014-1592, CVE-2014-1593, CVE-2014-1594, CVE-2014-8631, CVE-2014-8632. . * debian/branding/firefox-branding.js: Set browser.aboutHomeSnippets.updateUrl to "data:text/html,", which resets previously downloaded snippets after a day. * debian/browser.js.in: Avoid openh264 being downloaded and disable it if it is already there. Closes: #769716. * debian/control*: Bump nss and sqlite build dependencies. * debian/rules: Remove --disable-compile-environment for l10n builds because of bz#1063880. * debian/browser.install.in: Add sandbox library. iceweasel (33.1-1) experimental; urgency=medium . * New upstream release. . * debian/changelog: Add missing entries for 27.0.1-1. * debian/rules: Don't force to build with GCC 4.9 on armhf anymore. * debian/browser.mozconfig.in: Don't build with --enable-unified-compilation. It may be causing build problems on architectures with limited resources. * debian/browser.install.in, debian/browser.postinst.in, debian/browser.postrm.in, debian/browser.preinst.in, debian/duckduckgo.xml: Remove duckduckgo search engine, since upstream now has it included. * debian/branding/firefox-branding.js: - Set browser.startup.homepage_override.mstone to "ignore". - Set browser.aboutHomeSnippets.updateUrl to nothing. Closes: #721689. . * Import patches from the nss source package that are relevant to building iceweasel against the in-tree nss source, for backports: - security/nss/lib/freebl/unix_rand.c, security/nss/cmd/shlibsign/shlibsign.c: Fix FTBFS on Hurd because of MAXPATHLEN - security/nss/coreconf/Linux.mk, security/nss/coreconf/arch.mk, security/nss/coreconf/config.mk, security/nss/lib/freebl/unix_rand.c, security/nss/lib/softoken/softoken.h, security/nss/lib/ssl/sslmutex.*: GNU/kFreeBSD support. - security/nss/lib/ckfw/builtins/certdata.txt: Adds the SPI Inc. and CAcert.org CA certificates. Those patches were applied on the esr24 branch, but were forgotten on the release branch at the time. * media/libcubeb/tests/moz.build: Work around binutils assertion on mips. iceweasel (33.0-2) experimental; urgency=medium . * debian/control*, debian/rules: Do not build depend on gstreamer 1.0 when building a backport. . * netwerk/base/public/security-prefs.js, security/manager/ssl/src/nsNSSComponent.cpp: Disable SSLv3 to address CVE-2014-3566. bz#1076983. iceweasel (33.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2014-{74-76,78-82}, also known as: CVE-2014-1574, CVE-2014-1575, CVE-2014-1576, CVE-2014-1577, CVE-2014-1580, CVE-2014-1581, CVE-2014-1582, CVE-2014-1584, CVE-2014-1585, CVE-2014-1586, CVE-2014-1583. . * debian/control*: Bump nss and sqlite build dependencies. * debian/browser.install.in, debian/control.in, debian/rules, debian/upstream.mk, debian/vendor.js.in: Change how official branding is handled. * debian/rules: Disable tests on stable-security. * debian/browser.install.in, debian/browser.mozconfig.in, debian/control.in, debian/rules: Allow to build against Gtk+3 by setting the GTK3 environment variable while building. iceweasel (32.0.3-1) experimental; urgency=medium . * New upstream release. . * toolkit/components/search/nsSearchService.js: Bump search engine max icon size to 35kB. Closes: #749084. * build/autoconf/compiler-opts.m4, config/rules.mk: Build target programs as position independent executable when supported by gcc/clang. bz#857628. iceweasel (32.0-1) experimental; urgency=medium . * New upstream release. * Fixes for mfsa2014-{67-70,72}, also known as: CVE-2014-1562, CVE-2014-1553, CVE-2014-1554, CVE-2014-1563, CVE-2014-1564, CVE-2014-1565, CVE-2014-1567. . * debian/browser.bug-script.in, debian/browser.install.in, debian/extra-stuff/Makefile.in, debian/extra-stuff/reportbug-helper-script, debian/installer/package-manifest.browser: Fix bug script. * debian/browser.install.in, debian/rules, debian/upstream.mk: Install libreplace_malloc.so when building a nightly. * debian/control*: Bump nss and sqlite build dependencies. iceweasel (32.0~b5-1) experimental; urgency=medium . * New upstream beta release. . * debian/browser.install.in, debian/rules, debian/upstream.mk: Install libreplace_malloc.so when building a nightly. * debian/control*: Bump nss and sqlite build dependencies. . * media/libstagefright/moz.build: Fix libstagefright build on GNU/kFreeBSD. bz#1048064. iceweasel (32.0~b3-1) experimental; urgency=medium . * New upstream beta release. . * debian/browser.install.in, debian/rules, debian/upstream.mk: Install libreplace_malloc.so when building a nightly. * debian/control*: Bump nss and sqlite build dependencies. . * testing/mozbase/mozinfo/mozinfo/mozinfo.py: Add a fallback for unknown platforms after bz#945869. bz#1044414. iceweasel (32.0~b1-1) experimental; urgency=medium . * New upstream beta release. . * debian/browser.install.in, debian/rules, debian/upstream.mk: Install libreplace_malloc.so when building a nightly. * debian/control*: Bump nss and sqlite build dependencies. iceweasel (31.8.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2015-{59,61,64-66,69-71}, also known as: CVE-2015-2724, CVE-2015-2728, CVE-2015-2730, CVE-2015-2722, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740, CVE-2015-2743, CVE-2015-4000, CVE-2015-2721. . * debian/rules, debian/control*: Use bundled libraries because of the requirement for a newer NSS. . * dom/indexedDB/IndexedDatabaseManager.cpp: Backout mercurial changeset 4fd4c854dc0f (fixup for bz#1142210) to unbust unified builds. iceweasel (31.8.0esr-1~deb7u1) oldstable-security; urgency=medium . * New upstream release. * Fixes for mfsa2015-{59,61,64-66,69-71}, also known as: CVE-2015-2724, CVE-2015-2728, CVE-2015-2730, CVE-2015-2722, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740, CVE-2015-2743, CVE-2015-4000, CVE-2015-2721. . * debian/rules, debian/control*: Use bundled libraries because of the requirement for a newer NSS. . * dom/indexedDB/IndexedDatabaseManager.cpp: Backout mercurial changeset 4fd4c854dc0f (fixup for bz#1142210) to unbust unified builds. iceweasel (31.7.0esr-1~deb8u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2015-{46-48,51,54,57}, also known as: CVE-2015-2708, CVE-2015-0797, CVE-2015-2710, CVE-2015-2713, CVE-2015-2716, CVE-2011-3079. . * debian/control.in, debian/rules, debian/upstream.mk: Change backport rules. - Only set LESS_SYSTEM_LIBS on wheezy (for now). - Only exclude gstreamer 1.0 on wheezy. iceweasel (31.7.0esr-1~deb7u1) oldstable-security; urgency=medium . * New upstream release. * Fixes for mfsa2015-{46-48,51,54,57}, also known as: CVE-2015-2708, CVE-2015-0797, CVE-2015-2710, CVE-2015-2713, CVE-2015-2716, CVE-2011-3079. . * debian/control.in, debian/rules, debian/upstream.mk: Change backport rules. - Only set LESS_SYSTEM_LIBS on wheezy (for now). - Only exclude gstreamer 1.0 on wheezy. iceweasel (31.6.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2015-{30-31,33,37,40}, also known as: CVE-2015-0815, CVE-2015-0813, CVE-2015-0816, CVE-2015-0807, CVE-2015-0801. iceweasel (31.6.0esr-1~deb7u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2015-{30-31,33,37,40}, also known as: CVE-2015-0815, CVE-2015-0813, CVE-2015-0816, CVE-2015-0807, CVE-2015-0801. iceweasel (31.5.3esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2015-{28-29}, also known as: CVE-2015-0818, CVE-2015-0817. iceweasel (31.5.3esr-1~deb7u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2015-{28-29}, also known as: CVE-2015-0818, CVE-2015-0817. iceweasel (31.5.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2015-{11,16,19,24}, also known as: CVE-2015-0836, CVE-2015-0831, CVE-2015-0827, CVE-2015-0822. . * debian/source.filter: Remove files that were mistakenly added to upstream source tarballs. bz#1136240. * debian/repack.py: Fix to support those new filters. . * memory/mozjemalloc/jemalloc.c: Make powerpc not use static page sizes. Closes: #763900 iceweasel (31.5.0esr-1~deb7u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2015-{11,16,19,24}, also known as: CVE-2015-0836, CVE-2015-0831, CVE-2015-0827, CVE-2015-0822. . * debian/source.filter: Remove files that were mistakenly added to upstream source tarballs. bz#1136240. * debian/repack.py: Fix to support those new filters. . * memory/mozjemalloc/jemalloc.c: Make powerpc not use static page sizes. Closes: #763900 iceweasel (31.4.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2015-{01,03-04,06}, also known as: CVE-2014-8634, CVE-2014-8638, CVE-2014-8639, CVE-2014-8641. iceweasel (31.4.0esr-1~deb7u1) stable-security; urgency=medium . * New upstream release. * Fixes for mfsa2015-{01,03-04,06}, also known as: CVE-2014-8634, CVE-2014-8638, CVE-2014-8639, CVE-2014-8641. iceweasel (31.3.0esr-1) unstable; urgency=medium . * New upstream release. * Fixes for mfsa2014-{83,85,87-88}, also known as: CVE-2014-1587, CVE-2014-1590, CVE-2014-1592, CVE-2014-1593, CVE-2014-1594. . * debian/browser.mozconfig.in: Revert change from release 31.2.0esr-3, because it made no difference. * debian/branding/firefox-branding.js: - Set browser.startup.homepage_override.mstone to "ignore". - Set browser.aboutHomeSnippets.updateUrl to "data:text/html,", which disables downloading snippets from Mozilla servers and resets previously downloaded snippets after a day. Closes: #721689. icu (4.8.1.1-12+deb7u3) wheezy-security; urgency=high . * Fix security bugs: - CVE-2015-4760 , missing boundary checks in layout engine, - CVE-2014-6585 , finish null pointer checks. * Add myself as uploader. icu (4.8.1.1-12+deb7u2) stable-security; urgency=high . * Non-maintainer upload by the Security Team. - Thanks to Marc Deslauriers for many of the backports. * Backport of icu's new layout engine. - Fixes CVE-2013-1569, CVE-2013-2383, CVE-2013-2384, and CVE-2013-2419. * CVE-2014-6585: out-of-bounds read. * CVE-2014-6591: more out-of-bounds reads. * CVE-2014-7923: memory corruption in regular expression comparison. * CVE-2014-7926: memory corruption in regular expression comparison. * CVE-2014-7940: uninitialized memory in i18n/icol.cpp. * CVE-2014-9654: more regular expression handling issues. ikiwiki (3.20120629.2) wheezy; urgency=medium . [ Joey Hess ] * Fix XSS in openid selector. Thanks, Raghav Bisht. (Closes: #781483; CVE-2015-2793) ikiwiki (3.20120629.1) wheezy; urgency=medium . Backport blogspam plugin from experimental, because the version in wheezy is no longer usable: . [ Joey Hess ] * Set Debian package maintainer to Simon McVittie as I'm retiring from Debian. . [ Amitai Schlair ] * blogspam: use the 2.0 JSON API (the 1.0 XML-RPC API has been EOL'd). Closes: #774441 inspircd (2.0.5-1+deb7u1) wheezy-security; urgency=high . * CVE-2012-1836 was partially fixed; refresh 03_CVE-2012-1836 patch by importing 2.0.7 src/dns.cpp changes (Closes: #780880) intel-microcode (1.20150121.1) stable; urgency=high . * New upstream microcode data file 20150121 + Downgraded microcodes (to a previously shipped revision): sig 0x000306f2, pf mask 0x6f, 2014-09-03, rev 0x0029, size 28672 * The microcode downgrade fixes a very nasty regression on Xeon E5v3 processors (closes: #776431) * critical urgency: the broken sig 0x306f2, rev 0x2b microcode shipped in release 20150107 caused CPU core hangs and Linux boot failures. The upstream fix was to downgrade it to the same microcode revision that was shipped in release 20140913 * source: remove superseded upstream data file: 20150107. ipsec-tools (1:0.8.0-14+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add bug785778-null-pointer-deref.patch patch. CVE-2015-4047: Fix NULL pointer dereference in racoon in gssapi.c leading to a possible crash and denial of service attack. (Closes: #785778) ircd-hybrid (1:7.2.2.dfsg.2-10+deb7u1) stable; urgency=medium . * Disable SSLv3 to mitigate against the POODLE vulnerability (Closes: #767026) jackrabbit (2.3.6-1+deb7u1) wheezy-security; urgency=medium . * Team upload. * Add CVE-2015-1833.patch. Fix XXE/XEE vulnerability of the Jackrabbit WebDAV bundle. When processing a WebDAV request body containing XML, the XML parser can be instructed to read content from network resources accessible to the host, identified by URI schemes such as "http(s)" or "file". Depending on the WebDAV request, this can not only be used to trigger internal network requests, but might also be used to insert said content into the request, potentially exposing it to the attacker and others. (Closes: #787316) jasper (1.900.1-13+deb7u3) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add 07-CVE-2014-8157.patch patch. CVE-2014-8157: dec->numtiles off-by-one check in jpc_dec_process_sot(). (Closes: #775970) * Add 08-CVE-2014-8158.patch patch. CVE-2014-8158: unrestricted stack memory use in jpc_qmfb.c (Closes: #775970) jqueryui (1.8.ooops.21+dfsg-2+deb7u2) wheezy-security; urgency=medium . * NMU by the Security Team * Fix regression introduced in 1.8.ooops.21+dfsg-2+deb7u1 (Closes: #787100) jqueryui (1.8.ooops.21+dfsg-2+deb7u1) wheezy-security; urgency=high . * NMU by the Security Team * Fix cross-site scripting vulnerability (CVE-2010-5312) krb5 (1.10.1+dfsg-5+deb7u3) stable-security; urgency=high . * MITKRB5-SA-2015-001 - CVE-2014-5352: gss_process_context_token() incorrectly frees context - CVE-2014-9421: kadmind doubly frees partial deserialization results - CVE-2014-9422: kadmind incorrectly validates server principal name - CVE-2014-9423: libgssrpc server applications leak uninitialized bytes lame (3.99.5+repack1-3+deb7u1) wheezy; urgency=medium . * Add check for invalid input sample rate, thanks Maks Naumov (Closes: #775959, #777160, #777161). Thanks Jakub Wilk and Brian Carpenter for the bug reports and test cases. * Extend Maks Naumov's patch to also include a sanity check for a valid amount of input channels (Closes: #778703). * Avoid malformed wav causing floating point exception in the frontend (Closes: #777159). * Fix decision if sample rate ratio is an integer value or not (Closes: #778529). Thanks to Henri Salo for the bug reports and the fuzzed samples! lcms (1.19.dfsg2-1.2+deb7u1) stable-proposed-updates; urgency=medium . * Non-maintainer upload. * Remove non-free file python/testbed/AdobeRGB1998.icc from source tarball (Closes: #753759). Also remove testbed/sRGBSpac.icm * Cherry-Pick fix from Peter Michael Green's NMU (1.19.dfsg1-1.4) - Link icctrans with -lm to Fix link failure on amd64. * Apply fix from OpenSuse for CVE-2013-4276 (Closes: #718682) * Repack orig-source to remove non-dfsg free color profiles. This is necessary as the resulting lintian error license-problem-md5sum-non-free-file would lead to an autoreject (Closes: #736806). * Fix CVE-2013-4160 by backporting the fix from lcms-2 (Closes: #728208) lcms (1.19.dfsg1-1.4) unstable; urgency=medium . * Non maintainer upload * Same as 1.19.dfsg1-1.3+autotool upload to debian-ports unreleased * Use dh_autoreconf to fix build on newer ports. (Closes: 543464) (thanks to Fernando Seiti Furusato) * Modify lcms.h to not assume powerpc is big endian and hence support ppc64el (thanks to Fernando Seiti Furusato) * Use DEB_BUILD_ARCH_ENDIAN rather than incomplete hardcoded list of big endian architectures in debian/rules. (though i'm not convinced the code in question actually does anything useful anyway). * Add watchfile from Tobaias Frost. (Closes: 742749) * Avoid build depending on transitional package libtiff4-dev. * Link icctrans with -lm to Fix link failure on amd64. lcms (1.19.dfsg1-1.3) unstable; urgency=medium . * Non-maintainer upload. * Apply fix from OpenSuse for CVE-2013-4276 (Closes: #718682) * Repack orig-source to remove non-dfsg free color profiles. This is necessary as the resulting lintian error license-problem-md5sum-non-free-file would lead to an autoreject (Closes: #736806). * Fix CVE-2013-4160 by backporting the fix from lcms-2 (Closes: #728208) libapache-mod-jk (1:1.2.37-1+deb7u1) wheezy-security; urgency=high . * Team upload. * Add CVE-2014-8111.patch. (Closes: #783233) It was discovered that a JkUnmount rule for a subtree of a previous JkMount rule could be ignored. This could allow a remote attacker to potentially access a private artifact in a tree that would otherwise not be accessible to them. - Add option to control handling of multiple adjacent slashes in mount and unmount. New default is collapsing the slashes only in unmount. Before this change, adjacent slashes were never collapsed, so most mounts and unmounts didn't match for URLs with multiple adjacent slashes. - Configuration is done via new JkOption for Apache (values "CollapseSlashesAll", "CollapseSlashesNone" or "CollapseSlashesUnmount"). libarchive (3.0.4-3+wheezy1) wheezy-security; urgency=high . * Fix directory traversal vulnerability in bsdcpio (Closes: #778266) libav (6:0.8.17-1) wheezy-security; urgency=medium . * New upstream release fixing multiple security issues. - utvideodec: Handle slice_height being zero (CVE-2014-9604) - tiff: Check that there is no aliasing in pixel format selection (CVE-2014-8544) - rmenc: limit packet size - eamad: check for out of bounds read (CID/1257500) - h264_cabac: Break infinite loops - matroskadec: Fix read-after-free in matroska_read_seek() (chromium/427266) - gifdec: refactor interleave end handling (CVE-2014-8547) - smc: fix the bounds check (CVE-2014-8548) - mmvideo: check frame dimensions (CVE-2014-8543) - jvdec: check frame dimensions (CVE-2014-8542) - mov: avoid a memleak when multiple stss boxes are present - apetag: Fix APE tag size check - x86: Only use optimizations with cmov if the CPU supports the instruction - x86: Add CPU flag for the i686 cmov instruction libcrypto++ (5.6.1-6+deb7u1) wheezy-security; urgency=high . * Fix CVE-2015-2141, misuse of blinding technique that is aimed at preventing timing attacks. * Update my email address. libdatetime-timezone-perl (1:1.58-1+2015f) wheezy; urgency=medium . * Update to Olson database version 2015f. libdatetime-timezone-perl (1:1.58-1+2015e) wheezy; urgency=medium . * Update to Olson database version 2015e. libdatetime-timezone-perl (1:1.58-1+2015d) wheezy; urgency=medium . * Update to Olson database version 2015d. libdatetime-timezone-perl (1:1.58-1+2015c) stable-proposed-updates; urgency=medium . * Update to Olson database version 2015c. libdatetime-timezone-perl (1:1.58-1+2015b) stable-proposed-updates; urgency=medium . * Update to version 2015b of the Olson database. libdatetime-timezone-perl (1:1.58-1+2015a) stable-proposed-updates; urgency=medium . * Update to version 2015a of the Olson database. libdbd-pg-perl (2.19.2-2+deb7u1) wheezy; urgency=medium . * Team upload. * Add 0001-Adjustments-for-the-loss-of-spclocation-in-9.2.patch patch. Fixes interoperability problem between wheezy clients using DBD::Pg against newer PostgreSQL versions. Thanks to Christoph Biedl (Closes: #781722) libevent (2.0.19-stable-3+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2014-6272.patch patch. CVE-2014-6272: A flaw in the Libevent evbuffer API leaves programs using this API open to possible heap overflows. libfcgi (2.4.0-8.1+deb7u1) wheezy; urgency=low . * Non-maintainer upload. * CVE-2012-6687: Apply path from Anton Kortunov to swap select with poll to avoid stack smashing. Closes: #681591. libgcrypt11 (1.5.0-5+deb7u3) wheezy-security; urgency=high . * Use ciphertext blinding for Elgamal decryption to counteract a side-channel attack as per CVE-2014-3591 * Fix data-dependent timing variations in the modular exponentiation function that could be used to mount a side-channel attack as per CVE-2015-0837 libgd2 (2.0.36~rc1~dfsg-6.1+deb7u1) wheezy-security; urgency=high . * Fix NULL pointer dereference when reading XPM files with a crafted color table as per CVE-2014-2497 (Closes: #744719) * Fix buffer read overflow when reading invalid GIF files as per CVE-2014-9709 liblivemedia (2012.05.17-1+wheezy1) wheezy-security; urgency=high . * Fix integer underflow when parsing RTSP messages starting with whitespace as per CVE-2013-6933 * Set urgency=high accordingly libmodule-signature-perl (0.68-1+deb7u3) wheezy-security; urgency=high . * Team upload. * Add 0001-make-skip-work-again.patch patch. Restore --skip functionality for cpansign. (Closes: #785701) libmodule-signature-perl (0.68-1+deb7u2) wheezy-security; urgency=high . * Team upload. * Add CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch patch. CVE-2015-3406: Module::Signature parses the unsigned portion of the SIGNATURE file as the signed portion due to incorrect handling of PGP signature boundaries. CVE-2015-3407: Module::Signature incorrectly handles files that are not listed in the SIGNATURE file. This includes some files in the t/ directory that would execute when tests are run. CVE-2015-3408: Module::Signature uses two argument open() calls to read the files when generating checksums from the signed manifest, allowing to embed arbitrary shell commands into the SIGNATURE file that would execute during the signature verification process. (Closes: #783451) * Add CVE-2015-3409.patch patch. CVE-2015-3409: Module::Signature incorrectly handles module loading allowing to load modules from relative paths in @INC. A remote attacker providing a malicious module could use this issue to execute arbitrary code during signature verification. (Closes: #783451) * Add Fix-signature-tests.patch patch. Fix signature tests by defaulting to verify(skip=>1) when $ENV{TEST_SIGNATURE} is true. libphp-snoopy (2.0.0-1~deb7u1) wheezy-security; urgency=high . * Upload to wheezy-security libraw (0.14.6-2+deb7u1) wheezy; urgency=high . * debian/patches/: patchset updated - 0001-Fix_CVE-2015-3885.patch added (Closes: #786788) | Integer overflow in the ljpeg_start function | in dcraw 7.00 and earlier allows remote attackers | to cause a denial of service (crash) via a | crafted image, which triggers a buffer overflow, | related to the len variable. libssh2 (1.4.2-1.1+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2015-1782.patch. CVE-2015-1782: Using SSH_MSG_KEXINIT data unbounded. libtasn1-3 (2.13-2+deb7u2) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2015-2806.patch patch. CVE-2015-2806: stack overflow in asn1_der_decoding. libtest-signature-perl (1.10-1+deb7u1) wheezy-security; urgency=high . * Team upload. * Consider MANIFEST.SKIP when verfying signature as part of testsuites. Set skip => 1 on Module::Signature::verify for compatibility with the fix for CVE-2015-3407 in libmodule-signature-perl. libtest-signature-perl (1.10-1+deb6u1) squeeze-lts; urgency=medium . * Non-maintainer upload by the Squeeze LTS team. * Set debian/source/format to 3.0 (quilt) . [Salvatore Bonaccorso ] * Consider MANIFEST.SKIP when verfying signature as part of testsuites. Set skip => 1 on Module::Signature::verify for compatibility with the fix for CVE-2015-3407 in libmodule-signature-perl. libwmf (0.2.8.4-10.3+deb7u1) wheezy-security; urgency=low . * CVE-2015-0848 CVE-2015-4588 CVE-2015-4695 CVE-2015-4696 libx11 (2:1.5.0-1+deb7u2) wheezy-security; urgency=low . * CVE-2013-7439 libxfont (1:1.4.5-5) wheezy-security; urgency=high . * Integer overflows in BDF font parsing * NULL pointer deref in BDF font parsing libxml-libxml-perl (2.0001+dfsg-1+deb7u1) wheezy-security; urgency=high . * Team upload. * Add CVE-2015-3451.patch patch. CVE-2015-3451: expand_entities set to 0 is not preserved after a _clone() call. (Closes: #783443) libxml2 (2.8.0+dfsg1-7+wheezy4) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add missing required patches for CVE-2014-3660. The two upstream commits a3f1e3e5712257fd279917a9158278534e8f4b72 and cff2546f13503ac028e4c1f63c7b6d85f2f2d777 are required in addition to the commit be2a7edaf289c5da74a4f9ed3a0b6c733e775230 to fix CVE-2014-3660 due to changes in the use of ent->checked. Fixes "libxml2: CVE-2014-3660 patch makes installation-guide FTBFS". (Closes: #774358) * Refresh cve-2014-3660.patch patch * Refresh cve-2014-3660-bis.patch patch libxml2 (2.8.0+dfsg1-7+wheezy3) wheezy-security; urgency=high . * Do not fetch external parsed entities unless asked to do so. This supplements the patch for CVE-2014-0191 * Fix regression introducedd by the patch fixing CVE-2014-3660 (Closes: #768089) * Set urgency=high accordingly libxrender (1:0.9.7-1+deb7u2) wheezy-security; urgency=medium . * Tighten build dependency on libx11-dev (Closes: #782505) linux (3.2.68-1+deb7u3) wheezy-security; urgency=medium . * udp: fix behavior of wrong checksums (CVE-2015-5364, CVE-2015-5366) * sctp: fix ASCONF list handling (CVE-2015-3212) * [x86] bpf_jit: fix compilation of large bpf programs (CVE-2015-4700) * sg_start_req(): make sure that there's not too many elements in iovec (CVE-2015-5707) * md: use kzalloc() when bitmap is disabled (CVE-2015-5697) linux (3.2.68-1+deb7u3~bpo60+1) squeeze-backports; urgency=medium . * Rebuild for squeeze: - Use gcc-4.4 for all architectures - Disable building of udebs - Change ABI number to 0.bpo.4 - Monkey-patch Python collections module to add OrderedDict if necessary - [armel] Disable CRYPTO_FIPS, VGA_ARB, FTRACE on iop32x and ixp4xx to reduce kernel size (as suggested by Arnaud Patard) - Use QUILT_PATCH_OPTS instead of missing quilt patch --fuzz option - Make build target depend on build-arch only, so we don't redundantly build documentation on each architecture . linux (3.2.68-1+deb7u3) wheezy-security; urgency=medium . * udp: fix behavior of wrong checksums (CVE-2015-5364, CVE-2015-5366) * sctp: fix ASCONF list handling (CVE-2015-3212) * [x86] bpf_jit: fix compilation of large bpf programs (CVE-2015-4700) * sg_start_req(): make sure that there's not too many elements in iovec (CVE-2015-5707) * md: use kzalloc() when bitmap is disabled (CVE-2015-5697) linux (3.2.68-1+deb7u2) wheezy-security; urgency=high . * pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic (CVE-2015-1805) * udf: Remove repeated loads blocksize * udf: Check length of extended attributes and allocation descriptors (CVE-2015-4167) * ipv4: Missing sk_nulls_node_init() in ping_unhash(). (CVE-2015-3636) linux (3.2.68-1+deb7u2~bpo60+1) squeeze-backports; urgency=medium . * Rebuild for squeeze: - Use gcc-4.4 for all architectures - Disable building of udebs - Change ABI number to 0.bpo.4 - Monkey-patch Python collections module to add OrderedDict if necessary - [armel] Disable CRYPTO_FIPS, VGA_ARB, FTRACE on iop32x and ixp4xx to reduce kernel size (as suggested by Arnaud Patard) - Use QUILT_PATCH_OPTS instead of missing quilt patch --fuzz option - Make build target depend on build-arch only, so we don't redundantly build documentation on each architecture . linux (3.2.68-1+deb7u2) wheezy-security; urgency=high . * pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic (CVE-2015-1805) * udf: Remove repeated loads blocksize * udf: Check length of extended attributes and allocation descriptors (CVE-2015-4167) * ipv4: Missing sk_nulls_node_init() in ping_unhash(). (CVE-2015-3636) linux (3.2.68-1+deb7u1) wheezy-security; urgency=high . * IB/core: Prevent integer overflow in ib_umem_get address arithmetic (CVE-2014-8159) * netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len (CVE-2014-9715) * net: llc: use correct size for sysctl timeout entries (CVE-2015-2041) * net: rds: use correct size for max unacked packets and bytes (CVE-2015-2042) * xen-pciback: limit guest control of command register (CVE-2015-2150) * [amd64] asm/entry: Remove a bogus 'ret_from_fork' optimization (CVE-2015-2830) * ipv6: Don't reduce hop limit for an interface (CVE-2015-2922) * [x86] crypto: aesni - fix memory usage in GCM decryption (Closes: #782561) (CVE-2015-3331) * fs: take i_mutex during prepare_binprm for set[ug]id executables (CVE-2015-3339) linux (3.2.68-1+deb7u1~bpo60+1) squeeze-backports; urgency=medium . * Rebuild for squeeze: - Use gcc-4.4 for all architectures - Disable building of udebs - Change ABI number to 0.bpo.4 - Monkey-patch Python collections module to add OrderedDict if necessary - [armel] Disable CRYPTO_FIPS, VGA_ARB, FTRACE on iop32x and ixp4xx to reduce kernel size (as suggested by Arnaud Patard) - Use QUILT_PATCH_OPTS instead of missing quilt patch --fuzz option - Make build target depend on build-arch only, so we don't redundantly build documentation on each architecture . linux (3.2.68-1+deb7u1) wheezy-security; urgency=high . * IB/core: Prevent integer overflow in ib_umem_get address arithmetic (CVE-2014-8159) * netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len (CVE-2014-9715) * net: llc: use correct size for sysctl timeout entries (CVE-2015-2041) * net: rds: use correct size for max unacked packets and bytes (CVE-2015-2042) * xen-pciback: limit guest control of command register (CVE-2015-2150) * [amd64] asm/entry: Remove a bogus 'ret_from_fork' optimization (CVE-2015-2830) * ipv6: Don't reduce hop limit for an interface (CVE-2015-2922) * [x86] crypto: aesni - fix memory usage in GCM decryption (Closes: #782561) (CVE-2015-3331) * fs: take i_mutex during prepare_binprm for set[ug]id executables (CVE-2015-3339) . linux (3.2.68-1) wheezy; urgency=medium . * New upstream stable update: http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.66 - net: sctp: fix memory leak in auth key management - tcp: md5: remove spinlock usage in fast path - tcp: md5: do not use alloc_percpu() - ipv4: dst_entry leak in ip_send_unicast_reply() - net: sctp: use MAX_HEADER for headroom reserve in output path http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.67 - eCryptfs: Force RO mount when encrypted view is enabled - ipv4: Remove all uses of LL_ALLOCATED_SPACE - ipv6: Remove all uses of LL_ALLOCATED_SPACE - ipv6: mld: fix add_grhead skb_over_panic for devs with large MTUs - [s390*] KVM: flush CPU on load control - UBI: Fix invalid vfree() - drbd: merge_bvec_fn: properly remap bvm->bi_bdev - PCI: Restore detection of read-only BARs - genhd: check for int overflow in disk_expand_part_tbl() - USB: cdc-acm: check for valid interfaces - dm space map metadata: fix sm_bootstrap_get_nr_blocks() - [x86] iommu/vt-d: Fix an off-by-one bug in __domain_mapping() - KEYS: Fix stale key registration at error path - Btrfs: fix fs corruption on transaction abort if device supports discard - ncpfs: return proper error from NCP_IOC_SETROOT ioctl - mac80211: fix multicast LED blinking and counter (regression in 3.2.65) - genirq: Prevent proc race against freeing of irq descriptors - decompress_bunzip2: off by one in get_next_block() - [x86] tls: Disallow unusual TLS segments - iscsi-target: Fail connection on short sendmsg writes - ceph: introduce global empty snap context - [x86] tls: Don't validate lm in set_thread_area() after all - ocfs2: fix journal commit deadlock - udf: Verify i_size when loading inode - udf: Verify symlink size before loading it - udf: Treat symlink component of type 2 as / - udf: Check path length when reading symlink - udf: Check component length before reading it - crypto: af_alg - fix backlog handling - Revert "tcp: Apply device TSO segment limit earlier" (regression in 3.2.30) - virtio_pci: defer kfree until release callback - mm: propagate error from stack expansion even for guard page - time: settimeofday: Validate the values of tv from user - regulator: core: fix race condition in regulator_put() - mm: prevent endless growth of anon_vma hierarchy - mm: protect set_page_dirty() from ongoing truncation - HID: roccat: potential out of bounds in pyra_sysfs_write_settings() - USB: console: fix potential use after free - mm: Don't count the stack guard page towards RLIMIT_STACK - mm: fix corner case in anon_vma endless growing prevention - can: dev: fix crtlmode_supported check - net: sctp: fix race for one-to-many sockets in sendmsg's auto associate - libata: allow sata_sil24 to opt-out of tag ordered submission (regression in 3.2.62) - nl80211: fix per-station group key get/del and memory leak - vm: add VM_FAULT_SIGSEGV handling support - vm: make stack guard page errors return VM_FAULT_SIGSEGV rather than SIGBUS - ACPI / EC: Fix regression due to conflicting firmware behavior between Samsung and Acer. (regression in 3.2.63) - [s390*] 3215: fix tty output containing tabs (Closes: #758264) - fsnotify: next_i is freed during fsnotify_unmount_inodes. - PCI: Handle read-only BARs on AMD CS553x devices http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.68 - mm: pagewalk: call pte_hole() for VM_PFNMAP during walk_page_range (regression in 3.2.46) - nilfs2: fix deadlock of segment constructor over I_SYNC flag - staging: comedi: cb_pcidas64: fix incorrect AI range code handling - time: adjtimex: Validate the ADJ_FREQUENCY values - ntp: Fixup adjtimex freq validation on 32-bit systems - Bluetooth: ath3k: workaround the compatibility issue with xHCI controller (maybe fixes #778463) . [ Ben Hutchings ] * drm, agp: Update to 3.4.106: - [x86] drm/vmwgfx: Filter out modes those cannot be supported by the current VRAM size. - drm/radeon: add missing crtc unlock when setting up the MC * [rt] Update to 3.2.68-rt99: - Replace the plist functions with rt_mutex_enqueue{_pi}() and rt_mutex_dequeue{_pi}() like upstream -rt does - rtmutex: Simplify rtmutex_slowtrylock() - rtmutex: Simplify and document try_to_take_rtmutex() - rtmutex: No need to keep task ref for lock owner check - rtmutex: Clarify the boost/deboost part - rtmutex: Document pi chain walk - rtmutex: Simplify remove_waiter() - rtmutex: Confine deadlock logic to futex - rtmutex: Cleanup deadlock detector debug logic - rtmutex: Avoid pointless requeueing in the deadlock detection chain walk - futex: Make unlock_pi more robust - futex: Use futex_top_waiter() in lookup_pi_state() - futex: Split out the waiter check from lookup_pi_state() - futex: Split out the first waiter attachment from lookup_pi_state() - futex: Simplify futex_lock_pi_atomic() and make it more robust - rt-mutex: avoid a NULL pointer dereference on deadlock - x86: UV: raw_spinlock conversion - scheduling while atomic in cgroup code - work-simple: Simple work queue implemenation - sunrpc: make svc_xprt_do_enqueue() use get_cpu_light() - fs,btrfs: fix rt deadlock on extent_buffer->lock * hpsa: Update device ID tables (Closes: #781548) * NFSv4: Fix oops in nfs4_handle_exception when server returns NFS4ERR_OPENMODE (Closes: #731439) * netfilter: ipset: Check and reject crazy /0 input parameters (Closes: #732689) linux (3.2.68-1) wheezy; urgency=medium . * New upstream stable update: http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.66 - net: sctp: fix memory leak in auth key management - tcp: md5: remove spinlock usage in fast path - tcp: md5: do not use alloc_percpu() - ipv4: dst_entry leak in ip_send_unicast_reply() - net: sctp: use MAX_HEADER for headroom reserve in output path http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.67 - eCryptfs: Force RO mount when encrypted view is enabled - ipv4: Remove all uses of LL_ALLOCATED_SPACE - ipv6: Remove all uses of LL_ALLOCATED_SPACE - ipv6: mld: fix add_grhead skb_over_panic for devs with large MTUs - [s390*] KVM: flush CPU on load control - UBI: Fix invalid vfree() - drbd: merge_bvec_fn: properly remap bvm->bi_bdev - PCI: Restore detection of read-only BARs - genhd: check for int overflow in disk_expand_part_tbl() - USB: cdc-acm: check for valid interfaces - dm space map metadata: fix sm_bootstrap_get_nr_blocks() - [x86] iommu/vt-d: Fix an off-by-one bug in __domain_mapping() - KEYS: Fix stale key registration at error path - Btrfs: fix fs corruption on transaction abort if device supports discard - ncpfs: return proper error from NCP_IOC_SETROOT ioctl - mac80211: fix multicast LED blinking and counter (regression in 3.2.65) - genirq: Prevent proc race against freeing of irq descriptors - decompress_bunzip2: off by one in get_next_block() - [x86] tls: Disallow unusual TLS segments - iscsi-target: Fail connection on short sendmsg writes - ceph: introduce global empty snap context - [x86] tls: Don't validate lm in set_thread_area() after all - ocfs2: fix journal commit deadlock - udf: Verify i_size when loading inode - udf: Verify symlink size before loading it - udf: Treat symlink component of type 2 as / - udf: Check path length when reading symlink - udf: Check component length before reading it - crypto: af_alg - fix backlog handling - Revert "tcp: Apply device TSO segment limit earlier" (regression in 3.2.30) - virtio_pci: defer kfree until release callback - mm: propagate error from stack expansion even for guard page - time: settimeofday: Validate the values of tv from user - regulator: core: fix race condition in regulator_put() - mm: prevent endless growth of anon_vma hierarchy - mm: protect set_page_dirty() from ongoing truncation - HID: roccat: potential out of bounds in pyra_sysfs_write_settings() - USB: console: fix potential use after free - mm: Don't count the stack guard page towards RLIMIT_STACK - mm: fix corner case in anon_vma endless growing prevention - can: dev: fix crtlmode_supported check - net: sctp: fix race for one-to-many sockets in sendmsg's auto associate - libata: allow sata_sil24 to opt-out of tag ordered submission (regression in 3.2.62) - nl80211: fix per-station group key get/del and memory leak - vm: add VM_FAULT_SIGSEGV handling support - vm: make stack guard page errors return VM_FAULT_SIGSEGV rather than SIGBUS - ACPI / EC: Fix regression due to conflicting firmware behavior between Samsung and Acer. (regression in 3.2.63) - [s390*] 3215: fix tty output containing tabs (Closes: #758264) - fsnotify: next_i is freed during fsnotify_unmount_inodes. - PCI: Handle read-only BARs on AMD CS553x devices http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.68 - mm: pagewalk: call pte_hole() for VM_PFNMAP during walk_page_range (regression in 3.2.46) - nilfs2: fix deadlock of segment constructor over I_SYNC flag - staging: comedi: cb_pcidas64: fix incorrect AI range code handling - time: adjtimex: Validate the ADJ_FREQUENCY values - ntp: Fixup adjtimex freq validation on 32-bit systems - Bluetooth: ath3k: workaround the compatibility issue with xHCI controller (maybe fixes #778463) . [ Ben Hutchings ] * drm, agp: Update to 3.4.106: - [x86] drm/vmwgfx: Filter out modes those cannot be supported by the current VRAM size. - drm/radeon: add missing crtc unlock when setting up the MC * [rt] Update to 3.2.68-rt99: - Replace the plist functions with rt_mutex_enqueue{_pi}() and rt_mutex_dequeue{_pi}() like upstream -rt does - rtmutex: Simplify rtmutex_slowtrylock() - rtmutex: Simplify and document try_to_take_rtmutex() - rtmutex: No need to keep task ref for lock owner check - rtmutex: Clarify the boost/deboost part - rtmutex: Document pi chain walk - rtmutex: Simplify remove_waiter() - rtmutex: Confine deadlock logic to futex - rtmutex: Cleanup deadlock detector debug logic - rtmutex: Avoid pointless requeueing in the deadlock detection chain walk - futex: Make unlock_pi more robust - futex: Use futex_top_waiter() in lookup_pi_state() - futex: Split out the waiter check from lookup_pi_state() - futex: Split out the first waiter attachment from lookup_pi_state() - futex: Simplify futex_lock_pi_atomic() and make it more robust - rt-mutex: avoid a NULL pointer dereference on deadlock - x86: UV: raw_spinlock conversion - scheduling while atomic in cgroup code - work-simple: Simple work queue implemenation - sunrpc: make svc_xprt_do_enqueue() use get_cpu_light() - fs,btrfs: fix rt deadlock on extent_buffer->lock * hpsa: Update device ID tables (Closes: #781548) * NFSv4: Fix oops in nfs4_handle_exception when server returns NFS4ERR_OPENMODE (Closes: #731439) * netfilter: ipset: Check and reject crazy /0 input parameters (Closes: #732689) linux (3.2.65-1+deb7u2) wheezy-security; urgency=medium . * splice: Apply generic position and size checks to each write (CVE-2014-7822) * crypto: Fix unprivileged arbitrary module loading (CVE-2013-7421, CVE-2014-9644) - prefix module autoloading with "crypto-" - include crypto- module prefix in template - add missing crypto module aliases * netfilter: conntrack: disable generic tracking for known protocols (CVE-2014-8160) * [amd64] vdso: Fix the vdso address randomization algorithm (CVE-2014-9585) * [x86] KVM: x86 emulator: reject SYSENTER in compatibility mode on AMD guests * [x86] KVM: SYSENTER emulation is broken (CVE-2015-0239) * vfs: move d_rcu from overlapping d_child to overlapping d_alias * aufs: move d_rcu from overlapping d_child to overlapping d_alias * vfs: deal with deadlock in d_walk() (CVE-2014-8559) * vfs: read file_handle only once in handle_to_path (CVE-2015-1420) * ASLR: fix stack randomization on 64-bit systems (CVE-2015-1593) * vfs: Fix vfsmount_lock imbalance in path_init() (regression in 3.2.64) * net: sctp: fix slab corruption from use after free on INIT collisions (CVE-2015-1421) * Fix regressions caused by CVE-2014-8133 fix: - [amd64] tls, ldt: Stop checking lm in LDT_empty - [x86] tls: Interpret an all-zero struct user_desc as "no segment" * eCryptfs: Remove buggy and unnecessary write in file name decode routine (CVE-2014-9683) linux (3.2.65-1+deb7u2~bpo60+1) squeeze-backports; urgency=medium . * Rebuild for squeeze: - Use gcc-4.4 for all architectures - Disable building of udebs - Change ABI number to 0.bpo.4 - Monkey-patch Python collections module to add OrderedDict if necessary - [armel] Disable CRYPTO_FIPS, VGA_ARB, FTRACE on iop32x and ixp4xx to reduce kernel size (as suggested by Arnaud Patard) - Use QUILT_PATCH_OPTS instead of missing quilt patch --fuzz option - Make build target depend on build-arch only, so we don't redundantly build documentation on each architecture . linux (3.2.65-1+deb7u2) wheezy-security; urgency=medium . * splice: Apply generic position and size checks to each write (CVE-2014-7822) * crypto: Fix unprivileged arbitrary module loading (CVE-2013-7421, CVE-2014-9644) - prefix module autoloading with "crypto-" - include crypto- module prefix in template - add missing crypto module aliases * netfilter: conntrack: disable generic tracking for known protocols (CVE-2014-8160) * [amd64] vdso: Fix the vdso address randomization algorithm (CVE-2014-9585) * [x86] KVM: x86 emulator: reject SYSENTER in compatibility mode on AMD guests * [x86] KVM: SYSENTER emulation is broken (CVE-2015-0239) * vfs: move d_rcu from overlapping d_child to overlapping d_alias * aufs: move d_rcu from overlapping d_child to overlapping d_alias * vfs: deal with deadlock in d_walk() (CVE-2014-8559) * vfs: read file_handle only once in handle_to_path (CVE-2015-1420) * ASLR: fix stack randomization on 64-bit systems (CVE-2015-1593) * vfs: Fix vfsmount_lock imbalance in path_init() (regression in 3.2.64) * net: sctp: fix slab corruption from use after free on INIT collisions (CVE-2015-1421) * Fix regressions caused by CVE-2014-8133 fix: - [amd64] tls, ldt: Stop checking lm in LDT_empty - [x86] tls: Interpret an all-zero struct user_desc as "no segment" * eCryptfs: Remove buggy and unnecessary write in file name decode routine (CVE-2014-9683) linux (3.2.65-1+deb7u1) wheezy-security; urgency=medium . * [amd64] Revert NX changes that caused a regresion in 3.2.65 (Closes: #774436) - Revert "x86, mm: Set NX across entire PMD at boot" - Revert "x86, 64bit, mm: Mark data/bss/brk to nx" * [x86] cpu, amd: Add workaround for family 16h, erratum 793 (CVE-2013-6885) * [x86] tls: Validate TLS entries to protect espfix (CVE-2014-8133) * [amd64] switch_to(): Load TLS descriptors before switching DS and ES (CVE-2014-9419) * KEYS: close race between key lookup and freeing (CVE-2014-9529) * isofs: Fix unchecked printing of ER records (CVE-2014-9584) linux (3.2.65-1+deb7u1~bpo60+1) squeeze-backports; urgency=medium . * Rebuild for squeeze: - Use gcc-4.4 for all architectures - Disable building of udebs - Change ABI number to 0.bpo.4 - Monkey-patch Python collections module to add OrderedDict if necessary - [armel] Disable CRYPTO_FIPS, VGA_ARB, FTRACE on iop32x and ixp4xx to reduce kernel size (as suggested by Arnaud Patard) - Use QUILT_PATCH_OPTS instead of missing quilt patch --fuzz option - Make build target depend on build-arch only, so we don't redundantly build documentation on each architecture . linux (3.2.65-1+deb7u1) wheezy-security; urgency=medium . * [amd64] Revert NX changes that caused a regresion in 3.2.65 (Closes: #774436) - Revert "x86, mm: Set NX across entire PMD at boot" - Revert "x86, 64bit, mm: Mark data/bss/brk to nx" * [x86] cpu, amd: Add workaround for family 16h, erratum 793 (CVE-2013-6885) * [x86] tls: Validate TLS entries to protect espfix (CVE-2014-8133) * [amd64] switch_to(): Load TLS descriptors before switching DS and ES (CVE-2014-9419) * KEYS: close race between key lookup and freeing (CVE-2014-9529) * isofs: Fix unchecked printing of ER records (CVE-2014-9584) . linux (3.2.65-1) wheezy; urgency=medium . * New upstream stable update: http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.64 - percpu: fix pcpu_alloc_pages() failure path - percpu: perform tlb flush after pcpu_map_pages() failure - cgroup: reject cgroup names with '\n' - [s390*] KVM: Fix user triggerable bug in dead code - regmap: Fix handling of volatile registers for format_write() chips - Revert "iwlwifi: dvm: don't enable CTS to self" (regression in 3.2.62) - aio: add missing smp_rmb() in read_events_ring - block: Fix dev_t minor allocation lifetime - uwb: init beacon cache entry before registering uwb device - perf: Fix a race condition in perf_remove_from_context() - libceph: gracefully handle large reply messages from the mon - libceph: add process_one_ticket() helper - libceph: do not hard code max auth ticket len - usb: hub: take hub->hdev reference when processing from eventlist - futex: Unlock hb->lock in futex_wait_requeue_pi() error path - alarmtimer: Return relative times in timer_gettime - alarmtimer: Do not signal SIGEV_NONE timers - alarmtimer: Lock k_itimer during timer callback - vfs: don't bugger nd->seq on set_root_rcu() from follow_dotdot_rcu() - vfs: Fold follow_mount_rcu() into follow_dotdot_rcu() - vfs: be careful with nd->inode in path_init() and follow_dotdot_rcu() - iscsi-target: Fix memory corruption in iscsit_logout_post_handler_diffcid - NFSv4: Fix another bug in the close/open_downgrade code - libiscsi: fix potential buffer overrun in __iscsi_conn_send_pdu - nl80211: clear skb cb before passing to netlink - ALSA: pcm: fix fifo_size frame calculation - Fix nasty 32-bit overflow bug in buffer i/o code. - sched: Fix unreleased llc_shared_mask bit during CPU hotplug - [armhf] 8165/1: alignment: don't break misaligned NEON load/store - nilfs2: fix data loss with mmap() - ocfs2/dlm: do not get resource spinlock if lockres is new (regression in 3.2) - shmem: fix nlink for rename overwrite directory - mm: migrate: Close race between migration completion and mprotect - perf: fix perf bug in fork() - [mips*] Fix forgotten preempt_enable() when CPU has inclusive pcaches - ipv4: move route garbage collector to work queue - ipv4: avoid parallel route cache gc executions - ipv4: disable bh while doing route gc - ipv6: reallocate addrconf router for ipv6 address when lo device up (regression in 3.2.50) - [x86] kvm,vmx: Preserve CR4 across VM entry - ipvs: avoid netns exit crash on ip_vs_conn_drop_conntrack - ring-buffer: Fix infinite spin in reading buffer (regression in 3.2.63) - genhd: fix leftover might_sleep() in blk_free_devt() - [x86] KVM: Fix far-jump to non-canonical check (regression in 3.2.63-2+deb7u1) - l2tp: fix race while getting PMTU on PPP pseudo-wire * New upstream stable update: http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.65 - [x86] kvm: fix stale mmio cache bug - UBIFS: fix a race condition - [s390*] KVM: unintended fallthrough for external call - ext4: check EA value offset when loading - v4l2-common: fix overflow in v4l_bound_align_image() - Revert "lzo: properly check for overruns" - lzo: check for length overrun in variable length encoding. - NFSv4: fix open/lock state recovery error handling - NFSv4.1: Fix an NFSv4.1 state renewal regression - target: Fix queue full status NULL pointer for SCF_TRANSPORT_TASK_SENSE - vfs: fix data corruption when blocksize < pagesize for mmaped data - dm bufio: update last_accessed when relinking a buffer - ext4: don't orphan or truncate the boot loader inode - ext4: add ext4_iget_normal() which is to be used for dir tree lookups - ecryptfs: avoid to access NULL pointer when write metadata in xattr - fs: make cont_expand_zero interruptible - fix misuses of f_count() in ppp and netlink - block: fix alignment_offset math that assumes io_min is a power-of-2 - fanotify: enable close-on-exec on events' fd when requested in fanotify_init() - selinux: fix inode security list corruption - random: add and use memzero_explicit() for clearing data - dm raid: ensure superblock's size matches device's logical block size - scsi: Fix error handling in SCSI_IOCTL_SEND_COMMAND - usb: serial: ftdi_sio: add "bricked" FTDI device PID - nfsd4: fix crash on unknown operation number - [x86] kvm: don't kill guest on unknown exit reason - posix-timers: Fix stack info leak in timer_create() - futex: Fix a race condition between REQUEUE_PI and task death - ALSA: pcm: Zero-clear reserved fields of PCM status ioctl in compat mode - zap_pte_range: update addr when forcing flush after TLB batching faiure - mm, thp: fix collapsing of hugepages on madvise - lib/bitmap.c: fix undefined shift in __bitmap_shift_{left|right}() - ext4: fix overflow when updating superblock backups after resize - ext4: bail out from make_indexed_dir() on first error - tracing/syscalls: Fix perf syscall tracing when syscall_nr == -1 - tracing/syscalls: Ignore numbers outside NR_syscalls' range - mac80211: fix use-after-free in defragmentation - xhci: no switching back on non-ULT Haswell (regression in 3.2.53) - audit: keep inode pinned - libceph: do not crash on large auth tickets - firewire: cdev: prevent kernel stack leaking into ioctl arguments - iio: Fix IIO_EVENT_CODE_EXTRACT_DIR bit mask - [x86] Require exact match for 'noxsave' command line option - [amd64] mm: Mark data/bss/brk to nx - [amd64] mm: Set NX across entire PMD at boot - SUNRPC: Fix locking around callback channel reply receive - bnx2fc: do not add shared skbs to the fcoe_rx_list - Revert "xhci: clear root port wake on bits if controller isn't wake-up capable" (regression in 3.2.62) - [amd64] ALSA: hda - Limit 40bit DMA for AMD HDMI controllers - mei: add mei_quirk_probe function - tcp: be more strict before accepting ECN negociation - hpsa: fix a race in cmd_free/scsi_done - mm: Remove false WARN_ON from pagecache_isize_extended() . [ Ben Hutchings ] * [rt] Update to 3.2.64-rt94: - sched: Do not clear PF_NO_SETAFFINITY flag in select_fallback_rq() - workqueue: Prevent deadlock/stall on RT - hrtimer:fix the miss of hrtimer_peek_ahead_timers in nort code - lockdep: Fix backport of "Correctly annotate hardirq context in irq_exit()" * drm, agp: Update to 3.4.105: - drm/i915: Remove bogus __init annotation from DMI callbacks - drm/vmwgfx: Fix a potential infinite spin waiting for fifo idle - drm/radeon: add connector quirk for fujitsu board * [x86] KVM: Don't report guest userspace emulation error to userspace (CVE-2014-7842) * [x86] kvm: Clear paravirt_enabled on KVM guests for espfix32's benefit (CVE-2014-8134) * isofs: Fix infinite looping over CE entries (CVE-2014-9420) linux-ftpd-ssl (0.17.33+0.3-1+deb7u1) wheezy; urgency=medium . * QA Upload * NLST of empty directory results in segfault. (Closes: #788331) + debian/patches/500-ssl.diff: Updated. lsyncd (2.0.7-3+deb7u1) wheezy-security; urgency=high . * fix security issue CVE-2014-8990 that allows code execution via shell characters in file names and denial of service scenarios by applying debian/patches/fix-CVE-2014-8990-shell-escapes.patch (Closes: #767227) mailman (1:2.1.15-1+deb7u1) wheezy-security; urgency=high . * Fix security issue: path traversal through local_part. Affects installations which use an Exim or Postfix transport instead of fixed aliases; attacker needs to be able to place files on the local filesystem. (CVE-2015-2775, Closes: 781626) mantis (1.2.18-1) wheezy-security; urgency=medium . * NMU by the Security Team New upstream release, fixes many security issues maven (3.0.4-3+deb7u1) stable; urgency=high . * Team upload. * Use a secure connection by default to download artifacts from the Maven Central repository (Closes: #779331) mdbtools (0.7-1+deb7u2) wheezy; urgency=medium . * memo_zero_len_multipage: Fix overflow in some memo fields. Thanks to lovelytwo@github. * bin_output_fix: Fix output of binary data. Thanks to tyzhaoqi. mediatomb (0.12.1-4+deb7u1) oldstable; urgency=high . * Backport fix for #580120, #778669 from 0.12.1-47-g7ab7616-1 and 0.12.0~svn2018-6.1 to wheezy. . [ IOhannes m zmölnig ] * Disabled User-Interface by default. (Closes: #580120, #778669) mercurial (2.2.2-4+deb7u1) wheezy-security; urgency=high . * Fix "CVE-2014-9462" by adding patch from_upstream__sshpeer_more_thorough_shell_quoting.patch (Closes: #783237) mercurial (2.2.2-4) stable; urgency=high . * Security update for CVE-2014-9390: errors in handling case-sensitive directories allow for remote code execution on pull. mod-gnutls (0.5.10-1.1+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Fix "GnuTLSClientVerify require is ignored", check server wide GnuTLSClientVerify if not set for directory (Closes: #578663) mono (2.10.8.1-8+deb7u1) wheezy-security; urgency=high . * [c2afe08] Mono's implementation of the SSL/TLS stack failed to check the order of the handshake messages. Which would allow various attacks on the protocol to succeed. ("SKIP-TLS" attack). (Closes: #780751, CVE-2015-2318) * [997bd08] Remove the client-side SSLv2 fallback. There's almost no SSLv3 web site left so a v2 fallback is only extra code we do not need to carry forward. (Closes: #780751, CVE-2015-2320) * [b570325] Remove the EXPORT ciphers and related code path. That was still useful in 2003/2004 but the technical and legal landscape changed a lot since then. Removing the old, limited key size, cipher suites also allow removed additional parts of the code that deals with them. ("FREAK" attack) (Closes: #780751, CVE-2015-2319) movabletype-opensource (5.1.4+dfsg-4+deb7u3) wheezy-security; urgency=medium . * Fix format string injection vulnerability in localisation of templates (CVE-2015-0845) movabletype-opensource (5.1.4+dfsg-4+deb7u2) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2014-9057.patch patch. CVE-2014-9057: SQL injection vulnerability in the XML-RPC interface. (Closes: #774192) * Add CVE-2015-1592.patch patch. CVE-2015-1592: The Perl Storable::thaw function is not properly used, allowing remote attackers to include and execute arbitrary local Perl files and possibly remotely execute arbitrary code. * Add CVE-2013-2184.patch patch. CVE-2013-2184: Unsafe use of Storable::thaw in the handling of comments to blog posts. (Closes: #712602) mozilla-noscript (2.6.8.19-1~deb7u2) wheezy; urgency=medium . [ David Prévot ] * Track Wheezy . [ Kalle Olavi Niemitalo ] * Fix enumeration of scripts on iceweasel >= 35 Backported from upstream 2.6.8.42rc1 (Closes: #797043) mplayer (2:1.0~rc4.dfsg1+svn34540-1+deb7u1) wheezy-security; urgency=high . * BinNMU, to build it agains liblivemedia_2012.05.17-1+wheezy1. mysql-5.5 (5.5.44-0+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Imported Upstream version 5.5.44 to fix security issues: - http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html - CVE-2015-4752 CVE-2015-4737 CVE-2015-2648 CVE-2015-2643 CVE-2015-2620 CVE-2015-2582 (Closes: #792445) mysql-5.5 (5.5.43-0+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * Imported Upstream version 5.5.43 to fix security issues: - http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html - CVE-2015-0499 CVE-2015-0501 CVE-2015-0505 CVE-2015-2571 (Closes: #782645) * Update copyright years for upstream files mysql-5.5 (5.5.43-0+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Imported Upstream version 5.5.43 to fix security issues: - http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html - CVE-2015-0433 CVE-2015-0441 CVE-2015-0499 CVE-2015-0501 CVE-2015-0505 CVE-2015-2568 CVE-2015-2571 CVE-2015-2573 (Closes: #782645) * Update copyright years for upstream files mysql-5.5 (5.5.42-1) unstable; urgency=medium . [ James Page ] * SECURITY UPDATE: Update to 5.5.41 to fix security issues: - http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html - CVE-2015-0411, CVE-2015-0382, CVE-2015-0381, CVE-2015-0432, CVE-2014-6568, CVE-2015-0374 (Closes: #775881). * d/p/fix-func_math-test-failure.patch: Dropped, included upstream. . [ Akhil Mohan ] * New upstream version, resolving date driven test failures in certs. * Example option in log_slow_queries d/additions/my.cnf is deprecated and replaced with options slow_query_log_file and slow_query_log. (Closes: #677222) mysql-5.5 (5.5.41-0+wheezy1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Imported Upstream version 5.5.41 to fix security issues: - http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html - CVE-2014-6568, CVE-2015-0374, CVE-2015-0381, CVE-2015-0382, CVE-2015-0411, CVE-2015-0432 (Closes: #775881) mysql-5.5 (5.5.40-1) unstable; urgency=medium . * SECURITY UPDATE: Update to 5.5.40 to fix security issues: - http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html - CVE-2012-5615, CVE-2014-4274, CVE-2014-4287, CVE-2014-6463, CVE-2014-6464, CVE-2014-6469, CVE-2014-6478, CVE-2014-6484, CVE-2014-6491, CVE-2014-6494, CVE-2014-6495, CVE-2014-6496, CVE-2014-6500, CVE-2014-6505, CVE-2014-6507, CVE-2014-6520, CVE-2014-6530, CVE-2014-6551, CVE-2014-6555, CVE-2014-6559 (Closes: #765663, #769337) * d/p/fix-mysqlhotcopy-test-failure.patch: Add return code 255 to the list of allowable return codes for mysqlhotcopy tests. * d/rules: Enable parallel builds. nbd (1:3.2-4~deb7u5) oldstable-security; urgency=medium . * Backport fix for CVE-2015-0847 to fix handling of SIGTERM and SIGCHLD. Closes: #784657. * Merge patch by Tuomas Räsänen to do all negotiation in the child process. Closes: #781547, CVE-2013-7441. nbd (1:3.2-4~deb7u5~bpo60+1) squeeze-backports; urgency=medium . * Re-upload to squeeze-backports. . nbd (1:3.2-4~deb7u5) oldstable-security; urgency=medium . * Backport fix for CVE-2015-0847 to fix handling of SIGTERM and SIGCHLD. Closes: #784657. * Merge patch by Tuomas Räsänen to do all negotiation in the child process. Closes: #781547, CVE-2013-7441. netcf (0.1.9-2+deb7u2) wheezy; urgency=medium . * Non-maintainer upload. * Add netcf-debian-memleak.patch. Prevent a memory leak when listing interfaces (Closes: #709335) netcf (0.1.9-2+deb7u1) stable; urgency=medium . * Cherrypick d340f2df to fix ipcalc_netmask. (Closes: #726127) nss (2:3.14.5-1+deb7u5) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2015-2721.patch patch. CVE-2015-2721: NSS incorrectly permits skipping of ServerKeyExchange. * Add CVE-2015-2730.patch patch. CVE-2015-2730: ECDSA signature validation fails to handle some signatures correctly. nss (2:3.14.5-1+deb7u4) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2014-1569.patch. CVE-2014-1569: ASN.1 DER decoding of lengths is too permissive, allowing undetected smuggling of arbitrary data. (Closes: #773625) ntfs-3g (1:2012.1.15AR.5-2.1+deb7u2) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Update CVE-2015-3202.patch patch. CVE-2015-3202: Missing scrubbing of the environment before executing a mount or umount of a filesystem. The previous fix for CVE-2015-3202 was incomplete and missed the replacement of one execl call with execle. (Closes: #786475) ntfs-3g (1:2012.1.15AR.5-2.1+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2015-3202.patch patch. CVE-2015-3202: Missing scrubbing of the environment before executing a mount or umount of a filesystem. ntp (1:4.2.6.p5+dfsg-2+deb7u4) wheezy-security; urgency=medium . * Fix CVE-2015-1798 and CVE-2015-1799 (Closes: #782095) * Fix endless loop and non-random key generation using ntp-keygen on big endian machines. ntp (1:4.2.6.p5+dfsg-2+deb7u3) wheezy-security; urgency=medium . * Add missing fix for CVE-2014-9297 ntp (1:4.2.6.p5+dfsg-2+deb7u2) wheezy-security; urgency=medium . * Fix CVE-2014-9297 * Fix CVE-2014-9298 open-vm-tools (2:8.8.0+2012.05.21-724730-1+nmu2+deb7u1) stable; urgency=medium . * [6f4a32b1] Add patch to handle the move of d_alias to d_u.d_alias. Thanks to Stefan Schueller (Closes: #779081) * [b32d3413] Add git-buildpackage config for wheezy. * [3f1b34b0] Updating Maintainer. openafs (1.6.1-3+deb7u4) wheezy-proposed-updates; urgency=medium . * Fix the kernel module build when d_alias is in the d_u union (Closes: #780865, Closes: #794224) * Fix potential file corruption of mmapped files (Closes: #778851) openafs (1.6.1-3+deb7u3) wheezy-security; urgency=high . * Apply upstream security patches from the 1.6.13 release (thanks to Benjamin Kaduk for providing the patches): - OPENAFS-SA-2015-001 (CVE-2015-3282): vos leaks stack data onto the wire when creating vldb entries - OPENAFS-SA-2015-002 (CVE-2015-3283): bos commands can be spoofed, including some which alter server state - OPENAFS-SA-2015-003 (CVE-2015-3284): pioctls leak kernel memory contents - OPENAFS-SA-2015-004 (CVE-2015-3285): kernel pioctl support for OSD command parsing can trigger a panic - OPENAFS-SA-2015-006 (CVE-2015-3287): Buffer overflow in OpenAFS vlserver * The patch for OPENAFS-SA-2015-005 is not applied, since that vulnerability is limited to the Solaris kernel module opencv (2.3.1-11+deb7u1) stable; urgency=low . * Update license for test of GPU. (Closes: 724920) Add patches/updated-license-header-in-whole-gpu-module.patch openldap (2.4.31-2) wheezy-security; urgency=high . * Team upload. . [ Ryan Tandy ] * debian/slapd.init.ldif: Disallow modifying one's own entry by default, except specific attributes. (CVE-2014-9713) (Closes: #761406) * debian/slapd.{config,templates}: On upgrade, if an access rule begins with "to * by self write", show a debconf note warning that it should be changed. * debian/slapd.README.debian: Add information about how to remove "to * by self write" from existing ACLs. * debian/po/*: Add translations of debconf warning. * debian/patches/ITS8027-deref-reject-empty-attr-list.patch: Import upstream patch to fix a crash when a search includes the Deref control with an empty attribute list. (ITS#8027) (CVE-2015-1545) (Closes: #776988) * debian/patches/ITS7723-fix-reference-counting.patch: Import upstream patch to fix a crash in the rwm overlay when a search is immediately followed by an unbind. (ITS#7723) (CVE-2013-4449) (Closes: #729367) opensaml2 (2.4.3-4+deb7u1) wheezy-security; urgency=high . * Rebuild against fixed xmltooling for DSA 3321-1 openssl (1.0.1e-2+deb7u17) wheezy-security; urgency=medium . * Fix CVE-2015-1791 * Fix CVE-2015-1792 * Fix CVE-2015-1789 * Fix CVE-2015-1790 * Fix CVE-2015-1788 * Fix CVE-2015-4000 * Fix CVE-2014-8176 openssl (1.0.1e-2+deb7u16) wheezy-security; urgency=medium . * Revert patch 0003-Free-up-passed-ASN.1-structure-if-reused.patch, it breaks nginx and doesn't have a security issue * Add patch 0008-Fix-a-failure-to-NULL-a-pointer-freed-on-error.patch as follow up to CVE-2015-0209 openssl (1.0.1e-2+deb7u15) wheezy-security; urgency=medium . * Fix CVE-2015-0286 * Fix CVE-2015-0287 * Fix CVE-2015-0289 * Fix CVE-2015-0292 * Fix CVE-2015-0293 (not affected, SSLv2 disabled) * Fix CVE-2015-0209 * Fix CVE-2015-0288 * Remove export ciphers from DEFAULT. * Make DTLS always act as if read_ahead is set. This fixes a regression introduce by the fix for CVE-2014-3571. (Closes: #775502) * Fix error codes. openssl (1.0.1e-2+deb7u14) wheezy-security; urgency=medium . - Fix for CVE-2014-3571 - Fix for CVE-2015-0206 - Fix for CVE-2014-3569 - Fix for CVE-2014-3572 - Fix for CVE-2015-0204 - Fix for CVE-2015-0205 - Fix for CVE-2014-8275 - Fix for CVE-2014-3570 openvswitch (1.4.2+git20120612-9.1~deb7u1.1) stable-proposed-updates; urgency=medium . * Non-maintainer upload. * Fix "openvswitch-datapath-dkms fails to build on Debian 7.7 3.2.0-4- amd64 (3.2.63-2+deb7u1)" import Chris J. Arges' patch for tunnel.c (Closes: #768095) osc (0.134.1-2+deb7u1) stable; urgency=high . * Fix shell injection (Closes: #780410, CVE-2015-0778). otrs2 (3.1.7+dfsg1-8+deb7u5) wheezy-security; urgency=high . * Add patch 37-CVE-2014-9324 which fixes CVE-2014-9324, also known as OSA-2014-06: An attacker with valid OTRS credentials could access and manipulate ticket data of other users via the GenericInterface, if a ticket webservice is configured and not additionally secured. p7zip (9.20.1~dfsg.1-4+deb7u1) wheezy-security; urgency=medium . * Non-maintainer upload. * Delay creation of symlinks to prevent arbitrary file writes (CVE-2015-1038) (Closes: #774660) partconf (1.40+deb7u1) wheezy; urgency=low . [ Milan Kupcevic ] * Exclude CD/DVD drives from partition search. (thanks, Frank Fegert) Closes: #332227 pdf2djvu (0.7.12-2+deb7u1) oldstable; urgency=medium . * added fix-insecure-use-of-tmp-when-executing-c44.diff, fix of no-dsa security issue (related bug #784889 closed by 0.7.21-1 in Sid). * deb/rules: added empty override for dh_auto_clean (see #724228). pgbouncer (1.5.2-4+deb7u1) wheezy; urgency=medium . * Fix remote crash - invalid packet order causes lookup of NULL pointer. Not exploitable, just DoS. (CVE-2015-4054) Cherry-picked from upstream 1.5.5. php5 (5.4.44-0+deb7u1) wheezy-security; urgency=medium . * New upstream version 5.4.44 - Core: . Fixed bug #69793 (Remotely triggerable stack exhaustion via recursive method calls). . Fixed bug #69892 (Different arrays compare indentical due to integer key truncation). . Fixed bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref). - OpenSSL: . Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically secure). - Phar: . Improved fix for bug #69441. . Fixed bug #70019 (Files extracted from archive may be placed outside of destination directory). - SOAP: . Fixed bug #70081 (SoapClient info leak / null pointer dereference via multiple type confusions). - SPL: . Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject items). . Fixed bug #70166 (Use After Free Vulnerability in unserialize() with SPLArrayObject). . Fixed bug #70168 (Use After Free Vulnerability in unserialize() with SplObjectStorage). . Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList). * New upstream version 5.4.43 - Core: . Fixed bug #69768 (escapeshell*() doesn't cater to !). . Fixed bug #69874 (Can't set empty additional_headers for mail()), regression from fix to bug #68776. . - Mysqlnd: . Fixed bug #69669 (mysqlnd is vulnerable to BACKRONYM) (CVE-2015-3152). - Phar: . Fixed bug #69958 (Segfault in Phar::convertToData on invalid file). . Fixed bug #69923 (Buffer overflow and stack smashing error in phar_fix_filepath). * Rebase patches on top of 5.4.44 release . php5 (5.4.42-0+deb7u1) wheezy-security; urgency=medium . * New upstream version 5.4.42 (CVE-2015-4643, CVE-2015-4644, CVE-2015-4598) - Core: . Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). . Fixed bug #69646 (OS command injection vulnerability in escapeshellarg). . Fixed bug #69719 (Incorrect handling of paths with NULs). - Litespeed SAPI: . Fixed bug #68812 (Unchecked return value). - Mail: . Fixed bug #68776 (mail() does not have mail header injection prevention for additional headers). - Postgres: . Fixed bug #69667 (segfault in php_pgsql_meta_data). - Sqlite3: . Upgrade bundled sqlite to 3.8.10.2. * Refresh patches using gbp pq (rebase) php5 (5.4.41-0+deb7u1) wheezy-security; urgency=medium . * New upstream version 5.4.41 - Core: . Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). . Fixed bug #69403 (str_repeat() sign mismatch based memory corruption). . Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). . Fixed bug #69522 (heap buffer overflow in unpack()). - FTP: . Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). - PCNTL: . Fixed bug #68598 (pcntl_exec() should not allow null char). - PCRE . Upgraded pcrelib to 8.37. - Phar: . Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry filename starts with null). * Rebase patches on top of 5.4.41 version php5 (5.4.39-0+deb7u2) wheezy-security; urgency=medium . * Fix segfault when using SoapClient::__setSoapHeader (Closes: #781125) php5 (5.4.39-0+deb7u1) wheezy-security; urgency=high . * New upstream version 5.4.39 - Core: . Fixed bug #68976 (Use After Free Vulnerability in unserialize()) (CVE-2015-0231). . Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). . Fixed bug #69207 (move_uploaded_file allows nulls in path). - Ereg: . Fixed bug #69248 (heap overflow vulnerability in regcomp.c) (CVE-2015-2305). - SOAP: . Fixed bug #69085 (SoapClient's __call() type confusion through unserialize()). - ZIP: . Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap boundary) (CVE-2015-2331). (Closes: #780713) * Refresh patches for 5.4.39 and remove already merged VU695940 * Start using git pq to manage patches in d/patches/ * Move PEAR-Builder-print-info-about-php5-dev.patch to debian/ since it's not a quilt patch * Add newly assigned CVE identifiers to older d/changelog entries * New patches: - 0060-PHP-SegFault-zend_hash_find-PHP-68486.patch - 0061-Fix-use-after-free-in-phar_object.c-PHP-68901-CVE-20.patch (CVE-2015-2301) * Remove invalid curl patch that got pulled as part of CVE-2015-1352 (Closes: #780771, #780764) * Split upstream fixes for PHP#68740 and PHP#68741 into separate patches php5 (5.4.38-0+deb7u1) wheezy-security; urgency=high . * New upstream version 5.4.38 - Core: . Removed support for multi-line headers, as the are deprecated by RFC 7230. . Added NULL byte protection to exec, system and passthru. . Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname buffer overflow). . Fixed bug #67827 (broken detection of system crypt sha256/sha512 support). . Fixed bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone). (CVE-2015-0273) - Enchant: . Fixed bug #6855 (heap buffer overflow in enchant_broker_request_dict()). - SOAP: . Fixed bug #67427 (SoapServer cannot handle large messages) * Update patches for 5.4.38 release * Pull patch from DragonFly BSD Project to limit the pattern space to avoid a 32-bit overflow in Henry Spencer regular expressions (regex) library (Closes: #778389) * Drop PHP use system libs crypt patch, it has been broken and it's not strictly needed php5 (5.4.36-0+deb7u3) wheezy-security; urgency=medium . * Fix fileinfo out-of-bounds memory access * Explicitly remove readelf.c to prove we are not vulnerable to recent readelf vulnerabilities (CVE-2014-8116) phpbb3 (3.0.10-4+deb7u3) wheezy; urgency=medium . * Fix possible redirection on Chrome: an insufficient check allowed users of the Google Chrome browser to be redirected to external domains (e.g. on login) [CVE-2015-3880] phpbb3 (3.0.10-4+deb7u2) wheezy; urgency=medium . * Fix CSRF vulnerability [CVE-2015-1432] and CSS injection [CVE-2015-1431] (Closes: #776699) polarssl (1.2.9-1~deb7u5) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2015-1182.patch patch. CVE-2015-1182: Denial of service and possible remote code execution using crafted certificates. (Closes: #775776) policyd-weight (0.1.15.2-5+wheezy2) wheezy; urgency=low . * Add 10_del_rhsbl.ahbl.org.patch which removes rhsbl.ahbl.org list due to service shutdown (Closes: #774772) * Add 11_fix_default_rhsbl_dnsbl_in_man5.patch which updates default dnsbls/rhsbls in man5 manpage postgresql-9.1 (9.1.18-0+deb7u1) wheezy; urgency=medium . * New upstream version. + Fix rare failure to invalidate relation cache init file * Remove obsolete .bzr-builddeb/. postgresql-9.1 (9.1.17-0+deb8u1) jessie; urgency=medium . * New upstream release: No effective changes for PL/Perl, the version must just be higher than the one in wheezy. postgresql-9.1 (9.1.17-0+deb7u1) wheezy; urgency=medium . * New upstream version including the fsync fix. postgresql-9.1 (9.1.16-0+deb8u1) stable-security; urgency=medium . * New upstream version, relevant PL/Perl change: . + Improve detection of system-call failures (Noah Misch) . Our replacement implementation of snprintf() failed to check for errors reported by the underlying system library calls; the main case that might be missed is out-of-memory situations. In the worst case this might lead to information exposure, due to our code assuming that a buffer had been overwritten when it hadn't been. Also, there were a few places in which security-relevant calls of other system library functions did not check for failure. . It remains possible that some calls of the *printf() family of functions are vulnerable to information disclosure if an out-of-memory error occurs at just the wrong time. We judge the risk to not be large, but will continue analysis in this area. (CVE-2015-3166) . * Repository moved to git, update Vcs headers. postgresql-9.1 (9.1.16-0+deb7u2) wheezy-security; urgency=medium . * Fix fsync-at-startup code to not treat errors as fatal. (Abhijit Menon-Sen and Tom Lane, Closes: #786874) postgresql-9.1 (9.1.16-0+deb7u1) wheezy-security; urgency=medium . * New upstream version. . + Avoid possible crash when client disconnects just before the authentication timeout expires (Benkocs Norbert Attila) . If the timeout interrupt fired partway through the session shutdown sequence, SSL-related state would be freed twice, typically causing a crash and hence denial of service to other sessions. Experimentation shows that an unauthenticated remote attacker could trigger the bug somewhat consistently, hence treat as security issue. (CVE-2015-3165) . + Improve detection of system-call failures (Noah Misch) . Our replacement implementation of snprintf() failed to check for errors reported by the underlying system library calls; the main case that might be missed is out-of-memory situations. In the worst case this might lead to information exposure, due to our code assuming that a buffer had been overwritten when it hadn't been. Also, there were a few places in which security-relevant calls of other system library functions did not check for failure. . It remains possible that some calls of the *printf() family of functions are vulnerable to information disclosure if an out-of-memory error occurs at just the wrong time. We judge the risk to not be large, but will continue analysis in this area. (CVE-2015-3166) . + In contrib/pgcrypto, uniformly report decryption failures as Wrong key or corrupt data (Noah Misch) . Previously, some cases of decryption with an incorrect key could report other error message texts. It has been shown that such variance in error reports can aid attackers in recovering keys from other systems. While it's unknown whether pgcrypto's specific behaviors are likewise exploitable, it seems better to avoid the risk by using a one-size-fits-all message. (CVE-2015-3167) . * Repository moved to git, update Vcs headers. postgresql-9.1 (9.1.15-0+deb8u1) unstable; urgency=low . * New upstream release: No effective changes for PL/Perl, the version must just be higher than the one in wheezy. postgresql-9.1 (9.1.15-0+deb7u1) wheezy-security; urgency=medium . * New upstream release. + Fix buffer overruns in to_char() (CVE-2015-0241) + Fix buffer overruns in contrib/pgcrypto (CVE-2015-0243) + Fix possible loss of frontend/backend protocol synchronization after an error (CVE-2015-0244) + Fix information leak via constraint-violation error messages (CVE-2014-8161) postgresql-9.1 (9.1.15-0+deb7u1~bpo60+1) squeeze-backports; urgency=medium . * Rebuild for squeeze-backports. . postgresql-9.1 (9.1.15-0+deb7u1) wheezy-security; urgency=medium . * New upstream release. + Fix buffer overruns in to_char() (CVE-2015-0241) + Fix buffer overruns in contrib/pgcrypto (CVE-2015-0243) + Fix possible loss of frontend/backend protocol synchronization after an error (CVE-2015-0244) + Fix information leak via constraint-violation error messages (CVE-2014-8161) . postgresql-9.1 (9.1.14-0+deb7u1) wheezy; urgency=medium . * New upstream release. Noteworthy changes: + Secure Unix-domain sockets of temporary postmasters started during make check (Noah Misch) . Any local user able to access the socket file could connect as the server's bootstrap superuser, then proceed to execute arbitrary code as the operating-system user running the test, as we previously noted in CVE-2014-0067. This change defends against that risk by placing the server's socket in a temporary, mode 0700 subdirectory of /tmp. . * Remove debian/pg_regress-in-tmp.patch. postgresql-9.1 (9.1.14-0+deb8u1) unstable; urgency=medium . * New upstream release: No effective changes for PL/Perl, the version must just be higher than the one in wheezy. * Add Breaks: postgresql-9.1 (<< 9.1.12) to ensure the server package supports CheckFunctionValidatorAccess. * Update Vcs URLs. * Remove 60-pg_regress_socketdir.patch, 61-extra_regress_opts: Went upstream (and aren't relevant for plperl anyway). * Add perl license to debian/copyright. pound (2.6-2+deb7u1) wheezy-security; urgency=high . [ Brett Parker ] * Add anti_poodle patch (CVE-2014-3566, Closes: #765539) - It's now possible to disable SSLv3 with the "DisableSSLv3" directive in pound.cfg. It's however not disabled by default. * Disable tls compression patch (CVE-2012-4929, Closes: 727197) * Add missing chunk to renegotiation patch (CVE-2009-3555, Closes: #765649). * don't wrongly encode = in redirect (Closes: #723731) . [ Thijs Kinkhorst ] * Upload to wheezy-security. ppp (2.4.5-5.1+deb7u2) wheezy-security; urgency=medium . * Non-maintainer upload by the Security Team (thanks to Emanuele Rocca for the patch). * Fix CVE-2015-3310: buffer overflow which may lead to DoS (Closes: #782450). privoxy (3.0.19-2+deb7u2) wheezy-security; urgency=medium . * 38_CVE-2015-1381: multiple segmentation faults and memory leaks in the pcrs code. * 39_CVE-2015-1382: invalid read. * These 2 patches Closes: #776490 in wheezy. privoxy (3.0.19-2+deb7u1) stable-security; urgency=medium . * 35_CVE-2015-1031-CID66394: unmap(): Prevent use-after-free if the map only consists of one item. CID 66394. * 36_CVE-2015-1031-CID66376: pcrs_execute(): Consistently set *result to NULL in case of errors. Should make use-after-free in the caller less likely. CID 66391, CID 66376. * These 2 patches Closes: #775167. proftpd-dfsg (1.3.4a-5+deb7u3) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team * Fix CVE-2015-3306: unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy (Closes: #782781) putty (0.62-9+deb7u2) stable-security; urgency=high . * Backport from upstream: - MATTA-2015-002: Enforce acceptable range for Diffie-Hellman server value. - Fix an erroneous length field in SSH-1 key load. - CVE-2015-2157: Fix failure to clear sensitive private key information from memory (closes: #779488). python-django (1.4.5-1+deb7u13) wheezy-security; urgency=medium . * New upstream security release: - Possible denial-of-service via logout() (CVE-2015-5963) python-django (1.4.5-1+deb7u12) wheezy-security; urgency=high . * New upstream security release: - Possible denial-of-service via session store (CVE-2015-5143) - Possible email header injection via newlines (CVE-2015-5144) python-django (1.4.5-1+deb7u11) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * No change rebuild. Brings back missing jquery symlinks. python-django (1.4.5-1+deb7u11~bpo60+1) squeeze-backports; urgency=low . * Rebuild for squeeze-backports. python-django (1.4.5-1+deb7u10) wheezy-security; urgency=high . * New upstream security release: https://www.djangoproject.com/weblog/2015/mar/18/security-releases/ - Possible XSS attack via user-supplied redirect URLs (CVE-2015-2317) python-django (1.4.5-1+deb7u9) wheezy-security; urgency=high . * New upstream security release: https://www.djangoproject.com/weblog/2015/jan/13/security/ - WSGI header spoofing via underscore/dash conflation (CVE-2015-0219) - Possible XSS attack via user-supplied redirect URLs (CVE-2015-0220) - Denial-of-service attack against django.views.static.serve (CVE-2015-0221) Closes: #775375 * Also include a fix for a regression introduced by the patch for CVE-2015-0221: https://code.djangoproject.com/ticket/24158 qemu (1.1.2+dfsg-6a+deb7u8) wheezy-security; urgency=high . * slirp-use-less-predictable-directory-name-in-tmp-CVE-2015-4037.patch (Closes: CVE-2015-4037) * pcnet-force-buffer-access-to-be-in-bounds-CVE-2015-3209.patch with preparation bugfix pcnet-fix-negative-array-index-read.patch from upstream (Closes: #788460 CVE-2015-3209) qemu (1.1.2+dfsg-6a+deb7u7) wheezy-security; urgency=high . * fdc-force-the-fifo-access-to-be-in-bounds-CVE-2015-3456.patch backported from upstream 2.3 (Closes: CVE-2015-3456) * rename CVE-2014-8106 patches to match upstream, add bug# (no actual code changed) qemu (1.1.2+dfsg-6a+deb7u7~bpo60+1) squeeze-backports; urgency=low . * Rebuild for squeeze-backports: disable fdt and usbredir support for squeeze . qemu (1.1.2+dfsg-6a+deb7u7) wheezy-security; urgency=high . * fdc-force-the-fifo-access-to-be-in-bounds-CVE-2015-3456.patch backported from upstream 2.3 (Closes: CVE-2015-3456) * rename CVE-2014-8106 patches to match upstream, add bug# (no actual code changed) . qemu (1.1.2+dfsg-6a+deb7u6) wheezy-security; urgency=high . * apply upstream patches for CVE-2014-8106 (cirrus: insufficient blit region checks) (Closes: #772025 CVE-2014-8106) . qemu (1.1.2+dfsg-6a+deb7u5) wheezy-security; urgency=medium . * apply 5 patches backported from upstream to fix a security issue in vmware-vga (Closes: #765496 CVE-2014-3689) * vnc-sanitize-bits_per_pixel-from-the-client-CVE-2014-7815.patch from upstream (Closes: CVE-2014-7815) . qemu (1.1.2+dfsg-6a+deb7u4) wheezy-security; urgency=medium . * image-format-validation patch series backported from 2.0, closing CVE-2014-0142, CVE-2014-0143, CVE-2014-0144, CVE-2014-0145, CVE-2014-0146, CVE-2014-0147, CVE-2014-0222, CVE-2014-0223 (Closes: #742730) * slirp-udp-fix-NULL-pointer-deref-uninit-socket-CVE-2014-3640.patch closing CVE-2014-3640 (Closes: #762532) * spice-make-sure-we-don-t-overflow-ssd-buf-CVE-2014-3615.patch and vbe-rework-sanity-checks-CVE-2014-3615.patch closing CVE-2014-3615 . qemu (1.1.2+dfsg-6a+deb7u3) wheezy-security; urgency=high . * ide-correct-improper-smart-self-test-counter-reset-CVE-2014-2894.patch (Closes: #745157 CVE-2014-2894) * scsi-allocate-SCSITargetReq-r-buf-dynamically-CVE-2013-4344.patch (Closes: #725944 CVE-2013-4344) . qemu (1.1.2+dfsg-6a+deb7u2) stable; urgency=medium . [ Gabriele Giacone ] * Fix crash booting GNU/Hurd on both hwaccel systems without --enable-kvm option and on non-hwaccel ones (Closes: #719633). * Fix crash booting GNU/Hurd with QEMU multiboot options (Closes: #741873). . qemu (1.1.2+dfsg-6a+deb7u1) wheezy-security; urgency=high . * fix guest-triggerable buffer overrun in virtio-net device (Closes: #744221 CVE-2014-0150) . qemu (1.1.2+dfsg-6a) unstable; urgency=low . * reupload to remove two unrelated files slipped in debian/ . qemu (1.1.2+dfsg-6) unstable; urgency=low . * another bugfix for USB, upstream from early days of past-1.1. usb-split-endpoint-init-and-reset.patch. With certain redirected to guest USB devices, qemu process may crash: . usb_packet_complete: Assertion `((&ep->queue)->tqh_first) == p' failed. . The patch fixes this by de-coupling reset and complete paths. Big thanks goes to Joseph Price who found the fix by doing a reverse git bisection. (Closes: #701926) . qemu (1.1.2+dfsg-5) unstable; urgency=low . * fix USB regression introduced in 1.1 (Closes: #683983) uhci-don-t-queue-up-packets-after-one-with-the-SPD-flag-set.patch Big thanks to Peter Schaefer (https://bugs.launchpad.net/bugs/1033727) for the help identifying the fix. . qemu (1.1.2+dfsg-4) unstable; urgency=medium . * linux-user-fix-mips-32-on-64-prealloc-case.patch (Closes: #668658) * e1000-discard-oversized-packets-based-on-SBP_LPE.patch: the second half of the fix for CVE-2012-6075. (Finally Closes: #696051) . qemu (1.1.2+dfsg-3) unstable; urgency=low . * add build-dependency on libcap-dev [linux-any] to enable virtfs support which has been dropped in 1.1. (Closes: #677654) * intel_hda-do-not-call-msi_reset-when-only-device-state-needs-resetting.patch patch to fix Fixing reset of MSI function in intel-hda virtual device. The fix (applied to stable-1.1.1) was partially wrong, as it actually added the msi_reset() call to two code paths instead of one as planned. Fix this by splitting the function in question into two parts. (Closes: #688964) * blockdev-preserve-readonly-and-snapshot-states-across-media-changes.patch: allow opening of read-only cdrom images/devices (Closes: #686776) * ahci-properly-reset-PxCMD-on-HBA-reset.patch: fix windows install on ahci (Closes: #696052) * e1000-discard-packets-that-are-too-long-if-not-SBP-and-not-LPE.patch: discard too long rx packets which may overflow guest buffer (Closes: #696051) * eepro100-fix-network-hang-when-rx-buffers-run-out.patch: fix e100 stall (Closes: #696061) * fix possible network stalls/slowness in e1000 device emulation: net-notify-iothread-after-flushing-queue.patch e1000-flush-queue-whenever-can_receive-can-go-from-false-to-true.patch (Closes: #696063) * fixes-related-to-processing-of-qemu-s-numa-option.patch: fixes numa handling (Closes: #691343) * qcow2-fix-avail_sectors-in-cluster-allocation-code.patch: fixes data corruption in stacked qcow2 (Closes: #695905) * qcow2-fix-refcount-table-size-calculation.patch: another possible corruption or crash in qcow2 (Closes: #691569) * tap-reset-vnet-header-size-on-open.patch: always ensure tap device is in known state initially (Closes: #696057) * vmdk-fix-data-corruption-bug-in-WRITE-and-READ-handling.patch: possible data corruption bug in vmdk image format (Closes: #696050) . qemu (1.1.2+dfsg-2) unstable; urgency=low . * remove debian/patches/fix-armhf-prctl.patch, it is included upstream in 1.1.0 version and is misapplied since 1.1.0~rc3+dfsg-1. * drop -jN passing to downstream makes, as it breaks dpkg-buildpackage -j and actually breaks build (Closes: #597524 - said to be fixed in 0.14.1 but was still present) * add revert-serial-fix-retry-logic.patch that restores old (semi-)working behavour of a virtual serial port. qemu-kvm (1.1.2+dfsg-6+deb7u8) wheezy-security; urgency=high . * slirp-use-less-predictable-directory-name-in-tmp-CVE-2015-4037.patch (Closes: CVE-2015-4037) * pcnet-force-buffer-access-to-be-in-bounds-CVE-2015-3209.patch with preparation bugfix pcnet-fix-negative-array-index-read.patch from upstream (Closes: #788460 CVE-2015-3209) qemu-kvm (1.1.2+dfsg-6+deb7u7) wheezy-security; urgency=high . * fdc-force-the-fifo-access-to-be-in-bounds-CVE-2015-3456.patch backported from upstream 2.3 (Closes: CVE-2015-3456) * rename CVE-2014-8106 patches to match upstream, add bug# (no actual code changed) qemu-kvm (1.1.2+dfsg-6+deb7u7~bpo60+1) squeeze-backports; urgency=high . * Rebuild for squeeze-backports (removed usbredir support) . qemu-kvm (1.1.2+dfsg-6+deb7u7) wheezy-security; urgency=high . * fdc-force-the-fifo-access-to-be-in-bounds-CVE-2015-3456.patch backported from upstream 2.3 (Closes: CVE-2015-3456) * rename CVE-2014-8106 patches to match upstream, add bug# (no actual code changed) . qemu-kvm (1.1.2+dfsg-6+deb7u6) wheezy-security; urgency=high . * apply upstream patches for CVE-2014-8106 (cirrus: insufficient blit region checks) (Closes: #772025 CVE-2014-8106) . qemu-kvm (1.1.2+dfsg-6+deb7u5) wheezy-security; urgency=medium . * apply 5 patches backported from upstream to fix a security issue in vmware-vga (Closes: #765496 CVE-2014-3689) * vnc-sanitize-bits_per_pixel-from-the-client-CVE-2014-7815.patch from upstream (Closes: CVE-2014-7815) . qemu-kvm (1.1.2+dfsg-6+deb7u4) wheezy-security; urgency=medium . * image-format-validation patch series backported from 2.0, closing CVE-2014-0142, CVE-2014-0143, CVE-2014-0144, CVE-2014-0145, CVE-2014-0146, CVE-2014-0147, CVE-2014-0222, CVE-2014-0223 (Closes: #742730) * slirp-udp-fix-NULL-pointer-deref-uninit-socket-CVE-2014-3640.patch closing CVE-2014-3640 (Closes: #762532) * spice-make-sure-we-don-t-overflow-ssd-buf-CVE-2014-3615.patch and vbe-rework-sanity-checks-CVE-2014-3615.patch closing CVE-2014-3615 . qemu-kvm (1.1.2+dfsg-6+deb7u3) wheezy-security; urgency=high . * ide-correct-improper-smart-self-test-counter-reset-CVE-2014-2894.patch (Closes: #745157 CVE-2014-2894) * scsi-allocate-SCSITargetReq-r-buf-dynamically-CVE-2013-4344.patch (Closes: #725944 CVE-2013-4344) . qemu-kvm (1.1.2+dfsg-6+deb7u2) stable; urgency=medium . [ Gabriele Giacone ] * Fix crash booting GNU/Hurd on both hwaccel systems without --enable-kvm option and on non-hwaccel ones (Closes: #719633). * Fix crash booting GNU/Hurd with QEMU multiboot options (Closes: #741873). . qemu-kvm (1.1.2+dfsg-6+deb7u1) wheezy-security; urgency=high . * fix guest-triggerable buffer overrun in virtio-net device (Closes: #744221 CVE-2014-0150) . qemu-kvm (1.1.2+dfsg-6) unstable; urgency=low . * another bugfix for USB, upstream from early days of past-1.1. usb-split-endpoint-init-and-reset.patch. With certain redirected to guest USB devices, qemu process may crash: . usb_packet_complete: Assertion `((&ep->queue)->tqh_first) == p' failed. . The patch fixes this by de-coupling reset and complete paths. Big thanks goes to Joseph Price who found the fix by doing a reverse git bisection. (Closes: #701926) . * fix wrong description of kvm transitional package (Closes: #701910) . qemu-kvm (1.1.2+dfsg-5) unstable; urgency=low . * fix USB regression introduced in 1.1 (Closes: #683983) uhci-don-t-queue-up-packets-after-one-with-the-SPD-flag-set.patch Big thanks to Peter Schaefer (https://bugs.launchpad.net/bugs/1033727) for the help identifying the fix. rawtherapee (4.0.9-4+deb7u1) wheezy; urgency=high . * Add patch debian/patches/04-fix_CVE-2015-3885.patch: - Fix dcraw imput sanitization errors (CVE-2015-3885) request-tracker4 (4.0.7-5+deb7u4) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add 73_CVE-2015-5475 patch. CVE-2015-5475: Cross-site scripting attack via the user and group rights managment pages. request-tracker4 (4.0.7-5+deb7u3) wheezy-security; urgency=high . * Fix remote DoS via email gateway (CVE-2014-9472) * Fix information discloure revealing RSS feed URLs (CVE-2015-1165) * Fix privilege escalation via RSS feed URLs (CVE-2015-1464) request-tracker4 (4.0.7-5+deb7u3~bpo60+1) squeeze-backports; urgency=high . * Rebuild for squeeze-backports. * Drop versioned depends on liburi-perl as it's not available in squeeze (and libplack-perl in bpo depends on an earlier version); this means that upstream #18104 (missing tickets in dashboard emails) is still unfixed * Drop versioned depends on libipc-run-perl as it's not available in at the required version in squeeze-bpo; this means that upstream #19802 (drawing graphs of relationships with UTF-8 strings) is still unfixed * Split out 72_patchset-2015-02-05 into multiple files to work around #608829 . request-tracker4 (4.0.7-5+deb7u3) wheezy-security; urgency=high . * Fix remote DoS via email gateway (CVE-2014-9472) * Fix information discloure revealing RSS feed URLs (CVE-2015-1165) * Fix privilege escalation via RSS feed URLs (CVE-2015-1464) requests (0.12.1-1+deb7u1) wheezy-security; urgency=medium . * Non-maintainer upload by the security team * Fix CVE-2014-1829 and CVE-2014-1830 by extracting the relevant changes from version 2.3.0 rpm (4.10.0-5+deb7u2) wheezy-security; urgency=medium . * CVE-2013-6435, CVE-2014-8118 ruby-rack (1.4.1-2.1+deb7u1) wheezy-security; urgency=high . * Create cherry-picked patch for Security Fix (Closes: #789311). - CVE-2015-3225: 0006-Fix-Params_Depth.patch Default depth at which the parameter parser will raise an exception for being too deep, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth. ruby-redcloth (4.2.9-2+deb7u2) wheezy-security; urgency=medium . * Re-upload, no changes ruby-redcloth (4.2.9-2+deb7u1) wheezy-security; urgency=high . * Team upload. * 0001-Filter-out-javascript-links-when-using-filter_html-o.patch: filter javascript: links when proper HTML sanitization options are turned on (Closes: #774748 [CVE-2012-6684]) ruby1.8 (1.8.7.358-7.1+deb7u3) wheezy-security; urgency=high . * Fix OpenSSL Hostname Verification [CVE-2015-1855] ruby1.8 (1.8.7.358-7.1+deb7u2) wheezy-security; urgency=high . * Fix unrestricted entity expansion in the REXML parser as per CVE-2014-8080 and CVE-2014-8090 * Set urgency=high accordingly samba (2:3.6.6-6+deb7u5) wheezy-security; urgency=high . * Security update * CVE-2015-0240: Unauthenticated code execution attack on smbd file services samba (2:3.6.6-6+deb7u5~bpo60+1) squeeze-backports; urgency=medium . * Rebuild for squeeze-backports. * Refresh security-CVE-2015-0240.patch to make it apply with patch from squeeze. . samba (2:3.6.6-6+deb7u5) wheezy-security; urgency=high . * Security update * CVE-2015-0240: Unauthenticated code execution attack on smbd file services shibboleth-sp2 (2.4.3+dfsg-5+deb7u1) wheezy-security; urgency=high . * Backport security fix from V2.5.4 for CVE-2015-2684: authenticated denial of service vulnerability that results in a crash on certain kinds of malformed SAML messages. spamassassin (3.3.2-5+deb7u3) stable; urgency=medium . * Remove references to ahbl.org DNSBL, which has ceased operation. (Closes: #774768) sqlite3 (3.7.13-1+deb7u2) wheezy-security; urgency=high . * Properly handle precision and width values during floating-point conversions in sqlite3VXPrintf() as per CVE-2015-3416 (Thanks to Santiago Ruano Rincón for backporting the patch) squid (2.7.STABLE9-4.1+deb7u1) wheezy-security; urgency=medium . * Non-maintainer upload by the Security Team * Fix CVE-2014-3609 by backporting 3.0-based upstream patch squid3 (3.1.20-2.2+deb7u3) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2015-5400.patch patch. CVE-2015-5400: Information disclosure due to incorrect handling of peer responses. (Closes: #793128) ssl-cert (1.0.32+deb7u1) wheezy; urgency=medium . * Switch to SHA2 for newly generated certificates. Closes: #733255, #773815 * Set umask to make sure that the generated key is not world-readable for a short timespan while make-ssl-cert runs. Closes: #780828 strongswan (4.5.2-1.5+deb7u7) wheezy-security; urgency=high . * debian/patches: - CVE-2015-4171_enforce_remote_auth added, fix potential leak of authentication credential to rogue server when using PSK or EAP. This is CVE-2015-4171. strongswan (4.5.2-1.5+deb7u6) wheezy-security; urgency=high . * debian/patches: - CVE-2014-9221_dh_group added, fix regression with CVE-2014-9221_modp_custom breaking TLS authentication. subversion (1.6.17dfsg-4+deb7u10) wheezy-security; urgency=high . * patches/CVE-2015-3817: svn_repos_trace_node_locations() reveals paths hidden by authz subversion (1.6.17dfsg-4+deb7u9) wheezy-security; urgency=high . * patches/CVE-2015-0248: Assertion DoS vulnerability for certain mod_dav_svn and svnserve requests with dynamically evaluated revision numbers * patches/CVE-2015-0251: mod_dav_svn allows spoofing svn:author property values for new revisions sudo (1.8.5p2-1+nmu3) wheezy; urgency=medium . * Non-maintainer upload with maintainer approval. * Backport from 1.8.7-1: "recognize lenny and squeeze unmodified sudoers" to avoid dpkg questions about modified conffiles on upgrades to wheezy. (Closes: #660594) * *.preinst: Recognize the unmodified /etc/sudoers from sudo-ldap/lenny. sudo (1.8.5p2-1+nmu2) wheezy-security; urgency=high . * Non-maintainer upload by the Security Team. * Add CVE-2014-9680-1.patch patch. CVE-2014-9680: unsafe handling of TZ environment variable. (Closes: #772707) * Add CVE-2014-9680-2.patch patch. Documents that a leading ':' is skipped when checking TZ for a fully-qualified path name. sympa (6.1.11~dfsg-5+deb7u2) wheezy-security; urgency=high . * Add a patch to fix a vulnerability in the web interface (wwsympa) which allows one to send himself by email any readable file by the sympa user on the filesystem. tcllib (1.14-dfsg-3+deb7u1) wheezy; urgency=low . * Added a patch from upstream which fixes an XSS vulnerability in the html module for